MITRE ATT&CK® Group

G0067: APT37

APT37 is a North Korean state-sponsored cyber espionage group that has been active since at least 2012. The group has targeted victims primarily in South Korea, but also in Japan, Vietnam, Russia, Nepal, China, India, Romania, Kuwait, and other parts of the Middle East. APT37 has also been linked to the following campaigns between 2016-2018: Operation Daybreak, Operation Erebus, Golden Time, Evil New Year, Are you Happy?, FreeMilk, North Korean Human Rights, and Evil New Year 2018.[1][2][3]

North Korean group definitions are known to have significant overlap, and some security researchers report all North Korean state-sponsored cyber activity under the name Lazarus Group instead of tracking clusters or subgroups.

Domain: Enterprise | ID: G0067 | Type: Group | Object version: 2.0
Glexia's Take

Analyst context for executives and security teams

Analyst confidence: Medium

APT37 is an ATT&CK group entry for a North Korean state-sponsored espionage actor with multiple aliases and reported targeting across South Korea and several other countries. Its ATT&CK relationships matter because they show a pattern defenders can plan around: backdoors/RATs, downloaders, an exfiltration tool, Cobalt Strike, command execution, discovery, persistence through scheduled tasks, obfuscation, and local data collection.

Executive priority

Treat this as a threat-intelligence planning object rather than a standalone detection rule. Leaders should ask whether sensitive business, government, research, financial, or regional operations matching the ATT&CK-described targeting have tested coverage for RAT/backdoor activity, document-delivered malware where relevant, suspicious scheduled tasks, script execution, and data collection before exfiltration. Because North Korean group naming overlaps in public reporting, prioritize behaviors and controls over alias-based attribution.

Technical view

MITRE provides no official detection text and no platforms on the group object itself, but the relationships include many Windows-oriented tools such as DOGCALL, KARAE, POORAIM, SLOWDRIFT, ROKRAT, NavRAT, Final1stspy, and BLUELIGHT, plus Cobalt Strike, and techniques covering execution, discovery, defense evasion, persistence, collection, and privilege escalation through UAC bypass. SOC and IR teams should validate detections around Windows command shell and Visual Basic execution, scheduled task creation and modification, process injection indicators, invalid code signatures, obfuscated or steganographic payloads, user and process discovery, local file collection, and RAT-like network behavior.
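The T1106 and T1055 rows below name the exact call sequence ROKRAT-style injection leaves behind: memory allocated, WriteProcessMemory into another process, then CreateRemoteThread into that same process, in APT37's case cmd.exe. As an added example (not code from MITRE, Glexia or the cited vendors), the Python below correlates that sequence per (source, target) pair over an API trace. The event fields (ts, pid, image, api, target_pid, target_image) and the sample trace are constructed assumptions about an EDR export, not a real product schema; debuggers and security agents also write into foreign processes, so the window and any image allowlist need tuning against your own baseline.

```python
"""Added example: flag the allocate -> WriteProcessMemory -> CreateRemoteThread
sequence into a foreign process (T1106 / T1055 rows), over a constructed trace.

Field names (ts, pid, image, api, target_pid, target_image) are assumptions
about an EDR API-trace export, not a real product schema."""
from collections import defaultdict

ALLOC_APIS = {"VirtualAlloc", "VirtualAllocEx"}
WRITE_APIS = {"WriteProcessMemory"}
THREAD_APIS = {"CreateRemoteThread", "CreateRemoteThreadEx"}

# Constructed sample trace (not real telemetry). Timestamps are seconds.
SAMPLE_TRACE = [
    # Dropper allocates in cmd.exe, writes a payload there, then starts a remote thread.
    {"ts": 100, "pid": 4120, "image": "dropper.exe", "api": "VirtualAllocEx",
     "target_pid": 5044, "target_image": "cmd.exe"},
    {"ts": 101, "pid": 4120, "image": "dropper.exe", "api": "WriteProcessMemory",
     "target_pid": 5044, "target_image": "cmd.exe"},
    {"ts": 102, "pid": 4120, "image": "dropper.exe", "api": "CreateRemoteThread",
     "target_pid": 5044, "target_image": "cmd.exe"},
    # A process allocating its own memory: not cross-process, ignored.
    {"ts": 150, "pid": 7001, "image": "chrome.exe", "api": "VirtualAlloc",
     "target_pid": 7001, "target_image": "chrome.exe"},
    # A write with no following thread start: partial sequence, no alert.
    {"ts": 200, "pid": 900, "image": "debugger.exe", "api": "WriteProcessMemory",
     "target_pid": 6000, "target_image": "app.exe"},
    # Write and thread start 600 s apart: outside the default window, not correlated.
    {"ts": 300, "pid": 1200, "image": "svc.exe", "api": "WriteProcessMemory",
     "target_pid": 1300, "target_image": "svc_helper.exe"},
    {"ts": 900, "pid": 1200, "image": "svc.exe", "api": "CreateRemoteThread",
     "target_pid": 1300, "target_image": "svc_helper.exe"},
]


def detect_remote_injection(events, window=30):
    """Return one alert per CreateRemoteThread into a foreign process that was
    preceded, within `window` seconds, by a WriteProcessMemory from the same
    source into the same target. A recent allocation by the source raises the
    confidence label from medium to high."""
    alerts = []
    allocs = defaultdict(list)   # source pid -> allocation timestamps
    writes = defaultdict(list)   # (source pid, target pid) -> write timestamps
    for ev in sorted(events, key=lambda e: e["ts"]):
        src, tgt, api = ev["pid"], ev["target_pid"], ev["api"]
        if api in ALLOC_APIS:
            allocs[src].append(ev["ts"])
            continue
        if src == tgt:
            continue                      # self-modification is out of scope here
        if api in WRITE_APIS:
            writes[(src, tgt)].append(ev["ts"])
        elif api in THREAD_APIS:
            recent_writes = [t for t in writes[(src, tgt)] if ev["ts"] - t <= window]
            if not recent_writes:
                continue
            alloc_seen = any(ev["ts"] - t <= window for t in allocs[src])
            alerts.append({
                "ts": ev["ts"],
                "source_pid": src, "source_image": ev["image"],
                "target_pid": tgt, "target_image": ev["target_image"],
                "writes_in_window": len(recent_writes),
                "confidence": "high" if alloc_seen else "medium",
            })
            writes[(src, tgt)].clear()    # one alert per completed sequence
    return alerts


if __name__ == "__main__":
    for alert in detect_remote_injection(SAMPLE_TRACE):
        print(alert)
```

The default window only catches the tight dropper sequence; widening it to cover the svc.exe pair also promotes slow, legitimate cross-process writes into alerts, which is why the allocation step is used to grade confidence rather than to gate the alert.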

Likely telemetry

  • Endpoint process creation and command-line telemetry, especially cmd.exe and Visual Basic-related execution
  • Windows scheduled task creation, modification, and execution events
  • EDR memory/process injection alerts and cross-process activity metadata
  • File creation, archive/encryption indicators, suspicious media files, and invalid or misleading code-signature metadata
  • User and process discovery command telemetry

Detection direction

  • Do not rely on the APT37 name or aliases as the primary analytic key; map coverage to the related tools and techniques instead.
  • Tune for suspicious combinations: script or command execution followed by discovery, scheduled task persistence, obfuscated payload staging, local data access, and outbound RAT-like traffic.
  • Review allowlists and code-signing checks for binaries with invalid signatures or copied signature metadata, because visual trust can differ from cryptographic validation.
  • Account for false positives from administrators, software deployment tools, and legitimate scheduled tasks by baselining normal task names, paths, parent processes, and execution accounts.
  • Validate whether telemetry covers the Windows-heavy relationships while noting that some related ATT&CK techniques are cross-platform even though the group object lists no platforms.
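The detection direction above asks for a combination rather than a single indicator. As an added example (not code from MITRE, Glexia or the cited vendors), the Python below scores each host by how many distinct stages appear in its endpoint events: interpreter execution, discovery commands, persistence through a new scheduled task or a Run key, an encoded payload on a command line, and egress from a non-browser process to the consumer cloud services the T1102.002 row lists. The event schema, the baseline task names, the images allowed to create tasks and the sample events are constructed assumptions. The baseline is what keeps the administrator and deployment-tool activity below the threshold, as the false-positive note asks.

```python
"""Added example: correlate the stage combinations from the detection notes per host.

The event schema (host, type, image, cmdline, key, name, account, dest), the
baseline task names and the sample events are constructed assumptions, not
telemetry from any product or from the cited reporting."""
import re
from collections import defaultdict

# Script/command interpreters named in the ATT&CK rows for this group.
INTERPRETERS = {"cmd.exe", "wscript.exe", "cscript.exe", "python.exe", "ruby.exe", "powershell.exe"}
DISCOVERY_RE = re.compile(r"\b(whoami|tasklist|systeminfo|qprocess|net\s+user|wmic\s+process)\b", re.I)
BASE64_RE = re.compile(r"[A-Za-z0-9+/]{40,}={0,2}")          # long encoded token on a command line
RUN_KEY_RE = re.compile(r"\\Software\\Microsoft\\Windows\\CurrentVersion\\Run(Once)?\\", re.I)
BROWSERS = {"chrome.exe", "msedge.exe", "firefox.exe", "iexplore.exe"}
# Consumer cloud and social services the T1102.002 row lists as C2 channels.
CLOUD_C2_DOMAINS = ("dropbox.com", "pcloud.com", "box.com", "mediafire.com", "yandex.", "twitter.com")

# Hypothetical baseline: expected task names and images allowed to create tasks.
BASELINE_TASKS = {r"\Microsoft\Windows\Defrag\ScheduledDefrag", r"\Corp\InventoryScan"}
BASELINE_TASK_CREATORS = {"ccmexec.exe", "msiexec.exe"}

SAMPLE_EVENTS = [
    # WS-01: VBS run from Temp, discovery, new task, Run key, non-browser egress to a cloud host.
    {"host": "WS-01", "type": "process", "image": "wscript.exe",
     "cmdline": r"wscript.exe //B C:\Users\kim\AppData\Local\Temp\invite.vbs"},
    {"host": "WS-01", "type": "process", "image": "cmd.exe", "cmdline": "cmd.exe /c whoami & tasklist"},
    {"host": "WS-01", "type": "schtask", "image": "schtasks.exe", "name": r"\OneDriveUpdaterTask",
     "account": r"WS-01\kim"},
    {"host": "WS-01", "type": "registry", "image": "wscript.exe",
     "key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Updater"},
    {"host": "WS-01", "type": "netconn", "image": "rundll32.exe", "dest": "api.pcloud.com:443"},
    # WS-02: administrator activity that should stay below the alert threshold.
    {"host": "WS-02", "type": "process", "image": "cmd.exe", "cmdline": "cmd.exe /c systeminfo"},
    {"host": "WS-02", "type": "schtask", "image": "ccmexec.exe", "name": r"\Corp\InventoryScan",
     "account": "SYSTEM"},
    {"host": "WS-02", "type": "netconn", "image": "chrome.exe", "dest": "www.dropbox.com:443"},
    # WS-03: encoded command plus a Run key from an installer, two stages only.
    {"host": "WS-03", "type": "process", "image": "powershell.exe",
     "cmdline": "powershell.exe -NoP -EncodedCommand " + "QQ" * 30},
    {"host": "WS-03", "type": "registry", "image": "setup.exe",
     "key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\VendorAgent"},
]


def classify(ev):
    """Map one event to a stage name, or None if it is unremarkable or baselined."""
    kind = ev["type"]
    if kind == "process":
        cmd = ev.get("cmdline", "")
        if DISCOVERY_RE.search(cmd):
            return "discovery"
        if BASE64_RE.search(cmd):
            return "encoded_payload"
        if ev["image"].lower() in INTERPRETERS:
            return "execution"
    elif kind == "registry" and RUN_KEY_RE.search(ev["key"]):
        return "persistence"
    elif kind == "schtask":
        if ev["name"] in BASELINE_TASKS or ev["image"].lower() in BASELINE_TASK_CREATORS:
            return None                   # known task or known deployment tool
        return "persistence"
    elif kind == "netconn":
        dest = ev["dest"].lower()
        if ev["image"].lower() not in BROWSERS and any(d in dest for d in CLOUD_C2_DOMAINS):
            return "egress"
    return None


def correlate(events, min_stages=3):
    """Return hosts whose events cover at least `min_stages` distinct stages,
    with the sorted stage list and the contributing events as evidence."""
    stages = defaultdict(set)
    evidence = defaultdict(list)
    for ev in events:
        stage = classify(ev)
        if stage:
            stages[ev["host"]].add(stage)
            evidence[ev["host"]].append((stage, ev))
    return {host: {"stages": sorted(s), "evidence": evidence[host]}
            for host, s in stages.items() if len(s) >= min_stages}


if __name__ == "__main__":
    for host, hit in correlate(SAMPLE_EVENTS).items():
        print(host, hit["stages"])
```

The sample correlates over every event for a host; on real telemetry bound the correlation to a time window and tie the egress stage to the process lineage of the dropped script, otherwise a long-lived noisy host accumulates stages over weeks.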

Mitigation priorities

  • Prioritize endpoint visibility and response coverage for command execution, scheduled tasks, process injection, and suspicious file staging.
  • Harden script and command interpreter use through least privilege, application control, and administrative baselining where operationally feasible.
  • Enforce software patching and safe handling for document-processing applications relevant to the environment, including HWP where used.
  • Use egress controls, proxy/DNS logging, and anomaly review to make RAT and backdoor communications harder to hide.
  • Maintain sensitive-data handling, segmentation, and access controls so local data collection from a compromised host has limited business impact.

Analyst notes and limits

The strongest defensive value comes from the relationship context: APT37 is linked to multiple backdoors/RATs, a downloader, an exfiltration tool, Cobalt Strike, and techniques for execution, discovery, evasion, persistence, and collection. The official description also warns that North Korean group definitions overlap, so attribution labels should be handled cautiously in reporting and incident decisions.

MITRE supplies no official detection guidance, no group-level tactics, and no group-level platforms for this object. The listed relationships support behavioral planning but do not prove activity in any specific environment, current exploitation, or guaranteed detection coverage. Local asset inventory, telemetry availability, regional exposure, and intelligence requirements are needed to assess priority.

Official MITRE ATT&CK definition

The official description is reproduced at the top of this page. View the same entry on attack.mitre.org (MITRE-hosted reference; in-page links above use the Glexia ATT&CK library).

Glexia analysis

How security teams should use this page

Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.

ATT&CK relationship table

Techniques used

This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.

29 rows
Domain | ID | Name | Relationship / procedure
Enterprise | T1547.001 | Registry Run Keys / Startup Folder (sub-technique)

APT37 has added persistence via the Registry key HKCU\Software\Microsoft\Windows\CurrentVersion\Run\.[1][3]

Enterprise | T1120 | Peripheral Device Discovery

APT37 has a Bluetooth device harvester, which uses Windows Bluetooth APIs to find information on connected Bluetooth devices.[4]

Enterprise | T1059.006 | Python (sub-technique)

APT37 has used Python scripts to execute payloads.[Volexity InkySquid RokRAT August 2021]

Enterprise | T1105 | Ingress Tool Transfer

APT37 has downloaded second stage malware from compromised websites.[1][4][5][Volexity InkySquid RokRAT August 2021]

Enterprise | T1071.001 | Web Protocols (sub-technique)

APT37 uses HTTPS to conceal C2 communications.[3]

Enterprise | T1027.003 | Steganography (sub-technique)

APT37 uses steganography, sending users images with embedded shellcode.[3][4]

Enterprise | T1102.002 | Bidirectional Communication (sub-technique)

APT37 leverages social networking sites and cloud platforms (AOL, Twitter, Yandex, Mediafire, pCloud, Dropbox, and Box) for C2.[1][3]

Enterprise | T1082 | System Information Discovery

APT37 collects the computer name, the BIOS model, and execution path.[3]

Enterprise | T1204.002 | Malicious File (sub-technique)

APT37 has sent spearphishing attachments attempting to get a user to open them.[1]

Enterprise | T1036.001 | Invalid Code Signature (sub-technique)

APT37 has signed its malware with invalid digital certificates listed as “Tencent Technology (Shenzhen) Company Limited.”[2]

Enterprise | T1548.002 | Bypass User Account Control (sub-technique)

APT37 has a function in the initial dropper to bypass Windows UAC in order to execute the next payload with higher privileges.[4]

Enterprise | T1033 | System Owner/User Discovery

APT37 identifies the victim username.[3]

Enterprise | T1555.003 | Credentials from Web Browsers (sub-technique)

APT37 has used a credential stealer known as ZUMKONG that can harvest usernames and passwords stored in browsers.[1]

Enterprise | T1529 | System Shutdown/Reboot

APT37 has used malware that will issue the command shutdown /r /t 1 to reboot a system after wiping its MBR.[3]

Enterprise | T1005 | Data from Local System

APT37 has collected data from victims' local systems.[1]

Enterprise | T1559.002 | Dynamic Data Exchange (sub-technique)

APT37 has used Windows DDE for execution of commands and a malicious VBS.[2]

Enterprise | T1106 | Native API

APT37 leverages the Windows API calls: VirtualAlloc(), WriteProcessMemory(), and CreateRemoteThread() for process injection.[3]

Enterprise | T1203 | Exploitation for Client Execution

APT37 has used exploits for Flash Player (CVE-2016-4117, CVE-2018-4878), Word (CVE-2017-0199), Internet Explorer (CVE-2020-1380 and CVE-2020-26411), and Microsoft Edge (CVE-2021-26411) for execution.[2][1][3][5]

Enterprise | T1055 | Process Injection

APT37 injects its malware variant, ROKRAT, into the cmd.exe process.[3]

Enterprise | T1027 | Obfuscated Files or Information

APT37 obfuscates strings and payloads.[3][4][Volexity InkySquid RokRAT August 2021]

Enterprise | T1189 | Drive-by Compromise

APT37 has used strategic web compromises, particularly of South Korean websites, to distribute malware. The group has also used torrent file-sharing sites to disseminate malware to victims more indiscriminately. As part of these compromises, the group has used a JavaScript-based profiler called RICECURRY to profile a victim's web browser and deliver malicious code accordingly.[2][1][5]

Enterprise | T1057 | Process Discovery

APT37's Freenki malware lists running processes using the Microsoft Windows API.[3]

Enterprise | T1059 | Command and Scripting Interpreter

APT37 has used Ruby scripts to execute payloads.[Volexity InkySquid RokRAT August 2021]

Enterprise | T1059.003 | Windows Command Shell (sub-technique)

APT37 has used the command-line interface.[1][3]

Enterprise | T1566.001 | Spearphishing Attachment (sub-technique)

APT37 delivers malware using spearphishing emails with malicious HWP attachments.[1][3][4]

Enterprise | T1123 | Audio Capture

APT37 has used an audio capturing utility known as SOUNDWAVE that captures microphone input.[1]

Enterprise | T1059.005 | Visual Basic (sub-technique)

APT37 executes shellcode and a VBA script to decode Base64 strings.[3]

Enterprise | T1053.005 | Scheduled Task (sub-technique)

APT37 has created scheduled tasks to run malicious scripts on a compromised host.[Volexity InkySquid RokRAT August 2021]

Enterprise | T1561.002 | Disk Structure Wipe (sub-technique)

APT37 has access to destructive malware that is capable of overwriting a machine's Master Boot Record (MBR).[1][3]
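The T1027.003 row says APT37 delivered images with embedded shellcode, and the telemetry list above asks for "suspicious media files". As an added example (not code from MITRE, Glexia or the cited vendors), the Python below walks a PNG's chunks or a JPEG's segments to the real end of the image and reports any bytes after it, with the trailer's Shannon entropy. This catches the common appended-payload pattern, where a viewer renders the image and ignores what follows; it does not detect pixel-level (LSB) steganography, which needs statistical analysis of the image data itself. The sample images are constructed inside the block, including a tiny valid PNG, so the check runs offline.

```python
"""Added example: find data appended after an image's real end marker and
report its entropy (one way shellcode rides inside an otherwise valid image).
The sample images are constructed below; nothing here is from the cited reports."""
import math
import struct
import zlib
from collections import Counter

PNG_SIG = b"\x89PNG\r\n\x1a\n"


def shannon_entropy(data):
    """Bits per byte; 8.0 means every byte value is equally common."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def png_image_end(data):
    """Walk PNG chunks and return the offset just past IEND, or None if malformed."""
    if not data.startswith(PNG_SIG):
        return None
    pos = len(PNG_SIG)
    while pos + 8 <= len(data):
        length, ctype = struct.unpack(">I4s", data[pos:pos + 8])
        pos += 8 + length + 4            # length/type header, chunk data, CRC
        if pos > len(data):
            return None
        if ctype == b"IEND":
            return pos
    return None


def jpeg_image_end(data):
    """Walk JPEG segments, skip entropy-coded scan data, return the offset past EOI."""
    if not data.startswith(b"\xff\xd8"):
        return None
    pos = 2
    while pos + 2 <= len(data):
        if data[pos] != 0xFF:
            return None
        marker = data[pos + 1]
        if marker == 0xD9:                              # EOI: end of image
            return pos + 2
        if marker in (0x01, 0xD8) or 0xD0 <= marker <= 0xD7:
            pos += 2                                    # standalone markers carry no length
            continue
        if pos + 4 > len(data):
            return None
        pos += 2 + struct.unpack(">H", data[pos + 2:pos + 4])[0]
        if marker == 0xDA:                              # SOS: scan data runs until a real marker
            while pos + 1 < len(data):
                nxt = data[pos + 1]
                if data[pos] == 0xFF and nxt != 0x00 and not 0xD0 <= nxt <= 0xD7:
                    break                               # skip stuffed FF00 and RSTn markers
                pos += 1
    return None


def analyze_image(data, min_trailer=16, high_entropy=7.0):
    """Classify bytes after the image end; short trailers are ignored because
    some legitimate tools append small metadata blocks."""
    if data.startswith(PNG_SIG):
        fmt, end = "png", png_image_end(data)
    elif data.startswith(b"\xff\xd8"):
        fmt, end = "jpeg", jpeg_image_end(data)
    else:
        return {"format": "unknown", "verdict": "unparsed"}
    if end is None:
        return {"format": fmt, "verdict": "malformed"}
    trailer = data[end:]
    ent = shannon_entropy(trailer)
    if len(trailer) < min_trailer:
        verdict = "clean"
    elif ent > high_entropy:
        verdict = "suspicious-high-entropy"
    else:
        verdict = "suspicious"
    return {"format": fmt, "image_end": end, "trailer_len": len(trailer),
            "trailer_entropy": round(ent, 2), "verdict": verdict}


# Constructed samples (hypothetical files, not real artifacts).
def _png_chunk(ctype, payload):
    body = ctype + payload
    return struct.pack(">I", len(payload)) + body + struct.pack(">I", zlib.crc32(body) & 0xFFFFFFFF)

# Valid 1x1 8-bit grayscale PNG (opens in a viewer).
CLEAN_PNG = (PNG_SIG
             + _png_chunk(b"IHDR", struct.pack(">IIBBBBB", 1, 1, 8, 0, 0, 0, 0))
             + _png_chunk(b"IDAT", zlib.compress(b"\x00\x00"))
             + _png_chunk(b"IEND", b""))
# Same image with a 512-byte high-entropy blob after IEND, standing in for shellcode.
STUFFED_PNG = CLEAN_PNG + bytes(range(256)) * 2
# Minimal JPEG skeleton: SOI, APP0, SOS whose scan data holds a stuffed FF00 and an RST marker, EOI.
CLEAN_JPEG = (b"\xff\xd8"
              + b"\xff\xe0" + struct.pack(">H", 16) + b"JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00"
              + b"\xff\xda" + struct.pack(">H", 8) + b"\x01\x01\x00\x00\x3f\x00"
              + b"\x12\xff\x00\x34\xff\xd0\x56"
              + b"\xff\xd9")
STUFFED_JPEG = CLEAN_JPEG + b"\x90" * 40      # low-entropy trailer, still flagged by length
```

Treat "suspicious" as a triage queue rather than a block verdict: the length threshold exists because editors and camera firmware sometimes leave small trailers, while a long high-entropy trailer on a mail attachment or in a browser cache is what deserves analyst time.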

Associated objects

Groups, software, and campaigns (bracketed citation numbers inside the software descriptions below belong to each software object's own reference list, not to the numbered sources at the end of this page)

Malware (Enterprise)

S0154: Cobalt Strike

Cobalt Strike is a commercial, full-featured, remote access tool that bills itself as “adversary simulation software designed to execute targeted attacks and emulate the post-exploitation actions of advanced threat actors”. Cobalt Strike’s interactive post-exploit capabilities cover the full range of ATT&CK tactics, all executed within a single, integrated system.[1]

In addition to its own capabilities, Cobalt Strike leverages the capabilities of other well-known tools such as Metasploit and Mimikatz.[1]

Platforms: Linux, macOS, Windows
Malware (Enterprise)

S0247: NavRAT

NavRAT is a remote access tool designed to upload, download, and execute files. It has been observed in attacks targeting South Korea.[1]

Platforms: Windows
Malware (Enterprise)

S0213: DOGCALL

DOGCALL is a backdoor used by APT37 that has been used to target South Korean government and military organizations in 2017. It is typically dropped using a Hangul Word Processor (HWP) exploit.[1]

Platforms: Windows

Change history

Object version and sync metadata

The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, the same object can be compared across releases by object hash and MITRE timestamp. For MITRE's own release notes and roadmap, see ATT&CK resources: Updates.

  • ATT&CK release: 19.1
  • Object version: 2.0
  • Raw hash: 2b373c2810d3dfc8... (truncated)
  • Imported snapshots across ATT&CK releases: 1 (release 19.1, object version 2.0, current bundle, same hash)

Raw source

Mirrored ATT&CK source object

The raw object is retained through the mirrored ATT&CK source bundle and object hash; the raw endpoint returns the exact object from the mirrored bundle when available.

Source references

External references and citations

MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.

  [1] FireEye APT37 Feb 2018: FireEye. (2018, February 20). APT37 (Reaper): The Overlooked North Korean Actor. Retrieved November 17, 2024.
  [2] Securelist ScarCruft Jun 2016: Raiu, C., and Ivanov, A. (2016, June 17). Operation Daybreak. Retrieved February 15, 2018.
  [3] Talos Group123: Mercer, W., Rascagneres, P. (2018, January 16). Korea In The Crosshairs. Retrieved May 21, 2018.
  [4] Securelist ScarCruft May 2019: GReAT. (2019, May 13). ScarCruft continues to evolve, introduces Bluetooth harvester. Retrieved June 4, 2019.
  [5] Volexity InkySquid BLUELIGHT August 2021: Cash, D., Grunzweig, J., Meltzer, M., Adair, S., Lancaster, T. (2021, August 17). North Korean APT InkySquid Infects Victims Using Browser Exploits. Retrieved September 30, 2021.
  [7] CrowdStrike Richochet Chollima September 2021: CrowdStrike. (2021, September 30). Adversary Profile - Ricochet Chollima. Retrieved September 30, 2021.
  [14] mitre-attack G0067: the MITRE-hosted entry for this group on attack.mitre.org.

The relationship notes for T1059.006, T1105, T1027, T1059, and T1053.005 also cite the source key "Volexity InkySquid RokRAT August 2021", which is not included in the mirrored reference records above.

Associated group names (ATT&CK aliases, each with the source record that uses the name):

  • APT37: FireEye APT37 Feb 2018
  • Group123: FireEye APT37 Feb 2018
  • InkySquid: Volexity InkySquid BLUELIGHT August 2021
  • Reaper: FireEye APT37 Feb 2018
  • Ricochet Chollima: CrowdStrike Richochet Chollima September 2021
  • ScarCruft: Securelist ScarCruft Jun 2016; FireEye APT37 Feb 2018; Securelist ScarCruft May 2019
  • TEMP.Reaper: FireEye APT37 Feb 2018
Source and licensing

Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.