2012
Spying on South Korean users.
2016
Operation “Erebus”
https://www.trendmicro.com/vinfo/us/security/news/cyber-attacks/erebus-linux-ransomware-impact-to-servers-and-countermeasures
2016-03
Operation “Daybreak”
Target: High profile victims.
Method: Previously unknown (0-day) Adobe Flash Player exploit. It is also possible that the group deployed another zero day exploit, CVE-2016-0147, which was patched in April.
https://securelist.com/operation-daybreak/75100/
Note: not the same operation as {{DarkHotel}}’s Operation “Daybreak”.
2016-08
Operation “Golden Time”
Target: South Korean users.
Method: spear-phishing emails combined with malicious HWP documents created using Hancom Hangul Office Suite
2016-11
Operation “Evil New Year”
Target: South Korean users.
Method: spear-phishing emails combined with malicious HWP documents created using Hancom Hangul Office Suite.
2017-03
Operation “Are You Happy?”
Target: South Korean users.
Method: Not only to gain access to the remote infected systems but to also wipe the first sectors of the device.
2017-05
Operation “FreeMilk”
Target: Several non-Korean financial institutions.
Method: A malicious Microsoft Office document, a deviation from their normal use of Hancom documents.
https://unit42.paloaltonetworks.com/unit42-freemilk-highly-targeted-spear-phishing-campaign/
2017-11
Operation “North Korean Human Right”
Target: South Korean users.
Method: Spear-phishing emails combined with malicious HWP documents created using Hancom Hangul Office Suite.
2017-12
Operation “Fractured Block”
https://unit42.paloaltonetworks.com/unit42-the-fractured-block-campaign-carrotbat-malware-used-to-deliver-malware-targeting-southeast-asia/
2018-01
Operation “Evil New Year 2018”
Target: South Korean users.
Method: Spear-phishing emails combined with malicious HWP documents created using Hancom Hangul Office Suite.
2018-03
Operation “Battle Cruiser”
https://blog.alyac.co.kr/1625
2018-04
Operation “Star Cruiser”
http://blog.alyac.co.kr/1653
2018-05
Operation “Onezero”
https://brica.de/alerts/alert/public/1215993/analysis-of-apt-attack-on-operation-onezero-conducted-as-a-document-on-panmunjom-declaration/
2018-08
Operation “Rocket Man”
https://brica.de/alerts/alert/public/1226363/the-latest-apt-campaign-of-venus-121-group-operation-rocket-man/
2018-11
Operation “Korean Sword”
https://brica.de/alerts/alert/public/1252896/venus-121-apt-organization-operation-high-expert/
2019-01
Operation “Holiday Wiper”
https://brica.de/alerts/alert/public/1252896/venus-121-apt-organization-operation-high-expert/
2019-03
Operation “Golden Bird”
https://brica.de/alerts/alert/public/1252896/venus-121-apt-organization-operation-high-expert/
2019-03
Operation “High Expert”
https://brica.de/alerts/alert/public/1252896/venus-121-apt-organization-operation-high-expert/
2019-04
Operation “Black Banner”
https://brica.de/alerts/alert/public/1257351/venus-121-rocketman-campaign-operation-black-banner-apt-attack/
2019-05
We recently discovered some interesting telemetry on this actor, and decided to dig deeper into ScarCruft’s recent activity. This shows that the actor is still very active and constantly trying to elaborate its attack tools. Based on our telemetry, we can reassemble ScarCruft’s binary infection procedure. It used a multi-stage binary infection to update each module effectively and evade detection.
https://securelist.com/scarcruft-continues-to-evolve-introduces-bluetooth-harvester/90729/
2019-07
Operation “Fractured Statue”
https://unit42.paloaltonetworks.com/the-fractured-statue-campaign-u-s-government-targeted-in-spear-phishing-attacks/
2019-09
Operation “Dragon messenger”
https://blog.alyac.co.kr/attachment/cfile1.uf@99A46A405DC8E3031C9E2A.pdf
2020-01
North Korean APT used VBA self decode technique to inject RokRat
https://blog.malwarebytes.com/threat-analysis/2021/01/retrohunting-apt37-north-korean-apt-used-vba-self-decode-technique-to-inject-rokrat/
2020-03
Operation “Spy Cloud”
https://blog.alyac.co.kr/attachment/cfile8.uf@9977CF405E81A09B1C4CE2.pdf
2020-12
North Korean software supply chain attack targets stock investors
https://www.bleepingcomputer.com/news/security/north-korean-software-supply-chain-attack-targets-stock-investors/
https://blog.alyac.co.kr/3489
2021-03
ScarCruft surveilling North Korean defectors and human rights activists
https://securelist.com/scarcruft-surveilling-north-korean-defectors-and-human-rights-activists/105074/
2021-04
North Korean APT InkySquid Infects Victims Using Browser Exploits
https://www.volexity.com/blog/2021/08/17/north-korean-apt-inkysquid-infects-victims-using-browser-exploits/
https://www.volexity.com/blog/2021/08/24/north-korean-bluelight-special-inkysquid-deploys-rokrat/
2021-04
Who’s swimming in South Korean waters? Meet ScarCruft’s Dolphin
https://www.welivesecurity.com/2022/11/30/whos-swimming-south-korean-waters-meet-scarcrufts-dolphin/
2021-07
New variant of Konni malware used in campaign targetting Russia
https://blog.malwarebytes.com/threat-intelligence/2021/08/new-variant-of-konni-malware-used-in-campaign-targetting-russia/
2021-12
North Korean hackers target Russian diplomats using New Year greetings
https://therecord.media/north-korean-hackers-attack-russian-diplomats-using-new-year-greetings/
https://blog.lumen.com/new-konni-campaign-targeting-russian-ministry-of-foreign-affairs/
2022-01
KONNI evolves into stealthier RAT
https://blog.malwarebytes.com/threat-intelligence/2022/01/konni-evolves-into-stealthier-rat/
2022-03
The ink-stained trail of GOLDBACKDOOR
https://stairwell.com/news/threat-research-the-ink-stained-trail-of-goldbackdoor/
2022-03
Lookout Discovers New Spyware by North Korean APT37
https://www.lookout.com/threat-intelligence/article/lookout-discovers-new-spyware-by-north-korean-apt37
2022-05
Comrades in Arms? | North Korea Compromises Sanctioned Russian Missile Engineering Company
https://www.sentinelone.com/labs/comrades-in-arms-north-korea-compromises-sanctioned-russian-missile-engineering-company/
2022-07
Operation “STIFF#BIZON”
The Securonix Threat Research (STR) team has been observing and investigating a new attack campaign exploiting high-value targets, including Czech Republic, Poland, and other countries.
https://www.securonix.com/blog/stiffbizon-detection-new-attack-campaign-observed/
2022-09
Meeting the “Ministrer”
https://www.fortinet.com/blog/threat-research/konni-rat-phishing-email-deploying-malware
2022-10
Internet Explorer 0-day exploited by North Korean actor APT37
https://blog.google/threat-analysis-group/internet-explorer-0-day-exploited-by-north-korean-actor-apt37/
2023-01
RedEyes hackers use new malware to steal data from Windows, phones
https://www.bleepingcomputer.com/news/security/redeyes-hackers-use-new-malware-to-steal-data-from-windows-phones/
2023-02
HWP Malware Using the Steganography Technique: RedEyes (ScarCruft)
https://asec.ahnlab.com/en/48063/
2023-03
CHM Malware Disguised as Security Email from a Korean Financial Company: Redeyes (Scarcruft)
https://asec.ahnlab.com/en/49089/
2023-04
RokRAT Malware Distributed Through LNK Files (*.lnk): RedEyes (ScarCruft)
https://asec.ahnlab.com/en/51751/
2023-04
ITG10 Likely Targeting South Korean Entities of Interest to the Democratic People’s Republic of Korea (DPRK)
https://securityintelligence.com/posts/itg10-targeting-south-korean-entities/
2023-05
Tracking Traces of Malware Disguised as Hancom Office Document File and Being Distributed (RedEyes)
https://asec.ahnlab.com/en/53377/
2023-05
RedEyes Group Wiretapping Individuals (APT37)
https://asec.ahnlab.com/en/54349/
2023-07
Operation “STARK#MULE”
Detecting Ongoing STARK#MULE Attack Campaign Targeting Victims Using US Military Document Lures
https://www.securonix.com/blog/detecting-ongoing-starkmule-attack-campaign-targeting-victims-using-us-military-document-lures/
2023-09
Distribution of Backdoor via Malicious LNK: RedEyes (ScarCruft)
https://asec.ahnlab.com/en/56756/
2023-09
RedEyes (ScarCruft)’s CHM Malware Using the Topic of Fukushima Wastewater Release
https://asec.ahnlab.com/en/56857/
2023-12
Distribution of Phishing Email Under the Guise of Personal Data Leak (Konni)
https://asec.ahnlab.com/en/59763/
2023-12
ScarCruft | Attackers Gather Strategic Intelligence and Target Cybersecurity Professionals
https://www.sentinelone.com/labs/a-glimpse-into-future-scarcruft-campaigns-attackers-gather-strategic-intelligence-and-target-cybersecurity-professionals/
2024-08
AhnLab and NCSC Release Joint Report on Microsoft Zero-Day Browser Vulnerability (CVE-2024-38178)
https://asec.ahnlab.com/en/83877/
2024-09
Kimsuky-linked hackers use similar tactics to attack Russia and South Korea, researchers say
https://therecord.media/kimsuky-north-korea-hackers-targeting-russia-south-korea
2024-09
Operation “SHROUDED#SLEEP”
SHROUDED#SLEEP: A Deep Dive into North Korea’s Ongoing Campaign Against Southeast Asia
https://www.securonix.com/blog/shroudedsleep-a-deep-dive-into-north-koreas-ongoing-campaign-against-southeast-asia/
2025-03
Operation “ToyBox Story”
Analysis of APT37 Attack Case Disguised as a Think Tank for National Security Strategy in South Korea (Operation. ToyBox Story)
https://www.genians.co.kr/en/blog/threat_intelligence/toybox-story