APT37
APT Group
Information theft and espionage
32 zero-day CVEs
ETDA ✓
Also Known As 16 names
APT 37
APT-C-28
ATK4
G0067
Group 123
Group123
InkySquid
Moldy Pisces
Operation Daybreak
Operation Erebus
Reaper
Reaper Group
Red Eyes
Ricochet Chollima
ScarCruft
Venus 121
Target Countries 18
Australia
Belgium
China
France
United Kingdom
Hong Kong
India
Japan
Cambodia
Republic of Korea
Kuwait
Nepal
Poland
Romania
Thailand
United States
Bolivarian Republic of Venezuela
Vietnam
Sectors Targeted
High-Tech
Financial
Aerospace
Automotive
Education
Healthcare
Freight Transportation Arrangement (NAICS 48851)
Personal Care Services (NAICS 8121)
Data Processing, Hosting, and Related Services (NAICS 51821)
Government
Investigation, Guard, and Armored Car Services (NAICS 56161)
National Security and International Affairs (NAICS 9281)
Other Amusement and Recreation Industries (NAICS 7139)
Media
Chemical
Transportation
Technology
Educational Support Services (NAICS 6117)
Manufacturing
Management, Scientific, and Technical Consulting Services (NAICS 5416)
Details
Origin: 🇰🇵 KP
Last Updated: 01 Jun 2022
Malware Families 7
chinotto
open_carrot
goldbackdoor
freenki
kevdroid
poorweb
rambleon
MITRE ATT&CK 203
T1001
T1003 - OS Credential Dumping
T1005 - Data from Local System
T1007
T1008 - Fallback Channels
T1010
T1011
T1012 - Query Registry
T1016 - System Network Configuration Discovery
T1018 - Remote System Discovery
T1020 - Automated Exfiltration
T1021
T1021.001 - Remote Desktop Protocol
T1021.006 - Windows Remote Management
T1025 - Data from Removable Media
T1027 - Obfuscated Files or Information
T1027.002 - Software Packing
T1027.003
T1033 - System Owner/User Discovery
T1036 - Masquerading
T1036.001
T1036.003 - Rename System Utilities
T1036.004 - Masquerade Task or Service
T1036.005 - Match Legitimate Name or Location
T1039
T1041 - Exfiltration Over C2 Channel
T1043
T1046
T1047
T1048
T1049 - System Network Connections Discovery
T1053 - Scheduled Task/Job
T1053.005 - Scheduled Task
T1055 - Process Injection
T1055.001 - Dynamic-link Library Injection
T1055.009 - Proc Memory
T1055.012 - Process Hollowing
T1055.013 - Process Doppelgänging
T1056 - Input Capture
T1056.001 - Keylogging
T1056.002 - GUI Input Capture
T1057 - Process Discovery
T1059 - Command and Scripting Interpreter
T1059.001 - PowerShell
T1059.003 - Windows Command Shell
T1059.005 - Visual Basic
T1059.006
T1059.007 - JavaScript
T1060
T1064
T1068 - Exploitation for Privilege Escalation
T1070 - Indicator Removal on Host
T1070.001 - Clear Windows Event Logs
T1070.004 - File Deletion
T1071 - Application Layer Protocol
T1071.001 - Web Protocols
T1071.004 - DNS
T1072
T1074 - Data Staged
T1078 - Valid Accounts
T1080
T1081
T1082 - System Information Discovery
T1083 - File and Directory Discovery
T1085
T1087
T1087.001 - Local Account
T1090 - Proxy
T1094
T1095
T1098
T1102 - Web Service
T1102.002 - Bidirectional Communication
T1104 - Multi-Stage Channels
T1105 - Ingress Tool Transfer
T1106 - Native API
T1107
T1110
T1112 - Modify Registry
T1113 - Screen Capture
T1114 - Email Collection
T1114.001
T1115
T1119
T1120
T1123 - Audio Capture
T1124 - System Time Discovery
T1125 - Video Capture
T1127
T1130
T1132 - Data Encoding
T1132.001 - Standard Encoding
T1133
T1134 - Access Token Manipulation
T1135 - Network Share Discovery
T1136
T1137
T1140 - Deobfuscate/Decode Files or Information
T1146
T1170
T1176 - Browser Extensions
T1189 - Drive-by Compromise
T1190 - Exploit Public-Facing Application
T1193
T1195 - Supply Chain Compromise
T1197
T1199 - Trusted Relationship
T1203 - Exploitation for Client Execution
T1204 - User Execution
T1204.001 - Malicious Link
T1204.002 - Malicious File
T1212
T1213
T1217 - Browser Bookmark Discovery
T1218 - Signed Binary Proxy Execution
T1218.005 - Mshta
T1218.011 - Rundll32
T1404 - Exploit OS Vulnerability
T1412 - Capture SMS Messages
T1418
T1420
T1426
T1429 - Capture Audio
T1430
T1432 - Access Contact List
T1444
T1481
T1485 - Data Destruction
T1486
T1489
T1490 - Inhibit System Recovery
T1495
T1496 - Resource Hijacking
T1497 - Virtualization/Sandbox Evasion
T1497.003
T1498 - Network Denial of Service
T1503
T1505
T1512 - Capture Camera
T1514 - Elevated Execution with Prompt
T1518 - Software Discovery
T1528
T1529 - System Shutdown/Reboot
T1530
T1531 - Account Access Removal
T1532
T1537
T1539 - Steal Web Session Cookie
T1543
T1546 - Event Triggered Execution
T1547 - Boot or Logon Autostart Execution
T1547.001 - Registry Run Keys / Startup Folder
T1548
T1548.002
T1550
T1552
T1553 - Subvert Trust Controls
T1555
T1555.003 - Credentials from Web Browsers
T1559 - Inter-Process Communication
T1559.002
T1560 - Archive Collected Data
T1560.001 - Archive via Utility
T1561
T1561.002
T1562 - Impair Defenses
T1562.001
T1564 - Hide Artifacts
T1564.007 - VBA Stomping
T1566 - Phishing
T1566.001 - Spearphishing Attachment
T1567 - Exfiltration Over Web Service
T1569
T1570
T1571 - Non-Standard Port
T1573 - Encrypted Channel
T1573.001 - Symmetric Cryptography
T1574 - Hijack Execution Flow
T1574.001 - DLL Search Order Hijacking
T1583 - Acquire Infrastructure
T1584 - Compromise Infrastructure
T1585
T1587
T1588.001 - Malware
T1588.002 - Tool
T1588.004 - Digital Certificates
T1595
T1598
T1602 - Data from Configuration Repository
T1606
T1608
TA0002
TA0003
TA0004
TA0005
TA0006
TA0007
TA0009
TA0011
TA0028
TA0034
TA0037
TA0040
Related Zero-Days 32
CVE-2016-4171
CVE-2017-0199
CVE-2017-8291
CVE-2018-8174
CVE-2020-1380
CVE-2020-1472
CVE-2021-26855
CVE-2022-0609
CVE-2022-3236
CVE-2022-41128
CVE-2022-42475
CVE-2023-20109
CVE-2023-20198
CVE-2023-22515
CVE-2023-36884
CVE-2023-38831
CVE-2023-46604
CVE-2023-4966
CVE-2024-21412
CVE-2024-23222
CVE-2024-38112
CVE-2024-38178
CVE-2024-38193
CVE-2024-4040
CVE-2024-43093
CVE-2024-43461
CVE-2024-47575
CVE-2025-1316
CVE-2025-27363
CVE-2025-6218
CVE-2025-8088
CVE-2025-9491