Who is APT37?
APT37 is a North Korean state-sponsored cyber-espionage group. It is also known as Reaper and has been active since 2012. The group's main mission is gathering intelligence for North Korea.
It mainly targets the South Korean government and military, but it also goes after key industries and individuals, including defectors, journalists, and human rights groups.
The group has been linked to several high-profile attacks, including a cyberattack on the 2018 South Korean Winter Olympics.
Common Tactics and Tools
APT37 uses a variety of methods for initial access. These include spear-phishing, watering hole attacks, and zero-day vulnerabilities.
A distinctive trait is their exploitation of software popular in South Korea, particularly the Hangul Word Processor (HWP).
They maintain a large and growing set of malware, which they modify frequently to evade detection.
- RokRAT: One of the group’s main backdoors. This Remote Access Trojan (RAT) can log keystrokes, take screenshots, and steal files. Attackers often deliver it using malicious HWP files.
- DOGCALL: A backdoor used for early-stage reconnaissance. After initial compromise, it gathers system information and downloads additional malware.
- WINERACK: A powerful RAT that gives attackers full remote control. They often use it on high-value targets for long-term spying.
How to Defend Against APT37
Defending against APT37 requires robust technical controls combined with awareness of the group's methods.
- Patch region-specific software: Patching the Hangul Word Processor is a top priority. Organizations in or dealing with South Korea must treat HWP security with great urgency.
- Enhance phishing defenses: Use email gateways to sandbox and inspect attachments, especially HWP files. Train users to be suspicious of emails carrying such attachments, particularly when the topic relates to Korean political affairs.
- Restrict script and macro execution: Set policies to block or disable macros in all office software, including HWP. This stops malicious code from running.
- Build an integrated security stack: Make your security tools work together. An integrated stack shares data between endpoint, network, and cloud security. This provides a full view of an attack and helps you respond faster.
- Segment your network: Divide your network into smaller, isolated zones. This contains any breach. If an attacker gets into one area, segmentation stops them from reaching critical systems. Monitor traffic between these zones to spot intruders.
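The attachment checks described under "Enhance phishing defenses" can be expressed as a small gateway triage rule: route document formats that APT37 favours (HWP first among them) to a detonation sandbox, and block attachments whose content does not match their claimed type or that carry an executable behind a document-looking name. The code below is an added example, not code from the original article or from any vendor product; the magic-byte table, the verdict names (`allow`, `sandbox`, `block`) and the sample attachments are all constructed for illustration.

```python
"""Mail-gateway attachment triage (added example, not part of the original article).

Decisions:
  block   - executable/script attachment, extension/content mismatch, or a
            document-looking name hiding an executable ("report.hwp.scr").
  sandbox - any document format worth detonating before delivery (HWP/HWPX,
            legacy and OOXML Office files, PDF).
  allow   - everything else.
"""
from __future__ import annotations
from dataclasses import dataclass, field

# File signatures (assumed well-known container magics, not taken from the article).
OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"   # Compound File Binary: HWP 5.x, legacy Office
ZIP_MAGIC = b"PK\x03\x04"                            # HWPX and OOXML are zip containers
PDF_MAGIC = b"%PDF-"
PE_MAGIC = b"MZ"                                     # Windows executable

EXPECTED_MAGIC = {
    ".hwp": OLE_MAGIC, ".doc": OLE_MAGIC, ".xls": OLE_MAGIC, ".ppt": OLE_MAGIC,
    ".hwpx": ZIP_MAGIC, ".docx": ZIP_MAGIC, ".xlsx": ZIP_MAGIC, ".pptx": ZIP_MAGIC,
    ".pdf": PDF_MAGIC,
}
SANDBOX_EXTS = set(EXPECTED_MAGIC)                   # document types always detonated first
EXEC_EXTS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".js", ".jse",
             ".vbs", ".wsf", ".hta", ".lnk"}


@dataclass
class Verdict:
    action: str                                      # "allow", "sandbox" or "block"
    reasons: list[str] = field(default_factory=list)


def split_exts(filename: str) -> list[str]:
    """'agenda.hwp.scr' -> ['.hwp', '.scr']; 'minutes' -> []."""
    parts = filename.lower().split(".")
    return ["." + p for p in parts[1:]]


def triage(filename: str, data: bytes) -> Verdict:
    exts = split_exts(filename)
    last = exts[-1] if exts else ""
    reasons: list[str] = []

    if last in EXEC_EXTS:
        reasons.append(f"executable or script attachment ({last})")
    if len(exts) >= 2 and exts[-2] in SANDBOX_EXTS and last in EXEC_EXTS:
        reasons.append("double extension: document name hiding an executable")
    if data.startswith(PE_MAGIC):
        reasons.append("content is a Windows executable (MZ header)")
    expected = EXPECTED_MAGIC.get(last)
    if expected is not None and not data.startswith(expected):
        reasons.append(f"{last} extension but content does not match that format")

    if reasons:
        return Verdict("block", reasons)
    if last in SANDBOX_EXTS:
        return Verdict("sandbox", [f"{last} document is detonated before delivery"])
    if data.startswith(OLE_MAGIC):
        # Document container arriving under an unexpected or missing extension.
        return Verdict("sandbox", ["OLE container with unexpected extension"])
    return Verdict("allow", [])


def triage_batch(samples: dict[str, bytes]) -> dict[str, Verdict]:
    return {name: triage(name, data) for name, data in samples.items()}


# Constructed sample attachments; only the leading bytes matter for this check.
SAMPLES = {
    "agenda.hwp": OLE_MAGIC + b"\x00" * 24,          # plausible HWP 5.x container
    "agenda.hwp.scr": PE_MAGIC + b"\x90\x00\x03\x00",  # executable behind a document name
    "notes.hwp": PE_MAGIC + b"\x90\x00",               # executable renamed to .hwp
    "minutes.txt": b"plain text body",
}

if __name__ == "__main__":
    for name, verdict in triage_batch(SAMPLES).items():
        print(f"{name:18} {verdict.action:8} {'; '.join(verdict.reasons)}")
```

In a real gateway the `sandbox` verdict would hand the file to a detonation service and hold the message until the result returns; the point of the `block` path is that it needs no sandbox at all, since a mismatch between the extension and the first bytes of the file is decisive on its own.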