APT37 — ScarCruft
Executive Profile (BLUF)
APT37 — also tracked as ScarCruft, Reaper, Group123, TEMP.Reaper, and InkySquid — is a North Korea state-sponsored cyber espionage group active since at least 2012. Unlike the Reconnaissance General Bureau (RGB)-aligned DPRK cyber actors (Lazarus Group, APT38 — Bluenoroff, Kimsuky, Andariel), APT37 is attributed to the Ministry of State Security (MSS) — the DPRK organ responsible for internal security, border surveillance, and counter-defector operations. This organizational placement is reflected directly in the group’s targeting profile, which prioritizes North Korean defectors, defector-support organizations, humanitarian groups operating along the DPRK-PRC border, and DPRK-focused journalism over the policy-and-government collection mission characteristic of Kimsuky.
Attribution correction (critical): APT37/ScarCruft is the MSS-linked DPRK cyber group. Kimsuky is RGB-linked. This is the most commonly confused attribution pairing in DPRK cyber analysis, and the error runs in both directions across secondary sources. Mandiant’s 2023 organizational mapping states explicitly: “APT37’s previous campaigns targeting foreign joint venture partners as well as threat activity against defectors, defector support organizations, and humanitarian organizations indicate APT37’s activities most likely align with the agenda of MSS.” The MSS’s institutional mandate — internal security, defector tracking, border control, and counter-intelligence — maps cleanly onto APT37’s documented victimology over a decade of operations.
Operationally, APT37 is distinguished from other DPRK cyber actors by its consistent willingness to invest in zero-day exploitation rather than relying purely on social engineering. The group has burned multiple zero-days against narrowly scoped target sets, indicating both the technical capability and the priority weighting that the MSS places on the targets in question.
Organizational Structure / Parent Hierarchy
APT37 is attributed to the DPRK Ministry of State Security (MSS) — sometimes rendered as the State Security Department (SSD), depending on translation convention. The MSS is the DPRK’s principal civilian security and counter-intelligence agency, structurally and functionally distinct from the Reconnaissance General Bureau (RGB), the military intelligence organ.
Functional differentiation:
- MSS mandate — internal security, regime protection, border surveillance, counter-defector operations, foreign counter-intelligence, monitoring of DPRK citizens abroad
- RGB mandate — foreign intelligence collection, special operations, cyber operations for revenue and disruption
APT37’s victimology — overwhelmingly weighted toward defectors, defector-support networks, humanitarian organizations along the DPRK-PRC border, and the journalists who report on these communities — aligns precisely with the MSS counter-defector mission. The intelligence value of these targets is not foreign policy collection (which is the RGB/Kimsuky lane) but regime preservation through tracking, harassment, and disruption of the defector ecosystem.
DPRK cyber-organizational mapping (current best open-source assessment):
- MSS — APT37 — ScarCruft (counter-defector espionage, regime preservation)
- RGB 5th Bureau — Kimsuky (geopolitical/peninsula intelligence)
- RGB Lab 110 / 121 Bureau lineage — Lazarus Group (broad cyber operations)
- RGB sub-element — APT38 — Bluenoroff (financial sector heists)
- RGB sub-element — Andariel (defense, aerospace, ransomware)
Analysts citing APT37 attribution should be alert to vendor reports and aggregators that conflate APT37 with RGB-aligned groups. The MSS attribution is the analytically supported placement.
Mission & Targeting Profile
APT37’s mission is regime preservation through counter-defector and counter-dissident operations, executed through the MSS chain of command. Targeting is consistent over a decade and clusters around the MSS portfolio.
Primary targets:
- North Korean defectors residing in ROK, third countries, and the United States
- Defector-support NGOs and humanitarian organizations (DPRK human rights groups, escape network operators)
- South Korean media organizations and individual journalists covering DPRK
- South Korean academic and policy researchers focused on defector issues and human rights
- ROK government bodies handling defector resettlement (Ministry of Unification, Hana Centers)
Secondary targets (post-2017 geographic expansion):
- Japanese entities, particularly those engaged with the DPRK abduction issue
- Vietnamese targets (documented expansion of operational footprint)
- Middle Eastern entities, including a documented 2017 campaign against a Middle Eastern firm engaged in a DPRK joint venture
- Foreign joint-venture partners doing business with the DPRK
- Most recently: gaming/entertainment industry supply-chain compromise (ESET, May 2026)
The 2017 expansion outside the Korean peninsula and the 2026 supply-chain operation indicate APT37’s operational reach has broadened, but the core mission — tracking and disrupting the DPRK defector and dissident ecosystem — remains the consistent organizing logic of the group’s victimology.
Capabilities & TTPs
APT37’s signature is zero-day exploitation paired with watering-hole attacks, a tradecraft profile that contrasts sharply with Kimsuky’s reliance on patient social engineering. While Lazarus Group occasionally uses zero-days, APT37 does so more consistently and against narrower target sets — suggesting dedicated exploit development resources or procurement, an operational priority that fits the MSS regime-preservation mandate.
Core capabilities:
- Zero-day exploitation — Adobe Flash (CVE-2018-4878 lineage), Internet Explorer, Windows scripting engine (CVE-2024-38178, patched August 2024 and used in the wild for RokRAT delivery)
- Watering-hole attacks — Compromise of websites frequented by target communities (defector-support sites, DPRK-policy think tanks, niche academic resources)
- Mobile surveillance — KoSpy Android spyware, samples tracked March 2022 through March 2024, targeting defectors and dissidents whose primary device is mobile
- Supply-chain compromise — 2026 ESET-documented compromise of a gaming platform, most recent documented operation
- HWP exploitation — Like other DPRK actors, weaponized Hangul Word Processor documents targeting ROK-specific software
Core malware:
- RokRAT — Signature Windows backdoor. Uses legitimate cloud services (Dropbox, OneDrive, pCloud, Yandex Disk) for C2, complicating network-based detection. Continuously evolved since first observed circa 2017.
- KoSpy — Android spyware family for mobile surveillance of high-value individual targets. Sample collection March 2022–March 2024 documented in vendor reports.
- DOGCALL — Earlier Windows backdoor family.
- Karae, WINERACK, POORAIM — Additional implants in the toolset.
Tradecraft observations:
- Faster zero-day operational tempo than Kimsuky
- More watering-hole activity than Lazarus or Kimsuky
- Mobile surveillance capability against individuals — atypical among DPRK cyber actors
- Cloud-service C2 (RokRAT) is operationally distinctive
Major Operations
| Date | Operation | Target | Method | Confidence |
|---|---|---|---|---|
| 2016 | Operation Daybreak | ROK government and adjacent targets | CVE-2016-4171 Flash zero-day | High (vendor IR) |
| 2017 | Operation Erebus | ROK targets | Flash exploitation | High (vendor IR) |
| 2017 | Operation Honey Bear | ROK think tanks (DPRK policy) | Spearphishing, multi-stage backdoors | High (vendor IR) |
| 2017 | Middle East joint-venture targeting | Middle Eastern firm with DPRK JV exposure | Watering hole, Flash exploit | High (FireEye/Mandiant) |
| 2018 | Flash zero-day campaign | ROK defector-related targets | CVE-2018-4878 Flash zero-day | High (Cisco Talos, KrCERT/CC) |
| 2021 | InkySquid campaign | South Korean newspaper | Watering hole, IE exploits | High (Volexity) |
| 2022–2024 | KoSpy Android surveillance | Defectors, individual high-value targets | Android spyware, mobile C2 | High (Lookout, vendor IR) |
| Aug 2024 | CVE-2024-38178 exploitation | Targeted RokRAT delivery | Windows scripting engine zero-day | High (Microsoft, AhnLab) |
| May 2026 | Gaming platform supply-chain compromise | Gaming industry (espionage staging) | Supply-chain code/update tampering | High (ESET, most recent documented operation) |
Attribution Basis
Attribution to North Korea and to the MSS rests on convergent evidence:
- Mandiant organizational assessment (2023) — Explicit MSS attribution based on targeting profile (defectors, defector-support, humanitarian organizations, joint-venture partners). Mandiant’s framing — “APT37’s activities most likely align with the agenda of MSS” — is the foundational open-source MSS attribution statement.
- FireEye / Mandiant historical reporting — Multi-year tracking of toolset (RokRAT, DOGCALL), language artifacts (Korean-language strings, build-environment Korean locale), operational timing (Pyongyang business hours), and victimology consistency.
- Cisco Talos — 2018 Flash zero-day analysis attributing CVE-2018-4878 weaponization to Group 123 (Talos’s APT37 tracking name).
- KrCERT/CC and ROK national CERT — Confirms in-the-wild exploitation against ROK targets and provides victim-side telemetry.
- Volexity — InkySquid campaign technical analysis, 2021.
- Microsoft Threat Intelligence and AhnLab — Reporting on CVE-2024-38178 exploitation for RokRAT delivery, August 2024.
- Lookout — KoSpy Android spyware research.
- ESET — May 2026 reporting on ScarCruft supply-chain compromise of a gaming platform — most recent documented operation.
Naming taxonomy: ScarCruft (Kaspersky, common), Reaper (FireEye historical), Group123 (Cisco Talos), TEMP.Reaper (Mandiant), InkySquid (Volexity), APT37 (Mandiant numerical taxonomy). These names refer to the same adversary; vendor cluster boundaries are largely convergent.
Geopolitical Context
APT37’s operational existence is a direct reflection of the DPRK regime’s perception of its defector and dissident diaspora as a national security threat. The MSS treats defectors not as individuals who left but as ongoing security risks — sources of information for foreign intelligence services, vectors for ideological contamination back into the DPRK, and material for adversary information operations.
The defector targeting also has a deterrent function: visible cyber harassment of escapees and the organizations that support them is intended to dissuade further defections and to chill the operations of defector-support networks. This is regime preservation by way of psychological pressure on a specific population — a mission that fits the MSS portfolio precisely.
The 2017 expansion to foreign joint-venture partners reflects MSS concerns about foreign business contacts being conduits for intelligence collection on DPRK economic activities and sanctions evasion. The 2026 supply-chain operation against a gaming platform indicates either a target-of-opportunity individual within the gaming community or an operational maturation toward more sophisticated supply-chain access — analysts should watch ESET and follow-on vendor reporting for clarification of the operational intent.
APT37’s relationship with Kimsuky: both groups target the inter-Korean information space, but the operational division of labor is clear. Kimsuky focuses on policy intelligence — what the ROK and US governments and think tanks are planning regarding the DPRK. APT37 focuses on defector and dissident tracking — who is leaving, who is helping them, who is reporting on it. Both groups occasionally target overlapping individuals (e.g., a DPRK-focused academic who is also a defector advocate), but the strategic mission separation is visible in their distinct collection priorities.
See DPRK Cyber Warfare — Revenue, Espionage, and Geopolitical Weaponization for the broader DPRK cyber-strategic context.
Gaps
- Internal MSS cyber unit structure — Even less is publicly known about MSS internal cyber organization than about the RGB. Sub-unit identifiers, headcount, and operator-level identities are largely opaque.
- Sanctions exposure — Unlike Kimsuky (OFAC-designated November 2023) and Lazarus Group (multiply sanctioned), APT37 has not received a discrete OFAC SDN designation as of writing. Whether this reflects intelligence-protection considerations or simply prioritization is unclear.
- 2026 gaming platform supply-chain operation — Initial ESET reporting establishes the operation but the full scope, victim count, and intended end-target population remain under-developed in open source as of May 2026.
- Operational overlap with MSS HUMINT — How APT37 cyber operations integrate with traditional MSS HUMINT against the defector population is inferred but not directly evidenced in open source.
- KoSpy distribution channels — How KoSpy reaches target Android devices (sideloading, store distribution, supply chain) is partially documented but the full picture is incomplete.
Strategic Implications
For the defector and human-rights community, APT37 is the principal cyber threat actor and should be treated as a persistent, well-resourced adversary with mobile-device targeting capability. Defector-support organizations should assume that their staff, communications, and informant networks are under continuous targeting by an actor willing to burn zero-days. Mobile OPSEC (device hygiene, careful sideloading practices, anti-spyware monitoring) is operationally critical for at-risk individuals.
For ROK and US policy analysts, APT37’s MSS lineage is the analytically important fact. Confusing APT37 with Kimsuky or RGB-aligned groups produces wrong conclusions about DPRK organizational logic — for example, attributing defector-targeting activity to the RGB’s foreign-intelligence mission instead of correctly placing it within the MSS counter-defector mandate would obscure the regime-preservation priority that the activity actually reflects.
For Advanced Persistent Threat taxonomy work, APT37 is the canonical example of an MSS-aligned cyber actor and a counter-example to the assumption that all DPRK cyber operations flow through the RGB. The DPRK runs at least two distinct cyber organizational lines (MSS and RGB) with distinct missions, distinct tradecraft tendencies, and distinct victimology — APT37 is the visible MSS line. Future organizational discoveries (additional MSS units, RGB sub-elements) should be mapped against this two-line baseline.
For strategic intelligence consumers, APT37 operational tempo against specific target communities is a real-time indicator of MSS priorities. A surge in defector-community targeting can correlate with internal DPRK developments (succession dynamics, elite purges, regime stress signals) that the MSS perceives as raising the defector-threat profile.
Sources (confidence-tagged)
- [primary, vendor-IR] Mandiant — APT37 organizational mapping (MSS attribution); historical and current tracking. The MSS attribution language is foundational open-source assessment.
- [primary, vendor-IR] FireEye, “APT37 (Reaper): The Overlooked North Korean Actor,” 2018 — early comprehensive profile and toolset documentation.
- [primary, vendor-IR] Cisco Talos — Group 123 / CVE-2018-4878 Flash zero-day analysis, 2018.
- [primary, vendor] Kaspersky — ScarCruft tracking and RokRAT analysis.
- [primary, vendor] Volexity — InkySquid campaign technical analysis, 2021.
- [primary, vendor] Microsoft Threat Intelligence and AhnLab — CVE-2024-38178 exploitation for RokRAT delivery, August 2024.
- [primary, vendor] Lookout — KoSpy Android spyware research.
- [primary, vendor] ESET — May 2026 ScarCruft gaming platform supply-chain compromise (most recent documented operation).
- [primary, authoritative] KrCERT/CC (ROK national CERT) — ROK victim telemetry and exploitation confirmation across multiple campaigns.
- [reference] DPRK Cyber Warfare — Revenue, Espionage, and Geopolitical Weaponization — vault thematic study.
- [reference] Kimsuky — RGB-aligned counterpart, distinct attribution and mission.
Source labeling caution: Vendor IR reports are the primary open-source basis for APT37 attribution to the MSS. Mandiant’s MSS framing is convergent with FireEye historical reporting and consistent with the group’s decade-long victimology, but it is not (as of writing) directly corroborated by a formal US government SDN designation of APT37 specifically. Analysts should treat the MSS attribution as well-supported but at “high confidence” rather than “authoritative” pending future government designations or declassifications.