THREATOPS Actor Dossier
LIVE ← Dashboard

APT37

G00671 reports
aliases · APT37 · InkySquid · ScarCruft · Reaper · Group123 · TEMP.Reaper · Ricochet Chollima
Export dossier:
1
Reports
0
Techniques
0
Tactics
0
Countries
n/a
Hunt coverage
7
Aliases

Analyst assessment — key judgments

  • Currently dormant: 0 report(s) in last 30d vs 0 prior (+0%).
  • Assessment confidence: n/a.

Activity & trend

DormantLast 30d: 0 vs 0 prior (+0%)· first reported 2026-05-05 · last 2026-05-05
0
7d
0
30d
1
90d
1
All
0.1
Rpts/wk
Reporting timeline · 12 months

Overview

Analyst triage
Intelligence summary

APT37 is a North Korean state-sponsored cyber espionage group that has been active since at least 2012. The group has targeted victims primarily in South Korea, but also in Japan, Vietnam, Russia, Nepal, China, India, Romania, Kuwait, and other parts of the Middle East. APT37 has also been linked to the following campaigns between 2016-2018: Operation Daybreak, Operation Erebus, Golden Time, Evil New Year, Are you Happy?, FreeMilk, North Korean Human Rights, and Evil New Year 2018.(Citation: FireEye APT37 Feb 2018)(Citation: Securelist ScarCruft Jun 2016)(Citation: Talos Group123)

North Korean group definitions are known to have significant overlap, and some security researchers report all North Korean state-sponsored cyber activity under the name Lazarus Group instead of tracking clusters or subgroups.

Top co-occurring indicators
    Aliases & naming
      Targeting · countries
        Targeting · named victims

          ATT&CK technique matrix

          Coverage vs hunt library:
          Hunt-coverage gaps — prioritized

            Top techniques by observation
            • No ATT&CK techniques associated yet.

            Threat catalogue · engineering roadmap0

            Flagged detection-engineering queue

            Uncovered techniques you flagged for hunt / detection build-out, aggregated across every actor you visit. Stored locally in your browser.

              No techniques queued yet — flag a gap above to add it here.

              Infrastructure

              IOC type mix
              Tooling / malware families
                Tracked infrastructure

                Relationships

                Related actors (behavioral cluster)
                  Attributed malware
                  Campaigns
                  No behavioral cluster, attributed malware, or campaigns recorded for this actor yet.

                  Activity

                  30-day mention timeline
                  Recent reporting
                  TitleSourceSeverityCollected