APT37 is an advanced persistent threat group widely attributed by private cybersecurity firms to North Korea. It is also tracked under the aliases Reaper, ScarCruft, Group123, Ricochet Chollima (CrowdStrike), and InkySquid. FireEye's 2018 report APT37 (Reaper): The Overlooked North Korean Actor publicly profiled the group, assessing with high confidence that it operates on behalf of the North Korean government, distinct from the better-known Lazarus Group.
The group's targeting reflects Pyongyang's strategic intelligence priorities. Historically it has focused on South Korean public and private sector organizations, particularly in chemicals, electronics, manufacturing, aerospace, automotive, and healthcare. Since around 2017 its scope expanded to Japan, Vietnam, the Middle East, and entities linked to North Korean defectors, human rights NGOs, and journalists covering the DPRK.
APT37 is known for rapid exploitation of zero-day vulnerabilities, including a 2017 Adobe Flash zero-day (CVE-2018-4878) and Internet Explorer flaws. Its custom toolset includes malware families such as ROKRAT, DOGCALL, KARAE, CORALDECK, and GELCAPSULE, frequently delivered via spear-phishing emails with weaponized Hangul Word Processor (HWP) documents — a file format dominant in South Korean government use. The group has also abused cloud services like Dropbox, pCloud, and Yandex for command-and-control.
For Model UN and policy researchers, APT37 is a useful case study in:
- Attribution challenges, since DPRK denies state-sponsored hacking;
- Sanctions enforcement, given UN Security Council resolutions (notably 2321, 2371, 2375, 2397) addressing DPRK cyber activity;
- The DPRK Panel of Experts reports, which since 2019 have documented North Korean cyber operations as revenue and intelligence tools circumventing sanctions.
APT37 is generally distinguished from APT38 (financially motivated DPRK operations targeting banks and cryptocurrency) and the broader Lazarus cluster, though some tool overlap has been observed.
Example
In February 2018, FireEye publicly attributed a campaign exploiting an Adobe Flash zero-day (CVE-2018-4878) against South Korean targets to APT37, linking the activity to North Korean state interests.
Frequently asked questions
Lazarus is a broader umbrella for DPRK cyber operations including financially motivated heists; APT37 is assessed as a separate cluster focused on espionage against South Korea and DPRK-related civil society targets.
Keep learning