ScarCruft is a state-aligned advanced persistent threat (APT) group widely attributed to North Korea by multiple cybersecurity vendors, including Kaspersky, which gave the group its name, and others that track it under aliases such as APT37, Reaper, InkySquid, Group123, and Ricochet Chollima. The group is generally assessed to operate in support of North Korean intelligence collection priorities, and is considered distinct from the better-known Lazarus Group, which is more associated with financially motivated operations.
Active since at least 2012, ScarCruft has focused much of its targeting on South Korea, particularly:
- North Korean defectors and human rights activists
- Journalists covering Korean Peninsula affairs
- South Korean government, military, and diplomatic entities
- Think tanks and academics working on Northeast Asian security
The group has also been observed targeting victims in Japan, Vietnam, the Middle East, and other regions where North Korean interests intersect with diaspora communities or strategic intelligence requirements.
ScarCruft is technically notable for its willingness to deploy zero-day exploits, including past abuse of vulnerabilities in Adobe Flash and Internet Explorer, and for a varied custom malware toolkit. Reported tools include RokRat (a remote access trojan often delivered via weaponized HWP and Microsoft Office documents), Chinotto, Dolphin, and GoldBackdoor. The group frequently uses spear-phishing lures themed around Korean political affairs, sanctions, and inter-Korean relations, and has experimented with Bluetooth reconnaissance and mobile (Android) implants.
For Model UN delegates and IR researchers, ScarCruft is a useful case study in how cyber operations complement traditional statecraft: it illustrates how a sanctioned, relatively isolated state uses targeted intrusions to surveil dissidents abroad and to gather diplomatic intelligence, blurring the line between espionage, transnational repression, and information warfare in the context of the Korean Peninsula.
Example
In 2021, researchers at Kaspersky documented a ScarCruft campaign using the Chinotto backdoor to spy on North Korean defectors, journalists, and human rights activists in South Korea.
Frequently asked questions
No. Both are linked to North Korea, but analysts track them as separate clusters. Lazarus is primarily associated with financially motivated and disruptive operations, while ScarCruft (APT37) focuses on espionage against defectors, journalists, and regional government targets.
Keep learning