APT37
APT37, also known as Konni, TA406, and Thallium, is a North Korean state-sponsored threat actor. The group operates under the Kimsuky umbrella and is primarily focused on cyber-espionage targeting South Korean entities. Recent campaigns attributed to APT37 have targeted South Korean Android users with remote-wipe attacks by abusing Google's Find Hub feature after compromising Google accounts. Their tactics include spear-phishing (notably spoofing South Korea's National Tax Service), malware propagation via KakaoTalk, and the use of malware such as AutoIt-based scripts, LilithRAT, and RemcosRAT. APT37 is known for leveraging compromised messaging accounts to spread malware and for innovative abuse of legitimate cloud and device management features for destructive and espionage purposes. Their operations are highly targeted and align with North Korean strategic interests in the region.
Know when an actor pivots toward your sector
Mallory correlates actor tradecraft and target patterns against your stack, your sector, and your geography. See overlap before they land.
Recent activity
4 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.
APT37 (Reaper) is a North Korean APT group known for using custom malware such as RokRAT Loader in cyber-espionage campaigns.
APT37 is conducting espionage campaigns targeting South Korean Android users, using spear-phishing and social engineering to deliver malware, compromise Google accounts, and remotely wipe devices via Google's Find Hub service.
APT37 is targeting Windows systems using a Rust-based backdoor and a Python loader.
The version that knows your environment.
Match sector + geo + tech-stack targeting against your real footprint.
Every observed MITRE ATT&CK technique, grouped by tactic.
Families this actor is known to deploy, with IOCs and behavior.
CVEs this actor has used in known campaigns.
YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.
Domains, IPs, and hashes tied to this actor, refreshed continuously.