<ciso brief/>
Tag Banner

All news with #apt37 tag

all tags →

Tue, November 11, 2025

APT37 Abuses Google Find Hub to Remotely Wipe Android

#Android #Find My #Account Takeover #KakaoTalk #APT37 #Data Exfil via Tools

🔍 North Korean-linked operators abuse Google Find Hub to locate targets' Android devices and issue remote factory resets after compromising Google accounts. The attacks focus on South Koreans and begin with social engineering over KakaoTalk, using signed MSI lures that deploy AutoIT loaders and RATs such as Remcos, Quasar, and RftRAT. Wiping devices severs mobile KakaoTalk alerts so attackers can hijack PC sessions to spread malware. Recommended defenses include enabling multi-factor authentication, keeping recovery access ready, and verifying unexpected files or messages before opening.

read more →

Mon, September 1, 2025

ScarCruft Deploys RokRAT in 'HanKook Phantom' Campaign

#APT37 #Data Exfil via Tools #Phishing #RokRAT

🚨Seqrite Labs has uncovered a spear-phishing campaign named Operation HanKook Phantom attributed to North Korea–linked ScarCruft (APT37). The attacks use ZIP attachments containing malicious Windows LNK shortcuts that masquerade as PDFs and drop a RokRAT backdoor while displaying decoy documents. RokRAT can collect system information, execute commands, enumerate files, capture screenshots, and download further payloads, exfiltrating data via cloud services such as Dropbox, Google Cloud, pCloud, and Yandex Cloud. A second observed variant leverages fileless PowerShell and obfuscated batch scripts to deploy additional droppers and conceal network traffic as browser file uploads.

read more →

Fri, August 29, 2025

APT37 Spear-Phishing Campaign Targets South Korean Officials

#Active Exploitation #APT37 #Backdoor Found #Data Exfil via Tools #RokRAT

🛡️ Seqrite attributes a large-scale spear-phishing operation, dubbed Operation HanKook Phantom, to APT37, a North Korea–linked group targeting South Korean government and intelligence personnel. Attackers distributed malicious LNK shortcuts disguised as a legitimate National Intelligence Research Society newsletter and a statement from Kim Yo-jong, which triggered downloads and execution of payloads including RokRAT. The campaign employed in-memory execution, fileless PowerShell, XOR decryption, LOLBins and covert exfiltration techniques to blend with normal traffic and evade detection.

read more →