APT37: North Korea’s Active Cyberespionage Group in 2025

Figure: Brandefense APT37 Threat Group Profile – 2025 assessment (threat profile layout covering attribution, aliases, TTPs, targeting, and recent activity).

Introduction

APT37, also tracked as Reaper and Ricochet Chollima, continues to be one of the most active and dangerous cyber threat groups associated with North Korea. Over the last ten years, APT37 has grown from an espionage actor focused primarily on South Korean targets into one conducting global operations with sophisticated tooling and innovative persistence capabilities. As of 2025, APT37 presents a high-priority threat to governments, think tanks, and industries that contribute to the DPRK’s strategic goals.

Identity and Motivation

Attribution: Linked to North Korea, operating under the direction of the DPRK’s intelligence apparatus

Active Since: At least 2012, with significant growth since 2017

Aliases: Reaper, Ricochet Chollima, Group123, ScarCruft

Motivation: Primarily cyberespionage in support of the DPRK’s political, military and economic objectives, with limited financially motivated activity intended to evade sanctions or fund regime operations.

TTPs

APT37 has continually revised its tactics and techniques, blending conventional espionage tradecraft with approaches borrowed from traditional cybercrime.

Initial Access: spearphishing with geopolitically themed lures, exploitation of zero-day vulnerabilities, trojanized software updates, and watering hole compromises.

Persistence: DLL sideloading, Windows Registry tampering, scheduled tasks, and newly observed abuse of cloud authorization tokens for stealthy re-entry.

Command and Control Infrastructure: abuse of common cloud services (e.g., Dropbox, Google Drive, GitHub) for data exfiltration and actions on target systems, alongside use of the group’s own C2 servers observed in 2023.

Malware and Tools: ROKRAT (cloud-hosted RAT), BabyShark, Gold Dragon, LATEOP, the Dolphin backdoor, and new modular implants identified in campaigns in 2024-2025.

Other Techniques: social engineering aligned with DPRK propaganda narratives, bypassing kernel-level defenses, and exfiltrating data over encrypted cloud channels.

Notable Operations

  • 2017: Espionage targeting the South Korean defense industry while tensions were inflamed in the region.
  • 2018: ROKRAT used against defectors and NGOs supporting North Korean human rights issues.
  • 2021: BabyShark campaigns against U.S. policy think tanks.
  • 2024: Introduced the Dolphin backdoor against South Korean research institutes and media.
  • 2025: Ongoing global campaigns using cloud persistence and trojanized productivity software, with indications of targeting European and Middle Eastern government organizations.


Recent Activity

APT37’s operations in late 2024 and early 2025 indicate an evolution in its tactics and techniques. The group is not only using cloud platforms to exfiltrate data; it is also using them for persistence, which complicates disruption and remediation. Further, there are indications of collaboration with QRN29 and other financially motivated DPRK-nexus clusters, demonstrating a convergence of espionage and revenue-generating missions.

Conclusion

APT37 demonstrates the diversity, persistence, and adaptability of North Korea’s cyber program. The combination of sophisticated malware, access to zero-day exploits, and reliance on cloud infrastructure presents a challenge for any defender. The key lessons for defenders are as follows:

  • Make anti-spearphishing and trojanized software update defenses stronger
  • Watch for abnormal cloud service usage and credential theft
  • Patch edge devices and quickly respond to zero-days
  • Think of APT37 as an equal opportunity global espionage actor, rather than a localized rogue bad actor
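As an added illustration of the "abnormal cloud service usage" lesson above (example code written for this page, not Brandefense tooling), the following Python pass correlates two TTPs from this profile over constructed endpoint telemetry: a non-browser process contacting the cloud storage APIs named in the TTPs section, and the same process writing a Run key or scheduled task. The host list, the process allowlist and the sample events are assumptions and would be tuned to a real estate.

```python
from collections import defaultdict

# Cloud services the profile names as C2 / exfiltration channels (assumed API hosts).
CLOUD_API_HOSTS = {
    "api.dropboxapi.com", "content.dropboxapi.com",
    "www.googleapis.com", "api.github.com", "raw.githubusercontent.com",
}
# Processes expected to reach those hosts legitimately (assumed allowlist, tune per estate).
ALLOWLIST = {"chrome.exe", "msedge.exe", "firefox.exe", "dropbox.exe"}
# Persistence locations the profile lists: Registry Run keys and scheduled tasks.
PERSIST_MARKERS = ("\\currentversion\\run", "\\windows\\system32\\tasks\\")


def find_cloud_c2_candidates(events):
    """Return {(process, pid): findings} for processes that both contact a
    cloud API from outside the allowlist and write a persistence artifact.
    Each event is a dict: type (network|registry|file), process, pid, and
    dest (for network) or target (for registry/file)."""
    net, persist = defaultdict(set), defaultdict(set)
    for e in events:
        key = (e["process"].lower(), e["pid"])
        if e["type"] == "network":
            if e["dest"] in CLOUD_API_HOSTS and key[0] not in ALLOWLIST:
                net[key].add(e["dest"])
        elif e["type"] in ("registry", "file"):
            if any(m in e["target"].lower() for m in PERSIST_MARKERS):
                persist[key].add(e["target"])
    # Only processes that show BOTH behaviours are reported; either alone is common noise.
    return {k: {"cloud_hosts": sorted(net[k]), "persistence": sorted(persist[k])}
            for k in net if k in persist}


# Constructed telemetry (not real IoCs): a benign browser session, a service
# reaching Google APIs without persistence, a user-created task without cloud
# traffic, and a fake "updater" that writes a Run key and then beacons to Dropbox.
SAMPLE_EVENTS = [
    {"type": "network", "process": "chrome.exe", "pid": 1001, "dest": "api.dropboxapi.com"},
    {"type": "network", "process": "svchost.exe", "pid": 900, "dest": "www.googleapis.com"},
    {"type": "registry", "process": "OfficeUpdate.exe", "pid": 4120,
     "target": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\OfficeUpdate"},
    {"type": "network", "process": "OfficeUpdate.exe", "pid": 4120, "dest": "api.dropboxapi.com"},
    {"type": "file", "process": "explorer.exe", "pid": 2000,
     "target": r"C:\Windows\System32\Tasks\UserBackup"},
]

if __name__ == "__main__":
    for (proc, pid), f in find_cloud_c2_candidates(SAMPLE_EVENTS).items():
        print(f"{proc} (pid {pid}): cloud={f['cloud_hosts']} persistence={f['persistence']}")
```

On the constructed events only the fake updater is reported; the browser is allowlisted, and the other two processes show just one of the two behaviours.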

As we head into 2025, it is likely APT37 will continue to hybridize global espionage and domestic financially motivated campaigns, and potentially challenge governments and enterprises globally for many years to come.
