Global Advanced Persistent Threat (APT) 2018 Summary Report

2019-01-02 Qihoo360 Global Advanced Persistent Threat (APT) 2018 Summary Report

https://ti.qianxin.com/uploads/2019/01/02/56e5630023fe905b2a8f511e24d9b84a.pdf

Attachments

56e5630023fe905b2a8f511e24d9b84a.pdf (3 MB)


360's 2018 APT review highlights DPRK-linked activity through Lazarus Group and Group 123/APT37 sections rather than a single incident. The Lazarus section notes that vendor naming was becoming less clear, with FireEye separating financially motivated activity as APT38, and lists reported activity including the Celas Trade Pro cryptocurrency trading application for Windows and Mac, Ryuk's code similarities to HERMES, Cosmos Bank theft, HIDDEN COBRA ATM alerts, Trend Micro ATM attacks, and Operation Sharpshooter implants suspected to share Duuzer backdoor code. The Group 123 section describes a North Korea-linked actor also known as Reaper, APT37, Geumseong121, and Scarcruft, active since at least 2012 and initially focused on South Korea before expanding toward Japan, Vietnam, the Middle East, and industrial verticals such as chemicals, electronics, manufacturing, aerospace, automotive, and healthcare. The report matters for DPRK tracking because it places Lazarus, APT38, and APT37 activity in a broader 2018 APT landscape while emphasizing attribution challenges caused by changing tools, anonymous infrastructure, false flags, and copied techniques.
