APT37 attack targeting macOS users in Korea appears
2023-06-20 • Genians • APT37 attack targeting macOS users in Korea appears
https://www.genians.co.kr/hubfs/blogfile/20230620_threat_inteligence_report_apt37_macos.pdf
Genians reported a macOS-focused APT37 campaign targeting South Korean people involved in North Korean human-rights and DPRK-related work. The attackers first conducted phishing and reconnaissance to steal email credentials and learn the victim's browser and operating-system details, then delivered a macOS malicious application disguised with an HWP document icon and themed around R2P conference materials. The campaign used a Samsung Galaxy Note-themed C2 domain, malicious AppleScript based on Open Scripting Architecture, LaunchAgents persistence, and information-stealing behavior similar to prior APT37 operations.