APT GROUP123

2025-05-14 • Cyfirma •

https://www.cyfirma.com/research/apt-group123/

#Group123 #T1102.002 #T1082 #T1059.003 #T1005 #T1071.001 #T1059.006 #T1027 #T1204.002 #T1555.003 #T1057 #T1059.005 #T1566.001 #T1547.001 #T1053.005 #T1059 #T1105 #T1055 #T1203 #T1189 #T1123 #T1548.002 #T1106 #T1529 #T1033 #T1561.002 #T1559.002 #T1120 #T1036.001 #T1094 #T1027.003

CYFIRMA profiles Group123 as a North Korean state-sponsored espionage group active since at least 2012 and tracked as APT37, Reaper, ScarCruft, and related aliases. The report describes targeting in South Korea, Japan, Vietnam, the Middle East, and other regions, with defense, aerospace, nuclear technology, engineering, and government-related entities among the collection priorities. Reported tradecraft includes spear phishing with HWP and Office lures, exploitation of public-facing applications, watering holes, drive-by compromise, DLL sideloading, staged payloads, and C2 through legitimate or compromised services. The profile lists tools and malware associated with the cluster, including RokRat, Konni, BLUELIGHT, Chinotto, NavRAT, M2RAT, and other APT37-linked families.

Related Actors

Group123

Cisco Talos

Scarcruft

First seen: Jan 2018

Last seen: May 2025

Related Reports

2025-08-13 • 39% Match

APT PROFILE – LAZARUS GROUP

Cyfirma

#Lazarus #T1102.002 #T1082 #T1059.003 #T1567.002 #T1140 #T1584.004 #T1005 #T1070.004 #T1587.001 #T1041 #T1560 #T1608.001 #T1071.001 #T1046 #T1083 #T1056.001 #T1204.001 #T1036 #T1027 #T1204.002 #T1566.002 #T1566.003 #T1124 #T1057 #T1059.005 #T1583.006 #T1566.001 #T1547.001 #T1585.002 #T1053.005 #T1583.001 #T1059.001 #T1036.005 #T1132.001 #T1001.003 #T1585.001 #T1497.001 #T1105 #T1553.002 #T1620 #T1574.002 #T1562.001 #T1027.002 #T1489 #T1078 #T1008 #T1571 #T1491.001 #T1218 #T1220 #T1203 #T1189 #T1049 #T1564.001 #T1098 #T1016 #T1074.001 #T1588.002 #T1562.004 #T1591 #T1218.011 #T1583.004 #T1036.004 #T1588.003 #T1218.010 #T1593.001 #T1218.005 #T1589.002 #T1584.001 #T1070.006 #T1048.003 #T1134.002 #T1027.007 #T1021.001 #T1106 #T1090.001 #T1573 #T1070 #T1047 #T1574.013 #T1561.001 #T1036.003 #T1529 #T1055.001 #T1614.001 #T1010 #T1021.002 #T1033 #T1543.003 #T1485 #T1090.002 #T1542.003 #T1560.002 #T1012 #T1110 #T1547.009 #T1110.003 #T1534 #T1588.004 #T1104 #T1591.004 #T1561.002 #T1608.002 #T1202 #T1221 #T1557.001 #T1087.002 #T1560.003 #T1070.003 #T1021.004

Shares tags: T1102.002, T1082, T1059.003 • Same author: Cyfirma

2025-02-12 • 35% Match

APT PROFILE – APT43

Cyfirma

#APT43 #T1102.002 #T1082 #T1059.003 #T1567.002 #T1140 #T1005 #T1070.004 #T1587.001 #T1041 #T1608.001 #T1071.001 #T1112 #T1083 #T1056.001 #T1059.006 #T1204.001 #T1059.007 #T1036 #T1027 #T1204.002 #T1566.002 #T1555.003 #T1057 #T1059.005 #T1583.006 #T1518.001 #T1566.001 #T1547.001 #T1585.002 #T1053.005 #T1598.003 #T1583.001 #T1059.001 #T1036.005 #T1552.001 #T1585.001 #T1105 #T1219 #T1055 #T1553.002 #T1562.001 #T1027.002 #T1133 #T1190 #T1098 #T1016 #T1074.001 #T1588.002 #T1055.012 #T1587 #T1078.003 #T1071.002 #T1562.004 #T1550.002 #T1111 #T1071.003 #T1591 #T1003.001 #T1218.011 #T1593.002 #T1586.002 #T1588.005 #T1583.004 #T1036.004 #T1589.003 #T1594 #T1218.010 #T1557 #T1593.001 #T1218.005 #T1589.002 #T1584.001 #T1070.006 #T1021.001 #T1560.001 #T1176 #T1136.001 #T1543.003 #T1012 #T1534 #T1560.003 #T1007 #T1564.003 #T1114.003 #T1114.002 #T1564.002 #T1040 #T1546.001 #T1505.003

Shares tags: T1102.002, T1082, T1059.003 • Same author: Cyfirma

2024-09-12 • 30% Match

APT PROFILE – KIMSUKY

Cyfirma

#Kimsuky #T1102.002 #T1082 #T1059.003 #T1567.002 #T1140 #T1005 #T1070.004 #T1587.001 #T1041 #T1608.001 #T1071.001 #T1112 #T1083 #T1056.001 #T1059.006 #T1204.001 #T1059.007 #T1036 #T1027 #T1204.002 #T1566.002 #T1555.003 #T1057 #T1059.005 #T1583.006 #T1518.001 #T1566.001 #T1547.001 #T1585.002 #T1053.005 #T1598.003 #T1583.001 #T1059.001 #T1036.005 #T1552.001 #T1585.001 #T1105 #T1219 #T1055 #T1553.002 #T1562.001 #T1027.002 #T1133 #T1190 #T1098 #T1016 #T1074.001 #T1588.002 #T1055.012 #T1587 #T1078.003 #T1071.002 #T1562.004 #T1550.002 #T1111 #T1071.003 #T1591 #T1003.001 #T1218.011 #T1593.002 #T1586.002 #T1588.005 #T1583.004 #T1036.004 #T1589.003 #T1594 #T1218.010 #T1557 #T1593.001 #T1218.005 #T1589.002 #T1584.001 #T1070.006 #T1021.001 #T1560.001 #T1176 #T1136.001 #T1543.003 #T1012 #T1534 #T1560.003 #T1007 #T1564.003 #T1114.003 #T1114.002 #T1564.002 #T1040 #T1546.001 #T1505.003

Shares tags: T1102.002, T1082, T1059.003 • Same author: Cyfirma

2025-04-23 • 29% Match

A Deep Dive Into a Multi-Stage Malware Campaign Potentially Linked to DPRK’s Konni Group

navneet

#Konni #LNK #T1059.003 #T1140 #T1005 #T1070.004 #T1041 #T1071.001 #T1027 #T1059.005 #T1566.001 #T1547.001 #T1059.001 #T1573.001

Shares tags: T1059.003, T1005, T1071.001 • Published within a month

2025-04-23 • 27% Match

North Korea Calling - Web3 Zoom Campaign

Huntabil

#macOS #T1082 #T1005 #T1041 #T1071.001 #T1059.004 #T1566.002 #T1057 #T1547.001 #T1059 #T1518

Shares tags: T1082, T1005, T1071.001 • Published within a month

2025-04-24 • 26% Match

Lazarus APT updates its toolset in watering hole attacks

Kaspersky

#ThreatNeedle #LPEClient #SIGNBT #AGAMEMNON #Lazarus #Innorix #SyncHole #CrossEX #T1027.013 #T1082 #T1140 #T1071.001 #T1083 #T1057 #T1583.003 #T1583.001 #T1105 #T1620 #T1574.002 #T1135 #T1573.001 #T1190 #T1189 #T1049 #T1573.002 #T1016 #T1087.001 #T1218.011 #T1584.001 #T1574.001 #T1564.004 #T1027.009 #T1569.002 #T1543.003 #T1087.002 #T1570 #T1608.004 #T1547.005 #T1007

Shares tags: T1082, T1071.001, T1057 • Published within a month

« Back