APT37 aka ScarCruft or RedEyes – Active IOCs
2024-11-01 • Rewterz
https://www.rewterz.com/threat-advisory/apt37-aka-scarcruft-or-redeyes-active-iocs-8
APT37, also known as ScarCruft or RedEyes, is described as a North Korean espionage group that primarily targets South Korea and has also operated in Japan, Vietnam, Russia, Nepal, China, India, Romania, Kuwait, and the Middle East. The advisory links APT37 to the RokRAT and Goldbackdoor malware families, and says RedEyes moved from CHM malware disguised as a Korean financial-security email to delivering RokRAT through LNK files. The LNK content launches PowerShell, which in turn loads RokRAT; the implant collects machine information for target selection, communicates through cloud services such as Dropbox, pCloud, Yandex Cloud, and OneDrive, and supports executing additional payloads and exfiltrating data. The IOC set includes multiple hashes tied to the LNK and RokRAT activity, including 89c0d2cc1e71b17449eec454161d60da and 707e8cb56f32209ca837f2853801256cd3490ed2cc4b3428dc5e4238848f226d.
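The delivery chain above starts with a shortcut file, so a defender's first triage step is to read the .lnk itself rather than wait for the PowerShell process to appear. The following is an added example, not code from Rewterz or from any RokRAT analysis: it parses the MS-SHLLINK header and StringData fields of a Windows shortcut and flags the traits described in the advisory (a PowerShell target, hidden-window or encoded-command switches, and references to the cloud services named above). The sample shortcuts are constructed in the block, and the switch list and ShowCommand heuristic are this example's own assumptions, not indicators from the advisory.

```python
import struct

LINK_FLAGS_OFF, SHOW_CMD_OFF, SW_SHOWMINNOACTIVE = 20, 60, 7   # MS-SHLLINK header offsets / "start without visible window"
HAS_ID_LIST, HAS_LINK_INFO, IS_UNICODE = 0x01, 0x02, 0x80      # LinkFlags bits
STRING_DATA = [("name", 0x04), ("relative_path", 0x08), ("working_dir", 0x10), ("arguments", 0x20), ("icon_location", 0x40)]
CLOUD_HINTS = ("dropbox", "pcloud", "yandex", "onedrive", "1drv")   # services the advisory names for RokRAT C2
SUSPICIOUS_SWITCHES = {"-e", "-enc", "-encodedcommand", "-w", "-windowstyle", "-nop", "-noprofile", "-ep", "-executionpolicy"}

def build_lnk(relative_path, arguments, show_command=1):
    """Constructed fixture (assumption, not a real sample): minimal Unicode LNK with RelativePath and Arguments only."""
    header = bytearray(struct.pack("<I", 76).ljust(76, b"\0"))               # HeaderSize, rest zeroed
    struct.pack_into("<I", header, LINK_FLAGS_OFF, 0x08 | 0x20 | IS_UNICODE)
    struct.pack_into("<I", header, SHOW_CMD_OFF, show_command)
    sd = lambda s: struct.pack("<H", len(s)) + s.encode("utf-16-le")       # CountCharacters + chars
    return bytes(header) + sd(relative_path) + sd(arguments)

def parse_lnk(data):
    """Skip LinkTargetIDList/LinkInfo if present and decode the StringData fields."""
    flags = struct.unpack_from("<I", data, LINK_FLAGS_OFF)[0]
    pos = struct.unpack_from("<I", data, 0)[0]                               # HeaderSize
    if flags & HAS_ID_LIST:
        pos += 2 + struct.unpack_from("<H", data, pos)[0]                   # IDListSize + items
    if flags & HAS_LINK_INFO:
        pos += struct.unpack_from("<I", data, pos)[0]                       # LinkInfoSize (self-inclusive)
    info = {"show_command": struct.unpack_from("<I", data, SHOW_CMD_OFF)[0]}
    width = 2 if flags & IS_UNICODE else 1
    for field, bit in STRING_DATA:
        if flags & bit:
            count = struct.unpack_from("<H", data, pos)[0]
            raw = data[pos + 2:pos + 2 + count * width]
            info[field] = raw.decode("utf-16-le" if width == 2 else "cp1252", "replace")
            pos += 2 + count * width
    return info

def assess_lnk(data):
    """Return parsed fields plus the reasons a defender would quarantine this shortcut."""
    info = parse_lnk(data)
    text = " ".join(v for k, v in info.items() if k != "show_command").lower()
    checks = [
        ("powershell" in text, "invokes PowerShell"),
        (any(tok in SUSPICIOUS_SWITCHES for tok in text.split()), "hidden-window / encoded / no-profile switches"),
        (info["show_command"] == SW_SHOWMINNOACTIVE, "ShowCommand=SW_SHOWMINNOACTIVE (no visible window)"),
        (any(h in text for h in CLOUD_HINTS), "references a cloud storage service RokRAT uses for C2"),
    ]
    return info, [label for hit, label in checks if hit]

# Constructed samples: a benign document shortcut and a RokRAT-style PowerShell launcher.
BENIGN = build_lnk(r"..\Documents\report.docx", "")
LURE = build_lnk(r"..\..\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
                 "-NoP -w hidden -enc QUFBQQ==", show_command=SW_SHOWMINNOACTIVE)  # base64 of "AAAA"
```

Run `assess_lnk(open(path, "rb").read())` over shortcuts pulled from mail attachments or user Downloads folders; an empty reason list means none of the advisory's traits were found, not that the file is clean.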
Indicators of Compromise