APT37

APT37 - RokRat

2025-03-10 • ZW01f •

https://zw01f.github.io/malware%20analysis/apt37/

#APT37 #RokRAT #LNK

By 2023, APT37 had shifted to phishing campaigns targeting users on both Windows and Android platforms. Infection Vector: The attack begins with phishing emails containing ZIP attachments that hide malicious LNK files, masquerading as documents related to North Korean affairs or trade agreements. APT37, also known as ScarCruft, Reaper, and Red Eyes, is a North Korean state-sponsored hacking group that has been active since 2012. This data is then exfiltrated to the Command-and-Control (C2) server.

Indicators of Compromise

Type	Value	First Seen	Last Seen
URL	https://content.dropboxapi.com/…	2020-03-25	2025-09-03
URL	https://content.dropboxapi.com/…	2018-09-21	2025-09-03
URL	https://cloud-api.yandex.net/v1…	2025-03-10	2025-08-29
URL	https://cloud-api.yandex.net/v1…	2024-04-03	2025-08-29
URL	https://cloud-api.yandex.net/v1…	2024-04-03	2025-08-29
URL	https://api.pcloud.com/uploadfi…	2024-04-03	2025-08-29
URL	https://cloud-api.yandex.net/v1…	2024-04-03	2025-08-29
URL	https://api.pcloud.com/getfilel…	2024-04-03	2025-08-29
URL	https://api.pcloud.com/listfold…	2024-04-03	2025-08-29
URL	https://api.dropboxapi.com/2/fi…	2023-01-16	2025-08-29
URL	https://api.dropboxapi.com/2/fi…	2018-09-21	2025-08-29
URL	https://api.pcloud.com/deletefi…	2018-09-21	2025-08-29
DOMAIN	cloud-api.yandex.net	2018-02-27	2025-08-29
YARA	detct_RokRat	2025-03-10	2025-03-10
HASH	9d96e4816a59475768d461a71cecf20…	2025-03-10	2025-03-10
HASH	cfc814a16547dd4e92607bd42d2722c…	2025-03-10	2025-03-10
HASH	6d790df4a2c81e104db10f5e47eb663…	2025-03-10	2025-03-10
HASH	1c4cd06ebece62c796ea517bf26cc86…	2025-03-10	2025-03-10
HASH	2b6928101efa6ededc7da18e7894866…	2025-03-10	2025-03-10
HASH	09a4adef9a7374616851e5e2a7d9539…	2025-03-10	2025-03-10
HASH	7df7ad7b88887a06b559cd453e7b652…	2025-01-21	2025-03-10
HASH	5306582c8a24508b594fed478d5abaa…	2024-12-17	2025-03-10
HASH	94159655fa0bfb1eff092835d8922d3…	2024-09-13	2025-03-10

Related Actors

Mandiant

Scarcruft

First seen: Feb 2018

Last seen: Jun 2026

Related Reports

2025-05-12 • 92% Match

한국 국가안보전략 싱크탱크 위장 APT37 공격 사례 분석 (작전명. 토이박스 스토리)

Genians

#APT37 #RokRAT #LNK #ToyBoxStory

Shares tags: APT37, RokRAT, LNK • Shares 13 IOCs

2025-05-12 • 92% Match

Analysis of APT37 Attack Case Disguised as a Think Tank for National Security Strategy in South Korea (Operation. ToyBox Story)

Genians

#APT37 #RokRAT #LNK #ToyBoxStory

Shares tags: APT37, RokRAT, LNK • Shares 13 IOCs

2025-03-04 • 92% Match

한글 문서로 위장한 두 공격 그룹의 악성코드 비교

Logpresso

#Konni #APT37 #RokRAT #LNK

Shares tags: APT37, RokRAT, LNK • Shares 7 IOCs • Published within a week

2025-08-29 • 87% Match

Operation HanKook Phantom: APT37 Spear-Phishing Campaign

Seqrite

#APT37 #RokRAT #LNK #T1102.002 #T1027.013 #T1082 #T1140 #T1005 #T1070.004 #T1041 #T1113 #T1083 #T1204.001 #T1204.002 #T1566.001 #T1547.001 #T1053.005 #T1059.001 #T1123 #T1087.001 #T1056.002 #T1574.001 #T1217 #T1027.009 #T1529 #T1055.009 #T1055.001

Shares tags: APT37, RokRAT, LNK • Shares 13 IOCs

2025-03-31 • 80% Match