Detailed Analysis of Red Eyes Hacking Group
2018-08-14 • AhnLab
AhnLab links Red Eyes to the clusters tracked elsewhere as Geumseong121, Group 123, ScarCruft, APT37, Reaper, and Ricochet Chollima, and notes repeated targeting of people and organizations working on North Korea: defectors, human rights activists, researchers, journalists, and, in some cases, holders of Korean military-related documents. The group delivered malware through lure documents sent by email or mobile messenger, embedding VBS or executable payloads and exploiting Hangul Word Processor (HWP) EPS vulnerabilities, Microsoft Word DDE fields, and Adobe Flash Player CVE-2018-4878. Observed malware included the lure documents themselves, droppers, and backdoors such as DocPrint/Reloader and DogCall/Redoor. PDB paths embedded in the samples show recurring development strings across the set, a common pivot for clustering an actor's builds, though one that an actor can strip or forge.
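Two of the artifacts this summary mentions, DDE fields in Word documents and PDB paths in the dropped executables, can be triaged without opening the samples. The following is an added example written for this page, not AhnLab's tooling or code from the report; the lure document and the executable fragment it inspects are constructed in memory and are not real Red Eyes samples. It joins DDE field codes that are split across several `w:instrText` runs (a common trick against naive string matching) and pulls PDB paths out of CodeView `RSDS` records by scanning raw bytes, so it also works on dumped or partially damaged files.

```python
import io
import re
import zipfile
import xml.etree.ElementTree as ET
from xml.sax.saxutils import escape

W_NS = "http://schemas.openxmlformats.org/wordprocessingml/2006/main"
DDE_RE = re.compile(r"\bDDE(?:AUTO)?\b", re.IGNORECASE)
# CodeView record: 'RSDS', 16-byte GUID, 4-byte age, NUL-terminated PDB path.
RSDS_RE = re.compile(rb"RSDS.{16}.{4}([ -~]{1,260}?\.pdb)\x00", re.DOTALL)


def extract_field_codes(docx_bytes):
    """Return every field code in the Word parts of a .docx.

    A field is either a w:fldSimple element carrying a w:instr attribute, or
    a run of w:instrText elements between fldChar begin/end markers. The
    instrText pieces are concatenated so a code split as 'DDE' + 'AUTO ...'
    is still seen whole.
    """
    codes = []
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as zf:
        for name in zf.namelist():
            if not (name.startswith("word/") and name.endswith(".xml")):
                continue
            root = ET.fromstring(zf.read(name))
            for fld in root.iter(f"{{{W_NS}}}fldSimple"):
                codes.append(fld.get(f"{{{W_NS}}}instr", ""))
            current = None  # instrText pieces of the field being walked
            for el in root.iter():  # document order, so run order is kept
                if el.tag == f"{{{W_NS}}}fldChar":
                    kind = el.get(f"{{{W_NS}}}fldCharType")
                    if kind == "begin":
                        current = []
                    elif kind == "end" and current is not None:
                        codes.append("".join(current))
                        current = None
                elif el.tag == f"{{{W_NS}}}instrText" and current is not None:
                    current.append(el.text or "")
    return codes


def find_dde_fields(docx_bytes):
    """Field codes that invoke DDE or DDEAUTO, stripped of surrounding space."""
    return [c.strip() for c in extract_field_codes(docx_bytes) if DDE_RE.search(c)]


def extract_pdb_paths(pe_bytes):
    """PDB paths from every RSDS record found in the raw bytes of a PE file."""
    return [m.group(1).decode("ascii") for m in RSDS_RE.finditer(pe_bytes)]


def build_docx(field_runs):
    """Build a minimal .docx with one complex field split across the given
    instrText runs. Constructed sample for this example, not a real lure."""
    runs = "".join(
        f'<w:r><w:instrText xml:space="preserve">{escape(r)}</w:instrText></w:r>'
        for r in field_runs
    )
    doc = (
        f'<w:document xmlns:w="{W_NS}"><w:body><w:p>'
        '<w:r><w:fldChar w:fldCharType="begin"/></w:r>'
        f"{runs}"
        '<w:r><w:fldChar w:fldCharType="separate"/></w:r>'
        "<w:r><w:t>placeholder</w:t></w:r>"
        '<w:r><w:fldChar w:fldCharType="end"/></w:r>'
        "</w:p></w:body></w:document>"
    )
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", doc)
    return buf.getvalue()


# Constructed samples: a DDEAUTO field split over three runs, a benign DATE
# field, and a PE-like blob carrying one RSDS record with an assumed PDB path.
SAMPLE_DDE_DOCX = build_docx(
    ["DDE", "AUTO c:\\Windows\\System32\\cmd.exe ", '"/k calc.exe"']
)
SAMPLE_CLEAN_DOCX = build_docx(['DATE \\@ "yyyy-MM-dd"'])
SAMPLE_PE_BYTES = (
    b"MZ" + b"\x00" * 40
    + b"RSDS" + bytes(range(16)) + b"\x01\x00\x00\x00"
    + b"C:\\build\\sample\\Release\\loader.pdb\x00" + b"\x00" * 8
)

if __name__ == "__main__":
    print("DDE fields:", find_dde_fields(SAMPLE_DDE_DOCX))
    print("clean doc:", find_dde_fields(SAMPLE_CLEAN_DOCX))
    print("PDB paths:", extract_pdb_paths(SAMPLE_PE_BYTES))
```

Run `find_dde_fields` over every attachment in a mailbox export and `extract_pdb_paths` over the dropped executables; the PDB strings are what you would feed into a clustering query against your sample store, keeping in mind that a compiler-emitted path is an artifact the actor controls and can remove with a single linker flag.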