NICKEL FOXCROFT
2023-05-28 • Secure Works
https://www.sophos.com/en-us/threat-profiles/nickel-foxcroft
Sophos profiles NICKEL FOXCROFT as a North Korea-linked espionage group that targets South Korean individuals and organizations focused on North Korea reporting, Korean peninsula geopolitics, and defector support. The profile maps the group to aliases including APT37, Group 123, Reaper, ScarCruft, RICOCHET CHOLLIMA, and Venus 121. Its tradecraft centers on social engineering and spear-phishing, including abuse of social media access to target associates, plus malicious HWP and Microsoft Word documents. Reported tooling includes RokRat, Bluelight, Chinotto, GOLDBACKDOOR, KevDroid, KoSpy, and PoorWeb, with capabilities for credential theft, data exfiltration, screenshots, system collection, and file management.