Quick and dirty over APT37 (aka Group123, aka ScarCruft) Android spying backdoor

2019-08-14 • Emanueledelucia •

https://www.emanueledelucia.net/group123-apt37-quick-and-dirty-over-their-malicious-jpge-viewer-mobile-app/

#APT37

Emanuele De Lucia analyzes an APT37, also known as Group123 or ScarCruft, campaign focused on South Korean targets. The activity used Korean-language spear-phishing, Hanmail addresses, payloads masquerading as JPEG files, and cloud services for command-and-control. The post is useful for defenders tracking APT37 delivery tradecraft, regional targeting, and Android spying backdoor activity.

Related Actors

APT37

Mandiant

Scarcruft

First seen: Feb 2018

Last seen: Jun 2026

Related Reports

2019-10-28 • 70% Match

疑似Group123（APT37）针对中韩外贸人士的攻击活动分析

Qihoo360

#APT37 #Group123

Shares tag: APT37

2026-06-14 • 60% Match

Analysis of APT37 NarwhalRAT Leveraging MS-Themed Phishing and Dead-drop C2

Genians

#APT37 #LNK #T1059.003 #T1567.002 #T1113 #T1071.001 #T1497 #T1056.001 #T1027 #T1204.002 #T1566.001 #T1053.005 #T1059.001 #T1102 #T1497.001 #T1105 #T1123 #T1025 #NarwhalRAT

Shares tag: APT37

2026-06-14 • 60% Match

2026-05-10 • 60% Match

Python Backdoor Threat Analysis Following an AI Deepfake Impersonation Campaign

Genians

#APT37 #LNK #Deepfake

Shares tag: APT37

2026-04-28 • 60% Match

South Korea Threat Landscape Report

Cyfirma

#Trend #Kimsuky #APT37 #Lazarus

Shares tag: APT37

« Back