Threat Actor Profile
High APT
Description

APT37 is a North Korean state-sponsored cyber espionage group that has been active since at least 2012. The group has targeted victims primarily in South Korea, but also in Japan, Vietnam, Russia, Nepal, China, India, Romania, Kuwait, and other parts of the Middle East. APT37 has also been linked to the following campaigns between 2016-2018: Operation Daybreak, Operation Erebus, Golden Time, Evil New Year, Are you Happy?, FreeMilk, North Korean Human Rights, and Evil New Year 2018.[1][2][3] North Korean group definitions are known to have significant overlap, and some security researchers report all North Korean state-sponsored cyber activity under the name Lazarus Group instead of tracking clusters or subgroups.

Confidence Score
100%
Tags
mitre-attack crawled web-source mitre-group
First Seen

Unknown

Last Updated

April 29, 2026

Active Status
Active
Created

April 29, 2026

MITRE ATT&CK Techniques (25)
T1005 - Data from Local System
Collection
T1123 - Audio Capture
Collection
T1071 - Application Layer Protocol
Command and Control
T1102 - Web Service
Command and Control
T1105 - Ingress Tool Transfer
Command and Control
T1555 - Credentials from Password Stores
Credential Access
T1027 - Obfuscated Files or Information
Defense Evasion
T1036 - Masquerading
Defense Evasion
T1055 - Process Injection
Defense Evasion
T1033 - System Owner/User Discovery
Discovery
T1057 - Process Discovery
Discovery
T1082 - System Information Discovery
Discovery
T1120 - Peripheral Device Discovery
Discovery
T1053 - Scheduled Task/Job
Execution
T1059 - Command and Scripting Interpreter
Execution
T1106 - Native API
Execution
T1203 - Exploitation for Client Execution
Execution
T1204 - User Execution
Execution
T1559 - Inter-Process Communication
Execution
T1529 - System Shutdown/Reboot
Impact
T1561 - Disk Wipe
Impact
T1189 - Drive-by Compromise
Initial Access
T1566 - Phishing
Initial Access
T1547 - Boot or Logon Autostart Execution
Persistence
T1548 - Abuse Elevation Control Mechanism
Privilege Escalation
STIX Data
{'aliases': [],
 'description': 'APT37 is a North Korean state-sponsored cyber espionage group '
                'that has been active since at least 2012. The group has '
                'targeted victims primarily in South Korea, but also in Japan, '
                'Vietnam, Russia, Nepal, China, India, Romania, Kuwait, and '
                'other parts of the Middle East. APT37 has also been linked to '
                'the following campaigns between 2016-2018: Operation '
                'Daybreak, Operation Erebus, Golden Time, Evil New Year, Are '
                'you Happy?, FreeMilk, North Korean Human Rights, and Evil New '
                'Year 2018.[1][2][3] North Korean group definitions are known '
                'to have significant overlap, and some security researchers '
                'report all North Korean state-sponsored cyber activity under '
                'the name Lazarus Group instead of tracking clusters or '
                'subgroups.',
 'external_references': [{'external_id': 'G0067',
                          'source_name': 'mitre-attack',
                          'url': 'https://attack.mitre.org/groups/G0067/'}],
 'id': 'threat-actor--G0067',
 'metadata': {'crawled_at': '2026-04-29T14:32:48.411140+00:00',
              'mitre_group_id': 'G0067',
              'page_title': 'APT37, InkySquid, ScarCruft, Reaper, Group123, '
                            'TEMP.Reaper, Ricochet Chollima, Group G0067 | '
                            'MITRE ATT&CK®'},
 'name': 'APT37',
 'type': 'threat-actor'}