cyber daily logo

Breaking news and updates daily. Subscribe to our Newsletter

Breaking news and updates daily. Subscribe to our Newsletter X facebook linkedin Instagram Instagram

Lax security reveals North Korean hacking group APT37’s tactics

The North Korean threat actor APT37 has been around for over a decade, but a recent slip in the group’s own operational security has given security researchers a detailed glimpse into the group’s operations and the tactics it uses in both its phishing and malware campaigns.

user icon David Hollingworth
Tue, 11 Apr 2023
Lax security reveals North Korean hacking group APT37’s tactics
expand image

The group has been particularly active this year, largely targeting South Korean organisations and individuals. Zscaler’s ThreatLabz had been doing research into the group and recently discovered the group’s GitHub code repository, complete with samples of malicious code, phishing lures, and other files dating back to 2020.

“Due to an operational security (OpSec) failure of the threat actor,” ThreatLabz’ researchers said in a blog post, “we were able to access a wealth of information about the malicious files used by this APT group along with the timeline of their activities dating as far back as October 2020”.

The researchers discovered a number of different attack vectors, ranging from various file types with malicious payloads, but all the attack chains end by installing a Chinotto PowerShell-based backdoor onto affected networks. The backdoor can then receive commands from APT37’s command and control infrastructure, and exfiltrate data.


The group uses a number of themes to lure victims into opening malicious files. It uses compressed files claiming to contain information related to South Korean national security, university-level exam questions, and documents relating to two South Korean technology companies — Samsung and LG. Financial documents are also used.

In each case, the decoy document is real but hides the malicious payload.

The group has also recently started using embedded OLE objects in documents to execute its payload, and malicious .LNK files.

“This wealth of information retrieved from the GitHub repository gave us a lot of insight into the types of themes used by the threat actor as social engineering lures, and we were able to make an educated guess about the potential targets of the campaign,” ThreatLabz said.

APT37 is thought to be a state-affiliated threat actor, gathering intelligence on behalf of the Democratic People's Republic of Korea (DPRK). While it does focus on South Korean targets, the group has widened its activities to include Japan and Vietnam.

In 2017, the group also targeted a business in the Middle East that was doing business in South Korea.

The group remains active.

David Hollingworth

David Hollingworth

David Hollingworth has been writing about technology for over 20 years, and has worked for a range of print and online titles in his career. He is enjoying getting to grips with cyber security, especially when it lets him talk about Lego.

cyber daily subscribe
Be the first to hear the latest developments in the cyber industry.