
APT PROFILE – GROUP 123

Published On : 2025-12-10

Group123 is a North Korean state-sponsored advanced persistent threat (APT) group active since at least 2012. It is also tracked under other names such as APT37, Reaper, and ScarCruft by various cybersecurity firms. The group is known for its cyber espionage campaigns primarily targeting South Korea, but since 2017, it has expanded its operations to Japan, Vietnam, the Middle East, and other regions.

Alias: Cloud Dragon, InkySquid, APT 37, APT-37, ITG10, Reaper, Red Eyes, RedAnt, Ricochet Chollima, ScarCruft, TEMP.Reaper

Motivation: Information Theft, Espionage

Target Technologies: Office Suites Software, Operating System, Web Application

Targeted Regions: East Asia, Southeast Asia, the Middle East

Targeted Industries:

Targeted Countries: South Korea, Japan, Vietnam, China, Russia, Nepal, India, Kuwait, Romania, Czechia, Poland, Middle Eastern countries, and the United States

Tools Used by Group123:

SLOWDRIFT, MS Office exploits, Konni, Oceansalt, HAPPYWORK, Freenki Loader, N1stAgent, KevDroid, PoohMilk Loader, WINERACK, KARAE, RUHAPPY, GELCAPSULE, FlashExploits, RICECURRY, SOUNDWAVE, ZUMKONG, Nokki, Syscon, CARROTBALL, GreezeBackdoor, NavRAT, RokRat, DOGCALL, CARROTBAT, CORALDECK, POORAIM, MILKDROP, SHUTTERSPEED, Final1stSpy, ScarCruft, Erebus

Malware used by Group123:

KARAE, HAPPYWORK, PoohMilk Loader, Oceansalt, BLUELIGHT, WINERACK, CORALDECK, Chinotto, RokRat, SHUTTERSPEED, Konni, Erebus, GreezeBackdoor, Final1stSpy, Syscon, N1stAgent, Nokki, SOUNDWAVE, GELCAPSULE, ScarCruft, RUHAPPY, POORAIM, KevDroid, KoSpy, CARROTBALL, NavRAT, Freenki Loader, DOGCALL, SLOWDRIFT, M2RAT, CARROTBAT, ZUMKONG, RICECURRY, MILKDROP.

ATTACK FLOW DIAGRAM OF APT GROUP123

Group123’s Recent Campaign Highlights and Trends

Campaign highlights

  • Intensified Windows-focused intrusions: Group123 has recently ramped up campaigns against Windows environments, using spear-phishing, malicious document lures (including Hangul/HWP files), and exploitation of newly disclosed vulnerabilities in office suites, operating systems, and web applications to deliver multi-stage payloads. These operations aim to gain persistent footholds in government, defense, research, and critical infrastructure networks.
  • Use of custom malware families: Recent campaigns rely heavily on a mature toolkit including ROKRAT, PoohMilk Loader, Freenki Loader, GELCAPSULE, and Oceansalt, alongside older families such as DOGCALL/Nokki and NavRAT. These implants support command execution, data exfiltration, credential theft, and lateral movement, and they blend into normal traffic through HTTPS-based C2 and multi-stage loading.
  • Zero-day and exploit adoption: Group123 has a track record of using browser and Flash zero-days (for example, the Adobe Flash Player vulnerability CVE-2016-4171, CVSS 9.8) and continues to rapidly integrate newly disclosed vulnerabilities into its intrusion chains, putting unpatched organizations at particular risk.

Tactical and strategic trends

  • Blend of espionage and financial motives: While strategic intelligence collection for North Korean state interests remains the top priority, recent reporting notes a partial shift toward revenue-generating activity, including ransomware operations. The example this profile cites, Maui ransomware, has been attributed by US government advisories to North Korean state-sponsored actors in general rather than to Group123 specifically, so treat the link to this particular group as unconfirmed.
  • Advanced defense evasion: Group123 increasingly uses DLL sideloading, DLL hollowing, call-stack spoofing, payload fragmentation, and sandbox/analysis checks, plus heavy encryption of C2 traffic, to evade traditional detection and complicate forensics.
  • Infrastructure hardening and cloud abuse: The group relies more on compromised legitimate web servers and cloud platforms for C2, leveraging their reputation to bypass filters and maintain resilient infrastructure across campaigns.
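The evasion bullets above describe fragmented, encrypted payloads, and the ATT&CK table later on this page lists T1027.003 (steganography). One of the simplest ways an image lure can carry a stage past content filters is a blob appended after the final IEND chunk: every viewer stops decoding at IEND, so the file still opens as a picture. The following Python is an added triage check written for this profile; it is not code from the group's tooling or from any vendor report. The 1x1 PNG and the payload are constructed inline, and the 64-byte and 6.5-bit thresholds are assumptions to tune for your environment.

```python
import math
import struct
import zlib
from collections import Counter
from typing import Tuple

PNG_SIG = b"\x89PNG\r\n\x1a\n"


def _chunk(ctype: bytes, data: bytes) -> bytes:
    body = ctype + data
    return struct.pack(">I", len(data)) + body + struct.pack(">I", zlib.crc32(body) & 0xFFFFFFFF)


def build_minimal_png() -> bytes:
    """Constructed 1x1 RGB PNG used as the 'clean' sample; not a real lure image."""
    ihdr = struct.pack(">IIBBBBB", 1, 1, 8, 2, 0, 0, 0)   # width, height, depth, RGB, no interlace
    idat = zlib.compress(b"\x00" + b"\x00\x00\x00")        # filter byte + one black pixel
    return PNG_SIG + _chunk(b"IHDR", ihdr) + _chunk(b"IDAT", idat) + _chunk(b"IEND", b"")


def png_trailing_data(data: bytes) -> Tuple[int, bytes]:
    """Walk the chunk list, checking each CRC, and return (offset just past IEND, bytes after it).

    Decoders stop at IEND, so anything after it is invisible to viewers and to
    file-type checks that only look at the signature.
    """
    if not data.startswith(PNG_SIG):
        raise ValueError("not a PNG")
    off = len(PNG_SIG)
    while off + 8 <= len(data):
        length, ctype = struct.unpack(">I4s", data[off:off + 8])
        end = off + 8 + length + 4
        if end > len(data):
            raise ValueError("truncated chunk %r" % ctype)
        body = data[off + 4:off + 8 + length]
        (crc,) = struct.unpack(">I", data[off + 8 + length:end])
        if zlib.crc32(body) & 0xFFFFFFFF != crc:
            raise ValueError("bad CRC in chunk %r" % ctype)
        off = end
        if ctype == b"IEND":
            return off, data[off:]
    raise ValueError("no IEND chunk")


def shannon_entropy(data: bytes) -> float:
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def triage(data: bytes, min_len: int = 64, min_entropy: float = 6.5) -> dict:
    """Flag images carrying a sizeable high-entropy blob after IEND (typical of an encrypted stage).

    Thresholds are assumptions: small trailers (padding, a stray EXIF) and low-entropy
    text are left alone so the check stays quiet on ordinary images.
    """
    off, tail = png_trailing_data(data)
    ent = shannon_entropy(tail)
    return {
        "iend_offset": off,
        "trailing_len": len(tail),
        "trailing_entropy": round(ent, 3),
        "suspicious": len(tail) >= min_len and ent >= min_entropy,
    }


# Constructed stand-in for an encrypted stage: 1 KiB using every byte value equally.
FAKE_PAYLOAD = bytes(range(256)) * 4

if __name__ == "__main__":
    clean = build_minimal_png()
    print("clean:  ", triage(clean))
    print("stuffed:", triage(clean + FAKE_PAYLOAD))
```

This only catches data appended past IEND; a payload hidden in pixel LSBs leaves no trailer and needs a different check (for example, comparing decoded pixel entropy against the same image re-encoded). The CRC verification is deliberate: a lure whose chunks fail their CRCs but still open in a viewer is itself worth a second look.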

Details on Exploited Vulnerabilities

| CVE ID | Affected Product | CVSS Score |
| --- | --- | --- |
| CVE-2018-4878 | Adobe Flash Player | 9.8 |
| CVE-2022-41128 | Windows Scripting Languages (JScript9) | 8.8 |
| CVE-2024-38178 | Windows Scripting Engine (memory corruption) | 7.5 |
| CVE-2020-1380 | Internet Explorer (scripting engine) | 8.8 |
| CVE-2017-8291 | Artifex Ghostscript | 7.8 |

TTPs based on MITRE ATT&CK Framework

| Tactic | ID | Technique |
| --- | --- | --- |
| Initial Access | T1189 | Drive-by Compromise |
| Initial Access | T1566.001 | Phishing: Spearphishing Attachment |
| Execution | T1059 | Command and Scripting Interpreter |
| Execution | T1059.003 | Command and Scripting Interpreter: Windows Command Shell |
| Execution | T1059.005 | Command and Scripting Interpreter: Visual Basic |
| Execution | T1059.006 | Command and Scripting Interpreter: Python |
| Execution | T1203 | Exploitation for Client Execution |
| Execution | T1559.002 | Inter-Process Communication: Dynamic Data Exchange |
| Execution | T1106 | Native API |
| Execution | T1053.005 | Scheduled Task/Job: Scheduled Task |
| Execution | T1204.002 | User Execution: Malicious File |
| Persistence | T1547.001 | Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder |
| Persistence | T1053.005 | Scheduled Task/Job: Scheduled Task |
| Privilege Escalation | T1053.005 | Scheduled Task/Job: Scheduled Task |
| Privilege Escalation | T1548.002 | Abuse Elevation Control Mechanism: Bypass User Account Control |
| Privilege Escalation | T1547.001 | Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder |
| Privilege Escalation | T1055 | Process Injection |
| Defense Evasion | T1548.002 | Abuse Elevation Control Mechanism: Bypass User Account Control |
| Defense Evasion | T1036.001 | Masquerading: Invalid Code Signature |
| Defense Evasion | T1027 | Obfuscated Files or Information |
| Defense Evasion | T1027.003 | Obfuscated Files or Information: Steganography |
| Defense Evasion | T1055 | Process Injection |
| Credential Access | T1555.003 | Credentials from Password Stores: Credentials from Web Browsers |
| Discovery | T1120 | Peripheral Device Discovery |
| Discovery | T1057 | Process Discovery |
| Discovery | T1082 | System Information Discovery |
| Discovery | T1033 | System Owner/User Discovery |
| Collection | T1123 | Audio Capture |
| Collection | T1005 | Data from Local System |
| Command and Control | T1105 | Ingress Tool Transfer |
| Command and Control | T1071.001 | Application Layer Protocol: Web Protocols |
| Command and Control | T1102.002 | Web Service: Bidirectional Communication |
| Impact | T1561.002 | Disk Wipe: Disk Structure Wipe |
| Impact | T1529 | System Shutdown/Reboot |
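The table above is a list of technique IDs; to turn three of the ones that recur in this profile into something a SOC can run, here is an added example written for this page (not derived from any vendor detection content or from the group's tooling). It walks Sysmon-style events and flags an Office or Hangul (HWP) process spawning a script host (T1204.002 / T1059), a scheduled task whose action lives in a user-writable directory (T1053.005), and a Run key value pointing at a user-writable directory (T1547.001). Field names follow Sysmon Event ID 1 (process create) and Event ID 13 (registry value set); the events are constructed, and the `hwp.exe` process name for Hancom Office is an assumption to adjust to what your endpoints actually log.

```python
import re
from dataclasses import dataclass
from typing import List

# Document-handling parents whose child script hosts are suspicious. "hwp.exe" is assumed
# to be the Hancom Office (HWP) binary name; match it to your own process telemetry.
OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe", "hwp.exe"}
SCRIPT_HOSTS = {"cmd.exe", "powershell.exe", "wscript.exe", "cscript.exe",
                "mshta.exe", "rundll32.exe", "regsvr32.exe"}
# Directories an unprivileged user can write to; persistence that points here is the signal.
USER_WRITABLE = re.compile(r"\\(appdata|temp|tmp|public|programdata)\\", re.I)
RUN_KEY = re.compile(r"\\currentversion\\run(once)?\\", re.I)
SCHTASKS_TARGET = re.compile(r'/tr\s+("[^"]*"|\S+)', re.I)


@dataclass
class Alert:
    event_idx: int
    technique: str
    reason: str


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def detect(events: List[dict]) -> List[Alert]:
    """Apply the three checks to Sysmon-style events and return one Alert per hit."""
    alerts: List[Alert] = []
    for i, ev in enumerate(events):
        if ev["EventID"] == 1:
            parent = basename(ev.get("ParentImage", ""))
            child = basename(ev.get("Image", ""))
            cmd = ev.get("CommandLine", "")
            # T1204.002 / T1059: a lure document handing off to a script host.
            if parent in OFFICE_PARENTS and child in SCRIPT_HOSTS:
                alerts.append(Alert(i, "T1204.002", f"{parent} spawned {child}: {cmd}"))
            # T1053.005: schtasks /create whose /tr action runs from a user-writable path.
            if child == "schtasks.exe" and re.search(r"/create\b", cmd, re.I):
                m = SCHTASKS_TARGET.search(cmd)
                target = m.group(1).strip('"') if m else ""
                if USER_WRITABLE.search(target):
                    alerts.append(Alert(i, "T1053.005", f"scheduled task action in user-writable path: {target}"))
        elif ev["EventID"] == 13:
            key = ev.get("TargetObject", "")
            value = ev.get("Details", "")
            # T1547.001: Run/RunOnce value whose data points into a user-writable path.
            if RUN_KEY.search(key) and USER_WRITABLE.search(value):
                alerts.append(Alert(i, "T1547.001", f"Run key {key} -> {value}"))
    return alerts


# Constructed sample events (not real telemetry), shaped like Sysmon fields.
SAMPLE_EVENTS = [
    {"EventID": 1, "ParentImage": r"C:\Program Files\Hnc\Office\Hwp.exe",
     "Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r'cmd.exe /c "%TEMP%\stage1.bat"'},
    {"EventID": 1, "ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\notepad.exe",
     "CommandLine": "notepad.exe notes.txt"},
    {"EventID": 1, "ParentImage": r"C:\Windows\System32\cmd.exe",
     "Image": r"C:\Windows\System32\schtasks.exe",
     "CommandLine": r'schtasks.exe /create /sc minute /mo 30 /tn "SystemUpdate" /tr "C:\Users\victim\AppData\Roaming\update.exe"'},
    {"EventID": 13, "TargetObject": r"HKU\S-1-5-21-1111-2222-3333-1001\Software\Microsoft\Windows\CurrentVersion\Run\Updater",
     "Details": r"C:\Users\victim\AppData\Local\Temp\svc.exe"},
    {"EventID": 13, "TargetObject": r"HKU\S-1-5-21-1111-2222-3333-1001\Software\Microsoft\Windows\CurrentVersion\Run\OneDrive",
     "Details": r"C:\Program Files\Microsoft OneDrive\OneDrive.exe"},
]

if __name__ == "__main__":
    for a in detect(SAMPLE_EVENTS):
        print(f"event {a.event_idx}: {a.technique} - {a.reason}")
```

The user-writable-path test is what keeps the Run key and scheduled task rules quiet on legitimate software, which installs under Program Files; expect to add exclusions for updaters that legitimately live under AppData before deploying either rule.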