May 19, 2025 — North Korean state-sponsored hackers, known as APT Group 123, have stepped up their cyber espionage efforts, focusing on Windows-based systems in various industries around the world.
Also known as APT37, Reaper, and ScarCruft, the group has been active since at least 2012. While it initially targeted South Korea, it has since expanded its reach to Japan, Vietnam, the Middle East, and other regions.
The group’s main goal is to steal sensitive data from critical sectors, including government, aerospace, manufacturing, and high-tech industries.
Attack Methods
APT Group 123 uses several attack methods. The most common is spear phishing: targeted emails carry malicious document attachments that exploit vulnerabilities in Microsoft Office and, for South Korean targets, the Hangul Word Processor (HWP), which the group has abused for years.
They also use watering hole attacks and drive-by downloads. These tactics infect users when they visit compromised websites, exploiting browser and plugin vulnerabilities (historically including Adobe Flash Player) so that no attachment has to be opened at all.
These techniques help the group gain initial access to networks and show their ability to adapt to different environments.
Shifting Tactics and Financial Motivation
According to researchers at cybersecurity firm Cyfirma, APT Group 123 is now combining espionage with financial crime. The group has started using ransomware attacks to generate income, which appears to fund its spying activities.
The group has affected organizations in at least 13 countries, often targeting those with valuable intellectual property or strategic data.
Advanced Malware and Network Infiltration
APT Group 123 uses custom malware tools such as ROKRAT, PoohMilk, and Freenki Loader. In the chains documented so far, PoohMilk acts as the launcher dropped by the malicious document, Freenki is the downloader that profiles the host and fetches the next stage, and ROKRAT is the backdoor that gives the operators long-term, low-profile access.
Once inside, they move laterally between systems, escalate privileges, and exfiltrate stolen data to attacker-controlled servers. A single compromised workstation can therefore turn into a network-wide loss of data and control.
Evading Detection
The group uses encrypted communication, such as HTTPS, to hide command-and-control traffic among ordinary web traffic. Security tools that rely on inspecting payloads see nothing unusual; detection has to come from metadata such as which process is connecting, where, and how regularly.
Their malware is typically delivered in multiple stages, with the final payload split across several components that are only assembled in memory. No single file on disk contains the whole implant, which makes both static analysis and detection more difficult.
The attackers are also aware of security tools. Their malware checks for endpoint protection and analysis software and changes its behavior, for example by staying dormant, to avoid raising alarms.
They commonly use techniques such as DLL sideloading (placing a malicious DLL where a legitimate, signed executable will load it by name), DLL hollowing (overwriting a legitimately loaded module's memory with malicious code) and call stack spoofing (faking the stack frames that security tools inspect when a sensitive API is called) so that malicious code runs inside, and looks like, legitimate Windows processes.
Using Legitimate Platforms to Avoid Detection
Analysts have found that APT Group 123 is increasingly using legitimate web servers and cloud platforms for command and control operations. This includes services such as X (formerly Twitter), Yandex, Mediafire, and possibly Google Drive; ROKRAT in particular has long relied on such services rather than on attacker-owned domains.
This change makes it even harder for defenders to identify threats: the destinations are reputable, the connections are encrypted, and blocking them outright is rarely an option, so malicious activity blends into normal-looking internet traffic.
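Because the destinations themselves are legitimate, detection of this kind of C2 has to rest on who is connecting and how: a non-browser process, often running from a user-writable path, reaching a file-hosting or social-media service on a fixed schedule. The triage script below is an added example, not code from the original article; the connection records are constructed and borrow only their field names (UtcTime, Image, DestinationHostname) from Sysmon Event ID 3, and the list of service hostnames and the beaconing thresholds are assumptions chosen for illustration.

```python
"""Triage outbound connections for C2 hidden in legitimate cloud services.

Records are constructed for this example; field names follow Sysmon Event ID 3
(NetworkConnect), but nothing here is real telemetry.
"""
from __future__ import annotations

import ntpath
import statistics
from collections import defaultdict
from datetime import datetime

# Services the article names as C2 relays; the hostname suffixes are an
# assumption used to illustrate matching, not an authoritative indicator list.
CLOUD_C2_SUFFIXES = (
    "twitter.com", "x.com", "yandex.net", "yandex.ru", "mediafire.com",
    "drive.google.com", "googleapis.com", "pcloud.com", "dropbox.com",
)
BROWSERS = {"chrome.exe", "msedge.exe", "firefox.exe", "iexplore.exe"}
MIN_BEACONS = 4   # connections needed before we judge regularity
MAX_JITTER = 0.2  # coefficient of variation of gaps that still counts as a beacon


def _host_matches(host: str) -> bool:
    host = host.lower()
    return any(host == s or host.endswith("." + s) for s in CLOUD_C2_SUFFIXES)


def _parse(ts: str) -> datetime:
    return datetime.strptime(ts, "%Y-%m-%d %H:%M:%S.%f")


def beacon_jitter(times: list[datetime]) -> float | None:
    """Coefficient of variation of the gaps between connections (None if too few)."""
    if len(times) < MIN_BEACONS:
        return None
    times = sorted(times)
    gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
    mean = statistics.mean(gaps)
    return statistics.pstdev(gaps) / mean if mean > 0 else None


def triage_connections(events: list[dict]) -> list[dict]:
    """Group connections per (process, host) and flag cloud-relay C2 patterns."""
    by_pair: dict[tuple[str, str], list[datetime]] = defaultdict(list)
    for e in events:
        by_pair[(e["Image"], e["DestinationHostname"].lower())].append(_parse(e["UtcTime"]))

    findings = []
    for (image, host), times in by_pair.items():
        proc = ntpath.basename(image).lower()
        cloud = _host_matches(host)
        jitter = beacon_jitter(times)
        reasons = []
        if cloud and proc not in BROWSERS:
            reasons.append("non-browser process talking to a file-hosting/social service")
        if jitter is not None and jitter <= MAX_JITTER:
            reasons.append(f"regular beaconing ({len(times)} connections, jitter {jitter:.2f})")
        if reasons:
            findings.append({"process": image, "host": host, "connections": len(times),
                             "jitter": jitter, "reasons": reasons})
    return findings


def _ev(ts: str, image: str, host: str) -> dict:
    return {"UtcTime": ts, "Image": image, "DestinationHostname": host}


IMPLANT = r"C:\Users\alice\AppData\Local\Temp\svchost.exe"   # note: not in System32
UPDATER = r"C:\ProgramData\winupd\upd.exe"
CHROME = r"C:\Program Files\Google\Chrome\Application\chrome.exe"
OUTLOOK = r"C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE"

# Constructed sample: a user browsing Mediafire, an implant polling Mediafire
# every five minutes, Outlook doing its irregular thing, and a second implant
# polling a Yandex API roughly once a minute.
SAMPLE_EVENTS = [
    _ev("2025-05-19 09:00:00.000", IMPLANT, "www.mediafire.com"),
    _ev("2025-05-19 09:00:10.000", OUTLOOK, "outlook.office365.com"),
    _ev("2025-05-19 09:00:25.000", OUTLOOK, "outlook.office365.com"),
    _ev("2025-05-19 09:01:12.000", CHROME, "www.mediafire.com"),
    _ev("2025-05-19 09:04:47.000", CHROME, "www.mediafire.com"),
    _ev("2025-05-19 09:05:00.000", IMPLANT, "www.mediafire.com"),
    _ev("2025-05-19 09:10:00.000", IMPLANT, "www.mediafire.com"),
    _ev("2025-05-19 09:13:40.000", OUTLOOK, "outlook.office365.com"),
    _ev("2025-05-19 09:15:00.000", IMPLANT, "www.mediafire.com"),
    _ev("2025-05-19 09:20:00.000", IMPLANT, "www.mediafire.com"),
    _ev("2025-05-19 09:31:05.000", CHROME, "www.mediafire.com"),
    _ev("2025-05-19 09:40:02.000", OUTLOOK, "outlook.office365.com"),
    _ev("2025-05-19 10:00:00.000", UPDATER, "cloud-api.yandex.net"),
    _ev("2025-05-19 10:01:03.000", UPDATER, "cloud-api.yandex.net"),
    _ev("2025-05-19 10:01:58.000", UPDATER, "cloud-api.yandex.net"),
    _ev("2025-05-19 10:03:01.000", UPDATER, "cloud-api.yandex.net"),
]

if __name__ == "__main__":
    for f in triage_connections(SAMPLE_EVENTS):
        print(f"{f['process']} -> {f['host']}: {'; '.join(f['reasons'])}")
```

The browser's own visits to Mediafire are not flagged, and Outlook's bursty traffic fails the regularity test, so only the two implants surface. In practice the process path carries most of the signal (a "svchost.exe" in a Temp directory is wrong regardless of destination), and the jitter threshold should be tuned against a baseline of the environment's legitimate sync clients, which also beacon to cloud storage on a schedule.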
Security experts warn that the group continues to evolve quickly, using new software vulnerabilities soon after they are discovered.