The Scarlet Reaper: APT37

Threat Intelligence Tarot

Vol. II · 81

North Korea (RGB - Reconnaissance General Bureau)

G0067

★★★★★

risk 3/5

✦ The Scarlet Reaper ✦

APT37

ScarCruft · Reaper · InkySquid · Ruby Sleet

South KoreaJapanVietnamMiddle EastGovernmentHealthcareDefectors and journalists

Active since ~2012 · Espionage, Intelligence gathering on defectors

The Scarlet Reaper harvests the voices of those who fled, cataloguing every word and contact before the blade falls silent. It hunts not armies but individuals: the defector, the journalist, the witness.

Tactics & Techniques

RCN

RDV

INI

EXC

PRS

PRV

EVA

CRD

DSC

LAT

COL

EXF

IMP

T1566.001

Spearphishing Attachment

Initial Access

T1203

Exploitation for Client Execution

Execution

T1059.003

Windows Command Shell

Execution

T1082

System Information Discovery

Discovery

T1113

Screen Capture

Collection

T1005

Data from Local System

Collection

T1041

Exfiltration Over C2 Channel

Exfiltration

Notable Operations

◆Operation Daybreak (2016)
◆Operation Erebus (2017)
◆Targeting of North Korean defectors
◆BLUELIGHT malware campaigns against media

Defenses

▸
Phishing simulation training for at-risk communities
NIST CSF: PR.AT ↗
▸
Application allowlisting to block unsigned executables
CIS Control 10 ↗
▸
Screen capture and keylogger behavioral detection via EDR
CIS Control 13 ↗
▸
Network egress filtering to block beaconing to unknown hosts
NIST CSF: PR.PT ↗

Reversed: Their Weakness

Its reliance on known malware families and predictable spearphishing lures makes it detectable by modern endpoint tools. Exposed defectors who apply operational security render targeting futile.

Share this adversary profile

Compare →

← → arrow keys to browse

swipe to browse

← PreviousThe Lotus Watcher Next →The Veil of Chafer

Related Adversaries

Data sourced from MITRE ATT&CK. For educational purposes.