# Copyright (c) 2014-2024 Maltrail developers (https://github.com/stamparm/maltrail/) # See the file 'LICENSE' for copying permission # Aliases: apt37, apt-c-37, geumseong121, group123, redeyes, scarcruft, Red Eyes, Venus 121, Thallium, ta406, Temp.Reaper # Reference: https://otx.alienvault.com/pulse/5d4456d289603cc548ddbc92 # Reference: https://blog.alyac.co.kr/2453 (Korean) # Reference: https://fortiguard.com/resources/threat-brief/2019/08/09/fortiguard-threat-intelligence-brief-august-09-2019 price365.co.kr/abbi/head0.jpg price365.co.kr/abbi/json/openssl.php price365.co.kr/abbi/tail0.jpg darvishkhan.net/wp-content/uploads/2017/06/update3.dat darvishkhan.net/wp-content/uploads/2017/06/update6.dat # Reference: http://blogs.360.cn/post/analysis-of-apt-c-37.html # Reference: https://otx.alienvault.com/pulse/5d7916e3f619df83fd65778e adamnews.for.ug btcaes2.duckdns.org da3da3.duckdns.org israanews.zz.com.ve mmksba.dyndns.org mmksba.simple-url.com samd1.duckdns.org samd2.duckdns.org sorry.duckdns.org webhoptest.webhop.info # Reference: https://twitter.com/blackorbird/status/1188726162928758784 # Reference: https://mp.weixin.qq.com/s/Wnb-r7SWbGGN-XuQ8fW_jw artmuseums.or.kr/swfupload/fla/1.jpg casaabadia.es/wp-content/uploads/2018/06/null/ fjtlephare.fr/wp-content/uploads/2018/05/null/ # Reference: https://twitter.com/blackorbird/status/1112904229495042049 # Reference: https://blog.alyac.co.kr/2226 (Korean) /skin15/include/bin/forlab.php /ct/data/icon/files/goal.php # Reference: https://twitter.com/navSi16/status/1066296138498629637 padosori.co.kr /_controller/admin/upload_sec/down.php # Reference: https://twitter.com/cyberwar_15/status/1122692430262706178 # Reference: https://blog.alyac.co.kr/2281 (Korean) youngs.dgweb.kr /skin15/include/bin/home.php # Reference: https://ti.qianxin.com/blog/articles/anatomy-of-moonLight-attack-on-the-middle-east/ (Chinese) http://72.21.245.117 martnews.aba.ae mslove.mypressonline.com # Reference: https://www.bloomberglaw.com/document/public/subdoc/X67FPNDOUBV9VOPS35A4864BFIU # Reference: https://malpedia.caad.fkie.fraunhofer.de/actor/apt37 # Reference: https://twitter.com/jfslowik/status/1212097943550873600 # Reference: https://otx.alienvault.com/pulse/5e0b9895c5ed003a85210202 (# Thallium) # Reference: https://pastebin.com/ScaPd18W ahooc.com app-wallet.com bigwnet.com bitwoll.com cexrout.com change-pw.com checkprofie.com cloudwebappservice.com com-change.pw com-serviceround.info ctquast.com dataviewering.com dauurn.net day-post.com dialy-post.com doc-view.work documentviewingcom.com dounn.net dovvn-mail.com down-error.com drivecheckingcom.com drog-service.com encodingmail.com files-download.net filinvestment.com fixcool.net foldershareing.com golangapis.com graphwin.com grnaeil.com gstaticstorage.com hanrnaii.net helpnaver.com hotrnall.com iinaver.com imap-login.com inbox-yahoo.com lh-logins.com lh-logs.com login-sec.com login-use.com mai1.info mail-down.com maingoogie.com maingoogle.com matmiho.com mihomat.com mofako.com naerver.com natwpersonal-online.com navuor.com nid-login.com nidlogon.com office356-us.org office365-us.org phlogin.com pieceview.club pw-change.com reader.cash reviewer.mobi rnaii.com rnailm.com rnicrosoft.com sec-live.com secrityprocessing.com securitedmode.com security-lnfo.com securytingmail.com seoulhobi.biz set-login.com smtper.org usrchecking.com wallet-vahoo.com yalnoo.com yrnall.com # Reference: https://twitter.com/kyleehmke/status/1212119523077349378 lnfo-master.com # Reference: https://twitter.com/kyleehmke/status/1217486993871056899 security-acount.info # Reference: https://otx.alienvault.com/pulse/5e206c7aef589acc3f96cb79 # Reference: https://blogs.microsoft.com/on-the-issues/2019/12/30/microsoft-court-action-against-nation-state-cybercrime/ blockochain.info files-downloader.net webmail-googie.com webmail-gooqle.com # Reference: https://twitter.com/cyberwar_15/status/1313379907926335489 (Korean) busyday.atwebpages.com # Reference: https://twitter.com/ShadowChasing1/status/1344266120413384705 # Reference: https://www.virustotal.com/gui/file/7820bc1aa19ed61d035a2b7efb315ddb8b73cdf4df6ca41c365ce60ec160e713/detection # Reference: https://www.virustotal.com/gui/file/9d58a6920db59a06e513cf077597a8e1848892ad2cf0ec9e3de8fd677efbfedd/detection hz11.cn/jquery-ui-1.10.4/tests/unit/widget/doc/pu.php # Reference: https://blog.alyac.co.kr/3489 (Korean) frog.smtper.co/frog/ park.smtper.co/frogstock/ # Reference: https://blog.alyac.co.kr/3536 (Korean) # Reference: https://www.virustotal.com/gui/ip-address/23.106.160.32/relations factorgpu.com greenulz.com # Reference: https://twitter.com/cyberwar_15/status/1362413268472655877 klsa.onlinewebshop.net # Reference: https://twitter.com/C0ryInTheHous3/status/1364275034638942210 down-drive.me # Reference: https://twitter.com/cyberwar_15/status/1392459596069961734 nid-naver.servepics.com # Reference: https://twitter.com/cyberwar_15/status/1392488563309105155 # Reference: https://www.virustotal.com/gui/file/1136ba6837a18a39b430cd8d2a7ff276dbaddf813060c47725c7c629dbab7ce5/detection ahnlab.check.pe.hu # Reference: https://twitter.com/cyberwar_15/status/1392469490592411651 daum.sytes.net enolja.com naver.servemp3.com nid-naver.servehttp.com # Reference: https://medium.com/s2wlab/matryoshka-variant-of-rokrat-apt37-scarcruft-69774ea7bf48 # Reference: https://otx.alienvault.com/pulse/60eeb8b1f8a87529ba8d6d8c mobile-analytics-d0558.web.app # Reference: https://twitter.com/cyberwar_15/status/1422376991907450886 # Reference: https://www.boannews.com/media/view.asp?idx=99543 (Korean) # Reference: https://otx.alienvault.com/pulse/610a5db8cefc6068865ae665 tksrpdl.atwebpages.com # Reference: https://github.com/EmergingThreats/threatresearch/blob/master/ta406/ta406_ioclist.csv acount-pro.club acount-pro.live anlysis-info.xyz asia-studies.net bignaver.com carnegieinsider.com change-pw.com clonesec.us cloudnaver.com cloudocument.com cloudsecurityservice.net dailycloudservice.com daumhelp.net daum-protect.com deioncube.biz delivernaver.com delivers-security.com delivers-security.net diplomatictraining.com document-package.online documentpackages.link documentpackages.online documentpackage.space documentpackages.space documentpackages.store documentserver.site down-error.com download-apks.com downloader-hanmail.net download-live.com emailnaver.com globalcloudservices.org gooapi.online google-acount.com goolg-e.com goolge.space govermentweb.site help-master.online helpnaver.host helpnaver.link helpnaver.online help-naver.site helpnaver.site help-secure.info hpronto-login.com itamaraty.net knowledgeofworld.org lnfo-master.com login-protect.club login-protect.online mail-master.online microsoft-pro.host microsoft-pro.live microsoft-pro.site microsoft-pro.space midsecurity.org mid-service.com mid-service.org myethrvvallet.com mysoftazure.com naverhelp.com navermain.com naversecurity.us nicnaver.com nidnaver.host nidnaver.press nidnaver.site nidnaver.store noreply-cc.online noreply-goolge.com noreply-sec.online noreply-yahoo.com oaass-torrent.com proattachfile.com pronto-login.info pw-change.com resetpolicy.com resetprofile.com rfa.news rnaii.com rnail-inbox.com rnailm.com rnail-suport.site rneail.com secureaction.ru securelevel.site security-acount.info securitycounci1report.org security-delivers.com securityforcastreport.com security-lnfo.com security-nid.space security-pro.me security-pro.online securitysettings.info seoulhobi.biz servicenaver.com servicenidnaver.com sinoforecast.com softfilemanage.com ssidnaver.com stategov.biz support-info.network unosa.org voakorea.news voakoreas.com voipgoogle.com vpsino.org webofknowledg.com xfindphoneloc.com xn--mcrosoft-online-hic.com 0member-services.hol.es 1006ieudneu.atwebpages.com 1995ieudneu.atwebpages.com attachdown.000webhostapp.com attachdownload.000webhostapp.com attachdownload.99on.com dnsservice.esy.es emailru.99on.com firefox-plug.c1.biz koryogroup.1apps.com lookyes.c1.biz north-korea.medianewsonline.com online-manual.c1.biz romanovawillkillyou.c1.biz securitydownload.99on.com silverlog.hol.es softlay-ware.c1.biz takemetoyouheart.c1.biz taketodjnfnei898.c1.biz taketodjnfnei898.ueuo.com u13448720.ct.sendgrid.net u19402039.ct.sendgrid.net u7747409.ct.sendgrid.net u8253848.ct.sendgrid.net u9810308.ct.sendgrid.net upsrv.16mb.com vscode-plug.c1.biz win10-ms.c1.biz # Reference: https://securelist.com/scarcruft-continues-to-evolve-introduces-bluetooth-harvester/90729/ acddesigns.com.au buttyfly.000webhostapp.com kmbr1.nitesbr1.org planar-progress.000webhostapp.com stjohns-burscough.org # Reference: https://securelist.com/scarcruft-surveilling-north-korean-defectors-and-human-rights-activists/105074/ djsm.co.kr/js/20170805.hwp doseoul.com/bbs/data/hnc/update.php haeundaejugong.com/data/jugong/do.php haeundaejugong.com/editor/chinotto/do.php hz11.cn/jquery-ui-1.10.4/tests/unit/widget/doc/pu.php kjdnc.gp114.net/data/log/do.php kumdo.org/admin/cont/do.php luminix.kr/bbs/data/proc/proc.php luminix.openhaja.com/bbs/data/proc1/proc.php # Reference: https://0xthreatintel.medium.com/apt37-targets-journalists-security-researchers-4d18c559767c js5950.cafe24.com kjdnc.gp114.net # Reference: https://twitter.com/midnight_comms/status/1467886870226952199 # Reference: https://www.virustotal.com/gui/file/3f3d492fe284569abb0ee60595e63ca5220ca8206c62df2a1f0ccfb8b9060405/detection annstyle.ru # Reference: https://twitter.com/midnight_comms/status/1467887093561053188 # Reference: https://www.virustotal.com/gui/file/facb0525447439cb402c1808e5a3a2436b887f8aa01af63201b1ca5350bee34e/detection iblcor.cafe24.com # Reference: https://www.proofpoint.com/sites/default/files/threat-reports/pfpt-us-tr-threat-insight-paper-triple-threat-N-Korea-aligned-TA406-steals-scams-spies.pdf # Reference: https://otx.alienvault.com/pulse/61978976fed1a4a1794586e7 acl-medias.fr christinadudley.com fd-com.fr kswebdesign.eu oaass.co.kr rabadaun.com influencer.jvproduccionessv.com mail.apm.co.kr mail.summitz.com securitydownload.99on.com simple.kswebdesign.eu # Reference: https://stairwell.com/wp-content/uploads/2022/04/Stairwell-threat-report_-The-ink-stained-trail-of-GOLDBACKDOOR.pdf # Reference: https://lists.emergingthreats.net/pipermail/emerging-sigs/2022-April/030646.html # Reference: https://otx.alienvault.com/pulse/6261887e15fc527fe850e657 dailynk.us lit-peak-25706.herokuapp.com mail.dailynk.us main.dailynk.us # Reference: https://twitter.com/cyberwar_15/status/1481430358629707776 # Reference: https://twitter.com/cyberwar_15/status/1528619208183287809 # Reference: https://twitter.com/ShadowChasing1/status/1529451994532167682 bigfilemail.net work3.b4a.app # Reference: https://otx.alienvault.com/pulse/62e127f6ae973b499899ff9b # Reference: https://www.virustotal.com/gui/file/0675443b6438e3a7e910d591aaefcf616a65e55856aa0aea58305f23035818f8/detection http://185.176.43.106 # Reference: https://twitter.com/Timele9527/status/1600690222685032448 # Reference: https://blog.google/threat-analysis-group/internet-explorer-0-day-exploited-by-north-korean-actor-apt37/ free-xmlformat.com ms-office.services ms-offices.com openxmlformat.org template-openxml.com word-template.net # Reference: https://www.cib.gov.tw/News/BulletinDetail/8294 # Reference: https://otx.alienvault.com/pulse/5ec7ff4ec67d6aca23b7c350 # Reference: https://www.virustotal.com/gui/file/926a947ea2b59d3e9a5a6875b4de2bd071b15260370f4da5e2a60ece3517a32f/detection # Reference: https://www.virustotal.com/gui/file/af5fb99d3ff18bc625fb63f792ed7cd955171ab509c2f8e7c7ee44515e09cebf/detection outlook-offices.com phonectrl.com tibet-office.com conference.outlook-offices.com file.outlook-offices.com mofa.outlook-offices.com nds1.outlook-offices.com office.phonectrl.com file-sharing.tibet-office.com # Reference: https://github.com/blackorbird/APT_REPORT/blob/master/group123/ScarCruft%20(APT37)%20active%20in%20South%20Korea.pdf /bbs/data/cjdc/proc.php /bbs/data/comb/price.php # Reference: https://asec.ahnlab.com/en/48063/ # Reference: https://otx.alienvault.com/pulse/63f67cceee1cc80ed9497ecf elearning.or.kr # Reference: https://asec-ahnlab-com.translate.goog/ko/48764/?_x_tr_sl=auto&_x_tr_tl=es&_x_tr_hl=en&_x_tr_pto=wapp # Reference: https://otx.alienvault.com/pulse/6408a4922f014d07a51f1f77 shacc.kr/skin/product/mid.xn--php # Reference: https://blog.sekoia.io/peeking-at-reaper-surveillance-operations-against-north-korea-defectors/ http://141.105.65.165 attiferstudio.com/install.bak/sony/ clovery-shapes.000webhostapp.com/defcon/ hk-law.co.kr/data/file/joomla/ jdwanxiang.com/win/shenti/ koaagj.co.kr/files/2014/12/fix/ ri-guard.com/download/temp/cn-var/ # Reference: https://twitter.com/fmc_nan/status/1638528180947668993 # Reference: https://twitter.com/malwrhunterteam/status/1638661235146104832 # Reference: https://www.virustotal.com/gui/file/40cb1016a2d962482f40f1ce712403fbd8e23ce3d24b08241a6d5102306ecbc0/detection yangak.com/data/cheditor4/pro/mid.php yangak.com/data/cheditor4/pro/temp/7.html yangak.com/data/cheditor4/pro/ # Reference: https://twitter.com/malwrhunterteam/status/1646612420683526146 # Reference: https://www.virustotal.com/gui/ip-address/194.165.16.93/relations # Reference: https://www.virustotal.com/gui/file/1f3d808d89ea6c78d0fb0ff7e7d4be2115d231289c8dabd1663c4ffa19c56c26/detection sharefiles-betterbusinessbureau-upload.com sharefiles-betterbusinessbureau-us1.com # Reference: https://community.emergingthreats.net/t/ruleset-update-summary-2023-05-01-v10312/521 daum-store.com docx1.b4a.app link.b4a.app nate-download.com naver-file.com naver-storage.com # Reference: https://twitter.com/StopMalvertisin/status/1662733487768739842 http://128.199.133.121 # Reference: https://twitter.com/fmc_nan/status/1664179152331866112 # Reference: https://www.virustotal.com/gui/file/c26746a7a3e474e2c4915b4e05042a0ca53c195ac32f440bda73382008519793/detection http://172.93.181.249 # Reference: https://twitter.com/h2jazi/status/1681122432000618499 # Reference: https://www.virustotal.com/gui/file/012063e0b7b4f7f3ce50574797112f95492772a9b75fc3d0934a91cc60faa240/detection # Reference: https://www.virustotal.com/gui/file/01e7405ddd5545ffb4a57040acc4b6f8b8a5cc328fa8172e1800a1cb49bdf15c/detection atusay.lat tosals.ink # Reference: https://twitter.com/malwrhunterteam/status/1681595936991064064 # Reference: https://www.virustotal.com/gui/file/eb21cf8e6f64340216e9c326fb58956d5408d6f2c0c5126ff8af9a4aac39e1a2/detection ppangz.mom /mjifi # Reference: https://twitter.com/h2jazi/status/1688977725279600648 # Reference: https://www.virustotal.com/gui/file/d42ef12b6b40c1e3d0132a4be8954bb44d4019b7b82061651604895feb3ab016/detection jutise.fun # Reference: https://twitter.com/StopMalvertisin/status/1690399427255758848 # Reference: https://www.virustotal.com/gui/file/5071a29f42689c6d83de6fc16bbc6272b50ff06a53c721f34b0d94a29112bba6/detection drimby.top # Reference: https://twitter.com/StopMalvertisin/status/1690399430405734400 # Reference: https://www.virustotal.com/gui/file/f5e46e18facc6f8fde6658b96dcd379b82cc6ae2e676fb47f08cbeccd307b1b4/detection # Reference: https://www.virustotal.com/gui/file/fcfb0398eb0216332bb3ce25e5e353e59a2f7af84e0b96fa04b65666276f5785/detection crilts.cfd labimy.ink # Reference: https://twitter.com/StopMalvertisin/status/1690422578509479936 # Reference: https://www.virustotal.com/gui/file/7dd84cc7d8271a88063ce1ff1f1abe74c8e5b33301cb957b951161e6fe1b73fc/detection http://75.119.136.207 ableinfo.co.kr/member/ bian0151.cafe24.com vmi810830.contaboserver.net # Reference: https://twitter.com/suyog41/status/1691027132254986240 # Reference: https://www.virustotal.com/gui/file/ee08d70c66ce95755b6936d59290eca71ebacce3efeae075e1454bb0f577a5d7/detection nobuay.ink # Reference: https://twitter.com/blackorbird/status/1694912623299674230 # Reference: https://mp.weixin.qq.com/s/pIdyesArvoXaD-lLYVvXiw bajut.pro giath.xyz oebil.lat # Reference: https://twitter.com/suyog41/status/1697536913610314016 # Reference: https://www.virustotal.com/gui/file/b31b89e646de6e9c5cbe21798e0157fef4d8e612d181085377348c974540760a/detection navercorp.ru # Reference: https://twitter.com/suyog41/status/1704025925187473638 # Reference: https://twitter.com/suyog41/status/1704098124762132790 # Reference: https://www.virustotal.com/gui/file/02489e283a347299152394ca9ef82812808501ab8a5b458bebc5a658644d2799/detection teishin.org/img/Updater.zip teishin.org/treasury/wp_asist.php teishin.org/treasury/resources/admin/wp-admin/attack.php # Reference: https://twitter.com/malwrhunterteam/status/1510919695423184896 # Reference: https://www.virustotal.com/gui/file/e6091e6bf8135e09f46b6a230873a6cacc6f7fc2fa4d8c3d5899b210eed1a5a9/detection # Reference: https://www.virustotal.com/gui/file/e4ff04fe1aa1f28a993ac57cac277cd1e4bd8777d57644eb9e22d891194a90bf/detection # Reference: https://github.com/blackorbird/APT_REPORT/blob/master/kimsuky/20231016_threat_inteligence_report_DarkHorse.pdf successgoo.com vhostnetwork.com # Reference: https://twitter.com/malwrhunterteam/status/1523754342402052097 # Reference: https://www.virustotal.com/gui/file/ce1a5653444eb9902dd98365b1e2fd1bfee4ceb4e8d6746078d557bbaa764fe7/detection # Reference: https://github.com/blackorbird/APT_REPORT/blob/master/kimsuky/20231016_threat_inteligence_report_DarkHorse.pdf cerebrovascular.net # Reference: https://twitter.com/blackorbird/status/1714576304279032023 # Reference: https://github.com/blackorbird/APT_REPORT/blob/master/kimsuky/20231016_threat_inteligence_report_DarkHorse.pdf cheth.lol honess.fun plifty.lat sgibn.cam # Reference: https://github.com/blackorbird/APT_REPORT/blob/master/kimsuky/20231016_threat_inteligence_report_DarkHorse.pdf # Reference: https://www.virustotal.com/gui/file/fd25c643565fdd42bb9a9af7d965b2dcfd80a889b50526abc5e9a4fd1bab6542/detection shoru.net # Reference: https://twitter.com/StopMalvertisin/status/1722227919634981372 # Reference: https://www.virustotal.com/gui/file/7387d00194adf8a8f15e12e191bfaa8dbd6c7af227ddc14d7fec742b30adc245/detection ebpp.airport.kr # Reference: https://twitter.com/fmc_nan/status/1729428966967271693 # Reference: https://www.virustotal.com/gui/file/194354cae93878dc3ba6ca2f71b70452ea0f1ac9d62f95431e5d3483b4f83074/detection goodmarket.or.kr # Reference: https://www.sentinelone.com/labs/a-glimpse-into-future-scarcruft-campaigns-attackers-gather-strategic-intelligence-and-target-cybersecurity-professionals/ alireza.traderfree.online bellissues.live benefitinfo.live benefitinfo.pro benefiturl.pro careagency.online cra-receivenow.online crareceive.site depositurl.co depositurl.lat direct.traderfree.online faguo.namecentless.top forex.traderfree.online groceryrebate.online groceryrebate.site gstcreceive.online hl.namecentless.top instantreceive.org li.namecentless.top lin.namecentless.top namecentless.top receive.bio receiveinstant.online rentsubsidy.help rentsubsidy.online shate.namecentless.top tes.namecentless.top tes1.namecentless.top tes2.namecentless.top tes3.namecentless.top tes4.namecentless.top tinyurlinstant.co traderfree.online ttt.namecentless.top urldepost.co verifyca.online visiononline.store # Reference: https://twitter.com/suyog41/status/1772149859698524630 # Reference: https://www.virustotal.com/gui/file/fb55f221a1c382eaaea943c9c4c3bc35f512f0ae515d9f33693bff9ccd1b7483/detection sklims.lat ems.nps.or.kr # Reference: https://www.virustotal.com/gui/file/2ede67e3953d9d8519f450c6be70f2b8f4826e17b2b5f43fa1144a3a5d15973f/detection urbiusla.homes