# Group123/APT37

## 20221208 Internet Explorer 0-day exploited by North Korean actor APT37

https://blog.google/threat-analysis-group/internet-explorer-0-day-exploited-by-north-korean-actor-apt37/

Domains reported:

- word-template[.]net
- openxmlformat[.]org
- ms-office[.]services
- ms-offices[.]com
- template-openxml[.]com

## 20211129 ScarCruft surveilling North Korean defectors and human rights activists

https://securelist.com/scarcruft-surveilling-north-korean-defectors-and-human-rights-activists/105074/

## 20191111 Group123, 'Dragon Messenger' mobile APT attack on North Korean defector sponsors

https://blog.alyac.co.kr/2588 (Nov 11, 2019)

## 20190423

### Spear phishing operation: Group123 APT attack impersonating the Unification Ministry, spreading malicious code via Google Drive

https://blog.alyac.co.kr/2268 (April 22, 2019)

Related: 'group123' group, 'survey on the total number of discovered separated families in North and South'

https://blog.alyac.co.kr/1767 (July 28, 2014)

IOC:

- email_93682646.html: 88107e3c785d3d30e5f6fc191622a157
- memo.utr: 86f83586c96943ce96309e3017a3500c
- sender email: Lee Soo-hyun, 211.197.11.18
- info: http://155.138.236.240/sec[.]png?id=

### Phishing

### After the victim enters a password and logs in, the page redirects to unikorea.go.kr

https://unikorea.go.kr/upload/editUpload/20190418/2019041814360535872.png

https://unikorea.go.kr/upload/editUpload/20190418/2019041814364795734.png

### The HTML file disguises this two-step process and connects to a specific Google Drive address in the background

- download: memo.utr
- Google Drive owner: 한국정치학회 (Korean Political Science Association), Gmail: kpsapress@gmail.com
- decodes a PE file and collects private information

### Posts to "pcloud"; the authorizing email is kcrc1214@hanmail.net (account joined 2018.12.3)

The attackers appear to have deliberately embedded a Russian string as a false flag for analysts; translated into English it reads 'Humpty Dumpty'.

### D:\System\Kernel32\Shell32\Sample\Release\Шалтай-Болтай.pdb (Humpty Dumpty)

### HTML code feature