North Korean hackers reboot espionage operations following December takedown

APT37 is back, according to research from a South Korean security company.
Pyongyang, North Korea (Pixabay)

Suspected North Korean hackers have been running a spearphishing email operation targeting people interested in North Korean refugees, according to new research from ESTsecurity, a South Korea-based security firm.

The cyber-espionage group, which ESTsecurity Security Response Center (ESRC) researchers attribute to a group known as Geumseong121, entices its victims into clicking links that appear to be about North Korean refugees. But instead of delivering valuable information, the link points recipients to repositories that download malicious files, according to ESRC.

The campaign, which ESRC has named “Operation Spy Cloud” since it relies on cloud services, shows the hacking group returning to operations following a setback in December when Microsoft seized 50 websites used by the group in spearphishing campaigns. The group is also widely known as APT37.

Following the takedown, the group is working to conceal its activities, according to ESRC. For instance, instead of attaching the malicious documents directly, the attackers appear to have opted to prompt users to click links in their spearphishing emails, in the hope of evading security products.


“This allows attackers to modify or delete files as needed, to evade detection and minimize the footprint,” ESRC researchers write.

The campaign, which started earlier this month, is just the latest espionage operation run by Geumseong121. Last year, the North Korean hackers ran an operation related to North Korean defectors. Known as “Dragon Messenger,” that operation targeted both defectors and North Korean-related organizations with a malicious application purporting to be a fundraising application for North Korean defectors. The group’s motivation appeared to be both financial gain and surveillance, according to previous ESRC research.

Although the Spy Cloud campaign’s exact targets are unclear, the group typically focuses on people who are invested in reunification between North Korea and South Korea, foreign affairs, national security, or North Korean refugees, according to ESRC.

The attack

Once victims click through the links and open the malicious documents, which come in .doc, .xls and .hwp formats (the last being a word processor format used by the Korean government), the attackers also deliver malicious Visual Basic for Applications (VBA) macros to the victims.


The malware then connects to the attackers’ command and control server, Google Drive, and attempts to upload system information to PickCloud. Once a user reaches this step, the attackers may also try to install additional backdoors, according to the researchers.
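As an added example, not code from the article or from ESRC: a small detection routine for the chain described above, flagging a document viewer for one of the lure formats that opens a file and then reaches a cloud-storage host within a few minutes. The log format, the PickCloud hostname and the sample lines are constructed assumptions.

```python
"""Flag lure-document viewers that reach cloud-storage hosts shortly after
opening a document (the document -> macro -> cloud C2 chain described above).
The log format, hostnames and sample lines below are constructed."""
import re
from datetime import datetime, timedelta

# Viewers for the lure formats named in the article: .doc, .xls, .hwp
DOC_PROCESSES = {"winword.exe", "excel.exe", "hwp.exe"}
LURE_EXTENSIONS = (".doc", ".xls", ".hwp")
# drive.google.com is real; the PickCloud host is an assumed placeholder
CLOUD_HOSTS = {"drive.google.com", "www.googleapis.com", "pickcloud.example"}
WINDOW = timedelta(minutes=5)

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<event>file_open|net_connect) pid=(?P<pid>\d+) "
    r"proc=(?P<proc>\S+) (?P<arg>\S+)$")

def parse(line):
    """Parse one constructed EDR-style log line into a dict, or None."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ev = m.groupdict()
    ev["ts"] = datetime.fromisoformat(ev["ts"])
    ev["pid"] = int(ev["pid"])
    return ev

def find_suspicious(lines):
    """Return (pid, process, document, host) for every document-viewer
    process that opened a lure-format file and then connected to a
    cloud-storage host within WINDOW of that open."""
    opened = {}  # pid -> (open time, document path)
    hits = []
    for ev in filter(None, map(parse, lines)):
        if ev["proc"].lower() not in DOC_PROCESSES:
            continue  # browsers etc. legitimately talk to Google Drive
        if ev["event"] == "file_open" and ev["arg"].lower().endswith(LURE_EXTENSIONS):
            opened[ev["pid"]] = (ev["ts"], ev["arg"])
        elif ev["event"] == "net_connect" and ev["pid"] in opened:
            t0, doc = opened[ev["pid"]]
            host = ev["arg"].split(":")[0].lower()
            if host in CLOUD_HOSTS and ev["ts"] - t0 <= WINDOW:
                hits.append((ev["pid"], ev["proc"], doc, host))
    return hits

SAMPLE_LOG = [  # constructed sample events
    "2020-01-15T09:00:00 file_open pid=412 proc=hwp.exe C:\\Users\\u\\Downloads\\refugee_support.hwp",
    "2020-01-15T09:00:12 net_connect pid=412 proc=hwp.exe drive.google.com:443",
    "2020-01-15T09:00:40 net_connect pid=412 proc=hwp.exe pickcloud.example:443",
    "2020-01-15T09:05:00 file_open pid=900 proc=winword.exe C:\\Users\\u\\report.doc",
    "2020-01-15T09:20:00 net_connect pid=900 proc=winword.exe drive.google.com:443",
    "2020-01-15T09:06:00 net_connect pid=777 proc=chrome.exe drive.google.com:443",
]
```

Only the hwp.exe process is reported: the Word connection falls outside the five-minute window and the browser connection is not a document viewer.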

The campaign includes both Windows- and Android-based components, according to ESRC.

Beyond the similarities in content, ESRC attributes the campaign to Geumseong121 because the tactics, techniques, procedures, and final payload are “exactly the same as the materials” used in another recent cyber-espionage operation carried out by the group, the ESRC researchers write. ESRC also found similar coding techniques and a similar reliance on cloud services between previous Geumseong121 campaigns and the Spy Cloud campaign.

ESRC researchers note the email account used to register the cloud services in this campaign is similar to an account the group has used in previous campaigns as well.

It is not clear if Geumseong121 has been successful in exfiltrating data this month or what kinds of information or financial gain the group may ultimately be seeking at this time.


Written by Shannon Vavra
