
APT37

APT37 is a North Korean state-sponsored cyber-espionage group. Vendor alias mapping for this actor is inconsistent: MITRE ATT&CK's APT37 entry lists the names ScarCruft, Reaper, Group123, InkySquid and Ricochet Chollima, while Konni, TA406 and Thallium are labels more commonly applied to the overlapping Kimsuky cluster, and several vendors treat APT37 and Kimsuky as closely related clusters rather than one group. Its targeting is primarily South Korean entities, and its operations align with North Korean strategic interests in the region.

Recent campaigns attributed to this actor targeted South Korean Android users with destructive remote-wipe attacks: after compromising the victims' Google accounts, the operators used Google's Find Hub (the successor to Find My Device) to issue factory-reset commands to the victims' phones. Reported tradecraft includes spear-phishing that spoofs South Korea's National Tax Service, malware distribution through compromised KakaoTalk accounts (a victim's contacts receive malicious files from a sender they trust), and payloads such as AutoIt-based scripts, LilithRAT and RemcosRAT. The group is notable for turning legitimate cloud and device-management features against their owners for both espionage and destructive ends.

Practitioner note: a Find Hub wipe needs nothing more than a valid session on the victim's Google account, so the control that matters is the account itself. Phishing-resistant MFA (passkeys or FIDO2 security keys) on Google accounts, alerting on new sign-ins and on remote-wipe or factory-reset actions against managed devices, and treating unexpected files received over KakaoTalk as suspicious even when they come from a known contact are the checks a defender should apply against this tradecraft.

Are they targeting you?

Know when an actor pivots toward your sector

Mallory correlates actor tradecraft and target patterns against your stack, your sector, and your geography. See overlap before they land.

What this page doesn’t show

The version that knows your environment.

This page is what’s public. Mallory adds the parts that aren’t: sector and geo overlap with your footprint, the IOCs they’re burning right now, detection coverage, and what to do next.
Target overlap: match sector, geography and tech-stack targeting against your real footprint.

Tradecraft mapping: every observed MITRE ATT&CK technique, grouped by tactic.

Malware arsenal: families this actor is known to deploy, with IOCs and behavior.

Exploited CVEs: CVEs this actor has used in known campaigns.

Detection signatures: YARA, Sigma, Snort and vendor rules, auto-deployed to your SIEM.

Observables: domains, IPs and hashes tied to this actor, refreshed continuously.