TA-RedAnt
TA-RedAnt is a North Korean-linked threat actor that the reporting identifies as APT37. The group conducts espionage-focused operations primarily against South Korean and North Korea-related targets, including North Korea-related professionals in South Korea, national security think tanks, academia and research personnel, and, in earlier activity, North Korean defectors and South Korean experts on North Korea. The reporting also describes broader targeting of South Korean users through a large-scale campaign. Observed activity includes spear-phishing, watering-hole-style delivery, abuse of trusted cloud services, and exploitation of Internet Explorer vulnerabilities.

In May 2024, TA-RedAnt/APT37 was attributed with “Operation Code on Toast,” a large-scale campaign that exploited CVE-2024-38178, a previously unknown vulnerability in the Internet Explorer Chakra engine, via malicious toast advertisements delivered through free software widely used in South Korea. According to the reporting, the attackers compromised a domestic ad agency server, injected a malicious iframe into the HTML served to the ad program, and achieved remote code execution. A multi-stage malware chain followed: first-stage malware injected into explorer.exe, a second stage that collected host information, and finally a RokRAT variant for command execution and data theft. The RokRAT variant used cloud services for C2, with Yandex Cloud configured by default.

In March 2025, TA-RedAnt distributed RokRAT through an LNK-based spear-phishing campaign themed as an academic event associated with a South Korean security think tank. That activity reportedly used ZIP/LNK delivery, Dropbox, and “Living off Trusted Sites” cloud-service-based C2, and is listed as exploiting CVE-2022-41128.

The group uses multiple delivery strategies, including watering hole, spear phishing, and SNS phishing, and targets Windows users as well as Android users (via malicious APKs) and macOS users. In June 2025, TA-RedAnt reportedly targeted South Korea-based North Korea-related professionals in international relations, political science, academia, and research using the Rustonotto and Chinotto backdoors together with the FadeStealer data theft tool. Reported execution chains included LNK to PowerShell, CHM to HTA/PowerShell, and downloading and executing remote CAB/RAR files. The reporting describes Rustonotto as a Rust-compiled HTTP backdoor using Base64-encoded commands and responses; Chinotto as a PowerShell backdoor supporting file transfer, command execution, and persistence via the registry and scheduled tasks; and FadeStealer as collecting data through keylogging, screenshots, audio recording, device and file collection, and exfiltrating sensitive data. TA-RedAnt further used TxF-based process doppelgänging for concealed execution and scheduled-task and registry mechanisms for persistence, with a single PHP-based C2 structure serving Chinotto, FadeStealer, and Rustonotto.

The reporting also attributes to TA-RedAnt/APT37 direct targeting of air-gapped environments. In that activity, the group combined LNK-based initial compromise, Zoho WorkDrive-based command-and-control, Ruby runtime droppers, and removable media such as USB for command delivery and data exfiltration, enabling persistent reconnaissance, keylogging, and audio and video collection inside isolated networks.

Known aliases directly supported by the reporting: TA-RedAnt, APT37.
Targeting
Who, where, and (when attributed) which flag flies behind the operation. Pulled from open-source reporting and Mallory's analyst review.
Who they target
Sectors the actor has been observed targeting.
- Software & Services
- Media & Entertainment
- Government & Administration
Where they target
Geographies tied to known operations.
- 🇰🇷 South Korea
Where they're from
Attributed origin per open-source reporting.
- KP (North Korea)
Tradecraft
12 distinct techniques observed across reporting, grouped by tactic.
Associated malware families
4 malware families attributed to this actor across reporting.
Associated vulnerabilities
2 CVEs this actor has used in observed campaigns. 2 of them exploited in the wild.
Vulnerability exploited: CVE-2022-41128 (Internet Explorer vulnerability). Malware and tools: RokRAT.
The group leveraged a previously unknown vulnerability (CVE-2024-38178) in IE’s legacy Chakra engine (jscript9.dll). Delivered via seemingly innocuous toast ads—pop-up windows displayed in free software—the attack exploited the vulnerability to execute remote commands.
Recent activity
5 sources tracked across advisories, community write-ups, and news.
Carried out a multi-stage attack against air-gapped environments that combined LNK-based initial intrusion, cloud-based C2, a Ruby dropper, and USB-mediated propagation.
Targeted air-gapped environments using air-gap bypass tradecraft, including LNK-based compromise, cloud-based C2, Ruby droppers, and USB-mediated command delivery and exfiltration.
Targeted espionage/data-theft operations against South Korea-based North Korea-focused professionals using multi-stage loaders and backdoors (Rustonotto, Chinotto) plus comprehensive surveillance/data-stealing tooling (FadeStealer).
Spear-phishing operations delivering RokRAT via LNK/ZIP and leveraging trusted cloud services (e.g., Dropbox) for delivery/C2; targets South Korean national security-related entities and reportedly also targets Android and macOS users.