Dolphin
Dolphin is a previously unreported Windows backdoor used by the North Korean-linked ScarCruft espionage group, also tracked as APT37, Reaper, Red Eyes, and Erebus. ESET reported it was used in highly targeted operations for more than a year and observed multiple versions from April 2021 through January 2022. Dolphin was deployed as a selective second-stage payload in a multistage intrusion chain, including a 2021 watering-hole attack against a South Korean online newspaper focused on North Korea, where an Internet Explorer exploit led to BLUELIGHT and then Dolphin on selected victims.
Dolphin is a C++ Windows executable with broad surveillance and theft capabilities. It profiles infected hosts by collecting system information such as username, computer name, local and external IP addresses, OS version, RAM size and usage, installed security products, current time, malware version, and the presence of debugging or network packet inspection tools. It can automatically search fixed drives, removable drives, and portable devices such as smartphones via the Windows Portable Device API for files of interest, including documents, media, emails, and certificates, then archive and exfiltrate them. It also supports keylogging, screenshot capture, shell command execution, shellcode execution, and theft of saved passwords and cookies from Chrome, Edge, and Internet Explorer. Earlier versions could also modify signed-in Google and Gmail account settings to enable IMAP and less secure app access, likely to preserve access to victims' email inboxes after credential theft.
A notable characteristic of Dolphin is its use of Google Drive as both command-and-control infrastructure and storage for stolen data. Operators uploaded commands to Google Drive and Dolphin uploaded execution results and stolen data back to Google Drive, staging exfiltrated material in encrypted ZIP archives and tracking uploaded files by MD5 hash to avoid duplicates. Its configuration contained Google Drive API credentials, encryption keys, and instructions for keylogging and file exfiltration.
Installation involved a multistage loader chain. The installer downloaded a CAB file from OneDrive containing a legitimate Python 2.7 interpreter, unpacked it into %APPDATA%\Python27(32) or %APPDATA%\Python27(64), and used a Python script plus XOR-encrypted shellcode stages to load the final payload. The loader created a host process from a randomly chosen %WINDIR%\System32\*.exe command-line executable and injected shellcode into it. Persistence was established via an HKCU\Software\Microsoft\Windows\CurrentVersion\Run registry value launching pythonw.exe with loader arguments, along with a one-time scheduled task that kicked off the loading chain after installation.
Observed Dolphin versions included 1.9, 2.0, 2.2, and 3.0, showing ongoing development and anti-detection changes such as dynamic API resolution, string obfuscation, and temporary removal and later restoration of credential-stealing functionality. The malware name derives from a PDB path found in a sample: D:\Development\BACKDOOR\Dolphin\x64\Release\Dolphin.pdb. The reporting collected here ties Dolphin with high confidence to ScarCruft/APT37 operations primarily targeting South Korea and other entities of interest to North Korea, including government, military, and related organizations, with additional reporting noting targeting of EU-based organizations.
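The loader's on-disk and registry footprint described above is the most hunt-friendly part of the chain, since it does not depend on the payload's obfuscation. The following Python is an added example, not code from ESET or from Mallory: it runs over constructed Sysmon-style registry and process-creation records and flags a Run value or a pythonw.exe launch rooted in %APPDATA%\Python27(32) or %APPDATA%\Python27(64), and it checks a binary blob for the PDB path quoted above. The record schema (EventType, TargetObject, Details, Image, CommandLine), the Run value name, the user name, and the script and stage file names in the sample records are assumptions made for the example; nothing about the real loader's file names is implied.

```python
"""Hunt for the Dolphin loader's persistence footprint in Sysmon-style telemetry.

Added example. Field names and sample records are constructed to resemble
Sysmon event ID 13 (registry value set) and event ID 1 (process creation).
"""
import re
from dataclasses import dataclass
from typing import Iterable, List, Optional

# Persistence location named in the write-up.
RUN_KEY = r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run"

# %APPDATA%\Python27(32) or %APPDATA%\Python27(64), whether the path is logged
# with the environment variable or already expanded to ...\AppData\Roaming.
STAGING_DIR = re.compile(
    r"(?:%APPDATA%|\\AppData\\Roaming)\\Python27\((?:32|64)\)\\", re.IGNORECASE
)
PYTHONW = re.compile(r"\\pythonw\.exe\b", re.IGNORECASE)

# PDB path quoted in the write-up. A PDB string is trivially changed by the
# author, so treat a hit as corroboration rather than proof on its own.
DOLPHIN_PDB = rb"D:\Development\BACKDOOR\Dolphin\x64\Release\Dolphin.pdb"


@dataclass
class Finding:
    rule: str
    evidence: str


def check_registry_event(event: dict) -> Optional[Finding]:
    """Flag a Run value whose data launches pythonw.exe from the staging folder."""
    target = event.get("TargetObject", "")
    details = event.get("Details", "")
    if not target.lower().startswith(RUN_KEY.lower()):
        return None
    if PYTHONW.search(details) and STAGING_DIR.search(details):
        return Finding("dolphin_run_key_pythonw", f"{target} -> {details}")
    return None


def check_process_event(event: dict) -> Optional[Finding]:
    """Flag pythonw.exe executing out of %APPDATA%\\Python27(32|64)."""
    image = event.get("Image", "")
    if PYTHONW.search(image) and STAGING_DIR.search(image):
        return Finding("dolphin_pythonw_from_appdata", event.get("CommandLine", image))
    return None


def pdb_path_present(blob: bytes) -> bool:
    """True if the Dolphin PDB path from the write-up appears in the blob."""
    return DOLPHIN_PDB in blob


def hunt(events: Iterable[dict]) -> List[Finding]:
    """Dispatch each record to the matching check and collect the hits."""
    findings: List[Finding] = []
    for ev in events:
        kind = ev.get("EventType")
        if kind == "RegistryValueSet":
            hit = check_registry_event(ev)
        elif kind == "ProcessCreate":
            hit = check_process_event(ev)
        else:
            hit = None
        if hit is not None:
            findings.append(hit)
    return findings


# Constructed sample telemetry. Value name, user name and the stage1.py /
# stage2.bin file names are placeholders, not indicators from the report.
SAMPLE_EVENTS = [
    {"EventType": "RegistryValueSet",
     "TargetObject": RUN_KEY + r"\PyUpdate",
     "Details": r"%APPDATA%\Python27(64)\pythonw.exe %APPDATA%\Python27(64)\stage1.py stage2.bin"},
    {"EventType": "ProcessCreate",
     "Image": r"C:\Users\alice\AppData\Roaming\Python27(64)\pythonw.exe",
     "CommandLine": r'"C:\Users\alice\AppData\Roaming\Python27(64)\pythonw.exe" stage1.py stage2.bin'},
    # Benign: a Run value for an ordinary program, no pythonw.exe involved.
    {"EventType": "RegistryValueSet",
     "TargetObject": RUN_KEY + r"\OneDrive",
     "Details": r'"C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background'},
    # Benign: a system-wide Python 2.7 install is not the staging folder.
    {"EventType": "ProcessCreate",
     "Image": r"C:\Python27\pythonw.exe",
     "CommandLine": r"C:\Python27\pythonw.exe build.py"},
]

if __name__ == "__main__":
    for finding in hunt(SAMPLE_EVENTS):
        print(finding.rule, "|", finding.evidence)
```

Both rules key on the unusual combination of the interpreter name and the parenthesised Python27(32)/(64) directory under the roaming profile, which is what separates this loader from a legitimate Python install; a full deployment would also want the one-time scheduled task and the OneDrive CAB download the write-up mentions, but those need telemetry fields the page does not describe.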
Vulnerabilities exploited
1 CVE Mallory has correlated with this family across public research and vendor advisories. Each row links to the full Mallory page for that vulnerability.
ESET researchers have analyzed a previously unreported backdoor used by the ScarCruft APT group. The backdoor, which we named Dolphin, has a wide range of spying capabilities, including monitoring drives and portable devices and exfiltrating files of interest, keylogging and taking screenshots, and stealing credentials from browsers.
ScarCruft exploits CVE-2020-1380 to compromise victims.
Groups observed using it
4 distinct threat actors attributed by public researchers. Open in Mallory to see the full evidence chain and overlapping campaigns.
The blog post about Dolphin is available on WeLiveSecurity at https://www.welivesecurity.com/2022/11/30/whos-swimming-south-korean-waters-meet-scarcrufts-dolphin/
Security researchers found a previously unknown backdoor they call Dolphin that's been used by North Korean hackers in highly targeted operations for more than a year to steal files and send them to Google Drive storage.
For example, the threat actors targeted EU-based organizations with a new version of their mobile backdoor named 'Dolphin.'
Techniques & procedures
35 distinct techniques documented for this family, organized by ATT&CK tactic.
Initial Access
2 techniques
According to the researchers, the malware was used in a watering-hole attack on a South Korean paper reporting on activity and events related to North Korea.
ScarCruft Indicators of Compromise
A rigged game: ScarCruft compromises gaming platform in a supply-chain attack
Execution
5 techniques
To start the loading chain after installation, it creates a one-time scheduled task.
The installer downloads a CAB file from OneDrive, containing a legitimate Python 2.7 interpreter... Step 1, the Python script, reads a specified file, XOR-decrypts its contents, and executes the resulting shellcode.
MITRE ATT&CK techniques... ScarCruft used malicious JavaScript for a watering-hole attack.
MITRE ATT&CK techniques... Dolphin uses Windows API functions to execute files and inject processes.
The hackers relied on an Internet Explorer exploit to ultimately deliver Dolphin backdoor to the target hosts.
Persistence
2 techniques
Privilege Escalation
4 techniques
To start the loading chain after installation, it creates a one-time scheduled task.
The Python loader includes a script and shellcode, launching a multi-step XOR-decryption, process creation, etc., eventually resulting in the execution of the Dolphin payload in a newly created memory process.
Step 2, shellcode, creates a host process (random CLI executable from %WINDIR%\System32\*.exe ), XOR-decrypts further shellcode carried within itself, and injects it into the created process.
Stealth
3 techniques
Step 2 (embedded in the installer) containing the rest of the loading chain, including the payload, is encrypted with a one-byte XOR key... The content is encrypted using AES CBC... Most strings in this version are base64 encoded.
The Python loader includes a script and shellcode, launching a multi-step XOR-decryption, process creation, etc., eventually resulting in the execution of the Dolphin payload in a newly created memory process.
Credential Access
3 techniques
Dolphin can record user keystrokes in Google Chrome by abusing the 'GetAsyncKeyState' API.
First, it enables access to Gmail via the IMAP protocol... It steals the existing cookie of the logged-in account from the browser and crafts requests that modify the settings.
Dolphin can retrieve credentials from browsers in the form of saved passwords and cookies. The following browsers are supported: Chrome, Edge, Internet Explorer.
Discovery
8 techniques
Dolphin logs keystrokes for windows with titles containing substrings specified in its configuration. The defaults are chrome and internet explore (sic). This is done via the GetAsyncKeyState API, with keystrokes being logged along with the window name and current time.
The following basic information about the computer and the backdoor is collected: ... Local and external IP address
Internet connection check added (https://www.microsoft.com); no malicious code is executed if offline.
The following basic information about the computer and the backdoor is collected: ... Username
During the initial stage, Dolphin collects the following information from the infected machine: Username, Computer name, Local and external IP address, Installed security software, RAM size and usage, Presence of debugging or network packet inspection tools, OS version.
By default, Dolphin searches all non-fixed drives (USBs), creates directory listings and exfiltrates files by extension... Among regular drives, Dolphin also searches portable devices such as smartphones.
The following basic information about the computer and the backdoor is collected: ... Current time
The following basic information about the computer and the backdoor is collected: ... List of installed security products
Collection
9 techniques
The malware has an extended set of capabilities that includes scanning local and removable drives for various types of data (media, documents, emails, certificates) that is archived and delivered to Google Drive.
Dolphin can record user keystrokes in Google Chrome by abusing the 'GetAsyncKeyState' API.
Data staging Dolphin exfiltrates data to Google Drive storage, staging the data in encrypted ZIP archives before upload.
It can take a snapshot of the active window every 30 seconds.
Dolphin now unconditionally creates directory listings and exfiltrates files by extension every 30 minutes for all drives and devices (fixed drives, removable drives, portable devices).
Its search capabilities extend to any phone connected to the compromised host by using the Windows Portable Device API.
Command and Control
3 techniques
Dolphin is a C++ executable using Google Drive as a command and control (C2) server and to store stolen files. The researchers say that the hackers delivered their commands to Dolphin by uploading them on Google Drive. In response, the backdoor uploads the result from executing the commands.
It communicates with Google Drive cloud storage, which is used as its C&C server... Dolphin uses HTTPS to communicate with Google Drive.
Dolphin downloads commands, issued by its operators, from Google Drive storage and executes them. After execution, the output of commands is uploaded.
Exfiltration
2 techniques
Dolphin now unconditionally creates directory listings and exfiltrates files by extension every 30 minutes for all drives and devices.
Security researchers found a previously unknown backdoor they call Dolphin that's been used by North Korean hackers in highly targeted operations for more than a year to steal files and send them to Google Drive storage.
IOCs tracked for this family
12 indicators attributed across vendor reports, sandbox runs, and researcher write-ups. Full values are available in Mallory.
IPs, domains, and DNS infrastructure linked to this family.
File hashes (MD5, SHA-1, SHA-256) from samples and reports.
Recent activity
5 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.
Dolphin is a mobile backdoor associated with ScarCruft.
A mobile backdoor used by APT37 against EU-based organizations.
A ScarCruft backdoor used for espionage. It collects system information, searches fixed/removable/portable drives for files of interest, exfiltrates data to Google Drive, logs keystrokes, captures screenshots, executes shellcode and shell commands, steals browser credentials/cookies, and in earlier versions modifies Google/Gmail account settings to reduce security and help maintain mailbox access.
A C++ backdoor used in targeted espionage operations that uses Google Drive for command-and-control and exfiltration. It collects host information, steals browser passwords, logs keystrokes, takes screenshots, scans local/removable drives and connected phones for files, exfiltrates data, and establishes persistence via Windows Registry modifications.