Rewterz

APT37 aka ScarCruft or RedEyes – Active IOCs

Severity

High

Analysis Summary

APT37, also known as ScarCruft or Red Eyes, is a North Korean state-sponsored espionage group active since at least 2012. While historically focused on South Korea, the group has expanded its targeting across Asia, the Middle East, and Europe. It has led several notable operations such as Operation Daybreak, Erebus, Golden Time, and Evil New Year, all centered on intelligence collection, disruption, and high-value data theft.

A core tool associated with APT37 is RokRAT, a sophisticated remote-access trojan repeatedly used across its campaigns. By 2025, APT37 continues to evolve its techniques and has shifted to distributing RokRAT through malicious LNK files, moving away from earlier HWP and Word document lures. These LNK files contain PowerShell commands that deploy additional scripts and payloads through temporary directories, enabling a stealthy infection process.

RokRAT’s effectiveness remains rooted in its in-memory execution, encrypted communications, and use of legitimate cloud services such as Dropbox, pCloud, OneDrive, and Yandex Cloud for command-and-control. It also gathers machine-specific information to validate victims and tailor follow-on actions. In 2025, APT37’s continued use and adaptation of RokRAT demonstrate the group’s persistence and growing sophistication, reinforcing its status as a significant cyber threat.
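The two behaviours described above (an LNK-launched PowerShell stager working out of a temporary directory, and command-and-control over consumer cloud-storage APIs from a non-browser process) can be expressed as detection logic. The following is an added example written for this advisory, not Rewterz's or any vendor's detection content; the Sysmon-style events are constructed inline, and the cloud API host names are assumptions used for illustration rather than indicators from the advisory.

```python
import re

# Constructed Sysmon-style records (not from the advisory). EventID 1 = process
# creation, EventID 3 = network connection; field names follow Sysmon's schema.
SAMPLE_EVENTS = [
    {"EventID": 1, "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": r'powershell.exe -w hidden -ep bypass -c "iex (gc $env:TEMP\stage.ps1)"'},
    {"EventID": 1, "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r"powershell.exe -File C:\Scripts\backup.ps1"},  # benign admin script
    {"EventID": 3, "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "DestinationHostname": "api.dropboxapi.com", "DestinationPort": 443},
    {"EventID": 3, "Image": r"C:\Program Files\Mozilla Firefox\firefox.exe",
     "DestinationHostname": "api.dropboxapi.com", "DestinationPort": 443},  # expected browser use
]

# API hosts for the cloud services the advisory names as RokRAT C2 channels.
# These host patterns are assumptions for illustration, not IOCs from the advisory.
CLOUD_C2_HOSTS = re.compile(
    r"(dropboxapi\.com|pcloud\.com|graph\.microsoft\.com|onedrive\.live\.com|cloud-api\.yandex\.net)$",
    re.I)
# Staging from a temporary directory, as the advisory describes for the LNK chain.
TEMP_PATH = re.compile(r"(\$env:TEMP|%TEMP%|\\AppData\\Local\\Temp\\)", re.I)
# Common flags used to hide the console window or skip execution policy.
EVASION_FLAGS = re.compile(r"(-w(indowstyle)?\s+hidden|-e(nc|ncodedcommand)?\s|-e(p|xecutionpolicy)\s+bypass)", re.I)
BROWSERS = ("chrome.exe", "firefox.exe", "msedge.exe", "iexplore.exe")


def basename(path):
    """Lower-cased file name of a Windows path."""
    return path.rsplit("\\", 1)[-1].lower()


def detect(events):
    """Return (rule_name, event) pairs for events matching either RokRAT behaviour."""
    hits = []
    for ev in events:
        img = basename(ev.get("Image", ""))
        if ev["EventID"] == 1 and img == "powershell.exe":
            parent = basename(ev.get("ParentImage", ""))
            cmd = ev.get("CommandLine", "")
            # A double-clicked LNK is launched by explorer.exe; flag when the
            # resulting PowerShell stages from a temp path with evasion flags.
            if parent == "explorer.exe" and TEMP_PATH.search(cmd) and EVASION_FLAGS.search(cmd):
                hits.append(("lnk_powershell_temp_stager", ev))
        elif ev["EventID"] == 3 and img not in BROWSERS \
                and CLOUD_C2_HOSTS.search(ev.get("DestinationHostname", "")):
            # Cloud-storage API traffic from anything but a browser is worth review.
            hits.append(("cloud_storage_c2_non_browser", ev))
    return hits
```

Tune the browser allow-list and host patterns to the environment; legitimate sync clients (for example the Dropbox or OneDrive desktop agents) will also match the network rule and should be baselined rather than silently excluded.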

Impact

  • Information Theft and Espionage

Indicators of Compromise

Domain Name

  • jlrandsons.co.uk


Remediation

  • Block all threat indicators at your respective controls.
  • Search for indicators of compromise (IOCs) in your environment utilizing your respective security controls.
  • Do not download documents attached in emails from unknown sources and strictly refrain from enabling macros when the source isn’t reliable.
  • Enable antivirus and anti-malware software and update signature definitions promptly. Using multi-layered protection is necessary to secure vulnerable assets.
  • Along with network and system hardening, code hardening should be implemented within the organization so that its websites and software are secure. Use testing tools to detect any vulnerabilities in the deployed code.