Ricochet Chollima

Ricochet Chollima (also known as APT 37, Reaper, and ScarCruft) is a North Korean state backed hacker group group that is believed to have created sometime before 2016 and is typically involved in operations against financial institutions to generate assets for North Korea. But also conducts attacks on the industrial sector in other countries. CrowdStrike has stated that the group mainly attacks a variety of South Korean organizations and individuals, including academics, journalists, and North Korean defectors. But also stated the group has also engaged in attacks aganist Japan, Vietnam, Hong Kong, the Middle East, Russia, and the United States.[1][2][3] FireEye has called the group "the overlooked North Korean threat actor."[4]


The group is believed to have been founded sometime around 2012, according to FireEye.[4]

In January 2021 the group was found to be using a Trojan horse for a spear-phishing campaign that targeted the South Korean government.[5][6]

See alsoEdit


  1. ^ Meyers, Adam (2018-04-06). "STARDUST CHOLLIMA | Threat Actor Profile | CrowdStrike". Retrieved 2021-03-15.
  2. ^ Osborne, Charlie. "North Korean Reaper APT uses zero-day vulnerabilities to spy on governments". ZDNet. Retrieved 2021-03-15.
  3. ^ "Adversary: Ricochet Chollima - Threat Actor". Crowdstrike Adversary Universe. Retrieved 2022-02-04.
  4. ^ a b "APT37 (Reaper) The Overlooked North Korean Actor" (PDF). FireEye.{{cite web}}: CS1 maint: url-status (link)
  5. ^ "ALERT: North Korean hackers targeting South Korea with RokRat Trojan". The Hacker News. Retrieved 2021-03-15.
  6. ^ Team, Threat Intelligence (2021-01-06). "Retrohunting APT37: North Korean APT used VBA self decode technique to inject RokRat". Malwarebytes Labs. Retrieved 2021-03-15.