North Korea’s Cyber Army: How Pyongyang’s Hackers Operate

North Korea has begun a showy demilitarization, but the resources freed up are being spent on a different kind of warfare—cyberwarfare. It’s remarkable how, despite its information isolation, North Korea manages to carry out successful attacks on the infrastructure of more developed countries. In this article, we’ll break down the largest of these attacks and shed light on the activities of hacker groups funded by the DPRK government.

Strength in Numbers and Skill

Experts from ClearSky Cyber Security, FireEye, CrowdStrike, and NTT Security agree that the potential of North Korea’s cyber army is greatly underestimated. Currently, its size is estimated at 7,000 to 10,000 people—an order of magnitude more than serve in USCYBERCOM at Fort Meade. More precise data is hard to come by, as most North Korean hackers operate outside their home country.

Unlike ordinary citizens, who are doomed to spend their lives in the northern part of the peninsula, hackers are sent on “internships” and “business” trips abroad. Most are recruited from math students who agree to do the government’s dirty work for various reasons. Traditional ideological indoctrination doesn’t work well on young IT specialists, but the prospect of traveling abroad is very appealing. Some even dare to seek political asylum and not return home. For students, this is difficult (their families are essentially hostages), but their supervisors sometimes have nothing to lose. For example, math professor Kim Hyun Kwan, who defected to South Korea, still keeps in touch with some students and knows how their lives turned out.

INFO: This article uses both open sources and classified technical reports prepared for the US government by various expert groups in 2017–2019. Copies of the latter are distributed only among authorized personnel according to sections B and C of DoDI 5230.24. These documents were not meant to be public (let alone searchable), but I managed to find them using Google dorks in .mil and .gov domains, as well as “private” links in cloud storage. Thanks to everyone who values convenience over confidentiality!

APT37 (aka Reaper, Scarcruft, Group123)

This group became famous for using a wide range of exploits, including zero-day vulnerabilities now identified as CVE-2018-0802 and CVE-2018-4878. The latter’s widespread use was first discovered by South Korea’s KR-CERT, as APT37’s main targets were government and financial organizations in South Korea.

On February 1, 2018, Adobe acknowledged that Flash Player 28.0.0.137 and earlier versions contained a critical vulnerability that could theoretically allow full remote control on any operating system: Windows (including 10), Linux, macOS, and Chrome OS. However, real attacks were only observed on Windows users, who received phishing emails with maliciously modified documents containing embedded Flash objects.

Secondary targets included industrial facilities and healthcare institutions in Japan and Vietnam. This may have been a side effect of their chosen tactics rather than intentional targeting. Additionally, first-stage malware was spread via torrents.

Once on a victim’s computer, the malware sent requests to a range of IP addresses belonging to the STAR-KP network—a joint venture between North Korea’s Postal and Telecommunications Corporation and Thailand-based Loxley Pacific. The C&C servers used by APT37 were also registered in this network and physically located in Pyongyang.

Major APT37 attacks. Infographic: Cisco Talos Intelligence Group

Arsenal

Almost all APT37’s network attacks were multi-stage. Infected computers gradually developed an ecosystem of various malware tailored to the user’s specific software and vulnerabilities.

Typically, the first stage involved delivering GelCapsule or HappyWork via torrents, phishing emails, or compromised websites. These are Trojan-Downloaders that don’t perform malicious actions themselves but are ready to download and install other malware on command from the C&C server.

APT37’s downloader often used launchers like MilkDrop and SlowDrift, which were set to run at startup. MilkDrop appears to be an early experiment, while SlowDrift is a sophisticated backdoor that communicates with C&C servers via cloud infrastructure. It can execute a wide range of remote commands, including searching, sending, and deleting files, and can install additional malware.

Another backdoor frequently used (and possibly written) by APT37 is PoorAim. From 2014 to 2017, it was used in campaigns against South Korean media organizations and sites related to North Korean defectors. PoorAim collected system data and lists of running processes to find vulnerable components, sent screenshots and browser bookmarks, and used AIM (AOL Instant Messenger) to mask communications with C&C.

After AIM was shut down in April 2017, APT37 switched to other backdoors, notably DogCall and Karae, which used cloud service APIs (Box, Dropbox, Yandex) for covert C&C communication. Karae is unremarkable, but DogCall is advanced, able to detect virtual environments and resist code analysis. It was distributed as an encoded binary, decrypted on the victim’s computer by other malware, such as WineRack.

WineRack is a complex backdoor that collects user and host information, creates and terminates processes, and manipulates the file system and registry. It’s named for generating a reverse shell using statically linked Wine cmd code to emulate the Windows command line.

DogCall also includes keylogger components, recording keystrokes and taking screenshots to capture passwords entered via on-screen keyboards.

DogCall was discovered during investigations into attacks on South Korean government and military organizations in spring 2017. It might have gone unnoticed if APT37 hadn’t used another component at the final stage—a wiper called RUHappy.

RUHappy is perhaps the most notable malware in APT37’s arsenal. It was often found on compromised computers alongside DogCall, usually inactive. Analysis showed that, upon receiving a C&C command, RUHappy would delete part of the Master Boot Record (MBR) and reboot the computer, making the OS unbootable and displaying the message “Are You Happy?”—hence the wiper’s name. In reality, this rarely happened, as modern computers use EFI bootloaders and GPT partitioning, and there are tools to protect and quickly restore the MBR. So RUHappy caused little real harm but generated a lot of noise.

Speaking of noise, APT37 repeatedly used the eavesdropping utility SoundWave, which duplicated all microphone input data to a file in %TEMP%\HncDownload\*.log and sent it to STAR-KP in 100-minute chunks. The file name was the current date and time. Since the trojan didn’t perform destructive actions, it went unnoticed for a long time. A 2018 investigation showed it had been present on some systems since mid-2015.

Besides audio data, APT37 searched for and sent files of certain types from infected computers, mainly documents containing specific keywords. The CoralDeck trojan found these files, packed them into password-protected archives, and sent them via HTTP POST to North Korean servers. Initially, ZIP format was used, but APT37 later switched to WinRAR for its stronger password protection.
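A defender-side check for the CoralDeck exfiltration pattern described above, as an added example that is not code from the original article: it inspects captured HTTP POST bodies for ZIP or RAR magic, reads the ZIP local-header flag that marks password protection, and flags archive uploads that go to a host outside an approved list. The request format, the `MIN_BODY` threshold, the approved-host list and the sample traffic are all constructed for the example.

```python
import struct
ZIP_MAGIC = b"PK\x03\x04"
RAR4_MAGIC = b"Rar!\x1a\x07\x00"
RAR5_MAGIC = b"Rar!\x1a\x07\x01\x00"
MIN_BODY = 4096  # assumed: ignore POST bodies smaller than this

def archive_kind(body: bytes) -> str:
    """Identify an archive by its leading magic bytes; '' if not an archive."""
    if body.startswith(ZIP_MAGIC):
        return "zip"
    if body.startswith(RAR5_MAGIC):
        return "rar5"
    if body.startswith(RAR4_MAGIC):
        return "rar4"
    return ""

def zip_first_entry_encrypted(body: bytes) -> bool:
    """Bit 0 of the general-purpose flag in the first local file header marks encryption."""
    if len(body) < 8:
        return False
    return bool(struct.unpack_from("<H", body, 6)[0] & 0x0001)

def inspect_post(request: dict, allowed_hosts: set) -> dict:
    """Score one captured HTTP request: {host, method, body}."""
    body, kind, reasons = request["body"], archive_kind(request["body"]), []
    if request["method"] == "POST" and kind and len(body) >= MIN_BODY:
        reasons.append(f"{kind} archive in POST body")
        if kind == "zip" and zip_first_entry_encrypted(body):
            reasons.append("zip entry is password-protected")
        if request["host"] not in allowed_hosts:
            reasons.append("destination is not an approved upload host")
    # an archive upload alone is normal; archive plus encryption or an unknown host is not
    return {"host": request["host"], "suspicious": len(reasons) >= 2, "reasons": reasons}

def fake_zip(encrypted: bool, size: int = MIN_BODY) -> bytes:
    """Constructed ZIP-like body: a valid local header prefix padded to size."""
    flags = 0x0001 if encrypted else 0x0000
    return (ZIP_MAGIC + struct.pack("<HH", 20, flags)).ljust(size, b"\0")

SAMPLE_REQUESTS = [  # constructed traffic; 203.0.113.7 is a documentation address
    {"host": "files.corp.example", "method": "POST", "body": fake_zip(False)},
    {"host": "203.0.113.7", "method": "POST", "body": fake_zip(True)},
    {"host": "203.0.113.7", "method": "POST", "body": RAR5_MAGIC.ljust(MIN_BODY, b"\0")},
    {"host": "203.0.113.7", "method": "GET", "body": b""},
]
APPROVED_HOSTS = {"files.corp.example"}

def find_exfil(requests=SAMPLE_REQUESTS, allowed=APPROVED_HOSTS) -> list:
    return [r for r in (inspect_post(q, allowed) for q in requests) if r["suspicious"]]
```

RAR password protection is not checked here because RAR5 stores the encryption flag deeper in the header; for this example any RAR upload to an unapproved host is enough to alert.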

Another APT37 hallmark is frequent exploitation of vulnerabilities in the Hangul (HWP) word processor by South Korea’s Hancom. Exploits for HWP were used to quickly deploy SlowDrift as an alternative to the two-step infection with GelCapsule.

In May 2017, APT37 used a fake bank liquidation letter as phishing bait for a Middle Eastern financial company board member. The email contained a modified attachment exploiting CVE-2017-0199—a Microsoft Office vulnerability discovered less than a month before the attack. This allowed APT37 to deploy ShutterSpeed, a backdoor that collects system info, takes screenshots, sends data to North Korean servers, and executes arbitrary code remotely.

In addition to email spam, infections often came from hacked South Korean company and educational institution websites, which hosted RiceCurry—a JS profiler used to identify the victim’s OS, browser, and plugins. This info helped select specific vulnerabilities for delivering other malware.

Special mention goes to ZumKong—a trojan that steals saved passwords from IE and Chrome browsers. Stolen passwords were sent via HTTP POST to a mailbox registered on zmail.ru. Analysts initially suspected a “Russian connection,” but soon found that the droppers and related backdoors communicated with the familiar STAR-KP network, unrelated to Russia.

The use of exploits, especially zero-days, shows APT37’s high level, but it’s not the only hacker group working for the DPRK government.

APT38

Reading reports about this group, one can imagine the director of the National Intelligence Service summoning the heads of Unit 180 and Bureau 121, walking together to the Sixth Technical Bureau and Lab 110, and promoting distinguished APT37 hackers to APT38. In reality, these organizations do exist, but APT38 is just a label used by Western analysts for another major group (or coalition) of hackers acting in the DPRK’s interests, but not directly related to APT37.

One thing is certain: APT38 specializes in stealing money, focusing on the SWIFT interbank network and using its features in complex laundering schemes. APT38 is believed to have ties to Lazarus (based on shared tools and tactics), but there’s no evidence they are the same group.

To date, APT38 has attacked at least sixteen financial institutions in thirteen countries, including Mexico’s Bancomext (January 2018) and Chile’s Banco de Chile (May 2018). APT38’s main strategy is maintaining covert control of infected computers for long periods—on average, five months from infection to discovery, with a maximum of two years.

Another hallmark is aggressive evidence destruction when detected. APT38 malware often resides in memory, monitoring for forensic tools and blocking their use. On compromised machines, malicious components are not just deleted but overwritten along with logs, and file attributes (especially creation and last access dates) are changed.

To counter this, forensic experts had to disconnect suspicious machines and analyze offline dumps instead of active processes, making it much harder to trace network interactions and recover encryption keys. The malware code used anti-debugging and obfuscation at every step, with executables protected by Enigma, Themida (aka X-Protector), Obsidium, and VMProtect, plus module encryption with Spritz or AES. Instead of hours, analysis took months—by which time APT38’s criminal scheme had often changed. In short, the experts found a worthy adversary.

APT38 attack scheme on SWIFT. Infographic: FireEye

Arsenal

During reconnaissance, APT38 often uses the MapMaker scanner to request the OS’s table of open TCP IPv4 connections and log them.

APT38 is notable for its extensive use of passive backdoors, which simply wait for commands from other nodes in the target organization’s network, signaling successful infection and the start of the next phase. Some can switch to active mode.

CheeseTray is an advanced backdoor with proxy support. It connects to the C&C server using its own binary protocol, with the TCP port specified as a command-line parameter. CheeseTray can search for files by criteria, save lists of active processes, installed drivers, and running services, monitor remote desktop sessions, load additional malware, terminate interfering processes, and create a reverse shell—providing nearly full remote control.

APT38 also uses the unique fileless backdoor NestEgg, which exists only in RAM and thus evades offline analysis. In addition to typical file and process actions, it creates Windows firewall rules to allow incoming traffic on a specified port.

Besides custom malware, APT38 uses modified public tools like DarkComet (a powerful RAT with over 60 functions, including system info collection, registry key management, autorun modification, network scanning, process management, file uploads, and system reboot/shutdown) and the JspSpy web shell, whose code is available on GitHub.

APT38 forges banking transactions using DyePack—a set of malware that alters data in the SWIFT system, delivered covertly in encrypted form. The DyePack.Fox variant can also modify data in PDF files (such as auto-generated SWIFT operation reports).

INFO: In early 2019, a helpful hacker obtained DyePack samples, reverse-engineered them with IDA Pro and Ghidra, and posted the results on GitHub. Study, improve, enjoy!

To activate the payload, APT38 typically used the BlindToAd loader—a 64-bit DLL that loads an encrypted file from disk, decrypts it in memory, and executes it.

If detection was imminent, the CleanToAd tool was launched to cover tracks, deleting malicious files with CloseShave (which renames the file before deletion and overwrites its space with zeros). CleanToAd then clears Windows event logs and other logs, overwriting their creation and last access dates. It also injects shellcode into notepad.exe for quick re-infection. Sometimes, the BootWreck wiper is triggered, erasing the original MBR to prevent booting.
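Both RUHappy (APT37) and BootWreck (APT38) damage sector 0 to stop the machine from booting, so a sector-0 integrity check is a cheap detection for either. The following is an added example, not code from the article or from any of the reports it cites: it parses a 512-byte MBR image, recognises the protective MBR that every GPT disk still carries (so a "GPT disk" is not automatically safe from an MBR wiper), and reports a missing 0x55AA signature, a zeroed boot-code area, an empty partition table, or a mismatch against a known-good hash. The assumption that the "Are You Happy?" text would be found in the overwritten sector is the example's own, and the three sample sectors are constructed.

```python
import hashlib
import struct
MBR_SIZE = 512
BOOT_SIGNATURE = b"\x55\xAA"
GPT_PROTECTIVE = 0xEE           # partition type of the protective MBR on a GPT disk
WIPER_TEXT = b"Are You Happy?"  # assumed: the RUHappy message, looked for in sector 0

def parse_partitions(mbr: bytes) -> list:
    """Decode the four 16-byte entries of the classic MBR partition table."""
    parts = []
    for i in range(4):
        status, ptype, lba, count = struct.unpack_from("<B3xB3xII", mbr, 446 + 16 * i)
        parts.append({"bootable": status == 0x80, "type": ptype,
                      "lba_start": lba, "sectors": count})
    return parts

def assess_mbr(mbr: bytes, baseline_sha256: str = "") -> dict:
    """Classify a sector-0 image as intact, GPT-protective, or damaged."""
    if len(mbr) != MBR_SIZE:
        return {"intact": False, "gpt_protective": False, "findings": ["sector is not 512 bytes"]}
    parts = parse_partitions(mbr)
    gpt = any(p["type"] == GPT_PROTECTIVE for p in parts)
    findings = []
    if mbr[510:512] != BOOT_SIGNATURE:
        findings.append("boot signature 0x55AA missing")
    if not gpt and not any(mbr[:446]):
        findings.append("boot code region zeroed")  # a protective MBR may legitimately have none
    if not any(p["type"] for p in parts):
        findings.append("partition table empty")
    if WIPER_TEXT in mbr:
        findings.append("wiper message string present")
    digest = hashlib.sha256(mbr).hexdigest()
    if baseline_sha256 and digest != baseline_sha256:
        findings.append("differs from known-good baseline")
    return {"intact": not findings, "gpt_protective": gpt,
            "sha256": digest, "findings": findings}

def build_mbr(boot_code: bytes, partitions: list) -> bytes:
    """Assemble a constructed 512-byte sector for testing (not a real disk image)."""
    sector = bytearray(MBR_SIZE)
    sector[:len(boot_code)] = boot_code
    for i, (status, ptype, lba, count) in enumerate(partitions):
        struct.pack_into("<B3xB3xII", sector, 446 + 16 * i, status, ptype, lba, count)
    sector[510:512] = BOOT_SIGNATURE
    return bytes(sector)

# constructed samples: a legacy MBR, a GPT protective MBR, and a wiped sector
GOOD_MBR = build_mbr(b"\xEB\x63\x90" + b"\x90" * 40, [(0x80, 0x07, 2048, 204800)])
PROTECTIVE_MBR = build_mbr(b"", [(0x00, GPT_PROTECTIVE, 1, 0xFFFFFFFF)])
WIPED_MBR = WIPER_TEXT.ljust(446, b"\0") + b"\0" * 66
```

On a live system the input would come from reading the first 512 bytes of the physical disk with administrative rights, and the baseline hash from an earlier clean capture.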

In addition to SWIFT theft, APT38 engaged in extortion, using the Hermes ransomware trojan, which read disk partitions and launched a separate thread for each, quickly encrypting all user files with AES-256, deleting originals, and displaying a ransom note.

Each APT38 attack was unique, but their general lifecycle is as follows:

  1. Gather information on the victim organization’s SWIFT transaction mechanisms. APT38 never hacked SWIFT itself, instead targeting third-party software and conducting targeted phishing against SWIFT-access personnel.
  2. Penetrate via vulnerable components (most often outdated Apache Struts frameworks).
  3. Deploy malware for deep system scanning, credential harvesting, and network topology mapping.
  4. Launch fake servers for MitM attacks, gaining access to segmented internal systems and avoiding detection.
  5. Transfer funds. Using backdoors and reverse shells, fake transactions are sent and their history altered to fool SWIFT. Funds are usually transferred in small amounts (below security thresholds) to banks in various countries, then moved through others until the trail is lost. By the time of investigation, some intermediary banks often no longer exist.
  6. Destroy evidence (triggered only if countermeasures or security scans are detected).
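Step 5 above, the split of stolen funds into sub-threshold transfers fanned out to banks in several countries, is also the step a bank's own monitoring can catch. The following is an added detection example, not code from the article or from any bank or SWIFT tooling: it groups transfers by source account, keeps only amounts just under a review threshold, and alerts when a burst of them within a short window goes to more than one destination country. The threshold, band, window, record layout and sample transfers are all assumptions constructed for the example.

```python
from collections import defaultdict
from datetime import datetime, timedelta

THRESHOLD = 10_000.0          # assumed per-transfer review threshold
BAND = 0.10                   # amounts within 10% below the threshold count as "just under"
WINDOW = timedelta(hours=6)   # assumed burst window
MIN_TRANSFERS, MIN_COUNTRIES = 3, 2

def parse_ts(s: str) -> datetime:
    return datetime.strptime(s, "%Y-%m-%d %H:%M")

def just_below_threshold(amount: float) -> bool:
    return THRESHOLD * (1 - BAND) <= amount < THRESHOLD

def find_structuring(transfers: list) -> list:
    """Alert on source accounts that burst sub-threshold transfers to several countries."""
    by_source = defaultdict(list)
    for t in transfers:
        if just_below_threshold(t["amount"]):
            by_source[t["source"]].append(t)
    alerts = []
    for source, txs in by_source.items():
        txs.sort(key=lambda t: parse_ts(t["time"]))
        for i, first in enumerate(txs):
            start = parse_ts(first["time"])
            burst = [t for t in txs[i:] if parse_ts(t["time"]) - start <= WINDOW]
            countries = {t["dest_country"] for t in burst}
            if len(burst) >= MIN_TRANSFERS and len(countries) >= MIN_COUNTRIES:
                alerts.append({"source": source, "count": len(burst),
                               "countries": sorted(countries),
                               "total": round(sum(t["amount"] for t in burst), 2)})
                break  # one alert per source is enough to open a case
    return alerts

SAMPLE_TRANSFERS = [  # constructed records; country codes are from the user-assigned range
    {"source": "ACC-1", "time": "2019-03-02 01:10", "amount": 9_800, "dest_country": "AA"},
    {"source": "ACC-1", "time": "2019-03-02 01:25", "amount": 9_650, "dest_country": "QM"},
    {"source": "ACC-1", "time": "2019-03-02 02:05", "amount": 9_900, "dest_country": "XZ"},
    {"source": "ACC-1", "time": "2019-03-02 03:40", "amount": 9_700, "dest_country": "AA"},
    {"source": "ACC-2", "time": "2019-03-02 09:00", "amount": 25_000, "dest_country": "QM"},
    {"source": "ACC-3", "time": "2019-03-01 10:00", "amount": 9_950, "dest_country": "AA"},
    {"source": "ACC-3", "time": "2019-03-02 10:00", "amount": 9_950, "dest_country": "AA"},
]
```

ACC-2 is a single large transfer and ACC-3 repeats a sub-threshold amount to one country a day apart, so only ACC-1 should alert; in practice the threshold and window come from the institution's own policy.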

It seems North Korea has long viewed its cyber army as a source of income. DPRK government hackers became self-sustaining back when they were stealing from South Korean, Chinese, and Japanese gamers, reselling stolen accounts and cashing out in-game currency for real won and dollars.

A few years ago, the stakes rose. The main targets became SWIFT, cryptocurrency exchanges, and major bitcoin investors. The hacks of Japan’s Coincheck in 2018 and South Korea’s Youbit a year earlier both trace back to Pyongyang, with over $559 million stolen from just these two exchanges.

Social engineering remains the main method for mass attacks. Vulnerabilities get patched, technologies change, but people don’t. In 2017, North Koreans began massively registering Facebook accounts, which was surprising in itself. Comparing profiles revealed they were all nearly identical. Thousands of fake “crypto investors from the US and Europe” befriended real ones, then sent them infected documents under various pretexts; the malware grabbed wallet.dat from its default location and captured the wallet password as it was typed.

By this point, the hackers had already learned through conversation which wallet the victim used. Asking directly would raise suspicion, but asking for a recommendation encouraged further discussion. People are most likely to recommend what they use themselves. For more on APT38’s evolution and techniques, see the article “North Korean-Style Hacking.”

Conclusions

Government-backed hackers are the norm in any modern state. How else can you wage undeclared wars and defend national interests behind the scenes? North Korea stands out both in its goals and its methods. While government hackers in developed countries mainly gather intelligence, and China focuses on stealing promising technologies, for North Korea, its cyber army has become a significant source of income—especially under sanctions pressure. A recent US Department of Justice report states: “…despite measures taken and international cooperation in the banking sector, APT38’s activities still pose a threat to the SWIFT system and financial institutions worldwide.”
