Cyber Threat Actor: APT37
| Actor Type | Location | Known Incidents |
Nation State
|
North Korea
|
3 incidents |
|---|
Profile
The threat actor is known by multiple aliases including Void Dokkaebi, ScarCruft, No Nuclear Power, Reaper, APT37 and Temp.Reaper. Public reporting links the actor to North Korea, indicating a state‑nexiated origin. The aliases have appeared in threat intelligence feeds and in incident reports attributed to the same group. The actor’s location is consistently described as North Korea in open sources. This attribution is supported by technical tracing of command‑and‑control infrastructure to networks near the North Korean border.
The actor has targeted nuclear energy facilities in South Korea and Brazil, as well as software developers through fake job interview schemes. In the 2015 intrusion against Korea Hydro and Nuclear Power, the group demanded the shutdown of reactors, threatened destruction and sought monetary compensation while claiming activist motives. The 2021 ransomware incident against a Brazilian nuclear subsidiary was described as a financial extortion attempt that affected only administrative systems. The group’s tooling includes the Kimsuky malware family, large‑scale phishing campaigns and malicious Visual Studio Code tasks that execute when a project is opened. Additional tactics observed in the 2026 campaign involve cloning repositories with harmful VS Code configurations, using commit‑tampering tools to hide the .vscode folder and turning each compromised repository into a self‑propagating vector for remote access Trojans.
Representative operations include the 2015 KHNP data theft, the 2021 ransomware on the Brazilian nuclear unit and the 2026 fake‑job interview supply‑chain attack that impacted companies such as DataStax and Neutralinojs. These incidents demonstrate a pattern of targeting critical infrastructure and software supply chains to achieve espionage, financial gain and disruption. The actor’s repeated use of social engineering, malicious code injection and repository manipulation shows a consistent approach to initial access and persistence. Attribution to North Korea remains the only publicly stated link, with no indication of criminal‑consortium involvement. The actor continues to adapt its methods while maintaining a focus on high‑value targets.
