Threat Actor Profile

Ricochet Chollima

Ricochet Chollima, also known as APT37, is a North Korean-linked threat actor believed to have emerged in 2012. This group is known for its cyber espionage operations targeting media, research, and public sectors globally. Their methods include phishing, malware deployment, and exploitation of Android vulnerabilities, making them a persistent and stealthy threat in the cybersecurity landscape.


Country of Origin

Ricochet Chollima is attributed to North Korea, as supported by intelligence reports linking the group to the country’s government-backed cyber operations. Their actions align with North Korea’s strategic interests in espionage and international disruption.

Members

The exact size of Ricochet Chollima remains unclear. The group operates under aliases, and it is assumed they consist of highly trained operatives specializing in advanced cyberattack techniques.

Leadership

The specific leadership behind Ricochet Chollima remains unknown. However, it is believed that their operations are state-sponsored and likely coordinated by North Korea’s cyber warfare divisions, such as the Reconnaissance General Bureau (RGB).

Ricochet Chollima TTPs

Tactics

Ricochet Chollima is focused on cyber espionage to gather intelligence from critical sectors like media, government, and human rights organizations. They engage in disruption of targeted systems to promote strategic or political goals in sync with North Korea’s interests.

Techniques

Ricochet Chollima techniques include:

  • Advanced phishing campaigns, targeting specific individuals with malicious email payloads.

  • Development and deployment of spyware like Kospy, designed to infect Android devices for surveillance purposes.

  • Exploitation of zero-day vulnerabilities to infiltrate systems undetected.

Procedures

Ricochet Chollima procedures include:

  1. Leveraging spear phishing emails with malicious attachments or links.

  2. Utilizing malware variants such as Dolphin and Pegasus tied to Android spyware campaigns.

  3. Sustained surveillance and data exfiltration operations post-infiltration.

Notable Cyberattacks

  • Phishing Campaign (2019): Targeted South Korean journalists with malicious Android spyware.

  • Global NGO Espionage (2020): Conducted cyber espionage on high-profile activists and NGOs.

  • Zero-Day Exploit Campaign (2022): Exploited vulnerabilities in Windows systems to breach international institutions.


Law Enforcement & Arrests

While no public arrests tied directly to Ricochet Chollima have been reported, global cybersecurity efforts continue to monitor, attribute, and respond to the group’s campaigns. Collaborations between private organizations and international law enforcement agencies aim to disrupt their operations and enhance collective defense.

How to Defend Against Ricochet Chollima

  1. Leverage endpoint protection tools to detect and mitigate spyware like Kospy and Dolphin.

  2. Implement strong email filtering systems to prevent phishing attempts.

  3. Regularly update and patch systems to address software vulnerabilities.

  4. Use Huntress detection tools to monitor suspicious activity.
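The email filtering step above is the one control on this list that is easy to show concretely. The following is an added example, not code from Huntress or from this profile: a small rule-based scorer of the kind an inbound mail gateway applies to spear-phishing lures that carry malicious attachments or links. The sample messages, the internal domain example.org, the rule weights and the quarantine threshold are all constructed assumptions for the illustration.

```python
"""
Added example (not from the Huntress profile): a rule-based scorer for
inbound e-mail metadata, illustrating checks an email filtering layer
applies to spear-phishing lures with malicious attachments or links.
All sample messages are constructed; domains, weights and the threshold
are assumptions, not values from the page.
"""
import re
from email.utils import parseaddr

# Attachment types a lure commonly carries. Illustrative list, not a full policy.
RISKY_EXTENSIONS = {".exe", ".scr", ".js", ".vbs", ".hta", ".lnk", ".iso", ".apk"}
# Double extensions such as report.pdf.exe that disguise an executable.
DOUBLE_EXT = re.compile(r"\.(pdf|docx?|xlsx?|jpg|png|txt)\.[a-z0-9]{2,4}$", re.I)
INTERNAL_DOMAIN = "example.org"  # assumption: the defended organisation's domain
THRESHOLD = 4                     # assumption: score at which the gateway quarantines


def _domain(addr: str) -> str:
    """Return the lower-cased domain part of an RFC 5322 address, or ''."""
    _, email = parseaddr(addr)
    return email.rsplit("@", 1)[-1].lower() if "@" in email else ""


def score_message(msg: dict) -> tuple[int, list[str]]:
    """Score one message; returns (score, reasons). Higher is more suspicious."""
    score, reasons = 0, []
    from_dom = _domain(msg.get("from", ""))
    reply_dom = _domain(msg.get("reply_to", "")) or from_dom

    # Reply-To pointing at a different domain than From is a classic lure trait.
    if reply_dom != from_dom:
        score += 2
        reasons.append(f"reply-to domain {reply_dom} != from domain {from_dom}")

    # Display name claims to be internal while the address is external.
    display, _ = parseaddr(msg.get("from", ""))
    if INTERNAL_DOMAIN in display.lower() and from_dom != INTERNAL_DOMAIN:
        score += 2
        reasons.append("display name impersonates internal domain")

    # Attachment checks: risky extension or a double extension.
    for name in msg.get("attachments", []):
        lower = name.lower()
        if any(lower.endswith(ext) for ext in RISKY_EXTENSIONS):
            score += 3
            reasons.append(f"risky attachment type: {name}")
        if DOUBLE_EXT.search(lower):
            score += 2
            reasons.append(f"double extension: {name}")

    # Links whose visible text names one host but point at another.
    for text, href in msg.get("links", []):
        shown = re.sub(r"^https?://", "", text).split("/")[0].lower()
        target = re.sub(r"^https?://", "", href).split("/")[0].lower()
        if shown and "." in shown and shown != target:
            score += 2
            reasons.append(f"link text {shown} hides target {target}")

    return score, reasons


def triage(messages: list[dict]) -> dict:
    """Map message id to 'quarantine' or 'deliver' using the threshold."""
    return {m["id"]: ("quarantine" if score_message(m)[0] >= THRESHOLD else "deliver")
            for m in messages}


# Constructed sample messages (not real mail) for demonstration.
SAMPLES = [
    {"id": "m1", "from": "HR example.org <hr-update@mail-notice.test>", "reply_to": "",
     "attachments": ["policy.pdf.exe"], "links": []},
    {"id": "m2", "from": "Alice <alice@example.org>", "reply_to": "",
     "attachments": ["agenda.docx"],
     "links": [("https://example.org/wiki", "https://example.org/wiki")]},
    {"id": "m3", "from": "news@press.test", "reply_to": "editor@other.test",
     "attachments": [],
     "links": [("https://news.test/story", "https://login.other.test/x")]},
]

if __name__ == "__main__":
    for m in SAMPLES:
        print(m["id"], score_message(m))
    print(triage(SAMPLES))
```

Running the block quarantines m1 (impersonating display name plus a double-extension executable) and m3 (Reply-To mismatch plus a deceptive link) while delivering the benign internal message m2. In a real gateway these rules would sit beside sender authentication (SPF, DKIM, DMARC) and attachment detonation rather than replace them; the point here is that each indicator is cheap to compute from headers alone.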

Huntress solutions help protect organizations by monitoring endpoints, detecting intrusions, and mitigating threats with enterprise-grade technology.

