North Korea-linked threat group APT37, also known as ScarCruft, Red Eyes, Erebus, and Reaper, has been behind highly targeted attacks using the Dolphin backdoor, which has evolved into more advanced versions since it was first identified in April 2021, according to BleepingComputer.
ESET researchers discovered that Dolphin, which uses Google Drive both as its command-and-control server and as storage for stolen files and modifies the Windows registry for persistence, has been deployed alongside the BLUELIGHT reconnaissance tool, which is used to drop the backdoor's Python loader.
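The two behaviours the report pairs, registry persistence and Google Drive traffic, are more telling together than apart: plenty of software writes an autorun key, and browsers talk to Google all day, but a freshly dropped executable that does both is worth a look. The following Python is an added hunting example written for this page; it is not ESET's or BleepingComputer's code and not Dolphin itself. The Sysmon-style events are constructed, and the autorun key list, the Google API host list and the browser allowlist are assumptions, since the article names neither the registry key nor the API endpoints Dolphin uses.

```python
"""Correlate Sysmon-style events per process: autorun registry persistence
(EventID 13, registry value set) plus Google Drive API traffic from a process
that is not a browser or the Drive client (EventID 3, network connection).
All log lines below are constructed for this example."""
import json
from collections import defaultdict

# Assumption: generic autostart locations; the article does not name Dolphin's key.
AUTORUN_KEY_FRAGMENTS = (
    "\\Microsoft\\Windows\\CurrentVersion\\Run",
    "\\Microsoft\\Windows\\CurrentVersion\\RunOnce",
)
# Assumption: hosts a Google Drive API client would contact.
DRIVE_HOSTS = {"www.googleapis.com", "drive.google.com", "oauth2.googleapis.com"}
# Assumption: images expected to reach Google Drive on a typical workstation.
ALLOWLISTED_IMAGES = {"chrome.exe", "msedge.exe", "firefox.exe", "googledrivefs.exe"}

# Constructed newline-delimited JSON resembling Sysmon fields (raw string, so
# the doubled backslashes are JSON escapes, not Python ones).
SAMPLE_EVENTS = r"""
{"EventID": 13, "ProcessGuid": "{A1}", "Image": "C:\\Users\\alice\\AppData\\Local\\Temp\\update.exe", "TargetObject": "HKU\\S-1-5-21-1\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\Updater", "Details": "C:\\Users\\alice\\AppData\\Local\\Temp\\update.exe"}
{"EventID": 3, "ProcessGuid": "{A1}", "Image": "C:\\Users\\alice\\AppData\\Local\\Temp\\update.exe", "DestinationHostname": "www.googleapis.com", "DestinationPort": 443}
{"EventID": 3, "ProcessGuid": "{B2}", "Image": "C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe", "DestinationHostname": "drive.google.com", "DestinationPort": 443}
{"EventID": 3, "ProcessGuid": "{C3}", "Image": "C:\\Windows\\System32\\svchost.exe", "DestinationHostname": "update.microsoft.com", "DestinationPort": 443}
{"EventID": 13, "ProcessGuid": "{D4}", "Image": "C:\\Users\\alice\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe", "TargetObject": "HKU\\S-1-5-21-1\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\OneDrive", "Details": "C:\\Users\\alice\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe"}
{"EventID": 3, "ProcessGuid": "{E5}", "Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", "DestinationHostname": "www.googleapis.com", "DestinationPort": 443}
"""


def parse_events(text):
    """Parse newline-delimited JSON, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def image_name(path):
    """Return the lower-cased file name of a Windows image path."""
    return path.rsplit("\\", 1)[-1].lower()


def correlate(events):
    """Collect indicators per ProcessGuid and rate the combination.

    Returns {guid: {"image": name, "severity": "high"|"medium", "indicators": [...]}}
    for every process that triggered at least one indicator.
    """
    indicators = defaultdict(set)
    images = {}
    for ev in events:
        guid = ev["ProcessGuid"]
        images[guid] = image_name(ev["Image"])
        if ev["EventID"] == 13:
            target = ev.get("TargetObject", "").lower()
            if any(frag.lower() in target for frag in AUTORUN_KEY_FRAGMENTS):
                indicators[guid].add("autorun_persistence")
        elif ev["EventID"] == 3:
            host = ev.get("DestinationHostname", "").lower()
            if host in DRIVE_HOSTS and images[guid] not in ALLOWLISTED_IMAGES:
                indicators[guid].add("drive_api_from_unexpected_process")
    findings = {}
    for guid, flags in indicators.items():
        # Both indicators on one process is the chain the report describes.
        severity = "high" if len(flags) == 2 else "medium"
        findings[guid] = {"image": images[guid], "severity": severity,
                          "indicators": sorted(flags)}
    return findings


def hunt(text=SAMPLE_EVENTS):
    """Run the correlation over a log text and return the findings."""
    return correlate(parse_events(text))


if __name__ == "__main__":
    for guid, f in sorted(hunt().items(), key=lambda kv: kv[1]["severity"]):
        print(f"{f['severity']:6} {guid} {f['image']}: {', '.join(f['indicators'])}")
```

On the constructed input, only `update.exe` scores high; OneDrive's autorun entry and PowerShell's Google API call each surface as medium, which is where an analyst would decide whether the allowlist needs a local entry. Against real telemetry, feed the function the same fields from your Sysmon or EDR export and tune the two lists to what is normal on your estate.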
On machines infected with Dolphin, the backdoor collected and exfiltrated the username, computer name, installed security software, local and external IP addresses, RAM size and usage, whether debugging or network packet inspection tools were present, and the operating system version.
The report also showed that Dolphin can scan local and removable drives and exfiltrate various files from them.
Files on mobile phones connected to compromised devices could also be stolen by the backdoor through the Windows Portable Devices (WPD) API.