APT37/Geumseong121: A Microsoft operation in December 2019 took down 50 websites known to be affiliated with the North Korean threat group APT37. Researchers at the South Korea-based security company ESTsecurity Response Center (ESRC) report that they have now found a new campaign, which started in March 2020 and which they attribute to APT37. The researchers named the campaign "Operation Spy Cloud" because it uses popular cloud services such as Google Drive and PickCloud to disguise the malware's network communication, blending it in with legitimate traffic to evade detection by security teams. The campaign targeted individuals with spear-phishing emails that enticed victims to click links promising information about North Korean refugees. The links actually lead to malicious document and spreadsheet files (.doc, .xls and .hwp, the latter being a word-processor format used by the Korean government), which use Visual Basic for Applications (VBA) macros to install malware on the victim's computer. The malware connects to its Command and Control (C2) server via Google Drive and attempts to upload system information to PickCloud. Once this is done, APT37 is able to install additional backdoors.
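As an added illustration for defenders (not code from the original report), the following Python check runs over constructed, simplified process-creation and network-connection events and flags a connection to consumer cloud storage made by a process spawned from Word, Excel or Hwp, which is the macro-to-Google-Drive chain described above. The event shape, the host list and the ten-minute window are assumptions; PickCloud's domain is not given in the report, so only Google hosts are listed.

```python
"""Hunt for the Operation Spy Cloud pattern: an Office/HWP document
spawns a child process, and that child soon talks to cloud storage.
Events below are CONSTRUCTED samples in an assumed, Sysmon-like shape."""
from datetime import datetime, timedelta

OFFICE_PARENTS = {"winword.exe", "excel.exe", "hwp.exe"}
# Cloud hosts the report names as C2 transport; extend with PickCloud's
# domain from your own intel (not stated in the report, so not guessed here).
CLOUD_HOSTS = {"drive.google.com", "docs.google.com", "www.googleapis.com"}
WINDOW = timedelta(minutes=10)  # assumed correlation window

# Constructed sample events: one benign browser upload, one macro child
# reaching Google Drive, and one macro child that connects too late.
SAMPLE_EVENTS = [
    {"time": "2020-03-10T09:00:00", "event": "process_create", "pid": 4120,
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "parent_image": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE"},
    {"time": "2020-03-10T09:00:10", "event": "process_create", "pid": 5000,
     "image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "parent_image": r"C:\Windows\explorer.exe"},
    {"time": "2020-03-10T09:00:20", "event": "network_connect", "pid": 5000,
     "dest_host": "drive.google.com"},
    {"time": "2020-03-10T09:00:30", "event": "network_connect", "pid": 4120,
     "dest_host": "drive.google.com"},
    {"time": "2020-03-10T09:00:40", "event": "process_create", "pid": 6001,
     "image": r"C:\Windows\System32\wscript.exe",
     "parent_image": r"C:\Program Files\Hnc\Hwp.exe"},
    {"time": "2020-03-10T09:40:00", "event": "network_connect", "pid": 6001,
     "dest_host": "www.googleapis.com"},
]

def basename(path):
    """Lower-cased file name of a Windows path."""
    return path.rsplit("\\", 1)[-1].lower()

def find_cloud_c2_after_macro(events):
    """Return alerts for cloud connections by a process spawned from an
    Office/HWP parent within WINDOW. PID reuse is ignored for brevity."""
    spawned = {}  # pid -> (child image, parent image, spawn time)
    alerts = []
    for ev in sorted(events, key=lambda e: e["time"]):
        t = datetime.fromisoformat(ev["time"])
        if ev["event"] == "process_create" and basename(ev["parent_image"]) in OFFICE_PARENTS:
            spawned[ev["pid"]] = (basename(ev["image"]), basename(ev["parent_image"]), t)
        elif ev["event"] == "network_connect" and ev["pid"] in spawned:
            image, parent, t0 = spawned[ev["pid"]]
            host = ev["dest_host"].lower()
            if host in CLOUD_HOSTS and t - t0 <= WINDOW:
                alerts.append({"pid": ev["pid"], "image": image, "parent": parent, "host": host})
    return alerts

if __name__ == "__main__":
    for a in find_cloud_c2_after_macro(SAMPLE_EVENTS):
        print(f"ALERT pid={a['pid']} {a['parent']} -> {a['image']} -> {a['host']}")
```

The browser's own Google Drive traffic is not flagged because its parent is not an Office application, and the late wscript.exe connection falls outside the window; tune the window and host list to your environment.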