APT37 Abuses Google Drive Using Dynamic Dolphin Malware
North Korea-linked APT37, aka ScarCruft, was found leveraging a previously undocumented backdoor, named Dolphin, against South Korean entities. The latest discovery links back to a watering-hole attack in 2021 on a South Korean online newspaper reporting on activity and events related to North Korea. So far, four variants of the Dolphin backdoor have been detected, versions 1.9 through 3.0 (86/64-bit). Commands are frequently added, removed, or improved in each variant.