{
	"id": "dfa2236b-e6d1-4e7c-888a-426d0ce32408",
	"created_at": "2026-04-06T00:16:19.898884Z",
	"updated_at": "2026-04-10T13:12:58.882789Z",
	"deleted_at": null,
	"sha1_hash": "029bf6b2c39eb2f383430ff91aff23e1ad7168a3",
	"title": "TraderTraitor: North Korean State-Sponsored APT Targets Blockchain Companies | CISA",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 117398,
	"plain_text": "TraderTraitor: North Korean State-Sponsored APT Targets Blockchain\r\nCompanies | CISA\r\nPublished: 2022-04-20 · Archived: 2026-04-05 16:39:52 UTC\r\nSummary\r\nActions to take today to mitigate cyber threats to cryptocurrency:\r\n• Patch all systems.\r\n• Prioritize patching known exploited vulnerabilities.\r\n• Train users to recognize and report phishing attempts.\r\n• Use multifactor authentication.\r\nThe Federal Bureau of Investigation (FBI), the Cybersecurity and Infrastructure Security Agency (CISA), and the U.S.\r\nTreasury Department (Treasury) are issuing this joint Cybersecurity Advisory (CSA) to highlight the cyber threat associated\r\nwith cryptocurrency thefts and tactics used by a North Korean state-sponsored advanced persistent threat (APT) group since\r\nat least 2020. This group is commonly tracked by the cybersecurity industry as Lazarus Group, APT38, BlueNoroff, and\r\nStardust Chollima. For more information on North Korean state-sponsored malicious cyber activity, visit https://www.us-cert.cisa.gov/northkorea.\r\nThe U.S. government has observed North Korean cyber actors targeting a variety of organizations in the blockchain\r\ntechnology and cryptocurrency industry, including cryptocurrency exchanges, decentralized finance (DeFi) protocols, play-to-earn cryptocurrency video games, cryptocurrency trading companies, venture capital funds investing in cryptocurrency,\r\nand individual holders of large amounts of cryptocurrency or valuable non-fungible tokens (NFTs). The activity described in\r\nthis advisory involves social engineering of victims using a variety of communication platforms to encourage individuals to\r\ndownload trojanized cryptocurrency applications on Windows or macOS operating systems. The cyber actors then use the\r\napplications to gain access to the victim’s computer, propagate malware across the victim’s network environment, and steal\r\nprivate keys or exploit other security gaps. 
These activities enable additional follow-on activities that initiate fraudulent\r\nblockchain transactions.\r\nThe U.S. government previously published an advisory about North Korean state-sponsored cyber actors using AppleJeus\r\nmalware to steal cryptocurrency: AppleJeus: Analysis of North Korea’s Cryptocurrency Malware. The U.S. government has\r\nalso previously published advisories about North Korean state-sponsored cyber actors stealing money from banks using\r\ncustom malware:\r\nHIDDEN COBRA – FASTCash Campaign\r\nFASTCash 2.0: North Korea’s BeagleBoyz Robbing Banks\r\nThis advisory provides information on tactics, techniques, and procedures (TTPs) and indicators of compromise (IOCs) to\r\nstakeholders in the blockchain technology and cryptocurrency industry to help them identify and mitigate cyber threats\r\nagainst cryptocurrency.\r\nTechnical Details\r\nThreat Update\r\nThe U.S. government has identified a group of North Korean state-sponsored malicious cyber actors using tactics similar to\r\nthe previously identified Lazarus Group (see AppleJeus: Analysis of North Korea’s Cryptocurrency Malware). The Lazarus\r\nGroup used AppleJeus trojanized cryptocurrency applications targeting individuals and companies—including\r\ncryptocurrency exchanges and financial services companies—through the dissemination of cryptocurrency trading\r\nhttps://www.cisa.gov/news-events/cybersecurity-advisories/aa22-108a\r\nPage 1 of 9\n\napplications that were modified to include malware that facilitates theft of cryptocurrency. As of April 2022, North Korea’s\r\nLazarus Group actors have targeted various firms, entities, and exchanges in the blockchain and cryptocurrency industry\r\nusing spearphishing campaigns and malware to steal cryptocurrency. 
These actors will likely continue exploiting\r\nvulnerabilities of cryptocurrency technology firms, gaming companies, and exchanges to generate and launder funds to\r\nsupport the North Korean regime.\r\nTactics, Techniques and Procedures\r\nIntrusions begin with a large number of spearphishing messages sent to employees of cryptocurrency companies—often\r\nworking in system administration or software development/IT operations (DevOps)—on a variety of communication\r\nplatforms. The messages often mimic a recruitment effort and offer high-paying jobs to entice the recipients to download\r\nmalware-laced cryptocurrency applications, which the U.S. government refers to as \"TraderTraitor.\"\r\nThe term TraderTraitor describes a series of malicious applications written using cross-platform JavaScript code with the\r\nNode.js runtime environment using the Electron framework. The malicious applications are derived from a variety of open-source projects and purport to be cryptocurrency trading or price prediction tools. TraderTraitor campaigns feature websites\r\nwith modern design advertising the alleged features of the applications (see figure 1).\r\nFigure 1: Screenshot of CryptAIS website\r\nThe JavaScript code providing the core functions of the software is bundled with Webpack. Within the code is a function\r\nthat purports to be an “update,” with a name such as UpdateCheckSync(), that downloads and executes a malicious payload\r\n(see figure 2).\r\nThe update function makes an HTTP POST request to a PHP script hosted on the TraderTraitor project’s domain at either the\r\nendpoint /update/ or /oath/checkupdate.php. In recent variants, the server’s response is parsed as a JSON document\r\nwith a key-value pair, where the key is used as an AES 256 encryption key in Cipher Block Chaining (CBC) or Counter\r\n(CTR) mode to decrypt the value. 
The decrypted data is written as a file to the system’s temporary directory, as provided by\r\nthe os.tmpdir() method of Node.js, and executed using the child_process.exec() method of Node.js, which spawns a\r\nshell as a child process of the current Electron application. The text “Update Finished” is then logged to the shell for the user\r\nto see.\r\nObserved payloads include updated macOS and Windows variants of Manuscrypt, a custom remote access trojan (RAT), that\r\ncollects system information and has the ability to execute arbitrary commands and download additional payloads (see North\r\nKorean Remote Access Tool: COPPERHEDGE). Post-compromise activity is tailored specifically to the victim’s\r\nenvironment and at times has been completed within a week of the initial intrusion.  \r\nFigure 2: Screenshot depicting the UpdateCheckSync() and supporting functions bundled within\r\n60b3cfe2ec3100caf4afde734cfd5147f78acf58ab17d4480196831db4aa5f18 associated with DAFOM\r\nIndicators of Compromise\r\nDAFOM\r\nDAFOM purports to be a “cryptocurrency portfolio application.” A Mach-O binary packaged within the Electron application\r\nwas signed by an Apple digital signature issued for the Apple Developer Team W58CYKFH67. The certificate associated\r\nwith Apple Developer Team W58CYKFH67 has been revoked. A metadata file packaged in the DAFOM application\r\nprovided the URL hxxps://github[.]com/dafomdev for bug reports. 
As of April 2022, this page was unavailable.\r\ndafom[.]dev\r\nInformation as of February 2022:\r\nIP Address: 45.14.227[.]58\r\nRegistrar: NameCheap, Inc.\r\nCreated: February 7, 2022\r\nExpires: February 7, 2023\r\n60b3cfe2ec3100caf4afde734cfd5147f78acf58ab17d4480196831db4aa5f18\r\nTags: dropper macos\r\nName: DAFOM-1.0.0.dmg\r\nSize: 87.91 MB (92182575 bytes)\r\nMD5: c2ea5011a91cd59d0396eb4fa8da7d21\r\nSHA-1: b2d9ca7b6d1bbbe4864ea11dfca343b7e15597d8\r\nSHA-256: 60b3cfe2ec3100caf4afde734cfd5147f78acf58ab17d4480196831db4aa5f18\r\nssdeep: 1572864:LGLBnolF9kPEiKOabR2QEs1B1/LuUQrbecE6Xwijkca/pzpfaLtIP:LGVnoT9kPZK9tVEwBxWbecR5Faxzpf0M\r\nTokenAIS\r\nTokenAIS purports to help “build a portfolio of AI-based trading” for cryptocurrencies. Mach-O binaries packaged within\r\nthe Electron application contained an Apple digital signature issued for the Apple Developer Team RN4BTXA4SA. The\r\ncertificate associated with Apple Developer Team RN4BTXA4SA has been revoked. The application requires users to\r\n“register” an account by entering an email address and a password to use its features. The malicious TraderTraitor code is a\r\nNode.js function called UpdateCheckSync() located in a file named update.js, which is bundled in a file called\r\nrenderer.prod.js, which is in an archive called app.asar. 
This function passes the email address that the user provided\r\nand the system platform to the C2 server, decrypts the response using AES 256 in CBC mode with the hardcoded\r\ninitialization vector (IV) !@34QWer%^78TYui and a key provided in the response, then writes the decrypted data to a file and\r\nexecutes it in a new shell.\r\ntokenais[.]com\r\nInformation as of January 2022:\r\nIP Address: 199.188.103[.]115\r\nRegistrar: NameCheap, Inc.\r\nCreated: January 27, 2022\r\nExpires: January 27, 2023\r\n5b40b73934c1583144f41d8463e227529fa7157e26e6012babd062e3fd7e0b03\r\nTags: dropper macos\r\nName: TokenAIS.app.zip\r\nSize: 118.00 MB (123728267 bytes)\r\nMD5: 930f6f729e5c4d5fb52189338e549e5e\r\nSHA-1: 8e67006585e49f51db96604487138e688df732d3\r\nSHA-256: 5b40b73934c1583144f41d8463e227529fa7157e26e6012babd062e3fd7e0b03\r\nssdeep: 3145728:aMFJlKVvw4+zLruAsHrmo5Vvw4+zLruAsHrmob0dC/E:aUlKtw4+/r2HNtw4+/r2HnMCM\r\nCryptAIS\r\nCryptAIS uses the same language as TokenAIS to advertise that it “helps build a portfolio of AI-based trading.” It is\r\ndistributed as an Apple Disk Image (DMG) file that is digitally signed by an Apple digital signature issued for the Apple\r\nDeveloper Team CMHD64V5R8. The certificate associated with Apple Developer Team CMHD64V5R8 has been revoked.\r\nThe application requires users to “register” an account by entering an email address and a password to use its features. The\r\nmalicious TraderTraitor code is a Node.js function called UpdateCheckSync() located in a file named update.js, which is\r\nbundled in a file called renderer.prod.js, which is in an archive called app.asar. 
This function passes the email address\r\nthat the user provided and the system platform to the C2 server, decrypts the response using AES 256 in CTR mode and a\r\nkey provided in the response, then writes the decrypted data to a file and executes it in a new shell.\r\ncryptais[.]com\r\nInformation as of August 2021:\r\nIP Address: 82.102.31.14\r\nRegistrar: NameCheap, Inc.\r\nCreated: August 2, 2021\r\nExpires: August 2, 2022\r\nf0e8c29e3349d030a97f4a8673387c2e21858cccd1fb9ebbf9009b27743b2e5b\r\nTags: dropper macos\r\nName: CryptAIS[.]dmg\r\nSize: 80.36 MB (84259810 bytes)\r\nMD5: 4e5ebbecd22c939f0edf1d16d68e8490\r\nSHA-1: f1606d4d374d7e2ba756bdd4df9b780748f6dc98\r\nSHA-256: f0e8c29e3349d030a97f4a8673387c2e21858cccd1fb9ebbf9009b27743b2e5b\r\nssdeep: 1572864:jx9QOwiLDCUrJXsKMoGTwiCcKFI8jmrvGqjL2hX6QklBmrZgkZjMz+dPSpR0Xcpk:F9QOTPCUrdsKEw3coIg2Or6XBmrZg\r\nAlticGO\r\nAlticGO was observed packaged as Nullsoft Scriptable Install System (NSIS) Windows executables that extracted an\r\nElectron application packaged for Windows. These executables contain a simpler version of TraderTraitor code in a function\r\nexported as UpdateCheckSync() located in a file named update.js, which is bundled in renderer.prod.js, which is in the\r\napp.asar archive. The function calls an external function located in a file node_modules/request/index.js bundled in\r\nrenderer.prod.js to make an HTTP request to hxxps://www.alticgo[.]com/update/. One AlticGO sample,\r\ne3d98cc4539068ce335f1240deb1d72a0b57b9ca5803254616ea4999b66703ad, instead contacts\r\nhxxps://www.esilet[.]com/update/ (see below for more information about Esilet). Some image resources bundled with\r\nthe application included the CreAI Deck logo (see below for more information about CreAI Deck). The response is written\r\nto disk and executed in a new shell using the child_process.exec() method in Node.js. 
Unlike newer versions of\r\nTraderTraitor, there is no mechanism to decrypt a payload.\r\nalticgo[.]com\r\nInformation as of August 2020:\r\nIP Address: 108.170.55[.]202\r\nRegistrar: NetEarth One Inc.\r\nCreated: August 8, 2020\r\nExpires: August 8, 2021\r\n765a79d22330098884e0f7ce692d61c40dfcf288826342f33d976d8314cfd819\r\nTags: dropper peexe nsis\r\nName: AlticGO.exe\r\nSize: 43.54 MB (45656474 bytes)\r\nMD5: 1c7d0ae1c4d2c0b70f75eab856327956\r\nSHA-1: f3263451f8988a9b02268f0fb6893f7c41b906d9\r\nSHA-256: 765a79d22330098884e0f7ce692d61c40dfcf288826342f33d976d8314cfd819\r\nssdeep: 786432:optZmVDkD1mZ1FggTqqLGAU6JXnjmDQ4YBXpleV0RnJYJKoSuDySLGh7yVPUXi7:opzKDginspAU6JXnJ46X+eC6cySihW\r\nCompilation timestamp: 2018-12-15 22:26:14 UTC\r\ne3d98cc4539068ce335f1240deb1d72a0b57b9ca5803254616ea4999b66703ad\r\nTags: dropper peexe nsis\r\nName: AlticGO_R.exe\r\nSize: 44.58 MB (46745505 bytes)\r\nMD5: 855b2f4c910602f895ee3c94118e979a\r\nSHA-1: ff17bd5abe9f4939918f27afbe0072c18df6db37\r\nSHA-256: e3d98cc4539068ce335f1240deb1d72a0b57b9ca5803254616ea4999b66703ad\r\nssdeep: 786432:LptZmVDkD1mQIiXUBkRbWGtqqLGAU6JXnjmDQ4YBXpleV0RnJYJKoSuDySLGh7yH:LpzKDgzRpWGwpAU6JXnJ46X+\r\nCompilation timestamp: 2020-02-12 16:15:17 UTC\r\n8acd7c2708eb1119ba64699fd702ebd96c0d59a66cba5059f4e089f4b0914925\r\nTags: dropper peexe nsis\r\nName: AlticGO.exe\r\nSize: 44.58 MB (46745644 bytes)\r\nMD5: 9a6307362e3331459d350a201ad66cd9\r\nSHA-1: 3f2c1e60b5fac4cf1013e3e1fc688be490d71a84\r\nSHA-256: 8acd7c2708eb1119ba64699fd702ebd96c0d59a66cba5059f4e089f4b0914925\r\nssdeep: 786432:AptZmVDkD1mjPNDeuxOTKQqqLGAU6JXnjmDQ4YBXpleV0RnJYJKoSuDySLGh7yV7:ApzKDgqPxeuLpAU6JXnJ46X+eC\r\nCompilation timestamp: 2020-02-12 16:15:17 UTC\r\nEsilet\r\nEsilet claims to offer live cryptocurrency prices and price predictions. 
It contains a simpler version of TraderTraitor code in\r\na function exported as UpdateCheckSync() located in a file named update.js, which is bundled in renderer.prod.js,\r\nwhich is in the app.asar archive. The function calls an external function located in a file\r\nnode_modules/request/index.js bundled in renderer.prod.js to make an HTTP request to\r\nhxxps://www.esilet[.]com/update/. The response is written to disk and executed in a new shell using the\r\nchild_process.exec() method in Node.js. Unlike newer versions of TraderTraitor, there is no mechanism to decrypt a\r\npayload. Esilet has been observed delivering payloads of at least two different macOS variants of Manuscrypt,\r\n9d9dda39af17a37d92b429b68f4a8fc0a76e93ff1bd03f06258c51b73eb40efa and\r\ndced1acbbe11db2b9e7ae44a617f3c12d6613a8188f6a1ece0451e4cd4205156.\r\nFigure 3: Screenshot of the UpdateCheckSync() function in Esilet\r\nesilet[.]com\r\nInformation as of June 2020:\r\nIP Address: 104.168.98[.]156\r\nRegistrar: NameSilo, LLC\r\nCreated: June 12, 2020\r\nExpires: June 12, 2021\r\ngreenvideo[.]nl\r\nLikely legitimate but compromised. Information as of April 2022:\r\nIP Address: 62.84.240[.]140\r\nRegistrar: Flexwebhosting\r\nCreated: February 26, 2018\r\nExpires: Unknown\r\ndafnefonseca[.]com\r\nLikely legitimate but compromised. Information as of June 2020:\r\nIP Address: 151.101.64[.]119\r\nRegistrar: PublicDomainRegistry\r\nCreated: August 27, 2019\r\nExpires: August 27, 2022\r\nhaciendadeclarevot[.]com\r\nLikely legitimate but compromised. Information as of June 2020:\r\nIP Address: 185.66.41[.]17\r\nRegistrar: cdmon, 10DENCEHISPAHARD, S.L.\r\nCreated: March 2, 2005\r\nExpires: March 2, 2023\r\nsche-eg[.]org\r\nLikely legitimate but compromised. 
Information as of June 2020:\r\nIP Address: 160.153.235[.]20\r\nRegistrar: GoDaddy.com, LLC\r\nCreated: June 1, 2019\r\nExpires: June 1, 2022\r\nwww.vinoymas[.]ch\r\nLikely legitimate but compromised. Information as of June 2020:\r\nIP Address: 46.16.62[.]238\r\nRegistrar: cdmon, 10DENCEHISPAHARD, S.L.\r\nCreated: January 24, 2010\r\nExpires: Unknown\r\ninfodigitalnew[.]com\r\nLikely legitimate but compromised. Information as of June 2020:\r\nIP Address: 107.154.160[.]132\r\nRegistrar: PublicDomainRegistry\r\nCreated: June 20, 2020\r\nExpires: June 20, 2022\r\n9ba02f8a985ec1a99ab7b78fa678f26c0273d91ae7cbe45b814e6775ec477598\r\nTags: dropper macos\r\nName: Esilet.dmg\r\nSize: 77.90 MB (81688694 bytes)\r\nMD5: 53d9af8829a9c7f6f177178885901c01\r\nSHA-1: ae9f4e39c576555faadee136c6c3b2d358ad90b9\r\nSHA-256: 9ba02f8a985ec1a99ab7b78fa678f26c0273d91ae7cbe45b814e6775ec477598\r\nssdeep: 1572864:lffyoUnp5xmHVUTd+GgNPjFvp4YEbRU7h8cvjmUAm4Du73X0unpXkU:lfqHBmHo+BPj9CYEshLqcuAX0I0\r\n9d9dda39af17a37d92b429b68f4a8fc0a76e93ff1bd03f06258c51b73eb40efa\r\nTags: trojan macho\r\nName: Esilet-tmpzpsb3\r\nSize: 510.37 KB (522620 bytes)\r\nMD5: 1ca31319721740ecb79f4b9ee74cd9b0\r\nSHA-1: 41f855b54bf3db621b340b7c59722fb493ba39a5\r\nSHA-256: 9d9dda39af17a37d92b429b68f4a8fc0a76e93ff1bd03f06258c51b73eb40efa\r\nssdeep: 6144:wAulcT94T94T97zDj1I/BkjhkbjZ8bZ87ZMSj71obV/7NobNo7NZTb7hMT5ETZ8I:wDskT1UBg2lirFbpR9mJGpmN\r\nC2 Endpoints:\r\nhxxps://greenvideo[.]nl/wp-content/themes/top.php\r\nhxxps://dafnefonseca[.]com/wp-content/themes/top.php\r\nhxxps://haciendadeclarevot[.]com/wp-content/top.php\r\ndced1acbbe11db2b9e7ae44a617f3c12d6613a8188f6a1ece0451e4cd4205156\r\nTags: trojan macho\r\nName: Esilet-tmpg7lpp\r\nSize: 38.24 KB (39156 bytes)\r\nMD5: 9578c2be6437dcc8517e78a5de1fa975\r\nSHA-1: d2a77c31c3e169bec655068e96cf4e7fc52e77b8\r\nSHA-256: dced1acbbe11db2b9e7ae44a617f3c12d6613a8188f6a1ece0451e4cd4205156\r\nssdeep: 
384:sdaWs0fDTmKnY4FPk6hTyQUitnI/kmCgr7lUryESll4yg9RpEwrUifJ8ttJOdy:sdayCkY4Fei9mhy/L9RBrny6y\r\nC2 Endpoints:\r\nhxxps://sche-eg[.]org/plugins/top.php\r\nhxxps://www.vinoymas[.]ch/wp-content/plugins/top.php\r\nhxxps://infodigitalnew[.]com/wp-content/plugins/top.php\r\nCreAI Deck\r\nCreAI Deck claims to be a platform for “artificial intelligence and deep learning.” No droppers for it were identified, but the\r\nfilenames of the below samples, win32.bin and darwin64.bin, match the naming conventions used by other versions of\r\nTraderTraitor when downloading a payload. Both are samples of Manuscrypt that contact\r\nhxxps://aideck[.]net/board.php for C2 using HTTP POST requests with multipart/form-data Content-Types.\r\ncreaideck[.]com\r\nInformation as of March 2020:\r\nIP Address: 38.132.124[.]161\r\nRegistrar: NameCheap, Inc.\r\nCreated: March 9, 2020\r\nExpires: March 9, 2021\r\naideck[.]net\r\nInformation as of June 2020:\r\nIP Address: 89.45.4[.]151\r\nRegistrar: NameCheap, Inc.\r\nCreated: June 22, 2020\r\nExpires: June 22, 2021\r\n867c8b49d29ae1f6e4a7cd31b6fe7e278753a1ba03d4be338ed11fd1efc7dd36\r\nTags: trojan peexe\r\nName: win32.bin\r\nSize: 2.10 MB (2198684 bytes)\r\nMD5: 5d43baf1c9e9e3a939e5defd8f8fbd8d\r\nSHA-1: d5ff73c043f3bb75dd749636307500b60a436550\r\nSHA-256: 867c8b49d29ae1f6e4a7cd31b6fe7e278753a1ba03d4be338ed11fd1efc7dd36\r\nssdeep: 24576:y3SY+/2M3BMr7cdgSLBjbr4nzzy95VV7cEXV:ESZ2ESrHSV3D95oA\r\nCompilation timestamp: 2020-06-23 06:06:35 UTC\r\n89b5e248c222ebf2cb3b525d3650259e01cf7d8fff5e4aa15ccd7512b1e63957\r\nTags: trojan macho\r\nName: darwin64.bin\r\nSize: 6.44 MB (6757832 bytes)\r\nMD5: 8397ea747d2ab50da4f876a36d673272\r\nSHA-1: 48a6d5141e25b6c63ad8da20b954b56afe589031\r\nSHA-256: 89b5e248c222ebf2cb3b525d3650259e01cf7d8fff5e4aa15ccd7512b1e63957\r\nssdeep: 49152:KIH1kEh7zIXlDYwVhb26hRKtRwwfs62sRAdNhEJNDvOL3OXl5zpF+FqBNihzTvff:KIH1kEhI1LOJtm2spB\r\nMitigations\r\n
North Korean state-sponsored cyber actors use a full array of tactics and techniques to exploit computer networks of interest,\r\nacquire sensitive cryptocurrency intellectual property, and gain financial assets. The U.S. government recommends\r\nimplementing mitigations to protect critical infrastructure organizations as well as financial sector organizations in the\r\nblockchain technology and cryptocurrency industry.\r\nApply a defense-in-depth security strategy. Apply security principles—such as least access models and defense-in-depth—to user and application privileges to help prevent exploitation attempts from being successful. Use network\r\nsegmentation to separate networks into zones based on roles and requirements. Separate network zones can help\r\nprevent lateral movement throughout the organization and limit the attack surface. See NSA’s Top Ten Cybersecurity\r\nMitigation Strategies for strategies enterprise organizations should use to build a defense-in-depth security posture.\r\nImplement patch management. Initial and follow-on exploitation involves leveraging common vulnerabilities and\r\nexposures (CVEs) to gain access to a networked environment. Organizations should have a timely vulnerability and\r\npatch management program in place to mitigate exposure to critical CVEs. Prioritize patching of internet-facing\r\ndevices and monitor them accordingly for any malicious logic attacks.\r\nEnforce credential requirements and multifactor authentication. North Korean malicious cyber actors continuously\r\ntarget user credentials, email, social media, and private business accounts. Organizations should ensure users change\r\npasswords regularly to reduce the impact of password spraying and other brute force techniques. The U.S.\r\ngovernment recommends organizations implement and enforce multifactor authentication (MFA) to reduce the risk of\r\ncredential theft. 
Be aware of MFA interception techniques for some MFA implementations and monitor for\r\nanomalous logins.\r\nEducate users on social engineering on social media and spearphishing. North Korean actors rely heavily on social\r\nengineering, leveraging email and social media platforms to build trust and send malicious documents to\r\nunsuspecting users. A cybersecurity-aware workforce is one of the best defenses against social engineering\r\ntechniques like phishing. User training should include how to identify social engineering techniques and awareness to\r\nonly open links and attachments from trusted senders.\r\nImplement email and domain mitigations. Maintain awareness of themed emails surrounding current events.\r\nMalicious cyber actors use current events as a lure for potential victims, as observed during the COVID-19 pandemic.\r\nOrganizations should have a robust domain security solution that includes leveraging reputation checks and closely\r\nmonitoring or blocking newly registered domains (NRDs) in enterprise traffic. NRDs are commonly established by\r\nthreat actors prior to malicious engagement.\r\nHTML and email scanning. Organizations should disable HTML from being used in emails and scan email\r\nattachments. Embedded scripts may be hard for an antivirus product to detect if they are fragmented. An\r\nadditional malware scanning interface product can be integrated to combine potentially malicious payloads\r\nand send the payload to the primary antivirus product. Hyperlinks in emails should also be scanned and\r\nopened with precautionary measures to reduce the likelihood of a user clicking on a malicious link.\r\nEndpoint protection. Although network security is critical, device mobility often means traveling and connecting to\r\nmultiple different networks that offer varying levels of security. 
To reduce the risk of introducing exposed hosts to\r\ncritical networks, organizations should ensure mobile devices have installed security suites to detect and mitigate\r\nmalware.\r\nEnforce application security. Application allowlisting enables the organization to monitor programs and only allow\r\nthose on the approved allowlist to execute. Allowlisting helps to stop the initial attack, even if the user clicks a\r\nmalicious link or opens a malicious attachment. Implement baseline rule sets, such as NSA’s Limiting Location Data\r\nExposure guidance, to block execution of unauthorized or malicious programs.\r\nDisable macros in office products. Macros are a common method for executing code through an attached\r\noffice document. Some office products allow for the disabling of macros that originate from outside of the\r\norganization, providing a hybrid approach when the organization depends on the legitimate use of macros.\r\nWindows-specific settings can be configured to block internet-originated macros from running. This\r\ncan be done in the Group Policy Administrative Templates for each of the associated Office products\r\n(specifically Word, Excel and PowerPoint). Other productivity software, such as LibreOffice and\r\nOpenOffice, can be configured to set the Macro Security Level.\r\nBe aware of third-party downloads—especially cryptocurrency applications. North Korean actors have been\r\nincreasingly active with currency generation operations. Users should always verify file downloads and ensure the\r\nsource is from a reputable or primary (preferred) source and not from a third-party vendor. Malicious cyber actors\r\nhave continuously demonstrated the ability to trojanize applications and gain a foothold on host devices.\r\nCreate an incident response plan to respond to possible cyber intrusions. 
The plan should include reporting incidents\r\nto both the FBI and CISA—quick reporting can reduce the severity of incidents and provide valuable information to\r\ninvestigators. Contact information can be found below.\r\nContact\r\nOrganizations can also report anomalous cyber activity and/or cyber incidents 24/7 to report@cisa.gov or by calling 1-844-Say-CISA (1-844-729-2472) and/or to the FBI via your local FBI field office or the FBI’s 24/7 CyWatch at (855) 292-3937 or CyWatch@fbi.gov.\r\nDisclaimer\r\nThe information in this advisory is provided \"as is\" for informational purposes only. The FBI, CISA, and Treasury do not\r\nprovide any warranties of any kind regarding this information or endorse any commercial product or service, including any\r\nsubjects of analysis.\r\nRevisions\r\nInitial Version: April 18, 2022\r\nSource: https://www.cisa.gov/news-events/cybersecurity-advisories/aa22-108a",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://www.cisa.gov/news-events/cybersecurity-advisories/aa22-108a"
	],
	"report_names": [
		"aa22-108a"
	],
	"threat_actors": [
		{
			"id": "fdf8d396-bbe4-454c-970a-81c4c3093b27",
			"created_at": "2022-10-25T16:07:23.763387Z",
			"updated_at": "2026-04-10T02:00:04.742186Z",
			"deleted_at": null,
			"main_name": "BeagleBoyz",
			"aliases": [
				"BeagleBoyz",
				"Operation FASTCash"
			],
			"source_name": "ETDA:BeagleBoyz",
			"tools": [
				"Cyruslish",
				"ECCENTRICBANDWAGON",
				"FASTCash",
				"NACHOCHEESE",
				"NachoCheese",
				"PSLogger",
				"TWOPENCE",
				"VIVACIOUSGIFT"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "34eea331-d052-4096-ae03-a22f1d090bd4",
			"created_at": "2025-08-07T02:03:25.073494Z",
			"updated_at": "2026-04-10T02:00:03.709243Z",
			"deleted_at": null,
			"main_name": "NICKEL ACADEMY",
			"aliases": [
				"ATK3 ",
				"Black Artemis ",
				"COVELLITE ",
				"CTG-2460 ",
				"Citrine Sleet ",
				"Diamond Sleet ",
				"Guardians of Peace",
				"HIDDEN COBRA ",
				"High Anonymous",
				"Labyrinth Chollima ",
				"Lazarus Group ",
				"NNPT Group",
				"New Romanic Cyber Army Team",
				"Temp.Hermit ",
				"UNC577 ",
				"Who Am I?",
				"Whois Team",
				"ZINC "
			],
			"source_name": "Secureworks:NICKEL ACADEMY",
			"tools": [
				"Destover",
				"KorHigh",
				"Volgmer"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "810fada6-3a62-477e-ac11-2702f9a1ef80",
			"created_at": "2023-01-06T13:46:38.874104Z",
			"updated_at": "2026-04-10T02:00:03.129286Z",
			"deleted_at": null,
			"main_name": "STARDUST CHOLLIMA",
			"aliases": [
				"Sapphire Sleet"
			],
			"source_name": "MISPGALAXY:STARDUST CHOLLIMA",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "679e335a-38a4-4db9-8fdf-a48c17a1f5e6",
			"created_at": "2023-01-06T13:46:38.820429Z",
			"updated_at": "2026-04-10T02:00:03.112131Z",
			"deleted_at": null,
			"main_name": "FASTCash",
			"aliases": [],
			"source_name": "MISPGALAXY:FASTCash",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "544ecd2c-82c9-417c-9d98-d1ae395df964",
			"created_at": "2025-10-29T02:00:52.035025Z",
			"updated_at": "2026-04-10T02:00:05.408558Z",
			"deleted_at": null,
			"main_name": "AppleJeus",
			"aliases": [
				"AppleJeus",
				"Gleaming Pisces",
				"Citrine Sleet",
				"UNC1720",
				"UNC4736"
			],
			"source_name": "MITRE:AppleJeus",
			"tools": null,
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "0106b19a-ac99-4bc9-90b9-4647bfc5f3ce",
			"created_at": "2023-11-08T02:00:07.144995Z",
			"updated_at": "2026-04-10T02:00:03.425891Z",
			"deleted_at": null,
			"main_name": "TraderTraitor",
			"aliases": [
				"Pukchong",
				"Jade Sleet",
				"UNC4899"
			],
			"source_name": "MISPGALAXY:TraderTraitor",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "75108fc1-7f6a-450e-b024-10284f3f62bb",
			"created_at": "2024-11-01T02:00:52.756877Z",
			"updated_at": "2026-04-10T02:00:05.273746Z",
			"deleted_at": null,
			"main_name": "Play",
			"aliases": null,
			"source_name": "MITRE:Play",
			"tools": [
				"Nltest",
				"AdFind",
				"PsExec",
				"Wevtutil",
				"Cobalt Strike",
				"Playcrypt",
				"Mimikatz"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "732597b1-40a8-474c-88cc-eb8a421c29f1",
			"created_at": "2025-08-07T02:03:25.087732Z",
			"updated_at": "2026-04-10T02:00:03.776007Z",
			"deleted_at": null,
			"main_name": "NICKEL GLADSTONE",
			"aliases": [
				"APT38 ",
				"ATK 117 ",
				"Alluring Pisces ",
				"Black Alicanto ",
				"Bluenoroff ",
				"CTG-6459 ",
				"Citrine Sleet ",
				"HIDDEN COBRA ",
				"Lazarus Group",
				"Sapphire Sleet ",
				"Selective Pisces ",
				"Stardust Chollima ",
				"T-APT-15 ",
				"TA444 ",
				"TAG-71 "
			],
			"source_name": "Secureworks:NICKEL GLADSTONE",
			"tools": [
				"AlphaNC",
				"Bankshot",
				"CCGC_Proxy",
				"Ratankba",
				"RustBucket",
				"SUGARLOADER",
				"SwiftLoader",
				"Wcry"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "a2b92056-9378-4749-926b-7e10c4500dac",
			"created_at": "2023-01-06T13:46:38.430595Z",
			"updated_at": "2026-04-10T02:00:02.971571Z",
			"deleted_at": null,
			"main_name": "Lazarus Group",
			"aliases": [
				"Operation DarkSeoul",
				"Bureau 121",
				"Group 77",
				"APT38",
				"NICKEL GLADSTONE",
				"G0082",
				"COPERNICIUM",
				"Moonstone Sleet",
				"Operation GhostSecret",
				"APT 38",
				"Appleworm",
				"Unit 121",
				"ATK3",
				"G0032",
				"ATK117",
				"NewRomanic Cyber Army Team",
				"Nickel Academy",
				"Sapphire Sleet",
				"Lazarus group",
				"Hastati Group",
				"Subgroup: Bluenoroff",
				"Operation Troy",
				"Black Artemis",
				"Dark Seoul",
				"Andariel",
				"Labyrinth Chollima",
				"Operation AppleJeus",
				"COVELLITE",
				"Citrine Sleet",
				"DEV-0139",
				"DEV-1222",
				"Hidden Cobra",
				"Bluenoroff",
				"Stardust Chollima",
				"Whois Hacking Team",
				"Diamond Sleet",
				"TA404",
				"BeagleBoyz",
				"APT-C-26"
			],
			"source_name": "MISPGALAXY:Lazarus Group",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "32a223a8-3c79-4146-87c5-8557d38662ae",
			"created_at": "2022-10-25T15:50:23.703698Z",
			"updated_at": "2026-04-10T02:00:05.261989Z",
			"deleted_at": null,
			"main_name": "Lazarus Group",
			"aliases": [
				"Lazarus Group",
				"Labyrinth Chollima",
				"HIDDEN COBRA",
				"Guardians of Peace",
				"NICKEL ACADEMY",
				"Diamond Sleet"
			],
			"source_name": "MITRE:Lazarus Group",
			"tools": [
				"RawDisk",
				"Proxysvc",
				"BADCALL",
				"FALLCHILL",
				"WannaCry",
				"MagicRAT",
				"HOPLIGHT",
				"TYPEFRAME",
				"Dtrack",
				"HotCroissant",
				"HARDRAIN",
				"Dacls",
				"KEYMARBLE",
				"TAINTEDSCRIBE",
				"AuditCred",
				"netsh",
				"ECCENTRICBANDWAGON",
				"AppleJeus",
				"BLINDINGCAN",
				"ThreatNeedle",
				"Volgmer",
				"Cryptoistic",
				"RATANKBA",
				"Bankshot"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "f426f0a0-faef-4c0e-bcf8-88974116c9d0",
			"created_at": "2022-10-25T15:50:23.240383Z",
			"updated_at": "2026-04-10T02:00:05.299433Z",
			"deleted_at": null,
			"main_name": "APT38",
			"aliases": [
				"APT38",
				"NICKEL GLADSTONE",
				"BeagleBoyz",
				"Bluenoroff",
				"Stardust Chollima",
				"Sapphire Sleet",
				"COPERNICIUM"
			],
			"source_name": "MITRE:APT38",
			"tools": [
				"ECCENTRICBANDWAGON",
				"HOPLIGHT",
				"Mimikatz",
				"KillDisk",
				"DarkComet"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "1bdb91cf-f1a6-4bed-8cfa-c7ea1b635ebd",
			"created_at": "2022-10-25T16:07:23.766784Z",
			"updated_at": "2026-04-10T02:00:04.7432Z",
			"deleted_at": null,
			"main_name": "Bluenoroff",
			"aliases": [
				"APT 38",
				"ATK 117",
				"Alluring Pisces",
				"Black Alicanto",
				"Bluenoroff",
				"CTG-6459",
				"Copernicium",
				"G0082",
				"Nickel Gladstone",
				"Sapphire Sleet",
				"Selective Pisces",
				"Stardust Chollima",
				"T-APT-15",
				"TA444",
				"TAG-71",
				"TEMP.Hermit"
			],
			"source_name": "ETDA:Bluenoroff",
			"tools": [],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "f32df445-9fb4-4234-99e0-3561f6498e4e",
			"created_at": "2022-10-25T16:07:23.756373Z",
			"updated_at": "2026-04-10T02:00:04.739611Z",
			"deleted_at": null,
			"main_name": "Lazarus Group",
			"aliases": [
				"APT-C-26",
				"ATK 3",
				"Appleworm",
				"Citrine Sleet",
				"DEV-0139",
				"Diamond Sleet",
				"G0032",
				"Gleaming Pisces",
				"Gods Apostles",
				"Gods Disciples",
				"Group 77",
				"Guardians of Peace",
				"Hastati Group",
				"Hidden Cobra",
				"ITG03",
				"Jade Sleet",
				"Labyrinth Chollima",
				"Lazarus Group",
				"NewRomanic Cyber Army Team",
				"Operation 99",
				"Operation AppleJeus",
				"Operation AppleJeus sequel",
				"Operation Blockbuster: Breach of Sony Pictures Entertainment",
				"Operation CryptoCore",
				"Operation Dream Job",
				"Operation Dream Magic",
				"Operation Flame",
				"Operation GhostSecret",
				"Operation In(ter)caption",
				"Operation LolZarus",
				"Operation Marstech Mayhem",
				"Operation No Pineapple!",
				"Operation North Star",
				"Operation Phantom Circuit",
				"Operation Sharpshooter",
				"Operation SyncHole",
				"Operation Ten Days of Rain / DarkSeoul",
				"Operation Troy",
				"SectorA01",
				"Slow Pisces",
				"TA404",
				"TraderTraitor",
				"UNC2970",
				"UNC4034",
				"UNC4736",
				"UNC4899",
				"UNC577",
				"Whois Hacking Team"
			],
			"source_name": "ETDA:Lazarus Group",
			"tools": [
				"3CX Backdoor",
				"3Rat Client",
				"3proxy",
				"AIRDRY",
				"ARTFULPIE",
				"ATMDtrack",
				"AlphaNC",
				"Alreay",
				"Andaratm",
				"AngryRebel",
				"AppleJeus",
				"Aryan",
				"AuditCred",
				"BADCALL",
				"BISTROMATH",
				"BLINDINGCAN",
				"BTC Changer",
				"BUFFETLINE",
				"BanSwift",
				"Bankshot",
				"Bitrep",
				"Bitsran",
				"BlindToad",
				"Bookcode",
				"BootWreck",
				"BottomLoader",
				"Brambul",
				"BravoNC",
				"Breut",
				"COLDCAT",
				"COPPERHEDGE",
				"CROWDEDFLOUNDER",
				"Castov",
				"CheeseTray",
				"CleanToad",
				"ClientTraficForwarder",
				"CollectionRAT",
				"Concealment Troy",
				"Contopee",
				"CookieTime",
				"Cyruslish",
				"DAVESHELL",
				"DBLL Dropper",
				"DLRAT",
				"DRATzarus",
				"DRATzarus RAT",
				"Dacls",
				"Dacls RAT",
				"DarkComet",
				"DarkKomet",
				"DeltaCharlie",
				"DeltaNC",
				"Dembr",
				"Destover",
				"DoublePulsar",
				"Dozer",
				"Dtrack",
				"Duuzer",
				"DyePack",
				"ECCENTRICBANDWAGON",
				"ELECTRICFISH",
				"Escad",
				"EternalBlue",
				"FALLCHILL",
				"FYNLOS",
				"FallChill RAT",
				"Farfli",
				"Fimlis",
				"FoggyBrass",
				"FudModule",
				"Fynloski",
				"Gh0st RAT",
				"Ghost RAT",
				"Gopuram",
				"HARDRAIN",
				"HIDDEN COBRA RAT/Worm",
				"HLOADER",
				"HOOKSHOT",
				"HOPLIGHT",
				"HOTCROISSANT",
				"HOTWAX",
				"HTTP Troy",
				"Hawup",
				"Hawup RAT",
				"Hermes",
				"HotCroissant",
				"HotelAlfa",
				"Hotwax",
				"HtDnDownLoader",
				"Http Dr0pper",
				"ICONICSTEALER",
				"Joanap",
				"Jokra",
				"KANDYKORN",
				"KEYMARBLE",
				"Kaos",
				"KillDisk",
				"KillMBR",
				"Koredos",
				"Krademok",
				"LIGHTSHIFT",
				"LIGHTSHOW",
				"LOLBAS",
				"LOLBins",
				"Lazarus",
				"LightlessCan",
				"Living off the Land",
				"MATA",
				"MBRkiller",
				"MagicRAT",
				"Manuscrypt",
				"Mimail",
				"Mimikatz",
				"Moudour",
				"Mydoom",
				"Mydoor",
				"Mytob",
				"NACHOCHEESE",
				"NachoCheese",
				"NestEgg",
				"NickelLoader",
				"NineRAT",
				"Novarg",
				"NukeSped",
				"OpBlockBuster",
				"PCRat",
				"PEBBLEDASH",
				"PLANKWALK",
				"POOLRAT",
				"PSLogger",
				"PhanDoor",
				"Plink",
				"PondRAT",
				"PowerBrace",
				"PowerRatankba",
				"PowerShell RAT",
				"PowerSpritz",
				"PowerTask",
				"Preft",
				"ProcDump",
				"Proxysvc",
				"PuTTY Link",
				"QUICKRIDE",
				"QUICKRIDE.POWER",
				"Quickcafe",
				"QuiteRAT",
				"R-C1",
				"ROptimizer",
				"Ratabanka",
				"RatabankaPOS",
				"Ratankba",
				"RatankbaPOS",
				"RawDisk",
				"RedShawl",
				"Rifdoor",
				"Rising Sun",
				"Romeo-CoreOne",
				"RomeoAlfa",
				"RomeoBravo",
				"RomeoCharlie",
				"RomeoCore",
				"RomeoDelta",
				"RomeoEcho",
				"RomeoFoxtrot",
				"RomeoGolf",
				"RomeoHotel",
				"RomeoMike",
				"RomeoNovember",
				"RomeoWhiskey",
				"Romeos",
				"RustBucket",
				"SHADYCAT",
				"SHARPKNOT",
				"SIGFLIP",
				"SIMPLESEA",
				"SLICKSHOES",
				"SORRYBRUTE",
				"SUDDENICON",
				"SUGARLOADER",
				"SheepRAT",
				"SierraAlfa",
				"SierraBravo",
				"SierraCharlie",
				"SierraJuliett-MikeOne",
				"SierraJuliett-MikeTwo",
				"SimpleTea",
				"SimplexTea",
				"SmallTiger",
				"Stunnel",
				"TAINTEDSCRIBE",
				"TAXHAUL",
				"TFlower",
				"TOUCHKEY",
				"TOUCHMOVE",
				"TOUCHSHIFT",
				"TOUCHSHOT",
				"TWOPENCE",
				"TYPEFRAME",
				"Tdrop",
				"Tdrop2",
				"ThreatNeedle",
				"Tiger RAT",
				"TigerRAT",
				"Trojan Manuscript",
				"Troy",
				"TroyRAT",
				"VEILEDSIGNAL",
				"VHD",
				"VHD Ransomware",
				"VIVACIOUSGIFT",
				"VSingle",
				"ValeforBeta",
				"Volgmer",
				"Vyveva",
				"W1_RAT",
				"Wana Decrypt0r",
				"WanaCry",
				"WanaCrypt",
				"WanaCrypt0r",
				"WannaCry",
				"WannaCrypt",
				"WannaCryptor",
				"WbBot",
				"Wcry",
				"Win32/KillDisk.NBB",
				"Win32/KillDisk.NBC",
				"Win32/KillDisk.NBD",
				"Win32/KillDisk.NBH",
				"Win32/KillDisk.NBI",
				"WinorDLL64",
				"Winsec",
				"WolfRAT",
				"Wormhole",
				"YamaBot",
				"Yort",
				"ZetaNile",
				"concealment_troy",
				"http_troy",
				"httpdr0pper",
				"httpdropper",
				"klovbot",
				"sRDI"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434579,
	"ts_updated_at": 1775826778,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/029bf6b2c39eb2f383430ff91aff23e1ad7168a3.pdf",
		"text": "https://archive.orkl.eu/029bf6b2c39eb2f383430ff91aff23e1ad7168a3.txt",
		"img": "https://archive.orkl.eu/029bf6b2c39eb2f383430ff91aff23e1ad7168a3.jpg"
	}
}