{
	"id": "ec7eef55-ba0e-43de-924a-c00e67f750b4",
	"created_at": "2026-04-06T00:16:12.841119Z",
	"updated_at": "2026-04-10T03:32:22.174293Z",
	"deleted_at": null,
	"sha1_hash": "0493059a618c8e90a47ab84777093b070e695dfb",
	"title": "APT43: North Korean Group Uses Cybercrime to Fund Espionage Operations | Mandiant",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 139312,
	"plain_text": "APT43: North Korean Group Uses Cybercrime to Fund Espionage\r\nOperations | Mandiant\r\nBy Mandiant\r\nPublished: 2023-03-28 · Archived: 2026-04-05 17:23:48 UTC\r\nWritten by: Fred Plan, Van Ta, Michael Barnhart, Jeff Johnson, Dan Perez, Joe Dobson\r\nhttps://www.mandiant.com/resources/blog/apt43-north-korea-cybercrime-espionage\r\nPage 1 of 3\n\nToday we are releasing a report on APT43, a prolific threat actor operating on behalf of the North Korean regime\r\nthat we have observed engaging in cybercrime as a way to fund their espionage operations.\r\nMandiant tracks tons of activity throughout the year, but we don’t always have enough evidence to attribute it to a\r\nspecific group. However, as we continue to observe more activity over time and our knowledge of related threat\r\nclusters matures, we may graduate it to a named threat actor.\r\nSuch is the case with APT43. This report represents the culmination of endless hours of research and connecting\r\nthe dots across numerous Mandiant groups, and highlights collaboration with our new colleagues at Google Cloud\r\nas well. It also marks our first official graduation since Mandiant announced APT42 in September 2022.\r\nDive into the report now for in-depth analysis on APT43 targeting and TTPs, examples of their campaigns and\r\noperations, and an annex of malware and indicators. 
Here’s a little taste of what you can expect to learn:\r\nAttribution: Mandiant has tracked this group since 2018, and APT43’s collection priorities align with the\r\nmission of the Reconnaissance General Bureau (RGB), North Korea's main foreign intelligence service.\r\nActivity: APT43 steals and launders enough cryptocurrency to buy operational infrastructure in a manner\r\naligned with North Korea’s juche state ideology of self-reliance, therefore reducing fiscal strain on the\r\ncentral government.\r\nTargeting: Espionage targeting is regionally focused on South Korea, Japan, Europe, and the United\r\nStates, especially in the following sectors: government, business services, and manufacturing, along with\r\neducation, research, and think tanks focused on geopolitical and nuclear policy. The group shifted focus to\r\nhealth-related verticals throughout the majority of 2021, likely in support of pandemic response efforts.\r\nTactics: The group creates numerous spoofed and fraudulent (but convincing) personas for use in social\r\nengineering, and also masquerades as key individuals within their target area (such as diplomacy and\r\ndefense), and leverages stolen personally identifiable information (PII) to create accounts and register\r\ndomains. 
APT43 has also created cover identities for purchasing operational tooling and infrastructure.\r\nProcedures: APT43 buys hash rental and cloud mining services to provide hash power, which is used to\r\nmine cryptocurrency to a wallet selected by the buyer without any blockchain-based association to the\r\nbuyer’s original payments—in other words, they use stolen crypto to mine for clean crypto.\r\nAPT43 is able to support espionage efforts with cybercrime, is willing to engage in operations over longer periods\r\nof time, and has collaborated with other North Korean espionage operators on multiple operations, underscoring\r\nthe major role APT43 plays in the regime’s cyber apparatus.\r\nDownload the report now to learn about APT43. Not enough? Seeking even more? Listen to our latest podcast\r\nembedded in this post, and register today for our APT43 webinar.\r\nPosted in\r\nThreat Intelligence\r\nSource: https://www.mandiant.com/resources/blog/apt43-north-korea-cybercrime-espionage",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MISPGALAXY",
		"Malpedia"
	],
	"references": [
		"https://www.mandiant.com/resources/blog/apt43-north-korea-cybercrime-espionage"
	],
	"report_names": [
		"apt43-north-korea-cybercrime-espionage"
	],
	"threat_actors": [
		{
			"id": "c306e698-3b48-46d7-b571-3dfa0c828379",
			"created_at": "2023-05-16T02:02:09.957677Z",
			"updated_at": "2026-04-10T02:00:03.364345Z",
			"deleted_at": null,
			"main_name": "APT43",
			"aliases": [],
			"source_name": "MISPGALAXY:APT43",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "d0e8337e-16a7-48f2-90cf-8fd09a7198d1",
			"created_at": "2023-03-04T02:01:54.091301Z",
			"updated_at": "2026-04-10T02:00:03.356317Z",
			"deleted_at": null,
			"main_name": "APT42",
			"aliases": [
				"UNC788",
				"CALANQUE"
			],
			"source_name": "MISPGALAXY:APT42",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "191d7f9a-8c3c-442a-9f13-debe259d4cc2",
			"created_at": "2022-10-25T15:50:23.280374Z",
			"updated_at": "2026-04-10T02:00:05.305572Z",
			"deleted_at": null,
			"main_name": "Kimsuky",
			"aliases": [
				"Kimsuky",
				"Black Banshee",
				"Velvet Chollima",
				"Emerald Sleet",
				"THALLIUM",
				"APT43",
				"TA427",
				"Springtail"
			],
			"source_name": "MITRE:Kimsuky",
			"tools": [
				"Troll Stealer",
				"schtasks",
				"Amadey",
				"GoBear",
				"Brave Prince",
				"CSPY Downloader",
				"gh0st RAT",
				"AppleSeed",
				"Gomir",
				"NOKKI",
				"QuasarRAT",
				"Gold Dragon",
				"PsExec",
				"KGH_SPY",
				"Mimikatz",
				"BabyShark",
				"TRANSLATEXT"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "760f2827-1718-4eed-8234-4027c1346145",
			"created_at": "2023-01-06T13:46:38.670947Z",
			"updated_at": "2026-04-10T02:00:03.062424Z",
			"deleted_at": null,
			"main_name": "Kimsuky",
			"aliases": [
				"G0086",
				"Emerald Sleet",
				"THALLIUM",
				"Springtail",
				"Sparkling Pisces",
				"Thallium",
				"Operation Stolen Pencil",
				"APT43",
				"Velvet Chollima",
				"Black Banshee"
			],
			"source_name": "MISPGALAXY:Kimsuky",
			"tools": [
				"xrat",
				"QUASARRAT",
				"RDP Wrapper",
				"TightVNC",
				"BabyShark",
				"RevClient"
			],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "99c7aace-96b1-445b-87e7-d8bdd01d5e03",
			"created_at": "2025-08-07T02:03:24.746965Z",
			"updated_at": "2026-04-10T02:00:03.640335Z",
			"deleted_at": null,
			"main_name": "COBALT ILLUSION",
			"aliases": [
				"APT35 ",
				"APT42 ",
				"Agent Serpens Palo Alto",
				"Charming Kitten ",
				"CharmingCypress ",
				"Educated Manticore Checkpoint",
				"ITG18 ",
				"Magic Hound ",
				"Mint Sandstorm sub-group ",
				"NewsBeef ",
				"Newscaster ",
				"PHOSPHORUS sub-group ",
				"TA453 ",
				"UNC788 ",
				"Yellow Garuda "
			],
			"source_name": "Secureworks:COBALT ILLUSION",
			"tools": [
				"Browser Exploitation Framework (BeEF)",
				"MagicHound Toolset",
				"PupyRAT"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "c8bf82a7-6887-4d46-ad70-4498b67d4c1d",
			"created_at": "2025-08-07T02:03:25.101147Z",
			"updated_at": "2026-04-10T02:00:03.846812Z",
			"deleted_at": null,
			"main_name": "NICKEL KIMBALL",
			"aliases": [
				"APT43 ",
				"ARCHIPELAGO ",
				"Black Banshee ",
				"Crooked Pisces ",
				"Emerald Sleet ",
				"ITG16 ",
				"Kimsuky ",
				"Larva-24005 ",
				"Opal Sleet ",
				"Ruby Sleet ",
				"SharpTongue ",
				"Sparking Pisces ",
				"Springtail ",
				"TA406 ",
				"TA427 ",
				"THALLIUM ",
				"UAT-5394 ",
				"Velvet Chollima "
			],
			"source_name": "Secureworks:NICKEL KIMBALL",
			"tools": [
				"BabyShark",
				"FastFire",
				"FastSpy",
				"FireViewer",
				"Konni"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "0b212c43-009a-4205-a1f7-545c5e4cfdf8",
			"created_at": "2025-04-23T02:00:55.275208Z",
			"updated_at": "2026-04-10T02:00:05.270553Z",
			"deleted_at": null,
			"main_name": "APT42",
			"aliases": [
				"APT42"
			],
			"source_name": "MITRE:APT42",
			"tools": [
				"NICECURL",
				"TAMECAT"
			],
			"source_id": "MITRE",
			"reports": null
		}
	],
	"ts_created_at": 1775434572,
	"ts_updated_at": 1775791942,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/0493059a618c8e90a47ab84777093b070e695dfb.pdf",
		"text": "https://archive.orkl.eu/0493059a618c8e90a47ab84777093b070e695dfb.txt",
		"img": "https://archive.orkl.eu/0493059a618c8e90a47ab84777093b070e695dfb.jpg"
	}
}