{
	"id": "99f907d1-63ad-48aa-9883-5683ef94bef3",
	"created_at": "2026-04-06T00:16:41.300399Z",
	"updated_at": "2026-04-10T03:38:19.520181Z",
	"deleted_at": null,
	"sha1_hash": "0ce1eae63e681b49a35d3d50bcf5b34100b0272f",
	"title": "Multiple North Korean threat actors exploiting the TeamCity CVE-2023-42793 vulnerability | Microsoft Security Blog",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 763450,
	"plain_text": "Multiple North Korean threat actors exploiting the TeamCity CVE-2023-42793 vulnerability | Microsoft Security Blog\r\nBy Microsoft Threat Intelligence\r\nPublished: 2023-10-18 · Archived: 2026-04-02 10:42:45 UTC\r\nSince early October 2023, Microsoft has observed two North Korean nation-state threat actors – Diamond Sleet and Onyx Sleet – exploiting CVE-2023-42793, a remote code execution vulnerability affecting multiple versions of JetBrains TeamCity server. TeamCity is a continuous integration/continuous deployment (CI/CD) application used by organizations for DevOps and other software development activities.\r\nIn past operations, Diamond Sleet and other North Korean threat actors have successfully carried out software supply chain attacks by infiltrating build environments. Given this, Microsoft assesses that this activity poses a particularly high risk to affected organizations. JetBrains has released an update to address this vulnerability and has developed a mitigation for users who are unable to update to the latest software version.\r\nWhile the two threat actors are exploiting the same vulnerability, Microsoft observed Diamond Sleet and Onyx Sleet using distinct sets of tools and techniques following successful exploitation. Based on the profile of victim organizations affected by these intrusions, Microsoft assesses that the threat actors may be opportunistically compromising vulnerable servers. However, both actors have deployed malware and tools and used techniques that may enable persistent access to victim environments.\r\nAs with any observed nation-state actor activity, Microsoft directly notifies customers that have been targeted or compromised and provides them with the information they need to secure their environments.\r\nWho are Diamond Sleet and Onyx Sleet?\r\nDiamond Sleet (ZINC) is a North Korean nation-state threat actor that prioritizes espionage, data theft, financial gain, and network destruction. The actor typically targets media, IT services, and defense-related entities around the world. Microsoft reported on Diamond Sleet’s targeting of security researchers in January 2021 and the actor’s weaponizing of open-source software in September 2022. In August 2023, Diamond Sleet conducted a software supply chain compromise of a German software provider.\r\nOnyx Sleet (PLUTONIUM) is a North Korean nation-state threat actor that primarily targets defense and IT services organizations in South Korea, the United States, and India. Onyx Sleet employs a robust set of tools that they have developed to establish persistent access to victim environments and remain undetected. The actor frequently exploits N-day vulnerabilities as a means of gaining initial access to targeted organizations.\r\nDiamond Sleet attack path 1: Deployment of ForestTiger backdoor\r\nFollowing the successful compromise of TeamCity servers, Diamond Sleet uses PowerShell to download two payloads from legitimate infrastructure previously compromised by the threat actor. These two payloads, Forest64.exe and 4800-84DC-063A6A41C5C, are stored in the C:\\ProgramData directory.\r\nWhen launched, Forest64.exe checks for the presence of the file named 4800-84DC-063A6A41C5C, then reads and decrypts the contents of that file using the embedded, statically assigned key ‘uTYNkfKxHiZrx3KJ’:\r\nc:\\ProgramData\\Forest64.exe uTYNkfKxHiZrx3KJ\r\nInterestingly, this same value is specified as a parameter when the malware is invoked, but we did not see it used during our analysis. The same value and configuration name were also referenced in historical activity reported by Kaspersky’s Securelist on this malware, dubbed ForestTiger.\r\nThe decrypted content of 4800-84DC-063A6A41C5C is the configuration file for the malware, which contains additional parameters, such as the infrastructure used by the backdoor for command and control (C2). Microsoft observed Diamond Sleet using infrastructure previously compromised by the actor for C2.\r\nMicrosoft observed Forest64.exe then creating a scheduled task named Windows TeamCity Settings User Interface so that it runs every time the system starts, with the above referenced command parameter “uTYNkfKxHiZrx3KJ”.\r\nMicrosoft also observed Diamond Sleet leveraging the ForestTiger backdoor to dump credentials from LSASS memory. Microsoft Defender Antivirus detects this malware as ForestTiger.\r\nFigure 1. Diamond Sleet attack chain 1 using ForestTiger backdoor\r\nDiamond Sleet attack path 2: Deploying payloads for use in DLL search-order hijacking attacks\r\nDiamond Sleet leverages PowerShell on compromised servers to download a malicious DLL from attacker infrastructure. This malicious DLL is then staged in C:\\ProgramData alongside a legitimate .exe file to carry out DLL search-order hijacking. Microsoft has observed these malicious DLL and legitimate EXE combinations used by the actor:\r\nMalicious DLL name | Legitimate binary name\r\nDSROLE.dll | wsmprovhost.exe\r\nVersion.dll | clip.exe\r\nDSROLE.dll attack chain\r\nWhen DSROLE.dll is loaded by wsmprovhost.exe, the DLL starts a thread that enumerates and attempts to process files in the same directory as the DLL. The first four bytes of each candidate file are read and give the size of the remaining buffer to read. Once the remaining data is read, the bytes are reversed to reveal an executable payload that is staged in memory. The expected PE file is a DLL with the specific export named ‘StartAction’. The address of this export is resolved and then launched in memory.\r\nWhile the functionality of DSROLE.dll is ultimately determined by whatever payloads it deobfuscates and launches, Microsoft has observed the DLL being used to launch wksprt.exe, which communicates with C2 domains.\r\nMicrosoft Defender Antivirus detects DSROLE.dll using the family name RollSling.\r\nVersion.dll attack chain\r\nWhen loaded by clip.exe, Version.dll loads and decrypts the contents of readme.md, a file downloaded alongside Version.dll from attacker-compromised infrastructure. The file readme.md contains data that is used as a multibyte XOR key to decrypt position-independent code (PIC) embedded in Version.dll. This PIC loads and launches the final-stage remote access trojan (RAT).\r\nFigure 2. Composition of readme.md used as multibyte XOR key by Version.dll\r\nFigure 3. Application of XOR key to expose next-stage code block\r\nFigure 4. Carving out embedded PE from code block\r\nOnce loaded in memory, the second-stage executable decrypts an embedded configuration file containing several URLs used by the malware for command and control. Shortly after the malware beacons to the callback URL, Microsoft has observed a separate process, iexpress.exe, created and communicating with other C2 domains.\r\nMicrosoft Defender Antivirus detects Version.dll using the family name FeedLoad.\r\nFigure 5. Diamond Sleet attack chain 2 using DLL search order hijacking\r\nAfter successful compromise, Microsoft observed Diamond Sleet dumping credentials from LSASS memory.\r\nIn some cases, Microsoft observed Diamond Sleet intrusions that used tools and techniques from both paths 1 and 2.\r\nOnyx Sleet attack path: User account creation, system discovery, and payload deployment\r\nFollowing successful exploitation using the TeamCity exploit, Onyx Sleet creates a new user account on compromised systems. This account, named krtbgt, is likely intended to impersonate the legitimate Windows account name KRBTGT, the Kerberos Ticket Granting Ticket. After creating the account, the threat actor adds it to the local Administrators group with net localgroup:\r\nnet localgroup administrators krtbgt /add\r\nThe threat actor also runs several system discovery commands on compromised systems, including:\r\nnet localgroup 'Remote Desktop Users'\r\nnet localgroup Administrators\r\ncmd.exe \"/c tasklist | findstr Sec\"\r\ncmd.exe \"/c whoami\"\r\ncmd.exe \"/c netstat -nabp tcp\"\r\ncmd.exe \"/c ipconfig /all\"\r\ncmd.exe \"/c systeminfo\"\r\nNext, the threat actor deploys a unique payload to compromised systems by downloading it from attacker-controlled infrastructure via PowerShell. Microsoft observed these file paths for the unique payload:\r\nC:\\Windows\\Temp\\temp.exe\r\nC:\\Windows\\ADFS\\bg\\inetmgr.exe\r\nThis payload, when launched, loads and decrypts an embedded PE resource. The decrypted payload is then loaded into memory and launched directly. The inner payload is a proxy tool that helps establish a persistent connection between the compromised host and attacker-controlled infrastructure. Microsoft Defender Antivirus detects this proxy tool as HazyLoad.\r\nMicrosoft also observed the following post-compromise tools and techniques leveraged in this attack path:\r\n- Using the attacker-controlled krtbgt account to sign into the compromised device via remote desktop protocol (RDP)\r\n- Stopping the TeamCity service, likely in an attempt to prevent access by other threat actors\r\n- Dumping credentials from LSASS memory\r\n- Deploying tools to retrieve credentials and other data stored by browsers\r\nFigure 6. Onyx Sleet attack chain with user account creation\r\nRecommended mitigation actions\r\nMicrosoft recommends the following mitigations to reduce the impact of this threat.\r\n- Apply the update or mitigations released by JetBrains to address CVE-2023-42793.\r\n- Use the included indicators of compromise to investigate whether they exist in your environment and assess for potential intrusion.\r\n- Block inbound traffic from IPs specified in the IOC table.\r\n- Use Microsoft Defender Antivirus to protect from this threat. Turn on cloud-delivered protection and automatic sample submission. These capabilities use artificial intelligence and machine learning to quickly identify and stop new and unknown threats.\r\n- Take immediate action to address malicious activity on the impacted device. If malicious code has been launched, the attacker has likely taken complete control of the device. Immediately isolate the system and perform a reset of credentials and tokens.\r\n- Investigate the device timeline for indications of lateral movement activities using one of the compromised accounts. Check for additional tools that attackers might have dropped to enable credential access, lateral movement, and other attack activities.\r\n- Ensure that “Safe DLL Search Mode” is set.\r\n- Turn on the following attack surface reduction rule: Block executable files from running unless they meet a prevalence, age, or trusted list criterion\r\nDetections\r\nMicrosoft 365 Defender\r\nMicrosoft 365 Defender is becoming Microsoft Defender XDR.\r\nMicrosoft Defender Vulnerability Management\r\nMicrosoft Defender Vulnerability Management surfaces devices that may be affected by the CVE-2023-42793 vulnerability leveraged in these attacks.\r\nMicrosoft Defender Antivirus\r\nMicrosoft Defender Antivirus customers should look for the following family names for activity related to these attacks:\r\n- ForestTiger\r\n- RollSling\r\n- FeedLoad\r\n- HazyLoad\r\nMicrosoft Defender for Endpoint\r\nThe following Microsoft Defender for Endpoint alerts could indicate activity associated with this threat. These alerts, however, can also be triggered by unrelated threat activity.\r\n- Diamond Sleet Actor activity detected\r\n- Onyx Sleet Actor activity detected\r\n- Possible exploitation of JetBrains TeamCity vulnerability\r\n- Suspicious behavior by cmd.exe was observed\r\n- Suspicious DLL loaded by an application\r\n- Suspicious PowerShell download or encoded command execution\r\n- Possible lateral movement involving suspicious file\r\n- A script with suspicious content was observed\r\n- Suspicious scheduled task\r\nHunting queries\r\nMicrosoft 365 Defender\r\nCommand and control using iexpress.exe or wksprt.exe\r\nDeviceNetworkEvents\r\n| where (InitiatingProcessFileName =~ \"wksprt.exe\" and InitiatingProcessCommandLine == \"wksprt.exe\")\r\nor (InitiatingProcessFileName =~ \"iexpress.exe\" and InitiatingProcessCommandLine == \"iexpress.exe\")\r\nSearch order hijack using wsmprovhost.exe and DSROLE.dll\r\nDeviceImageLoadEvents\r\n| where InitiatingProcessFileName =~ \"wsmprovhost.exe\"\r\n| where FileName =~ \"DSROLE.dll\"\r\n| where not(FolderPath has_any(\"system32\", \"syswow64\"))\r\nSearch order hijack using clip.exe and Version.dll\r\nDeviceImageLoadEvents\r\n| where InitiatingProcessFileName =~ \"clip.exe\"\r\n| where FileName in~(\"version.dll\")\r\n| where not(FolderPath has_any(\"system32\", \"syswow64\", \"program files\", \"windows defender\\\\platform\", \"winsxs\", \"platform\", \"trend micro\"))\r\nMicrosoft Sentinel\r\nMicrosoft Sentinel customers can use the TI Mapping analytics (a series of analytics all prefixed with ‘TI map’) to automatically match the malicious domain indicators mentioned in this blog post with data in their workspace. If the TI Map analytics are not currently deployed, customers can install the Threat Intelligence solution from the Microsoft Sentinel Content Hub to have the analytics rule deployed in their Sentinel workspace.\r\nMicrosoft Sentinel also has a range of detection and threat hunting content that customers can use to detect the post-exploitation activity detailed in this blog, in addition to the Microsoft 365 Defender detections listed above.\r\n- PowerShell downloads\r\n- Dumping LSASS Process into a File\r\n- Anomalous Account Creation\r\n- RDP Rare Connection\r\n- Anomalous RDP Activity\r\nIndicators of compromise (IOCs)\r\nThe list below provides IOCs observed during our investigation. We encourage our customers to investigate these indicators in their environments and implement detections and protections to identify past related activity and prevent future attacks against their systems.\r\nDiamond Sleet path 1\r\nIndicator | Type | Description\r\nC:\\ProgramData\\Forest64.exe | File path | File path of ForestTiger binary\r\ne06f29dccfe90ae80812c2357171b5c48fba189ae103d28e972067b107e58795 | SHA-256 | Hash of Forest64.exe\r\n0be1908566efb9d23a98797884f2827de040e4cedb642b60ed66e208715ed4aa | SHA-256 | Hash of Forest64.exe\r\nC:\\ProgramData\\4800-84DC-063A6A41C5C | File path | ForestTiger configuration file\r\nhxxp://www.bandarpowder[.]com/public/assets/img/cfg.png | URL | Staging URL for 4800-84DC-063A6A41C5C (compromised domain)\r\nhxxps://www.bandarpowder[.]com/public/assets/img/cfg.png | URL | Staging URL for 4800-84DC-063A6A41C5C (compromised domain)\r\nhxxp://www.aeon-petro[.]com/wcms/plugins/addition_contents/cfg.png | URL | Staging URL for 4800-84DC-063A6A41C5C (compromised domain)\r\nhxxp://www.bandarpowder[.]com/public/assets/img/user64.png | URL | Staging URL for Forest64.exe (compromised domain)\r\nhxxps://www.bandarpowder[.]com/public/assets/img/user64.png | URL | Staging URL for Forest64.exe (compromised domain)\r\nhxxp://www.aeon-petro[.]com/wcms/plugins/addition_contents/user64.png | URL | Staging URL for Forest64.exe (compromised domain)\r\nDiamond Sleet path 2\r\nIndicator | Type | Description\r\nC:\\ProgramData\\DSROLE.dll | File path | File path of RollSling binary\r\nd9add2bfdfebfa235575687de356f0cefb3e4c55964c4cb8bfdcdc58294eeaca | SHA-256 | Hash of DSROLE.dll\r\nC:\\ProgramData\\Version.dll | File path | File path of FeedLoad binary\r\nf251144f7ad0be0045034a1fc33fb896e8c32874e0b05869ff5783e14c062486 | SHA-256 | Hash of Version.dll\r\nC:\\ProgramData\\readme.md | File path | Used as a multibyte XOR key for the FeedLoad next stage\r\nfa7f6ac04ec118dd807c1377599f9d369096c6d8fb1ed24ac7a6ec0e817eaab6 | SHA-256 | Hash of readme.md\r\nC:\\ProgramData\\wsmprovhost.exe | File path | Legitimate Windows binary copied to this directory for DLL search-order hijacking\r\nC:\\ProgramData\\clip.exe | File path | Legitimate Windows binary copied to this directory for DLL search-order hijacking\r\ndersmarketim[.]com | Domain | C2 domain (compromised domain)\r\nolidhealth[.]com | Domain | C2 domain (compromised domain)\r\ngalerielamy[.]com | Domain | C2 domain (compromised domain)\r\n3dkit[.]org | Domain | C2 domain (compromised domain)\r\nhxxp://www.mge[.]sn/themes/classic/modules/ps_rssfeed/feed.zip | URL | Staging URL for Version.dll (compromised domain)\r\nhxxp://www.mge[.]sn/themes/classic/modules/ps_rssfeed/feedmd.zip | URL | Staging URL for readme.md (compromised domain)\r\nhxxps://vadtalmandir[.]org/admin/ckeditor/plugins/icontact/about.php | URL | Callback URL from second-stage PE (compromised domain)\r\nhxxps://commune-fraita[.]ma/wp-content/plugins/wp-contact/contact.php | URL | Callback URL from second-stage PE (compromised domain)\r\nOnyx Sleet path\r\nIndicator | Type | Description\r\nC:\\Windows\\Temp\\temp.exe | File path | File path for HazyLoad binary\r\nC:\\Windows\\ADFS\\bg\\inetmgr.exe | File path | File path for HazyLoad binary\r\n000752074544950ae9020a35ccd77de277f1cd5026b4b9559279dc3b86965eee | SHA-256 | Hash of proxy tool loader\r\nhxxp://147.78.149[.]201:9090/imgr.ico | URL | Staging URL for HazyLoad binary (compromised infrastructure)\r\nhxxp://162.19.71[.]175:7443/bottom.gif | URL | Staging URL for HazyLoad binary (compromised infrastructure)\r\nNOTE: These indicators should not be considered exhaustive for this observed activity.\r\nReferences\r\nFollowing the Lazarus group by tracking DeathNote campaign | Securelist\r\nFurther reading\r\nFor the latest security research from the Microsoft Threat Intelligence community, check out the Microsoft Threat Intelligence Blog: https://aka.ms/threatintelblog.\r\nTo get notified about new publications and to join discussions on social media, follow us on Twitter at https://twitter.com/MsftSecIntel.\r\nSource: https://www.microsoft.com/en-us/security/blog/2023/10/18/multiple-north-korean-threat-actors-exploiting-the-teamcity-cve-2023-42793-vulnerability/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MISPGALAXY",
		"Malpedia",
		"ETDA"
	],
	"references": [
		"https://www.microsoft.com/en-us/security/blog/2023/10/18/multiple-north-korean-threat-actors-exploiting-the-teamcity-cve-2023-42793-vulnerability/"
	],
	"report_names": [
		"multiple-north-korean-threat-actors-exploiting-the-teamcity-cve-2023-42793-vulnerability"
	],
	"threat_actors": [
		{
			"id": "838f6ced-12a4-4893-991a-36d231d96efd",
			"created_at": "2022-10-25T15:50:23.347455Z",
			"updated_at": "2026-04-10T02:00:05.295717Z",
			"deleted_at": null,
			"main_name": "Andariel",
			"aliases": [
				"Andariel",
				"Silent Chollima",
				"PLUTONIUM",
				"Onyx Sleet"
			],
			"source_name": "MITRE:Andariel",
			"tools": [
				"Rifdoor",
				"gh0st RAT"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "34eea331-d052-4096-ae03-a22f1d090bd4",
			"created_at": "2025-08-07T02:03:25.073494Z",
			"updated_at": "2026-04-10T02:00:03.709243Z",
			"deleted_at": null,
			"main_name": "NICKEL ACADEMY",
			"aliases": [
				"ATK3 ",
				"Black Artemis ",
				"COVELLITE ",
				"CTG-2460 ",
				"Citrine Sleet ",
				"Diamond Sleet ",
				"Guardians of Peace",
				"HIDDEN COBRA ",
				"High Anonymous",
				"Labyrinth Chollima ",
				"Lazarus Group ",
				"NNPT Group",
				"New Romanic Cyber Army Team",
				"Temp.Hermit ",
				"UNC577 ",
				"Who Am I?",
				"Whois Team",
				"ZINC "
			],
			"source_name": "Secureworks:NICKEL ACADEMY",
			"tools": [
				"Destover",
				"KorHigh",
				"Volgmer"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "110e7160-a8cc-4a66-8550-f19f7d418117",
			"created_at": "2023-01-06T13:46:38.427592Z",
			"updated_at": "2026-04-10T02:00:02.969896Z",
			"deleted_at": null,
			"main_name": "Silent Chollima",
			"aliases": [
				"Onyx Sleet",
				"PLUTONIUM",
				"OperationTroy",
				"Guardian of Peace",
				"GOP",
				"WHOis Team",
				"Andariel",
				"Subgroup: Andariel"
			],
			"source_name": "MISPGALAXY:Silent Chollima",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "bc6e3644-3249-44f3-a277-354b7966dd1b",
			"created_at": "2022-10-25T16:07:23.760559Z",
			"updated_at": "2026-04-10T02:00:04.741239Z",
			"deleted_at": null,
			"main_name": "Andariel",
			"aliases": [
				"APT 45",
				"Andariel",
				"G0138",
				"Jumpy Pisces",
				"Onyx Sleet",
				"Operation BLACKMINE",
				"Operation BLACKSHEEP/Phase 3.",
				"Operation Blacksmith",
				"Operation DESERTWOLF/Phase 3",
				"Operation GHOSTRAT",
				"Operation GoldenAxe",
				"Operation INITROY/Phase 1",
				"Operation INITROY/Phase 2",
				"Operation Mayday",
				"Operation VANXATM",
				"Operation XEDA",
				"Plutonium",
				"Silent Chollima",
				"Stonefly"
			],
			"source_name": "ETDA:Andariel",
			"tools": [],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "732597b1-40a8-474c-88cc-eb8a421c29f1",
			"created_at": "2025-08-07T02:03:25.087732Z",
			"updated_at": "2026-04-10T02:00:03.776007Z",
			"deleted_at": null,
			"main_name": "NICKEL GLADSTONE",
			"aliases": [
				"APT38 ",
				"ATK 117 ",
				"Alluring Pisces ",
				"Black Alicanto ",
				"Bluenoroff ",
				"CTG-6459 ",
				"Citrine Sleet ",
				"HIDDEN COBRA ",
				"Lazarus Group",
				"Sapphire Sleet ",
				"Selective Pisces ",
				"Stardust Chollima ",
				"T-APT-15 ",
				"TA444 ",
				"TAG-71 "
			],
			"source_name": "Secureworks:NICKEL GLADSTONE",
			"tools": [
				"AlphaNC",
				"Bankshot",
				"CCGC_Proxy",
				"Ratankba",
				"RustBucket",
				"SUGARLOADER",
				"SwiftLoader",
				"Wcry"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "a2b92056-9378-4749-926b-7e10c4500dac",
			"created_at": "2023-01-06T13:46:38.430595Z",
			"updated_at": "2026-04-10T02:00:02.971571Z",
			"deleted_at": null,
			"main_name": "Lazarus Group",
			"aliases": [
				"Operation DarkSeoul",
				"Bureau 121",
				"Group 77",
				"APT38",
				"NICKEL GLADSTONE",
				"G0082",
				"COPERNICIUM",
				"Moonstone Sleet",
				"Operation GhostSecret",
				"APT 38",
				"Appleworm",
				"Unit 121",
				"ATK3",
				"G0032",
				"ATK117",
				"NewRomanic Cyber Army Team",
				"Nickel Academy",
				"Sapphire Sleet",
				"Lazarus group",
				"Hastati Group",
				"Subgroup: Bluenoroff",
				"Operation Troy",
				"Black Artemis",
				"Dark Seoul",
				"Andariel",
				"Labyrinth Chollima",
				"Operation AppleJeus",
				"COVELLITE",
				"Citrine Sleet",
				"DEV-0139",
				"DEV-1222",
				"Hidden Cobra",
				"Bluenoroff",
				"Stardust Chollima",
				"Whois Hacking Team",
				"Diamond Sleet",
				"TA404",
				"BeagleBoyz",
				"APT-C-26"
			],
			"source_name": "MISPGALAXY:Lazarus Group",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "771d9263-076e-4b6e-bd58-92b6555eb739",
			"created_at": "2025-08-07T02:03:25.092436Z",
			"updated_at": "2026-04-10T02:00:03.758541Z",
			"deleted_at": null,
			"main_name": "NICKEL HYATT",
			"aliases": [
				"APT45 ",
				"Andariel",
				"Dark Seoul",
				"Jumpy Pisces ",
				"Onyx Sleet ",
				"RIFLE Campaign",
				"Silent Chollima ",
				"Stonefly ",
				"UN614 "
			],
			"source_name": "Secureworks:NICKEL HYATT",
			"tools": [
				"ActiveX 0-day",
				"DTrack",
				"HazyLoad",
				"HotCriossant",
				"Rifle",
				"UnitBot",
				"Valefor"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "32a223a8-3c79-4146-87c5-8557d38662ae",
			"created_at": "2022-10-25T15:50:23.703698Z",
			"updated_at": "2026-04-10T02:00:05.261989Z",
			"deleted_at": null,
			"main_name": "Lazarus Group",
			"aliases": [
				"Lazarus Group",
				"Labyrinth Chollima",
				"HIDDEN COBRA",
				"Guardians of Peace",
				"NICKEL ACADEMY",
				"Diamond Sleet"
			],
			"source_name": "MITRE:Lazarus Group",
			"tools": [
				"RawDisk",
				"Proxysvc",
				"BADCALL",
				"FALLCHILL",
				"WannaCry",
				"MagicRAT",
				"HOPLIGHT",
				"TYPEFRAME",
				"Dtrack",
				"HotCroissant",
				"HARDRAIN",
				"Dacls",
				"KEYMARBLE",
				"TAINTEDSCRIBE",
				"AuditCred",
				"netsh",
				"ECCENTRICBANDWAGON",
				"AppleJeus",
				"BLINDINGCAN",
				"ThreatNeedle",
				"Volgmer",
				"Cryptoistic",
				"RATANKBA",
				"Bankshot"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "f32df445-9fb4-4234-99e0-3561f6498e4e",
			"created_at": "2022-10-25T16:07:23.756373Z",
			"updated_at": "2026-04-10T02:00:04.739611Z",
			"deleted_at": null,
			"main_name": "Lazarus Group",
			"aliases": [
				"APT-C-26",
				"ATK 3",
				"Appleworm",
				"Citrine Sleet",
				"DEV-0139",
				"Diamond Sleet",
				"G0032",
				"Gleaming Pisces",
				"Gods Apostles",
				"Gods Disciples",
				"Group 77",
				"Guardians of Peace",
				"Hastati Group",
				"Hidden Cobra",
				"ITG03",
				"Jade Sleet",
				"Labyrinth Chollima",
				"Lazarus Group",
				"NewRomanic Cyber Army Team",
				"Operation 99",
				"Operation AppleJeus",
				"Operation AppleJeus sequel",
				"Operation Blockbuster: Breach of Sony Pictures Entertainment",
				"Operation CryptoCore",
				"Operation Dream Job",
				"Operation Dream Magic",
				"Operation Flame",
				"Operation GhostSecret",
				"Operation In(ter)caption",
				"Operation LolZarus",
				"Operation Marstech Mayhem",
				"Operation No Pineapple!",
				"Operation North Star",
				"Operation Phantom Circuit",
				"Operation Sharpshooter",
				"Operation SyncHole",
				"Operation Ten Days of Rain / DarkSeoul",
				"Operation Troy",
				"SectorA01",
				"Slow Pisces",
				"TA404",
				"TraderTraitor",
				"UNC2970",
				"UNC4034",
				"UNC4736",
				"UNC4899",
				"UNC577",
				"Whois Hacking Team"
			],
			"source_name": "ETDA:Lazarus Group",
			"tools": [
				"3CX Backdoor",
				"3Rat Client",
				"3proxy",
				"AIRDRY",
				"ARTFULPIE",
				"ATMDtrack",
				"AlphaNC",
				"Alreay",
				"Andaratm",
				"AngryRebel",
				"AppleJeus",
				"Aryan",
				"AuditCred",
				"BADCALL",
				"BISTROMATH",
				"BLINDINGCAN",
				"BTC Changer",
				"BUFFETLINE",
				"BanSwift",
				"Bankshot",
				"Bitrep",
				"Bitsran",
				"BlindToad",
				"Bookcode",
				"BootWreck",
				"BottomLoader",
				"Brambul",
				"BravoNC",
				"Breut",
				"COLDCAT",
				"COPPERHEDGE",
				"CROWDEDFLOUNDER",
				"Castov",
				"CheeseTray",
				"CleanToad",
				"ClientTraficForwarder",
				"CollectionRAT",
				"Concealment Troy",
				"Contopee",
				"CookieTime",
				"Cyruslish",
				"DAVESHELL",
				"DBLL Dropper",
				"DLRAT",
				"DRATzarus",
				"DRATzarus RAT",
				"Dacls",
				"Dacls RAT",
				"DarkComet",
				"DarkKomet",
				"DeltaCharlie",
				"DeltaNC",
				"Dembr",
				"Destover",
				"DoublePulsar",
				"Dozer",
				"Dtrack",
				"Duuzer",
				"DyePack",
				"ECCENTRICBANDWAGON",
				"ELECTRICFISH",
				"Escad",
				"EternalBlue",
				"FALLCHILL",
				"FYNLOS",
				"FallChill RAT",
				"Farfli",
				"Fimlis",
				"FoggyBrass",
				"FudModule",
				"Fynloski",
				"Gh0st RAT",
				"Ghost RAT",
				"Gopuram",
				"HARDRAIN",
				"HIDDEN COBRA RAT/Worm",
				"HLOADER",
				"HOOKSHOT",
				"HOPLIGHT",
				"HOTCROISSANT",
				"HOTWAX",
				"HTTP Troy",
				"Hawup",
				"Hawup RAT",
				"Hermes",
				"HotCroissant",
				"HotelAlfa",
				"Hotwax",
				"HtDnDownLoader",
				"Http Dr0pper",
				"ICONICSTEALER",
				"Joanap",
				"Jokra",
				"KANDYKORN",
				"KEYMARBLE",
				"Kaos",
				"KillDisk",
				"KillMBR",
				"Koredos",
				"Krademok",
				"LIGHTSHIFT",
				"LIGHTSHOW",
				"LOLBAS",
				"LOLBins",
				"Lazarus",
				"LightlessCan",
				"Living off the Land",
				"MATA",
				"MBRkiller",
				"MagicRAT",
				"Manuscrypt",
				"Mimail",
				"Mimikatz",
				"Moudour",
				"Mydoom",
				"Mydoor",
				"Mytob",
				"NACHOCHEESE",
				"NachoCheese",
				"NestEgg",
				"NickelLoader",
				"NineRAT",
				"Novarg",
				"NukeSped",
				"OpBlockBuster",
				"PCRat",
				"PEBBLEDASH",
				"PLANKWALK",
				"POOLRAT",
				"PSLogger",
				"PhanDoor",
				"Plink",
				"PondRAT",
				"PowerBrace",
				"PowerRatankba",
				"PowerShell RAT",
				"PowerSpritz",
				"PowerTask",
				"Preft",
				"ProcDump",
				"Proxysvc",
				"PuTTY Link",
				"QUICKRIDE",
				"QUICKRIDE.POWER",
				"Quickcafe",
				"QuiteRAT",
				"R-C1",
				"ROptimizer",
				"Ratabanka",
				"RatabankaPOS",
				"Ratankba",
				"RatankbaPOS",
				"RawDisk",
				"RedShawl",
				"Rifdoor",
				"Rising Sun",
				"Romeo-CoreOne",
				"RomeoAlfa",
				"RomeoBravo",
				"RomeoCharlie",
				"RomeoCore",
				"RomeoDelta",
				"RomeoEcho",
				"RomeoFoxtrot",
				"RomeoGolf",
				"RomeoHotel",
				"RomeoMike",
				"RomeoNovember",
				"RomeoWhiskey",
				"Romeos",
				"RustBucket",
				"SHADYCAT",
				"SHARPKNOT",
				"SIGFLIP",
				"SIMPLESEA",
				"SLICKSHOES",
				"SORRYBRUTE",
				"SUDDENICON",
				"SUGARLOADER",
				"SheepRAT",
				"SierraAlfa",
				"SierraBravo",
				"SierraCharlie",
				"SierraJuliett-MikeOne",
				"SierraJuliett-MikeTwo",
				"SimpleTea",
				"SimplexTea",
				"SmallTiger",
				"Stunnel",
				"TAINTEDSCRIBE",
				"TAXHAUL",
				"TFlower",
				"TOUCHKEY",
				"TOUCHMOVE",
				"TOUCHSHIFT",
				"TOUCHSHOT",
				"TWOPENCE",
				"TYPEFRAME",
				"Tdrop",
				"Tdrop2",
				"ThreatNeedle",
				"Tiger RAT",
				"TigerRAT",
				"Trojan Manuscript",
				"Troy",
				"TroyRAT",
				"VEILEDSIGNAL",
				"VHD",
				"VHD Ransomware",
				"VIVACIOUSGIFT",
				"VSingle",
				"ValeforBeta",
				"Volgmer",
				"Vyveva",
				"W1_RAT",
				"Wana Decrypt0r",
				"WanaCry",
				"WanaCrypt",
				"WanaCrypt0r",
				"WannaCry",
				"WannaCrypt",
				"WannaCryptor",
				"WbBot",
				"Wcry",
				"Win32/KillDisk.NBB",
				"Win32/KillDisk.NBC",
				"Win32/KillDisk.NBD",
				"Win32/KillDisk.NBH",
				"Win32/KillDisk.NBI",
				"WinorDLL64",
				"Winsec",
				"WolfRAT",
				"Wormhole",
				"YamaBot",
				"Yort",
				"ZetaNile",
				"concealment_troy",
				"http_troy",
				"httpdr0pper",
				"httpdropper",
				"klovbot",
				"sRDI"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434601,
	"ts_updated_at": 1775792299,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/0ce1eae63e681b49a35d3d50bcf5b34100b0272f.pdf",
		"text": "https://archive.orkl.eu/0ce1eae63e681b49a35d3d50bcf5b34100b0272f.txt",
		"img": "https://archive.orkl.eu/0ce1eae63e681b49a35d3d50bcf5b34100b0272f.jpg"
	}
}