{
	"id": "f3916a92-2fe0-4309-ab7e-e9c3479632c6",
	"created_at": "2026-04-06T00:09:37.50257Z",
	"updated_at": "2026-04-10T13:11:20.65741Z",
	"deleted_at": null,
	"sha1_hash": "1da69d02f58b3fe5d89fab7cf5cbb09ad86fbee1",
	"title": "Andariel Group Exploiting Korean Asset Management Solutions (MeshAgent)",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 722926,
	"plain_text": "Andariel Group Exploiting Korean Asset Management Solutions\r\n(MeshAgent)\r\nBy ATCP\r\nPublished: 2024-03-10 · Archived: 2026-04-05 20:46:46 UTC\r\nAhnLab SEcurity intelligence Center (ASEC) recently discovered the Andariel group’s continuous attacks on Korean companies. It is notable that installations of MeshAgent were found in some cases. Threat actors often exploit MeshAgent along with other similar remote management tools because it offers diverse remote control features.\r\nThe Andariel group exploited Korean asset management solutions to install malware such as AndarLoader and ModeLoader, the malware used in the previous cases. Starting with Innorix Agent in the past, the group has been continually exploiting Korean asset management solutions to distribute their malware during the lateral movement phase [1] [2].\r\n1. AndarLoader\r\nThe ASEC team previously introduced AndarLoader in the past blog article “Analysis of Andariel’s New Attack Activities” [3]. AndarLoader looks similar to Andardoor, found in attack cases that exploited Innorix Agent, but unlike Andardoor, which has most of the backdoor features (executing commands received from the C\u0026C server) implemented in the binary, AndarLoader is a downloader that downloads executable data such as .NET assemblies and runs them in memory.\r\nCommand | Feature\r\nalibaba | Run downloaded .NET assembly\r\nfacebook | Run downloaded .NET method\r\nexit | Terminate\r\nvanish | Self-delete and terminate\r\nTable 1. AndarLoader’s command list\r\nUnlike the previous type, which was obfuscated using the Dotfuscator tool, the AndarLoader found this time was obfuscated using KoiVM. As the strings it uses are decrypted during execution, strings identical to the ones in the past AndarLoader can be found. Note that the current AndarLoader uses the “sslClient” string when connecting to the C\u0026C server, like the AndarLoader found in previous attacks.\r\nhttps://asec.ahnlab.com/en/63192/\r\nPage 1 of 8\r\nFigure 1. AndarLoader’s command list\r\n2. MeshAgent\r\nMeshAgent can collect basic system information required for remote management and provides features such as power and account management, chat or message pop-ups, file upload and download, and command execution. It also provides web-based remote desktop features such as RDP and VNC. Users typically use this tool to use and manage their systems remotely, but these are features that threat actors can readily abuse.\r\nThere have been actual cases in which threat actors used MeshAgent to remotely control their victims’ screens [4]. This is the first time the Andariel group has used MeshAgent; it was downloaded from an external source with the name “fav.ico”.\r\nFigure 2. Logs of MeshAgent installation\r\nFigure 3. Behavior logs of MeshAgent discovered by AhnLab’s ASD infrastructure\r\nThe malware was not collected, but the team found the following C\u0026C server, as the MeshAgent server was active at the time.\r\nFigure 4. The C\u0026C server of MeshAgent\r\n3. ModeLoader\r\nModeLoader is a JavaScript malware that the Andariel group has been using for a long time. Instead of being generated as a file, it is downloaded from an external source via Mshta and executed. One of our previous blog posts showed the behavior recorded in an ASD log.\r\nFigure 5. ModeLoader found in a past case\r\nThe threat actors mainly exploit asset management solutions to execute the Mshta command that downloads ModeLoader. When the following command is run, ModeLoader is downloaded and executed via the Mshta process, and it regularly attempts to establish communication with the C\u0026C server.\r\nFigure 6. ModeLoader installation command discovered by AhnLab’s ASD infrastructure\r\nModeLoader is developed in JavaScript and obfuscated, but it provides a simple feature. It regularly connects to the C\u0026C server (modeRead.php), receives Base64-encoded commands, executes them, and sends the results to the C\u0026C server (modeWrite.php).\r\nFigure 7. ModeLoader that receives commands from the C\u0026C server\r\nThe threat actors appear to have used ModeLoader to install additional malware from the outside. Using the commands below, AndarLoader was installed as “SVPNClientW.exe” in %SystemDirectory% and executed.\r\n\u003e cmd.exe /c tasklist\r\n\u003e cmd.exe /c c:\\windows\\system32\\SVPN*\r\n4. Other Malware Attack Cases\r\nAfter using a backdoor such as AndarLoader and ModeLoader to take control of the infected systems, the threat actors installed Mimikatz and attempted to steal the credentials inside the systems. Since plaintext passwords from the WDigest security package cannot be obtained in recent Windows environments, the command that sets the UseLogonCredential registry key is found alongside it. The threat actors also used AndarLoader to execute the “wevtutil cl security” command and delete the security event logs of the infected systems.\r\nThe shared characteristic of the attacks that belong to the attack campaign found this time is that they are found along with a keylogger. The malware provides not only a keylogging feature but also clipboard logging, and it records the keylogged data and the data copied to the clipboard in “C:\\Users\\Public\\game.db”.\r\nFigure 8. Keylogger used in the attacks\r\nThe Andariel group installed a backdoor as the Kimsuky group did, took control of the infected systems, and performed additional tasks to remotely take control of their victims’ screens. To establish remote control, they installed MeshAgent as mentioned above, but also used RDP in some cases, and the command to activate the RDP service was also found. Although files were not found, the threat actors are likely using fRPC in their attacks in an attempt to access infected systems located in private networks via RDP.\r\nFigure 9. The command that activates the RDP service\r\nFigure 10. The Frpc execution logs\r\n5. Conclusion\r\nAlong with Kimsuky and Lazarus, the Andariel group is one of the threat actor groups most actively targeting South Korea. In its early days the group mainly attacked its victims to obtain information related to security, but its attacks eventually aimed at gaining financial profit. The Andariel group is known to use attacks such as spear phishing and watering hole attacks, and to exploit software vulnerabilities to kick-start initial access. There have also been cases in which the group exploited installed software or utilized vulnerability attacks to distribute their malware.\r\nUsers must take extra caution when downloading attachments of emails from unknown sources or running executable files from unidentified websites. Corporate security administrators must upgrade the monitoring capacity of asset management solutions and apply updates if software security vulnerabilities are found. Users should also apply the latest patches for the OS and programs such as internet browsers and update V3 to the latest version to prevent malware infection in advance.\r\nFile Detection\r\n– Backdoor/JS.ModeLoader.SC197310 (2024.03.01.00)\r\n– Trojan/Win.Generic.C5384741 (2023.02.19.01)\r\n– Trojan/Win.KeyLogger.C5542383 (2023.11.16.01)\r\n– Trojan/Win32.RL_Mimikatz.R366782 (2021.02.18.01)\r\nBehavior Detection\r\n– CredentialAceess/MDP.Mimikatz.M4367\r\nMD5\r\n29efd64dd3c7fe1e2b022b7ad73a1ba5\r\n2c69c4786ce663e58a3cc093c6d5b530\r\n4f1b1124e34894398aa423200a8ab894\r\na714b928bbc7cd480fed85e379966f95\r\nAdditional IOCs are available on AhnLab TIP.\r\nURL\r\nhttp[:]//panda[.]ourhome[.]o-r[.]kr/modeRead[.]php\r\nhttp[:]//panda[.]ourhome[.]o-r[.]kr/modeView[.]php\r\nhttp[:]//panda[.]ourhome[.]o-r[.]kr/view[.]php\r\nhttp[:]//www[.]ipservice[.]kro[.]kr/index[.]php\r\nhttp[:]//www[.]ipservice[.]kro[.]kr/modeRead[.]php\r\nIP\r\n84[.]38[.]129[.]21\r\nGain access to related IOCs and detailed analysis by subscribing to AhnLab TIP.\r\nSource: https://asec.ahnlab.com/en/63192/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://asec.ahnlab.com/en/63192/"
	],
	"report_names": [
		"63192"
	],
	"threat_actors": [
		{
			"id": "838f6ced-12a4-4893-991a-36d231d96efd",
			"created_at": "2022-10-25T15:50:23.347455Z",
			"updated_at": "2026-04-10T02:00:05.295717Z",
			"deleted_at": null,
			"main_name": "Andariel",
			"aliases": [
				"Andariel",
				"Silent Chollima",
				"PLUTONIUM",
				"Onyx Sleet"
			],
			"source_name": "MITRE:Andariel",
			"tools": [
				"Rifdoor",
				"gh0st RAT"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "110e7160-a8cc-4a66-8550-f19f7d418117",
			"created_at": "2023-01-06T13:46:38.427592Z",
			"updated_at": "2026-04-10T02:00:02.969896Z",
			"deleted_at": null,
			"main_name": "Silent Chollima",
			"aliases": [
				"Onyx Sleet",
				"PLUTONIUM",
				"OperationTroy",
				"Guardian of Peace",
				"GOP",
				"WHOis Team",
				"Andariel",
				"Subgroup: Andariel"
			],
			"source_name": "MISPGALAXY:Silent Chollima",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "191d7f9a-8c3c-442a-9f13-debe259d4cc2",
			"created_at": "2022-10-25T15:50:23.280374Z",
			"updated_at": "2026-04-10T02:00:05.305572Z",
			"deleted_at": null,
			"main_name": "Kimsuky",
			"aliases": [
				"Kimsuky",
				"Black Banshee",
				"Velvet Chollima",
				"Emerald Sleet",
				"THALLIUM",
				"APT43",
				"TA427",
				"Springtail"
			],
			"source_name": "MITRE:Kimsuky",
			"tools": [
				"Troll Stealer",
				"schtasks",
				"Amadey",
				"GoBear",
				"Brave Prince",
				"CSPY Downloader",
				"gh0st RAT",
				"AppleSeed",
				"Gomir",
				"NOKKI",
				"QuasarRAT",
				"Gold Dragon",
				"PsExec",
				"KGH_SPY",
				"Mimikatz",
				"BabyShark",
				"TRANSLATEXT"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "bc6e3644-3249-44f3-a277-354b7966dd1b",
			"created_at": "2022-10-25T16:07:23.760559Z",
			"updated_at": "2026-04-10T02:00:04.741239Z",
			"deleted_at": null,
			"main_name": "Andariel",
			"aliases": [
				"APT 45",
				"Andariel",
				"G0138",
				"Jumpy Pisces",
				"Onyx Sleet",
				"Operation BLACKMINE",
				"Operation BLACKSHEEP/Phase 3.",
				"Operation Blacksmith",
				"Operation DESERTWOLF/Phase 3",
				"Operation GHOSTRAT",
				"Operation GoldenAxe",
				"Operation INITROY/Phase 1",
				"Operation INITROY/Phase 2",
				"Operation Mayday",
				"Operation VANXATM",
				"Operation XEDA",
				"Plutonium",
				"Silent Chollima",
				"Stonefly"
			],
			"source_name": "ETDA:Andariel",
			"tools": [],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "760f2827-1718-4eed-8234-4027c1346145",
			"created_at": "2023-01-06T13:46:38.670947Z",
			"updated_at": "2026-04-10T02:00:03.062424Z",
			"deleted_at": null,
			"main_name": "Kimsuky",
			"aliases": [
				"G0086",
				"Emerald Sleet",
				"THALLIUM",
				"Springtail",
				"Sparkling Pisces",
				"Thallium",
				"Operation Stolen Pencil",
				"APT43",
				"Velvet Chollima",
				"Black Banshee"
			],
			"source_name": "MISPGALAXY:Kimsuky",
			"tools": [
				"xrat",
				"QUASARRAT",
				"RDP Wrapper",
				"TightVNC",
				"BabyShark",
				"RevClient"
			],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "c8bf82a7-6887-4d46-ad70-4498b67d4c1d",
			"created_at": "2025-08-07T02:03:25.101147Z",
			"updated_at": "2026-04-10T02:00:03.846812Z",
			"deleted_at": null,
			"main_name": "NICKEL KIMBALL",
			"aliases": [
				"APT43 ",
				"ARCHIPELAGO ",
				"Black Banshee ",
				"Crooked Pisces ",
				"Emerald Sleet ",
				"ITG16 ",
				"Kimsuky ",
				"Larva-24005 ",
				"Opal Sleet ",
				"Ruby Sleet ",
				"SharpTongue ",
				"Sparking Pisces ",
				"Springtail ",
				"TA406 ",
				"TA427 ",
				"THALLIUM ",
				"UAT-5394 ",
				"Velvet Chollima "
			],
			"source_name": "Secureworks:NICKEL KIMBALL",
			"tools": [
				"BabyShark",
				"FastFire",
				"FastSpy",
				"FireViewer",
				"Konni"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "3fff98c9-ad02-401d-9d4b-f78b5b634f31",
			"created_at": "2023-01-06T13:46:38.376868Z",
			"updated_at": "2026-04-10T02:00:02.949077Z",
			"deleted_at": null,
			"main_name": "Cleaver",
			"aliases": [
				"G0003",
				"Operation Cleaver",
				"Op Cleaver",
				"Tarh Andishan",
				"Alibaba",
				"TG-2889",
				"Cobalt Gypsy"
			],
			"source_name": "MISPGALAXY:Cleaver",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "a2b92056-9378-4749-926b-7e10c4500dac",
			"created_at": "2023-01-06T13:46:38.430595Z",
			"updated_at": "2026-04-10T02:00:02.971571Z",
			"deleted_at": null,
			"main_name": "Lazarus Group",
			"aliases": [
				"Operation DarkSeoul",
				"Bureau 121",
				"Group 77",
				"APT38",
				"NICKEL GLADSTONE",
				"G0082",
				"COPERNICIUM",
				"Moonstone Sleet",
				"Operation GhostSecret",
				"APT 38",
				"Appleworm",
				"Unit 121",
				"ATK3",
				"G0032",
				"ATK117",
				"NewRomanic Cyber Army Team",
				"Nickel Academy",
				"Sapphire Sleet",
				"Lazarus group",
				"Hastati Group",
				"Subgroup: Bluenoroff",
				"Operation Troy",
				"Black Artemis",
				"Dark Seoul",
				"Andariel",
				"Labyrinth Chollima",
				"Operation AppleJeus",
				"COVELLITE",
				"Citrine Sleet",
				"DEV-0139",
				"DEV-1222",
				"Hidden Cobra",
				"Bluenoroff",
				"Stardust Chollima",
				"Whois Hacking Team",
				"Diamond Sleet",
				"TA404",
				"BeagleBoyz",
				"APT-C-26"
			],
			"source_name": "MISPGALAXY:Lazarus Group",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "771d9263-076e-4b6e-bd58-92b6555eb739",
			"created_at": "2025-08-07T02:03:25.092436Z",
			"updated_at": "2026-04-10T02:00:03.758541Z",
			"deleted_at": null,
			"main_name": "NICKEL HYATT",
			"aliases": [
				"APT45 ",
				"Andariel",
				"Dark Seoul",
				"Jumpy Pisces ",
				"Onyx Sleet ",
				"RIFLE Campaign",
				"Silent Chollima ",
				"Stonefly ",
				"UN614 "
			],
			"source_name": "Secureworks:NICKEL HYATT",
			"tools": [
				"ActiveX 0-day",
				"DTrack",
				"HazyLoad",
				"HotCriossant",
				"Rifle",
				"UnitBot",
				"Valefor"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "71a1e16c-3ba6-4193-be62-be53527817bc",
			"created_at": "2022-10-25T16:07:23.753455Z",
			"updated_at": "2026-04-10T02:00:04.73769Z",
			"deleted_at": null,
			"main_name": "Kimsuky",
			"aliases": [
				"APT 43",
				"Black Banshee",
				"Emerald Sleet",
				"G0086",
				"G0094",
				"ITG16",
				"KTA082",
				"Kimsuky",
				"Larva-24005",
				"Larva-25004",
				"Operation Baby Coin",
				"Operation Covert Stalker",
				"Operation DEEP#DRIVE",
				"Operation DEEP#GOSU",
				"Operation Kabar Cobra",
				"Operation Mystery Baby",
				"Operation Red Salt",
				"Operation Smoke Screen",
				"Operation Stealth Power",
				"Operation Stolen Pencil",
				"SharpTongue",
				"Sparkling Pisces",
				"Springtail",
				"TA406",
				"TA427",
				"Thallium",
				"UAT-5394",
				"Velvet Chollima"
			],
			"source_name": "ETDA:Kimsuky",
			"tools": [
				"AngryRebel",
				"AppleSeed",
				"BITTERSWEET",
				"BabyShark",
				"BoBoStealer",
				"CSPY Downloader",
				"Farfli",
				"FlowerPower",
				"Gh0st RAT",
				"Ghost RAT",
				"Gold Dragon",
				"GoldDragon",
				"GoldStamp",
				"JamBog",
				"KGH Spyware Suite",
				"KGH_SPY",
				"KPortScan",
				"KimJongRAT",
				"Kimsuky",
				"LATEOP",
				"LOLBAS",
				"LOLBins",
				"Living off the Land",
				"Lovexxx",
				"MailPassView",
				"Mechanical",
				"Mimikatz",
				"MoonPeak",
				"Moudour",
				"MyDogs",
				"Mydoor",
				"Network Password Recovery",
				"PCRat",
				"ProcDump",
				"PsExec",
				"ReconShark",
				"Remote Desktop PassView",
				"SHARPEXT",
				"SWEETDROP",
				"SmallTiger",
				"SniffPass",
				"TODDLERSHARK",
				"TRANSLATEXT",
				"Troll Stealer",
				"TrollAgent",
				"VENOMBITE",
				"WebBrowserPassView",
				"xRAT"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434177,
	"ts_updated_at": 1775826680,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/1da69d02f58b3fe5d89fab7cf5cbb09ad86fbee1.pdf",
		"text": "https://archive.orkl.eu/1da69d02f58b3fe5d89fab7cf5cbb09ad86fbee1.txt",
		"img": "https://archive.orkl.eu/1da69d02f58b3fe5d89fab7cf5cbb09ad86fbee1.jpg"
	}
}