{
	"id": "e6a9be54-2fb8-4432-9448-28d103e119a9",
	"created_at": "2026-04-06T00:10:17.464302Z",
	"updated_at": "2026-04-10T13:12:50.780908Z",
	"deleted_at": null,
	"sha1_hash": "300cd46b5e5a3d24e13f3a24293e336393753472",
	"title": "Assessed Cyber Structure and Alignments of North Korea in 2023 | Mandiant",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 2435633,
	"plain_text": "Assessed Cyber Structure and Alignments of North Korea in 2023 | Mandiant\r\nBy Mandiant\r\nPublished: 2023-10-10 · Archived: 2026-04-05 22:20:31 UTC\r\nWritten by: Michael Barnhart, Austin Larsen, Jeff Johnson, Taylor Long, Michelle Cantos, Adrian Hernandez\r\nExecutive Summary\r\nThe DPRK’s offensive program continues to evolve, showing that the regime is determined to continue using cyber intrusions to conduct both espionage and financial crime, to project power, and to finance both its cyber and kinetic capabilities.\r\nThe latest DPRK-nexus operations hint at an increase in adaptability and complexity, including a cascading software supply chain attack seen for the first time, and consistent targeting of the blockchain and fintech verticals.\r\nWhile different threat groups share tooling and code, North Korean threat activity continues to adapt and change to build tailored malware for different platforms, including Linux and macOS.\r\nMandiant’s continuous monitoring of DPRK-aligned malicious cyber actors highlights a significant multiyear shift and blend in the country’s cyber posture.\r\nOverlaps in targeting and shared tooling muddle attribution attempts for investigators while streamlining adversarial activities.\r\nHistorical examples of activity and uncategorized clustering represent a way forward for maintaining visibility on separate groups.\r\nSummation of North Korea’s Cyber Program\r\nHistorically, Mandiant has made assessments on the Democratic People’s Republic of Korea’s (DPRK) cyber program based on Mandiant responses to intrusions, defector accounts, and OSINT reporting, in conjunction with government disclosures of DPRK units and motivation information. 
These assessments were generalizations, and as new activity, such as cryptocurrency-focused units, emerged, it blended the efforts of DPRK-aligned cyber operators, and updates were needed for the now historic chart seen in Figure 1.\r\nhttps://cloud.google.com/blog/topics/threat-intelligence/north-korea-cyber-structure-alignment-2023\r\nPage 1 of 16\n\nFigure 1: Previously assessed DPRK cyber organizational chart for 2020\r\nSince 2009, the DPRK cyber landscape has changed tremendously, and overlapping indicators, which would traditionally be tracked individually to these separate organizations, seemingly signal a growing adaptability and collaboration between the threat actors. Instances of overlap and “sharing” of tools and targeting, which are detailed throughout this product, have occurred in the past, but the 2020 COVID-19 pandemic marked a significant shift in DPRK’s operations.\r\nPrior to the pandemic, the following groups and their assessed unit alignments represented the overarching DPRK cyber organization:\r\nUNC614 (Andariel) – Reconnaissance General Bureau (RGB)\r\nAPT37 – Ministry of State Security (MSS)\r\nAPT38 – RGB\r\nAPT43 – RGB (publicly referred to as Kimsuky)\r\nTEMP.Hermit – RGB\r\nIT Workers – Workers’ Party of Korea (KWP)\r\nDPRK conducts offensive operations relying on its military units and proxies located inside and outside the Peninsula; however, the regime was forced to modify its operations in 2020 as the COVID-19 pandemic hardened borders around the world, most notably within the Korean Peninsula and China.\r\nIt is assessed that an unknown number of DPRK operators were cut off from the support of the regime during this period, as Mandiant observed signs of “self-funding” operations grow, such as the publicly reported ransomware activities of the Andariel group involving MAUI and 
HolyGh0st ransomware. This is also known as Ransomware as a Service (RaaS), such as LockBit 2.0 or Ryuk, and the cryptocurrency theft activities of APT43.\r\nDuring this same time, Mandiant began discovering campaigns that indicated newly assembled groups, or task forces, consisting of tooling and suspected personnel from multiple groups, were being created. One such suspected operation was a temporary, COVID-19-focused grouping of clusters active during the pandemic that targeted healthcare and research entities investigating COVID-19 treatments.\r\nThese operations had overlaps with APT43 and TEMP.Hermit activities, as well as an unverified link to Andariel, signaling an unprecedented shift in collaborations. We believe that this reflected an increase in adaptability among the threat actors, moving resources to these task force-like groups in moments of necessity, much like the level of organization seen in very mature cyber threat groups such as Chinese APTs. Tracking APT43 actors during this time proved difficult, as tactics and tooling from the threat actors were utilized both for efforts supporting the nuclear and strategic policy Priority Intelligence Requirements (PIRs) and for new PIRs regarding COVID-19 vaccine information. 
Mandiant assesses that DPRK’s cyber organizational structure, post-pandemic, likely resembles Figure 2.\r\nFigure 2: New organizational chart factoring in evolved, overlapped groups and removing Bureau alignment due to the fluid realignment of DPRK cyber organizations\r\nCurrent Assessment\r\nBased on the history and the details that follow, Mandiant assesses that the DPRK’s cyber landscape has evolved into a streamlined organization with shared tooling and targeting efforts.\r\nOperators within these units quickly change their current focus and begin working on separate, unrelated efforts such as ransomware, collecting information on conventional weapons, nuclear entity targeting, and blockchain and fintech targeting efforts, among various others. This flexible approach to tasking makes it difficult for defenders to track, attribute, and thwart malicious activities, while enabling this now collaborative adversary to move stealthily with greater speed and adaptability.\r\nThe level of shared targeting and tooling leads Mandiant to believe that shifts are continuing to occur throughout all parts of the DPRK’s cyber apparatus. Investigations regarding the cooperation between groups not assessed to be RGB continue to produce information, but the details are still largely unknown.\r\nAt this time, it is unknown whether APT37 remains focused on MSS intelligence requirements or if its priorities have shifted. Throughout 2023, APT37 has increased activity, targeting a variety of victims, some of which align with our current understanding of MSS PIRs, while others do not. 
The MSS role in monitoring business dealings with the North Korean government and defectors, or entities outside of the country, suggests it is likely that the MSS would have some involvement in supervision of the forward-deployed IT workers.\r\nIn late March 2023, public reporting described the exposure of a suspected APT37 GitHub repository containing samples, files, and additional tooling. The repository is reportedly linked to one member of APT37 and has been used for staging infrastructure since at least 2021.\r\nThe decoy documents and files identified in the repository covered a variety of themes, but appeared to be focused on organizations in the education, government, and financial sectors. Many of the victims and targets appear to be based in South Korea, based on the usage of HWP files and themes.\r\nAdditionally, several of the documents focused on resumes, CVs, and references, which may be leveraged to apply to various job openings or used to target journalists. This is prominent activity that Mandiant has observed several other actors, like APT43, conducting.\r\nIn February 2023, open-source reporting identified APT37 allegedly disguising malware as a password file and distributing it as a compressed file. 
Open-source reporting mentions LOGCABIN as the delivered payload, a malware family Mandiant attributes to APT43.\r\nAlso in March, Mandiant responded to a series of North Korean operations we track as UNC4736 (which overlaps with public AppleJeus reporting) that leveraged software supply chain attacks against 3CX and Trading Technologies to steal credentials and gain access to multiple networks.\r\nThe UNC4736 supply chain attacks were sophisticated and involved the use of a variety of tools, including both open source projects, such as DAVESHELL and SIGFLIP, and custom malware with more advanced capabilities.\r\nIn July 2023, Mandiant responded to additional North Korea-nexus supply chain attacks, this time tracked as UNC4899. We believe this activity was likely conducted by the same actor that has been publicly reported as TraderTraitor. Both UNC4899 and UNC4736 operations show a high level of sophistication and consistency in targeting supply chain providers as a means to gain access to arbitrary networks, expanding the potential foothold of their operators so that they can select networks of interest.\r\nThese most recent events suggest that DPRK operations may be evolving towards more aggressive and broader intrusions, and that these threat actors are able to conduct multiple intrusions into multiple networks by leveraging the supply chain vector.\r\nCurrent Groups\r\nMandiant maintains, tracks, and reports campaign history on North Korea’s offensive cyber operations. The following are the most prevalent groups Mandiant currently tracks, along with a brief summary of each threat group and its primary targeting priority or priorities. Note: The groups that follow are referred to with their Mandiant designations (UNC numbers) alongside the names that have been used publicly to identify activity we attribute to the underlying group. 
While we believe that these definitions are largely congruent, differences in visibility and analytic tradecraft mean that an exact match is unlikely.\r\nAndariel (UNC614): This actor targets foreign businesses, government agencies, financial services infrastructure, private corporations, and the defense industry. UNC614 also engages in cyber crime as an extra source of income to fund its operations, including the ransoming of hospitals using its own ransomware dubbed MAUI. However, its primary focus is on targeting military and government personnel.\r\nThis cyber group stands apart from the other DPRK-aligned groups and typically does not engage in the blending of tools and targets that the others may do. Some groups have espionage and financial focuses, but Andariel is tasked to acquire information to “build” weapons of mass destruction or research and development programs in other targeted fields, like pharmaceuticals.\r\nThe targeting trends, such as nuclear, aerospace, high-heat molds, etc., and the overall successful compromises of this actor make it quite possibly the scariest of all the DPRK-affiliated groups.\r\nPrimary targeting: Defense, Aerospace, Healthcare (when self-funding operations), Nuclear\r\nTEMP.Hermit: TEMP.Hermit is an actor that has been active since at least 2013. Its operations since that time are representative of Pyongyang's efforts to collect strategic intelligence to benefit North Korean interests. This actor targets government, defense, telecommunications, and financial institutions worldwide, and the term “Lazarus Group” refers most often to this cluster of activities. AppleJeus maintains overlap with this organization, but TEMP.Hermit’s targeting continues to focus on espionage-related activities rather than on cryptocurrency.\r\nPrimary targeting: Government, Defense, Telecommunications\r\nAppleJeus (UNC1720): A threat group that has been active since at least 2018. 
It is assessed to primarily target the cryptocurrency industry with the goal of stealing digital assets to fund the regime’s priorities. The group uses a variety of tactics, including spear-phishing emails and fake cryptocurrency trading software, to infiltrate target systems and steal cryptocurrency. Like TraderTraitor, this crypto-focused group appeared to emerge after the notoriety that came with the Bangladesh heist and the issues with stealing and laundering traditional currency. This group’s tools overlap with TEMP.Hermit, but it is not focused on the same targeting profiles, potentially indicating shared resources.\r\nPrimary targeting: Cryptocurrency\r\nAPT37: APT37's assessed primary mission is covert intelligence gathering in support of DPRK's strategic military, political, and economic interests. The group has been observed targeting a wide range of industries, primarily in South Korea. This organization is most closely aligned with the efforts of the MSS, and its overarching cyber activities highlight the monitoring of defectors abroad and foreign elements interacting with DPRK.\r\nPrimary targeting: Defectors, Governments\r\nAPT38: APT38 is a financially motivated group, known for significant financial compromises and its use of destructive malware against financial institutions. The group has been attributed to sophisticated compromises targeting interbank fund transfer systems to steal millions of dollars at a time across multiple countries worldwide. Current activity from this group is conducted by associated subgroups. 
Mandiant identified a long hiatus of activity attributed to APT38, which may be indicative of modifications and regrouping of APT38 operators into other units aligned with new priorities and needs.\r\nPrimary targeting: Financials\r\nAPT43: APT43 is a prolific cyber operator that directly supports the intelligence gathering interests of the North Korean regime. The group combines moderately sophisticated technical capabilities with aggressive social engineering tactics, especially against South Korean and US-based government organizations, academics, and think tanks focused on Korean Peninsula geopolitical issues.\r\nThis organization acts as an intelligence arm and seeming embassy replacement for the RGB and DPRK leadership writ large.\r\nPrimary targeting: Governments, Nuclear, Foreign Relations\r\nCryptoCore (UNC1069): A threat actor that has been active since at least 2018. UNC1069 is a cryptocurrency-focused group that may include individuals or units previously tracked as APT38, and while it has minor overlaps with APT43, we believe it is distinct. UNC1069 has targeted a variety of financial services firms and cryptocurrency exchanges, commonly employing spear-phishing techniques that result in LONEJOGGER malware infections. This organization appears to maintain a revenue generation priority, like the overarching APT38 subunits, though on a much smaller financial scale.\r\nPrimary targeting: Financials, Cryptocurrency\r\nHybrid Operations: Mandiant has observed operations that include tactics and tools from multiple groups, which suggests that in certain cases, operations may be undertaken by multiple groups that fluidly perform ad hoc tasks in support of another group, or due to temporary tasking. 
This is consistent with public reporting that identified a group that aligns with an alleged RGB Bureau, designated ‘325’, which was publicly announced in January 2021, when the structure of the RGB likely shifted in response to the COVID-19 pandemic.\r\nMandiant assesses that UNC2226 is one of the collections of activity supporting the aforementioned mission. UNC2226, like other seemingly ad hoc efforts, appears to have changed or even expanded its targeting to fulfill intelligence gathering requirements. Other clusters, such as UNC3782, have a similar composition and are focused on cryptocurrency theft among other seemingly ad hoc tasks.\r\nThe operations initially appeared to focus almost exclusively on intelligence gathering against COVID-19 research and vaccine development and manufacturing organizations. Over time, Mandiant perceived these operations shift from strictly COVID-19 efforts to the targeting of defectors, defense and government entities, bloggers, media, cryptocurrency services, and financial institutions.\r\nIT Workers: DPRK’s IT workers, who, according to the US Treasury Department, primarily fall under the KWP’s Munitions Industry Department, are made up of thousands of highly skilled IT workers from North Korea. They are reportedly deployed both domestically and abroad to generate revenue and finance the country's weapons of mass destruction and ballistic missile programs. These workers acquire freelance contracts from clients around the world and sometimes pretend to be based in the US or other countries to secure employment. Although they mainly engage in legitimate IT work, they have misused their access to enable malicious cyber intrusions carried out by North Korea.\r\nTraderTraitor (UNC4899): TraderTraitor targets blockchain companies through spear-phishing messages. 
The group sends these messages to employees, particularly those in system administration or software development roles, on various communication platforms, intending to gain access to these start-up and high-tech companies. TraderTraitor may be the work of operators previously responsible for APT38 activity.\r\nPrimary targeting: Cryptocurrency\r\nOverlaps Emerge Over Time\r\nAPT38, Andariel, and TEMP.Hermit have historically been closely associated with each other and are assessed to be within the RGB. Sharing of resources is believed to be within the normal course of business for select factions that are likely in close proximity in Sinuiju, DPRK. However, the spike in overlapping infrastructure and tooling between these and other groups, such as APT43, in addition to targeting overlaps amongst all groups, signals a shift in the DPRK cyber landscape. We believe that operators within North Korea may be co-located, or even sharing workstations, which can complicate attribution, as traditional tracking can potentially become misleading.\r\nProcurement of infrastructure and domain registrants are also likely shared, further complicating clustering. For example, at the onset of the pandemic, Mandiant observed APT43 operations focusing on nuclear espionage and on COVID-19 treatment espionage. 
Andariel operators are now observed using the same infrastructure for exfiltration of pharmaceutical research and development, along with weapons development.\r\nCryptocurrency-Related Activity\r\nThe following have been observed as part of DPRK cyber operators’ cryptocurrency usage and targeting:\r\nCryptocurrency usage in ransomware operations\r\nCryptocurrency usage in hash rentals, self-funding of own operations\r\nCryptocurrency themes used as lures and in weaponized documents\r\nTheft of cryptocurrency from wallets, targeting of cross-chain bridges (Axie Infinity), targeting of cross-chain bridges (Harmony), etc.\r\nAll assessed RGB-aligned groups maintain at least some interest in the cryptocurrency industry. Andariel and APT43 appear to have the least amount of focus on cryptocurrency efforts and have been identified using it primarily as a means to an operational end.\r\nAPT43 has targeted cryptocurrency and cryptocurrency-related services, using crafty and stealthy techniques to fund and sustain its own operations. Mandiant identified APT43 using cryptocurrency services to launder stolen currency. 
Associated activity included identified payment methods, aliases, and addresses used for purchases.\r\nAPT43 operators also likely used hash rental and cloud mining services to launder stolen cryptocurrency into clean cryptocurrency.\r\nFor a fee, these hash rental and cloud mining services provide hash power, which is used to mine cryptocurrency to a wallet selected by the buyer without any blockchain-based association to the buyer's original payments.\r\nSeveral payment methods were used for infrastructure and hardware purchases, including PayPal, American Express cards, and Bitcoin likely derived from previous operations.\r\nThroughout 2022, Mandiant identified Andariel using ransomware campaigns to fund additional malicious activity, especially cyber espionage operations. These activities are part of a larger ecosystem of money-making schemes, including cryptocurrency targeting and freelancing work. The shift to ransomware to fund operations highlights the isolation of some groups from the rest of the regime, and the pressure to self-fund their operations.\r\nMandiant observed DPRK conducting a large-scale cryptocurrency phishing campaign targeting users of the Bitcoin, Arbitrum, Binance Smart Chain, Cronos, Ethereum, and Polygon blockchains during the latter half of 2022 and into 2023. This escalation in activity occurred after the DPRK successfully converted over $1 million in Ethereum assets to Bitcoin via the cross-chain bridge Ren Project. Mandiant assesses that the success of this hybrid cluster’s operations has likely influenced APT43’s expansion into Web3 operations.\r\nIn line with the increased focus on cryptocurrency targeting, CryptoCore was also observed targeting financial institutions and cryptocurrency entities throughout 2022. 
This group has targeted multiple financial verticals (including investing, transaction processing, and cryptocurrency) across North America, Europe, and East Asia with LONEJOGGER malware. In August 2022, Mandiant discovered new LONEJOGGER samples and decoy files that reinforced the group's interest in cryptocurrency. The entities referenced in the samples and malware-laden decoy documents included a legitimate American hedge fund specializing in cryptocurrency and a digital asset platform that deals in the holding, investing, and infrastructure of cryptocurrency and cryptocurrency products.\r\nIn late 2022, the group was identified leveraging several lure documents relating to cryptocurrency, as well as to other financial entities including investment firms and banks. In addition to targeting crypto and leveraging lure material, the CryptoCore grouping of clusters has been observed masquerading as crypto institutions from around the globe.\r\nFigure 3: Bitcoin Bull Prediction.pdf, lure document\r\nDefector Targeting Highlights Consistency Across Groups and Time\r\nLee Min-bok (LMB) is an example that highlights shared targeting between groups. Mandiant has observed APT37, APT43, and both of DPRK’s hybrid clusters targeting Lee. Lee Min-bok is a North Korean defector who previously worked for the Agricultural Research Institute in Pyongyang until 1991, when he began efforts to defect to South Korea. Until 2018, Lee had sent information attached to balloons, along with anti-Pyongyang leaflets, into North Korea.\r\nThis consistency in targeting is mirrored by the consistency over time between the current and historic organization of DPRK cyber operations. 
While little is publicly reported about North Korea’s cyber organization referred to as “Room 35” and its operations prior to the 2009 reorganization, it is an organization that allegedly develops malware and intrusion tools to collect information on its targets and build intelligence reports for senior DPRK officials. The information that is available about this organization directly corresponds to operations observed by Mandiant, and when supplemented with Mandiant intelligence, does show hints at the “why” and “how” in some instances, such as the case of LMB’s targeting. Reorganizations may take place, and tools and infrastructure may be shared, but targeting and fulfillment of PIRs remain intact at this time.\r\nTable 1 shows the identified overlaps and similarities between the reported operations and activities of Room 35 and the observed characteristics and activities of APT43.\r\nRoom 35 | APT43\r\nGathers data to generate internal briefs and reports that provide insights and recommendations to the higher echelons of leadership in the government. | Appears to gather information to answer leadership- and regime-level PIRs.\r\nThe main focus of its mission is directed towards several nations in Europe, along with the Republic of Korea (ROK), the United States, and Japan. | Consists of sub-teams focusing on ROK, US, and Japan, with sporadic targeting throughout Europe.\r\nThe group enables a small, skilled, and efficient team of hackers to create malware and hacking tools for gathering information on their targets, which is then used to compile intelligence reports. | APT43’s efforts rely on social engineering in addition to some malware that appears to be created within the organization. APT43 does not appear to be as large as other units such as APT38, Andariel, and TEMP.Hermit.\r\nA secondary mission for Room 35 is allegedly “to generate profit to support and fund the tools and resources used in their primary mission.” | APT43 conducts smaller financially focused side efforts such as cryptojacking and crypto theft, likely in order to fund its own operations.\r\nChain of command is grouped with the KWP Operations Department, CC KWP United Front Department (UFD), and the MSS. | Mandiant and open source reporting highlight the constant and common targeting overlaps between APT43 and the mission mandates of the UFD and MSS.\r\nTable 1: Similarities between alleged units prior to 2009 and related interests of APT43\r\nDPRK Operator Activity Examples\r\nSome of the DPRK-aligned cyber operators Mandiant tracks are highly skilled across numerous cyber endeavors. Operators have demonstrated the ability to conduct activities at high levels of sophistication and execution, then immediately pivot to separate tasks and maintain that same level of execution (e.g., blockchain and cryptocurrency targeting, espionage, ransomware, supply chain targeting). 
Highlighting past Department of Justice indictments (see Figure 4 and Figure 5) illustrates how a single individual can supplement vastly different efforts.\r\nFigure 4: Park Jin Hyok FBI Wanted Poster highlighting the range of skillsets within his RGB cyber role\r\nFigure 5: Kim Il, RGB hacker, detailed in USG indictment\r\nPark Jin Hyok’s (PJH) identified activities show adaptability and flexibility, based on mission requirements:\r\nIn 2014, PJH was involved in the attack on Sony Pictures Entertainment in retaliation for the release of \"The Interview,\" which depicted the assassination of the DPRK's leader. The operator then targeted other victims in the entertainment industry and stole confidential data, threatened executives and employees, and damaged thousands of computers.\r\nIn 2016, he was involved in stealing $81 million from Bangladesh Bank by compromising its computer network with spear-phishing emails and sending fraudulently authenticated SWIFT messages to transfer funds to other countries.\r\nIn 2017, he was connected to the development of the ransomware WannaCry 2.0, which infected hundreds of thousands of computers around the world.\r\nIn 2016 and 2017, he was involved in targeting US defense contractors, including Lockheed Martin, using spear-phishing emails.\r\nIn the time between the Sony attack and the arrest warrant being issued, PJH was observed on job seeker platforms alongside DPRK’s IT workers.\r\nIdentified Malware Sharing Supports Public Reports of Combined Task Forces\r\nAs stated previously, open-source reporting in early 2021 described the creation of \"Bureau 
325,\" a collaborative effort between separate North Korean cyber operations targeting COVID-19-related information. According to Daily NK, a new organization dubbed Bureau 325 was formalized just before North Korea's Eighth Party Congress in January 2021, and, unlike prior cyber operations, reported its COVID-19-focused efforts directly to Kim Jong Un. Notably, Bureau 325 reportedly includes individuals previously assigned to existing groups.\r\nAccording to Reuters, in mid-November 2020, Microsoft observed North Korean espionage activity at vaccine makers in multiple countries. This observation matches our assessment about targeting and corresponded to CUTELOOP and PENDOWN activity Mandiant detected targeting pharmaceuticals.\r\nIn some instances, defense job-related lures were used against pharmaceutical entities, suggesting that the shift toward healthcare and pandemic-related targeting was abrupt and unexpected. Later, more relevant social engineering lures and new malware were employed, suggesting a more complete shift toward the focus on COVID-19.\r\nMandiant observed domain registrant overlap between APT43 and the COVID-centric cyber campaigns. This is further evidence that these organizations are close bureaucratically and share resources.\r\nMalware and Tooling\r\nCyber groups within the DPRK ecosystem continue sharing tooling and malware. Figure 6 is a visual breakdown of malware families and their associated actors. These malware families seem to be handed down so that the newer units can create their own group-tailored family. 
For example, APT43’s PENCILDOWN malware changed to the new group’s PENDOWN malware family.\r\nFigure 6: Malware tools leveraged by TEMP.Hermit and linked groups (green), APT43 and suspected linked groups (red), and those overlapping with COVID-19-focused operations (blue)\r\nAnother instance where resources were likely shared between groups was with ROCKHATCH malware (bcac28919fa33704a01d7a9e5e3ddf3f). ROCKHATCH was discovered being used as part of a suspected Andariel operation.\r\nThe malware uses the key 74 61 51 04 77 32 54 45 89 95 12 52 12 02 32 73, which was also used in samples of HANGMAN.V2 (21cffaa7f9bf224ce75e264bfb16dd0d), a malware used by APT43, and CAKETEARS malware (1ecd83ee7e4cfc8fed7ceb998e75b996), which is primarily associated with TEMP.Hermit.\r\nHANGMAN.V2 itself is a variant of TEMP.Hermit's HANGMAN malware, but has only been observed used with APT43 infrastructure.\r\nROCKHATCH uses the same uninstall script seen in TEMP.Hermit’s FALLCHILL and HANGMAN malware.\r\nWhile Mandiant has observed DPRK operators share tools and resources, different threat actors have used tailored tools, including multi-platform malware such as POOLRAT, a backdoor that allowed threat actors to collect system data and to execute commands and that has Windows, Linux, and macOS variants, as well as dedicated implants for macOS like FULLHOUSE.DOORED, which shows an increased interest in the development of macOS malware to backdoor platforms of high-value targets within the cryptocurrency and blockchain industries.\r\nOutlook and Way Ahead\r\nThe years of public reporting on multiple DPRK-aligned cyber units under the “Lazarus Group” moniker have come full circle. 
The shifting DPRK cyber landscape is increasingly characterized by resource sharing and temporary\r\ncollaboration. We believe that this will make precise attribution more difficult. \r\nSome increased fidelity is likely to arrive as additional data is collected, and may help better scope groups and\r\nidentify any specialized in targeting specific industries or sectors. \r\nMalware infrastructure overlaps indicating resources and attribution muddled by shifting assignments show how\r\nDPRK cyber operations are changing. However, operations conducted to fulfill regime requirements remain\r\nsteadfast and we believe they will continue. While defenders may not be able to easily sort new DPRK activity\r\ninto a previously identified bucket, the malware reuse and shared resources creates opportunities for detection and\r\ncountry level attribution.\r\nPosted in\r\nThreat Intelligence\r\nSource: https://cloud.google.com/blog/topics/threat-intelligence/north-korea-cyber-structure-alignment-2023\r\nhttps://cloud.google.com/blog/topics/threat-intelligence/north-korea-cyber-structure-alignment-2023\r\nPage 16 of 16",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MITRE"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://cloud.google.com/blog/topics/threat-intelligence/north-korea-cyber-structure-alignment-2023"
	],
	"report_names": [
		"north-korea-cyber-structure-alignment-2023"
	],
	"threat_actors": [
		{
			"id": "838f6ced-12a4-4893-991a-36d231d96efd",
			"created_at": "2022-10-25T15:50:23.347455Z",
			"updated_at": "2026-04-10T02:00:05.295717Z",
			"deleted_at": null,
			"main_name": "Andariel",
			"aliases": [
				"Andariel",
				"Silent Chollima",
				"PLUTONIUM",
				"Onyx Sleet"
			],
			"source_name": "MITRE:Andariel",
			"tools": [
				"Rifdoor",
				"gh0st RAT"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "6f30fd35-b1c9-43c4-9137-2f61cd5f031e",
			"created_at": "2025-08-07T02:03:25.082908Z",
			"updated_at": "2026-04-10T02:00:03.744649Z",
			"deleted_at": null,
			"main_name": "NICKEL FOXCROFT",
			"aliases": [
				"APT37 ",
				"ATK4 ",
				"Group 123 ",
				"InkySquid ",
				"Moldy Pisces ",
				"Operation Daybreak ",
				"Operaton Erebus ",
				"RICOCHET CHOLLIMA ",
				"Reaper ",
				"ScarCruft ",
				"TA-RedAnt ",
				"Venus 121 "
			],
			"source_name": "Secureworks:NICKEL FOXCROFT",
			"tools": [
				"Bluelight",
				"Chinotto",
				"GOLDBACKDOOR",
				"KevDroid",
				"KoSpy",
				"PoorWeb",
				"ROKRAT",
				"final1stpy"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "34eea331-d052-4096-ae03-a22f1d090bd4",
			"created_at": "2025-08-07T02:03:25.073494Z",
			"updated_at": "2026-04-10T02:00:03.709243Z",
			"deleted_at": null,
			"main_name": "NICKEL ACADEMY",
			"aliases": [
				"ATK3 ",
				"Black Artemis ",
				"COVELLITE ",
				"CTG-2460 ",
				"Citrine Sleet ",
				"Diamond Sleet ",
				"Guardians of Peace",
				"HIDDEN COBRA ",
				"High Anonymous",
				"Labyrinth Chollima ",
				"Lazarus Group ",
				"NNPT Group",
				"New Romanic Cyber Army Team",
				"Temp.Hermit ",
				"UNC577 ",
				"Who Am I?",
				"Whois Team",
				"ZINC "
			],
			"source_name": "Secureworks:NICKEL ACADEMY",
			"tools": [
				"Destover",
				"KorHigh",
				"Volgmer"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "c306e698-3b48-46d7-b571-3dfa0c828379",
			"created_at": "2023-05-16T02:02:09.957677Z",
			"updated_at": "2026-04-10T02:00:03.364345Z",
			"deleted_at": null,
			"main_name": "APT43",
			"aliases": [],
			"source_name": "MISPGALAXY:APT43",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "c1eadfd8-6e9c-4024-902d-555c9530fcea",
			"created_at": "2023-01-06T13:46:38.645834Z",
			"updated_at": "2026-04-10T02:00:03.04985Z",
			"deleted_at": null,
			"main_name": "TEMP.Hermit",
			"aliases": [],
			"source_name": "MISPGALAXY:TEMP.Hermit",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "e265bb3a-eb4c-4999-9b1d-c24a0d05a7f0",
			"created_at": "2023-12-21T02:00:06.096716Z",
			"updated_at": "2026-04-10T02:00:03.502439Z",
			"deleted_at": null,
			"main_name": "UNC4736",
			"aliases": [],
			"source_name": "MISPGALAXY:UNC4736",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "110e7160-a8cc-4a66-8550-f19f7d418117",
			"created_at": "2023-01-06T13:46:38.427592Z",
			"updated_at": "2026-04-10T02:00:02.969896Z",
			"deleted_at": null,
			"main_name": "Silent Chollima",
			"aliases": [
				"Onyx Sleet",
				"PLUTONIUM",
				"OperationTroy",
				"Guardian of Peace",
				"GOP",
				"WHOis Team",
				"Andariel",
				"Subgroup: Andariel"
			],
			"source_name": "MISPGALAXY:Silent Chollima",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "bbe36874-34b7-4bfb-b38b-84a00b07042e",
			"created_at": "2022-10-25T15:50:23.375277Z",
			"updated_at": "2026-04-10T02:00:05.327922Z",
			"deleted_at": null,
			"main_name": "APT37",
			"aliases": [
				"APT37",
				"InkySquid",
				"ScarCruft",
				"Group123",
				"TEMP.Reaper",
				"Ricochet Chollima"
			],
			"source_name": "MITRE:APT37",
			"tools": [
				"BLUELIGHT",
				"CORALDECK",
				"KARAE",
				"SLOWDRIFT",
				"ROKRAT",
				"SHUTTERSPEED",
				"POORAIM",
				"HAPPYWORK",
				"Final1stspy",
				"Cobalt Strike",
				"NavRAT",
				"DOGCALL",
				"WINERACK"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "552ff939-52c3-421b-b6c9-749cbc21a794",
			"created_at": "2023-01-06T13:46:38.742547Z",
			"updated_at": "2026-04-10T02:00:03.08515Z",
			"deleted_at": null,
			"main_name": "APT37",
			"aliases": [
				"Operation Daybreak",
				"Red Eyes",
				"ScarCruft",
				"G0067",
				"Group123",
				"Reaper Group",
				"Ricochet Chollima",
				"ATK4",
				"APT 37",
				"Operation Erebus",
				"Moldy Pisces",
				"APT-C-28",
				"Group 123",
				"InkySquid",
				"Venus 121"
			],
			"source_name": "MISPGALAXY:APT37",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "191d7f9a-8c3c-442a-9f13-debe259d4cc2",
			"created_at": "2022-10-25T15:50:23.280374Z",
			"updated_at": "2026-04-10T02:00:05.305572Z",
			"deleted_at": null,
			"main_name": "Kimsuky",
			"aliases": [
				"Kimsuky",
				"Black Banshee",
				"Velvet Chollima",
				"Emerald Sleet",
				"THALLIUM",
				"APT43",
				"TA427",
				"Springtail"
			],
			"source_name": "MITRE:Kimsuky",
			"tools": [
				"Troll Stealer",
				"schtasks",
				"Amadey",
				"GoBear",
				"Brave Prince",
				"CSPY Downloader",
				"gh0st RAT",
				"AppleSeed",
				"Gomir",
				"NOKKI",
				"QuasarRAT",
				"Gold Dragon",
				"PsExec",
				"KGH_SPY",
				"Mimikatz",
				"BabyShark",
				"TRANSLATEXT"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "544ecd2c-82c9-417c-9d98-d1ae395df964",
			"created_at": "2025-10-29T02:00:52.035025Z",
			"updated_at": "2026-04-10T02:00:05.408558Z",
			"deleted_at": null,
			"main_name": "AppleJeus",
			"aliases": [
				"AppleJeus",
				"Gleaming Pisces",
				"Citrine Sleet",
				"UNC1720",
				"UNC4736"
			],
			"source_name": "MITRE:AppleJeus",
			"tools": null,
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "0106b19a-ac99-4bc9-90b9-4647bfc5f3ce",
			"created_at": "2023-11-08T02:00:07.144995Z",
			"updated_at": "2026-04-10T02:00:03.425891Z",
			"deleted_at": null,
			"main_name": "TraderTraitor",
			"aliases": [
				"Pukchong",
				"Jade Sleet",
				"UNC4899"
			],
			"source_name": "MISPGALAXY:TraderTraitor",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "bc6e3644-3249-44f3-a277-354b7966dd1b",
			"created_at": "2022-10-25T16:07:23.760559Z",
			"updated_at": "2026-04-10T02:00:04.741239Z",
			"deleted_at": null,
			"main_name": "Andariel",
			"aliases": [
				"APT 45",
				"Andariel",
				"G0138",
				"Jumpy Pisces",
				"Onyx Sleet",
				"Operation BLACKMINE",
				"Operation BLACKSHEEP/Phase 3.",
				"Operation Blacksmith",
				"Operation DESERTWOLF/Phase 3",
				"Operation GHOSTRAT",
				"Operation GoldenAxe",
				"Operation INITROY/Phase 1",
				"Operation INITROY/Phase 2",
				"Operation Mayday",
				"Operation VANXATM",
				"Operation XEDA",
				"Plutonium",
				"Silent Chollima",
				"Stonefly"
			],
			"source_name": "ETDA:Andariel",
			"tools": [],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "760f2827-1718-4eed-8234-4027c1346145",
			"created_at": "2023-01-06T13:46:38.670947Z",
			"updated_at": "2026-04-10T02:00:03.062424Z",
			"deleted_at": null,
			"main_name": "Kimsuky",
			"aliases": [
				"G0086",
				"Emerald Sleet",
				"THALLIUM",
				"Springtail",
				"Sparkling Pisces",
				"Thallium",
				"Operation Stolen Pencil",
				"APT43",
				"Velvet Chollima",
				"Black Banshee"
			],
			"source_name": "MISPGALAXY:Kimsuky",
			"tools": [
				"xrat",
				"QUASARRAT",
				"RDP Wrapper",
				"TightVNC",
				"BabyShark",
				"RevClient"
			],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "732597b1-40a8-474c-88cc-eb8a421c29f1",
			"created_at": "2025-08-07T02:03:25.087732Z",
			"updated_at": "2026-04-10T02:00:03.776007Z",
			"deleted_at": null,
			"main_name": "NICKEL GLADSTONE",
			"aliases": [
				"APT38 ",
				"ATK 117 ",
				"Alluring Pisces ",
				"Black Alicanto ",
				"Bluenoroff ",
				"CTG-6459 ",
				"Citrine Sleet ",
				"HIDDEN COBRA ",
				"Lazarus Group",
				"Sapphire Sleet ",
				"Selective Pisces ",
				"Stardust Chollima ",
				"T-APT-15 ",
				"TA444 ",
				"TAG-71 "
			],
			"source_name": "Secureworks:NICKEL GLADSTONE",
			"tools": [
				"AlphaNC",
				"Bankshot",
				"CCGC_Proxy",
				"Ratankba",
				"RustBucket",
				"SUGARLOADER",
				"SwiftLoader",
				"Wcry"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "c8bf82a7-6887-4d46-ad70-4498b67d4c1d",
			"created_at": "2025-08-07T02:03:25.101147Z",
			"updated_at": "2026-04-10T02:00:03.846812Z",
			"deleted_at": null,
			"main_name": "NICKEL KIMBALL",
			"aliases": [
				"APT43 ",
				"ARCHIPELAGO ",
				"Black Banshee ",
				"Crooked Pisces ",
				"Emerald Sleet ",
				"ITG16 ",
				"Kimsuky ",
				"Larva-24005 ",
				"Opal Sleet ",
				"Ruby Sleet ",
				"SharpTongue ",
				"Sparking Pisces ",
				"Springtail ",
				"TA406 ",
				"TA427 ",
				"THALLIUM ",
				"UAT-5394 ",
				"Velvet Chollima "
			],
			"source_name": "Secureworks:NICKEL KIMBALL",
			"tools": [
				"BabyShark",
				"FastFire",
				"FastSpy",
				"FireViewer",
				"Konni"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "a2b92056-9378-4749-926b-7e10c4500dac",
			"created_at": "2023-01-06T13:46:38.430595Z",
			"updated_at": "2026-04-10T02:00:02.971571Z",
			"deleted_at": null,
			"main_name": "Lazarus Group",
			"aliases": [
				"Operation DarkSeoul",
				"Bureau 121",
				"Group 77",
				"APT38",
				"NICKEL GLADSTONE",
				"G0082",
				"COPERNICIUM",
				"Moonstone Sleet",
				"Operation GhostSecret",
				"APT 38",
				"Appleworm",
				"Unit 121",
				"ATK3",
				"G0032",
				"ATK117",
				"NewRomanic Cyber Army Team",
				"Nickel Academy",
				"Sapphire Sleet",
				"Lazarus group",
				"Hastati Group",
				"Subgroup: Bluenoroff",
				"Operation Troy",
				"Black Artemis",
				"Dark Seoul",
				"Andariel",
				"Labyrinth Chollima",
				"Operation AppleJeus",
				"COVELLITE",
				"Citrine Sleet",
				"DEV-0139",
				"DEV-1222",
				"Hidden Cobra",
				"Bluenoroff",
				"Stardust Chollima",
				"Whois Hacking Team",
				"Diamond Sleet",
				"TA404",
				"BeagleBoyz",
				"APT-C-26"
			],
			"source_name": "MISPGALAXY:Lazarus Group",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "771d9263-076e-4b6e-bd58-92b6555eb739",
			"created_at": "2025-08-07T02:03:25.092436Z",
			"updated_at": "2026-04-10T02:00:03.758541Z",
			"deleted_at": null,
			"main_name": "NICKEL HYATT",
			"aliases": [
				"APT45 ",
				"Andariel",
				"Dark Seoul",
				"Jumpy Pisces ",
				"Onyx Sleet ",
				"RIFLE Campaign",
				"Silent Chollima ",
				"Stonefly ",
				"UN614 "
			],
			"source_name": "Secureworks:NICKEL HYATT",
			"tools": [
				"ActiveX 0-day",
				"DTrack",
				"HazyLoad",
				"HotCriossant",
				"Rifle",
				"UnitBot",
				"Valefor"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "32a223a8-3c79-4146-87c5-8557d38662ae",
			"created_at": "2022-10-25T15:50:23.703698Z",
			"updated_at": "2026-04-10T02:00:05.261989Z",
			"deleted_at": null,
			"main_name": "Lazarus Group",
			"aliases": [
				"Lazarus Group",
				"Labyrinth Chollima",
				"HIDDEN COBRA",
				"Guardians of Peace",
				"NICKEL ACADEMY",
				"Diamond Sleet"
			],
			"source_name": "MITRE:Lazarus Group",
			"tools": [
				"RawDisk",
				"Proxysvc",
				"BADCALL",
				"FALLCHILL",
				"WannaCry",
				"MagicRAT",
				"HOPLIGHT",
				"TYPEFRAME",
				"Dtrack",
				"HotCroissant",
				"HARDRAIN",
				"Dacls",
				"KEYMARBLE",
				"TAINTEDSCRIBE",
				"AuditCred",
				"netsh",
				"ECCENTRICBANDWAGON",
				"AppleJeus",
				"BLINDINGCAN",
				"ThreatNeedle",
				"Volgmer",
				"Cryptoistic",
				"RATANKBA",
				"Bankshot"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "f426f0a0-faef-4c0e-bcf8-88974116c9d0",
			"created_at": "2022-10-25T15:50:23.240383Z",
			"updated_at": "2026-04-10T02:00:05.299433Z",
			"deleted_at": null,
			"main_name": "APT38",
			"aliases": [
				"APT38",
				"NICKEL GLADSTONE",
				"BeagleBoyz",
				"Bluenoroff",
				"Stardust Chollima",
				"Sapphire Sleet",
				"COPERNICIUM"
			],
			"source_name": "MITRE:APT38",
			"tools": [
				"ECCENTRICBANDWAGON",
				"HOPLIGHT",
				"Mimikatz",
				"KillDisk",
				"DarkComet"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "1bdb91cf-f1a6-4bed-8cfa-c7ea1b635ebd",
			"created_at": "2022-10-25T16:07:23.766784Z",
			"updated_at": "2026-04-10T02:00:04.7432Z",
			"deleted_at": null,
			"main_name": "Bluenoroff",
			"aliases": [
				"APT 38",
				"ATK 117",
				"Alluring Pisces",
				"Black Alicanto",
				"Bluenoroff",
				"CTG-6459",
				"Copernicium",
				"G0082",
				"Nickel Gladstone",
				"Sapphire Sleet",
				"Selective Pisces",
				"Stardust Chollima",
				"T-APT-15",
				"TA444",
				"TAG-71",
				"TEMP.Hermit"
			],
			"source_name": "ETDA:Bluenoroff",
			"tools": [],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "dcbff54d-13ec-40b5-b3b9-b74a315669e1",
			"created_at": "2026-02-03T02:00:03.428641Z",
			"updated_at": "2026-04-10T02:00:03.937539Z",
			"deleted_at": null,
			"main_name": "UNC1069",
			"aliases": [
				"MASAN",
				"CryptoCore"
			],
			"source_name": "MISPGALAXY:UNC1069",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "71a1e16c-3ba6-4193-be62-be53527817bc",
			"created_at": "2022-10-25T16:07:23.753455Z",
			"updated_at": "2026-04-10T02:00:04.73769Z",
			"deleted_at": null,
			"main_name": "Kimsuky",
			"aliases": [
				"APT 43",
				"Black Banshee",
				"Emerald Sleet",
				"G0086",
				"G0094",
				"ITG16",
				"KTA082",
				"Kimsuky",
				"Larva-24005",
				"Larva-25004",
				"Operation Baby Coin",
				"Operation Covert Stalker",
				"Operation DEEP#DRIVE",
				"Operation DEEP#GOSU",
				"Operation Kabar Cobra",
				"Operation Mystery Baby",
				"Operation Red Salt",
				"Operation Smoke Screen",
				"Operation Stealth Power",
				"Operation Stolen Pencil",
				"SharpTongue",
				"Sparkling Pisces",
				"Springtail",
				"TA406",
				"TA427",
				"Thallium",
				"UAT-5394",
				"Velvet Chollima"
			],
			"source_name": "ETDA:Kimsuky",
			"tools": [
				"AngryRebel",
				"AppleSeed",
				"BITTERSWEET",
				"BabyShark",
				"BoBoStealer",
				"CSPY Downloader",
				"Farfli",
				"FlowerPower",
				"Gh0st RAT",
				"Ghost RAT",
				"Gold Dragon",
				"GoldDragon",
				"GoldStamp",
				"JamBog",
				"KGH Spyware Suite",
				"KGH_SPY",
				"KPortScan",
				"KimJongRAT",
				"Kimsuky",
				"LATEOP",
				"LOLBAS",
				"LOLBins",
				"Living off the Land",
				"Lovexxx",
				"MailPassView",
				"Mechanical",
				"Mimikatz",
				"MoonPeak",
				"Moudour",
				"MyDogs",
				"Mydoor",
				"Network Password Recovery",
				"PCRat",
				"ProcDump",
				"PsExec",
				"ReconShark",
				"Remote Desktop PassView",
				"SHARPEXT",
				"SWEETDROP",
				"SmallTiger",
				"SniffPass",
				"TODDLERSHARK",
				"TRANSLATEXT",
				"Troll Stealer",
				"TrollAgent",
				"VENOMBITE",
				"WebBrowserPassView",
				"xRAT"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "f32df445-9fb4-4234-99e0-3561f6498e4e",
			"created_at": "2022-10-25T16:07:23.756373Z",
			"updated_at": "2026-04-10T02:00:04.739611Z",
			"deleted_at": null,
			"main_name": "Lazarus Group",
			"aliases": [
				"APT-C-26",
				"ATK 3",
				"Appleworm",
				"Citrine Sleet",
				"DEV-0139",
				"Diamond Sleet",
				"G0032",
				"Gleaming Pisces",
				"Gods Apostles",
				"Gods Disciples",
				"Group 77",
				"Guardians of Peace",
				"Hastati Group",
				"Hidden Cobra",
				"ITG03",
				"Jade Sleet",
				"Labyrinth Chollima",
				"Lazarus Group",
				"NewRomanic Cyber Army Team",
				"Operation 99",
				"Operation AppleJeus",
				"Operation AppleJeus sequel",
				"Operation Blockbuster: Breach of Sony Pictures Entertainment",
				"Operation CryptoCore",
				"Operation Dream Job",
				"Operation Dream Magic",
				"Operation Flame",
				"Operation GhostSecret",
				"Operation In(ter)caption",
				"Operation LolZarus",
				"Operation Marstech Mayhem",
				"Operation No Pineapple!",
				"Operation North Star",
				"Operation Phantom Circuit",
				"Operation Sharpshooter",
				"Operation SyncHole",
				"Operation Ten Days of Rain / DarkSeoul",
				"Operation Troy",
				"SectorA01",
				"Slow Pisces",
				"TA404",
				"TraderTraitor",
				"UNC2970",
				"UNC4034",
				"UNC4736",
				"UNC4899",
				"UNC577",
				"Whois Hacking Team"
			],
			"source_name": "ETDA:Lazarus Group",
			"tools": [
				"3CX Backdoor",
				"3Rat Client",
				"3proxy",
				"AIRDRY",
				"ARTFULPIE",
				"ATMDtrack",
				"AlphaNC",
				"Alreay",
				"Andaratm",
				"AngryRebel",
				"AppleJeus",
				"Aryan",
				"AuditCred",
				"BADCALL",
				"BISTROMATH",
				"BLINDINGCAN",
				"BTC Changer",
				"BUFFETLINE",
				"BanSwift",
				"Bankshot",
				"Bitrep",
				"Bitsran",
				"BlindToad",
				"Bookcode",
				"BootWreck",
				"BottomLoader",
				"Brambul",
				"BravoNC",
				"Breut",
				"COLDCAT",
				"COPPERHEDGE",
				"CROWDEDFLOUNDER",
				"Castov",
				"CheeseTray",
				"CleanToad",
				"ClientTraficForwarder",
				"CollectionRAT",
				"Concealment Troy",
				"Contopee",
				"CookieTime",
				"Cyruslish",
				"DAVESHELL",
				"DBLL Dropper",
				"DLRAT",
				"DRATzarus",
				"DRATzarus RAT",
				"Dacls",
				"Dacls RAT",
				"DarkComet",
				"DarkKomet",
				"DeltaCharlie",
				"DeltaNC",
				"Dembr",
				"Destover",
				"DoublePulsar",
				"Dozer",
				"Dtrack",
				"Duuzer",
				"DyePack",
				"ECCENTRICBANDWAGON",
				"ELECTRICFISH",
				"Escad",
				"EternalBlue",
				"FALLCHILL",
				"FYNLOS",
				"FallChill RAT",
				"Farfli",
				"Fimlis",
				"FoggyBrass",
				"FudModule",
				"Fynloski",
				"Gh0st RAT",
				"Ghost RAT",
				"Gopuram",
				"HARDRAIN",
				"HIDDEN COBRA RAT/Worm",
				"HLOADER",
				"HOOKSHOT",
				"HOPLIGHT",
				"HOTCROISSANT",
				"HOTWAX",
				"HTTP Troy",
				"Hawup",
				"Hawup RAT",
				"Hermes",
				"HotCroissant",
				"HotelAlfa",
				"Hotwax",
				"HtDnDownLoader",
				"Http Dr0pper",
				"ICONICSTEALER",
				"Joanap",
				"Jokra",
				"KANDYKORN",
				"KEYMARBLE",
				"Kaos",
				"KillDisk",
				"KillMBR",
				"Koredos",
				"Krademok",
				"LIGHTSHIFT",
				"LIGHTSHOW",
				"LOLBAS",
				"LOLBins",
				"Lazarus",
				"LightlessCan",
				"Living off the Land",
				"MATA",
				"MBRkiller",
				"MagicRAT",
				"Manuscrypt",
				"Mimail",
				"Mimikatz",
				"Moudour",
				"Mydoom",
				"Mydoor",
				"Mytob",
				"NACHOCHEESE",
				"NachoCheese",
				"NestEgg",
				"NickelLoader",
				"NineRAT",
				"Novarg",
				"NukeSped",
				"OpBlockBuster",
				"PCRat",
				"PEBBLEDASH",
				"PLANKWALK",
				"POOLRAT",
				"PSLogger",
				"PhanDoor",
				"Plink",
				"PondRAT",
				"PowerBrace",
				"PowerRatankba",
				"PowerShell RAT",
				"PowerSpritz",
				"PowerTask",
				"Preft",
				"ProcDump",
				"Proxysvc",
				"PuTTY Link",
				"QUICKRIDE",
				"QUICKRIDE.POWER",
				"Quickcafe",
				"QuiteRAT",
				"R-C1",
				"ROptimizer",
				"Ratabanka",
				"RatabankaPOS",
				"Ratankba",
				"RatankbaPOS",
				"RawDisk",
				"RedShawl",
				"Rifdoor",
				"Rising Sun",
				"Romeo-CoreOne",
				"RomeoAlfa",
				"RomeoBravo",
				"RomeoCharlie",
				"RomeoCore",
				"RomeoDelta",
				"RomeoEcho",
				"RomeoFoxtrot",
				"RomeoGolf",
				"RomeoHotel",
				"RomeoMike",
				"RomeoNovember",
				"RomeoWhiskey",
				"Romeos",
				"RustBucket",
				"SHADYCAT",
				"SHARPKNOT",
				"SIGFLIP",
				"SIMPLESEA",
				"SLICKSHOES",
				"SORRYBRUTE",
				"SUDDENICON",
				"SUGARLOADER",
				"SheepRAT",
				"SierraAlfa",
				"SierraBravo",
				"SierraCharlie",
				"SierraJuliett-MikeOne",
				"SierraJuliett-MikeTwo",
				"SimpleTea",
				"SimplexTea",
				"SmallTiger",
				"Stunnel",
				"TAINTEDSCRIBE",
				"TAXHAUL",
				"TFlower",
				"TOUCHKEY",
				"TOUCHMOVE",
				"TOUCHSHIFT",
				"TOUCHSHOT",
				"TWOPENCE",
				"TYPEFRAME",
				"Tdrop",
				"Tdrop2",
				"ThreatNeedle",
				"Tiger RAT",
				"TigerRAT",
				"Trojan Manuscript",
				"Troy",
				"TroyRAT",
				"VEILEDSIGNAL",
				"VHD",
				"VHD Ransomware",
				"VIVACIOUSGIFT",
				"VSingle",
				"ValeforBeta",
				"Volgmer",
				"Vyveva",
				"W1_RAT",
				"Wana Decrypt0r",
				"WanaCry",
				"WanaCrypt",
				"WanaCrypt0r",
				"WannaCry",
				"WannaCrypt",
				"WannaCryptor",
				"WbBot",
				"Wcry",
				"Win32/KillDisk.NBB",
				"Win32/KillDisk.NBC",
				"Win32/KillDisk.NBD",
				"Win32/KillDisk.NBH",
				"Win32/KillDisk.NBI",
				"WinorDLL64",
				"Winsec",
				"WolfRAT",
				"Wormhole",
				"YamaBot",
				"Yort",
				"ZetaNile",
				"concealment_troy",
				"http_troy",
				"httpdr0pper",
				"httpdropper",
				"klovbot",
				"sRDI"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434217,
	"ts_updated_at": 1775826770,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/300cd46b5e5a3d24e13f3a24293e336393753472.pdf",
		"text": "https://archive.orkl.eu/300cd46b5e5a3d24e13f3a24293e336393753472.txt",
		"img": "https://archive.orkl.eu/300cd46b5e5a3d24e13f3a24293e336393753472.jpg"
	}
}