{
	"id": "5f7c4ec5-0ea9-499b-94cc-6b6df6d31a6f",
	"created_at": "2026-04-06T00:10:55.898728Z",
	"updated_at": "2026-04-10T13:12:53.383634Z",
	"deleted_at": null,
	"sha1_hash": "59f6074eedfe0f5dcb0c6e4054b6baaac0568587",
	"title": "North Korean threat actor Citrine Sleet exploiting Chromium zero-day | Microsoft Security Blog",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 314120,
	"plain_text": "North Korean threat actor Citrine Sleet exploiting Chromium zero-day |\r\nMicrosoft Security Blog\r\nBy Microsoft Threat Intelligence, Microsoft Security Response Center (MSRC)\r\nPublished: 2024-08-30 · Archived: 2026-04-05 14:19:50 UTC\r\nOn August 19, 2024, Microsoft identified a North Korean threat actor exploiting a zero-day vulnerability in Chromium, now\r\nidentified as CVE-2024-7971, to gain remote code execution (RCE). We assess with high confidence that the observed\r\nexploitation of CVE-2024-7971 can be attributed to a North Korean threat actor targeting the cryptocurrency sector for\r\nfinancial gain. Our ongoing analysis and observed infrastructure lead us to attribute this activity with medium confidence to\r\nCitrine Sleet. We note that while the FudModule rootkit deployed has also been attributed to Diamond Sleet, another North\r\nKorean threat actor, Microsoft previously identified shared infrastructure and tools between Diamond Sleet and Citrine\r\nSleet, and our analysis indicates this might be shared use of the FudModule malware between these threat actors.\r\nCVE-2024-7971 is a type confusion vulnerability in the V8 JavaScript and WebAssembly engine, impacting versions of\r\nChromium prior to 128.0.6613.84. Exploiting the vulnerability could allow threat actors to gain RCE in the sandboxed\r\nChromium renderer process. Google released a fix for the vulnerability on August 21, 2024, and users should ensure they are\r\nusing the latest version of Chromium. We would like to thank the Chromium team for their collaboration in addressing this\r\nissue. CVE-2024-7971 is the third exploited V8 type confusion vulnerability that has been patched in V8 this year, after\r\nCVE-2024-4947 and CVE-2024-5274. 
As with any observed nation-state actor activity, Microsoft has directly notified\r\ntargeted or compromised customers, providing them with important information to help secure their environments.\r\nIn this blog, we share details on the North Korean threat actor Citrine Sleet and the observed tactics, techniques, and\r\nprocedures (TTPs) used to exploit CVE-2024-7971, deploy the FudModule rootkit, and compromise systems. We further\r\nprovide recommended mitigations, detection details, hunting guidance, and indicators of compromise (IOCs) to help\r\ndefenders identify, respond to, and improve defenses against these attacks.\r\nWho is Citrine Sleet?\r\nThe threat actor that Microsoft tracks as Citrine Sleet is based in North Korea and primarily targets financial institutions,\r\nparticularly organizations and individuals managing cryptocurrency, for financial gain. As part of its social engineering\r\ntactics, Citrine Sleet has conducted extensive reconnaissance of the cryptocurrency industry and individuals associated with\r\nit. The threat actor creates fake websites masquerading as legitimate cryptocurrency trading platforms and uses them to\r\ndistribute fake job applications or lure targets into downloading a weaponized cryptocurrency wallet or trading application\r\nbased on legitimate applications. Citrine Sleet most commonly infects targets with the unique trojan malware it developed,\r\nAppleJeus, which collects information necessary to seize control of the targets’ cryptocurrency assets. The FudModule\r\nrootkit described in this blog has now been tied to Citrine Sleet as shared tooling with Diamond Sleet.\r\nThe United States government has assessed that North Korean actors, like Citrine Sleet, will likely continue targeting\r\nvulnerabilities of cryptocurrency technology firms, gaming companies, and exchanges to generate and launder funds to\r\nsupport the North Korean regime. 
One of the organizations targeted by the CVE-2024-7971 exploitation was also previously\r\ntargeted by Sapphire Sleet.\r\nCitrine Sleet is tracked by other security companies as AppleJeus, Labyrinth Chollima, UNC4736, and Hidden Cobra, and\r\nhas been attributed to Bureau 121 of North Korea’s Reconnaissance General Bureau.\r\nExploiting CVE-2024-7971\r\nhttps://www.microsoft.com/en-us/security/blog/2024/08/30/north-korean-threat-actor-citrine-sleet-exploiting-chromium-zero-day/\r\nPage 1 of 9\n\nThe observed zero-day exploit attack by Citrine Sleet used the typical stages seen in browser exploit chains. First, the targets\r\nwere directed to the Citrine Sleet-controlled exploit domain voyagorclub[.]space. While we cannot confirm at this time how\r\nthe targets were directed, social engineering is a common tactic used by Citrine Sleet. Once a target connected to the\r\ndomain, the zero-day RCE exploit for CVE-2024-7971 was served.\r\nAfter the RCE exploit achieved code execution in the sandboxed Chromium renderer process, shellcode containing a\r\nWindows sandbox escape exploit and the FudModule rootkit was downloaded, and then loaded into memory. The sandbox\r\nescape exploited CVE-2024-38106, a vulnerability in the Windows kernel that Microsoft fixed on August 13, 2024, before\r\nMicrosoft discovered this North Korean threat actor activity. CVE-2024-38106 was reported to Microsoft Security Response\r\nCenter (MSRC) as being exploited; however, our investigations so far have not suggested any link between the reported\r\nCVE-2024-38106 exploit activity and this Citrine Sleet exploit activity, beyond exploiting the same vulnerability. This may\r\nsuggest a “bug collision,” where the same vulnerability is independently discovered by separate threat actors, or knowledge\r\nof the vulnerability was shared by one vulnerability researcher to multiple actors.\r\nOnce the sandbox escape exploit was successful, the main FudModule rootkit ran in memory. 
This rootkit employs direct\r\nkernel object manipulation (DKOM) techniques to disrupt kernel security mechanisms, executes exclusively from user\r\nmode, and performs kernel tampering through a kernel read/write primitive. We did not observe any additional malware\r\nactivity on the target devices.\r\nCVE-2024-7971 zero-day exploitation attack chain leading to FudModule rootkit\r\nFudModule rootkit\r\nFudModule is a sophisticated rootkit malware that specifically targets kernel access while evading detection. Threat actors\r\nhave been observed using the FudModule data-only rootkit to establish admin-to-kernel access to Windows-based systems\r\nto allow read/write primitive functions and perform DKOM.\r\nDiamond Sleet has been observed using FudModule since October 2021. The earliest variant of FudModule was reported\r\npublicly in September 2022 by ESET and AhnLAB researchers, when threat actors exploited known vulnerable drivers to\r\nestablish admin-to-kernel access in the technique known as bring your own vulnerable driver (BYOVD). In February 2024,\r\nAvast researchers published analysis on an updated FudModule variant that is significantly more advanced and difficult to\r\ndetect, since it exploits a zero-day vulnerability in appid.sys, an AppLocker driver that is installed by default into Windows\r\n(CVE-2024-21338).\r\nFurther research by Avast uncovered a full attack chain deploying the updated variant of FudModule known as “FudModule\r\n2.0,” which includes malicious loaders and a late-stage remote access trojan (RAT). This attack chain revealed the\r\npreviously unknown malware Kaolin RAT was responsible for loading the FudModule rootkit to targeted devices. 
Kaolin\r\nRAT established a secure, AES-encrypted connection with the command and control (C2) server and had capabilities to\r\nexecute a robust list of commands, such as downloading and uploading files to the C2 server and creating or updating\r\nprocesses. The updated variant of FudModule exhibited an attack chain similar to that seen in Citrine Sleet’s zero-day\r\nexploit of CVE-2024-7971.\r\nOn August 13, Microsoft released a security update to address a zero-day vulnerability in the AFD.sys driver in Windows\r\n(CVE-2024-38193) identified by Gen Threat Labs. In early June, Gen Threat Labs identified Diamond Sleet exploiting this\r\nvulnerability in an attack employing the FudModule rootkit, which establishes full standard user-to-kernel access, advancing\r\nfrom the previously seen admin-to-kernel access. Gen Threat Labs released this information publicly on August 16.\r\nRecommendations\r\nThe CVE-2024-7971 exploit chain relies on multiple components to compromise a target, and this attack chain fails if any of\r\nthese components are blocked, including CVE-2024-38106. Microsoft released a security update on August 13, 2024, for the\r\nCVE-2024-38106 vulnerability exploited by Diamond Sleet, thus also blocking attempts to exploit the CVE-2024-7971\r\nexploit chain on updated systems. Customers who have not implemented these fixes yet are urged to do so as soon as\r\npossible for their organization’s security.\r\nZero-day exploits necessitate not only keeping systems up to date, but also security solutions that provide unified visibility\r\nacross the cyberattack chain to detect and block post-compromise attacker tools and malicious activity following\r\nexploitation. Microsoft recommends the following mitigations to reduce the impact of this threat.\r\nStrengthen operating environment configuration\r\nKeep operating systems and applications up to date. Apply security patches as soon as possible. 
Ensure that Google\r\nChrome web browser is updated at version 128.0.6613.84 or later, and Microsoft Edge web browser is updated at\r\nversion 128.0.2739.42 or later to address the CVE-2024-7971 vulnerability.\r\nEncourage users to use Microsoft Edge and other web browsers that support Microsoft Defender SmartScreen, which\r\nidentifies and blocks malicious websites, including phishing sites, scam sites, and sites that host malware.\r\nStrengthen Microsoft Defender for Endpoint configuration\r\nEnsure that tamper protection is turned on in Microsoft Defender for Endpoint.\r\nEnable network protection in Microsoft Defender for Endpoint.\r\nRun endpoint detection and response (EDR) in block mode so that Microsoft Defender for Endpoint can help block\r\nmalicious artifacts, even when your non-Microsoft antivirus does not detect the threat or when Microsoft Defender\r\nAntivirus is running in passive mode. EDR in block mode works behind the scenes to help remediate malicious\r\nartifacts that are detected post-breach.\r\nConfigure investigation and remediation in full automated mode to let Microsoft Defender for Endpoint take\r\nimmediate action on alerts to help resolve breaches, significantly reducing alert volume.\r\nStrengthen Microsoft Defender Antivirus configuration\r\nTurn on cloud-delivered protection in Microsoft Defender Antivirus, or the equivalent for your antivirus product, to\r\nhelp cover rapidly evolving attacker tools and techniques. 
Cloud-based machine learning protections block the majority\r\nof new and unknown variants.\r\nTurn on Microsoft Defender Antivirus scanning of downloaded files and attachments.\r\nTurn on real-time protection in Microsoft Defender Antivirus.\r\nDetection details\r\nMicrosoft Defender for Endpoint\r\nThe following Microsoft Defender for Endpoint alert might also indicate threat activity related to this threat. Note, however,\r\nthat this alert can also be triggered by unrelated threat activity.\r\nEmerging threat activity group Citrine Sleet detected\r\nMicrosoft Defender Vulnerability Management\r\nMicrosoft Defender Vulnerability Management surfaces devices that may be affected by the following vulnerabilities used in\r\nthis threat:\r\nCVE-2024-7971\r\nCVE-2024-38106\r\nThreat intelligence reports\r\nMicrosoft customers can use the following reports in Microsoft products to get the most up-to-date information about the\r\nthreat actor, malicious activity, and techniques discussed in this blog. These reports provide intelligence and protection\r\ninformation, and recommend actions to help prevent, mitigate, or respond to associated threats found in customer\r\nenvironments.\r\nMicrosoft Defender Threat Intelligence\r\nActor profile: Citrine Sleet\r\nActor profile: Diamond Sleet\r\nTool profile: AppleJeus\r\nHunting queries\r\nMicrosoft Defender XDR\r\nMicrosoft Defender XDR customers can run the following query to find related activity in their networks:\r\nCitrine Sleet domain activity\r\nMicrosoft Defender XDR customers may query for devices that may have interacted with Citrine Sleet domains related to\r\nthis activity. 
Note that Microsoft Defender for Endpoint customers may surface related events with the alert title “Emerging\r\nthreat activity group Citrine Sleet detected”.\r\nlet domainList = dynamic([\"weinsteinfrog.com\", \"voyagorclub.space\"]);\r\nunion\r\n(\r\nDnsEvents\r\n| where QueryType has_any(domainList) or Name has_any(domainList)\r\n| project TimeGenerated, Domain = QueryType, SourceTable = \"DnsEvents\"\r\n),\r\n(\r\nIdentityQueryEvents\r\n| where QueryTarget has_any(domainList)\r\n| project Timestamp, Domain = QueryTarget, SourceTable = \"IdentityQueryEvents\"\r\n),\r\n(\r\nDeviceNetworkEvents\r\n| where RemoteUrl has_any(domainList)\r\n| project Timestamp, Domain = RemoteUrl, SourceTable = \"DeviceNetworkEvents\"\r\n),\r\n(\r\nDeviceNetworkInfo\r\n| extend DnsAddresses = parse_json(DnsAddresses), ConnectedNetworks = parse_json(ConnectedNetworks)\r\n| mv-expand DnsAddresses, ConnectedNetworks\r\n| where DnsAddresses has_any(domainList) or ConnectedNetworks.Name has_any(domainList)\r\n| project Timestamp, Domain = coalesce(DnsAddresses, ConnectedNetworks.Name), SourceTable =\r\n\"DeviceNetworkInfo\"\r\n),\r\n(\r\nVMConnection\r\n| extend RemoteDnsQuestions = parse_json(RemoteDnsQuestions), RemoteDnsCanonicalNames =\r\nparse_json(RemoteDnsCanonicalNames)\r\n| mv-expand RemoteDnsQuestions, RemoteDnsCanonicalNames\r\n| where RemoteDnsQuestions has_any(domainList) or RemoteDnsCanonicalNames has_any(domainList)\r\n| project TimeGenerated, Domain = coalesce(RemoteDnsQuestions, RemoteDnsCanonicalNames), SourceTable =\r\n\"VMConnection\"\r\n),\r\n(\r\nW3CIISLog\r\n| where csHost has_any(domainList) or csReferer has_any(domainList)\r\n| project TimeGenerated, Domain = coalesce(csHost, 
csReferer), SourceTable = \"W3CIISLog\"\r\n),\r\n(\r\nEmailUrlInfo\r\n| where UrlDomain has_any(domainList)\r\n| project Timestamp, Domain = UrlDomain, SourceTable = \"EmailUrlInfo\"\r\n),\r\n(\r\nUrlClickEvents\r\n| where Url has_any(domainList)\r\n| project Timestamp, Domain = Url, SourceTable = \"UrlClickEvents\"\r\n)\r\n| order by TimeGenerated desc\r\nMicrosoft Sentinel\r\nMicrosoft Sentinel customers can use the TI Mapping analytics (a series of analytics all prefixed with ‘TI map’) to\r\nautomatically match the malicious domain indicators mentioned in this blog post with data in their workspace. If the TI Map\r\nanalytics are not currently deployed, customers can install the Threat Intelligence solution from the Microsoft Sentinel\r\nContent Hub to have the analytics rule deployed in their Sentinel workspace.\r\nSearch for domain IOCs\r\nlet domainList = dynamic([\"weinsteinfrog.com\", \"voyagorclub.space\"]);\r\nunion\r\n(\r\nDnsEvents\r\n| where QueryType has_any(domainList) or Name has_any(domainList)\r\n| project TimeGenerated, Domain = QueryType, SourceTable = \"DnsEvents\"\r\n),\r\n(\r\nIdentityQueryEvents\r\n| where QueryTarget has_any(domainList)\r\n| project TimeGenerated, Domain = QueryTarget, SourceTable = \"IdentityQueryEvents\"\r\n),\r\n(\r\nDeviceNetworkEvents\r\n| where RemoteUrl has_any(domainList)\r\n| project TimeGenerated, Domain = RemoteUrl, SourceTable = \"DeviceNetworkEvents\"\r\n),\r\n(\r\nDeviceNetworkInfo\r\n| extend DnsAddresses = parse_json(DnsAddresses), ConnectedNetworks = parse_json(ConnectedNetworks)\r\n| mv-expand DnsAddresses, ConnectedNetworks\r\n| where DnsAddresses has_any(domainList) or ConnectedNetworks.Name has_any(domainList)\r\n| project TimeGenerated, Domain = coalesce(DnsAddresses, ConnectedNetworks.Name), SourceTable 
=\r\n\"DeviceNetworkInfo\"\r\n),\r\n(\r\nVMConnection\r\n| extend RemoteDnsQuestions = parse_json(RemoteDnsQuestions), RemoteDnsCanonicalNames =\r\nparse_json(RemoteDnsCanonicalNames)\r\n| mv-expand RemoteDnsQuestions, RemoteDnsCanonicalNames\r\n| where RemoteDnsQuestions has_any(domainList) or RemoteDnsCanonicalNames has_any(domainList)\r\n| project TimeGenerated, Domain = coalesce(RemoteDnsQuestions, RemoteDnsCanonicalNames), SourceTable =\r\n\"VMConnection\"\r\n),\r\n(\r\nW3CIISLog\r\n| where csHost has_any(domainList) or csReferer has_any(domainList)\r\n| project TimeGenerated, Domain = coalesce(csHost, csReferer), SourceTable = \"W3CIISLog\"\r\n),\r\n(\r\nEmailUrlInfo\r\nhttps://www.microsoft.com/en-us/security/blog/2024/08/30/north-korean-threat-actor-citrine-sleet-exploiting-chromium-zero-day/\r\nPage 7 of 9\n\n| where UrlDomain has_any(domainList)\r\n| project TimeGenerated, Domain = UrlDomain, SourceTable = \"EmailUrlInfo\"\r\n),\r\n(\r\nUrlClickEvents\r\n| where Url has_any(domainList)\r\n| project TimeGenerated, Domain = Url, SourceTable = \"UrlClickEvents\"\r\n),\r\n(\r\nCommonSecurityLog\r\n| where DestinationDnsDomain has_any(domainList)\r\n| project TimeGenerated, Domain = DestinationDnsDomain, SourceTable = \"CommonSecurityLog\"\r\n),\r\n(\r\nEmailEvents\r\n| where SenderFromDomain has_any (domainList) or SenderMailFromDomain has_any (domainList)\r\n| project TimeGenerated, SenderfromDomain = SenderFromDomain,SenderMailfromDomain = SenderMailFromDomain,\r\nSourceTable = \"EmailEvents\"\r\n)\r\n| order by TimeGenerated desc\r\nAssess presence of vulnerabilities used by Citrine Sleet\r\nDeviceTvmSoftwareVulnerabilities\r\n| where CveId has_any (\"CVE-2024-7971\",\"CVE-2024-38106\",\"CVE-2024-38193\",\"CVE-2024-21338\")\r\n| project DeviceId,DeviceName,OSPlatform,OSVersion,SoftwareVendor,SoftwareName,SoftwareVersion,\r\nCveId,VulnerabilitySeverityLevel\r\n| join kind=inner ( DeviceTvmSoftwareVulnerabilitiesKB | project 
CveId,\r\nCvssScore,IsExploitAvailable,VulnerabilitySeverityLevel,PublishedDate,VulnerabilityDescription,AffectedSoftware\r\n) on CveId\r\n| project DeviceId,DeviceName,OSPlatform,OSVersion,SoftwareVendor,SoftwareName,SoftwareVersion,\r\nCveId,VulnerabilitySeverityLevel,CvssScore,IsExploitAvailable,PublishedDate,VulnerabilityDescription,AffectedSoftwar\r\nIndicators of compromise\r\nDuring the attacks, Microsoft observed the following IOCs:\r\nvoyagorclub[.]space\r\nweinsteinfrog[.]com\r\nReferences\r\nhttps://nvd.nist.gov/vuln/detail/CVE-2024-7971\r\nhttps://chromereleases.googleblog.com/2024/08/stable-channel-update-for-desktop_21.html\r\nhttps://nvd.nist.gov/vuln/detail/CVE-2024-4947\r\nhttps://nvd.nist.gov/vuln/detail/CVE-2024-5274\r\nhttps://decoded.avast.io/janvojtesek/lazarus-and-the-fudmodule-rootkit-beyond-byovd-with-an-admin-to-kernel-zero-day/\r\nhttps://www.virusbulletin.com/uploads/pdf/conference/vb2022/papers/VB2022-Lazarus-and-BYOVD-evil-to-the-Windows-core.pdf\r\nhttps://asec.ahnlab.com/wp-content/uploads/2022/09/Analysis-Report-on-Lazarus-Groups-Rootkit-Attack-Using-BYOVD_Sep-22-2022.pdf\r\nhttps://decoded.avast.io/luiginocamastra/from-byovd-to-a-0-day-unveiling-advanced-exploits-in-cyber-recruiting-scams/\r\nhttps://www.gendigital.com/blog/news/innovation/protecting-windows-users\r\nhttps://www.google.com/chrome/update/\r\nLearn more\r\nRead our blogs on threat actors, including Sleet actors. 
For the latest security research from the Microsoft Threat\r\nIntelligence community, check out the Microsoft Threat Intelligence Blog: https://aka.ms/threatintelblog.\r\nTo get notified about new publications and to join discussions on social media, follow us on LinkedIn at\r\nhttps://www.linkedin.com/showcase/microsoft-threat-intelligence, and on X (formerly Twitter)\r\nat https://twitter.com/MsftSecIntel.\r\nTo hear stories and insights from the Microsoft Threat Intelligence community about the ever-evolving threat landscape,\r\nlisten to the Microsoft Threat Intelligence podcast: https://thecyberwire.com/podcasts/microsoft-threat-intelligence.\r\nSource: https://www.microsoft.com/en-us/security/blog/2024/08/30/north-korean-threat-actor-citrine-sleet-exploiting-chromium-zero-day/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MISPGALAXY",
		"Malpedia",
		"ETDA"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://www.microsoft.com/en-us/security/blog/2024/08/30/north-korean-threat-actor-citrine-sleet-exploiting-chromium-zero-day/"
	],
	"report_names": [
		"north-korean-threat-actor-citrine-sleet-exploiting-chromium-zero-day"
	],
	"threat_actors": [
		{
			"id": "d90307b6-14a9-4d0b-9156-89e453d6eb13",
			"created_at": "2022-10-25T16:07:23.773944Z",
			"updated_at": "2026-04-10T02:00:04.746188Z",
			"deleted_at": null,
			"main_name": "Lead",
			"aliases": [
				"Casper",
				"TG-3279"
			],
			"source_name": "ETDA:Lead",
			"tools": [
				"Agentemis",
				"BleDoor",
				"Cobalt Strike",
				"CobaltStrike",
				"RbDoor",
				"RibDoor",
				"Winnti",
				"cobeacon"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "34eea331-d052-4096-ae03-a22f1d090bd4",
			"created_at": "2025-08-07T02:03:25.073494Z",
			"updated_at": "2026-04-10T02:00:03.709243Z",
			"deleted_at": null,
			"main_name": "NICKEL ACADEMY",
			"aliases": [
				"ATK3 ",
				"Black Artemis ",
				"COVELLITE ",
				"CTG-2460 ",
				"Citrine Sleet ",
				"Diamond Sleet ",
				"Guardians of Peace",
				"HIDDEN COBRA ",
				"High Anonymous",
				"Labyrinth Chollima ",
				"Lazarus Group ",
				"NNPT Group",
				"New Romanic Cyber Army Team",
				"Temp.Hermit ",
				"UNC577 ",
				"Who Am I?",
				"Whois Team",
				"ZINC "
			],
			"source_name": "Secureworks:NICKEL ACADEMY",
			"tools": [
				"Destover",
				"KorHigh",
				"Volgmer"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "810fada6-3a62-477e-ac11-2702f9a1ef80",
			"created_at": "2023-01-06T13:46:38.874104Z",
			"updated_at": "2026-04-10T02:00:03.129286Z",
			"deleted_at": null,
			"main_name": "STARDUST CHOLLIMA",
			"aliases": [
				"Sapphire Sleet"
			],
			"source_name": "MISPGALAXY:STARDUST CHOLLIMA",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "9f101d9c-05ea-48b9-b6f1-168cd6d06d12",
			"created_at": "2023-01-06T13:46:39.396409Z",
			"updated_at": "2026-04-10T02:00:03.312816Z",
			"deleted_at": null,
			"main_name": "Earth Lusca",
			"aliases": [
				"CHROMIUM",
				"ControlX",
				"TAG-22",
				"BRONZE UNIVERSITY",
				"AQUATIC PANDA",
				"RedHotel",
				"Charcoal Typhoon",
				"Red Scylla",
				"Red Dev 10",
				"BountyGlad"
			],
			"source_name": "MISPGALAXY:Earth Lusca",
			"tools": [
				"RouterGod",
				"SprySOCKS",
				"ShadowPad",
				"POISONPLUG",
				"Barlaiy",
				"Spyder",
				"FunnySwitch"
			],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "e265bb3a-eb4c-4999-9b1d-c24a0d05a7f0",
			"created_at": "2023-12-21T02:00:06.096716Z",
			"updated_at": "2026-04-10T02:00:03.502439Z",
			"deleted_at": null,
			"main_name": "UNC4736",
			"aliases": [],
			"source_name": "MISPGALAXY:UNC4736",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "544ecd2c-82c9-417c-9d98-d1ae395df964",
			"created_at": "2025-10-29T02:00:52.035025Z",
			"updated_at": "2026-04-10T02:00:05.408558Z",
			"deleted_at": null,
			"main_name": "AppleJeus",
			"aliases": [
				"AppleJeus",
				"Gleaming Pisces",
				"Citrine Sleet",
				"UNC1720",
				"UNC4736"
			],
			"source_name": "MITRE:AppleJeus",
			"tools": null,
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "732597b1-40a8-474c-88cc-eb8a421c29f1",
			"created_at": "2025-08-07T02:03:25.087732Z",
			"updated_at": "2026-04-10T02:00:03.776007Z",
			"deleted_at": null,
			"main_name": "NICKEL GLADSTONE",
			"aliases": [
				"APT38 ",
				"ATK 117 ",
				"Alluring Pisces ",
				"Black Alicanto ",
				"Bluenoroff ",
				"CTG-6459 ",
				"Citrine Sleet ",
				"HIDDEN COBRA ",
				"Lazarus Group",
				"Sapphire Sleet ",
				"Selective Pisces ",
				"Stardust Chollima ",
				"T-APT-15 ",
				"TA444 ",
				"TAG-71 "
			],
			"source_name": "Secureworks:NICKEL GLADSTONE",
			"tools": [
				"AlphaNC",
				"Bankshot",
				"CCGC_Proxy",
				"Ratankba",
				"RustBucket",
				"SUGARLOADER",
				"SwiftLoader",
				"Wcry"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "a2b92056-9378-4749-926b-7e10c4500dac",
			"created_at": "2023-01-06T13:46:38.430595Z",
			"updated_at": "2026-04-10T02:00:02.971571Z",
			"deleted_at": null,
			"main_name": "Lazarus Group",
			"aliases": [
				"Operation DarkSeoul",
				"Bureau 121",
				"Group 77",
				"APT38",
				"NICKEL GLADSTONE",
				"G0082",
				"COPERNICIUM",
				"Moonstone Sleet",
				"Operation GhostSecret",
				"APT 38",
				"Appleworm",
				"Unit 121",
				"ATK3",
				"G0032",
				"ATK117",
				"NewRomanic Cyber Army Team",
				"Nickel Academy",
				"Sapphire Sleet",
				"Lazarus group",
				"Hastati Group",
				"Subgroup: Bluenoroff",
				"Operation Troy",
				"Black Artemis",
				"Dark Seoul",
				"Andariel",
				"Labyrinth Chollima",
				"Operation AppleJeus",
				"COVELLITE",
				"Citrine Sleet",
				"DEV-0139",
				"DEV-1222",
				"Hidden Cobra",
				"Bluenoroff",
				"Stardust Chollima",
				"Whois Hacking Team",
				"Diamond Sleet",
				"TA404",
				"BeagleBoyz",
				"APT-C-26"
			],
			"source_name": "MISPGALAXY:Lazarus Group",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "18a7b52d-a1cd-43a3-8982-7324e3e676b7",
			"created_at": "2025-08-07T02:03:24.688416Z",
			"updated_at": "2026-04-10T02:00:03.734754Z",
			"deleted_at": null,
			"main_name": "BRONZE UNIVERSITY",
			"aliases": [
				"Aquatic Panda",
				"Aquatic Panda ",
				"CHROMIUM",
				"CHROMIUM ",
				"Charcoal Typhoon",
				"Charcoal Typhoon ",
				"Earth Lusca",
				"Earth Lusca ",
				"FISHMONGER ",
				"Red Dev 10",
				"Red Dev 10 ",
				"Red Scylla",
				"Red Scylla ",
				"RedHotel",
				"RedHotel ",
				"Tag-22",
				"Tag-22 "
			],
			"source_name": "Secureworks:BRONZE UNIVERSITY",
			"tools": [
				"Cobalt Strike",
				"Fishmaster",
				"FunnySwitch",
				"Spyder",
				"njRAT"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "32a223a8-3c79-4146-87c5-8557d38662ae",
			"created_at": "2022-10-25T15:50:23.703698Z",
			"updated_at": "2026-04-10T02:00:05.261989Z",
			"deleted_at": null,
			"main_name": "Lazarus Group",
			"aliases": [
				"Lazarus Group",
				"Labyrinth Chollima",
				"HIDDEN COBRA",
				"Guardians of Peace",
				"NICKEL ACADEMY",
				"Diamond Sleet"
			],
			"source_name": "MITRE:Lazarus Group",
			"tools": [
				"RawDisk",
				"Proxysvc",
				"BADCALL",
				"FALLCHILL",
				"WannaCry",
				"MagicRAT",
				"HOPLIGHT",
				"TYPEFRAME",
				"Dtrack",
				"HotCroissant",
				"HARDRAIN",
				"Dacls",
				"KEYMARBLE",
				"TAINTEDSCRIBE",
				"AuditCred",
				"netsh",
				"ECCENTRICBANDWAGON",
				"AppleJeus",
				"BLINDINGCAN",
				"ThreatNeedle",
				"Volgmer",
				"Cryptoistic",
				"RATANKBA",
				"Bankshot"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "f426f0a0-faef-4c0e-bcf8-88974116c9d0",
			"created_at": "2022-10-25T15:50:23.240383Z",
			"updated_at": "2026-04-10T02:00:05.299433Z",
			"deleted_at": null,
			"main_name": "APT38",
			"aliases": [
				"APT38",
				"NICKEL GLADSTONE",
				"BeagleBoyz",
				"Bluenoroff",
				"Stardust Chollima",
				"Sapphire Sleet",
				"COPERNICIUM"
			],
			"source_name": "MITRE:APT38",
			"tools": [
				"ECCENTRICBANDWAGON",
				"HOPLIGHT",
				"Mimikatz",
				"KillDisk",
				"DarkComet"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "1bdb91cf-f1a6-4bed-8cfa-c7ea1b635ebd",
			"created_at": "2022-10-25T16:07:23.766784Z",
			"updated_at": "2026-04-10T02:00:04.7432Z",
			"deleted_at": null,
			"main_name": "Bluenoroff",
			"aliases": [
				"APT 38",
				"ATK 117",
				"Alluring Pisces",
				"Black Alicanto",
				"Bluenoroff",
				"CTG-6459",
				"Copernicium",
				"G0082",
				"Nickel Gladstone",
				"Sapphire Sleet",
				"Selective Pisces",
				"Stardust Chollima",
				"T-APT-15",
				"TA444",
				"TAG-71",
				"TEMP.Hermit"
			],
			"source_name": "ETDA:Bluenoroff",
			"tools": [],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "6abcc917-035c-4e9b-a53f-eaee636749c3",
			"created_at": "2022-10-25T16:07:23.565337Z",
			"updated_at": "2026-04-10T02:00:04.668393Z",
			"deleted_at": null,
			"main_name": "Earth Lusca",
			"aliases": [
				"Bronze University",
				"Charcoal Typhoon",
				"Chromium",
				"G1006",
				"Red Dev 10",
				"Red Scylla"
			],
			"source_name": "ETDA:Earth Lusca",
			"tools": [
				"Agentemis",
				"AntSword",
				"BIOPASS",
				"BIOPASS RAT",
				"BadPotato",
				"Behinder",
				"BleDoor",
				"Cobalt Strike",
				"CobaltStrike",
				"Doraemon",
				"FRP",
				"Fast Reverse Proxy",
				"FunnySwitch",
				"HUC Port Banner Scanner",
				"KTLVdoor",
				"Mimikatz",
				"NBTscan",
				"POISONPLUG.SHADOW",
				"PipeMon",
				"RbDoor",
				"RibDoor",
				"RouterGod",
				"SAMRID",
				"ShadowPad Winnti",
				"SprySOCKS",
				"WinRAR",
				"Winnti",
				"XShellGhost",
				"cobeacon",
				"fscan",
				"lcx",
				"nbtscan"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "d53593c3-2819-4af3-bf16-0c39edc64920",
			"created_at": "2022-10-27T08:27:13.212301Z",
			"updated_at": "2026-04-10T02:00:05.272802Z",
			"deleted_at": null,
			"main_name": "Earth Lusca",
			"aliases": [
				"Earth Lusca",
				"TAG-22",
				"Charcoal Typhoon",
				"CHROMIUM",
				"ControlX"
			],
			"source_name": "MITRE:Earth Lusca",
			"tools": [
				"Mimikatz",
				"PowerSploit",
				"Tasklist",
				"certutil",
				"Cobalt Strike",
				"Winnti for Linux",
				"Nltest",
				"NBTscan",
				"ShadowPad"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "f32df445-9fb4-4234-99e0-3561f6498e4e",
			"created_at": "2022-10-25T16:07:23.756373Z",
			"updated_at": "2026-04-10T02:00:04.739611Z",
			"deleted_at": null,
			"main_name": "Lazarus Group",
			"aliases": [
				"APT-C-26",
				"ATK 3",
				"Appleworm",
				"Citrine Sleet",
				"DEV-0139",
				"Diamond Sleet",
				"G0032",
				"Gleaming Pisces",
				"Gods Apostles",
				"Gods Disciples",
				"Group 77",
				"Guardians of Peace",
				"Hastati Group",
				"Hidden Cobra",
				"ITG03",
				"Jade Sleet",
				"Labyrinth Chollima",
				"Lazarus Group",
				"NewRomanic Cyber Army Team",
				"Operation 99",
				"Operation AppleJeus",
				"Operation AppleJeus sequel",
				"Operation Blockbuster: Breach of Sony Pictures Entertainment",
				"Operation CryptoCore",
				"Operation Dream Job",
				"Operation Dream Magic",
				"Operation Flame",
				"Operation GhostSecret",
				"Operation In(ter)caption",
				"Operation LolZarus",
				"Operation Marstech Mayhem",
				"Operation No Pineapple!",
				"Operation North Star",
				"Operation Phantom Circuit",
				"Operation Sharpshooter",
				"Operation SyncHole",
				"Operation Ten Days of Rain / DarkSeoul",
				"Operation Troy",
				"SectorA01",
				"Slow Pisces",
				"TA404",
				"TraderTraitor",
				"UNC2970",
				"UNC4034",
				"UNC4736",
				"UNC4899",
				"UNC577",
				"Whois Hacking Team"
			],
			"source_name": "ETDA:Lazarus Group",
			"tools": [
				"3CX Backdoor",
				"3Rat Client",
				"3proxy",
				"AIRDRY",
				"ARTFULPIE",
				"ATMDtrack",
				"AlphaNC",
				"Alreay",
				"Andaratm",
				"AngryRebel",
				"AppleJeus",
				"Aryan",
				"AuditCred",
				"BADCALL",
				"BISTROMATH",
				"BLINDINGCAN",
				"BTC Changer",
				"BUFFETLINE",
				"BanSwift",
				"Bankshot",
				"Bitrep",
				"Bitsran",
				"BlindToad",
				"Bookcode",
				"BootWreck",
				"BottomLoader",
				"Brambul",
				"BravoNC",
				"Breut",
				"COLDCAT",
				"COPPERHEDGE",
				"CROWDEDFLOUNDER",
				"Castov",
				"CheeseTray",
				"CleanToad",
				"ClientTraficForwarder",
				"CollectionRAT",
				"Concealment Troy",
				"Contopee",
				"CookieTime",
				"Cyruslish",
				"DAVESHELL",
				"DBLL Dropper",
				"DLRAT",
				"DRATzarus",
				"DRATzarus RAT",
				"Dacls",
				"Dacls RAT",
				"DarkComet",
				"DarkKomet",
				"DeltaCharlie",
				"DeltaNC",
				"Dembr",
				"Destover",
				"DoublePulsar",
				"Dozer",
				"Dtrack",
				"Duuzer",
				"DyePack",
				"ECCENTRICBANDWAGON",
				"ELECTRICFISH",
				"Escad",
				"EternalBlue",
				"FALLCHILL",
				"FYNLOS",
				"FallChill RAT",
				"Farfli",
				"Fimlis",
				"FoggyBrass",
				"FudModule",
				"Fynloski",
				"Gh0st RAT",
				"Ghost RAT",
				"Gopuram",
				"HARDRAIN",
				"HIDDEN COBRA RAT/Worm",
				"HLOADER",
				"HOOKSHOT",
				"HOPLIGHT",
				"HOTCROISSANT",
				"HOTWAX",
				"HTTP Troy",
				"Hawup",
				"Hawup RAT",
				"Hermes",
				"HotCroissant",
				"HotelAlfa",
				"Hotwax",
				"HtDnDownLoader",
				"Http Dr0pper",
				"ICONICSTEALER",
				"Joanap",
				"Jokra",
				"KANDYKORN",
				"KEYMARBLE",
				"Kaos",
				"KillDisk",
				"KillMBR",
				"Koredos",
				"Krademok",
				"LIGHTSHIFT",
				"LIGHTSHOW",
				"LOLBAS",
				"LOLBins",
				"Lazarus",
				"LightlessCan",
				"Living off the Land",
				"MATA",
				"MBRkiller",
				"MagicRAT",
				"Manuscrypt",
				"Mimail",
				"Mimikatz",
				"Moudour",
				"Mydoom",
				"Mydoor",
				"Mytob",
				"NACHOCHEESE",
				"NachoCheese",
				"NestEgg",
				"NickelLoader",
				"NineRAT",
				"Novarg",
				"NukeSped",
				"OpBlockBuster",
				"PCRat",
				"PEBBLEDASH",
				"PLANKWALK",
				"POOLRAT",
				"PSLogger",
				"PhanDoor",
				"Plink",
				"PondRAT",
				"PowerBrace",
				"PowerRatankba",
				"PowerShell RAT",
				"PowerSpritz",
				"PowerTask",
				"Preft",
				"ProcDump",
				"Proxysvc",
				"PuTTY Link",
				"QUICKRIDE",
				"QUICKRIDE.POWER",
				"Quickcafe",
				"QuiteRAT",
				"R-C1",
				"ROptimizer",
				"Ratabanka",
				"RatabankaPOS",
				"Ratankba",
				"RatankbaPOS",
				"RawDisk",
				"RedShawl",
				"Rifdoor",
				"Rising Sun",
				"Romeo-CoreOne",
				"RomeoAlfa",
				"RomeoBravo",
				"RomeoCharlie",
				"RomeoCore",
				"RomeoDelta",
				"RomeoEcho",
				"RomeoFoxtrot",
				"RomeoGolf",
				"RomeoHotel",
				"RomeoMike",
				"RomeoNovember",
				"RomeoWhiskey",
				"Romeos",
				"RustBucket",
				"SHADYCAT",
				"SHARPKNOT",
				"SIGFLIP",
				"SIMPLESEA",
				"SLICKSHOES",
				"SORRYBRUTE",
				"SUDDENICON",
				"SUGARLOADER",
				"SheepRAT",
				"SierraAlfa",
				"SierraBravo",
				"SierraCharlie",
				"SierraJuliett-MikeOne",
				"SierraJuliett-MikeTwo",
				"SimpleTea",
				"SimplexTea",
				"SmallTiger",
				"Stunnel",
				"TAINTEDSCRIBE",
				"TAXHAUL",
				"TFlower",
				"TOUCHKEY",
				"TOUCHMOVE",
				"TOUCHSHIFT",
				"TOUCHSHOT",
				"TWOPENCE",
				"TYPEFRAME",
				"Tdrop",
				"Tdrop2",
				"ThreatNeedle",
				"Tiger RAT",
				"TigerRAT",
				"Trojan Manuscript",
				"Troy",
				"TroyRAT",
				"VEILEDSIGNAL",
				"VHD",
				"VHD Ransomware",
				"VIVACIOUSGIFT",
				"VSingle",
				"ValeforBeta",
				"Volgmer",
				"Vyveva",
				"W1_RAT",
				"Wana Decrypt0r",
				"WanaCry",
				"WanaCrypt",
				"WanaCrypt0r",
				"WannaCry",
				"WannaCrypt",
				"WannaCryptor",
				"WbBot",
				"Wcry",
				"Win32/KillDisk.NBB",
				"Win32/KillDisk.NBC",
				"Win32/KillDisk.NBD",
				"Win32/KillDisk.NBH",
				"Win32/KillDisk.NBI",
				"WinorDLL64",
				"Winsec",
				"WolfRAT",
				"Wormhole",
				"YamaBot",
				"Yort",
				"ZetaNile",
				"concealment_troy",
				"http_troy",
				"httpdr0pper",
				"httpdropper",
				"klovbot",
				"sRDI"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434255,
	"ts_updated_at": 1775826773,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/59f6074eedfe0f5dcb0c6e4054b6baaac0568587.pdf",
		"text": "https://archive.orkl.eu/59f6074eedfe0f5dcb0c6e4054b6baaac0568587.txt",
		"img": "https://archive.orkl.eu/59f6074eedfe0f5dcb0c6e4054b6baaac0568587.jpg"
	}
}