Subgroup: Bluenoroff, APT 38, Stardust Chollima
Archived: 2026-04-05 22:37:42 UTC

Names
Bluenoroff (Kaspersky)
APT 38 (Mandiant)
Stardust Chollima (CrowdStrike)
CTG-6459 (SecureWorks)
Nickel Gladstone (SecureWorks)
TEMP.Hermit (FireEye)
T-APT-15 (Tencent)
ATK 117 (Thales)
Black Alicanto (PWC)
Copernicium (Microsoft)
TA444 (Proofpoint)
Sapphire Sleet (Microsoft)
TAG-71 (Recorded Future)
Alluring Pisces (Palo Alto)
Selective Pisces (Palo Alto)
G0082 (MITRE)

Country: North Korea
Motivation: Financial crime
First seen: 2014

Description
A subgroup of Lazarus Group, Hidden Cobra, Labyrinth Chollima.

(Kaspersky) The Lazarus Group, a nation-state-level attacker tied to the 2014 attacks on Sony Pictures Entertainment, has splintered off a portion of its operation to concentrate on stealing money to fund itself.

Observed

Tools used

Operations performed
Oct 2015: Duuzer backdoor Trojan targets South Korea to take over computers
Symantec has found that South Korea is being impacted by an active back door Trojan, detected as Backdoor.Duuzer. While the malware attack has not been exclusively targeting the region, it has been focusing on the South Korean manufacturing industry. Duuzer is a well-designed threat that gives attackers remote access to the compromised computer, downloads additional files, and steals data. It is clearly the work of skilled attackers looking to obtain valuable information.

2015: SWIFT attack on a bank in the Philippines

Dec 2015: Attempted SWIFT attack on TPBank in Vietnam

May 2016: SWIFT attack on Banco del Austro in Ecuador

Oct 2016: Mexican and Polish financial attack
Organizations in 31 countries have been targeted in a new wave of attacks that has been underway since at least October 2016. The attackers used compromised websites, or "watering holes", to infect pre-selected targets with previously unknown malware. No evidence has been found yet that funds have been stolen from any infected bank.

2017: Spear-phishing campaign
In this campaign, the group sends spear-phishing emails containing an archived Windows shortcut file. The file names are disguised as security- or cryptocurrency-related files in order to entice users into executing them.

Oct 2017: SWIFT attack on Far Eastern International Bank (FEIB) in Taiwan

Jan 2018: Attempted heist at Bancomext in Mexico

May 2018: SWIFT attack on Banco de Chile in Chile

Aug 2018: SWIFT attack on Cosmos Bank in India

Dec 2018: ATM breach of Redbanc in Chile

Nov 2021: The BlueNoroff cryptocurrency hunt is still on

2022: TA444: The APT Startup Aimed at Acquisition (of Your Funds)

Sep 2022: North Korean hackers spoof venture capital firms in Japan, Vietnam and US

Oct 2022: BlueNoroff introduces new methods bypassing MoTW

Dec 2022: Bluenoroff's RustBucket campaign

Apr 2023: BlueNoroff Hidden Risk | Threat Actor Targets Macs with Fake Crypto News and Novel Persistence

Jun 2023: The DPRK strikes using a new variant of RUSTBUCKET

Sep 2023: BlueNoroff strikes again with new macOS malware

Oct 2023: BlueNoroff: new Trojan attacking macOS users

Nov 2023: Microsoft: BlueNoroff hackers plan new crypto-theft attacks

Jun 2025: Feeling Blue(Noroff): Inside a Sophisticated DPRK Web3 Intrusion

Counter operations
Apr 2023: Prison Time for 11 Involved in India's Cosmos Bank Heist

Feb 2025: OpenAI bans ChatGPT accounts used by North Korean hackers

Information
MITRE ATT&CK

Last change to this card: 16 August 2025

Source: https://apt.etda.or.th/cgi-bin/showcard.cgi?u=a979f6ac-99b3-4810-9362-94187db06784