{
	"id": "a42bbf82-bb6e-4657-9fb9-f64d793ccc32",
	"created_at": "2026-04-06T00:17:46.053563Z",
	"updated_at": "2026-04-10T03:38:20.6752Z",
	"deleted_at": null,
	"sha1_hash": "7cc6d00e992b5cb07353fe26be042d94fc46eac3",
	"title": "FASTCash 2.0: North Korea's BeagleBoyz Robbing Banks | CISA",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 212149,
	"plain_text": "FASTCash 2.0: North Korea's BeagleBoyz Robbing Banks | CISA\r\nPublished: 2020-10-24 · Archived: 2026-04-05 14:42:08 UTC\r\nSummary\r\nThis Alert uses the MITRE Adversarial Tactics, Techniques, and Common Knowledge (ATT\u0026CK®) framework. See the ATT\u0026CK for Enterprise framework for all referenced threat actor techniques.\r\nThis joint advisory is the result of analytic efforts among the Cybersecurity and Infrastructure Security Agency (CISA), the Department of the Treasury (Treasury), the Federal Bureau of Investigation (FBI) and U.S. Cyber Command (USCYBERCOM). Working with U.S. government partners, CISA, Treasury, FBI, and USCYBERCOM identified malware and indicators of compromise (IOCs) used by the North Korean government in an automated teller machine (ATM) cash-out scheme—referred to by the U.S. Government as “FASTCash 2.0: North Korea's BeagleBoyz Robbing Banks.”\r\nCISA, Treasury, FBI, and USCYBERCOM highlight the cyber threat posed by North Korea—formally known as the Democratic People’s Republic of Korea (DPRK)—and provide recommended steps to mitigate the threat.\r\nRefer to the following Malware Analysis Reports for associated IOCs: CROWDEDFLOUNDER, ECCENTRICBANDWAGON, ELECTRICFISH, FASTCash for Windows, HOPLIGHT, and VIVACIOUSGIFT.\r\n!!!WARNING!!!\r\nSince February 2020, North Korea has resumed targeting banks in multiple countries to initiate fraudulent international money transfers and ATM cash outs. The recent resurgence follows a lull in bank targeting since late 2019. 
This advisory provides an overview of North Korea’s extensive, global cyber-enabled bank robbery scheme,\r\na short profile of the group responsible for this activity, in-depth technical analysis, and detection and mitigation\r\nrecommendations to counter this ongoing threat to the Financial Services sector.\r\n!!!WARNING!!!\r\nTechnical Details\r\nNorth Korea's intelligence apparatus controls a hacking team dedicated to robbing banks through remote internet\r\naccess. To differentiate methods from other North Korean malicious cyber activity, the U.S. Government refers to\r\nthis team as BeagleBoyz, who represent a subset of HIDDEN COBRA activity. The BeagleBoyz overlap to\r\nvarying degrees with groups tracked by the cybersecurity industry as Lazarus, Advanced Persistent Threat 38\r\n(APT38), Bluenoroff, and Stardust Chollima and are responsible for the FASTCash ATM cash outs reported in\r\nOctober 2018, fraudulent abuse of compromised bank-operated SWIFT system endpoints since at least 2015, and\r\nlucrative cryptocurrency thefts. This illicit behavior has been identified by the United Nations (UN) DPRK Panel\r\nof Experts as evasion of UN Security Council resolutions, as it generates substantial revenue for North Korea.\r\nhttps://us-cert.cisa.gov/ncas/alerts/aa20-239a\r\nPage 1 of 17\n\nNorth Korea can use these funds for its UN-prohibited nuclear weapons and ballistic missile programs.\r\nAdditionally, this activity poses significant operational risk to the Financial Services sector and erodes the\r\nintegrity of the financial system.\r\nThe BeagleBoyz’s bank robberies pose severe operational risk for individual firms beyond reputational\r\nharm and financial loss from theft and recovery costs. The BeagleBoyz have attempted to steal nearly $2\r\nbillion since at least 2015, according to public estimates. 
Equally concerning, these malicious actors have\r\nmanipulated and, at times, rendered inoperable, critical computer systems at banks and other financial institutions.\r\n \r\nIn 2018, a bank in Africa could not resume normal ATM or point of sale services for its customers for\r\nalmost two months following an attempted FASTCash incident.\r\nThe BeagleBoyz often put destructive anti-forensic tools onto computer networks of victim institutions.\r\nAdditionally, in 2018, they deployed wiper malware against a bank in Chile that crashed thousands of\r\ncomputers and servers to distract from efforts to send fraudulent messages from the bank’s compromised\r\nSWIFT terminal.\r\nNorth Korea’s widespread international bank robbery scheme that exploits critical banking systems may\r\nerode confidence in those systems and presents risks to financial institutions across the world. Any\r\nBeagleBoyz robbery directed at one bank implicates many other financial services firms in both the theft and the\r\nflow of illicit funds back to North Korea. BeagleBoyz activity fits a known North Korean pattern of abusing the\r\ninternational financial system for profit.\r\nFraudulent ATM cash outs have affected upwards of 30 countries in a single incident. The conspirators\r\nhave withdrawn cash from ATM machines operated by various unwitting banks in multiple countries,\r\nincluding in the United States.\r\nThe BeagleBoyz also use unwitting banks, including banks in the United States, for their SWIFT fraud\r\nscheme. These banks are custodians of accounts belonging to victim banks or unknowingly serve as a pass-through for the fraud. Most infamously, the BeagleBoyz stole $81 million from the Bank of Bangladesh in\r\n2016. 
The Federal Reserve Bank of New York stopped the remainder of this attempted $1 billion theft after detecting anomalies in the transfer instructions it had received.\r\nFASTCash Update\r\nNorth Korea’s BeagleBoyz are responsible for the sophisticated cyber-enabled ATM cash-out campaigns identified publicly as “FASTCash” in October 2018. Since 2016, the BeagleBoyz have perpetrated the FASTCash scheme, targeting banks’ retail payment system infrastructure (i.e., switch application servers processing ISO 8583 messages, the International Organization for Standardization standard for financial transaction messaging).\r\nSince the October 2018 publication, there have been two particularly significant developments in the campaign: (1) the capability to conduct the FASTCash scheme against banks hosting their switch applications on Windows servers, and (2) an expansion of the FASTCash campaign to target interbank payment processors.\r\nIn October 2018, the U.S. Government identified malware used in the FASTCash scheme that has the capability to manipulate AIX servers running a bank's switch application to intercept financial request messages and reply with fraudulent, but legitimate-looking, affirmative response messages to enable extensive ATM cash outs. The U.S. Government has since identified functionally equivalent malware for the Windows operating system. Please see the Technical Analysis section below for more information about the ISO 8583 malware for Windows.\r\nThe BeagleBoyz initially targeted switch applications at individual banks with FASTCash malware but, more recently, have targeted at least two regional interbank payment processors. 
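The interception described in the FASTCash Update above, as an added example that is not code from the advisory or from the FASTCash malware: a minimal ISO 8583 codec covering a handful of data elements, plus a reconciliation check that flags any 0210 response the switch sent as approved (response code 00) for which the core banking host recorded no approval. The field subset, the STAN-keyed matching, and all sample PANs, amounts and core decisions are assumptions constructed for illustration; production switches use their own field layouts and transaction identifiers.

```python
# Added example, not from the CISA advisory: a minimal ISO 8583 codec and a
# reconciliation check for switch responses approved without a matching
# core-banking authorization (the effect of a FASTCash-style interception).
# The field subset, sample PANs, amounts and core decisions are constructed
# for illustration and are not taken from the advisory.

# Subset of ISO 8583 data elements: bit -> (name, kind, length).
# kind 'fixed' is fixed-width ASCII; 'llvar' carries a 2-digit length prefix.
FIELDS = {
    2: ('pan', 'llvar', 19),
    3: ('processing_code', 'fixed', 6),
    4: ('amount', 'fixed', 12),
    11: ('stan', 'fixed', 6),
    37: ('rrn', 'fixed', 12),
    38: ('auth_code', 'fixed', 6),
    39: ('response_code', 'fixed', 2),
    41: ('terminal_id', 'fixed', 8),
    49: ('currency', 'fixed', 3),
}

def encode(mti, fields):
    # Build MTI + primary bitmap (bits 1-64, hex) + data elements in bit order.
    bitmap = 0
    body = ''
    for bit in sorted(fields):
        name, kind, length = FIELDS[bit]
        value = str(fields[bit])
        if kind == 'llvar':
            if len(value) > length:
                raise ValueError('field %d too long' % bit)
            body += '%02d%s' % (len(value), value)
        else:
            if len(value) != length:
                raise ValueError('field %d must be %d chars' % (bit, length))
            body += value
        bitmap |= 1 << (64 - bit)
    return mti + '%016X' % bitmap + body

def decode(msg):
    # Return (mti, {name: value}); raises on any bit outside the subset.
    mti, bitmap, pos = msg[:4], int(msg[4:20], 16), 20
    fields = {}
    for bit in range(2, 65):
        if not bitmap & (1 << (64 - bit)):
            continue
        if bit not in FIELDS:
            raise ValueError('unsupported field %d' % bit)
        name, kind, length = FIELDS[bit]
        if kind == 'llvar':
            n = int(msg[pos:pos + 2])
            pos += 2
            fields[name] = msg[pos:pos + n]
            pos += n
        else:
            fields[name] = msg[pos:pos + length]
            pos += length
    return mti, fields

def reconcile(requests, responses, core_decisions):
    # requests/responses: raw 0200/0210 messages seen at the switch.
    # core_decisions: {stan: response_code} as recorded by the core banking
    # host. Any 0210 the switch approved (39 == '00') that the core did not
    # approve is reported; a FASTCash implant produces exactly such responses.
    req_by_stan = {}
    for raw in requests:
        _, f = decode(raw)
        req_by_stan[f['stan']] = f
    alerts = []
    for raw in responses:
        mti, f = decode(raw)
        if mti != '0210' or f.get('response_code') != '00':
            continue
        core = core_decisions.get(f['stan'])
        if core != '00':
            req = req_by_stan.get(f['stan'], {})
            alerts.append({'stan': f['stan'], 'pan': req.get('pan'),
                           'amount': req.get('amount'), 'core_decision': core})
    return alerts

# Constructed traffic: one genuine approval and one withdrawal the core
# declined (51 = insufficient funds) that still went back to the ATM approved.
REQUESTS = [
    encode('0200', {2: '4000001234567890', 3: '010000', 4: '000000050000',
                    11: '000101', 37: '000000000101', 41: 'ATM00001', 49: '840'}),
    encode('0200', {2: '4000009876543210', 3: '010000', 4: '000000500000',
                    11: '000102', 37: '000000000102', 41: 'ATM00002', 49: '840'}),
]
RESPONSES = [
    encode('0210', {2: '4000001234567890', 3: '010000', 4: '000000050000',
                    11: '000101', 37: '000000000101', 38: 'A1B2C3', 39: '00',
                    41: 'ATM00001', 49: '840'}),
    encode('0210', {2: '4000009876543210', 3: '010000', 4: '000000500000',
                    11: '000102', 37: '000000000102', 38: 'FAKE01', 39: '00',
                    41: 'ATM00002', 49: '840'}),
]
CORE_DECISIONS = {'000101': '00', '000102': '51'}

if __name__ == '__main__':
    for alert in reconcile(REQUESTS, RESPONSES, CORE_DECISIONS):
        print('suspect approval', alert)
```

Run as a script it prints the single suspect approval. The check does not depend on malware signatures: a FASTCash-style implant by definition produces approvals the issuer host never granted, so comparing the switch's outbound responses against the core's decision log catches the behaviour regardless of which binary implements it or whether the switch runs on AIX or Windows.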
This suggests the\r\nBeagleBoyz are exploring upstream opportunities in the payments ecosystem.\r\nFor more information about FASTCash, please see https://www.us-cert.gov/ncas/alerts/TA18-275A.\r\nBEAGLEBOYZ Profile\r\nThe BeagleBoyz, an element of the North Korean government’s Reconnaissance General Bureau, have likely been\r\nactive since at least 2014. As opposed to typical cybercrime, the group likely conducts well-planned, disciplined,\r\nand methodical cyber operations more akin to careful espionage activities. Their malicious cyber operations have\r\nnetted hundreds of millions of U.S. dollars and are likely a major source of funding for the North Korean regime.\r\nThe group has always used a calculated approach, which allows them to sharpen their tactics, techniques, and\r\nprocedures while evading detection. Over time, their operations have become increasingly complex and\r\ndestructive. The tools and implants employed by this group are consistently complex and demonstrate a strong\r\nfocus on effectiveness and operational security.\r\nCommunity Identifiers\r\nThe BeagleBoyz overlap to varying degrees with groups tracked by the cybersecurity industry as: APT38\r\n(FireEye), Bluenoroff (Kaspersky), Lazarus Group (ESTSecurity), and Stardust Chollima (CrowdStrike).\r\nTargeted Nations\r\nThe BeagleBoyz likely have targeted financial institutions in the following nations from 2015 through 2020:\r\nArgentina, Brazil, Bangladesh, Bosnia and Herzegovina, Bulgaria, Chile, Costa Rica, Ecuador, Ghana, India,\r\nIndonesia, Japan, Jordan, Kenya, Kuwait, Malaysia, Malta, Mexico, Mozambique, Nepal, Nicaragua, Nigeria,\r\nPakistan, Panama, Peru, Philippines, Singapore, South Africa, South Korea, Spain, Taiwan, Tanzania, Togo,\r\nTurkey, Uganda, Uruguay, Vietnam, Zambia (figure 1).\r\nFigure 1: Nations probably targeted by BeagleBoyz since 2015\r\nAnatomy of a BeagleBoyz Bank Heist\r\nFigure 2 provides a graphical depiction of a BeagleBoyz bank heist. 
The next section describes in detail the end-to-end actions the BeagleBoyz take to rob financial institutions with a malicious cyber operation.\r\nFigure 2: BeagleBoyz Bank Heist overview\r\nTechnical Analysis\r\nThe BeagleBoyz use a variety of tools and techniques to gain access to a financial institution’s network, learn the topology to discover key systems, and monetize their access. The technical analysis below represents an amalgamation of multiple known incidents, rather than details of a single operation. These findings are presented to highlight the group’s ability to tailor their techniques to different targets and to adapt their methods over time. Consequently, there is a need for layered mitigations to effectively defend against this activity, as relying solely on network signature detection will not sufficiently protect against North Korea’s BeagleBoyz.\r\nInitial Access\r\nThe BeagleBoyz have used a variety of techniques, such as spearphishing and watering holes, to enable initial access into targeted financial institutions. Towards the end of 2018 through 2019 and in early 2020, the BeagleBoyz demonstrated the use of social engineering tactics by carrying out job-application-themed phishing attacks using the following publicly available malicious files.\r\nMD5: b484b0dff093f358897486b58266d069\r\nMD5: f34b72471a205c4eee5221ab9a349c55\r\nMD5: 4c26b2d0e5cd3bfe0a3d07c4b85909a4\r\nMD5: 52ec074d8cb8243976963674dd40ffe7\r\nMD5: d1d779314250fab284fd348888c2f955\r\nMD5: cf733e719e9677ebfbc84a3ab08dd0dc\r\nMD5: 01d397df2a1cf1d4c8e3615b7064856c\r\nThe BeagleBoyz may also be working with or contracting out to criminal hacking groups, like TA505, for initial access development. 
The third party typically uses commodity malware to establish initial access on a victim’s network and then turns over the access to the BeagleBoyz for follow-on exploitation, which may not occur until months later.\r\nThe BeagleBoyz have also used the following techniques to gain an initial foothold on a targeted computer network (Initial Access [TA0001]).\r\nEmail an attachment with malware to a specific individual, company, or industry (Phishing: Spearphishing Attachment [T1566.001])\r\nCompromise a website visited by users in specific communities, industries, or regions (Drive-by Compromise [T1189])\r\nExploit a weakness (a bug, glitch, or design vulnerability) in an internet-facing computer system (such as a database or web server) (Exploit Public-Facing Application [T1190])\r\nSteal the credentials of a specific user or service account to bypass access controls and gain increased privileges (Valid Accounts [T1078])\r\nBreach organizations that have access to the intended victim’s organization and exploit their trusted relationship (Trusted Relationship [T1199])\r\nUse remote services to initially access and persist within a victim’s network (External Remote Services [T1133])\r\nExecution\r\nAfter gaining initial access to a financial institution’s corporate network, the BeagleBoyz are selective in which victim systems they further exploit. 
The BeagleBoyz use a variety of techniques to run their code on local and remote victim systems (Execution [TA0002]).\r\nUse command-line interfaces to interact with systems and execute other software (Command and Scripting Interpreter [T1059])\r\nUse scripts (e.g., VBScript and PowerShell) to speed up operational tasks, reduce the time required to gain access to critical resources, and bypass process monitoring mechanisms by directly interacting with the operating system (OS) at an Application Programming Interface (API) level instead of calling other programs (Command and Scripting Interpreter: PowerShell [T1059.001], Command and Scripting Interpreter: Visual Basic [T1059.005])\r\nRely upon specific user actions, such as opening a malicious email attachment (User Execution [T1204])\r\nExploit software vulnerabilities to execute code on a system (Exploitation for Client Execution [T1203])\r\nCreate new services or modify existing services to execute executables, commands, or scripts (System Services: Service Execution [T1569.002])\r\nEmploy the Windows module loader to load Dynamic Link Libraries (DLLs) from arbitrary local paths or arbitrary Universal Naming Convention (UNC) network paths and execute arbitrary code on a system (Shared Modules [T1129])\r\nUse the Windows API to execute arbitrary code on the victim's system (Native API [T1106])\r\nUse a system's graphical user interface (GUI) to search for information and execute files (Remote Services [T1021])\r\nUse the Task Scheduler to run programs at system startup or on a scheduled basis for persistence, conduct remote execution for lateral movement, gain SYSTEM privileges for privilege escalation, or run a process under the context of a specified account (Scheduled Task/Job [T1053])\r\nAbuse compiled Hypertext Markup Language (HTML) files (.chm), commonly distributed as part of the Microsoft HTML Help system, to conceal malicious code (Signed Binary Proxy 
Execution: Compiled HTML File [T1218.001])\r\nAbuse Windows rundll32.exe to execute binaries, scripts, and Control Panel Item files (.CPL) and execute code via proxy to avoid triggering security tools (Signed Binary Proxy Execution: Rundll32 [T1218.011])\r\nExploit cron in Linux and launchd in macOS systems to create pre-scheduled and periodic background jobs (Scheduled Task/Job: Cron [T1053.003], Scheduled Task/Job: Launchd [T1053.004])\r\nPersistence\r\nThe BeagleBoyz use many techniques to maintain access on compromised networks through system restarts, changed credentials, and other interruptions that could affect their access (Persistence [TA0003]).\r\nAdd an entry to the “run keys” in the Registry or an executable to the startup folder to execute malware as the user logs in under the context of the user’s associated permissions levels (Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder [T1547.001])\r\nInstall a new service that can be configured to execute at startup using utilities to interact with services or by directly modifying the Registry (Create or Modify System Process: Windows Service [T1543.003])\r\nCompromise an openly accessible web server with a web script (known as a web shell) to use the web server as a gateway into a network and to serve as a redundant access or persistence mechanism (Server Software Component: Web Shell [T1505.003])\r\nManipulate accounts (e.g., modifying permissions, modifying credentials, adding or changing permission groups, modifying account settings, or modifying how authentication is performed) to maintain access to credentials and certain permission levels within an environment (Account Manipulation [T1098])\r\nSteal the credentials of a specific user or service account to bypass access controls and retain access to remote systems and externally available services (Valid Accounts [T1078
])\r\nUse the Task Scheduler to run programs at system startup or on a scheduled basis for persistence, conduct remote execution for lateral movement, gain SYSTEM privileges for privilege escalation, or run a process under the context of a specified account (Scheduled Task/Job [T1053])\r\nAbuse the Windows DLL search order and programs that ambiguously specify DLLs to gain privilege escalation and persistence (Hijack Execution Flow: DLL Search Order Hijacking [T1574.001])\r\nExploit hooking to load and execute malicious code within the context of another process to mask the execution, allow access to the process’s memory, and, possibly, gain elevated privileges (Input Capture: Credential API Hooking [T1056.004])\r\nUse remote services to persist within a victim’s network (External Remote Services [T1133])\r\nPrivilege Escalation\r\nThe BeagleBoyz often seek access to financial institutions’ systems that have tiered user and system accounts with customized privileges. The BeagleBoyz must overcome these restrictions to access necessary systems, monitor normal user behavior, and install and execute additional malicious tools. 
To do so, the BeagleBoyz have used the following techniques to gain higher-level permissions on a system or network (Privilege Escalation [TA0004]).\r\nInject code into processes to evade process-based defenses and elevate privileges (Process Injection [T1055])\r\nInstall a new service that can be configured to execute at startup using utilities to interact with services or by directly modifying the Registry (Create or Modify System Process: Windows Service [T1543.003])\r\nCompromise an openly accessible web server with a web shell to use the web server as a gateway into a network (Server Software Component: Web Shell [T1505.003])\r\nUse the Task Scheduler to run programs at system startup or on a scheduled basis for persistence, conduct remote execution as part of lateral movement, gain SYSTEM privileges for privilege escalation, or run a process under the context of a specified account (Scheduled Task/Job [T1053])\r\nSteal the credentials of a specific user or service account to bypass access controls and grant increased privileges (Valid Accounts [T1078])\r\nExploit hooking to load and execute malicious code within the context of another process to mask the execution, allow access to the process’s memory, and, possibly, gain elevated privileges (Input Capture: Credential API Hooking [T1056.004])\r\nPerform sudo caching (sudo is sometimes expanded as “super user do”) or use the sudoers file to elevate privileges in Linux and macOS systems (Abuse Elevation Control Mechanism: Sudo and Sudo Caching [T1548.003])\r\nExecute malicious payloads by hijacking the search order used to load DLLs (Hijack Execution Flow: DLL Search Order Hijacking [T1574.001])\r\nDefense Evasion\r\nThroughout their exploitation of a financial institution’s computer network, the BeagleBoyz have used different techniques to avoid detection by OS security features, system and network 
security software, and system audits (Defense Evasion [TA0005]).\r\nExploit code signing certificates to masquerade malware and tools as legitimate binaries and bypass security policies that allow only signed binaries to execute on a system (Subvert Trust Controls: Code Signing [T1553.002])\r\nRemove malware, tools, or other non-native files dropped or created throughout an intrusion to reduce their footprint or as part of the post-intrusion cleanup process (Indicator Removal on Host: File Deletion [T1070.004])\r\nInject code into processes to evade process-based defenses (Process Injection [T1055])\r\nUse scripts (such as VBScript and PowerShell) to bypass process monitoring mechanisms by directly interacting with the OS at an API level instead of calling other programs (Command and Scripting Interpreter: PowerShell [T1059.001], Command and Scripting Interpreter: Visual Basic [T1059.005])\r\nAttempt to make an executable or file challenging to discover or analyze by encrypting, encoding, or obfuscating its contents on the system or in transit (Obfuscated Files or Information [T1027])\r\nUse external previously compromised web services to relay commands to a victim system (Web Service [T1102])\r\nUse software packing to change the file signature, bypass signature-based detection, and decompress the executable code in memory (Obfuscated Files or Information: Software Packing [T1027.002])\r\nDeobfuscate or decode files or information that were obfuscated to hide intrusion artifacts (Deobfuscate/Decode Files or Information [T1140])\r\nModify file timestamps (the modify, access, create, and change time fields) to mimic files that are in the same folder, making them appear inconspicuous to forensic analysts or file analysis tools (Indicator Removal on Host: Timestomp [T1070.006])\r\nAbuse Windows utilities to implement arbitrary execution commands and subvert detection and mitigation controls (such as Group Policy) that limit or prevent the usage of 
cmd.exe or file extensions commonly associated with malicious payloads (Indirect Command Execution [T1202])\r\nUse various methods to prevent their commands from appearing in logs and clear command history to remove activity traces (Indicator Removal on Host: Clear Command History [T1070.003])\r\nDisable security tools to avoid possible detection of tools and events (Impair Defenses: Disable or Modify Tools [T1562.001])\r\nSteal the credentials of a specific user or service account to bypass access controls and grant increased privileges (Valid Accounts [T1078])\r\nDelete or alter generated artifacts on a host system, including logs and potentially captured files, to remove traces of activity (Indicator Removal on Host: File Deletion [T1070.004])\r\nAbuse compiled HTML files (.chm), commonly distributed as part of the Microsoft HTML Help system, to conceal malicious code (Signed Binary Proxy Execution: Compiled HTML File [T1218.001])\r\nPrepend a space to their shell commands so that they are not written to the command history on systems where the HISTCONTROL environment variable is set to ignore commands that start with a space (Impair Defenses: HISTCONTROL [T1562.003])\r\nModify malware so it has a different signature and re-use it in cases when the group determines it was quarantined (Obfuscated Files or Information: Indicator Removal from Tools [T1027.005])\r\nAttempt to block indicators or events typically captured by sensors from being gathered and analyzed (Impair Defenses: Indicator Blocking [T1562.006])\r\nUse the Windows DLL search order and programs that ambiguously specify DLLs to gain privilege escalation and persistence (Hijack Execution Flow: DLL Search Order Hijacking [T1574.001])\r\nManipulate or abuse the attributes or location of an executable (masquerading) to better blend in with the environment and increase the chances of deceiving a security analyst 
or product (Masquerading [T1036])\r\nExploit rootkits to hide programs, files, network connections, services, drivers, and other system components (Rootkit [T1014])\r\nAbuse the Windows rundll32.exe to execute binaries, scripts, and .CPL files, and execute code via proxy to avoid triggering security tools (Signed Binary Proxy Execution: Rundll32 [T1218.011])\r\nCredential Access\r\nThe BeagleBoyz may use malware like ECCENTRICBANDWAGON to log keystrokes and take screen captures. The U.S. Government has identified some ECCENTRICBANDWAGON samples that have the ability to RC4-encrypt logged data, but the tool has no network functionality. The implant uses specific formatting for logged data and saves the file locally; another tool obtains the logged data. The implant also contains no mechanism for persistence or self-loading and expects a specific configuration file to be present on the system. A full technical report for ECCENTRICBANDWAGON is available at https://us-cert.cisa.gov/northkorea.\r\nThe BeagleBoyz may not always need to use custom keyloggers like ECCENTRICBANDWAGON or other tools to obtain credentials from a compromised system. 
Depending on the victim’s environment, the BeagleBoyz have used the following techniques to steal credentials (Credential Access [TA0006]).\r\nCapture user input, such as keylogging (the most prevalent type of input capture), to obtain credentials for valid accounts and information collection (Input Capture [T1056])\r\nObtain account login and password information, generally in the form of a hash or a clear text password, from the operating system and software (OS Credential Dumping [T1003])\r\nGather private keys from compromised systems to authenticate to remote services or decrypt other collected files (Unsecured Credentials: Private Keys [T1552.004])\r\nManipulate default, domain, local, and cloud accounts to maintain access to credentials and certain permission levels within an environment (Account Manipulation [T1098])\r\nAbuse hooking to load and execute malicious code within the context of another process to mask the execution, allow access to the process's memory, and, possibly, gain elevated privileges (Input Capture: Credential API Hooking [T1056.004])\r\nUse brute-force techniques to attempt account access when passwords are unknown or when password hashes are unavailable (Brute Force [T1110])\r\nDiscovery\r\nOnce inside a financial institution’s network, the BeagleBoyz appear to seek two specific systems—the SWIFT terminal and the server hosting the institution’s payment switch application. As they progress through a network, they learn about the systems they have accessed in order to map the network and gain access to the two goal systems. 
To do so, the BeagleBoyz have used the following techniques to gain knowledge about the systems and\r\ninternal network (Discovery [TA0007 ]).\r\nAttempt to get detailed information about the operating system and hardware, such as version, patches,\r\nhotfixes, service packs, and architecture (System Information Discovery [T1082 ])\r\nEnumerate files and directories or search in specific locations of a host or network share for particular\r\ninformation within a file system (File and Directory Discovery [T1083 ])\r\nGet a list of security software, configurations, defensive tools, and sensors installed on the system\r\n(Software Discovery: Security Software Discovery [T1518.001 ])\r\nProcure information about running processes on a system to understand standard software running on\r\nnetwork systems (Process Discovery [T1057 ])\r\nIdentify primary users, currently logged in users, sets of users that commonly use a system, or active or\r\ninactive users (System Owner/User Discovery [T1033 ])\r\nEnumerate browser bookmarks to learn more about compromised hosts, reveal personal information about\r\nusers, and expose details about internal network resources (Browser Bookmark Discovery [T1217 ])\r\nLook for information on network configuration and system settings on compromised systems, or perform\r\nremote system discovery (System Network Configuration Discovery [T1016 ])\r\nInteract with the Windows Registry to gather information about the system, configuration, and installed\r\nsoftware (Query Registry [T1012 ])\r\nGet a list of open application windows to learn how the system is used or give context to data collected\r\n(Application Window Discovery [T1010 ])\r\nAttempt to get a listing of local system or domain accounts in the compromised system (Account Discovery\r\n[T1087 ])\r\nObtain a list of network connections to and from the compromised system or remote system by querying\r\nfor information over the network (System Network Connections Discovery [T1049 
])\r\nLateral Movement\r\nTo access a compromised financial institution’s SWIFT terminal and the server hosting the institution’s payment switch application, the BeagleBoyz leverage harvested credentials and take advantage of the accessibility of these critical systems from other systems in the institution’s corporate network. Specifically, the BeagleBoyz have been known to create firewall exemptions on specific ports, including ports 443, 6443, 8443, and 9443. Depending on the configuration of compromised systems and the security environment of the victim’s computer network, the BeagleBoyz have used the following techniques to enter and control remote systems on a compromised network (Lateral Movement [TA0008]).\r\nCopy files from one system to another to stage adversary tools or other files throughout an operation (Ingress Tool Transfer [T1105])\r\nUse Remote Desktop Protocol (RDP) to log into an interactive session with a system desktop GUI on a remote system (Remote Services: Remote Desktop Protocol [T1021.001])\r\nEmploy hidden network shares, in conjunction with administrator-level valid accounts, to remotely access a networked system over Server Message Block (SMB) in order to interact with systems using remote procedure calls (RPCs), transfer files, and run transferred binaries through remote execution (Remote Services: SMB/Windows Admin Shares [T1021.002])\r\nExploit valid accounts to log into a service specifically designed to accept remote connections and perform actions as the logged-on user (Remote Services [T1021])\r\nCollection\r\nDepending on various environmental attributes the BeagleBoyz encounter during their exploitation, they may deploy a variety of reconnaissance tools or use commonly available administrative tools for malicious purposes. The BeagleBoyz, like other sophisticated cyber actors, also appear to use resident, legitimate 
administrative tools for reconnaissance purposes when they are available; this is commonly known as “living off the land.” PowerShell appears to be a popular otherwise-legitimate tool the BeagleBoyz favor for reconnaissance activities. For example, the BeagleBoyz often use publicly available code from PowerShell Empire for malicious purposes.\r\nThe BeagleBoyz have used the following techniques to gather information from exploited systems (Collection [TA0009]).\r\nUse automated methods, such as scripts, for collecting data (Automated Collection [T1119])\r\nCapture user input to obtain credentials and collect information (Input Capture [T1056])\r\nCollect local system data from a compromised system (Data from Local System [T1005])\r\nTake screen captures of the desktop (Screen Capture [T1113])\r\nCollect data stored in the Windows clipboard from users (Clipboard Data [T1115])\r\nCommand and Control\r\nThe BeagleBoyz likely change tools—such as CROWDEDFLOUNDER and HOPLIGHT—over time to maintain remote access to financial institution networks and to interact with those systems.\r\nAnalysis of the following CROWDEDFLOUNDER samples was first released in October 2018 as part of the FASTCash reporting.\r\nMD5 hash: 5cfa1c2cb430bec721063e3e2d144feb\r\nMD5 hash: 4f67f3e4a7509af1b2b1c6180a03b3e4\r\nThe BeagleBoyz have used CROWDEDFLOUNDER as a remote access trojan (RAT) since at least 2018. The implant is designed to operate on Microsoft Windows hosts and can upload and download files, launch a remote command shell, inject into victim processes, obtain user and host information, and securely delete files. The implant may be packed with Themida to degrade or prevent effective reverse engineering or evade detection on a Windows host. It can be set to act in beacon or listening modes, depending on command line arguments or configuration specifications. 
The implant obfuscates network communications using a simple encoding algorithm.\r\nThe listening mode of CROWDEDFLOUNDER facilitates proxies like ELECTRICFISH (discussed below) with\r\ntunneling traffic in a victim’s network.\r\nMore recently, the U.S. Government has found HOPLIGHT malware on victim systems, suggesting the\r\nBeagleBoyz are using HOPLIGHT for similar purposes. HOPLIGHT has the same basic RAT functionality as the\r\nCROWDEDFLOUNDER implant. In addition, HOPLIGHT has the capability to create fraudulent Transport\r\nLayer Security (TLS) sessions to obfuscate command and control (C2) connections, making detection and\r\ntracking of the malware’s communications difficult.\r\nFull technical reports for CROWDEDFLOUNDER and HOPLIGHT are available at https://us-cert.cisa.gov/northkorea.\r\nThe BeagleBoyz use network proxy tunneling tools—including VIVACIOUSGIFT and ELECTRICFISH—to\r\ntunnel communications from non-internet facing systems like an ATM switch application server or a SWIFT\r\nterminal to internet-facing systems. The BeagleBoyz use these network proxy tunneling tools, likely placed at or\r\nnear a victim’s network boundary, to tunnel other protocols such as RDP and Secure Shell or other implant traffic\r\nout from the internal network.\r\nIt appears that as the BeagleBoyz change proxy tools, there is some overlap between their use of older and newer\r\nmalware. For example, the BeagleBoyz appear to have begun using ELECTRICFISH as they wound down use of\r\nVIVACIOUSGIFT. There has been a noticeable decline in ELECTRICFISH use following the U.S. 
Government’s\r\ndisclosure of it in May 2019.\r\nFull technical reports for VIVACIOUSGIFT and ELECTRICFISH are available at https://us-cert.cisa.gov/northkorea.\r\nIn addition to these tools, the BeagleBoyz have used the following techniques to communicate with financial\r\ninstitution victim systems under their control (Command and Control [TA0011 ]).\r\nEmploy known encryption algorithms to conceal C2 traffic (Encrypted Channel [T1573 ])\r\nCommunicate over commonly used standard application layer protocols and ports to avoid detection or\r\ndetailed inspection and to blend with existing traffic (Application Layer Protocol [T1071 ])\r\nEncode C2 information using standard data encoding systems such as the American Standard Code for\r\nInformation Interchange (ASCII), Unicode, Base64, Multipurpose Internet Mail Extensions, and 8-bit\r\nUnicode Transformation Format systems or other binary-to-text and character encoding systems (Data\r\nEncoding: Standard Encoding [T1132.001 ])\r\nCopy files between systems to stage adversary tools or other files (Ingress Tool Transfer [T1105 ])\r\nUse external previously compromised web services to relay commands to victim systems (Web Service\r\n[T1102 ])\r\nEmploy a custom C2 protocol that mimics well-known protocols, or develop custom protocols (including\r\nraw sockets) to supplement protocols provided by another standard network stack (Non-Application Layer\r\nProtocol [T1095 ])\r\nObfuscate C2 communications (but not necessarily encrypt them) to hide commands and make the content\r\nless conspicuous and more challenging to discover or decipher (Data Obfuscation [T1101 ])\r\nEmploy connection proxies to direct network traffic between systems, act as an intermediary for network\r\ncommunications to a C2 server, or avoid direct connections to its infrastructure (Proxy [T1090 ])\r\nExploit legitimate desktop support and remote access software to establish an 
interactive C2 channel to\r\ntarget systems within networks (Remote Access Software [T1219 ])\r\nCryptocurrency Exchange Heists\r\nIn addition to robbing traditional financial institutions, the BeagleBoyz target cryptocurrency exchanges to steal\r\nlarge amounts of cryptocurrency, sometimes valued at hundreds of millions of dollars per incident.\r\nCryptocurrency offers the BeagleBoyz an irreversible method of theft that can be converted into fiat currency\r\nbecause the permanent nature of cryptocurrency transfers does not allow for claw-back mechanisms. Working with\r\nU.S. Government partners, CISA, Treasury, FBI, and USCYBERCOM identified COPPERHEDGE as the tool of\r\nchoice for the BeagleBoyz to exploit cryptocurrency exchanges. COPPERHEDGE is a full-featured remote access\r\ntool capable of running arbitrary commands, performing system reconnaissance, and exfiltrating data. Full\r\ntechnical analysis of COPPERHEDGE is available at https://us-cert.cisa.gov/northkorea.\r\nExfiltration\r\nDuring a cyber operation, the BeagleBoyz need to exfiltrate a variety of data from compromised systems. In\r\naddition to the C2 tools noted above that have built-in exfiltration features, such as CROWDEDFLOUNDER and\r\nHOPLIGHT, the BeagleBoyz use the following techniques to steal data from a network (Exfiltration [TA0010 ]).\r\nCompress and encrypt collected data before exfiltration to minimize the amount of data sent over the web\r\nand make it portable, less conspicuous, and less detectable (Archive Collected Data [T1560 ])\r\nSteal collected data via scripts (although this may require other exfiltration techniques) (Automated\r\nExfiltration [T1020 ])\r\nEncode data using the same protocol as the C2 channel and exfiltrate it over the C2 channel (Exfiltration\r\nOver C2 Channel [T1041 ])\r\nImpact\r\nThe U.S. 
Government has observed the BeagleBoyz successfully monetize illicit access to financial institutions’\r\nSWIFT terminals to enable wire fraud and gain access to the institutions’ payment switch application servers,\r\nwhich allowed fraudulent ATM cash outs. After gaining access to either one or both of these operationally critical\r\nsystems, the BeagleBoyz monitor the systems to learn about their configurations and legitimate use patterns, and\r\nthen they deploy bespoke tools to facilitate illicit monetization.\r\nThe cybersecurity community and Financial Services sector have released substantial information on the\r\nBeagleBoyz manipulation of compromised SWIFT terminals, describing their ability to monitor these systems,\r\nsend fraudulent messages, and attempt to hide the fraudulent activity from detection. The discussion below\r\nfocuses on the custom tools used to manipulate payment switch applications for ATM cash outs.\r\nThe BeagleBoyz use FASTCash malware to intercept financial request messages and reply with fraudulent but\r\nlegitimate-looking affirmative response messages in the ISO 8583 format. The BeagleBoyz have functionally\r\nequivalent FASTCash malware for both UNIX and Windows that they deploy depending on the operating system\r\nrunning on the server hosting the bank’s payment switch application.\r\nFASTCash for UNIX is composed of AIX executable files designed to inject code and libraries into a currently\r\nrunning process. One AIX executable provides export functions, which allows an application to manipulate\r\ntransactions on financial systems using the ISO 8583 international standard for financial transaction card-originated interchange messaging. The injected executables interpret financial request messages and construct\r\nfraudulent financial response messages. 
For more details on FASTCash for UNIX malware, please see the\r\nFASTCash report at https://www.us-cert.gov/ncas/alerts/TA18-275A.\r\nThe BeagleBoyz use FASTCash for Windows to manipulate transactions processed by a switch application\r\nrunning on a Windows box. FASTCash for Windows is also specific to the ISO 8583 message format. The\r\nBeagleBoyz appear to have modified publicly available source code to write parts of the tool, likely to speed\r\ndevelopment. The malware contains code probably taken from open-source repositories on the internet to create\r\nhashmaps and hook functions and to parse ISO 8583 messages.\r\nFASTCash for Windows injects itself into software running on a Windows platform. The malware then takes\r\ncontrol of the software’s network send and receive functions, allowing it to manipulate ISO 8583 messages. The\r\nU.S. Government has identified two variants of FASTCash for Windows. One variant supports ASCII encoding.\r\nThe BeagleBoyz appear to have modified the second variant’s message parsing code to support Extended Binary\r\nCoded Decimal Interchange Code (EBCDIC) encoding. Both ASCII and EBCDIC are character encoding formats.\r\nFASTCash for Windows malware uses code from github.com/petewarden/c_hashmap for hashmaps, code from\r\nMicrosoft's Detours Library at github.com/Microsoft/Detours for hooking, and code from to parse ISO 8583\r\nmessages.\r\nThe malware hooks onto the send and receive function of the switch application so that it can process inbound\r\nrequest messages as they are received. FASTCash for Windows inspects the inbound message, probably looking\r\nfor specific account numbers. If the account number matches an expected number, the malware constructs a\r\nfraudulent response message. If the account number does not match an expected number, the malware allows the\r\nrequest to pass through normally. 
If the malware constructs a fraudulent response message, it then sends it back to\r\nthe acquirer without any further processing by the switch application, leaving the issuer without any awareness of\r\nthe fraudulent transaction.\r\nFull technical reports for FASTCash and FASTCash for Windows malware are available at https://us-cert.cisa.gov/northkorea.\r\nThe BeagleBoyz have used the following techniques to manipulate business and operational processes for\r\nmonetary or destructive purposes (Impact [TA0040 ]).\r\nCorrupt or wipe data storage, data structures, and Master Boot Records (MBR) to interrupt network\r\navailability, services, and resources (Disk Wipe: Disk Structure Wipe [T1561.002 ], Data Destruction\r\n[T1485 ])\r\nEncrypt data on target systems and withhold access to the decryption key until a ransom is paid, or render\r\ndata permanently inaccessible if the ransom is not paid (Data Encrypted for Impact [T1486 ])\r\nStop, disable, or render services unavailable on a system to damage the environment or inhibit incident\r\nresponse (Service Stop [T1489 ])\r\nInsert, delete, or modify data at rest, in transit, or in use to manipulate outcomes, hide activity, and affect\r\nthe business process, organizational understanding, and decision-making (Data Manipulation: Stored Data\r\nManipulation [T1565.001 ], Data Manipulation: Transmitted Data Manipulation [T1565.002 ], Data\r\nManipulation: Runtime Data Manipulation [T1565.003 ])\r\nMitigations\r\nContact law enforcement, CISA, or Treasury immediately regarding any identified activity related to\r\nBeagleBoyz. 
(Refer to the Contact Information section.)\r\nIncorporate IOCs identified in CISA’s Malware Analysis Reports on https://us-cert.cisa.gov/northkorea into\r\nintrusion detection systems and security alert systems to enable active blocking or reporting of suspected\r\nmalicious activity.\r\nRecommendations for all Financial Institutions\r\nVerify compliance with Federal Financial Institutions Examination Council (FFIEC) handbooks, especially\r\nthose related to Information Security and Payment Systems.\r\nhttps://ithandbook.ffiec.gov/\r\nVerify compliance with industry security standards for critical systems, such as those available at:\r\nhttps://www.pcisecuritystandards.org\r\nhttps://www.swift.com/myswift/customer-security-programme-csp/swift-customer-security-controls-framework\r\nRecommendations for Institutions with Retail Payment Systems\r\nRequire chip and personal identification number (PIN) cryptogram validation.\r\nImplement chip and PIN requirements for debit cards.\r\nValidate card-generated authorization request cryptograms.\r\nUse issuer-generated authorization response cryptograms for response messages.\r\nRequire card-generated authorization response cryptogram validation to verify legitimate response\r\nmessages.\r\nIsolate payment system infrastructure.\r\nRequire multi-factor authentication for any user to access the switch application server.\r\nConfirm perimeter security controls prevent internet hosts from accessing the private network\r\ninfrastructure servicing your payment switch application server.\r\nConfirm perimeter security controls prevent all hosts outside of authorized endpoints from accessing your\r\nsystem, especially if your payment switch application server is internet accessible.\r\nLogically segregate your operating environment.\r\nUse firewalls to divide your operating environment into enclaves.\r\nUse access control lists to permit/deny specific traffic from 
flowing between those enclaves.\r\nGive special consideration to segregating enclaves holding sensitive information (e.g., card management\r\nsystems) from enclaves requiring internet connectivity (e.g., email).\r\nEncrypt data in transit.\r\nSecure all links to payment system engines with a certificate-based mechanism, such as Mutual Transport\r\nLayer Security, for all external and internal traffic.\r\nLimit the number of certificates that can be used on the production server and restrict access to those\r\ncertificates.\r\nMonitor for anomalous behavior as part of layered security.\r\nConfigure the switch application server to log transactions and routinely audit transaction and system logs.\r\nDevelop a baseline of expected software, users, and logons and monitor switch application servers for\r\nunusual software installations, updates, account changes, or other activities outside of expected behavior.\r\nDevelop a baseline of expected transaction participants, amounts, frequency, and timing. Monitor and flag\r\nanomalous transactions for suspected fraudulent activity.\r\nRecommendations for Organizations with ATM or Point of Sale Devices\r\nValidate issuer responses to financial request messages.\r\nImplement chip and PIN requirements for debit cards.\r\nRequire and verify message authentication codes on issuer financial request response messages.\r\nPerform authorization response cryptogram validation for chip and PIN transactions.\r\nRecommendations for All Organizations\r\nUsers and administrators should use the following best practices to strengthen the security posture of their\r\norganization’s systems:\r\nMaintain up-to-date antivirus signatures and engines.\r\nKeep operating system patches up to date.\r\nDisable file and printer sharing services. If these services are required, use strong passwords or Active\r\nDirectory authentication.\r\nRestrict users’ ability (permissions) to install and run unwanted software applications. 
Do not add users to\r\nthe local administrators’ group unless required.\r\nEnforce a strong password policy and require regular password changes.\r\nExercise caution when opening email attachments even if the attachment is expected and the sender\r\nappears to be known.\r\nEnable a personal firewall on agency workstations and configure it to deny unsolicited connection requests.\r\nDisable unnecessary services on agency workstations and servers.\r\nScan for and remove suspicious email attachments; ensure the scanned attachment is its “true file type”\r\n(i.e., the extension matches the file header).\r\nMonitor users' web browsing habits; restrict access to sites with unfavorable content.\r\nExercise caution when using removable media (e.g., USB thumb drives, external drives, CDs).\r\nScan all software downloaded from the internet before executing.\r\nMaintain situational awareness of the latest threats.\r\nImplement appropriate access control lists.\r\nAdditional information on malware incident prevention and handling can be found in National Institute of\r\nStandards and Technology Special Publication 800-83, Guide to Malware Incident Prevention and Handling for\r\nDesktops and Laptops.\r\nContact Information\r\nRecipients of this report are encouraged to contribute any additional information that they may have related to this\r\nthreat.\r\nFor any questions related to this report or to report an intrusion and request resources for incident response or\r\ntechnical assistance, please contact:\r\nCISA (1-844-Say-CISA or Central@cisa.dhs.gov),\r\nThe FBI through the FBI Cyber Division (855-292-3937 or CyWatch@fbi.gov) or a local field office, or\r\nTreasury Office of Cybersecurity and Critical Infrastructure Protection (Treasury OCCIP) (202-622-3000\r\nor OCCIP-Coord@treasury.gov).\r\nDISCLAIMER\r\nThis information is provided \"as is\" for informational purposes only. 
The United States Government does not\r\nprovide any warranties of any kind regarding this information. In no event shall the United States Government or\r\nits contractors or subcontractors be liable for any damages, including but not limited to, direct, indirect, special\r\nor consequential damages, arising out of, resulting from, or in any way connected with this information, whether\r\nor not based upon warranty, contract, tort, or otherwise, whether or not arising out of negligence, and whether or\r\nnot injury was sustained from, or arose out of the results of, or reliance upon the information.\r\nThe United States Government does not endorse any commercial product or service, including any subjects of\r\nanalysis. Any reference to specific commercial products, processes, or services by service mark, trademark,\r\nmanufacturer, or otherwise, does not constitute or imply their endorsement, recommendation, or favoring by the\r\nUnited States Government.\r\nRevisions\r\nAugust 26, 2020: Initial Version\r\nSeptember 3, 2020: Updated PDF template\r\nOctober 10, 2020: Updated Initial Access section\r\nSource: https://us-cert.cisa.gov/ncas/alerts/aa20-239a",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MITRE",
		"ETDA"
	],
	"references": [
		"https://us-cert.cisa.gov/ncas/alerts/aa20-239a"
	],
	"report_names": [
		"aa20-239a"
	],
	"threat_actors": [
		{
			"id": "fdf8d396-bbe4-454c-970a-81c4c3093b27",
			"created_at": "2022-10-25T16:07:23.763387Z",
			"updated_at": "2026-04-10T02:00:04.742186Z",
			"deleted_at": null,
			"main_name": "BeagleBoyz",
			"aliases": [
				"BeagleBoyz",
				"Operation FASTCash"
			],
			"source_name": "ETDA:BeagleBoyz",
			"tools": [
				"Cyruslish",
				"ECCENTRICBANDWAGON",
				"FASTCash",
				"NACHOCHEESE",
				"NachoCheese",
				"PSLogger",
				"TWOPENCE",
				"VIVACIOUSGIFT"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "34eea331-d052-4096-ae03-a22f1d090bd4",
			"created_at": "2025-08-07T02:03:25.073494Z",
			"updated_at": "2026-04-10T02:00:03.709243Z",
			"deleted_at": null,
			"main_name": "NICKEL ACADEMY",
			"aliases": [
				"ATK3 ",
				"Black Artemis ",
				"COVELLITE ",
				"CTG-2460 ",
				"Citrine Sleet ",
				"Diamond Sleet ",
				"Guardians of Peace",
				"HIDDEN COBRA ",
				"High Anonymous",
				"Labyrinth Chollima ",
				"Lazarus Group ",
				"NNPT Group",
				"New Romanic Cyber Army Team",
				"Temp.Hermit ",
				"UNC577 ",
				"Who Am I?",
				"Whois Team",
				"ZINC "
			],
			"source_name": "Secureworks:NICKEL ACADEMY",
			"tools": [
				"Destover",
				"KorHigh",
				"Volgmer"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "a3687241-9876-477b-aa13-a7c368ffda58",
			"created_at": "2022-10-25T16:07:24.496902Z",
			"updated_at": "2026-04-10T02:00:05.010744Z",
			"deleted_at": null,
			"main_name": "Hacking Team",
			"aliases": [],
			"source_name": "ETDA:Hacking Team",
			"tools": [],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "eb3f4e4d-2573-494d-9739-1be5141cf7b2",
			"created_at": "2022-10-25T16:07:24.471018Z",
			"updated_at": "2026-04-10T02:00:05.002374Z",
			"deleted_at": null,
			"main_name": "Cron",
			"aliases": [],
			"source_name": "ETDA:Cron",
			"tools": [
				"Catelites",
				"Catelites Bot",
				"CronBot",
				"TinyZBot"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "810fada6-3a62-477e-ac11-2702f9a1ef80",
			"created_at": "2023-01-06T13:46:38.874104Z",
			"updated_at": "2026-04-10T02:00:03.129286Z",
			"deleted_at": null,
			"main_name": "STARDUST CHOLLIMA",
			"aliases": [
				"Sapphire Sleet"
			],
			"source_name": "MISPGALAXY:STARDUST CHOLLIMA",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "e90c06e4-e3e0-4f46-a3b5-17b84b31da62",
			"created_at": "2023-01-06T13:46:39.018236Z",
			"updated_at": "2026-04-10T02:00:03.183123Z",
			"deleted_at": null,
			"main_name": "Hacking Team",
			"aliases": [],
			"source_name": "MISPGALAXY:Hacking Team",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "679e335a-38a4-4db9-8fdf-a48c17a1f5e6",
			"created_at": "2023-01-06T13:46:38.820429Z",
			"updated_at": "2026-04-10T02:00:03.112131Z",
			"deleted_at": null,
			"main_name": "FASTCash",
			"aliases": [],
			"source_name": "MISPGALAXY:FASTCash",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "5e6b31a6-80e3-4e7d-8b0a-d94897ce9b59",
			"created_at": "2024-06-19T02:03:08.128175Z",
			"updated_at": "2026-04-10T02:00:03.636663Z",
			"deleted_at": null,
			"main_name": "GOLD TAHOE",
			"aliases": [
				"Cl0P Group Identity",
				"FIN11 ",
				"GRACEFUL SPIDER ",
				"SectorJ04 ",
				"Spandex Tempest ",
				"TA505 "
			],
			"source_name": "Secureworks:GOLD TAHOE",
			"tools": [
				"Clop",
				"Cobalt Strike",
				"FlawedAmmy",
				"Get2",
				"GraceWire",
				"Malichus",
				"SDBbot",
				"ServHelper",
				"TrueBot"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "75d4d6a9-b5d1-4087-a7a0-e4a9587c45f4",
			"created_at": "2022-10-25T15:50:23.5188Z",
			"updated_at": "2026-04-10T02:00:05.26565Z",
			"deleted_at": null,
			"main_name": "TA505",
			"aliases": [
				"TA505",
				"Hive0065",
				"Spandex Tempest",
				"CHIMBORAZO"
			],
			"source_name": "MITRE:TA505",
			"tools": [
				"AdFind",
				"Azorult",
				"FlawedAmmyy",
				"Mimikatz",
				"Dridex",
				"TrickBot",
				"Get2",
				"FlawedGrace",
				"Cobalt Strike",
				"ServHelper",
				"Amadey",
				"SDBbot",
				"PowerSploit"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "732597b1-40a8-474c-88cc-eb8a421c29f1",
			"created_at": "2025-08-07T02:03:25.087732Z",
			"updated_at": "2026-04-10T02:00:03.776007Z",
			"deleted_at": null,
			"main_name": "NICKEL GLADSTONE",
			"aliases": [
				"APT38 ",
				"ATK 117 ",
				"Alluring Pisces ",
				"Black Alicanto ",
				"Bluenoroff ",
				"CTG-6459 ",
				"Citrine Sleet ",
				"HIDDEN COBRA ",
				"Lazarus Group",
				"Sapphire Sleet ",
				"Selective Pisces ",
				"Stardust Chollima ",
				"T-APT-15 ",
				"TA444 ",
				"TAG-71 "
			],
			"source_name": "Secureworks:NICKEL GLADSTONE",
			"tools": [
				"AlphaNC",
				"Bankshot",
				"CCGC_Proxy",
				"Ratankba",
				"RustBucket",
				"SUGARLOADER",
				"SwiftLoader",
				"Wcry"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "a2b92056-9378-4749-926b-7e10c4500dac",
			"created_at": "2023-01-06T13:46:38.430595Z",
			"updated_at": "2026-04-10T02:00:02.971571Z",
			"deleted_at": null,
			"main_name": "Lazarus Group",
			"aliases": [
				"Operation DarkSeoul",
				"Bureau 121",
				"Group 77",
				"APT38",
				"NICKEL GLADSTONE",
				"G0082",
				"COPERNICIUM",
				"Moonstone Sleet",
				"Operation GhostSecret",
				"APT 38",
				"Appleworm",
				"Unit 121",
				"ATK3",
				"G0032",
				"ATK117",
				"NewRomanic Cyber Army Team",
				"Nickel Academy",
				"Sapphire Sleet",
				"Lazarus group",
				"Hastati Group",
				"Subgroup: Bluenoroff",
				"Operation Troy",
				"Black Artemis",
				"Dark Seoul",
				"Andariel",
				"Labyrinth Chollima",
				"Operation AppleJeus",
				"COVELLITE",
				"Citrine Sleet",
				"DEV-0139",
				"DEV-1222",
				"Hidden Cobra",
				"Bluenoroff",
				"Stardust Chollima",
				"Whois Hacking Team",
				"Diamond Sleet",
				"TA404",
				"BeagleBoyz",
				"APT-C-26"
			],
			"source_name": "MISPGALAXY:Lazarus Group",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "32a223a8-3c79-4146-87c5-8557d38662ae",
			"created_at": "2022-10-25T15:50:23.703698Z",
			"updated_at": "2026-04-10T02:00:05.261989Z",
			"deleted_at": null,
			"main_name": "Lazarus Group",
			"aliases": [
				"Lazarus Group",
				"Labyrinth Chollima",
				"HIDDEN COBRA",
				"Guardians of Peace",
				"NICKEL ACADEMY",
				"Diamond Sleet"
			],
			"source_name": "MITRE:Lazarus Group",
			"tools": [
				"RawDisk",
				"Proxysvc",
				"BADCALL",
				"FALLCHILL",
				"WannaCry",
				"MagicRAT",
				"HOPLIGHT",
				"TYPEFRAME",
				"Dtrack",
				"HotCroissant",
				"HARDRAIN",
				"Dacls",
				"KEYMARBLE",
				"TAINTEDSCRIBE",
				"AuditCred",
				"netsh",
				"ECCENTRICBANDWAGON",
				"AppleJeus",
				"BLINDINGCAN",
				"ThreatNeedle",
				"Volgmer",
				"Cryptoistic",
				"RATANKBA",
				"Bankshot"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "f426f0a0-faef-4c0e-bcf8-88974116c9d0",
			"created_at": "2022-10-25T15:50:23.240383Z",
			"updated_at": "2026-04-10T02:00:05.299433Z",
			"deleted_at": null,
			"main_name": "APT38",
			"aliases": [
				"APT38",
				"NICKEL GLADSTONE",
				"BeagleBoyz",
				"Bluenoroff",
				"Stardust Chollima",
				"Sapphire Sleet",
				"COPERNICIUM"
			],
			"source_name": "MITRE:APT38",
			"tools": [
				"ECCENTRICBANDWAGON",
				"HOPLIGHT",
				"Mimikatz",
				"KillDisk",
				"DarkComet"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "99cb4e5b-8071-4f9e-aa1d-45bfbb6197e3",
			"created_at": "2023-01-06T13:46:38.860754Z",
			"updated_at": "2026-04-10T02:00:03.125179Z",
			"deleted_at": null,
			"main_name": "TA505",
			"aliases": [
				"SectorJ04",
				"SectorJ04 Group",
				"ATK103",
				"GRACEFUL SPIDER",
				"GOLD TAHOE",
				"Dudear",
				"G0092",
				"Hive0065",
				"CHIMBORAZO",
				"Spandex Tempest"
			],
			"source_name": "MISPGALAXY:TA505",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "1bdb91cf-f1a6-4bed-8cfa-c7ea1b635ebd",
			"created_at": "2022-10-25T16:07:23.766784Z",
			"updated_at": "2026-04-10T02:00:04.7432Z",
			"deleted_at": null,
			"main_name": "Bluenoroff",
			"aliases": [
				"APT 38",
				"ATK 117",
				"Alluring Pisces",
				"Black Alicanto",
				"Bluenoroff",
				"CTG-6459",
				"Copernicium",
				"G0082",
				"Nickel Gladstone",
				"Sapphire Sleet",
				"Selective Pisces",
				"Stardust Chollima",
				"T-APT-15",
				"TA444",
				"TAG-71",
				"TEMP.Hermit"
			],
			"source_name": "ETDA:Bluenoroff",
			"tools": [],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "e447d393-c259-46e2-9932-19be2ba67149",
			"created_at": "2022-10-25T16:07:24.28282Z",
			"updated_at": "2026-04-10T02:00:04.921616Z",
			"deleted_at": null,
			"main_name": "TA505",
			"aliases": [
				"ATK 103",
				"Chimborazo",
				"G0092",
				"Gold Evergreen",
				"Gold Tahoe",
				"Graceful Spider",
				"Hive0065",
				"Operation Tovar",
				"Operation Trident Breach",
				"SectorJ04",
				"Spandex Tempest",
				"TA505",
				"TEMP.Warlock"
			],
			"source_name": "ETDA:TA505",
			"tools": [
				"Amadey",
				"AmmyyRAT",
				"AndroMut",
				"Azer",
				"Bart",
				"Bugat v5",
				"CryptFile2",
				"CryptoLocker",
				"CryptoMix",
				"CryptoShield",
				"Dridex",
				"Dudear",
				"EmailStealer",
				"FRIENDSPEAK",
				"Fake Globe",
				"Fareit",
				"FlawedAmmyy",
				"FlawedGrace",
				"FlowerPippi",
				"GOZ",
				"GameOver Zeus",
				"GazGolder",
				"Gelup",
				"Get2",
				"GetandGo",
				"GlobeImposter",
				"Gorhax",
				"GraceWire",
				"Gussdoor",
				"Jaff",
				"Kasidet",
				"Kegotip",
				"Kneber",
				"LOLBAS",
				"LOLBins",
				"Living off the Land",
				"Locky",
				"MINEBRIDGE",
				"MINEBRIDGE RAT",
				"MirrorBlast",
				"Neutrino Bot",
				"Neutrino Exploit Kit",
				"P2P Zeus",
				"Peer-to-Peer Zeus",
				"Philadelphia",
				"Philadephia Ransom",
				"Pony Loader",
				"Rakhni",
				"ReflectiveGnome",
				"Remote Manipulator System",
				"RockLoader",
				"RuRAT",
				"SDBbot",
				"ServHelper",
				"Shifu",
				"Siplog",
				"TeslaGun",
				"TiniMet",
				"TinyMet",
				"Trojan.Zbot",
				"Wsnpoem",
				"Zbot",
				"Zeta",
				"ZeuS",
				"Zeus"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "f32df445-9fb4-4234-99e0-3561f6498e4e",
			"created_at": "2022-10-25T16:07:23.756373Z",
			"updated_at": "2026-04-10T02:00:04.739611Z",
			"deleted_at": null,
			"main_name": "Lazarus Group",
			"aliases": [
				"APT-C-26",
				"ATK 3",
				"Appleworm",
				"Citrine Sleet",
				"DEV-0139",
				"Diamond Sleet",
				"G0032",
				"Gleaming Pisces",
				"Gods Apostles",
				"Gods Disciples",
				"Group 77",
				"Guardians of Peace",
				"Hastati Group",
				"Hidden Cobra",
				"ITG03",
				"Jade Sleet",
				"Labyrinth Chollima",
				"Lazarus Group",
				"NewRomanic Cyber Army Team",
				"Operation 99",
				"Operation AppleJeus",
				"Operation AppleJeus sequel",
				"Operation Blockbuster: Breach of Sony Pictures Entertainment",
				"Operation CryptoCore",
				"Operation Dream Job",
				"Operation Dream Magic",
				"Operation Flame",
				"Operation GhostSecret",
				"Operation In(ter)caption",
				"Operation LolZarus",
				"Operation Marstech Mayhem",
				"Operation No Pineapple!",
				"Operation North Star",
				"Operation Phantom Circuit",
				"Operation Sharpshooter",
				"Operation SyncHole",
				"Operation Ten Days of Rain / DarkSeoul",
				"Operation Troy",
				"SectorA01",
				"Slow Pisces",
				"TA404",
				"TraderTraitor",
				"UNC2970",
				"UNC4034",
				"UNC4736",
				"UNC4899",
				"UNC577",
				"Whois Hacking Team"
			],
			"source_name": "ETDA:Lazarus Group",
			"tools": [
				"3CX Backdoor",
				"3Rat Client",
				"3proxy",
				"AIRDRY",
				"ARTFULPIE",
				"ATMDtrack",
				"AlphaNC",
				"Alreay",
				"Andaratm",
				"AngryRebel",
				"AppleJeus",
				"Aryan",
				"AuditCred",
				"BADCALL",
				"BISTROMATH",
				"BLINDINGCAN",
				"BTC Changer",
				"BUFFETLINE",
				"BanSwift",
				"Bankshot",
				"Bitrep",
				"Bitsran",
				"BlindToad",
				"Bookcode",
				"BootWreck",
				"BottomLoader",
				"Brambul",
				"BravoNC",
				"Breut",
				"COLDCAT",
				"COPPERHEDGE",
				"CROWDEDFLOUNDER",
				"Castov",
				"CheeseTray",
				"CleanToad",
				"ClientTraficForwarder",
				"CollectionRAT",
				"Concealment Troy",
				"Contopee",
				"CookieTime",
				"Cyruslish",
				"DAVESHELL",
				"DBLL Dropper",
				"DLRAT",
				"DRATzarus",
				"DRATzarus RAT",
				"Dacls",
				"Dacls RAT",
				"DarkComet",
				"DarkKomet",
				"DeltaCharlie",
				"DeltaNC",
				"Dembr",
				"Destover",
				"DoublePulsar",
				"Dozer",
				"Dtrack",
				"Duuzer",
				"DyePack",
				"ECCENTRICBANDWAGON",
				"ELECTRICFISH",
				"Escad",
				"EternalBlue",
				"FALLCHILL",
				"FYNLOS",
				"FallChill RAT",
				"Farfli",
				"Fimlis",
				"FoggyBrass",
				"FudModule",
				"Fynloski",
				"Gh0st RAT",
				"Ghost RAT",
				"Gopuram",
				"HARDRAIN",
				"HIDDEN COBRA RAT/Worm",
				"HLOADER",
				"HOOKSHOT",
				"HOPLIGHT",
				"HOTCROISSANT",
				"HOTWAX",
				"HTTP Troy",
				"Hawup",
				"Hawup RAT",
				"Hermes",
				"HotCroissant",
				"HotelAlfa",
				"Hotwax",
				"HtDnDownLoader",
				"Http Dr0pper",
				"ICONICSTEALER",
				"Joanap",
				"Jokra",
				"KANDYKORN",
				"KEYMARBLE",
				"Kaos",
				"KillDisk",
				"KillMBR",
				"Koredos",
				"Krademok",
				"LIGHTSHIFT",
				"LIGHTSHOW",
				"LOLBAS",
				"LOLBins",
				"Lazarus",
				"LightlessCan",
				"Living off the Land",
				"MATA",
				"MBRkiller",
				"MagicRAT",
				"Manuscrypt",
				"Mimail",
				"Mimikatz",
				"Moudour",
				"Mydoom",
				"Mydoor",
				"Mytob",
				"NACHOCHEESE",
				"NachoCheese",
				"NestEgg",
				"NickelLoader",
				"NineRAT",
				"Novarg",
				"NukeSped",
				"OpBlockBuster",
				"PCRat",
				"PEBBLEDASH",
				"PLANKWALK",
				"POOLRAT",
				"PSLogger",
				"PhanDoor",
				"Plink",
				"PondRAT",
				"PowerBrace",
				"PowerRatankba",
				"PowerShell RAT",
				"PowerSpritz",
				"PowerTask",
				"Preft",
				"ProcDump",
				"Proxysvc",
				"PuTTY Link",
				"QUICKRIDE",
				"QUICKRIDE.POWER",
				"Quickcafe",
				"QuiteRAT",
				"R-C1",
				"ROptimizer",
				"Ratabanka",
				"RatabankaPOS",
				"Ratankba",
				"RatankbaPOS",
				"RawDisk",
				"RedShawl",
				"Rifdoor",
				"Rising Sun",
				"Romeo-CoreOne",
				"RomeoAlfa",
				"RomeoBravo",
				"RomeoCharlie",
				"RomeoCore",
				"RomeoDelta",
				"RomeoEcho",
				"RomeoFoxtrot",
				"RomeoGolf",
				"RomeoHotel",
				"RomeoMike",
				"RomeoNovember",
				"RomeoWhiskey",
				"Romeos",
				"RustBucket",
				"SHADYCAT",
				"SHARPKNOT",
				"SIGFLIP",
				"SIMPLESEA",
				"SLICKSHOES",
				"SORRYBRUTE",
				"SUDDENICON",
				"SUGARLOADER",
				"SheepRAT",
				"SierraAlfa",
				"SierraBravo",
				"SierraCharlie",
				"SierraJuliett-MikeOne",
				"SierraJuliett-MikeTwo",
				"SimpleTea",
				"SimplexTea",
				"SmallTiger",
				"Stunnel",
				"TAINTEDSCRIBE",
				"TAXHAUL",
				"TFlower",
				"TOUCHKEY",
				"TOUCHMOVE",
				"TOUCHSHIFT",
				"TOUCHSHOT",
				"TWOPENCE",
				"TYPEFRAME",
				"Tdrop",
				"Tdrop2",
				"ThreatNeedle",
				"Tiger RAT",
				"TigerRAT",
				"Trojan Manuscript",
				"Troy",
				"TroyRAT",
				"VEILEDSIGNAL",
				"VHD",
				"VHD Ransomware",
				"VIVACIOUSGIFT",
				"VSingle",
				"ValeforBeta",
				"Volgmer",
				"Vyveva",
				"W1_RAT",
				"Wana Decrypt0r",
				"WanaCry",
				"WanaCrypt",
				"WanaCrypt0r",
				"WannaCry",
				"WannaCrypt",
				"WannaCryptor",
				"WbBot",
				"Wcry",
				"Win32/KillDisk.NBB",
				"Win32/KillDisk.NBC",
				"Win32/KillDisk.NBD",
				"Win32/KillDisk.NBH",
				"Win32/KillDisk.NBI",
				"WinorDLL64",
				"Winsec",
				"WolfRAT",
				"Wormhole",
				"YamaBot",
				"Yort",
				"ZetaNile",
				"concealment_troy",
				"http_troy",
				"httpdr0pper",
				"httpdropper",
				"klovbot",
				"sRDI"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434666,
	"ts_updated_at": 1775792300,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/7cc6d00e992b5cb07353fe26be042d94fc46eac3.pdf",
		"text": "https://archive.orkl.eu/7cc6d00e992b5cb07353fe26be042d94fc46eac3.txt",
		"img": "https://archive.orkl.eu/7cc6d00e992b5cb07353fe26be042d94fc46eac3.jpg"
	}
}