Subgroup: Andariel, Silent Chollima - Threat Group Cards: A Threat Actor Encyclopedia
Archived: 2026-04-06 01:05:15 UTC

APT group: Subgroup: Andariel, Silent Chollima

Names:
  Andariel (FSI)
  Silent Chollima (CrowdStrike)
  Stonefly (Symantec)
  Plutonium (Microsoft)
  Onyx Sleet (Microsoft)
  APT 45 (Mandiant)
  Jumpy Pisces (Palo Alto)
  G0138 (MITRE)

Country: North Korea

Motivation: Information theft and espionage

First seen: 2009

Description: A subgroup of Lazarus Group, Hidden Cobra, Labyrinth Chollima.

Observed:

Tools used:

Operations performed:

  2014      Operation “BLACKMINE”
            Target: South Korean organizations.
            Method: Information theft and espionage.

  2014      Operation “GHOSTRAT”
            Target: Defense industry.
            Method: Information theft and espionage.

  2014      Operation “XEDA”
            Target: Foreign defense industries.
            Method: Information theft and espionage.

  2015      Operation “INITROY”/Phase 1
            Target: South Korean organizations.
            Method: Information theft/early phase operation.

  2015      Operation “DESERTWOLF”/Phase 3
            Target: South Korean defense industry.
            Method: Information theft and espionage.

  2015      Operation “BLACKSHEEP”/Phase 3
            Target: Defense industry.
            Method: Information theft and espionage.

  2016      Operation “INITROY”/Phase 2
            Target: South Korean organizations.
            Method: Information theft/early phase operation.

  2016      Operation “VANXATM”
            Target: ATM companies.
            Method: Financial theft/BPC.

  2017      Operation “Mayday”
            Target: South Korean Financial Company.
            Method: Information theft and espionage.

  Jun 2018  Operation “GoldenAxe”

  Apr 2021  Lazarus APT conceals malicious code within BMP image to drop its RAT

  Jun 2021  Andariel evolves to target South Korea with ransomware

  Feb 2022  Stonefly: North Korea-linked Spying Operation Continues to Hit High-value Targets

  Aug 2022  Andariel deploys DTrack and Maui ransomware

  Oct 2022  DPRK hacking groups breach South Korean defense contractors

  Mar 2023  Operation “Blacksmith”
            Operation Blacksmith: Lazarus targets organizations worldwide using novel Telegram-based malware written in DLang

  Jun 2023  Andariel’s silly mistakes and a new malware family

  Oct 2023  Multiple North Korean threat actors exploiting the TeamCity CVE-2023-42793 vulnerability

  Nov 2023  Circumstances of an Attack Exploiting an Asset Management Program (Andariel Group)

  Nov 2023  Circumstances of the Andariel Group Exploiting an Apache ActiveMQ Vulnerability (CVE-2023-46604)

  Dec 2023  North Korean hackers stole anti-aircraft system data from South Korean firm

  Mar 2024  Andariel Group Exploiting Korean Asset Management Solutions (MeshAgent)

  Apr 2024  North Korean hackers exploit VPN update flaw to install malware

  May 2024  Analysis of APT Attack Cases Using Dora RAT Against Korean Companies (Andariel Group)

  Aug 2024  Stonefly: Extortion Attacks Continue Against U.S. Targets

  Mid 2024  Analysis of Attack Cases Against Korean Solutions by the Andariel Group (SmallTiger)

  Oct 2024  Jumpy Pisces Engages in Play Ransomware

Counter operations:

  Jul 2024  Rewards for Justice – Reward Offer for Information on North Korean Malicious Cyber Actor Targeting U.S. Critical Infrastructure

Information: MITRE ATT&CK

Last change to this card: 16 August 2025

Source: https://apt.etda.or.th/cgi-bin/showcard.cgi?u=00089621-cabc-421a-b2ce-3fd18f6bfa9c