{
	"id": "44e38549-2b32-4a6b-b96b-ef7e9b5bb283",
	"created_at": "2026-04-06T00:10:36.725224Z",
	"updated_at": "2026-04-10T03:38:19.298102Z",
	"deleted_at": null,
	"sha1_hash": "ad9e4f7adc2f7811d5076af75920df2e7cf44295",
	"title": "Threat Assessment: North Korean Threat Groups",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 3434632,
	"plain_text": "Threat Assessment: North Korean Threat Groups\r\nBy Unit 42\r\nPublished: 2024-09-09 · Archived: 2026-04-02 10:51:07 UTC\r\nExecutive Summary\r\nLazarus has been used in public reporting as an umbrella term for threat actors from the Democratic People's\r\nRepublic of Korea (DPRK), commonly referred to as North Korea. However, many of these threat actors can be\r\nclassified into different groups under the Reconnaissance General Bureau (RGB) of the Korean People's Army.\r\nOver the years, the RGB has revealed at least six threat groups that we designate as:\r\nAlluring Pisces (Bluenoroff [PDF])\r\nGleaming Pisces (Citrine Sleet)\r\nJumpy Pisces (Andariel)\r\nSelective Pisces (TEMP.Hermit [PDF])\r\nSlow Pisces (TraderTraitor)\r\nSparkling Pisces (Kimsuky)\r\nThese groups develop their own distinct set of malware that they have used to facilitate diverse types of\r\noperations, including:\r\nIntelligence gathering missions\r\nAsset recruitment\r\nDestructive attacks\r\nFinancial crime\r\nNorth Korean threat groups are a focus area in the 2024 MITRE ATT\u0026CK enterprise evaluation.\r\nThis threat assessment reviews the different North Korean threat groups under the RGB that we track. We’ll also\r\nreview 10 malware families observed in recent attacks carried out by North Korean threat groups. This includes\r\nmalware for all three major operating systems: Windows, macOS and Linux.\r\nIn addition to describing each type of malware’s functionality and history, we will present their execution through\r\nthe lens of Palo Alto Networks Cortex XDR. We will show how Cortex protects against known North Korean\r\nmalware.\r\nPalo Alto Networks customers receive better protections from the North Korean threat groups' arsenal and the\r\ntechniques discussed in this blog through Cortex XDR. 
Cortex XDR provides a multi-layer defense that includes\r\nbehavioral threat protection and exploit protection.\r\nOur Advanced WildFire cloud-delivered malware analysis service accurately identifies samples related to these\r\nNorth Korean groups as malicious. Cloud-Delivered Security Services, including Advanced URL Filtering and\r\nhttps://unit42.paloaltonetworks.com/threat-assessment-north-korean-threat-groups-2024/\r\nPage 1 of 20\n\nAdvanced DNS Security, identify domains associated with this group as malicious. Prisma Cloud leverages the\r\npower of XSIAM through the Cloud Security Agent (CSA) to better protect against novel malware.\r\nIf you think you might have been compromised or have an urgent matter, contact the Unit 42 Incident Response\r\nteam.\r\nNorth Korean Threat Groups Under the RGB\r\nNorth Korean threat group activity is often referred to as Lazarus or the Lazarus Group in public reports.\r\nHowever, most of this activity is reportedly conducted by groups under the RGB, an organization that falls under\r\nthe General Staff Bureau of the DPRK Korean People's Army.\r\nThese groups support the North Korean government through a combination of espionage, financial gain and\r\ngeopolitical disruption. Some of the significant operations executed by these groups across the years include:\r\nThe Sony Pictures Hack in 2014 [PDF]\r\nThe WannaCry ransomware attacks in 2017\r\nOperation Dream Job [PDF]\r\nNumerous cryptocurrency exchange attacks\r\nThese groups have been reportedly active as early as 2007 [PDF]. Activity under the RGB can be categorized into\r\nat least six threat groups:\r\nAlluring Pisces (aka APT38 [PDF], Bluenoroff, Sapphire Sleet): This group has targeted financial\r\ninstitutions, cryptocurrency businesses and ATMs. 
It has also conducted significant cyber heists.\r\nGleaming Pisces (aka Citrine Sleet): This group performed attacks targeting the cryptocurrency industry\r\nand is known for its association with the AppleJeus campaign.\r\nJumpy Pisces (aka Andariel, Hidden Cobra, Onyx Sleet): This group has primarily conducted\r\ncyberespionage, but it has also conducted ransomware activity.\r\nSelective Pisces (aka Diamond Sleet, TEMP.Hermit [PDF], ZINC): This group has targeted media, defense\r\nand IT organizations. It focuses on espionage, financial gain and network destruction.\r\nSlow Pisces (aka Jade Sleet, UNC4899): This group has targeted blockchain and cryptocurrency\r\ncompanies. It was also involved in a supply chain attack targeting a U.S.-based software platform and is\r\nknown for distributing a series of malicious applications called TraderTraitor.\r\nSparkling Pisces (aka APT43 [PDF], Emerald Sleet, Kimsuky, THALLIUM): This group conducts\r\nintelligence collection and has used cybercrime to fund espionage.\r\nThese groups have evolved over the years, and we often find overlaps in the tactics, techniques and tools. Figure 1\r\nshows a simplified organizational chart for these groups under the RGB.\r\nFigure 1. Organizational chart for North Korean threat groups under the RGB, showing both Unit\r\n42 names and other akas.\r\nFigure 1 does not include all North Korean state-sponsored threat actors, only those under the RGB. Other threat\r\ngroups that operate outside of the RGB also conduct malicious cyber activity for North Korea.\r\nThese North Korean threat groups use a wide arsenal of tools that span across the Windows, Linux and macOS\r\nplatforms.\r\nMITRE ATT\u0026CK Enterprise Evaluation\r\nMITRE chose North Korean threat groups as one of the focus areas for this year’s MITRE ATT\u0026CK enterprise\r\nevaluation. 
In this threat assessment, we focus on North Korean threat groups due to their worldwide reach and\r\nthe impact of their operations on multiple industries and across multiple regions.\r\nWe chose the top 10 most recently active types of malware from North Korean threat groups. This threat\r\nassessment includes a brief technical analysis for each type of malware, and it shows how Cortex XDR detects\r\nand prevents these threats.\r\nRecent North Korean Malware Arsenal Analysis\r\nmacOS Malware\r\nRustBucket\r\nMalware type: Backdoor\r\nGroup affiliation: Alluring Pisces\r\nFirst seen: 2023\r\nOS type: macOS\r\nDescription:\r\nRustBucket is macOS malware first reported in 2023. Since then, multiple variants of the malware have been\r\nobserved in the wild. Most RustBucket infections are composed of three stages.\r\nThe first stage usually is an AppleScript file contained inside an application or inside a ZIP archive masquerading\r\nas a legitimate file. This AppleScript file is responsible for retrieving the second stage downloader.\r\nThe second stage downloader masquerades as a PDF viewer application. Some variants of this second stage\r\ndownloader are written in Swift, while others are written in Objective-C.\r\nThe third stage is the final payload retrieved by the second stage downloader. Figure 2 shows an alert from Cortex\r\nXDR that blocks a RustBucket sample from downloading the next stage of malware.\r\nFigure 2. Cortex XDR alert on preventing RustBucket download activity.\r\nThe third stage payloads are Mach-O binaries written in Rust, hence the name RustBucket. Later variants of stage\r\nthree employ persistence via a LaunchAgent, a feature that did not exist in older variants. 
Stage three has two\r\nmain commands:\r\nDownload and execute a file\r\nSelf-terminate the malware\r\nKANDYKORN\r\nMalware type: Backdoor\r\nGroup affiliation: Alluring Pisces\r\nFirst seen: 2023\r\nOS type: macOS\r\nDescription:\r\nFirst discovered in 2023, KANDYKORN is the payload of a five-stage infection chain targeting macOS systems.\r\nKnown infections of KANDYKORN start with social engineering, tricking the victim into downloading a\r\nmalicious ZIP archive containing a malicious Python script. If the victim executes the Python file, it downloads\r\nstage two of the infection, which is a second Python script that is saved into a folder named _log.\r\nThe second stage of the infection involves two additional Python scripts. The first Python script saved to the _log\r\ndirectory downloads another script saved to the /Users/Shared/ directory, which in turn downloads a stage three\r\nfile, saving it as /Users/shared/.sld.\r\nStage three of the infection is a downloader and loader dubbed SUGARLOADER. For persistence,\r\nSUGARLOADER saves itself as /Users/shared/.log.\r\nUpon execution, SUGARLOADER checks for the existence of a configuration file at\r\n/Library/Caches/com.apple.safari.ck. If that configuration file is missing, SUGARLOADER downloads it using a\r\ndefault IP address provided in the command line.\r\nThe configuration file at /Library/Caches/com.apple.safari.ck contains the location to download the next stage\r\nfrom. In Figure 3, we see part of a Cortex XDR alert that reveals the installation of this configuration file.\r\nFigure 3. Section of a Cortex XDR alert revealing SUGARLOADER installing its configuration\r\nfile.\r\nCortex XDR detects SUGARLOADER installing its configuration file and alerts on staged malware activity as\r\nshown below in Figure 4.\r\nFigure 4. 
Staged malware activity alert in Cortex XDR for SUGARLOADER.\r\nAfter installing its configuration file, SUGARLOADER downloads a malware binary for HLOADER.\r\nHLOADER functions as the persistence mechanism for KANDYKORN. HLOADER attempts to masquerade as\r\nDiscord by replacing the legitimate application and renaming itself Discord. Figure 5 shows Cortex XDR\r\npreventing this name change by HLOADER.\r\nFigure 5. Alert from Cortex XDR preventing HLOADER from naming itself Discord for\r\npersistence.\r\nIf the legitimate Discord application already exists on the victim's host, HLOADER will rename the legitimate\r\nDiscord file to a different name, so it can take over the Discord file name. Figure 6 shows two actions from a\r\nCortex XDR alert where HLOADER renamed the legitimate Discord app to a new name (the bottom file event). It\r\nthen renamed itself to take the place of the legitimate Discord file (the top file event).\r\nFigure 6. File events from a Cortex XDR alert showing HLOADER renaming itself and the\r\nlegitimate Discord file.\r\nBecause Discord is usually launched at system startup, if this file renaming is successful, HLOADER will run\r\ninstead of the legitimate Discord application upon booting or rebooting. If Discord is already installed on the\r\nvictim's system, HLOADER will also execute the newly renamed legitimate Discord application when booting or\r\nrebooting.\r\nIn the final stage of the attack, SUGARLOADER downloads KANDYKORN and loads it into memory by using\r\nreflective loading. 
KANDYKORN is the final payload and possesses several capabilities, including information\r\ngathering, data exfiltration and arbitrary command execution.\r\nSmoothOperator\r\nMalware type: Backdoor\r\nGroup affiliation: Undetermined, under RGB\r\nFirst seen: 2023\r\nOS type: macOS\r\nDescription:\r\nIn early 2023, multiple vendors discovered Trojanized macOS installers for the legitimate 3CX client\r\napplication known as 3CXDesktopApp. These Trojanized installers contained multi-staged malware called\r\nSmoothOperator.\r\nSmoothOperator can execute payloads and extract data related to 3CX from infected hosts. It is written in\r\nObjective-C and targets 64-bit Intel-based macOS users.\r\nThe Trojanized component of SmoothOperator inside the 3CXDesktopApp application is a module called\r\nlibffmpeg.dylib, which is a legitimate dependency that appears to have been tampered with by the threat\r\nactors. The main purpose of this tampered libffmpeg.dylib file is to collect the infected device’s environment\r\ninformation and to deliver additional payloads.\r\nWhen downloading an additional payload, the module writes the payload into a file named UpdateAgent and\r\nexecutes it. Below, Figure 7 shows disassembled code from a tampered libffmpeg.dylib file related to saving the\r\nfollow-up payload as UpdateAgent.\r\nFigure 7. Code snippet from libffmpeg.dylib showing how it writes data and changes permission for\r\nthe UpdateAgent file.\r\nUpdateAgent collects the victim's 3CX account information, then it removes itself. The relatively limited\r\ncapabilities of UpdateAgent likely prevent it from deploying a wide variety of payloads, and we have only noted\r\nSmoothOperator as the final payload from this infection chain. 
Figure 8 shows a Cortex XDR alert detecting a\r\nTrojanized 3CX desktop app carrying SmoothOperator.\r\nFigure 8. Alert from Cortex XDR detecting a Trojanized version of the 3CX desktop app.\r\nObjCShellz\r\nMalware type: Backdoor\r\nGroup affiliation: Alluring Pisces\r\nFirst seen: 2023\r\nOS type: macOS\r\nDescription:\r\nObjCShellz is a relatively simple backdoor that Jamf Threat Labs discovered and named in November 2023. It serves\r\nas a remote shell and allows an attacker to execute arbitrary commands. Attackers reportedly deliver ObjCShellz\r\nas a second stage payload to an already compromised system.\r\nLike other macOS malware, ObjCShellz is written in Objective-C. Jamf Threat Labs reported attackers using it as\r\na part of the RustBucket campaign. Figure 9 below shows a Cortex XDR alert detecting a sample of ObjCShellz.\r\nFigure 9. Cortex XDR alert detecting ObjCShellz activity.\r\nFullhouse\r\nMalware type: Backdoor\r\nGroup affiliation: Slow Pisces\r\nFirst seen: 2023\r\nOS type: macOS\r\nDescription:\r\nReported by Mandiant in 2023, Fullhouse is an HTTP backdoor written in C/C++, and it was seen as a part of a\r\nsupply chain attack. Delivered as a first-stage backdoor, Fullhouse supports the execution of arbitrary commands\r\nand in turn delivers other second-stage backdoors.\r\nDisassembled code from a Fullhouse sample reveals some unimplemented functions, such as\r\nMyFunctionStealthCodeArea, shown in Figure 10. Parts of this code also retrieve the shell environment variable,\r\nnoted in the line containing getenv(\"SHELL\").\r\nFigure 10. 
Fullhouse code snippet showing unimplemented functions.\r\nBelow, Figure 11 shows a Cortex XDR alert blocking Fullhouse activity.\r\nFigure 11. Fullhouse malware prevented by Cortex XDR.\r\nMulti-Platform Malware\r\nPOOLRAT\r\nMalware type: Backdoor\r\nGroup affiliation: Gleaming Pisces\r\nFirst seen: 2021\r\nOS type: macOS and Linux\r\nDescription:\r\nPOOLRAT is a macOS and Linux backdoor first reported by CISA in 2021 as a file named prtspool, likely the\r\nfinal payload in an AppleJeus attack. Mandiant named this malware family POOLRAT and identified a newer\r\nsample in its analysis of the 2023 3CX supply chain attack.\r\nCortex XDR detects and blocks POOLRAT as shown below in Figure 12.\r\nFigure 12. Alert showing Cortex XDR detecting and blocking a POOLRAT sample.\r\nPondRAT\r\nMalware type: Remote Administration Tool (RAT)\r\nGroup affiliation: Gleaming Pisces\r\nFirst seen: 2021\r\nOS type: macOS and Linux\r\nDescription:\r\nPondRAT is the name we use for a RAT family with variants for Linux and macOS. CISA reported the earliest\r\nsample we identify as PondRAT as part of a cryptocurrency-themed Kupay Wallet macOS malware package\r\nduring an AppleJeus campaign in 2021.\r\nAnalysis of malicious packages uploaded to the Python Package Index (PyPI) in February 2024 revealed another\r\nsample we identify as PondRAT. Since it first appeared in 2021, we have identified seven macOS or Linux\r\nsamples as PondRAT. The Indicators of Compromise section of this article has further details.\r\nFigure 13 depicts an alert from Cortex XDR detecting and blocking a PondRAT sample.\r\nFigure 13. 
Cortex XDR Agent alerting to a blocked PondRAT Linux sample.\r\nLinux Malware\r\nOdicLoader\r\nMalware type: Downloader\r\nGroup affiliation: Selective Pisces\r\nFirst seen: 2023\r\nOS type: Linux\r\nDescription:\r\nOdicLoader is an ELF downloader that masquerades as a PDF file by using the U+2024 Unicode character\r\n(UTF-8 bytes 0xE2 0x80 0xA4) instead of a period (0x2E) before the pdf file extension. This technique\r\ncan deceive the file manager in a graphical Linux environment, causing the fake PDF file to execute as an ELF\r\nwhen double-clicked instead of opening with a PDF viewer.\r\nWhen executed, OdicLoader opens a decoy PDF with the system's default PDF viewer using xdg-open, then it\r\ndownloads and executes the next stage payload.\r\nESET reported OdicLoader as part of a North Korean threat campaign named Operation DreamJob. Figure 14\r\nbelow shows a Cortex XDR alert detecting OdicLoader.\r\nFigure 14. Cortex XDR alert on OdicLoader execution.\r\nWindows Malware\r\nComebacker\r\nMalware type: Backdoor and downloader\r\nGroup affiliation: Selective Pisces\r\nFirst seen: 2020\r\nOS type: Windows\r\nDescription:\r\nAttackers originally used Comebacker malware as part of a campaign targeting security researchers in 2020. As with\r\nPondRAT, attackers have also distributed Comebacker in malicious packages uploaded to PyPI.\r\nComebacker communicates with its command and control (C2) server by sending randomly generated parameter\r\nnames through HTTP POST requests. During the initial connection, the client exchanges keys with the server and\r\nsends the current local time. 
The server then responds with multiple values, including the encrypted payload,\r\nexecution instructions and an MD5 hash to verify the authenticity of the payload.\r\nFigure 15 shows a prevention alert from Cortex XDR blocking a Comebacker sample.\r\nFigure 15. Alert from Cortex XDR blocking Comebacker malware.\r\nCollectionRAT\r\nMalware type: Remote Administration Tool (RAT)\r\nGroup affiliation: Jumpy Pisces\r\nFirst seen: 2023\r\nOS type: Windows\r\nDescription:\r\nCollectionRAT is a Windows-based RAT first described in a Cisco Talos report in 2023 that lists samples dating\r\nas early as 2021. This malware communicates with its C2 server over HTTP and uses the Microsoft Foundation\r\nClass (MFC) library as a wrapper to decrypt its malicious code.\r\nWhen executed on a victim host, CollectionRAT first collects system information to fingerprint the victim's\r\nenvironment and sends it to the C2 server. The server responds with commands for the malware that provide the\r\nattacker a wide range of capabilities.\r\nThese capabilities include:\r\nManipulating processes and files\r\nExecuting arbitrary commands\r\nExfiltrating data\r\nDownloading and executing additional payloads\r\nRemoving itself from an infected host upon instruction from the C2 server\r\nFigure 16 below shows Cortex XDR blocking a CollectionRAT sample.\r\nFigure 16. Cortex XDR blocking a CollectionRAT sample.\r\nConclusion\r\nNorth Korean groups have been documented targeting various sectors worldwide, using a wide range of custom-built malware. 
In this article, we examined the top 10 malware families from North Korean threat groups and\r\ndemonstrated how Palo Alto Networks Cortex XDR detects and prevents these threats.\r\nDue to the severity of the risks posed by North Korean threat actors, we encourage organizations to prioritize\r\ncomprehensive security strategies and invest in multi-layer security measures. This helps safeguard against\r\nthe growing threat from these types of state-sponsored threat groups.\r\nProtections and Mitigations\r\nPalo Alto Networks customers receive better protections against the arsenal of malware related to the DPRK threat\r\ngroups described in this article.\r\nWe have implemented prevention and detection alerts for each type of malware: RustBucket, KANDYKORN,\r\nSmoothOperator, ObjCShellz, Fullhouse, POOLRAT, PondRAT, OdicLoader, Comebacker and CollectionRAT.\r\nFor Palo Alto Networks customers, the products and services that provide coverage for the activity described in this\r\narticle include Cortex XDR and XSIAM. Cortex XDR detects user and credential-based threats by analyzing user\r\nactivity from multiple data sources including the following:\r\nEndpoints\r\nNetwork firewalls\r\nActive Directory\r\nIdentity and access management solutions\r\nCloud workloads\r\nCortex XDR, Prisma Cloud and XSIAM build behavioral profiles of user activity over time with machine\r\nlearning. By comparing new activity to past activity, peer activity and the expected behavior of the entity, we can\r\ndetect anomalous activity indicative of credential-based attacks. 
Prisma Cloud leverages the power of XSIAM\r\nthrough the Cloud Security Agent (CSA), ensuring that your cloud endpoints are better protected from novel\r\nmalware.\r\nThis combination of services also offers the following protections related to the attacks discussed in this post:\r\nPrevents the execution of known malware and also prevents the execution of unknown malware\r\nusing Behavioral Threat Protection and the machine learning-based Local Analysis module\r\nProtects against credential gathering tools and techniques using the new Credential Gathering Protection\r\navailable from Cortex XDR\r\nProtects from threat actors dropping and executing commands from web shells using Anti-Webshell\r\nProtection, newly released in Cortex XDR\r\nProtects against exploitation of different vulnerabilities including ProxyShell and ProxyLogon using the\r\nAnti-Exploitation modules as well as Behavioral Threat Protection\r\nCortex XDR Pro detects post exploitation activity, including credential-based attacks, with behavioral\r\nanalytics\r\nAdvanced WildFire cloud-delivered malware analysis service accurately identifies the known samples as\r\nmalicious. Advanced URL Filtering and Advanced DNS Security identify known URLs and domains associated\r\nwith this activity as malicious.\r\nIf you think you might have been impacted or have an urgent matter, get in touch with the Unit 42 Incident\r\nResponse team or call:\r\nNorth America Toll-Free: 866.486.4842 (866.4.UNIT42)\r\nEMEA: +31.20.299.3130\r\nAPAC: +65.6983.8730\r\nJapan: +81.50.1790.0200\r\nPalo Alto Networks has shared these findings, including file samples and indicators of compromise, with our\r\nfellow Cyber Threat Alliance (CTA) members. CTA members use this intelligence to rapidly deploy protections to\r\ntheir customers and to systematically disrupt malicious cyber actors. 
Learn more about the Cyber Threat Alliance.\r\nIndicators of Compromise\r\nUpdated Sept. 11, 2024, at 11:55 a.m. PT for clarifying language on which threat groups this piece covers.\r\nSource: https://unit42.paloaltonetworks.com/threat-assessment-north-korean-threat-groups-2024/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MITRE",
		"ETDA"
	],
	"references": [
		"https://unit42.paloaltonetworks.com/threat-assessment-north-korean-threat-groups-2024/"
	],
	"report_names": [
		"threat-assessment-north-korean-threat-groups-2024"
	],
	"threat_actors": [
		{
			"id": "838f6ced-12a4-4893-991a-36d231d96efd",
			"created_at": "2022-10-25T15:50:23.347455Z",
			"updated_at": "2026-04-10T02:00:05.295717Z",
			"deleted_at": null,
			"main_name": "Andariel",
			"aliases": [
				"Andariel",
				"Silent Chollima",
				"PLUTONIUM",
				"Onyx Sleet"
			],
			"source_name": "MITRE:Andariel",
			"tools": [
				"Rifdoor",
				"gh0st RAT"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "34eea331-d052-4096-ae03-a22f1d090bd4",
			"created_at": "2025-08-07T02:03:25.073494Z",
			"updated_at": "2026-04-10T02:00:03.709243Z",
			"deleted_at": null,
			"main_name": "NICKEL ACADEMY",
			"aliases": [
				"ATK3 ",
				"Black Artemis ",
				"COVELLITE ",
				"CTG-2460 ",
				"Citrine Sleet ",
				"Diamond Sleet ",
				"Guardians of Peace",
				"HIDDEN COBRA ",
				"High Anonymous",
				"Labyrinth Chollima ",
				"Lazarus Group ",
				"NNPT Group",
				"New Romanic Cyber Army Team",
				"Temp.Hermit ",
				"UNC577 ",
				"Who Am I?",
				"Whois Team",
				"ZINC "
			],
			"source_name": "Secureworks:NICKEL ACADEMY",
			"tools": [
				"Destover",
				"KorHigh",
				"Volgmer"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "810fada6-3a62-477e-ac11-2702f9a1ef80",
			"created_at": "2023-01-06T13:46:38.874104Z",
			"updated_at": "2026-04-10T02:00:03.129286Z",
			"deleted_at": null,
			"main_name": "STARDUST CHOLLIMA",
			"aliases": [
				"Sapphire Sleet"
			],
			"source_name": "MISPGALAXY:STARDUST CHOLLIMA",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "c306e698-3b48-46d7-b571-3dfa0c828379",
			"created_at": "2023-05-16T02:02:09.957677Z",
			"updated_at": "2026-04-10T02:00:03.364345Z",
			"deleted_at": null,
			"main_name": "APT43",
			"aliases": [],
			"source_name": "MISPGALAXY:APT43",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "c1eadfd8-6e9c-4024-902d-555c9530fcea",
			"created_at": "2023-01-06T13:46:38.645834Z",
			"updated_at": "2026-04-10T02:00:03.04985Z",
			"deleted_at": null,
			"main_name": "TEMP.Hermit",
			"aliases": [],
			"source_name": "MISPGALAXY:TEMP.Hermit",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "110e7160-a8cc-4a66-8550-f19f7d418117",
			"created_at": "2023-01-06T13:46:38.427592Z",
			"updated_at": "2026-04-10T02:00:02.969896Z",
			"deleted_at": null,
			"main_name": "Silent Chollima",
			"aliases": [
				"Onyx Sleet",
				"PLUTONIUM",
				"OperationTroy",
				"Guardian of Peace",
				"GOP",
				"WHOis Team",
				"Andariel",
				"Subgroup: Andariel"
			],
			"source_name": "MISPGALAXY:Silent Chollima",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "191d7f9a-8c3c-442a-9f13-debe259d4cc2",
			"created_at": "2022-10-25T15:50:23.280374Z",
			"updated_at": "2026-04-10T02:00:05.305572Z",
			"deleted_at": null,
			"main_name": "Kimsuky",
			"aliases": [
				"Kimsuky",
				"Black Banshee",
				"Velvet Chollima",
				"Emerald Sleet",
				"THALLIUM",
				"APT43",
				"TA427",
				"Springtail"
			],
			"source_name": "MITRE:Kimsuky",
			"tools": [
				"Troll Stealer",
				"schtasks",
				"Amadey",
				"GoBear",
				"Brave Prince",
				"CSPY Downloader",
				"gh0st RAT",
				"AppleSeed",
				"Gomir",
				"NOKKI",
				"QuasarRAT",
				"Gold Dragon",
				"PsExec",
				"KGH_SPY",
				"Mimikatz",
				"BabyShark",
				"TRANSLATEXT"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "544ecd2c-82c9-417c-9d98-d1ae395df964",
			"created_at": "2025-10-29T02:00:52.035025Z",
			"updated_at": "2026-04-10T02:00:05.408558Z",
			"deleted_at": null,
			"main_name": "AppleJeus",
			"aliases": [
				"AppleJeus",
				"Gleaming Pisces",
				"Citrine Sleet",
				"UNC1720",
				"UNC4736"
			],
			"source_name": "MITRE:AppleJeus",
			"tools": null,
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "0106b19a-ac99-4bc9-90b9-4647bfc5f3ce",
			"created_at": "2023-11-08T02:00:07.144995Z",
			"updated_at": "2026-04-10T02:00:03.425891Z",
			"deleted_at": null,
			"main_name": "TraderTraitor",
			"aliases": [
				"Pukchong",
				"Jade Sleet",
				"UNC4899"
			],
			"source_name": "MISPGALAXY:TraderTraitor",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "bc6e3644-3249-44f3-a277-354b7966dd1b",
			"created_at": "2022-10-25T16:07:23.760559Z",
			"updated_at": "2026-04-10T02:00:04.741239Z",
			"deleted_at": null,
			"main_name": "Andariel",
			"aliases": [
				"APT 45",
				"Andariel",
				"G0138",
				"Jumpy Pisces",
				"Onyx Sleet",
				"Operation BLACKMINE",
				"Operation BLACKSHEEP/Phase 3.",
				"Operation Blacksmith",
				"Operation DESERTWOLF/Phase 3",
				"Operation GHOSTRAT",
				"Operation GoldenAxe",
				"Operation INITROY/Phase 1",
				"Operation INITROY/Phase 2",
				"Operation Mayday",
				"Operation VANXATM",
				"Operation XEDA",
				"Plutonium",
				"Silent Chollima",
				"Stonefly"
			],
			"source_name": "ETDA:Andariel",
			"tools": [],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "760f2827-1718-4eed-8234-4027c1346145",
			"created_at": "2023-01-06T13:46:38.670947Z",
			"updated_at": "2026-04-10T02:00:03.062424Z",
			"deleted_at": null,
			"main_name": "Kimsuky",
			"aliases": [
				"G0086",
				"Emerald Sleet",
				"THALLIUM",
				"Springtail",
				"Sparkling Pisces",
				"Thallium",
				"Operation Stolen Pencil",
				"APT43",
				"Velvet Chollima",
				"Black Banshee"
			],
			"source_name": "MISPGALAXY:Kimsuky",
			"tools": [
				"xrat",
				"QUASARRAT",
				"RDP Wrapper",
				"TightVNC",
				"BabyShark",
				"RevClient"
			],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "732597b1-40a8-474c-88cc-eb8a421c29f1",
			"created_at": "2025-08-07T02:03:25.087732Z",
			"updated_at": "2026-04-10T02:00:03.776007Z",
			"deleted_at": null,
			"main_name": "NICKEL GLADSTONE",
			"aliases": [
				"APT38 ",
				"ATK 117 ",
				"Alluring Pisces ",
				"Black Alicanto ",
				"Bluenoroff ",
				"CTG-6459 ",
				"Citrine Sleet ",
				"HIDDEN COBRA ",
				"Lazarus Group",
				"Sapphire Sleet ",
				"Selective Pisces ",
				"Stardust Chollima ",
				"T-APT-15 ",
				"TA444 ",
				"TAG-71 "
			],
			"source_name": "Secureworks:NICKEL GLADSTONE",
			"tools": [
				"AlphaNC",
				"Bankshot",
				"CCGC_Proxy",
				"Ratankba",
				"RustBucket",
				"SUGARLOADER",
				"SwiftLoader",
				"Wcry"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "c8bf82a7-6887-4d46-ad70-4498b67d4c1d",
			"created_at": "2025-08-07T02:03:25.101147Z",
			"updated_at": "2026-04-10T02:00:03.846812Z",
			"deleted_at": null,
			"main_name": "NICKEL KIMBALL",
			"aliases": [
				"APT43 ",
				"ARCHIPELAGO ",
				"Black Banshee ",
				"Crooked Pisces ",
				"Emerald Sleet ",
				"ITG16 ",
				"Kimsuky ",
				"Larva-24005 ",
				"Opal Sleet ",
				"Ruby Sleet ",
				"SharpTongue ",
				"Sparking Pisces ",
				"Springtail ",
				"TA406 ",
				"TA427 ",
				"THALLIUM ",
				"UAT-5394 ",
				"Velvet Chollima "
			],
			"source_name": "Secureworks:NICKEL KIMBALL",
			"tools": [
				"BabyShark",
				"FastFire",
				"FastSpy",
				"FireViewer",
				"Konni"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "a2b92056-9378-4749-926b-7e10c4500dac",
			"created_at": "2023-01-06T13:46:38.430595Z",
			"updated_at": "2026-04-10T02:00:02.971571Z",
			"deleted_at": null,
			"main_name": "Lazarus Group",
			"aliases": [
				"Operation DarkSeoul",
				"Bureau 121",
				"Group 77",
				"APT38",
				"NICKEL GLADSTONE",
				"G0082",
				"COPERNICIUM",
				"Moonstone Sleet",
				"Operation GhostSecret",
				"APT 38",
				"Appleworm",
				"Unit 121",
				"ATK3",
				"G0032",
				"ATK117",
				"NewRomanic Cyber Army Team",
				"Nickel Academy",
				"Sapphire Sleet",
				"Lazarus group",
				"Hastati Group",
				"Subgroup: Bluenoroff",
				"Operation Troy",
				"Black Artemis",
				"Dark Seoul",
				"Andariel",
				"Labyrinth Chollima",
				"Operation AppleJeus",
				"COVELLITE",
				"Citrine Sleet",
				"DEV-0139",
				"DEV-1222",
				"Hidden Cobra",
				"Bluenoroff",
				"Stardust Chollima",
				"Whois Hacking Team",
				"Diamond Sleet",
				"TA404",
				"BeagleBoyz",
				"APT-C-26"
			],
			"source_name": "MISPGALAXY:Lazarus Group",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "771d9263-076e-4b6e-bd58-92b6555eb739",
			"created_at": "2025-08-07T02:03:25.092436Z",
			"updated_at": "2026-04-10T02:00:03.758541Z",
			"deleted_at": null,
			"main_name": "NICKEL HYATT",
			"aliases": [
				"APT45 ",
				"Andariel",
				"Dark Seoul",
				"Jumpy Pisces ",
				"Onyx Sleet ",
				"RIFLE Campaign",
				"Silent Chollima ",
				"Stonefly ",
				"UN614 "
			],
			"source_name": "Secureworks:NICKEL HYATT",
			"tools": [
				"ActiveX 0-day",
				"DTrack",
				"HazyLoad",
				"HotCriossant",
				"Rifle",
				"UnitBot",
				"Valefor"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "32a223a8-3c79-4146-87c5-8557d38662ae",
			"created_at": "2022-10-25T15:50:23.703698Z",
			"updated_at": "2026-04-10T02:00:05.261989Z",
			"deleted_at": null,
			"main_name": "Lazarus Group",
			"aliases": [
				"Lazarus Group",
				"Labyrinth Chollima",
				"HIDDEN COBRA",
				"Guardians of Peace",
				"NICKEL ACADEMY",
				"Diamond Sleet"
			],
			"source_name": "MITRE:Lazarus Group",
			"tools": [
				"RawDisk",
				"Proxysvc",
				"BADCALL",
				"FALLCHILL",
				"WannaCry",
				"MagicRAT",
				"HOPLIGHT",
				"TYPEFRAME",
				"Dtrack",
				"HotCroissant",
				"HARDRAIN",
				"Dacls",
				"KEYMARBLE",
				"TAINTEDSCRIBE",
				"AuditCred",
				"netsh",
				"ECCENTRICBANDWAGON",
				"AppleJeus",
				"BLINDINGCAN",
				"ThreatNeedle",
				"Volgmer",
				"Cryptoistic",
				"RATANKBA",
				"Bankshot"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "f426f0a0-faef-4c0e-bcf8-88974116c9d0",
			"created_at": "2022-10-25T15:50:23.240383Z",
			"updated_at": "2026-04-10T02:00:05.299433Z",
			"deleted_at": null,
			"main_name": "APT38",
			"aliases": [
				"APT38",
				"NICKEL GLADSTONE",
				"BeagleBoyz",
				"Bluenoroff",
				"Stardust Chollima",
				"Sapphire Sleet",
				"COPERNICIUM"
			],
			"source_name": "MITRE:APT38",
			"tools": [
				"ECCENTRICBANDWAGON",
				"HOPLIGHT",
				"Mimikatz",
				"KillDisk",
				"DarkComet"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "1bdb91cf-f1a6-4bed-8cfa-c7ea1b635ebd",
			"created_at": "2022-10-25T16:07:23.766784Z",
			"updated_at": "2026-04-10T02:00:04.7432Z",
			"deleted_at": null,
			"main_name": "Bluenoroff",
			"aliases": [
				"APT 38",
				"ATK 117",
				"Alluring Pisces",
				"Black Alicanto",
				"Bluenoroff",
				"CTG-6459",
				"Copernicium",
				"G0082",
				"Nickel Gladstone",
				"Sapphire Sleet",
				"Selective Pisces",
				"Stardust Chollima",
				"T-APT-15",
				"TA444",
				"TAG-71",
				"TEMP.Hermit"
			],
			"source_name": "ETDA:Bluenoroff",
			"tools": [],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "71a1e16c-3ba6-4193-be62-be53527817bc",
			"created_at": "2022-10-25T16:07:23.753455Z",
			"updated_at": "2026-04-10T02:00:04.73769Z",
			"deleted_at": null,
			"main_name": "Kimsuky",
			"aliases": [
				"APT 43",
				"Black Banshee",
				"Emerald Sleet",
				"G0086",
				"G0094",
				"ITG16",
				"KTA082",
				"Kimsuky",
				"Larva-24005",
				"Larva-25004",
				"Operation Baby Coin",
				"Operation Covert Stalker",
				"Operation DEEP#DRIVE",
				"Operation DEEP#GOSU",
				"Operation Kabar Cobra",
				"Operation Mystery Baby",
				"Operation Red Salt",
				"Operation Smoke Screen",
				"Operation Stealth Power",
				"Operation Stolen Pencil",
				"SharpTongue",
				"Sparkling Pisces",
				"Springtail",
				"TA406",
				"TA427",
				"Thallium",
				"UAT-5394",
				"Velvet Chollima"
			],
			"source_name": "ETDA:Kimsuky",
			"tools": [
				"AngryRebel",
				"AppleSeed",
				"BITTERSWEET",
				"BabyShark",
				"BoBoStealer",
				"CSPY Downloader",
				"Farfli",
				"FlowerPower",
				"Gh0st RAT",
				"Ghost RAT",
				"Gold Dragon",
				"GoldDragon",
				"GoldStamp",
				"JamBog",
				"KGH Spyware Suite",
				"KGH_SPY",
				"KPortScan",
				"KimJongRAT",
				"Kimsuky",
				"LATEOP",
				"LOLBAS",
				"LOLBins",
				"Living off the Land",
				"Lovexxx",
				"MailPassView",
				"Mechanical",
				"Mimikatz",
				"MoonPeak",
				"Moudour",
				"MyDogs",
				"Mydoor",
				"Network Password Recovery",
				"PCRat",
				"ProcDump",
				"PsExec",
				"ReconShark",
				"Remote Desktop PassView",
				"SHARPEXT",
				"SWEETDROP",
				"SmallTiger",
				"SniffPass",
				"TODDLERSHARK",
				"TRANSLATEXT",
				"Troll Stealer",
				"TrollAgent",
				"VENOMBITE",
				"WebBrowserPassView",
				"xRAT"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "f32df445-9fb4-4234-99e0-3561f6498e4e",
			"created_at": "2022-10-25T16:07:23.756373Z",
			"updated_at": "2026-04-10T02:00:04.739611Z",
			"deleted_at": null,
			"main_name": "Lazarus Group",
			"aliases": [
				"APT-C-26",
				"ATK 3",
				"Appleworm",
				"Citrine Sleet",
				"DEV-0139",
				"Diamond Sleet",
				"G0032",
				"Gleaming Pisces",
				"Gods Apostles",
				"Gods Disciples",
				"Group 77",
				"Guardians of Peace",
				"Hastati Group",
				"Hidden Cobra",
				"ITG03",
				"Jade Sleet",
				"Labyrinth Chollima",
				"Lazarus Group",
				"NewRomanic Cyber Army Team",
				"Operation 99",
				"Operation AppleJeus",
				"Operation AppleJeus sequel",
				"Operation Blockbuster: Breach of Sony Pictures Entertainment",
				"Operation CryptoCore",
				"Operation Dream Job",
				"Operation Dream Magic",
				"Operation Flame",
				"Operation GhostSecret",
				"Operation In(ter)caption",
				"Operation LolZarus",
				"Operation Marstech Mayhem",
				"Operation No Pineapple!",
				"Operation North Star",
				"Operation Phantom Circuit",
				"Operation Sharpshooter",
				"Operation SyncHole",
				"Operation Ten Days of Rain / DarkSeoul",
				"Operation Troy",
				"SectorA01",
				"Slow Pisces",
				"TA404",
				"TraderTraitor",
				"UNC2970",
				"UNC4034",
				"UNC4736",
				"UNC4899",
				"UNC577",
				"Whois Hacking Team"
			],
			"source_name": "ETDA:Lazarus Group",
			"tools": [
				"3CX Backdoor",
				"3Rat Client",
				"3proxy",
				"AIRDRY",
				"ARTFULPIE",
				"ATMDtrack",
				"AlphaNC",
				"Alreay",
				"Andaratm",
				"AngryRebel",
				"AppleJeus",
				"Aryan",
				"AuditCred",
				"BADCALL",
				"BISTROMATH",
				"BLINDINGCAN",
				"BTC Changer",
				"BUFFETLINE",
				"BanSwift",
				"Bankshot",
				"Bitrep",
				"Bitsran",
				"BlindToad",
				"Bookcode",
				"BootWreck",
				"BottomLoader",
				"Brambul",
				"BravoNC",
				"Breut",
				"COLDCAT",
				"COPPERHEDGE",
				"CROWDEDFLOUNDER",
				"Castov",
				"CheeseTray",
				"CleanToad",
				"ClientTraficForwarder",
				"CollectionRAT",
				"Concealment Troy",
				"Contopee",
				"CookieTime",
				"Cyruslish",
				"DAVESHELL",
				"DBLL Dropper",
				"DLRAT",
				"DRATzarus",
				"DRATzarus RAT",
				"Dacls",
				"Dacls RAT",
				"DarkComet",
				"DarkKomet",
				"DeltaCharlie",
				"DeltaNC",
				"Dembr",
				"Destover",
				"DoublePulsar",
				"Dozer",
				"Dtrack",
				"Duuzer",
				"DyePack",
				"ECCENTRICBANDWAGON",
				"ELECTRICFISH",
				"Escad",
				"EternalBlue",
				"FALLCHILL",
				"FYNLOS",
				"FallChill RAT",
				"Farfli",
				"Fimlis",
				"FoggyBrass",
				"FudModule",
				"Fynloski",
				"Gh0st RAT",
				"Ghost RAT",
				"Gopuram",
				"HARDRAIN",
				"HIDDEN COBRA RAT/Worm",
				"HLOADER",
				"HOOKSHOT",
				"HOPLIGHT",
				"HOTCROISSANT",
				"HOTWAX",
				"HTTP Troy",
				"Hawup",
				"Hawup RAT",
				"Hermes",
				"HotCroissant",
				"HotelAlfa",
				"Hotwax",
				"HtDnDownLoader",
				"Http Dr0pper",
				"ICONICSTEALER",
				"Joanap",
				"Jokra",
				"KANDYKORN",
				"KEYMARBLE",
				"Kaos",
				"KillDisk",
				"KillMBR",
				"Koredos",
				"Krademok",
				"LIGHTSHIFT",
				"LIGHTSHOW",
				"LOLBAS",
				"LOLBins",
				"Lazarus",
				"LightlessCan",
				"Living off the Land",
				"MATA",
				"MBRkiller",
				"MagicRAT",
				"Manuscrypt",
				"Mimail",
				"Mimikatz",
				"Moudour",
				"Mydoom",
				"Mydoor",
				"Mytob",
				"NACHOCHEESE",
				"NachoCheese",
				"NestEgg",
				"NickelLoader",
				"NineRAT",
				"Novarg",
				"NukeSped",
				"OpBlockBuster",
				"PCRat",
				"PEBBLEDASH",
				"PLANKWALK",
				"POOLRAT",
				"PSLogger",
				"PhanDoor",
				"Plink",
				"PondRAT",
				"PowerBrace",
				"PowerRatankba",
				"PowerShell RAT",
				"PowerSpritz",
				"PowerTask",
				"Preft",
				"ProcDump",
				"Proxysvc",
				"PuTTY Link",
				"QUICKRIDE",
				"QUICKRIDE.POWER",
				"Quickcafe",
				"QuiteRAT",
				"R-C1",
				"ROptimizer",
				"Ratabanka",
				"RatabankaPOS",
				"Ratankba",
				"RatankbaPOS",
				"RawDisk",
				"RedShawl",
				"Rifdoor",
				"Rising Sun",
				"Romeo-CoreOne",
				"RomeoAlfa",
				"RomeoBravo",
				"RomeoCharlie",
				"RomeoCore",
				"RomeoDelta",
				"RomeoEcho",
				"RomeoFoxtrot",
				"RomeoGolf",
				"RomeoHotel",
				"RomeoMike",
				"RomeoNovember",
				"RomeoWhiskey",
				"Romeos",
				"RustBucket",
				"SHADYCAT",
				"SHARPKNOT",
				"SIGFLIP",
				"SIMPLESEA",
				"SLICKSHOES",
				"SORRYBRUTE",
				"SUDDENICON",
				"SUGARLOADER",
				"SheepRAT",
				"SierraAlfa",
				"SierraBravo",
				"SierraCharlie",
				"SierraJuliett-MikeOne",
				"SierraJuliett-MikeTwo",
				"SimpleTea",
				"SimplexTea",
				"SmallTiger",
				"Stunnel",
				"TAINTEDSCRIBE",
				"TAXHAUL",
				"TFlower",
				"TOUCHKEY",
				"TOUCHMOVE",
				"TOUCHSHIFT",
				"TOUCHSHOT",
				"TWOPENCE",
				"TYPEFRAME",
				"Tdrop",
				"Tdrop2",
				"ThreatNeedle",
				"Tiger RAT",
				"TigerRAT",
				"Trojan Manuscript",
				"Troy",
				"TroyRAT",
				"VEILEDSIGNAL",
				"VHD",
				"VHD Ransomware",
				"VIVACIOUSGIFT",
				"VSingle",
				"ValeforBeta",
				"Volgmer",
				"Vyveva",
				"W1_RAT",
				"Wana Decrypt0r",
				"WanaCry",
				"WanaCrypt",
				"WanaCrypt0r",
				"WannaCry",
				"WannaCrypt",
				"WannaCryptor",
				"WbBot",
				"Wcry",
				"Win32/KillDisk.NBB",
				"Win32/KillDisk.NBC",
				"Win32/KillDisk.NBD",
				"Win32/KillDisk.NBH",
				"Win32/KillDisk.NBI",
				"WinorDLL64",
				"Winsec",
				"WolfRAT",
				"Wormhole",
				"YamaBot",
				"Yort",
				"ZetaNile",
				"concealment_troy",
				"http_troy",
				"httpdr0pper",
				"httpdropper",
				"klovbot",
				"sRDI"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434236,
	"ts_updated_at": 1775792299,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/ad9e4f7adc2f7811d5076af75920df2e7cf44295.pdf",
		"text": "https://archive.orkl.eu/ad9e4f7adc2f7811d5076af75920df2e7cf44295.txt",
		"img": "https://archive.orkl.eu/ad9e4f7adc2f7811d5076af75920df2e7cf44295.jpg"
	}
}