{
	"id": "301da3ef-2127-4f53-8b92-bc6fbc221810",
	"created_at": "2026-04-06T00:18:25.674145Z",
	"updated_at": "2026-04-10T03:38:20.785459Z",
	"deleted_at": null,
	"sha1_hash": "efcbb14f8ef15621c8601482e2b24e394aa0cf33",
	"title": "Analysis of Andariel’s New Attack Activities - ASEC",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 3708786,
	"plain_text": "Analysis of Andariel’s New Attack Activities - ASEC\r\nBy ATCP\r\nPublished: 2023-08-21 · Archived: 2026-04-05 13:35:35 UTC\r\nContents\r\n1. Past attack cases\r\n…. 1.1. Cases of Innorix Agent abuse\r\n…….. 1.1.1. NukeSped variant – Volgmer\r\n…….. 1.1.2. Andardoor\r\n…….. 1.1.3. 1th Troy Reverse Shell\r\n…. 1.2. Cases of attacks against Korean corporations\r\n…….. 1.2.1. TigerRat\r\n…….. 1.2.2. Black RAT\r\n…….. 1.2.3. NukeSped variants\r\n2. Cases of recent attacks\r\n…. 2.1. Cases of Innorix Agent abuse\r\n…….. 2.1.1. Goat RAT\r\n…. 2.2. Cases of attacks against Korean corporations\r\n…….. 2.2.1. AndarLoader\r\n…….. 2.2.2. DurianBeacon\r\n3. Connections to recent attack cases\r\n4. Connections to past attack cases of the Andariel group\r\n5. Conclusion\r\nThe Andariel threat group which usually targets Korean corporations and organizations is known to be affiliated\r\nwith the Lazarus threat group or one of its subsidiaries. Attacks against Korean targets have been identified since\r\n2008. Major target industries are those related to national security such as national defense, political organizations,\r\nshipbuilding, energy, and communications. Various other companies and institutes in Korea including universities,\r\nlogistics, and ICT companies are also becoming attack targets. [1] (this report only supports the Korean version)\r\nDuring the initial compromise stage, the Andariel threat group usually employs spear phishing, watering hole, and\r\nsupply chain attacks. Additionally, there are cases where the group abuses central management solutions during\r\nthe malware installation process. [2] A notable fact about the group is its creation and use of various malware\r\ntypes in its attacks. 
There are many backdoor types, including Andarat, Andaratm, Phandoor, and Rifdoor used in\r\nthe past attacks, as well as TigerRAT [3] and MagicRAT [4] which have been detected for the past few years.\r\nAhnLab Security Emergency response Center (ASEC) is continuously monitoring the attacks of the Andariel\r\nthreat group. This blog post will cover details surrounding the recently identified attacks deemed to be perpetrated\r\nby the Andariel group. Note that because the malware strains and C\u0026C servers identified in past attack cases were\r\nnot used in the aforementioned attacks, there is no direct connection. Thus, in order to identify the connection\r\nhttps://asec.ahnlab.com/en/56405/\r\nPage 1 of 20\n\nbetween the recent attacks and the Andariel threat group, this post will first analyze the cases of attacks by the\r\nAndariel group in the first half of 2023. Then the analysis will be used to identify the possible link between the\r\nattacks and the threat group. Details confirmed in the past attack cases will be included if necessary.\r\nOne characteristic of the attacks identified in 2023 is that there are numerous malware strains developed in the Go\r\nlanguage. In an attack case where Innorix Agent was used, a Reverse Shell developed in Go was used. Black RAT\r\nwas used in attacks targeting Korean companies afterward. Such trends continued into the recent cases, where\r\nother malware strains developed in Go such as Goat RAT and DurianBeacon are being used in attacks. Besides the\r\nGo version, DurianBeacon has a version developed in the Rust language as well.\r\nFigure 1. Source code information of DurianBeacon developed in Go\r\nBecause the initial distribution case could not be identified directly, this post will conduct an analysis based on the\r\nmalware strains used in the attacks. Note that various malware types are being used in the attacks. When a name\r\ngiven by the malware creator can be confirmed, the said name will be used. 
If not, the names of similar malware\r\ntypes or AhnLab’s detection name will be used.\r\n1. Past attack cases\r\n1.1. Cases of Innorix Agent abuse\r\nIn February 2023, ASEC shared the case where the Andariel threat group distributed malware to users with a\r\nvulnerable version of Innorix Agent in the blog post “Distribution of Malware Exploiting Vulnerable Innorix:\r\nAndariel.” [5] The Innorix Agent program abused in distribution is a file transfer solution client program.\r\nAccording to the post regarding the vulnerability by the Korea Internet \u0026 Security Agency (KISA), the affected\r\nversions were found to be INNORIX Agent 9.2.18.450 or earlier, for which applying the security update was\r\nadvised. [6] (this content only supports the Korean version)\r\nFigure 2. Malware being distributed using Innorix Agent which had been vulnerable in the past\r\nAn investigation of the malware strains used in the attacks based on past attack cases revealed that multiple\r\nKorean universities were infected with malware strains. Most malware types used in the attacks were backdoors,\r\nand no previously identified type was present. However, because there is a connection with other malware strains\r\nused in the past or those used in subsequent attacks, a brief summary of their characteristics will be given.\r\n1.1.1. NukeSped variant – Volgmer\r\nAs covered in the ASEC Blog before, this malware strain uses the following 0x10 byte key in the process of\r\ncommunicating with the C\u0026C server to encrypt packets. The key value in question is the same as the one\r\nemployed in Volgmer used by the Hidden Cobra (Lazarus) threat group, as stated in a report by the United States\r\nCybersecurity \u0026 Infrastructure Security Agency (CISA). [7] (page currently unavailable)\r\nKey: 74 61 51 04 77 32 54 45 89 95 12 52 12 02 32 73\r\nVolgmer was also used in comparatively recent attacks. 
It runs by reading the configuration data saved in the\r\nregistry key “HKLM\\SYSTEM\\CurrentControlSet\\Control\\WMI\\Security” and uses the HTTP protocol to\r\ncommunicate with the C\u0026C server. Such characteristics are highly similar to the type mentioned in the CISA\r\nreport in the past, which means that the malware continues to be used in attacks with no significant variants being\r\nreleased. While the same key value was used in both the malware mentioned in this post and Volgmer, there is a\r\ndifference: the malware used in the current attack cases uses the key value to encrypt the packets used to\r\ncommunicate with the C\u0026C server. Meanwhile, Volgmer uses the value to decrypt the encrypted configuration\r\ndata saved in the registry.\r\nAccordingly, it is not entirely accurate to categorize the above malware strain as a type of Volgmer, so it was\r\ncategorized as a variant of NukeSped instead. The malware is a comparatively simple backdoor that only provides\r\nbasic features. Notably, the Batch script used in the self-deletion process is similar to the one used in NukeSped\r\ntypes in the past.\r\nFigure 3. Batch script used in the self-deletion process\r\n1.1.2. Andardoor\r\nDeveloped in .NET, this malware is a backdoor that uses the name TestProgram. Based on AhnLab’s detection\r\nname, it is classified as Andardoor. It is notable for being obfuscated using the Dotfuscator tool. It offers various\r\nfeatures for controlling the infected system, such as file and process tasks, executing commands, and capturing\r\nscreenshots. SSL encryption is used for communication with the C\u0026C server. For the server name, it designated\r\nthe “clientName” string.\r\nFigure 4. SSL communications routine with the C\u0026C server\r\n1.1.3. 1th Troy Reverse Shell\r\n1th Troy is a Reverse Shell malware developed in Go. 
The following string included in the binary shows that the\r\nmalware has the simple name of “Reverse_Base64_Pipe” and the malware’s creator classified the malware as “1th\r\nTroy”.\r\nG:/Code/01__1th Troy/Go/Reverse_Base64_Pipe/Client/client.go\r\nBeing a Reverse Shell that only provides basic commands, the commands supported include “cmd”, “exit”, and\r\n“self delete”. They support the command execution, process termination, and self-deletion features respectively.\r\nFigure 5. Reverse Shell with a simple structure\r\n1.2. Cases of attacks against Korean corporations\r\nThe Andariel group also distributed malware in March 2023 in its attacks against the Korean defense industry and\r\nan electronics device manufacturer. The method of initial compromise has not yet been identified, but logs of the\r\nmshta.exe process installing TigerRat and the mshta.exe process being terminated were confirmed through the\r\nAhnLab Smart Defense (ASD) infrastructure. This means that the malware strains were installed by a script-type malware delivered through spear phishing.\r\nFigure 6. Mshta process installing TigerRat\r\nMalware strains used in attacks were generally backdoor types. TigerRat, which the Andariel group has used in\r\nearlier attacks, was also included.\r\n1.2.1. TigerRat\r\nTiger Rat is a RAT-type malware with its name given by KISA [8] and has been consistently employed by the\r\nAndariel threat group since 2020. It is known to be generally distributed through malicious document files\r\ncontaining macros that are attached to spear phishing emails, or through watering hole attacks. [9] There are also\r\ncases where the Andariel group targeted Korean corporations that use vulnerable versions of VMware Horizon and\r\nlaunched Log4Shell vulnerability attacks to install TigerRat. 
[10]\r\nBesides offering basic features such as file tasks and executing commands, TigerRat is a backdoor that supports\r\nvarious other features such as collecting information, keylogging, capturing screenshots, and port forwarding. One\r\nof its characteristics is that there is an authentication process upon the first communication session with the C\u0026C\r\nserver. In past versions, the string shown below disguised as SSL communications was used in the authentication\r\nprocess. Depending on the malware version, either the string “HTTP 1.1 /member.php SSL3.4” or “HTTP 1.1\r\n/index.php?member=sbi2009 SSL3.3.7” must be sent to the C\u0026C server, and the string “HTTP 1.1 200 OK\r\nSSL2.1” should be sent in return for authentication to be successful.\r\nFigure 7. String used in the authentication process for the C\u0026C server – past version\r\nHowever, in the recently identified TigerRat type, the following seemingly random strings, 0x20 bytes in size, are used. These\r\nstrings are thought to be the MD5 hash for “fool” (dd7b696b96434d2bf07b34f9c125d51d) and “iwan”\r\n(01ccce480c60fcdb67b54f4509ffdb56). It seems that the threat actor used random strings in the authentication\r\nprocess to evade network detection.\r\nFigure 8. String used in authentication to the C\u0026C server – latest version\r\nC\u0026C request string: dd7b696b96434d2bf07b34f9c125d51d\r\nC\u0026C response string: 01ccce480c60fcdb67b54f4509ffdb56\r\n1.2.2. Black RAT\r\nBlack Rat is a backdoor-type malware that is likely created by the threat actor. Like other malware strains, it was\r\ndeveloped in Go. While the 1th Troy Reverse Shell identified in the previous case only supports a basic command\r\nexecution feature, Black Rat provides many additional features such as downloading files and capturing\r\nscreenshots.\r\nFigure 9. 
Features supported by Black RAT\r\nExamining the following string included in the binary shows that the malware creator classified the malware as a\r\nRAT type and named it Black.\r\nI:/01___Tools/02__RAT/Black/Client_Go/Client.go\r\n1.2.3. NukeSped variants\r\nA typical NukeSped-type backdoor was also used in this attack. Supported features include network scanning,\r\nprocess and file lookup, file upload/download, and command execution. The names of the APIs to be used are\r\nencrypted as shown below. These are decrypted before the API names are used. A key with a\r\nsize of 0x26 is used for decryption.\r\nFigure 10. Obfuscated API string\r\nKey value used for decryption: i\u003c6fu\u003e-0|HSLRCqd.xHqMB]4H#axZ%5!5!?SQ\u0026\r\nThis NukeSped variant also uses a Batch script for self-deletion, but it is slightly different from the one used in the\r\nprevious attacks.\r\nFigure 11. Batch script used in the self-deletion process\r\nThere are two types of identified NukeSped variants: Reverse Shell and Bind Shell types. Both listen to port\r\nnumber 10443. This NukeSped variant has an authentication process before communicating with the C\u0026C server\r\nlike TigerRat. Yet whereas TigerRat disguised the process as SSL communications, NukeSped disguised it as\r\nHTTP communications. Thus, after sending the following POST request, an exactly matching HTTP response\r\nmust be received for the malware to commence communications with the C\u0026C server.\r\nFigure 12. HTTP packet used in authentication\r\n2. Cases of Recent Attacks\r\nASEC is monitoring attacks of the Andariel group and has recently identified cases of Innorix Agent being abused\r\nto install malware. 
Unlike past cases where Innorix Agent was downloading malware strains, the recent case\r\ndirectly creates the malware file, so it is not certain whether the attacks are vulnerability attacks or if Innorix\r\nAgent was simply abused.\r\nMalware strains identified in these attacks are not those that had been used by the Andariel group in the past, but\r\nin addition to the fact that Innorix was used in the attacks, the current attack is similar to past attack cases in that the\r\nattack targets are Korean universities. While the attack was being perpetrated, attack cases against Korean ICT\r\ncompanies, electronic device manufacturers, the shipbuilding industry, and the manufacturing industry were\r\nidentified as well. Analysis showed that there was a connection with the malware strains used in attack cases\r\nwhere Innorix was abused.\r\nThis part will analyze each attack case and malware strains used in the attacks. Afterward, a summary will be\r\ngiven of the conclusion that the same threat actor is behind these attacks and the basis behind the claim, as well as\r\nthe relationship between the current attacks and past attack cases of the Andariel threat group.\r\n2.1. Cases of Innorix Agent abuse\r\n2.1.1. Goat RAT\r\nIn recent attacks against Korean universities, there were cases where Innorix Agent installed malware strains.\r\nInnorix Agent installed the malware strains under the name “iexplorer.exe”. This is one of the names often\r\nused by the Andariel group.\r\nFigure 13. Using Innorix Agent to install Goat RAT\r\nE:/Projects/Malware/6_Goat_23/Goat/Goat.go\r\nE:/Projects/Malware/6_Goat_23/Goat/define.go\r\nE:/Projects/Malware/6_Goat_23/Goat/anti-vaccine.go\r\nE:/Projects/Malware/6_Goat_23/Goat/command.go\r\nAlthough the recent version is obfuscated unlike the Go-based backdoor-type malware used in past attacks, basic\r\nfile tasks, self-deletion features, etc. can be identified. 
There are also logs where the following commands were\r\nexecuted.\r\n\u003e cmd /c tasklist\r\n\u003e cmd /c ipconfig /all\r\nFigure 14. Obfuscated function name\r\n2.2. Cases of attacks against Korean corporations\r\n2.2.1. AndarLoader\r\nAside from the attack cases where Innorix Agent was abused, ASEC identified another type of attack in a similar\r\nperiod of time. While the initial distribution route has not yet been ascertained, the malware strains used in the\r\nattacks were obfuscated with a tool called Dotfuscator like the .NET malware strains classified as Andardoor.\r\nAnother common trait is that both types use SSL communications with the C\u0026C server. Unlike Andardoor which\r\nused “clientName” when connecting to the C\u0026C server, this attack case used the string “sslClient”.\r\nFigure 15. SSL connection process with the C\u0026C server\r\nWhereas Andardoor had most of its features already implemented, this malware strain only has a downloader\r\nfeature to download and execute executable data such as .NET assemblies from external sources. Out of the\r\ncommands sent from the C\u0026C server, the commands shown below can be used to execute or terminate the\r\nreceived code. Behaviors performed by the threat actor using AndarLoader include installing Mimikatz in the\r\ninfected system, which has been confirmed through a recorded log.\r\nAt the time of analysis, the C\u0026C server was unavailable for access and the part in charge of the actual features\r\ncould not be investigated, so no direct similarity with Andardoor could be confirmed. 
However, the use of the\r\nsame obfuscation tool and the similarities in the communication process with the C\u0026C server led AhnLab to\r\ncategorize this malware as the AndarLoader type.\r\nCommand Feature\r\nalibaba Execute the downloaded .NET assemblies\r\nfacebook Execute the downloaded .NET method\r\nexit Terminate\r\nvanish Self-delete and terminate\r\nTable 1. List of commands that can be executed\r\nAmong the commands given by the threat actor that AndarLoader executes, there is a command to terminate the\r\nmshta.exe process. The fact that AndarLoader was installed via PowerShell and the mshta.exe process was\r\ninvolved leaves the possibility that this is a spear phishing attack like the cases of attacks covered above.\r\nFigure 16. Commands executed by AndarLoader\r\nAdditionally, logs of the mshta.exe process connecting to the C\u0026C server can be found in systems infected with\r\nAndarLoader.\r\nFigure 17. Network communications log\r\nThe domain kro.kr was used as the C\u0026C and download URLs. This is a domain generally used by the Kimsuky\r\nthreat group. Also, the fact that Ngrok was installed for RDP connection during the attack process shows how the\r\ncase is similar to the attack pattern of the Kimsuky group.\r\nFigure 18. Log showing the installed Ngrok being executed\r\n2.2.2. DurianBeacon\r\nWhile investigating the AndarLoader malware, AhnLab identified that a malware strain named DurianBeacon was\r\nalso used in the attack process. There are two versions of DurianBeacon, one developed in Go and the other\r\ndeveloped in Rust. Both are backdoors that can perform malicious behaviors by receiving the threat actor’s\r\ncommands from the C\u0026C server.\r\nA. 
Go Version\r\nExamining the following strings included in the binary indicates that the malware creator named this malware\r\nstrain DurianBeacon.\r\nG:/Dev/Go/DurianBeacon/Command.go\r\nG:/Dev/Go/DurianBeacon/SSL.go\r\nG:/Dev/Go/DurianBeacon/Utils.go\r\nG:/Dev/Go/DurianBeacon/main.go\r\nThe Go version of DurianBeacon uses the SSL protocol to communicate with the C\u0026C server. After initial access,\r\nit sends the infected system’s IP information, user name, desktop name, architecture, and file names before\r\nawaiting commands. When a command is sent, it returns a result. Supported features besides collecting basic\r\ninformation about the infected system include file download/upload, lookup, and command execution features.\r\nFigure 19. Features supported by DurianBeacon\r\nBecause the SSL protocol is used, communications packets are encrypted. The following packet structure is used\r\ninternally.\r\nOffset Size Description\r\n0x00 0x04 Command number\r\n0x04 0x04 Size of the command argument\r\n0x08 Variable Command argument\r\nTable 2. Command packet structure of DurianBeacon\r\nThe features corresponding to each command code are as follows.\r\nCommand Feature\r\n0x00 Hibernate\r\n0x01 Interval\r\n0x02 Execute commands (return results)\r\n0x03 Look up directories\r\n0x04 Drive information\r\n0x05, 0x06, 0x07, 0x08 Upload files\r\n0x09, 0x0A, 0x0B Download files\r\n0x0C Create directories\r\n0x0D Delete files\r\n0x0E Run commands\r\n0x0F Terminate\r\nTable 3. List of DurianBeacon commands\r\nAfter executing commands, the malware sends the success status or the command execution results to the threat\r\nactor’s C\u0026C server. 
The response packet has a structure similar to the command packet.\r\nOffset Size Description\r\n0x00 0x04 Response number\r\n0x04 0x04 Size of the command execution results\r\n0x08 Variable Command execution results\r\nTable 4. Structure of the DurianBeacon response packet\r\nResponse Description\r\n0x00 Return command results\r\n0x01, 0x02, 0x03 Look up directories (start, terminate, etc.)\r\n0x04 Drive information\r\n0x05, 0x06, 0x07 Upload files (error, success, etc.)\r\n0x08, 0x09, 0x0A Download files (error, success, etc.)\r\n0x0B, 0x0C Create directories (failure or success)\r\n0x0D, 0x0E Delete files (failure or success)\r\n0x0F, 0x10 Run commands (failure or success)\r\nTable 5. DurianBeacon’s response list\r\nB. Rust Version\r\nInvestigation of related files revealed that the Rust version of DurianBeacon was also used in attacks.\r\nPDB information: C:\\Users\\Anna\\Documents\\DurianBeacon\\target\\x86_64-pc-windows-msvc\\release\\deps\\DurianBeacon.pdb\r\nIn addition to SSL, the Rust version of DurianBeacon supports XOR packet encryption for communicating with the C\u0026C server, using\r\nthe single-byte key 0x57.\r\nFigure 20. Rust version of DurianBeacon supporting XOR encryption\r\nThe packet structure and commands are also the same as the Go version. The Rust version of DurianBeacon sends\r\nthe keyword “durian2023” alongside the infected system’s IP information, user name, desktop name, architecture,\r\nand file names before awaiting commands. When a command is sent, it returns the results.\r\nFigure 21. Communications packet of the Rust version – test\r\n3. Connections to recent attack cases\r\nThe above section covered the two recently identified cases where universities in Korea were attacked through\r\nabusing Innorix Agent and where malware strains were installed in Korean corporations through presumably spear\r\nphishing attacks. 
This part will explain why AhnLab considers the same threat actor to be behind both types of\r\nattacks.\r\nFirst, there are cases in AhnLab’s ASD logs where Durian, Goat RAT, and AndarLoader were collected together in\r\na similar period. The system in question is thought to be the threat actor’s test PC because the path name of\r\nAndarLoader was as follows.\r\nAndarLoader collection path: d:\\01__developing\\99__c#_obfuscated\\runtime broker.exe\r\nThere are also cases where the C\u0026C servers of backdoor-type malware strains were the same. When the threat\r\nactor used Innorix Agent to install malware, Goat RAT was mainly employed, but there is a significant portion\r\nwhere other malware strains were installed. While such malware samples could not be collected, there are\r\nrecorded communications logs with the C\u0026C server. Also, the URL in question was the same as the DurianBeacon\r\nC\u0026C server URL used in other attacks.\r\nFigure 22. C\u0026C communications log of the malware installed through Innorix Agent\r\nFinally, there was a log where DurianBeacon installed AndarLoader. This means that these attacks happened\r\naround a similar time period, and the attacks might be related to each other as the installation processes and the\r\nC\u0026C server URLs used tend to be similar.\r\nFigure 23. Log showing DurianBeacon creating AndarLoader\r\n4. Connections to past attack cases of the Andariel group\r\nThe two recently identified attack cases were likely carried out by the same threat actor. This section will cover the\r\nrelationship between these attacks and the Andariel threat group.\r\nA. Attack Targets\r\nAttacked universities, the national defense industry, electronic device manufacturers, ICT companies, etc.\r\nin Korea.\r\nB. 
Attack Methods\r\nAbused Innorix Agent like in past cases\r\nProbably employed spear phishing method like in past cases\r\nSimilarities between the path and file names used when installing the malware strains\r\nC. Malware Types Used\r\nMalware strains developed in Go were used\r\nSimilarities between Andardoor and AndarLoader\r\nMalware types similar to the Infostealer used in previous attacks were identified\r\nFirst, the industries and sectors that became attack targets were the same as the targets\r\nidentified in past attack cases, and the same attack methods used in previous attacks were employed in recent\r\ncases. AhnLab identified cases where Innorix Agent was used. While not confirmed, many logs showed\r\ncircumstances of spear phishing attacks.\r\nThe file name “iexplorer.exe” used to install malware has been identified from Andariel’s past attack cases to the\r\npresent. Besides “iexplorer.exe”, names including the “svc” keyword such as “authsvc.exe” and “creditsvc.exe”\r\nhave been continuously used. Also, aside from “mainsvc.exe” and “certsvc.exe”, there are cases where similar\r\nnames such as “netsvc.exe” and “srvcredit.exe” were used.\r\nAs covered in the corresponding section, AndarLoader was obfuscated with the trial version of Dotfuscator, the\r\ntool used in Andardoor in previous attacks. It also uses SSL encryption to communicate with the C\u0026C server,\r\nagain showing similarities with past attack cases. Two other malware strains developed in Go were used as well.\r\nThese align with the trend of malware strains developed in Go such as 1th Troy Reverse Shell and Black RAT\r\ncontinuously being used since the early part of this year.\r\nFinally, there is also the system thought to be the threat actor’s test PC and Infostealer strains presumably created\r\nby the threat actor during the attack process. 
In fact, the Andariel group in the past installed malware strains\r\nresponsible for stealing account credentials during the attack process, exfiltrating account credentials saved in\r\nInternet Explorer, Chrome, and Firefox web browsers. Such malware strains are command line tools that output\r\nthe extracted account credentials on the command line. It seems that the threat actor used a backdoor to send the\r\nresults to the C\u0026C server.\r\nFigure 24. Infostealer identified in past attack cases\r\nThe Infostealer used in the recent attacks has a similar format. One difference is that it only targets web\r\nbrowsers and steals account credentials and histories. Additionally, unlike the past cases where results were\r\noutput on the command line, the recent version saves the stolen information in the same path under the file name\r\n“error.log”.\r\nFigure 25. Infostealer identified in recent attack cases\r\n5. Conclusion\r\nThe Andariel group is one of the highly active threat groups targeting Korea along with Kimsuky and Lazarus.\r\nThe group launched attacks to gain information related to national security in the early days but now carries out\r\nattacks for financial gains. [11] The group is known to employ spear phishing attacks, watering hole attacks, and\r\nvulnerability exploits for their initial infiltration process. There have also been cases where it used other\r\nvulnerabilities in the attack process to distribute malware strains.\r\nUsers must be particularly cautious about attachments to emails with unknown sources or executable files\r\ndownloaded from websites. 
Users should also apply the latest patch for OS and programs such as internet\r\nbrowsers and update V3 to the latest version to prevent malware infection in advance.\r\nFile Detection\r\n– Backdoor/Win.Agent.R562183 (2023.03.14.00)\r\n– Backdoor/Win.Andardoor.C5381120 (2023.02.16.01)\r\n– Backdoor/Win.Andardoor.R558252 (2023.02.16.01)\r\n– Backdoor/Win.AndarGodoor.C5405584 (2023.04.05.03)\r\n– Backdoor/Win.DurianBeacon.C5472659 (2023.08.18.02)\r\n– Backdoor/Win.DurianBeacon.C5472662 (2023.08.18.02)\r\n– Backdoor/Win.DurianBeacon.C5472665 (2023.08.18.03)\r\n– Backdoor/Win.Goat.C5472627 (2023.08.18.02)\r\n– Backdoor/Win.Goat.C5472628 (2023.08.18.02)\r\n– Backdoor/Win.Goat.C5472629 (2023.08.18.02)\r\n– Backdoor/Win.NukeSped.C5404471 (2023.04.03.02)\r\n– Backdoor/Win.NukeSped.C5409470 (2023.04.12.00)\r\n– Backdoor/Win.NukeSped.C5409543 (2023.04.12.00)\r\n– Infostealer/Win.Agent.C5472631 (2023.08.18.02)\r\n– Trojan/Win.Agent.C5393280 (2023.03.11.00)\r\n– Trojan/Win.Agent.C5451550 (2023.07.11.00)\r\n– Trojan/Win.Andarinodoor.C5382101 (2023.02.16.01)\r\n– Trojan/Win.Andarinodoor.C5382103 (2023.02.16.01)\r\n– Trojan/Win32.RL_Mimikatz.R366782 (2021.02.18.01)\r\nBehavior Detection\r\n– Suspicious/MDP.Download.M1004\r\n– Infostealer/MDP.Behavior.M1965\r\nAdditional IOCs are available on AhnLab TIP.\r\nSource: https://asec.ahnlab.com/en/56405/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia",
		"ETDA"
	],
	"references": [
		"https://asec.ahnlab.com/en/56405/"
	],
	"report_names": [
		"56405"
	],
	"threat_actors": [
		{
			"id": "838f6ced-12a4-4893-991a-36d231d96efd",
			"created_at": "2022-10-25T15:50:23.347455Z",
			"updated_at": "2026-04-10T02:00:05.295717Z",
			"deleted_at": null,
			"main_name": "Andariel",
			"aliases": [
				"Andariel",
				"Silent Chollima",
				"PLUTONIUM",
				"Onyx Sleet"
			],
			"source_name": "MITRE:Andariel",
			"tools": [
				"Rifdoor",
				"gh0st RAT"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "34eea331-d052-4096-ae03-a22f1d090bd4",
			"created_at": "2025-08-07T02:03:25.073494Z",
			"updated_at": "2026-04-10T02:00:03.709243Z",
			"deleted_at": null,
			"main_name": "NICKEL ACADEMY",
			"aliases": [
				"ATK3 ",
				"Black Artemis ",
				"COVELLITE ",
				"CTG-2460 ",
				"Citrine Sleet ",
				"Diamond Sleet ",
				"Guardians of Peace",
				"HIDDEN COBRA ",
				"High Anonymous",
				"Labyrinth Chollima ",
				"Lazarus Group ",
				"NNPT Group",
				"New Romanic Cyber Army Team",
				"Temp.Hermit ",
				"UNC577 ",
				"Who Am I?",
				"Whois Team",
				"ZINC "
			],
			"source_name": "Secureworks:NICKEL ACADEMY",
			"tools": [
				"Destover",
				"KorHigh",
				"Volgmer"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "110e7160-a8cc-4a66-8550-f19f7d418117",
			"created_at": "2023-01-06T13:46:38.427592Z",
			"updated_at": "2026-04-10T02:00:02.969896Z",
			"deleted_at": null,
			"main_name": "Silent Chollima",
			"aliases": [
				"Onyx Sleet",
				"PLUTONIUM",
				"OperationTroy",
				"Guardian of Peace",
				"GOP",
				"WHOis Team",
				"Andariel",
				"Subgroup: Andariel"
			],
			"source_name": "MISPGALAXY:Silent Chollima",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "191d7f9a-8c3c-442a-9f13-debe259d4cc2",
			"created_at": "2022-10-25T15:50:23.280374Z",
			"updated_at": "2026-04-10T02:00:05.305572Z",
			"deleted_at": null,
			"main_name": "Kimsuky",
			"aliases": [
				"Kimsuky",
				"Black Banshee",
				"Velvet Chollima",
				"Emerald Sleet",
				"THALLIUM",
				"APT43",
				"TA427",
				"Springtail"
			],
			"source_name": "MITRE:Kimsuky",
			"tools": [
				"Troll Stealer",
				"schtasks",
				"Amadey",
				"GoBear",
				"Brave Prince",
				"CSPY Downloader",
				"gh0st RAT",
				"AppleSeed",
				"Gomir",
				"NOKKI",
				"QuasarRAT",
				"Gold Dragon",
				"PsExec",
				"KGH_SPY",
				"Mimikatz",
				"BabyShark",
				"TRANSLATEXT"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "bc6e3644-3249-44f3-a277-354b7966dd1b",
			"created_at": "2022-10-25T16:07:23.760559Z",
			"updated_at": "2026-04-10T02:00:04.741239Z",
			"deleted_at": null,
			"main_name": "Andariel",
			"aliases": [
				"APT 45",
				"Andariel",
				"G0138",
				"Jumpy Pisces",
				"Onyx Sleet",
				"Operation BLACKMINE",
				"Operation BLACKSHEEP/Phase 3.",
				"Operation Blacksmith",
				"Operation DESERTWOLF/Phase 3",
				"Operation GHOSTRAT",
				"Operation GoldenAxe",
				"Operation INITROY/Phase 1",
				"Operation INITROY/Phase 2",
				"Operation Mayday",
				"Operation VANXATM",
				"Operation XEDA",
				"Plutonium",
				"Silent Chollima",
				"Stonefly"
			],
			"source_name": "ETDA:Andariel",
			"tools": [],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "760f2827-1718-4eed-8234-4027c1346145",
			"created_at": "2023-01-06T13:46:38.670947Z",
			"updated_at": "2026-04-10T02:00:03.062424Z",
			"deleted_at": null,
			"main_name": "Kimsuky",
			"aliases": [
				"G0086",
				"Emerald Sleet",
				"THALLIUM",
				"Springtail",
				"Sparkling Pisces",
				"Thallium",
				"Operation Stolen Pencil",
				"APT43",
				"Velvet Chollima",
				"Black Banshee"
			],
			"source_name": "MISPGALAXY:Kimsuky",
			"tools": [
				"xrat",
				"QUASARRAT",
				"RDP Wrapper",
				"TightVNC",
				"BabyShark",
				"RevClient"
			],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "732597b1-40a8-474c-88cc-eb8a421c29f1",
			"created_at": "2025-08-07T02:03:25.087732Z",
			"updated_at": "2026-04-10T02:00:03.776007Z",
			"deleted_at": null,
			"main_name": "NICKEL GLADSTONE",
			"aliases": [
				"APT38 ",
				"ATK 117 ",
				"Alluring Pisces ",
				"Black Alicanto ",
				"Bluenoroff ",
				"CTG-6459 ",
				"Citrine Sleet ",
				"HIDDEN COBRA ",
				"Lazarus Group",
				"Sapphire Sleet ",
				"Selective Pisces ",
				"Stardust Chollima ",
				"T-APT-15 ",
				"TA444 ",
				"TAG-71 "
			],
			"source_name": "Secureworks:NICKEL GLADSTONE",
			"tools": [
				"AlphaNC",
				"Bankshot",
				"CCGC_Proxy",
				"Ratankba",
				"RustBucket",
				"SUGARLOADER",
				"SwiftLoader",
				"Wcry"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "c8bf82a7-6887-4d46-ad70-4498b67d4c1d",
			"created_at": "2025-08-07T02:03:25.101147Z",
			"updated_at": "2026-04-10T02:00:03.846812Z",
			"deleted_at": null,
			"main_name": "NICKEL KIMBALL",
			"aliases": [
				"APT43 ",
				"ARCHIPELAGO ",
				"Black Banshee ",
				"Crooked Pisces ",
				"Emerald Sleet ",
				"ITG16 ",
				"Kimsuky ",
				"Larva-24005 ",
				"Opal Sleet ",
				"Ruby Sleet ",
				"SharpTongue ",
				"Sparking Pisces ",
				"Springtail ",
				"TA406 ",
				"TA427 ",
				"THALLIUM ",
				"UAT-5394 ",
				"Velvet Chollima "
			],
			"source_name": "Secureworks:NICKEL KIMBALL",
			"tools": [
				"BabyShark",
				"FastFire",
				"FastSpy",
				"FireViewer",
				"Konni"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "3fff98c9-ad02-401d-9d4b-f78b5b634f31",
			"created_at": "2023-01-06T13:46:38.376868Z",
			"updated_at": "2026-04-10T02:00:02.949077Z",
			"deleted_at": null,
			"main_name": "Cleaver",
			"aliases": [
				"G0003",
				"Operation Cleaver",
				"Op Cleaver",
				"Tarh Andishan",
				"Alibaba",
				"TG-2889",
				"Cobalt Gypsy"
			],
			"source_name": "MISPGALAXY:Cleaver",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "a2b92056-9378-4749-926b-7e10c4500dac",
			"created_at": "2023-01-06T13:46:38.430595Z",
			"updated_at": "2026-04-10T02:00:02.971571Z",
			"deleted_at": null,
			"main_name": "Lazarus Group",
			"aliases": [
				"Operation DarkSeoul",
				"Bureau 121",
				"Group 77",
				"APT38",
				"NICKEL GLADSTONE",
				"G0082",
				"COPERNICIUM",
				"Moonstone Sleet",
				"Operation GhostSecret",
				"APT 38",
				"Appleworm",
				"Unit 121",
				"ATK3",
				"G0032",
				"ATK117",
				"NewRomanic Cyber Army Team",
				"Nickel Academy",
				"Sapphire Sleet",
				"Lazarus group",
				"Hastati Group",
				"Subgroup: Bluenoroff",
				"Operation Troy",
				"Black Artemis",
				"Dark Seoul",
				"Andariel",
				"Labyrinth Chollima",
				"Operation AppleJeus",
				"COVELLITE",
				"Citrine Sleet",
				"DEV-0139",
				"DEV-1222",
				"Hidden Cobra",
				"Bluenoroff",
				"Stardust Chollima",
				"Whois Hacking Team",
				"Diamond Sleet",
				"TA404",
				"BeagleBoyz",
				"APT-C-26"
			],
			"source_name": "MISPGALAXY:Lazarus Group",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "771d9263-076e-4b6e-bd58-92b6555eb739",
			"created_at": "2025-08-07T02:03:25.092436Z",
			"updated_at": "2026-04-10T02:00:03.758541Z",
			"deleted_at": null,
			"main_name": "NICKEL HYATT",
			"aliases": [
				"APT45 ",
				"Andariel",
				"Dark Seoul",
				"Jumpy Pisces ",
				"Onyx Sleet ",
				"RIFLE Campaign",
				"Silent Chollima ",
				"Stonefly ",
				"UN614 "
			],
			"source_name": "Secureworks:NICKEL HYATT",
			"tools": [
				"ActiveX 0-day",
				"DTrack",
				"HazyLoad",
				"HotCriossant",
				"Rifle",
				"UnitBot",
				"Valefor"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "32a223a8-3c79-4146-87c5-8557d38662ae",
			"created_at": "2022-10-25T15:50:23.703698Z",
			"updated_at": "2026-04-10T02:00:05.261989Z",
			"deleted_at": null,
			"main_name": "Lazarus Group",
			"aliases": [
				"Lazarus Group",
				"Labyrinth Chollima",
				"HIDDEN COBRA",
				"Guardians of Peace",
				"NICKEL ACADEMY",
				"Diamond Sleet"
			],
			"source_name": "MITRE:Lazarus Group",
			"tools": [
				"RawDisk",
				"Proxysvc",
				"BADCALL",
				"FALLCHILL",
				"WannaCry",
				"MagicRAT",
				"HOPLIGHT",
				"TYPEFRAME",
				"Dtrack",
				"HotCroissant",
				"HARDRAIN",
				"Dacls",
				"KEYMARBLE",
				"TAINTEDSCRIBE",
				"AuditCred",
				"netsh",
				"ECCENTRICBANDWAGON",
				"AppleJeus",
				"BLINDINGCAN",
				"ThreatNeedle",
				"Volgmer",
				"Cryptoistic",
				"RATANKBA",
				"Bankshot"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "71a1e16c-3ba6-4193-be62-be53527817bc",
			"created_at": "2022-10-25T16:07:23.753455Z",
			"updated_at": "2026-04-10T02:00:04.73769Z",
			"deleted_at": null,
			"main_name": "Kimsuky",
			"aliases": [
				"APT 43",
				"Black Banshee",
				"Emerald Sleet",
				"G0086",
				"G0094",
				"ITG16",
				"KTA082",
				"Kimsuky",
				"Larva-24005",
				"Larva-25004",
				"Operation Baby Coin",
				"Operation Covert Stalker",
				"Operation DEEP#DRIVE",
				"Operation DEEP#GOSU",
				"Operation Kabar Cobra",
				"Operation Mystery Baby",
				"Operation Red Salt",
				"Operation Smoke Screen",
				"Operation Stealth Power",
				"Operation Stolen Pencil",
				"SharpTongue",
				"Sparkling Pisces",
				"Springtail",
				"TA406",
				"TA427",
				"Thallium",
				"UAT-5394",
				"Velvet Chollima"
			],
			"source_name": "ETDA:Kimsuky",
			"tools": [
				"AngryRebel",
				"AppleSeed",
				"BITTERSWEET",
				"BabyShark",
				"BoBoStealer",
				"CSPY Downloader",
				"Farfli",
				"FlowerPower",
				"Gh0st RAT",
				"Ghost RAT",
				"Gold Dragon",
				"GoldDragon",
				"GoldStamp",
				"JamBog",
				"KGH Spyware Suite",
				"KGH_SPY",
				"KPortScan",
				"KimJongRAT",
				"Kimsuky",
				"LATEOP",
				"LOLBAS",
				"LOLBins",
				"Living off the Land",
				"Lovexxx",
				"MailPassView",
				"Mechanical",
				"Mimikatz",
				"MoonPeak",
				"Moudour",
				"MyDogs",
				"Mydoor",
				"Network Password Recovery",
				"PCRat",
				"ProcDump",
				"PsExec",
				"ReconShark",
				"Remote Desktop PassView",
				"SHARPEXT",
				"SWEETDROP",
				"SmallTiger",
				"SniffPass",
				"TODDLERSHARK",
				"TRANSLATEXT",
				"Troll Stealer",
				"TrollAgent",
				"VENOMBITE",
				"WebBrowserPassView",
				"xRAT"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "f32df445-9fb4-4234-99e0-3561f6498e4e",
			"created_at": "2022-10-25T16:07:23.756373Z",
			"updated_at": "2026-04-10T02:00:04.739611Z",
			"deleted_at": null,
			"main_name": "Lazarus Group",
			"aliases": [
				"APT-C-26",
				"ATK 3",
				"Appleworm",
				"Citrine Sleet",
				"DEV-0139",
				"Diamond Sleet",
				"G0032",
				"Gleaming Pisces",
				"Gods Apostles",
				"Gods Disciples",
				"Group 77",
				"Guardians of Peace",
				"Hastati Group",
				"Hidden Cobra",
				"ITG03",
				"Jade Sleet",
				"Labyrinth Chollima",
				"Lazarus Group",
				"NewRomanic Cyber Army Team",
				"Operation 99",
				"Operation AppleJeus",
				"Operation AppleJeus sequel",
				"Operation Blockbuster: Breach of Sony Pictures Entertainment",
				"Operation CryptoCore",
				"Operation Dream Job",
				"Operation Dream Magic",
				"Operation Flame",
				"Operation GhostSecret",
				"Operation In(ter)caption",
				"Operation LolZarus",
				"Operation Marstech Mayhem",
				"Operation No Pineapple!",
				"Operation North Star",
				"Operation Phantom Circuit",
				"Operation Sharpshooter",
				"Operation SyncHole",
				"Operation Ten Days of Rain / DarkSeoul",
				"Operation Troy",
				"SectorA01",
				"Slow Pisces",
				"TA404",
				"TraderTraitor",
				"UNC2970",
				"UNC4034",
				"UNC4736",
				"UNC4899",
				"UNC577",
				"Whois Hacking Team"
			],
			"source_name": "ETDA:Lazarus Group",
			"tools": [
				"3CX Backdoor",
				"3Rat Client",
				"3proxy",
				"AIRDRY",
				"ARTFULPIE",
				"ATMDtrack",
				"AlphaNC",
				"Alreay",
				"Andaratm",
				"AngryRebel",
				"AppleJeus",
				"Aryan",
				"AuditCred",
				"BADCALL",
				"BISTROMATH",
				"BLINDINGCAN",
				"BTC Changer",
				"BUFFETLINE",
				"BanSwift",
				"Bankshot",
				"Bitrep",
				"Bitsran",
				"BlindToad",
				"Bookcode",
				"BootWreck",
				"BottomLoader",
				"Brambul",
				"BravoNC",
				"Breut",
				"COLDCAT",
				"COPPERHEDGE",
				"CROWDEDFLOUNDER",
				"Castov",
				"CheeseTray",
				"CleanToad",
				"ClientTraficForwarder",
				"CollectionRAT",
				"Concealment Troy",
				"Contopee",
				"CookieTime",
				"Cyruslish",
				"DAVESHELL",
				"DBLL Dropper",
				"DLRAT",
				"DRATzarus",
				"DRATzarus RAT",
				"Dacls",
				"Dacls RAT",
				"DarkComet",
				"DarkKomet",
				"DeltaCharlie",
				"DeltaNC",
				"Dembr",
				"Destover",
				"DoublePulsar",
				"Dozer",
				"Dtrack",
				"Duuzer",
				"DyePack",
				"ECCENTRICBANDWAGON",
				"ELECTRICFISH",
				"Escad",
				"EternalBlue",
				"FALLCHILL",
				"FYNLOS",
				"FallChill RAT",
				"Farfli",
				"Fimlis",
				"FoggyBrass",
				"FudModule",
				"Fynloski",
				"Gh0st RAT",
				"Ghost RAT",
				"Gopuram",
				"HARDRAIN",
				"HIDDEN COBRA RAT/Worm",
				"HLOADER",
				"HOOKSHOT",
				"HOPLIGHT",
				"HOTCROISSANT",
				"HOTWAX",
				"HTTP Troy",
				"Hawup",
				"Hawup RAT",
				"Hermes",
				"HotCroissant",
				"HotelAlfa",
				"Hotwax",
				"HtDnDownLoader",
				"Http Dr0pper",
				"ICONICSTEALER",
				"Joanap",
				"Jokra",
				"KANDYKORN",
				"KEYMARBLE",
				"Kaos",
				"KillDisk",
				"KillMBR",
				"Koredos",
				"Krademok",
				"LIGHTSHIFT",
				"LIGHTSHOW",
				"LOLBAS",
				"LOLBins",
				"Lazarus",
				"LightlessCan",
				"Living off the Land",
				"MATA",
				"MBRkiller",
				"MagicRAT",
				"Manuscrypt",
				"Mimail",
				"Mimikatz",
				"Moudour",
				"Mydoom",
				"Mydoor",
				"Mytob",
				"NACHOCHEESE",
				"NachoCheese",
				"NestEgg",
				"NickelLoader",
				"NineRAT",
				"Novarg",
				"NukeSped",
				"OpBlockBuster",
				"PCRat",
				"PEBBLEDASH",
				"PLANKWALK",
				"POOLRAT",
				"PSLogger",
				"PhanDoor",
				"Plink",
				"PondRAT",
				"PowerBrace",
				"PowerRatankba",
				"PowerShell RAT",
				"PowerSpritz",
				"PowerTask",
				"Preft",
				"ProcDump",
				"Proxysvc",
				"PuTTY Link",
				"QUICKRIDE",
				"QUICKRIDE.POWER",
				"Quickcafe",
				"QuiteRAT",
				"R-C1",
				"ROptimizer",
				"Ratabanka",
				"RatabankaPOS",
				"Ratankba",
				"RatankbaPOS",
				"RawDisk",
				"RedShawl",
				"Rifdoor",
				"Rising Sun",
				"Romeo-CoreOne",
				"RomeoAlfa",
				"RomeoBravo",
				"RomeoCharlie",
				"RomeoCore",
				"RomeoDelta",
				"RomeoEcho",
				"RomeoFoxtrot",
				"RomeoGolf",
				"RomeoHotel",
				"RomeoMike",
				"RomeoNovember",
				"RomeoWhiskey",
				"Romeos",
				"RustBucket",
				"SHADYCAT",
				"SHARPKNOT",
				"SIGFLIP",
				"SIMPLESEA",
				"SLICKSHOES",
				"SORRYBRUTE",
				"SUDDENICON",
				"SUGARLOADER",
				"SheepRAT",
				"SierraAlfa",
				"SierraBravo",
				"SierraCharlie",
				"SierraJuliett-MikeOne",
				"SierraJuliett-MikeTwo",
				"SimpleTea",
				"SimplexTea",
				"SmallTiger",
				"Stunnel",
				"TAINTEDSCRIBE",
				"TAXHAUL",
				"TFlower",
				"TOUCHKEY",
				"TOUCHMOVE",
				"TOUCHSHIFT",
				"TOUCHSHOT",
				"TWOPENCE",
				"TYPEFRAME",
				"Tdrop",
				"Tdrop2",
				"ThreatNeedle",
				"Tiger RAT",
				"TigerRAT",
				"Trojan Manuscript",
				"Troy",
				"TroyRAT",
				"VEILEDSIGNAL",
				"VHD",
				"VHD Ransomware",
				"VIVACIOUSGIFT",
				"VSingle",
				"ValeforBeta",
				"Volgmer",
				"Vyveva",
				"W1_RAT",
				"Wana Decrypt0r",
				"WanaCry",
				"WanaCrypt",
				"WanaCrypt0r",
				"WannaCry",
				"WannaCrypt",
				"WannaCryptor",
				"WbBot",
				"Wcry",
				"Win32/KillDisk.NBB",
				"Win32/KillDisk.NBC",
				"Win32/KillDisk.NBD",
				"Win32/KillDisk.NBH",
				"Win32/KillDisk.NBI",
				"WinorDLL64",
				"Winsec",
				"WolfRAT",
				"Wormhole",
				"YamaBot",
				"Yort",
				"ZetaNile",
				"concealment_troy",
				"http_troy",
				"httpdr0pper",
				"httpdropper",
				"klovbot",
				"sRDI"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434705,
	"ts_updated_at": 1775792300,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/efcbb14f8ef15621c8601482e2b24e394aa0cf33.pdf",
		"text": "https://archive.orkl.eu/efcbb14f8ef15621c8601482e2b24e394aa0cf33.txt",
		"img": "https://archive.orkl.eu/efcbb14f8ef15621c8601482e2b24e394aa0cf33.jpg"
	}
}