{
	"id": "faa92fc4-8522-42cf-a6cf-aabceba5fed5",
	"created_at": "2026-04-06T00:16:19.837956Z",
	"updated_at": "2026-04-10T03:38:20.265595Z",
	"deleted_at": null,
	"sha1_hash": "f3324c79f4fdd01c3a4db6be1844c3a13f3cac7a",
	"title": "Stonefly: North Korea-linked Spying Operation Continues to Hit High-value Targets",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 47270,
	"plain_text": "Stonefly: North Korea-linked Spying Operation Continues to Hit\r\nHigh-value Targets\r\nBy About the Author\r\nArchived: 2026-04-05 12:55:17 UTC\r\nThe North Korean-linked Stonefly group is continuing to mount espionage attacks against highly specialized\r\nengineering companies with a likely goal of obtaining sensitive intellectual property.\r\nStonefly specializes in mounting highly selective targeted attacks against targets that could yield intelligence to\r\nassist strategically important sectors such as energy, aerospace, and military equipment. Virtually all of the\r\ntechnologies it appears to be interested in have military as well as civilian uses and some could have applications\r\nin the development of advanced weaponry.\r\nHistory of ambitious attacks\r\nStonefly (aka DarkSeoul, BlackMine, Operation Troy, and Silent Chollima) first came to notice in July 2009,\r\nwhen it mounted distributed denial-of-service (DDoS) attacks against a number of South Korean, U.S.\r\ngovernment, and financial websites.\r\nIt reappeared again in 2011, when it launched more DDoS attacks, but also revealed an espionage element to its\r\nattacks when it was found to be using a sophisticated backdoor Trojan (Backdoor.Prioxer) against selected targets.\r\nIn March 2013, the group was linked to the Jokra (Tojan.Jokra) disk-wiping attacks against a number of South\r\nKorean banks and broadcasters. Three months later, the group was involved in a string of DDoS attacks against\r\nSouth Korean government websites.\r\nIn recent years, the group’s capabilities have grown markedly and, since at least 2019 Symantec has seen its focus\r\nshift solely to espionage operations against select, high-value targets. It now appears to specialize in targeting\r\norganizations that hold classified or highly sensitive information or intellectual property. 
Stonefly’s operations appear to be part of a broader North Korean-sponsored campaign to acquire information and intellectual property, with Operation Dream Job, a wider-ranging trawl across multiple sectors, being carried out by another North Korean group, Pompilus.\r\nLatest target\r\nThe most recent attack discovered by Symantec, a division of Broadcom Software, was against an engineering firm that works in the energy and military sectors. The attackers breached the organization in February 2022, most likely by exploiting the Log4j vulnerability (CVE-2021-44228) on a public-facing VMware View server. The attackers then moved across the network and compromised 18 other computers.\r\nhttps://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/stonefly-north-korea-espionage\r\nPage 1 of 3\n\n17 hours later: Shortly after compromising the initial server, the attackers installed an updated version of Stonefly’s Backdoor.Preft malware (aka Dtrack, Valefor). The attackers then used a masqueraded copy of PuTTY’s PSCP command-line application (file name: pvhost.exe), presumably to exfiltrate data from the infected machine. Shortly after PSCP was executed, the credential-dumping tool Mimikatz (masquerading under the file name pl.exe) was run.\r\nDay 2: Malicious activity resumed when 3proxy, a publicly available tiny proxy server (file name: svhost.exe), was executed. Use of this tool continued for the next four days. A second suspected proxy tool was installed two days into this four-day period (file name: tapi.exe). Several hours afterwards, a copy of the Preft backdoor (file name: svchost.exe) was installed. 
Two days later, WinSCP, an open-source SSH file-transfer tool, was used, presumably to exfiltrate data from, or upload data to, the compromised computer.\r\nDay 3: The next phase of the intrusion began on the following day, when Preft was executed and the attackers began moving laterally across the organization’s network, using Invoke-TheHash, a publicly available PowerShell pass-the-hash utility (file name: rev.ps1), and wmiexec.py, a publicly available Impacket tool used to run WMI commands (file name: notepad.exe).\r\nUpdated Preft backdoor\r\nThe attackers used an updated version of Stonefly’s custom Preft backdoor. Analysis of the backdoor revealed that it is a multistage tool:\r\nStage 1 is the main binary. A Python script is used to unpack the binary and shellcode.\r\nStage 2 is shellcode. It performs the following actions:\r\nSleeps for 19,999 seconds, probably in an attempt to evade sandbox detection\r\nOpens a mutex, with the name specified in the Stage 3 shellcode\r\nInstead of loading an executable file, it starts Internet Explorer (iexplore.exe) or explorer.exe and injects the Stage 3 shellcode into either. It sets up a named pipe (\"\\\\.\\pipe\\pipe\") for communication. The file name of the main binary is sent over the pipe.\r\nStage 3 is more shellcode.\r\nStage 4 is the payload. It is an HTTP remote access tool (RAT) that supports various commands, including:\r\n1. Download (Download a file and save locally)\r\n2. Upload (Upload a file to a C\u0026C server)\r\n3. Set Interval (Change C\u0026C server query interval - in minutes)\r\n4. Shell Execute (Execute a command in the shell)\r\n5. Download Plugin\r\n6. Update (Download a new version and replace)\r\n7. Info (Return debug information about the current infection)\r\n8. Uninstall\r\n9. 
Download Executable\r\nThe malware can support four different kinds of plugins: executable files, VBS, BAT, and shellcode. It supports four persistence modes: Startup_LNK, Service, Registry, and Task Scheduler.\r\nCustom information stealer\r\nAlong with the Preft backdoor, Stonefly also deployed what appears to be a custom-developed information stealer (infostealer). Analysis of this malware revealed that it is a three-stage threat. The main binary extracts and decrypts the encrypted shellcode with a modified RC4 algorithm.\r\nStage 2 is shellcode which retrieves the payload and decrypts it with the same modified RC4 algorithm. The decrypted payload is an executable file that is loaded in memory. It is designed to search the infected computer for files using pre-configured parameters. Matching files are copied to temporary files, which are then added to a single ZIP file, after which the temporary files are removed. The ZIP file path is %TEMP%\\~[XXXXXXXX].tmp, where XXXXXXXX is a simple hash of the computer name (eight uppercase hex digits).\r\nCuriously, this ZIP file is not automatically exfiltrated. 
It is possible that the exfiltration functionality was removed and the attackers planned to use an alternative means of exfiltration.\r\nWhile Stonefly’s tools and tactics continue to evolve, there are some common threads between this recent activity and previous attacks, such as its ongoing development of the Preft backdoor and its heavy reliance on open-source and publicly available tools.\r\nThe group’s capabilities and its narrow focus on acquiring sensitive information make it one of the most potent North Korean cyber threat actors operating today.\r\nProtection/Mitigation\r\nFor the latest protection updates, please visit the Symantec Protection Bulletin.\r\nIndicators of Compromise\r\nIf an IOC is malicious and the file is available to us, Symantec Endpoint products will detect and block that file.\r\nSource: https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/stonefly-north-korea-espionage",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia",
		"ETDA"
	],
	"references": [
		"https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/stonefly-north-korea-espionage"
	],
	"report_names": [
		"stonefly-north-korea-espionage"
	],
	"threat_actors": [
		{
			"id": "838f6ced-12a4-4893-991a-36d231d96efd",
			"created_at": "2022-10-25T15:50:23.347455Z",
			"updated_at": "2026-04-10T02:00:05.295717Z",
			"deleted_at": null,
			"main_name": "Andariel",
			"aliases": [
				"Andariel",
				"Silent Chollima",
				"PLUTONIUM",
				"Onyx Sleet"
			],
			"source_name": "MITRE:Andariel",
			"tools": [
				"Rifdoor",
				"gh0st RAT"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "110e7160-a8cc-4a66-8550-f19f7d418117",
			"created_at": "2023-01-06T13:46:38.427592Z",
			"updated_at": "2026-04-10T02:00:02.969896Z",
			"deleted_at": null,
			"main_name": "Silent Chollima",
			"aliases": [
				"Onyx Sleet",
				"PLUTONIUM",
				"OperationTroy",
				"Guardian of Peace",
				"GOP",
				"WHOis Team",
				"Andariel",
				"Subgroup: Andariel"
			],
			"source_name": "MISPGALAXY:Silent Chollima",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "68cc6e37-f16d-4995-a75b-5e8e2a6cbb3d",
			"created_at": "2024-05-01T02:03:07.943593Z",
			"updated_at": "2026-04-10T02:00:03.795229Z",
			"deleted_at": null,
			"main_name": "BRONZE EDISON",
			"aliases": [
				"APT4 ",
				"DarkSeoul",
				"Maverick Panda ",
				"Salmon Typhoon ",
				"Sodium ",
				"Sykipot ",
				"TG-0623 ",
				"getkys"
			],
			"source_name": "Secureworks:BRONZE EDISON",
			"tools": [
				"Gh0st RAT",
				"Wkysol",
				"ZxPortMap"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "bc6e3644-3249-44f3-a277-354b7966dd1b",
			"created_at": "2022-10-25T16:07:23.760559Z",
			"updated_at": "2026-04-10T02:00:04.741239Z",
			"deleted_at": null,
			"main_name": "Andariel",
			"aliases": [
				"APT 45",
				"Andariel",
				"G0138",
				"Jumpy Pisces",
				"Onyx Sleet",
				"Operation BLACKMINE",
				"Operation BLACKSHEEP/Phase 3.",
				"Operation Blacksmith",
				"Operation DESERTWOLF/Phase 3",
				"Operation GHOSTRAT",
				"Operation GoldenAxe",
				"Operation INITROY/Phase 1",
				"Operation INITROY/Phase 2",
				"Operation Mayday",
				"Operation VANXATM",
				"Operation XEDA",
				"Plutonium",
				"Silent Chollima",
				"Stonefly"
			],
			"source_name": "ETDA:Andariel",
			"tools": [],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "a2b92056-9378-4749-926b-7e10c4500dac",
			"created_at": "2023-01-06T13:46:38.430595Z",
			"updated_at": "2026-04-10T02:00:02.971571Z",
			"deleted_at": null,
			"main_name": "Lazarus Group",
			"aliases": [
				"Operation DarkSeoul",
				"Bureau 121",
				"Group 77",
				"APT38",
				"NICKEL GLADSTONE",
				"G0082",
				"COPERNICIUM",
				"Moonstone Sleet",
				"Operation GhostSecret",
				"APT 38",
				"Appleworm",
				"Unit 121",
				"ATK3",
				"G0032",
				"ATK117",
				"NewRomanic Cyber Army Team",
				"Nickel Academy",
				"Sapphire Sleet",
				"Lazarus group",
				"Hastati Group",
				"Subgroup: Bluenoroff",
				"Operation Troy",
				"Black Artemis",
				"Dark Seoul",
				"Andariel",
				"Labyrinth Chollima",
				"Operation AppleJeus",
				"COVELLITE",
				"Citrine Sleet",
				"DEV-0139",
				"DEV-1222",
				"Hidden Cobra",
				"Bluenoroff",
				"Stardust Chollima",
				"Whois Hacking Team",
				"Diamond Sleet",
				"TA404",
				"BeagleBoyz",
				"APT-C-26"
			],
			"source_name": "MISPGALAXY:Lazarus Group",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "771d9263-076e-4b6e-bd58-92b6555eb739",
			"created_at": "2025-08-07T02:03:25.092436Z",
			"updated_at": "2026-04-10T02:00:03.758541Z",
			"deleted_at": null,
			"main_name": "NICKEL HYATT",
			"aliases": [
				"APT45 ",
				"Andariel",
				"Dark Seoul",
				"Jumpy Pisces ",
				"Onyx Sleet ",
				"RIFLE Campaign",
				"Silent Chollima ",
				"Stonefly ",
				"UN614 "
			],
			"source_name": "Secureworks:NICKEL HYATT",
			"tools": [
				"ActiveX 0-day",
				"DTrack",
				"HazyLoad",
				"HotCriossant",
				"Rifle",
				"UnitBot",
				"Valefor"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "f32df445-9fb4-4234-99e0-3561f6498e4e",
			"created_at": "2022-10-25T16:07:23.756373Z",
			"updated_at": "2026-04-10T02:00:04.739611Z",
			"deleted_at": null,
			"main_name": "Lazarus Group",
			"aliases": [
				"APT-C-26",
				"ATK 3",
				"Appleworm",
				"Citrine Sleet",
				"DEV-0139",
				"Diamond Sleet",
				"G0032",
				"Gleaming Pisces",
				"Gods Apostles",
				"Gods Disciples",
				"Group 77",
				"Guardians of Peace",
				"Hastati Group",
				"Hidden Cobra",
				"ITG03",
				"Jade Sleet",
				"Labyrinth Chollima",
				"Lazarus Group",
				"NewRomanic Cyber Army Team",
				"Operation 99",
				"Operation AppleJeus",
				"Operation AppleJeus sequel",
				"Operation Blockbuster: Breach of Sony Pictures Entertainment",
				"Operation CryptoCore",
				"Operation Dream Job",
				"Operation Dream Magic",
				"Operation Flame",
				"Operation GhostSecret",
				"Operation In(ter)caption",
				"Operation LolZarus",
				"Operation Marstech Mayhem",
				"Operation No Pineapple!",
				"Operation North Star",
				"Operation Phantom Circuit",
				"Operation Sharpshooter",
				"Operation SyncHole",
				"Operation Ten Days of Rain / DarkSeoul",
				"Operation Troy",
				"SectorA01",
				"Slow Pisces",
				"TA404",
				"TraderTraitor",
				"UNC2970",
				"UNC4034",
				"UNC4736",
				"UNC4899",
				"UNC577",
				"Whois Hacking Team"
			],
			"source_name": "ETDA:Lazarus Group",
			"tools": [
				"3CX Backdoor",
				"3Rat Client",
				"3proxy",
				"AIRDRY",
				"ARTFULPIE",
				"ATMDtrack",
				"AlphaNC",
				"Alreay",
				"Andaratm",
				"AngryRebel",
				"AppleJeus",
				"Aryan",
				"AuditCred",
				"BADCALL",
				"BISTROMATH",
				"BLINDINGCAN",
				"BTC Changer",
				"BUFFETLINE",
				"BanSwift",
				"Bankshot",
				"Bitrep",
				"Bitsran",
				"BlindToad",
				"Bookcode",
				"BootWreck",
				"BottomLoader",
				"Brambul",
				"BravoNC",
				"Breut",
				"COLDCAT",
				"COPPERHEDGE",
				"CROWDEDFLOUNDER",
				"Castov",
				"CheeseTray",
				"CleanToad",
				"ClientTraficForwarder",
				"CollectionRAT",
				"Concealment Troy",
				"Contopee",
				"CookieTime",
				"Cyruslish",
				"DAVESHELL",
				"DBLL Dropper",
				"DLRAT",
				"DRATzarus",
				"DRATzarus RAT",
				"Dacls",
				"Dacls RAT",
				"DarkComet",
				"DarkKomet",
				"DeltaCharlie",
				"DeltaNC",
				"Dembr",
				"Destover",
				"DoublePulsar",
				"Dozer",
				"Dtrack",
				"Duuzer",
				"DyePack",
				"ECCENTRICBANDWAGON",
				"ELECTRICFISH",
				"Escad",
				"EternalBlue",
				"FALLCHILL",
				"FYNLOS",
				"FallChill RAT",
				"Farfli",
				"Fimlis",
				"FoggyBrass",
				"FudModule",
				"Fynloski",
				"Gh0st RAT",
				"Ghost RAT",
				"Gopuram",
				"HARDRAIN",
				"HIDDEN COBRA RAT/Worm",
				"HLOADER",
				"HOOKSHOT",
				"HOPLIGHT",
				"HOTCROISSANT",
				"HOTWAX",
				"HTTP Troy",
				"Hawup",
				"Hawup RAT",
				"Hermes",
				"HotCroissant",
				"HotelAlfa",
				"Hotwax",
				"HtDnDownLoader",
				"Http Dr0pper",
				"ICONICSTEALER",
				"Joanap",
				"Jokra",
				"KANDYKORN",
				"KEYMARBLE",
				"Kaos",
				"KillDisk",
				"KillMBR",
				"Koredos",
				"Krademok",
				"LIGHTSHIFT",
				"LIGHTSHOW",
				"LOLBAS",
				"LOLBins",
				"Lazarus",
				"LightlessCan",
				"Living off the Land",
				"MATA",
				"MBRkiller",
				"MagicRAT",
				"Manuscrypt",
				"Mimail",
				"Mimikatz",
				"Moudour",
				"Mydoom",
				"Mydoor",
				"Mytob",
				"NACHOCHEESE",
				"NachoCheese",
				"NestEgg",
				"NickelLoader",
				"NineRAT",
				"Novarg",
				"NukeSped",
				"OpBlockBuster",
				"PCRat",
				"PEBBLEDASH",
				"PLANKWALK",
				"POOLRAT",
				"PSLogger",
				"PhanDoor",
				"Plink",
				"PondRAT",
				"PowerBrace",
				"PowerRatankba",
				"PowerShell RAT",
				"PowerSpritz",
				"PowerTask",
				"Preft",
				"ProcDump",
				"Proxysvc",
				"PuTTY Link",
				"QUICKRIDE",
				"QUICKRIDE.POWER",
				"Quickcafe",
				"QuiteRAT",
				"R-C1",
				"ROptimizer",
				"Ratabanka",
				"RatabankaPOS",
				"Ratankba",
				"RatankbaPOS",
				"RawDisk",
				"RedShawl",
				"Rifdoor",
				"Rising Sun",
				"Romeo-CoreOne",
				"RomeoAlfa",
				"RomeoBravo",
				"RomeoCharlie",
				"RomeoCore",
				"RomeoDelta",
				"RomeoEcho",
				"RomeoFoxtrot",
				"RomeoGolf",
				"RomeoHotel",
				"RomeoMike",
				"RomeoNovember",
				"RomeoWhiskey",
				"Romeos",
				"RustBucket",
				"SHADYCAT",
				"SHARPKNOT",
				"SIGFLIP",
				"SIMPLESEA",
				"SLICKSHOES",
				"SORRYBRUTE",
				"SUDDENICON",
				"SUGARLOADER",
				"SheepRAT",
				"SierraAlfa",
				"SierraBravo",
				"SierraCharlie",
				"SierraJuliett-MikeOne",
				"SierraJuliett-MikeTwo",
				"SimpleTea",
				"SimplexTea",
				"SmallTiger",
				"Stunnel",
				"TAINTEDSCRIBE",
				"TAXHAUL",
				"TFlower",
				"TOUCHKEY",
				"TOUCHMOVE",
				"TOUCHSHIFT",
				"TOUCHSHOT",
				"TWOPENCE",
				"TYPEFRAME",
				"Tdrop",
				"Tdrop2",
				"ThreatNeedle",
				"Tiger RAT",
				"TigerRAT",
				"Trojan Manuscript",
				"Troy",
				"TroyRAT",
				"VEILEDSIGNAL",
				"VHD",
				"VHD Ransomware",
				"VIVACIOUSGIFT",
				"VSingle",
				"ValeforBeta",
				"Volgmer",
				"Vyveva",
				"W1_RAT",
				"Wana Decrypt0r",
				"WanaCry",
				"WanaCrypt",
				"WanaCrypt0r",
				"WannaCry",
				"WannaCrypt",
				"WannaCryptor",
				"WbBot",
				"Wcry",
				"Win32/KillDisk.NBB",
				"Win32/KillDisk.NBC",
				"Win32/KillDisk.NBD",
				"Win32/KillDisk.NBH",
				"Win32/KillDisk.NBI",
				"WinorDLL64",
				"Winsec",
				"WolfRAT",
				"Wormhole",
				"YamaBot",
				"Yort",
				"ZetaNile",
				"concealment_troy",
				"http_troy",
				"httpdr0pper",
				"httpdropper",
				"klovbot",
				"sRDI"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434579,
	"ts_updated_at": 1775792300,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/f3324c79f4fdd01c3a4db6be1844c3a13f3cac7a.pdf",
		"text": "https://archive.orkl.eu/f3324c79f4fdd01c3a4db6be1844c3a13f3cac7a.txt",
		"img": "https://archive.orkl.eu/f3324c79f4fdd01c3a4db6be1844c3a13f3cac7a.jpg"
	}
}