{
	"id": "dc05ecee-e01b-46a3-ac60-3fddba04af54",
	"created_at": "2026-04-06T00:09:33.929024Z",
	"updated_at": "2026-04-10T03:38:19.278813Z",
	"deleted_at": null,
	"sha1_hash": "f4c785a94ccc871d6cebf5c8fe93f8a368b5a339",
	"title": "DPRK Job Opportunity Phishing via WhatsApp | PuTTY Utility",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 827660,
	"plain_text": "DPRK Job Opportunity Phishing via WhatsApp | PuTTY Utility\r\nBy Mandiant\r\nPublished: 2022-09-14 · Archived: 2026-04-05 18:13:47 UTC\r\nWritten by: James Maclachlan, Mathew Potaczek, Nino Isakovic, Matt Williams, Yash Gupta\r\nIn July 2022, during proactive threat hunting activities at a company in the media industry, Mandiant Managed Defense identified a novel spear-phishing methodology employed by the threat cluster tracked as UNC4034. Mandiant has identified several overlaps between this group and those we suspect have a North Korea nexus.\r\nUNC4034 established communication with the victim over WhatsApp and lured them to download a malicious ISO package regarding a fake job offering that led to the deployment of the AIRDRY.V2 backdoor through a trojanized instance of the PuTTY utility.\r\nThe Managed Defense Threat Hunting Mindset\r\nOne of the cornerstones of the Mandiant Managed Defense service offering is its proactive threat hunting program that protects our customers from advanced threat actors’ tools, tactics and techniques that bypass traditional detection mechanisms. Managed Defense threat hunters leverage Mandiant’s deep adversary research and exposure to threat actor behaviors to continually enhance and expand our threat hunting capabilities.\r\nThis activity was identified by our Mandiant Intelligence: Staging Directories mission, which searches for anomalous files written to directories commonly used by threat actors.\r\nhttps://www.mandiant.com/resources/blog/dprk-whatsapp-phishing\r\nPage 1 of 11\n\nThe techniques used by UNC4034 in this compromise, along with the techniques used in countless intrusions investigated by Mandiant, are used to continuously develop and refine threat hunting hypotheses within Managed Defense. These provide high-fidelity and actionable leads that are informed by evolving threat actor tradecraft.\r\nInitial Lead\r\nThe initial lead was a file downloaded to the host named amazon_assessment.iso. ISO and IMG archives have become attractive to threat actors because, from Windows 10 onwards, double-clicking these files automatically mounts them as a virtual disk drive and makes their content easily accessible. This reduces the effort needed to view the embedded files compared to other formats such as RAR archives. Detecting malicious IMG and ISO archives served via phishing attachments is routine for Mandiant Managed Defense. The payloads contained within such archives range from commodity malware to advanced backdoors like the sample analyzed in this blog post.\r\nPhishing Lure\r\nMandiant Managed Defense performed an investigation on the host to determine how the file amazon_assessment.iso was created. Based on the available data, Mandiant assesses that UNC4034 initiated communication with the victim by offering them a job opportunity at Amazon via email. Subsequently, UNC4034 communicated with them over WhatsApp and shared the file amazon_assessment.iso, which the user downloaded using the web version of WhatsApp.\r\nThe amazon_assessment.iso archive held two files: an executable and a text file. The text file named Readme.txt had connection details for use with the second file: PuTTY.exe.\r\nServer: 137.184.15[.]189\r\nUser: test\r\nPass: [Redacted by Mandiant]\r\nFigure 1: Contents of Readme.txt\r\nPuTTY is an open-source SSH and Telnet client. Legitimate, compiled versions of the tool downloaded from the publisher’s website will have a valid digital signature. However, as shown in Figure 2, the PuTTY.exe binary in the malicious archive does not have a digital signature.\r\nFigure 2: Digital signatures of the officially distributed PuTTY utility (left) and the malicious version (right)\r\nThe PuTTY binary downloaded by the victim is also substantially larger than the legitimate version. Upon closer inspection, it has a large, high-entropy .data section in comparison to the officially distributed version (Figure 3). Sections like these are typically indicative of packed or encrypted data.\r\nFigure 3: Comparing the .data section in the officially distributed PuTTY utility (left) and the malicious sample (right)\r\nThe suspicious nature of the PuTTY.exe embedded in the ISO file prompted Managed Defense to perform a deeper investigation on the host and the file itself.\r\nThe execution of the malicious PuTTY binary resulted in the deployment of a backdoor to the host. The deployed backdoor is an evolution of the malware family Mandiant tracks as AIRDRY. Mandiant Managed Defense successfully investigated the compromise and contained the host before follow-on activity resulting from the deployed backdoor could occur. While Mandiant detected and responded to the compromise on 2022-07-05, the same PuTTY executable was seen on VirusTotal as early as 2022-06-27.\r\nIn addition, Mandiant discovered a second ISO archive named amazon_test.iso uploaded to VirusTotal on 2022-06-17. Mandiant found the second archive by pivoting from the IP address contained in the Readme.txt file. This ISO file also had a Readme.txt with the same IP address and a similar trojanized PuTTY executable.\r\nBoth ISO files found by Mandiant appear to use the same lure theme by posing as a recruitment assessment for Amazon. They also contained similarly constructed malware that resulted in a final AIRDRY.V2 backdoor payload.\r\nMalware Analysis\r\nTrojanized PuTTY\r\nThe executable embedded in each ISO file is a fully functional PuTTY application (Figure 4) compiled using publicly available PuTTY version 0.77 source code.\r\nFigure 4: PuTTY interface displayed when executing the malicious samples\r\nEach sample contains malicious code that writes an embedded payload to disk and launches it. However, the malicious code was inserted at different locations in each of the trojanized PuTTY samples. In the PuTTY sample discovered by Mandiant, the code resides in the connect_to_host function, which is in the source file putty-0.77\\ssh\\ssh.c. To trigger the code, the user must attempt an SSH connection to the host IP address provided in the Readme.txt file (Figure 1).\r\nIn the PuTTY sample discovered on VirusTotal, the malicious code was inserted into the ssh2_userauth_process_queue function (source file: putty-0.77\\ssh\\userauth2-client.c). The code resides in the part of the function responsible for performing password authentication, as opposed to other methods such as public key or keyboard-interactive authentication. Once the user establishes a connection and enters their username and password, the malicious code is executed regardless of the authentication result. These execution guardrails are likely an attempt by UNC4034 to avoid unnecessarily dropping the next stage of their malware.\r\nThe part of the malicious code that drops and executes a payload is nearly identical between the two samples. The legitimate Windows executable C:\\Windows\\System32\\colorcpl.exe is copied to the new directory C:\\ProgramData\\PackageColor and the embedded payload is written to C:\\ProgramData\\PackageColor\\colorui.dll. The PuTTY binary observed in the compromise launches colorui.dll via DLL search order hijacking using the command shown in Figure 5.\r\nC:\\Windows\\System32\\cmd.exe /c start /b C:\\ProgramData\\PackageColor\\colorcpl.exe 0CE1241A44557AA438F27BC6D4ACA246\r\nFigure 5: Observed colorcpl.exe execution\r\nIn the VirusTotal sample, cmd.exe is not used to launch colorcpl.exe. Instead, the Windows API function WinExec launches the process shown in Figure 6.\r\nC:\\ProgramData\\PackageColor\\colorcpl.exe C8E71F4613ABFCA10B6330C9\r\nFigure 6: VirusTotal sample execution\r\nIn both instances, the command-line argument passed to colorcpl.exe is not related to the legitimate function of the Windows executable. Instead, each argument is utilized by the malicious DLL as described below.\r\nPersistence is established for C:\\ProgramData\\PackageColor\\colorcpl.exe via schtasks.exe. A scheduled task named PackageColor executes colorcpl.exe at 10:30 AM local time every day.\r\nMalicious DLL\r\nThe colorui.dll samples were packed using the commercial software protector Themida. The unpacked samples contain file paths that reveal their purpose. An example path is shown in Figure 7.\r\nW:\\Develop\\aTool\\ShellCodeLoader\\App\\libressl-2.6.5\\crypto\\cryptlib.c\r\nFigure 7: Embedded file path that has the string “ShellCodeLoader”\r\nBoth samples contain an identical shellcode payload named DAVESHELL. The payload is decrypted using a custom XOR-based algorithm with a dynamically generated key. The key is the result of concatenating the following strings:\r\n1. Parent process name (COLORCPL.EXE)\r\n2. Malicious DLL filename (COLORUI.DLL)\r\n3. Command-line argument passed to colorcpl.exe by the PuTTY executable\r\nThe necessary decryption key for the VirusTotal sample is shown in Figure 8.\r\nCOLORCPL.EXECOLORUI.DLLC8E71F4613ABFCA10B6330C96CA3D3B1\r\nFigure 8: Decryption key for the PuTTY sample found on VirusTotal\r\nThe inclusion of this key also serves as an anti-analysis mechanism: without the correct key, nothing of significance happens when the DLL is executed.\r\nThe command-line argument passed to colorcpl.exe also dictates how the decrypted shellcode is executed. Based on this argument, colorui.dll may execute the shellcode from within colorcpl.exe or inject it into a new instance of a legitimate Windows process. In the case of process injection, the injection target is chosen randomly from credwiz.exe and iexpress.exe.\r\nThe injected shellcode payload is DAVESHELL, a publicly available dropper in the form of shellcode that executes an embedded payload in memory. The embedded payload is a VMProtect-packed evolution of the AIRDRY backdoor.\r\nAIRDRY.V2\r\nThe AIRDRY backdoor, also known as BLINDINGCAN, has been thoroughly documented in reports published by CISA and JPCERT. These earlier versions of AIRDRY supported numerous backdoor commands including file transfer, file management, and command execution. In the most recent version, however, the traditional backdoor commands have been removed in favor of a plugin-based approach that supports multiple communication modes. The details that follow address the evolution to AIRDRY.V2 and highlight similarities with previous versions.\r\nThe backdoor’s configuration is AES-128 encrypted in CBC mode with the hard-coded key KAA5M8MNDKLJB8PI. An integrity check is performed on both the encrypted and decrypted configuration. The backdoor exits if the check fails.\r\nThe decrypted configuration contains the backdoor’s communication mode. Supported modes are listed in Table 1 along with their corresponding internal class names, where applicable. All three modes are centralized around a class named CSinSocket.\r\nMode | Class Name | Description\r\nHTTP | CHTTP_Protocol | Communication via HTTP\r\nFile | CFileRW | Communication via a file\r\nSMB | N/A | Communication via SMB over a named pipe\r\nTable 1: AIRDRY.V2 communication modes\r\nThe structure of the embedded configuration is dependent on the communication mode. The observed sample is configured to use HTTP. The structure of its 0x24B0-byte configuration is outlined in Table 2. No SMB or file mode versions of AIRDRY.V2 have been identified and thus their configuration structure is unknown.\r\nOffset | Description\r\n0x0000 | Operation mode\r\n0x0002 | C2 URL count\r\n0x0006 | C2 URL #1\r\n0x020E | C2 URL #2\r\n0x0416 | C2 URL #3\r\n0x061E | C2 URL #4\r\n0x0826 | C2 URL #5\r\n0x0A2E | Proxy enabled flag\r\n0x0A32 | Proxy server\r\n0x0C3A | Proxy port\r\n0x0C3C | Proxy credentials available\r\n0x0C40 | Proxy username\r\n0x0E48 | Proxy password\r\n0x1050 | Unknown\r\n0x1054 | Maximum beacon count\r\n0x1056 | Report if disk space is available\r\n0x105A | Report if there is an active RDP session\r\n0x105E | Beacon interval in seconds\r\n0x1060 | Start date and time (empty)\r\n0x1068 | System ID\r\n0x106C | Unknown\r\n0x18A0 | c:\\windows\\system32\\cmd.exe\r\n0x1AA8 | %temp%\r\n0x1CB0 | Unknown\r\nTable 2: HTTP-mode configuration structure\r\nThe configuration layout above is similar to the one outlined in Appendix A of the JPCERT report. The maximum beacon count stored at offset 0x1054 reflects the number of times the backdoor attempts to connect to a command and control (C2) server before waiting the amount of time stored at offset 0x105E. The current sample is configured to beacon up to five times before sleeping for 60 seconds.\r\nBy default, the backdoor is not configured to use a proxy server. It is also not configured to report the status of available disk space (offset 0x1056) or the presence of an active RDP session (offset 0x105E). However, these features could be enabled via a configuration update issued by a C2 server.\r\nThe configuration strings at offsets 0x18A0 and 0x1AA8 are not referenced in the code but have been seen in previous AIRDRY configurations. It’s possible these strings remain in the configuration for use by a downloaded plugin.\r\nThe configuration value at offset 0x1060 reflects the date and time after which the backdoor should begin communicating with its C2 servers. This value is empty in the current configuration, which results in communication beginning immediately. However, the value can be updated via a command from a C2 server, which could result in the backdoor being inactive for a period of time.\r\nThe backdoor’s C2 URL count is five; however, the configuration only has three distinct URLs (Figure 9).\r\nhxxps://hurricanepub[.]com/include/include.php\r\nhxxps://turnscor[.]com/wp-includes/contacts.php\r\nhxxps://www.elite4print[.]com/support/support.asp\r\nFigure 9: Configured C2 URLs\r\nThe backdoor issues an HTTP POST request to a randomly selected C2 URL. An example request is shown in Figure 10.\r\nbbs=VkxXU1lPvBGI7BJ40K4=shD5nhF+2amakV9H\u0026article=EAAAABIAAAAgAAAAAAAAAAAAAAAAAAAAguPGZC0NvqYJ/yy4qGzW98G5M6Ab5UDNTt3lna8k/O8=\r\nFigure 10: Example HTTP POST request\r\nThe bbs and article field names in the request body are hard-coded. The decoded Base64 data assigned to the bbs field aligns closely with the format outlined in the JPCERT report, including the same custom RC4 implementation. Where AIRDRY.V2’s request structure differs from its predecessor is the second field, which is used to send command-related data. Prior to being Base64 encoded, the article data is compressed using LZ4 and then encrypted with AES. The AES-256 key is derived using the SHA-256 hash of a hard-coded 32-byte sequence.\r\nAIRDRY.V2’s file mode uses the same HTTP request format but writes each request to a file. The file path is built based on elements found in the backdoor’s configuration. Because a file mode version of AIRDRY.V2 has not been identified, the purpose behind writing HTTP requests to a file has yet to be determined. In SMB mode, the backdoor communicates by sending an SMB2 WRITE request to a named pipe. The host name and pipe name are specified in the configuration.\r\nLike previous AIRDRY backdoors, AIRDRY.V2 utilizes the value 0x2040 to request a command from a C2 server. Supported command IDs are listed in Table 3.\r\nCommand ID | Description\r\n0x2009 | Upload basic system information\r\n0x2028 | Update the beacon interval based on a value provided by the C2 server\r\n0x2029 | Deactivate until new start date and time\r\n0x2031 | Upload the current configuration\r\n0x2032 | Update the configuration\r\n0x2037 | Keep-alive\r\n0x2038 | Update the beacon interval based on a value in the configuration\r\n0x2052 | Update the AES key used to encrypt C2 requests and configuration data\r\n0x2057 | Download and execute a plugin in memory\r\nTable 3: Supported command IDs\r\nAIRDRY.V2 supports nine commands. Prior versions of AIRDRY supported nearly thirty commands. Of the nine commands, only two were not present in previous AIRDRY samples: 0x2052 and 0x2057. Command 0x2052 can be used to update the 32-byte sequence used to derive the AES-256 key described above. Command ID 0x2057 represents the shift from a backdoor that supports numerous commands to the new plugin-based approach in AIRDRY.V2.\r\nDownloaded plugins are executed in memory and provided with a structure that includes a copy of the decrypted configuration, the system ID, and an object that facilitates communication with the configured C2 servers. Notably, the backdoor itself has the necessary logic to function as a plugin.\r\nThreat Actor Spotlight: UNC4034\r\nMandiant identified several overlaps between UNC4034 and threat clusters we suspect have a North Korean nexus. The AIRDRY.V2 C2 URLs belong to compromised website infrastructure previously leveraged by these groups and reported in several OSINT sources. Of note is the prior use of this compromised infrastructure to deliver the AIRDRY backdoor via CUTELOOP downloaders embedded in malicious documents.\r\nBased on the identified overlaps and the social engineering tactics used, Mandiant suspects this activity represents an extension of enduring “Operation Dream Job” campaigns that leverage a different attack chain with ISO files and trojanized binaries rather than weaponized documents. This is likely one of several malware delivery techniques being employed by North Korean actors after a target has responded to a fabricated job lure. Recent public reporting also details the usage of other social media platforms to pose as legitimate companies and post fake job advertisements that target cryptocurrency developers.\r\nThe use of ISO files has become increasingly popular in the delivery of both commodity and targeted malware. Mandiant has observed well-known actors, such as APT29, adopting the use of ISO files to deliver their malware.\r\nDetection Opportunities\r\nThe investigation into this compromise revealed new leads and indicators to pivot from in future hunting efforts. An important caveat to these hunting leads is that they are not indicators of compromise. Instead, they represent interesting activity that may call for further investigation by an analyst.\r\nThe first hunting lead is ISO and IMG archive files downloaded from sources such as WhatsApp, email providers, and cloud storage services. On Windows 10 and later, the origin URL of a downloaded file is stored in the Zone.Identifier alternate data stream. Mandiant routinely observes archive files delivered as phishing attachments that originate from those sources.\r\nThe second hunting lead is the execution of colorcpl.exe from an unusual directory like C:\\ProgramData\\PackageColor. Most often, the executable runs from its standard location in C:\\Windows\\System32 or C:\\Windows\\SysWOW64.\r\nThe third hunting lead is the execution of colorcpl.exe with command-line arguments. By default, colorcpl.exe executes with no command-line arguments. In this scenario, colorcpl.exe was executed with a command-line argument that consisted of hexadecimal characters. The argument was ultimately evaluated by a malicious DLL that was loaded into the process.\r\nMandiant consistently finds new and novel threat actor activity such as that described in this blog post. To ensure our customers are protected, Mandiant’s detection and threat hunting capabilities are continuously evolving and are fueled by our experiences on the frontlines.\r\nMalware Family Definitions\r\nDAVESHELL\r\nDAVESHELL is shellcode that functions as an in-memory dropper. Its embedded payload is mapped into memory and executed.\r\nAIRDRY\r\nAIRDRY is a backdoor written in C++ that communicates via HTTP. Its capabilities include shell command execution, file transfer, secure file deletion, file management, process termination, and process enumeration.\r\nAIRDRY.V2\r\nAIRDRY.V2 is an evolution of the AIRDRY backdoor that supports three communication modes: HTTP, file-based, and SMB. AIRDRY.V2 does not support the extensive list of commands found in AIRDRY. Instead, its functionality is extended via downloaded plugins that are executed directly in memory. AIRDRY.V2 can also update its configuration.\r\nCUTELOOP\r\nCUTELOOP is a downloader written in C++ that retrieves payloads via HTTPS. Downloaded payloads are mapped into memory and executed. CUTELOOP expects a command-line argument that is used to decrypt the payload URL.\r\nTechnical Indicators\r\nHost and Network-based Indicators\r\nMalware Family | MD5 | SHA256\r\nISO Attachment | 90adcfdaead2fda42b9353d44f7a8ceb | 8cc60b628bded497b11dbc04facc7b5d7160294cbe521764df1a9ccb219bb\r\nISO Attachment | 6d1a88fefd03f20d4180414e199eb23a | e03da0530a961a784fbba93154e9258776160e1394555d0752ac787f0182\r\nTrojanized PuTTY Dropper | 8368bb5c714202b27d7c493c9c0306d7 | 1492fa04475b89484b5b0a02e6ba3e52544c264c294b57210404b96b65e6\r\nTrojanized PuTTY Dropper | 18c873c498f5b90025a3c33b17031223 | cf22964951352c62d553b228cf4d2d9efe1ccb51729418c45dc48801d36f6\r\nThemida-Packed Dropper for DAVESHELL | c650b716f9eb0bd6b92b0784719081cd | aaad412aeb0f98c2c27bb817682f08673902a48b65213091534f96fe6f549\r\nThemida-Packed Dropper for DAVESHELL | 4914bcbbe36dfa9d718d02f162de3da1 | 3ac82652cf969a890345db1862deff4ea8885fe72fb987904c0283a2d5e6aa\r\nType | Value | Comment\r\nIPv4 Address | 137.184.15[.]189 | IP address seen in Readme.txt\r\nURL | https://hurricanepub[.]com/include/include.php | AIRDRY.V2 C2\r\nURL | https://turnscor[.]com/wp-includes/contacts.php | AIRDRY.V2 C2\r\nURL | https://www.elite4print[.]com/support/support.asp | AIRDRY.V2 C2\r\nFile | C:\\ProgramData\\PackageColor\\colorcpl.exe | Microsoft binary used for DLL search order hijack\r\nFile | C:\\ProgramData\\PackageColor\\colorui.dll | Themida-packed dropper for DAVESHELL\r\nScheduled Task | Task Name: PackageColor | Persistence mechanism\r\nMITRE ATT\u0026CK Mapping\r\nATT\u0026CK Tactic Category | Techniques\r\nInitial Access | T1566.001: Phishing: Spearphishing Attachment; T1566.003: Phishing: Spearphishing via Service\r\nExecution | T1059.003: Command and Scripting Interpreter: Windows Command Shell; T1053.005: Scheduled Task/Job: Scheduled Task\r\nPersistence | T1574.001: Hijack Execution Flow: DLL Search Order Hijacking; T1053.005: Scheduled Task/Job: Scheduled Task\r\nDefense Evasion | T1574.001: Hijack Execution Flow: DLL Search Order Hijacking; T1055.001: Process Injection: Dynamic-link Library Injection; T1218: System Binary Proxy Execution; T1620: Reflective Code Loading; T1027.002: Obfuscated Files or Information: Software Packing\r\nCommand and Control | T1071.001: Application Layer Protocol: Web Protocols; T1071.002: Application Layer Protocol: File Transfer Protocols; T1132.001: Data Encoding: Standard Encoding; T1573.001: Encrypted Channel: Symmetric Encryption; T1573.002: Encrypted Channel: Asymmetric Encryption\r\nSource: https://www.mandiant.com/resources/blog/dprk-whatsapp-phishing",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://www.mandiant.com/resources/blog/dprk-whatsapp-phishing"
	],
	"report_names": [
		"dprk-whatsapp-phishing"
	],
	"threat_actors": [
		{
			"id": "d90307b6-14a9-4d0b-9156-89e453d6eb13",
			"created_at": "2022-10-25T16:07:23.773944Z",
			"updated_at": "2026-04-10T02:00:04.746188Z",
			"deleted_at": null,
			"main_name": "Lead",
			"aliases": [
				"Casper",
				"TG-3279"
			],
			"source_name": "ETDA:Lead",
			"tools": [
				"Agentemis",
				"BleDoor",
				"Cobalt Strike",
				"CobaltStrike",
				"RbDoor",
				"RibDoor",
				"Winnti",
				"cobeacon"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "5b748f86-ac32-4715-be9f-6cf25ae48a4e",
			"created_at": "2024-06-04T02:03:07.956135Z",
			"updated_at": "2026-04-10T02:00:03.689959Z",
			"deleted_at": null,
			"main_name": "IRON HEMLOCK",
			"aliases": [
				"APT29 ",
				"ATK7 ",
				"Blue Kitsune ",
				"Cozy Bear ",
				"The Dukes",
				"UNC2452 ",
				"YTTRIUM "
			],
			"source_name": "Secureworks:IRON HEMLOCK",
			"tools": [
				"CosmicDuke",
				"CozyCar",
				"CozyDuke",
				"DiefenDuke",
				"FatDuke",
				"HAMMERTOSS",
				"LiteDuke",
				"MiniDuke",
				"OnionDuke",
				"PolyglotDuke",
				"RegDuke",
				"RegDuke Loader",
				"SeaDuke",
				"Sliver"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "a241a1ca-2bc9-450b-a07b-aae747ee2710",
			"created_at": "2024-06-19T02:03:08.150052Z",
			"updated_at": "2026-04-10T02:00:03.737173Z",
			"deleted_at": null,
			"main_name": "IRON RITUAL",
			"aliases": [
				"APT29",
				"Blue Dev 5 ",
				"BlueBravo ",
				"Cloaked Ursa ",
				"CozyLarch ",
				"Dark Halo ",
				"Midnight Blizzard ",
				"NOBELIUM ",
				"StellarParticle ",
				"UNC2452 "
			],
			"source_name": "Secureworks:IRON RITUAL",
			"tools": [
				"Brute Ratel C4",
				"Cobalt Strike",
				"EnvyScout",
				"GoldFinder",
				"GoldMax",
				"NativeZone",
				"RAINDROP",
				"SUNBURST",
				"Sibot",
				"TEARDROP",
				"VaporRage"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "46b3c0fc-fa0c-4d63-a38a-b33a524561fb",
			"created_at": "2023-01-06T13:46:38.393409Z",
			"updated_at": "2026-04-10T02:00:02.955738Z",
			"deleted_at": null,
			"main_name": "APT29",
			"aliases": [
				"Cloaked Ursa",
				"TA421",
				"Blue Kitsune",
				"BlueBravo",
				"IRON HEMLOCK",
				"G0016",
				"Nobelium",
				"Group 100",
				"YTTRIUM",
				"Grizzly Steppe",
				"ATK7",
				"ITG11",
				"COZY BEAR",
				"The Dukes",
				"Minidionis",
				"UAC-0029",
				"SeaDuke"
			],
			"source_name": "MISPGALAXY:APT29",
			"tools": [
				"SNOWYAMBER",
				"HALFRIG",
				"QUARTERRIG"
			],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "20d3a08a-3b97-4b2f-90b8-92a89089a57a",
			"created_at": "2022-10-25T15:50:23.548494Z",
			"updated_at": "2026-04-10T02:00:05.292748Z",
			"deleted_at": null,
			"main_name": "APT29",
			"aliases": [
				"APT29",
				"IRON RITUAL",
				"IRON HEMLOCK",
				"NobleBaron",
				"Dark Halo",
				"NOBELIUM",
				"UNC2452",
				"YTTRIUM",
				"The Dukes",
				"Cozy Bear",
				"CozyDuke",
				"SolarStorm",
				"Blue Kitsune",
				"UNC3524",
				"Midnight Blizzard"
			],
			"source_name": "MITRE:APT29",
			"tools": [
				"PinchDuke",
				"ROADTools",
				"WellMail",
				"CozyCar",
				"Mimikatz",
				"Tasklist",
				"OnionDuke",
				"FatDuke",
				"POSHSPY",
				"EnvyScout",
				"SoreFang",
				"GeminiDuke",
				"reGeorg",
				"GoldMax",
				"FoggyWeb",
				"SDelete",
				"PolyglotDuke",
				"AADInternals",
				"MiniDuke",
				"SeaDuke",
				"Sibot",
				"RegDuke",
				"CloudDuke",
				"GoldFinder",
				"AdFind",
				"PsExec",
				"NativeZone",
				"Systeminfo",
				"ipconfig",
				"Impacket",
				"Cobalt Strike",
				"PowerDuke",
				"QUIETEXIT",
				"HAMMERTOSS",
				"BoomBox",
				"CosmicDuke",
				"WellMess",
				"VaporRage",
				"LiteDuke"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "f32df445-9fb4-4234-99e0-3561f6498e4e",
			"created_at": "2022-10-25T16:07:23.756373Z",
			"updated_at": "2026-04-10T02:00:04.739611Z",
			"deleted_at": null,
			"main_name": "Lazarus Group",
			"aliases": [
				"APT-C-26",
				"ATK 3",
				"Appleworm",
				"Citrine Sleet",
				"DEV-0139",
				"Diamond Sleet",
				"G0032",
				"Gleaming Pisces",
				"Gods Apostles",
				"Gods Disciples",
				"Group 77",
				"Guardians of Peace",
				"Hastati Group",
				"Hidden Cobra",
				"ITG03",
				"Jade Sleet",
				"Labyrinth Chollima",
				"Lazarus Group",
				"NewRomanic Cyber Army Team",
				"Operation 99",
				"Operation AppleJeus",
				"Operation AppleJeus sequel",
				"Operation Blockbuster: Breach of Sony Pictures Entertainment",
				"Operation CryptoCore",
				"Operation Dream Job",
				"Operation Dream Magic",
				"Operation Flame",
				"Operation GhostSecret",
				"Operation In(ter)caption",
				"Operation LolZarus",
				"Operation Marstech Mayhem",
				"Operation No Pineapple!",
				"Operation North Star",
				"Operation Phantom Circuit",
				"Operation Sharpshooter",
				"Operation SyncHole",
				"Operation Ten Days of Rain / DarkSeoul",
				"Operation Troy",
				"SectorA01",
				"Slow Pisces",
				"TA404",
				"TraderTraitor",
				"UNC2970",
				"UNC4034",
				"UNC4736",
				"UNC4899",
				"UNC577",
				"Whois Hacking Team"
			],
			"source_name": "ETDA:Lazarus Group",
			"tools": [
				"3CX Backdoor",
				"3Rat Client",
				"3proxy",
				"AIRDRY",
				"ARTFULPIE",
				"ATMDtrack",
				"AlphaNC",
				"Alreay",
				"Andaratm",
				"AngryRebel",
				"AppleJeus",
				"Aryan",
				"AuditCred",
				"BADCALL",
				"BISTROMATH",
				"BLINDINGCAN",
				"BTC Changer",
				"BUFFETLINE",
				"BanSwift",
				"Bankshot",
				"Bitrep",
				"Bitsran",
				"BlindToad",
				"Bookcode",
				"BootWreck",
				"BottomLoader",
				"Brambul",
				"BravoNC",
				"Breut",
				"COLDCAT",
				"COPPERHEDGE",
				"CROWDEDFLOUNDER",
				"Castov",
				"CheeseTray",
				"CleanToad",
				"ClientTraficForwarder",
				"CollectionRAT",
				"Concealment Troy",
				"Contopee",
				"CookieTime",
				"Cyruslish",
				"DAVESHELL",
				"DBLL Dropper",
				"DLRAT",
				"DRATzarus",
				"DRATzarus RAT",
				"Dacls",
				"Dacls RAT",
				"DarkComet",
				"DarkKomet",
				"DeltaCharlie",
				"DeltaNC",
				"Dembr",
				"Destover",
				"DoublePulsar",
				"Dozer",
				"Dtrack",
				"Duuzer",
				"DyePack",
				"ECCENTRICBANDWAGON",
				"ELECTRICFISH",
				"Escad",
				"EternalBlue",
				"FALLCHILL",
				"FYNLOS",
				"FallChill RAT",
				"Farfli",
				"Fimlis",
				"FoggyBrass",
				"FudModule",
				"Fynloski",
				"Gh0st RAT",
				"Ghost RAT",
				"Gopuram",
				"HARDRAIN",
				"HIDDEN COBRA RAT/Worm",
				"HLOADER",
				"HOOKSHOT",
				"HOPLIGHT",
				"HOTCROISSANT",
				"HOTWAX",
				"HTTP Troy",
				"Hawup",
				"Hawup RAT",
				"Hermes",
				"HotCroissant",
				"HotelAlfa",
				"Hotwax",
				"HtDnDownLoader",
				"Http Dr0pper",
				"ICONICSTEALER",
				"Joanap",
				"Jokra",
				"KANDYKORN",
				"KEYMARBLE",
				"Kaos",
				"KillDisk",
				"KillMBR",
				"Koredos",
				"Krademok",
				"LIGHTSHIFT",
				"LIGHTSHOW",
				"LOLBAS",
				"LOLBins",
				"Lazarus",
				"LightlessCan",
				"Living off the Land",
				"MATA",
				"MBRkiller",
				"MagicRAT",
				"Manuscrypt",
				"Mimail",
				"Mimikatz",
				"Moudour",
				"Mydoom",
				"Mydoor",
				"Mytob",
				"NACHOCHEESE",
				"NachoCheese",
				"NestEgg",
				"NickelLoader",
				"NineRAT",
				"Novarg",
				"NukeSped",
				"OpBlockBuster",
				"PCRat",
				"PEBBLEDASH",
				"PLANKWALK",
				"POOLRAT",
				"PSLogger",
				"PhanDoor",
				"Plink",
				"PondRAT",
				"PowerBrace",
				"PowerRatankba",
				"PowerShell RAT",
				"PowerSpritz",
				"PowerTask",
				"Preft",
				"ProcDump",
				"Proxysvc",
				"PuTTY Link",
				"QUICKRIDE",
				"QUICKRIDE.POWER",
				"Quickcafe",
				"QuiteRAT",
				"R-C1",
				"ROptimizer",
				"Ratabanka",
				"RatabankaPOS",
				"Ratankba",
				"RatankbaPOS",
				"RawDisk",
				"RedShawl",
				"Rifdoor",
				"Rising Sun",
				"Romeo-CoreOne",
				"RomeoAlfa",
				"RomeoBravo",
				"RomeoCharlie",
				"RomeoCore",
				"RomeoDelta",
				"RomeoEcho",
				"RomeoFoxtrot",
				"RomeoGolf",
				"RomeoHotel",
				"RomeoMike",
				"RomeoNovember",
				"RomeoWhiskey",
				"Romeos",
				"RustBucket",
				"SHADYCAT",
				"SHARPKNOT",
				"SIGFLIP",
				"SIMPLESEA",
				"SLICKSHOES",
				"SORRYBRUTE",
				"SUDDENICON",
				"SUGARLOADER",
				"SheepRAT",
				"SierraAlfa",
				"SierraBravo",
				"SierraCharlie",
				"SierraJuliett-MikeOne",
				"SierraJuliett-MikeTwo",
				"SimpleTea",
				"SimplexTea",
				"SmallTiger",
				"Stunnel",
				"TAINTEDSCRIBE",
				"TAXHAUL",
				"TFlower",
				"TOUCHKEY",
				"TOUCHMOVE",
				"TOUCHSHIFT",
				"TOUCHSHOT",
				"TWOPENCE",
				"TYPEFRAME",
				"Tdrop",
				"Tdrop2",
				"ThreatNeedle",
				"Tiger RAT",
				"TigerRAT",
				"Trojan Manuscript",
				"Troy",
				"TroyRAT",
				"VEILEDSIGNAL",
				"VHD",
				"VHD Ransomware",
				"VIVACIOUSGIFT",
				"VSingle",
				"ValeforBeta",
				"Volgmer",
				"Vyveva",
				"W1_RAT",
				"Wana Decrypt0r",
				"WanaCry",
				"WanaCrypt",
				"WanaCrypt0r",
				"WannaCry",
				"WannaCrypt",
				"WannaCryptor",
				"WbBot",
				"Wcry",
				"Win32/KillDisk.NBB",
				"Win32/KillDisk.NBC",
				"Win32/KillDisk.NBD",
				"Win32/KillDisk.NBH",
				"Win32/KillDisk.NBI",
				"WinorDLL64",
				"Winsec",
				"WolfRAT",
				"Wormhole",
				"YamaBot",
				"Yort",
				"ZetaNile",
				"concealment_troy",
				"http_troy",
				"httpdr0pper",
				"httpdropper",
				"klovbot",
				"sRDI"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434173,
	"ts_updated_at": 1775792299,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/f4c785a94ccc871d6cebf5c8fe93f8a368b5a339.pdf",
		"text": "https://archive.orkl.eu/f4c785a94ccc871d6cebf5c8fe93f8a368b5a339.txt",
		"img": "https://archive.orkl.eu/f4c785a94ccc871d6cebf5c8fe93f8a368b5a339.jpg"
	}
}