{
	"id": "be9e80be-d2cf-4782-b2c0-2a56506da7c5",
	"created_at": "2026-04-06T00:21:25.977303Z",
	"updated_at": "2026-04-10T03:38:20.551065Z",
	"deleted_at": null,
	"sha1_hash": "f62b66f925f7fe8fea27e22142daf0de30c4f28a",
	"title": "Emulating the Highly Sophisticated North Korean Adversary Lazarus Group – Part 1",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 4394284,
	"plain_text": "Emulating the Highly Sophisticated North Korean Adversary\r\nLazarus Group – Part 1\r\nBy Francis Guibernau\r\nPublished: 2023-01-05 · Archived: 2026-04-05 22:05:27 UTC\r\nLazarus Group, also known as Hidden Cobra, is a state-sponsored adversary attributed to the Reconnaissance General Bureau (RGB) of the Democratic People’s Republic of Korea (DPRK) which has been active since at least 2009. The Lazarus Group is composed of at least two subgroups, known as Andariel and BlueNoroff, and has notable overlaps with the adversaries known as APT37 and Kimsuky.\r\nLazarus Group’s main motivations are theft of proprietary information, espionage, sabotage, and destruction. The group first came to media attention in 2013, following a series of coordinated attacks against South Korean media and financial entities using the wiper known as DarkSeoul.\r\nTheir most notorious campaign occurred in November 2014, when the Lazarus Group conducted a large-scale destructive attack against Sony Pictures Entertainment (SPE). It was notable for the depth of penetration into the network, the large amount of exfiltrated data, and the use of a wiper to erase all forensic evidence.\r\nAttackIQ has released six new attack graphs emulating the actor’s historical campaigns to help customers validate their security controls and their ability to defend against this group. Validating your security program performance against these behaviors is vital to reducing risk. 
By using these new attack graphs in the AttackIQ Security Optimization Platform, security teams will be able to:\r\nEvaluate security control performance against the top North Korean threat actor, who has targeted all regions and sectors.\r\nAssess their security posture against a threat actor who is not afraid to commit destructive actions.\r\nContinuously validate detection and prevention pipelines against the techniques shared amongst many of the North Korean adversaries.\r\nLazarus Group – 2018-12 – Operation Sharpshooter\r\nhttps://www.attackiq.com/2023/01/05/emulating-the-highly-sophisticated-north-korean-adversary-lazarus-group/\r\nPage 1 of 13\r\nThe first attack graph is based on Operation Sharpshooter, reported by McAfee in December 2018. Operation Sharpshooter took place between October and November 2018 against more than 80 organizations worldwide, predominantly those located in the United States. During this attack, the adversary focused on multiple sectors, specifically finance, energy, and defense.\r\nThe attack graph begins with the downloading and saving of the malicious Office document used for the deployment of the Rising Sun implant, which obtains persistence through the Startup folder.\r\nIngress Tool Transfer (T1105): Two separate scenarios download the sample to memory and save it to disk, to test network and endpoint controls and their ability to prevent the delivery of known malicious samples of Lazarus malware. These scenarios are used for each stage of the malware delivered in these attacks.\r\nBoot or Logon Autostart Execution: Registry Run Keys / Startup Folder (T1547.001): The Startup folder is a directory associated with the Windows Start Menu that can be used to launch a process at Windows logon. 
This scenario creates a binary file in this directory that would execute at the user’s next logon.\r\nDuring the second stage, the graph seeks to collect information from various sources about the system environment prior to the exfiltration of the encrypted collected data.\r\nFile and Directory Discovery (T1083): This scenario uses the native dir command to find files of interest and writes the output to a temporary file.\r\nSystem Network Configuration Discovery (T1016): Native Windows commands like route, ipconfig, and net use are executed to collect details about the infected host and network shares.\r\nSystem Owner/User Discovery (T1033): Living off the land by running whoami and users to gain details about the currently available accounts and permission groups.\r\nSystem Information Discovery (T1082): The native hostname and systeminfo commands are used to get the infected host’s computer name and basic details about the system.\r\nQuery Registry (T1012): The HKCU\\Software\\Microsoft\\Windows\\CurrentVersion registry key contains information about Windows properties for the user account logged into the system.\r\nData Staged: Local Data Staging (T1074.001): Files are collected and stored in a temporary directory so they can be exfiltrated later.\r\nExfiltration Over Symmetric Encrypted Non-C2 Protocol (T1048.001): Files are first encrypted using AES and then transmitted over HTTPS using POST requests.\r\nIn the last stage, the implant seeks to obtain in-depth information about the files contained in the system and the peripheral devices, finalizing with the communication to the adversary’s infrastructure.\r\nProcess Discovery (T1057): tasklist is executed as a command process and the results are saved to a temporary location.\r\nSystem Information Discovery 
(T1082): The native wmic logicaldisk and wmic diskdrive queries are executed to collect information about the installed disks, including caption, description, drive type, provider name, and size.\r\nApplication Layer Protocol: Web Protocols (T1071.001): This scenario emulates the HTTP requests made by the Rising Sun backdoor by making an HTTP POST to an AttackIQ server that mimics the URL format and data sent by a real infection.\r\nLazarus Group – 2020-06 – Operation In(ter)ception\r\nThe second attack graph is based on the Operation In(ter)ception report published by ESET in June 2020. Operation In(ter)ception was a campaign conducted against military and aerospace organizations in Europe and the Middle East. The actor used social engineering via LinkedIn, hiding behind the ruse of attractive, but bogus, job offers.\r\nThe attack graph begins with the downloading and saving of a malicious LNK file, which seeks to evade defenses by masquerading as a legitimate process when executed. Next, the graph seeks to obtain persistence through a scheduled task and executes a remote XSL script. The first-stage downloader is downloaded, saved, and executed as a new service.\r\nMasquerading: Match Legitimate Name or Location (T1036.005): A copy of the legitimate wmic.exe binary is placed in a temporary directory. 
The file is renamed to ncv.exe and executed to get details on the OS version.\r\nScheduled Task/Job: Scheduled Task (T1053.005): This scenario creates a new scheduled task using the schtasks utility with the name HPSync, which was observed being used in these attacks.\r\nXSL Script Processing (T1220): wmic.exe is executed and passed a URL as a command line argument, which forces the binary to download and execute an XSL file that contains malicious JavaScript code.\r\nWindows Service (T1543.003): The native sc command line tool is used to create a new service that will execute at reboot.\r\nThe second stage is downloaded and executed using RunDLL32 and, in case that is prevented, it will alternatively be executed through RegSvr32. Finally, the graph will seek to obtain information from the environment and exfiltrate it to adversary infrastructure.\r\nSystem Binary Proxy Execution: Rundll32 (T1218.011): RunDll32 is a native system utility that can be used to execute DLL files and call a specific export inside the file. This scenario executes RunDll32 with an AttackIQ DLL and calls an export to mimic previously reported malicious activity.\r\nSystem Binary Proxy Execution: Regsvr32 (T1218.010): RegSvr32 is a native Windows utility that threat actors can use to register Component Object Model (COM) DLLs. This functionality allows an actor to deploy a malicious DLL and have a native Windows tool execute the code as the parent process. 
This scenario executes RegSvr32 with an AttackIQ binary.\r\nSystem Network Connections Discovery (T1049): The native Windows command line tool netstat is used to collect active connections and any listening services running on the host.\r\nLazarus Group – 2020-08 – Operation Dream Job (ClearSky)\r\nThis attack graph emulates the first iteration of Operation Dream Job, reported by ClearSky in August 2020. Operation Dream Job was a cyberattack carried out against multiple individuals worldwide from early 2020 to mid-2022. The actors used social media to phish victims in the defense sector and various government organizations, leveraging fake job offers from prominent defense and aerospace companies.\r\nThe attack graph begins with the downloading and saving of a malicious Office document, which obtains persistence through the Startup folder using a dropped LNK shortcut file. 
Subsequently, the DBLL Loader is downloaded and saved to the system and executed through RunDLL32 to complete the deployment of the final payload, known as DRATzarus.\r\nIn the last stage, after downloading and saving DRATzarus to the system, the attack graph recreates the communications captured between the malware sample and the adversary’s infrastructure, ending with the collection of the network connections available on the system and the retrieval of credentials from the browser through LaZagne.\r\nOS Credential Dumping (T1003): This scenario uses the open-source tool LaZagne to dump credentials available on the host, including saved browser passwords.\r\nLazarus Group – 2022-04 – Operation Dream Job (Symantec)\r\nThe next attack graph emulates the second iteration of the Dream Job operation, this time from activity reported by Symantec in April 2022.\r\nThe attack graph starts by downloading and saving a trojanized version of the ComparePlus plugin DLL, a Notepad++ plugin used to compare two files and show their differences side by side. 
After being executed via RunDLL32, the attack graph will seek to inject code into an active process.\r\nProcess Injection (T1055): This scenario injects a DLL file into another running process and validates whether a canary file can be created.\r\nSubsequently, it will attempt to perform lateral movement using Windows Management Instrumentation (WMI), continue by obtaining credentials from the registry or by dumping the SAM database, and finish by obtaining persistence through a scheduled task.\r\nWindows Management Instrumentation (T1047): This scenario uses wmic commands to execute commands on a remote target.\r\nUnsecured Credentials: Credentials in Registry (T1552.002): A PowerShell script is executed that searches for the DefaultPassword and AltDefaultPassword registry values, which contain hard-coded credentials.\r\nOS Credential Dumping: Security Account Manager (T1003.002): The built-in reg save command is executed to dump the Windows SAM hive.\r\nIn the last stage, the attack graph will try to obtain information about the active network connections and drop the actor’s tool known as SiteShooter. Finally, it will collect information about the infected environment, ending with the system network configuration.\r\nLazarus Group – 2021-01 – ThreatNeedle Campaign\r\nThe ThreatNeedle campaign, reported by Kaspersky, was a cyberattack against security researchers and the defense industry from mid-2020 to early 2021. During this attack, Lazarus made use of the malware family known as ThreatNeedle, which is based on the Manuscrypt family. 
The group leveraged COVID-19-themed emails, personalizing them with personal information obtained during an initial reconnaissance effort.\r\nThe attack graph begins with obtaining persistence through the Startup folder and immediately continues with the deployment of the ThreatNeedle Loader, which seeks to create a new service to load the ThreatNeedle backdoor.\r\nModify Registry (T1112): This scenario sets the same registry key used by the actor by calling the New-ItemProperty cmdlet.\r\nIn the last stage, the attack graph will seek to collect system information, obtain credentials, and move laterally through the victim network, ending with tunneling an SSH connection to external infrastructure.\r\nOS Credential Dumping (T1003): This scenario uses the open-source tool Mimikatz to dump all possible credentials available on the host.\r\nSystem Service Discovery (T1007): Microsoft’s native sc utility is executed to query a list of all running services.\r\nProtocol Tunneling (T1572): This scenario tests the security controls responsible for blocking outbound SSH connections to external servers.\r\nLazarus Group – 2022-07 – MagicRAT + TigerRAT Campaign\r\nThe sixth and final attack graph seeks to emulate the activity reported by Cisco Talos in September 2022. During this activity, researchers observed the compromise of victims with a new Remote Access Trojan they named MagicRAT, delivered by exploiting publicly exposed VMware Horizon platforms. 
During this activity, Lazarus Group additionally used TigerRAT, a malware previously attributed to the Andariel adversary during Operation ByteTiger in September 2021.\r\nThis attack graph starts with the deployment of MagicRAT immediately after the exploitation of vulnerabilities present in VMware Horizon platforms. During this first stage, MagicRAT will seek to obtain persistence using a scheduled task or the Startup folder prior to checking in and registering with the actor’s infrastructure.\r\nIn the second stage of the attack, the actor runs some basic discovery commands before attempting to quickly exfiltrate some files of interest.\r\nExfiltration Over C2 Channel (T1041): Files are sent to an AttackIQ-controlled server using HTTP POST requests.\r\nIn the next stage, Lazarus Group uses a lightweight port scanner to obtain information about the open ports available on other systems located in the infected host’s local network. The actor continues to stage the data it discovers for delivery on the next check-in with the command-and-control server.\r\nNetwork Service Discovery (T1046): This scenario uses nmap to scan for hosts with ports 139, 389, 445, 636, and 3389 open, which identifies the hosts that are remotely accessible to the attacker.\r\nTigerRAT, a Remote Access Trojan (RAT) previously used during Operation ByteTiger and first reported by KrCERT, is deployed. 
This RAT will seek to obtain additional information from the environment.\r\nIn the final stages of the attack graph, the actor makes one final attempt to look for files of interest, checks for the existence of any additional connected drives, and collects data from removable media. All of the data collected during the attack is exfiltrated to the actor’s infrastructure.\r\nData from Removable Media (T1025): The native utility fsutil is used to identify any additional hard disks connected to the host. PowerShell is then used to iterate through every removable media device and harvest a list of files.\r\nDetection and Mitigation Opportunities\r\nWith so many different techniques being used by threat actors, it can be difficult to know which to prioritize for prevention and detection assessment. AttackIQ recommends first focusing on the following techniques emulated in our scenarios before moving on to the remaining techniques.\r\nThe attacks from the Lazarus Group are long, drawn-out campaigns that require the actor to collect data and infiltrate the victim over time. One of the best ways to limit the actor’s ability to live in your network is to scrutinize the persistence mechanisms used by the group.\r\n1. Windows Service (T1543.003)\r\nActors can create or modify Windows services to repeatedly execute malicious payloads as part of persistence. When Windows boots up, it starts programs or applications called services that perform background system functions.\r\n1a. Detection\r\nThe following rule can help identify when that persistence mechanism is being set:\r\nProcess Name == (cmd.exe OR powershell.exe)\r\nCommand Line CONTAINS (‘sc’ AND ‘create’ AND ‘start= “auto”’)\r\nThe process-name clause means the rule only fires when the shell’s own command line carries the sc invocation; an implant that starts sc.exe directly produces a process named sc.exe and is missed unless sc.exe is added to the process-name list.\r\n1b. 
Mitigation\r\nMITRE ATT\u0026CK has the following mitigation recommendations:\r\nM1047 – Audit\r\nM1040 – Behavior Prevention on Endpoint\r\nM1018 – User Account Management\r\n2. Scheduled Task/Job: Scheduled Task (T1053.005)\r\nAdversaries may abuse the Windows Task Scheduler to perform task scheduling for initial or recurring execution of malicious code. There are multiple ways to access the Task Scheduler in Windows. The schtasks utility can be run directly from the command line, or the Task Scheduler can be opened through the GUI within the Administrative Tools section of the Control Panel.\r\n2a. Detection\r\nWith an EDR or SIEM platform, you can detect the following commands being issued to schedule a malicious task:\r\nProcess Name = (“cmd.exe” OR “powershell.exe”)\r\nCommand Line CONTAINS (“schtasks” AND “/CREATE” AND (“cmd” OR “powershell”))\r\n2b. Mitigation\r\nMITRE ATT\u0026CK has the following mitigation recommendations:\r\nM1047 – Audit\r\nM1028 – Operating System Configuration\r\nM1026 – Privileged Account Management\r\nM1018 – User Account Management\r\n3. Startup Folder (T1547.001)\r\nEach user profile has its own Startup directory, and there is also an additional directory that applies to all users. Actors may place binaries and scripts here directly, or they can place shortcut LNK files that point to a file to be executed.\r\n3a. Detection\r\nWith an EDR or SIEM platform, you can identify processes originating from the Startup directory and later add exclusions for known legitimate processes specific to your environment.\r\nCommand Line CONTAINS (“StartUp”)\r\nMatch case-insensitively and on the folder path (Start Menu\\Programs\\Startup) rather than on the bare word, otherwise unrelated strings that merely contain “startup” will also match.\r\n
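The three detection rules above, implemented and run over a handful of process-creation events, as an added example that is not part of the original AttackIQ post. The events are constructed Sysmon-style records carrying an image path and a command line (the field names are an assumption, not a vendor schema); strict mode reproduces the rules as written, with the process name restricted to cmd.exe or powershell.exe, and loose mode shows what the same logic picks up once sc.exe or schtasks.exe is started directly by an implant and once start= auto is written with quotes:

```python
from typing import Callable, Dict, List

DQ = chr(34)  # the double-quote character, built this way so the block contains no literal quote marks

# Constructed Sysmon-style process-creation events (not real telemetry). Each has the image path
# of the created process and its command line, the two fields the rules above key on.
SAMPLE_EVENTS: List[dict] = [
    {'id': 1, 'image': 'C:\\Windows\\System32\\cmd.exe',
     'command_line': 'cmd.exe /c sc create SyncSvc binPath= C:\\Users\\Public\\sync.exe start= auto'},
    # sc.exe started directly by an implant: the process name is sc.exe, not a shell
    {'id': 2, 'image': 'C:\\Windows\\System32\\sc.exe',
     'command_line': 'sc create UpdSvc binPath= C:\\ProgramData\\upd.exe start= ' + DQ + 'auto' + DQ},
    {'id': 3, 'image': 'C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe',
     'command_line': 'powershell.exe -c schtasks /CREATE /SC ONLOGON /TN Updater /TR '
                     + DQ + 'cmd /c C:\\Users\\Public\\u.bat' + DQ},
    # schtasks.exe started directly, with a task action that is a plain binary rather than a shell
    {'id': 4, 'image': 'C:\\Windows\\System32\\schtasks.exe',
     'command_line': 'schtasks.exe /Create /SC ONLOGON /TN Sync /TR C:\\ProgramData\\ncv.exe'},
    {'id': 5, 'image': 'C:\\Users\\alice\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\update.exe',
     'command_line': DQ + 'C:\\Users\\alice\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\update.exe' + DQ},
    {'id': 6, 'image': 'C:\\Windows\\System32\\cmd.exe', 'command_line': 'cmd.exe /c dir C:\\Users'},
    # benign process whose flag happens to contain the substring startup
    {'id': 7, 'image': 'C:\\Program Files\\App\\app.exe', 'command_line': 'app.exe --startupinfo'},
]


def is_exe(token: str, stem: str) -> bool:
    # True for a bare name (sc, sc.exe) or a full path ending in the executable name; token is lower-case.
    t = token.replace('\\', '/')
    return t in (stem, stem + '.exe') or t.endswith('/' + stem + '.exe')


def is_shell(image: str) -> bool:
    return any(is_exe(image.lower(), s) for s in ('cmd', 'powershell', 'pwsh'))


def tokens(command_line: str) -> List[str]:
    # Lower-case, drop double quotes so start= "auto" and start= auto compare equal, and make
    # sure start= and auto become separate tokens even when written as start=auto.
    return command_line.lower().replace(DQ, '').replace('=', '= ').split()


def rule_windows_service(ev: dict, strict: bool) -> bool:
    # T1543.003: sc AND create AND start= auto. Strict mode keeps the Process Name clause
    # (cmd.exe or powershell.exe); loose mode drops it so sc.exe run directly is seen too.
    if strict and not is_shell(ev['image']):
        return False
    toks = tokens(ev['command_line'])
    if not any(is_exe(t, 'sc') for t in toks) or 'create' not in toks or 'start=' not in toks:
        return False
    i = toks.index('start=')
    return i + 1 < len(toks) and toks[i + 1] in ('auto', 'delayed-auto')


def rule_scheduled_task(ev: dict, strict: bool) -> bool:
    # T1053.005: schtasks AND /CREATE AND (cmd OR powershell). Combined with the Process Name clause,
    # the cmd/powershell clause is always satisfied by the shell's own name, so strict mode really
    # means a shell ran schtasks /create. Loose mode flags any schtasks /create, which also catches a
    # task whose action is rundll32, regsvr32 or an arbitrary binary, at the cost of more triage.
    toks = tokens(ev['command_line'])
    if not any(is_exe(t, 'schtasks') for t in toks) or '/create' not in toks:
        return False
    if strict:
        return is_shell(ev['image']) and any('cmd' in t or 'powershell' in t for t in toks)
    return True


def rule_startup_folder(ev: dict, strict: bool) -> bool:
    # T1547.001: the page's rule is Command Line CONTAINS StartUp. Matching the folder path (or its
    # shell:startup alias) in the image or command line, case-insensitively, avoids hits on unrelated
    # strings such as --startupinfo; strict and loose behave the same here.
    text = (ev['image'] + ' ' + ev['command_line']).lower().replace('\\', '/')
    return 'programs/startup/' in text or 'shell:startup' in text


RULES: Dict[str, Callable[[dict, bool], bool]] = {
    'T1543.003': rule_windows_service,
    'T1053.005': rule_scheduled_task,
    'T1547.001': rule_startup_folder,
}


def detect(events: List[dict], strict: bool = True) -> Dict[int, List[str]]:
    # Returns {event id: [technique ids that fired]} so strict and loose output can be diffed.
    hits: Dict[int, List[str]] = {}
    for ev in events:
        fired = [tid for tid, rule in RULES.items() if rule(ev, strict)]
        if fired:
            hits[ev['id']] = fired
    return hits


if __name__ == '__main__':
    for mode in (True, False):
        print('strict' if mode else 'loose', detect(SAMPLE_EVENTS, strict=mode))
```

Running the block prints both result sets: the strict pass fires on events 1, 3 and 5 and misses events 2 and 4 (sc.exe and schtasks.exe launched without a shell), which is the gap to close before relying on these rules, while the Startup folder check matches the folder path rather than the bare substring so that event 7 does not fire it.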
3b. Mitigation\r\nMITRE ATT\u0026CK does not have any mitigation recommendations, as this is an abuse of system features. Auditing and process logging are the best options.\r\nWrap-up\r\nIn summary, these attack graphs will evaluate security and incident response processes and support the improvement of your security control posture against one of the most dangerous threat actors in the world today. With data generated from continuous testing and use of these attack graphs, you can focus your teams on achieving key security outcomes, adjust your security controls, and work to elevate your total security program effectiveness against a known and dangerous threat.\r\nAttackIQ stands at the ready to help security teams implement this attack graph and other aspects of the AttackIQ Security Optimization Platform, including through our co-managed security service, AttackIQ Vanguard.\r\nSource: https://www.attackiq.com/2023/01/05/emulating-the-highly-sophisticated-north-korean-adversary-lazarus-group/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://www.attackiq.com/2023/01/05/emulating-the-highly-sophisticated-north-korean-adversary-lazarus-group/"
	],
	"report_names": [
		"emulating-the-highly-sophisticated-north-korean-adversary-lazarus-group"
	],
	"threat_actors": [
		{
			"id": "838f6ced-12a4-4893-991a-36d231d96efd",
			"created_at": "2022-10-25T15:50:23.347455Z",
			"updated_at": "2026-04-10T02:00:05.295717Z",
			"deleted_at": null,
			"main_name": "Andariel",
			"aliases": [
				"Andariel",
				"Silent Chollima",
				"PLUTONIUM",
				"Onyx Sleet"
			],
			"source_name": "MITRE:Andariel",
			"tools": [
				"Rifdoor",
				"gh0st RAT"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "6f30fd35-b1c9-43c4-9137-2f61cd5f031e",
			"created_at": "2025-08-07T02:03:25.082908Z",
			"updated_at": "2026-04-10T02:00:03.744649Z",
			"deleted_at": null,
			"main_name": "NICKEL FOXCROFT",
			"aliases": [
				"APT37 ",
				"ATK4 ",
				"Group 123 ",
				"InkySquid ",
				"Moldy Pisces ",
				"Operation Daybreak ",
				"Operaton Erebus ",
				"RICOCHET CHOLLIMA ",
				"Reaper ",
				"ScarCruft ",
				"TA-RedAnt ",
				"Venus 121 "
			],
			"source_name": "Secureworks:NICKEL FOXCROFT",
			"tools": [
				"Bluelight",
				"Chinotto",
				"GOLDBACKDOOR",
				"KevDroid",
				"KoSpy",
				"PoorWeb",
				"ROKRAT",
				"final1stpy"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "34eea331-d052-4096-ae03-a22f1d090bd4",
			"created_at": "2025-08-07T02:03:25.073494Z",
			"updated_at": "2026-04-10T02:00:03.709243Z",
			"deleted_at": null,
			"main_name": "NICKEL ACADEMY",
			"aliases": [
				"ATK3 ",
				"Black Artemis ",
				"COVELLITE ",
				"CTG-2460 ",
				"Citrine Sleet ",
				"Diamond Sleet ",
				"Guardians of Peace",
				"HIDDEN COBRA ",
				"High Anonymous",
				"Labyrinth Chollima ",
				"Lazarus Group ",
				"NNPT Group",
				"New Romanic Cyber Army Team",
				"Temp.Hermit ",
				"UNC577 ",
				"Who Am I?",
				"Whois Team",
				"ZINC "
			],
			"source_name": "Secureworks:NICKEL ACADEMY",
			"tools": [
				"Destover",
				"KorHigh",
				"Volgmer"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "a13b5ca4-fb52-44a9-aa5a-595eca6789ed",
			"created_at": "2022-10-25T15:50:23.4331Z",
			"updated_at": "2026-04-10T02:00:05.381716Z",
			"deleted_at": null,
			"main_name": "Sharpshooter",
			"aliases": [
				"Sharpshooter"
			],
			"source_name": "MITRE:Sharpshooter",
			"tools": [
				"Rising Sun"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "110e7160-a8cc-4a66-8550-f19f7d418117",
			"created_at": "2023-01-06T13:46:38.427592Z",
			"updated_at": "2026-04-10T02:00:02.969896Z",
			"deleted_at": null,
			"main_name": "Silent Chollima",
			"aliases": [
				"Onyx Sleet",
				"PLUTONIUM",
				"OperationTroy",
				"Guardian of Peace",
				"GOP",
				"WHOis Team",
				"Andariel",
				"Subgroup: Andariel"
			],
			"source_name": "MISPGALAXY:Silent Chollima",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "bbe36874-34b7-4bfb-b38b-84a00b07042e",
			"created_at": "2022-10-25T15:50:23.375277Z",
			"updated_at": "2026-04-10T02:00:05.327922Z",
			"deleted_at": null,
			"main_name": "APT37",
			"aliases": [
				"APT37",
				"InkySquid",
				"ScarCruft",
				"Group123",
				"TEMP.Reaper",
				"Ricochet Chollima"
			],
			"source_name": "MITRE:APT37",
			"tools": [
				"BLUELIGHT",
				"CORALDECK",
				"KARAE",
				"SLOWDRIFT",
				"ROKRAT",
				"SHUTTERSPEED",
				"POORAIM",
				"HAPPYWORK",
				"Final1stspy",
				"Cobalt Strike",
				"NavRAT",
				"DOGCALL",
				"WINERACK"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "552ff939-52c3-421b-b6c9-749cbc21a794",
			"created_at": "2023-01-06T13:46:38.742547Z",
			"updated_at": "2026-04-10T02:00:03.08515Z",
			"deleted_at": null,
			"main_name": "APT37",
			"aliases": [
				"Operation Daybreak",
				"Red Eyes",
				"ScarCruft",
				"G0067",
				"Group123",
				"Reaper Group",
				"Ricochet Chollima",
				"ATK4",
				"APT 37",
				"Operation Erebus",
				"Moldy Pisces",
				"APT-C-28",
				"Group 123",
				"InkySquid",
				"Venus 121"
			],
			"source_name": "MISPGALAXY:APT37",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "191d7f9a-8c3c-442a-9f13-debe259d4cc2",
			"created_at": "2022-10-25T15:50:23.280374Z",
			"updated_at": "2026-04-10T02:00:05.305572Z",
			"deleted_at": null,
			"main_name": "Kimsuky",
			"aliases": [
				"Kimsuky",
				"Black Banshee",
				"Velvet Chollima",
				"Emerald Sleet",
				"THALLIUM",
				"APT43",
				"TA427",
				"Springtail"
			],
			"source_name": "MITRE:Kimsuky",
			"tools": [
				"Troll Stealer",
				"schtasks",
				"Amadey",
				"GoBear",
				"Brave Prince",
				"CSPY Downloader",
				"gh0st RAT",
				"AppleSeed",
				"Gomir",
				"NOKKI",
				"QuasarRAT",
				"Gold Dragon",
				"PsExec",
				"KGH_SPY",
				"Mimikatz",
				"BabyShark",
				"TRANSLATEXT"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "68cc6e37-f16d-4995-a75b-5e8e2a6cbb3d",
			"created_at": "2024-05-01T02:03:07.943593Z",
			"updated_at": "2026-04-10T02:00:03.795229Z",
			"deleted_at": null,
			"main_name": "BRONZE EDISON",
			"aliases": [
				"APT4 ",
				"DarkSeoul",
				"Maverick Panda ",
				"Salmon Typhoon ",
				"Sodium ",
				"Sykipot ",
				"TG-0623 ",
				"getkys"
			],
			"source_name": "Secureworks:BRONZE EDISON",
			"tools": [
				"Gh0st RAT",
				"Wkysol",
				"ZxPortMap"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "874ada20-4ca8-4997-9f2e-e3933742d09c",
			"created_at": "2023-01-06T13:46:38.857642Z",
			"updated_at": "2026-04-10T02:00:03.124075Z",
			"deleted_at": null,
			"main_name": "Operation Sharpshooter",
			"aliases": [],
			"source_name": "MISPGALAXY:Operation Sharpshooter",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "bc6e3644-3249-44f3-a277-354b7966dd1b",
			"created_at": "2022-10-25T16:07:23.760559Z",
			"updated_at": "2026-04-10T02:00:04.741239Z",
			"deleted_at": null,
			"main_name": "Andariel",
			"aliases": [
				"APT 45",
				"Andariel",
				"G0138",
				"Jumpy Pisces",
				"Onyx Sleet",
				"Operation BLACKMINE",
				"Operation BLACKSHEEP/Phase 3.",
				"Operation Blacksmith",
				"Operation DESERTWOLF/Phase 3",
				"Operation GHOSTRAT",
				"Operation GoldenAxe",
				"Operation INITROY/Phase 1",
				"Operation INITROY/Phase 2",
				"Operation Mayday",
				"Operation VANXATM",
				"Operation XEDA",
				"Plutonium",
				"Silent Chollima",
				"Stonefly"
			],
			"source_name": "ETDA:Andariel",
			"tools": [],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "760f2827-1718-4eed-8234-4027c1346145",
			"created_at": "2023-01-06T13:46:38.670947Z",
			"updated_at": "2026-04-10T02:00:03.062424Z",
			"deleted_at": null,
			"main_name": "Kimsuky",
			"aliases": [
				"G0086",
				"Emerald Sleet",
				"THALLIUM",
				"Springtail",
				"Sparkling Pisces",
				"Thallium",
				"Operation Stolen Pencil",
				"APT43",
				"Velvet Chollima",
				"Black Banshee"
			],
			"source_name": "MISPGALAXY:Kimsuky",
			"tools": [
				"xrat",
				"QUASARRAT",
				"RDP Wrapper",
				"TightVNC",
				"BabyShark",
				"RevClient"
			],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "732597b1-40a8-474c-88cc-eb8a421c29f1",
			"created_at": "2025-08-07T02:03:25.087732Z",
			"updated_at": "2026-04-10T02:00:03.776007Z",
			"deleted_at": null,
			"main_name": "NICKEL GLADSTONE",
			"aliases": [
				"APT38 ",
				"ATK 117 ",
				"Alluring Pisces ",
				"Black Alicanto ",
				"Bluenoroff ",
				"CTG-6459 ",
				"Citrine Sleet ",
				"HIDDEN COBRA ",
				"Lazarus Group",
				"Sapphire Sleet ",
				"Selective Pisces ",
				"Stardust Chollima ",
				"T-APT-15 ",
				"TA444 ",
				"TAG-71 "
			],
			"source_name": "Secureworks:NICKEL GLADSTONE",
			"tools": [
				"AlphaNC",
				"Bankshot",
				"CCGC_Proxy",
				"Ratankba",
				"RustBucket",
				"SUGARLOADER",
				"SwiftLoader",
				"Wcry"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "c8bf82a7-6887-4d46-ad70-4498b67d4c1d",
			"created_at": "2025-08-07T02:03:25.101147Z",
			"updated_at": "2026-04-10T02:00:03.846812Z",
			"deleted_at": null,
			"main_name": "NICKEL KIMBALL",
			"aliases": [
				"APT43 ",
				"ARCHIPELAGO ",
				"Black Banshee ",
				"Crooked Pisces ",
				"Emerald Sleet ",
				"ITG16 ",
				"Kimsuky ",
				"Larva-24005 ",
				"Opal Sleet ",
				"Ruby Sleet ",
				"SharpTongue ",
				"Sparking Pisces ",
				"Springtail ",
				"TA406 ",
				"TA427 ",
				"THALLIUM ",
				"UAT-5394 ",
				"Velvet Chollima "
			],
			"source_name": "Secureworks:NICKEL KIMBALL",
			"tools": [
				"BabyShark",
				"FastFire",
				"FastSpy",
				"FireViewer",
				"Konni"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "a2b92056-9378-4749-926b-7e10c4500dac",
			"created_at": "2023-01-06T13:46:38.430595Z",
			"updated_at": "2026-04-10T02:00:02.971571Z",
			"deleted_at": null,
			"main_name": "Lazarus Group",
			"aliases": [
				"Operation DarkSeoul",
				"Bureau 121",
				"Group 77",
				"APT38",
				"NICKEL GLADSTONE",
				"G0082",
				"COPERNICIUM",
				"Moonstone Sleet",
				"Operation GhostSecret",
				"APT 38",
				"Appleworm",
				"Unit 121",
				"ATK3",
				"G0032",
				"ATK117",
				"NewRomanic Cyber Army Team",
				"Nickel Academy",
				"Sapphire Sleet",
				"Lazarus group",
				"Hastati Group",
				"Subgroup: Bluenoroff",
				"Operation Troy",
				"Black Artemis",
				"Dark Seoul",
				"Andariel",
				"Labyrinth Chollima",
				"Operation AppleJeus",
				"COVELLITE",
				"Citrine Sleet",
				"DEV-0139",
				"DEV-1222",
				"Hidden Cobra",
				"Bluenoroff",
				"Stardust Chollima",
				"Whois Hacking Team",
				"Diamond Sleet",
				"TA404",
				"BeagleBoyz",
				"APT-C-26"
			],
			"source_name": "MISPGALAXY:Lazarus Group",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "771d9263-076e-4b6e-bd58-92b6555eb739",
			"created_at": "2025-08-07T02:03:25.092436Z",
			"updated_at": "2026-04-10T02:00:03.758541Z",
			"deleted_at": null,
			"main_name": "NICKEL HYATT",
			"aliases": [
				"APT45 ",
				"Andariel",
				"Dark Seoul",
				"Jumpy Pisces ",
				"Onyx Sleet ",
				"RIFLE Campaign",
				"Silent Chollima ",
				"Stonefly ",
				"UN614 "
			],
			"source_name": "Secureworks:NICKEL HYATT",
			"tools": [
				"ActiveX 0-day",
				"DTrack",
				"HazyLoad",
				"HotCriossant",
				"Rifle",
				"UnitBot",
				"Valefor"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "32a223a8-3c79-4146-87c5-8557d38662ae",
			"created_at": "2022-10-25T15:50:23.703698Z",
			"updated_at": "2026-04-10T02:00:05.261989Z",
			"deleted_at": null,
			"main_name": "Lazarus Group",
			"aliases": [
				"Lazarus Group",
				"Labyrinth Chollima",
				"HIDDEN COBRA",
				"Guardians of Peace",
				"NICKEL ACADEMY",
				"Diamond Sleet"
			],
			"source_name": "MITRE:Lazarus Group",
			"tools": [
				"RawDisk",
				"Proxysvc",
				"BADCALL",
				"FALLCHILL",
				"WannaCry",
				"MagicRAT",
				"HOPLIGHT",
				"TYPEFRAME",
				"Dtrack",
				"HotCroissant",
				"HARDRAIN",
				"Dacls",
				"KEYMARBLE",
				"TAINTEDSCRIBE",
				"AuditCred",
				"netsh",
				"ECCENTRICBANDWAGON",
				"AppleJeus",
				"BLINDINGCAN",
				"ThreatNeedle",
				"Volgmer",
				"Cryptoistic",
				"RATANKBA",
				"Bankshot"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "f426f0a0-faef-4c0e-bcf8-88974116c9d0",
			"created_at": "2022-10-25T15:50:23.240383Z",
			"updated_at": "2026-04-10T02:00:05.299433Z",
			"deleted_at": null,
			"main_name": "APT38",
			"aliases": [
				"APT38",
				"NICKEL GLADSTONE",
				"BeagleBoyz",
				"Bluenoroff",
				"Stardust Chollima",
				"Sapphire Sleet",
				"COPERNICIUM"
			],
			"source_name": "MITRE:APT38",
			"tools": [
				"ECCENTRICBANDWAGON",
				"HOPLIGHT",
				"Mimikatz",
				"KillDisk",
				"DarkComet"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "1bdb91cf-f1a6-4bed-8cfa-c7ea1b635ebd",
			"created_at": "2022-10-25T16:07:23.766784Z",
			"updated_at": "2026-04-10T02:00:04.7432Z",
			"deleted_at": null,
			"main_name": "Bluenoroff",
			"aliases": [
				"APT 38",
				"ATK 117",
				"Alluring Pisces",
				"Black Alicanto",
				"Bluenoroff",
				"CTG-6459",
				"Copernicium",
				"G0082",
				"Nickel Gladstone",
				"Sapphire Sleet",
				"Selective Pisces",
				"Stardust Chollima",
				"T-APT-15",
				"TA444",
				"TAG-71",
				"TEMP.Hermit"
			],
			"source_name": "ETDA:Bluenoroff",
			"tools": [],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "71a1e16c-3ba6-4193-be62-be53527817bc",
			"created_at": "2022-10-25T16:07:23.753455Z",
			"updated_at": "2026-04-10T02:00:04.73769Z",
			"deleted_at": null,
			"main_name": "Kimsuky",
			"aliases": [
				"APT 43",
				"Black Banshee",
				"Emerald Sleet",
				"G0086",
				"G0094",
				"ITG16",
				"KTA082",
				"Kimsuky",
				"Larva-24005",
				"Larva-25004",
				"Operation Baby Coin",
				"Operation Covert Stalker",
				"Operation DEEP#DRIVE",
				"Operation DEEP#GOSU",
				"Operation Kabar Cobra",
				"Operation Mystery Baby",
				"Operation Red Salt",
				"Operation Smoke Screen",
				"Operation Stealth Power",
				"Operation Stolen Pencil",
				"SharpTongue",
				"Sparkling Pisces",
				"Springtail",
				"TA406",
				"TA427",
				"Thallium",
				"UAT-5394",
				"Velvet Chollima"
			],
			"source_name": "ETDA:Kimsuky",
			"tools": [
				"AngryRebel",
				"AppleSeed",
				"BITTERSWEET",
				"BabyShark",
				"BoBoStealer",
				"CSPY Downloader",
				"Farfli",
				"FlowerPower",
				"Gh0st RAT",
				"Ghost RAT",
				"Gold Dragon",
				"GoldDragon",
				"GoldStamp",
				"JamBog",
				"KGH Spyware Suite",
				"KGH_SPY",
				"KPortScan",
				"KimJongRAT",
				"Kimsuky",
				"LATEOP",
				"LOLBAS",
				"LOLBins",
				"Living off the Land",
				"Lovexxx",
				"MailPassView",
				"Mechanical",
				"Mimikatz",
				"MoonPeak",
				"Moudour",
				"MyDogs",
				"Mydoor",
				"Network Password Recovery",
				"PCRat",
				"ProcDump",
				"PsExec",
				"ReconShark",
				"Remote Desktop PassView",
				"SHARPEXT",
				"SWEETDROP",
				"SmallTiger",
				"SniffPass",
				"TODDLERSHARK",
				"TRANSLATEXT",
				"Troll Stealer",
				"TrollAgent",
				"VENOMBITE",
				"WebBrowserPassView",
				"xRAT"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "f32df445-9fb4-4234-99e0-3561f6498e4e",
			"created_at": "2022-10-25T16:07:23.756373Z",
			"updated_at": "2026-04-10T02:00:04.739611Z",
			"deleted_at": null,
			"main_name": "Lazarus Group",
			"aliases": [
				"APT-C-26",
				"ATK 3",
				"Appleworm",
				"Citrine Sleet",
				"DEV-0139",
				"Diamond Sleet",
				"G0032",
				"Gleaming Pisces",
				"Gods Apostles",
				"Gods Disciples",
				"Group 77",
				"Guardians of Peace",
				"Hastati Group",
				"Hidden Cobra",
				"ITG03",
				"Jade Sleet",
				"Labyrinth Chollima",
				"Lazarus Group",
				"NewRomanic Cyber Army Team",
				"Operation 99",
				"Operation AppleJeus",
				"Operation AppleJeus sequel",
				"Operation Blockbuster: Breach of Sony Pictures Entertainment",
				"Operation CryptoCore",
				"Operation Dream Job",
				"Operation Dream Magic",
				"Operation Flame",
				"Operation GhostSecret",
				"Operation In(ter)caption",
				"Operation LolZarus",
				"Operation Marstech Mayhem",
				"Operation No Pineapple!",
				"Operation North Star",
				"Operation Phantom Circuit",
				"Operation Sharpshooter",
				"Operation SyncHole",
				"Operation Ten Days of Rain / DarkSeoul",
				"Operation Troy",
				"SectorA01",
				"Slow Pisces",
				"TA404",
				"TraderTraitor",
				"UNC2970",
				"UNC4034",
				"UNC4736",
				"UNC4899",
				"UNC577",
				"Whois Hacking Team"
			],
			"source_name": "ETDA:Lazarus Group",
			"tools": [
				"3CX Backdoor",
				"3Rat Client",
				"3proxy",
				"AIRDRY",
				"ARTFULPIE",
				"ATMDtrack",
				"AlphaNC",
				"Alreay",
				"Andaratm",
				"AngryRebel",
				"AppleJeus",
				"Aryan",
				"AuditCred",
				"BADCALL",
				"BISTROMATH",
				"BLINDINGCAN",
				"BTC Changer",
				"BUFFETLINE",
				"BanSwift",
				"Bankshot",
				"Bitrep",
				"Bitsran",
				"BlindToad",
				"Bookcode",
				"BootWreck",
				"BottomLoader",
				"Brambul",
				"BravoNC",
				"Breut",
				"COLDCAT",
				"COPPERHEDGE",
				"CROWDEDFLOUNDER",
				"Castov",
				"CheeseTray",
				"CleanToad",
				"ClientTraficForwarder",
				"CollectionRAT",
				"Concealment Troy",
				"Contopee",
				"CookieTime",
				"Cyruslish",
				"DAVESHELL",
				"DBLL Dropper",
				"DLRAT",
				"DRATzarus",
				"DRATzarus RAT",
				"Dacls",
				"Dacls RAT",
				"DarkComet",
				"DarkKomet",
				"DeltaCharlie",
				"DeltaNC",
				"Dembr",
				"Destover",
				"DoublePulsar",
				"Dozer",
				"Dtrack",
				"Duuzer",
				"DyePack",
				"ECCENTRICBANDWAGON",
				"ELECTRICFISH",
				"Escad",
				"EternalBlue",
				"FALLCHILL",
				"FYNLOS",
				"FallChill RAT",
				"Farfli",
				"Fimlis",
				"FoggyBrass",
				"FudModule",
				"Fynloski",
				"Gh0st RAT",
				"Ghost RAT",
				"Gopuram",
				"HARDRAIN",
				"HIDDEN COBRA RAT/Worm",
				"HLOADER",
				"HOOKSHOT",
				"HOPLIGHT",
				"HOTCROISSANT",
				"HOTWAX",
				"HTTP Troy",
				"Hawup",
				"Hawup RAT",
				"Hermes",
				"HotCroissant",
				"HotelAlfa",
				"Hotwax",
				"HtDnDownLoader",
				"Http Dr0pper",
				"ICONICSTEALER",
				"Joanap",
				"Jokra",
				"KANDYKORN",
				"KEYMARBLE",
				"Kaos",
				"KillDisk",
				"KillMBR",
				"Koredos",
				"Krademok",
				"LIGHTSHIFT",
				"LIGHTSHOW",
				"LOLBAS",
				"LOLBins",
				"Lazarus",
				"LightlessCan",
				"Living off the Land",
				"MATA",
				"MBRkiller",
				"MagicRAT",
				"Manuscrypt",
				"Mimail",
				"Mimikatz",
				"Moudour",
				"Mydoom",
				"Mydoor",
				"Mytob",
				"NACHOCHEESE",
				"NachoCheese",
				"NestEgg",
				"NickelLoader",
				"NineRAT",
				"Novarg",
				"NukeSped",
				"OpBlockBuster",
				"PCRat",
				"PEBBLEDASH",
				"PLANKWALK",
				"POOLRAT",
				"PSLogger",
				"PhanDoor",
				"Plink",
				"PondRAT",
				"PowerBrace",
				"PowerRatankba",
				"PowerShell RAT",
				"PowerSpritz",
				"PowerTask",
				"Preft",
				"ProcDump",
				"Proxysvc",
				"PuTTY Link",
				"QUICKRIDE",
				"QUICKRIDE.POWER",
				"Quickcafe",
				"QuiteRAT",
				"R-C1",
				"ROptimizer",
				"Ratabanka",
				"RatabankaPOS",
				"Ratankba",
				"RatankbaPOS",
				"RawDisk",
				"RedShawl",
				"Rifdoor",
				"Rising Sun",
				"Romeo-CoreOne",
				"RomeoAlfa",
				"RomeoBravo",
				"RomeoCharlie",
				"RomeoCore",
				"RomeoDelta",
				"RomeoEcho",
				"RomeoFoxtrot",
				"RomeoGolf",
				"RomeoHotel",
				"RomeoMike",
				"RomeoNovember",
				"RomeoWhiskey",
				"Romeos",
				"RustBucket",
				"SHADYCAT",
				"SHARPKNOT",
				"SIGFLIP",
				"SIMPLESEA",
				"SLICKSHOES",
				"SORRYBRUTE",
				"SUDDENICON",
				"SUGARLOADER",
				"SheepRAT",
				"SierraAlfa",
				"SierraBravo",
				"SierraCharlie",
				"SierraJuliett-MikeOne",
				"SierraJuliett-MikeTwo",
				"SimpleTea",
				"SimplexTea",
				"SmallTiger",
				"Stunnel",
				"TAINTEDSCRIBE",
				"TAXHAUL",
				"TFlower",
				"TOUCHKEY",
				"TOUCHMOVE",
				"TOUCHSHIFT",
				"TOUCHSHOT",
				"TWOPENCE",
				"TYPEFRAME",
				"Tdrop",
				"Tdrop2",
				"ThreatNeedle",
				"Tiger RAT",
				"TigerRAT",
				"Trojan Manuscript",
				"Troy",
				"TroyRAT",
				"VEILEDSIGNAL",
				"VHD",
				"VHD Ransomware",
				"VIVACIOUSGIFT",
				"VSingle",
				"ValeforBeta",
				"Volgmer",
				"Vyveva",
				"W1_RAT",
				"Wana Decrypt0r",
				"WanaCry",
				"WanaCrypt",
				"WanaCrypt0r",
				"WannaCry",
				"WannaCrypt",
				"WannaCryptor",
				"WbBot",
				"Wcry",
				"Win32/KillDisk.NBB",
				"Win32/KillDisk.NBC",
				"Win32/KillDisk.NBD",
				"Win32/KillDisk.NBH",
				"Win32/KillDisk.NBI",
				"WinorDLL64",
				"Winsec",
				"WolfRAT",
				"Wormhole",
				"YamaBot",
				"Yort",
				"ZetaNile",
				"concealment_troy",
				"http_troy",
				"httpdr0pper",
				"httpdropper",
				"klovbot",
				"sRDI"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434885,
	"ts_updated_at": 1775792300,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/f62b66f925f7fe8fea27e22142daf0de30c4f28a.pdf",
		"text": "https://archive.orkl.eu/f62b66f925f7fe8fea27e22142daf0de30c4f28a.txt",
		"img": "https://archive.orkl.eu/f62b66f925f7fe8fea27e22142daf0de30c4f28a.jpg"
	}
}