{
	"id": "996eaddc-ca5d-40c2-929f-69768bff6952",
	"created_at": "2026-04-06T00:18:59.325232Z",
	"updated_at": "2026-04-10T03:38:19.33571Z",
	"deleted_at": null,
	"sha1_hash": "f947718c75929c5f5807f0f778453ca1453464c6",
	"title": "Comrades in Arms? | North Korea Compromises Sanctioned Russian Missile Engineering Company",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1946570,
	"plain_text": "Comrades in Arms? | North Korea Compromises Sanctioned\r\nRussian Missile Engineering Company\r\nBy Tom Hegel\r\nPublished: 2023-08-07 · Archived: 2026-04-05 22:35:06 UTC\r\nBy Tom Hegel and Aleksandar Milenkoski \r\nExecutive Summary\r\nSentinelLABS identified an intrusion into the Russian defense industrial base, specifically a missile\r\nengineering organization NPO Mashinostroyeniya.\r\nOur findings identify two instances of North Korea related compromise of sensitive internal IT\r\ninfrastructure within this same Russian DIB organization, including a specific email server, alongside use\r\nof a Windows backdoor dubbed OpenCarrot.\r\nOur analysis attributes the email server compromise to the ScarCruft threat actor. We also identify the\r\nseparate use of a Lazarus Group backdoor for compromise of their internal network.\r\nAt this time, we cannot determine the potential nature of the relationship between the two threat actors. We\r\nacknowledge a potential sharing relationship between the two DPRK-affiliated threat actors as well as the\r\npossibility that tasking deemed this target important enough to assign to multiple independent threat actors.\r\nBackground\r\nNorth Korean threat actors have caught our attention over the past year, providing us with fruitful insight into a\r\nvariety of campaigns, such as new reconnaissance tools, (multiple) new supply chain intrusions, elusive multi-platform targeting, and new sly social engineering tactics. To add to that list, let’s take a look at an intrusion into\r\nwhat might be considered a highly desirable strategic espionage mission – supporting North Korea’s contentious\r\nmissile program.\r\nThe Target Organization\r\nWhile conducting our usual hunting and tracking of suspected-North Korean threat actors, we identified a leaked\r\nemail collection containing an implant with characteristics related to previously reported DPRK-affiliated threat\r\nactor campaigns. 
A thorough investigation of the email archive revealed a larger intrusion, not fully recognized at\r\nthe time by the compromised organization.\r\nThe victim organization is NPO Mashinostroyeniya (JSC MIC Mashinostroyenia, NPO Mash), a leading Russian\r\nmanufacturer of missiles and military spacecraft. The organization’s parent company is JSC Tactical Missiles\r\nCorporation KTRV (Russian: АО «Корпорация Тактическое Ракетное Вооружение», КТРВ). NPO\r\nMashinostroyeniya is a sanctioned entity that possesses highly confidential intellectual property on sensitive\r\nmissile technology currently in use and under development for the Russian military.\r\nhttps://www.sentinelone.com/labs/comrades-in-arms-north-korea-compromises-sanctioned-russian-missile-engineering-company/\r\nPage 1 of 9\n\nWe are highly confident that the emails related to this activity originate from the victim organization. Furthermore,\r\nthere are no discernible signs of manipulation or technically verifiable inaccuracies present in these emails. It’s\r\nessential to highlight that the leaked data comprises a substantial volume of emails unrelated to our current\r\nresearch scope. This suggests that the leak was likely accidental or resulted from activity unrelated to the specific\r\nintrusion under scrutiny in our investigation. However, this collection provides valuable background context for\r\nour understanding of their internal network design, security gaps, and even cases of activity by other attackers.\r\nExample of unrelated email alerts from Russian CERT to NPO Mash\r\nIn mid-May 2022, roughly a week prior to Russia vetoing a U.N. resolution to impose new sanctions on North\r\nKorea for intercontinental ballistic missile launches that could deliver nuclear weapons, the victim organization\r\ninternally flagged the intrusion. 
Internal NPO Mashinostroyeniya emails show IT staff exchanged discussions\r\nhighlighting questionable communications between specific processes and unknown external infrastructure. The\r\nsame day, the NPO Mashinostroyeniya staff also identified a suspicious DLL file present in different internal\r\nsystems. The month following the intrusion, NPO Mashinostroyeniya engaged with their AV solution’s support\r\nstaff to determine why this and other activity was not detected.\r\nFollowing an examination of the emails and an in-depth investigation into the two separate sets of suspicious\r\nactivity, we have successfully established a correlation between each cluster of activity and a respective threat\r\nactor amounting to a more significant network intrusion than the victim organization realized.\r\nNorth Korean Overlap\r\nDuring our investigation, we identified the suspicious file in question to be a version of the OpenCarrot Windows\r\nOS backdoor, previously identified by IBM XForce as part of Lazarus group activities. As a feature-rich,\r\nconfigurable, and versatile backdoor, the malware is a strong enabler of the group’s operations. With a wide range\r\nof supported functionality, OpenCarrot enables full compromise of infected machines, as well as the coordination\r\nof multiple infections across a local network. The OpenCarrot variant we analyzed supports proxying C2\r\ncommunication through the internal network hosts and directly to the external server, which supports the strong\r\npossibility of a network-wide compromise.\r\nAdditionally, we discovered the suspicious network traffic discussed in emails is the compromise of the business’\r\nLinux email server, hosted publicly at vpk.npomash[.]ru ( 185.24.244[.]11 ). 
At time of discovery, the email\r\nserver was beaconing outbound to infrastructure we now attribute to the ScarCruft threat actor. ScarCruft is\r\ncommonly attributed to North Korea’s state-sponsored activity, targeting high value individuals and organizations\r\nnear-globally. The group is also referred to as Inky Squid, APT37, or Group123, and often showcases a variety of\r\ntechnical capabilities for their intrusions. While we are unable to confirm the initial access method and implant\r\nrunning on the email server at time of discovery, we link malware loading tools and techniques involving this set\r\nof infrastructure to those seen in previously reported ScarCruft activity using the RokRAT backdoor.\r\nThis intrusion gives rare insight into sensitive DPRK cyberespionage campaigns, and an opportunity to expand\r\nour understanding of the relationship and goals between various North Korean cyber threat actors. It also\r\nhighlights a potential rift in relations between Russia and North Korea, considering their growing relationship.\r\nThis engagement establishes connections between two distinct DPRK-affiliated threat actors, suggesting the\r\npotential for shared resources, infrastructure, implants, or access to victim networks. Moreover, we acknowledge\r\nthe possibility that the assigned task of an intrusion into NPO Mashinostroyeniya might have warranted targeting\r\nby multiple autonomous threat actors due to its perceived significance.\r\nOpenCarrot Backdoor Activity\r\nThe OpenCarrot sample we analyzed is implemented as a Windows service DLL file, intended to execute in a\r\npersistent manner. In line with typical practices of the Lazarus group, OpenCarrot is subject to continuous, not\r\nnecessarily incremental, changes. The file has a compilation timestamp of Wednesday, Dec. 01, 2021. 
Although\r\nthe timestamp could have been manipulated by the threat actors, given the proximity to the May 2022 suspected\r\nintrusion date, it’s likely that the timestamp is authentic. Our confidence in this assessment also increases through\r\nthe infrastructure analysis below.\r\nThe OpenCarrot variant we analyzed implements over 25 backdoor commands with a wide range of functionality\r\nrepresentative of Lazarus group backdoors. In this case, supported functionality includes:\r\nReconnaissance: File and process attribute enumeration, scanning and ICMP-pinging hosts in IP ranges for\r\nopen TCP ports and availability.\r\nFilesystem and process manipulation: Process termination, DLL injection, and file deletion, renaming, and\r\ntimestomping.\r\nReconfiguration and connectivity: Managing C2 communications, including terminating existing and\r\nestablishing new comms channels, changing malware configuration data stored on the filesystem, and\r\nproxying network connections.\r\nThe OpenCarrot sample displays further characteristics often seen among Lazarus Group malware.\r\nIts backdoor commands are indexed by consecutive integers, a common trait of Lazarus group malware. In\r\naddition to integer-indexed commands, the developers implement string-indexed sub-commands.\r\nBackdoor command indexing\r\nKeeping with their typical mode of operations, the malware is intended to execute as a Windows service and\r\nexports the ServiceMain function.\r\nOpenCarrot implements executable code in a section named .vlizer indicating the use of code virtualization for\r\nobfuscation. The .vlizer section is associated with the Oreans Code Virtualizer code protection platform, a\r\nfunctional subset of Themida. 
As previously observed in Themida-protected Lazarus group malware, some code\r\nsegments of the OpenCarrot variant we analyzed are not protected.\r\nAs part of its initialization process, OpenCarrot ingests configuration data from a file whose name is composed of\r\nthe service name in whose context the malware executes and the dll.mui extension. The configuration data\r\ncontains encryption-protected C2 information. The use of configuration files with the dll.mui extension is a\r\nlong-standing theme among Lazarus group malware, mimicking a lesser-known standard Windows file extension\r\nused to denote application resources and externalities.\r\nOpenCarrot implements relatively long sleep time periods. To avoid remaining idle for too long whenever the user\r\nof the infected machine is active, OpenCarrot implements a mechanism to exit its sleep state earlier than\r\ninstructed. If the malware is instructed to sleep for 15 seconds or more, it then monitors in 15 second intervals for\r\nthe insertion of new drives, such as USBs. If such an event occurs, the malware exits its sleep state before the\r\nconfigured sleep time elapses. A variant of this technique has been previously observed in the Pebbledash\r\nmalware.\r\nDisk drive monitoring\r\nOpenCarrot’s versatility is evident with its support of multiple methods for communicating with C2 servers. The\r\nmalware dispatches commands for execution based on attacker-provided data originating not only from remote C2\r\nservers, but also from local processes through named pipes and incoming connections to a TCP port on which\r\nOpenCarrot listens.\r\nInfrastructure Analysis\r\nNorth Korean-nexus threat actors are known for not maintaining the OPSEC of their campaigns. 
A\r\ncharacteristic lack of segmentation allows researchers to amass unique insights across a variety of unreported\r\nactivity. Infrastructure connections in particular often allow us to track the evolution of their campaigns over long\r\nperiods of time.\r\nWe link the NPO Mashinostroyeniya email discussing suspicious networking communication to active C2\r\ncommunications occurring through 192.169.7[.]197 and 5.134.119[.]142 . The internal host, the\r\norganization’s Red Hat email server, was actively compromised and in communication with the attackers’\r\nmalicious infrastructure. A review of all details concludes the threat actor was likely operating on this server for an\r\nextensive period of time prior to the internal team’s discovery.\r\nEmail between NPO Mash Employees sharing beaconing process details\r\nThis set of malicious infrastructure was served via CrownCloud (Australia) and OhzCloud (Spain) VPS hosting\r\nproviders. During the intrusion, the two domains centos-packages[.]com and redhat-packages[.]com were\r\nresolving to those C2 IP addresses. Our assessment is that this particular cluster of infrastructure became active in\r\nNovember 2021, and was immediately paused the same day of NPO Mashinostroyeniya’s intrusion discovery in\r\nMay 2022. This finding may indicate the intrusion was high priority and closely monitored by the operators.\r\nInfrastructure and Timeline\r\nA relationship can be observed between this cluster of activity and a more recent ScarCruft campaign. 
After\r\nthe intrusion operators immediately killed their C2 server when the victim identified the suspicious traffic\r\nin May 2022, use of the centos-packages[.]com domain was paused until it began resolving to 160.202.79[.]226\r\nin February 2023. 160.202.79[.]226 is a QuickPacket VPS (US) hosting IP also being shared with the domain\r\ndallynk[.]com and others used by ScarCruft for malware delivery and C2 initiated through malicious\r\ndocuments.\r\nFurther, the domain dallynk[.]com follows the theme we’ve previously reported in which DPRK-associated\r\nthreat actors impersonate Daily NK, a prominent South Korean online news outlet that provides independent\r\nreporting on North Korea.\r\nThe collection of activity stemming from the dallynk[.]com domain contains malware loading tools and\r\ntechniques matching those seen in previously reported ScarCruft activity using the RokRAT backdoor. Similarities\r\nin server configuration history can also link to lower-confidence BlueNoroff relationships.\r\nInfrastructure ScarCruft Link\r\nWhile conducting this research, we first publicly identified the link between the JumpCloud intrusion and North\r\nKorean threat actors. One detail that immediately struck us was the domain theme similarities, such as centos-pkg[.]org / centos-repos[.]org (JumpCloud), and centos-packages[.]com (NPO Mash). This detail is\r\nsuperficial and not strong enough on its own to support direct clustering, but alongside other aforementioned North\r\nKorean threat actor connections, it stokes our curiosity for the particulars of the threat actors’ infrastructure\r\ncreation and management procedures.\r\nLastly, we advise particular care in how this infrastructure is further attributed when reviewed historically. 
For\r\nexample, the C2 server IP address 192.169.7[.]197 was used between January and May 2022 by the DPRK\r\nlinked threat actor; however, that same IP was used by the Arid Viper/Desert Falcon APT in 2020, first reported by\r\nMeta Threat Investigators. Arid Viper is associated with Palestinian interests, conducting activity throughout the\r\nMiddle East. We assess the Arid Viper activity is unrelated to our findings and the overlap of infrastructure is\r\nsimply an example of commonly reused dubious VPS hosting providers. This further highlights the importance of\r\nassociating active timeframes with IP-based indicators.\r\nConclusion\r\nWith a high level of confidence, we attribute this intrusion to threat actors independently associated with North\r\nKorea. Based on our assessment, this incident stands as a compelling illustration of North Korea’s proactive\r\nmeasures to covertly advance their missile development objectives, as evidenced by their direct compromise of a\r\nRussian Defense-Industrial Base (DIB) organization.\r\nThe convergence of North Korean cyber threat actors represents a profoundly consequential menace warranting\r\ncomprehensive global monitoring. Operating in unison as a cohesive cluster, these actors consistently undertake a\r\ndiverse range of campaigns motivated by various factors. 
In light of these findings, it becomes crucial to address\r\nand mitigate this threat with utmost vigilance and strategic response.\r\nIndicators\r\nMD5:\r\n9216198a2ebc14dd68386738c1c59792\r\n6ad6232bcf4cef9bf40cbcae8ed2f985\r\nd0f6cf0d54cf77e957bce6dfbbd34d8e\r\n921aa3783644750890b9d30843253ec6\r\n99fd2e013b3fba1d03a574a24a735a82\r\n0b7dad90ecc731523e2eb7d682063a49\r\n516beb7da7f2a8b85cb170570545da4b\r\nSHA1:\r\n07b494575d548a83f0812ceba6b8d567c7ec86ed\r\n2217c29e5d5ccfcf58d2b6d9f5e250b687948440\r\n246018220a4f4f3d20262b7333caf323e1c77d2e\r\n8b6ffa56ca5bea5b406d6d8d6ef532b4d36d090f\r\n90f52b6d077d508a23214047e680dded320ccf4e\r\nf483c33acf0f2957da14ed422377387d6cb93c4d\r\nf974d22f74b0a105668c72dc100d1d9fcc8c72de\r\nDomains:\r\nredhat-packages[.]com\r\ncentos-packages[.]com\r\ndallynk[.]com\r\nyolenny[.]com\r\n606qipai[.]com\r\nasplinc[.]com\r\nbsef.or[.]kr\r\nIP addresses:\r\n192.169.7[.]197\r\n160.202.79[.]226\r\n96.9.255[.]150\r\n5.134.119[.]142\r\nSource: https://www.sentinelone.com/labs/comrades-in-arms-north-korea-compromises-sanctioned-russian-missile-engineering-company/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA",
		"Malpedia"
	],
	"references": [
		"https://www.sentinelone.com/labs/comrades-in-arms-north-korea-compromises-sanctioned-russian-missile-engineering-company/"
	],
	"report_names": [
		"comrades-in-arms-north-korea-compromises-sanctioned-russian-missile-engineering-company"
	],
	"threat_actors": [
		{
			"id": "6f30fd35-b1c9-43c4-9137-2f61cd5f031e",
			"created_at": "2025-08-07T02:03:25.082908Z",
			"updated_at": "2026-04-10T02:00:03.744649Z",
			"deleted_at": null,
			"main_name": "NICKEL FOXCROFT",
			"aliases": [
				"APT37 ",
				"ATK4 ",
				"Group 123 ",
				"InkySquid ",
				"Moldy Pisces ",
				"Operation Daybreak ",
				"Operaton Erebus ",
				"RICOCHET CHOLLIMA ",
				"Reaper ",
				"ScarCruft ",
				"TA-RedAnt ",
				"Venus 121 "
			],
			"source_name": "Secureworks:NICKEL FOXCROFT",
			"tools": [
				"Bluelight",
				"Chinotto",
				"GOLDBACKDOOR",
				"KevDroid",
				"KoSpy",
				"PoorWeb",
				"ROKRAT",
				"final1stpy"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "34eea331-d052-4096-ae03-a22f1d090bd4",
			"created_at": "2025-08-07T02:03:25.073494Z",
			"updated_at": "2026-04-10T02:00:03.709243Z",
			"deleted_at": null,
			"main_name": "NICKEL ACADEMY",
			"aliases": [
				"ATK3 ",
				"Black Artemis ",
				"COVELLITE ",
				"CTG-2460 ",
				"Citrine Sleet ",
				"Diamond Sleet ",
				"Guardians of Peace",
				"HIDDEN COBRA ",
				"High Anonymous",
				"Labyrinth Chollima ",
				"Lazarus Group ",
				"NNPT Group",
				"New Romanic Cyber Army Team",
				"Temp.Hermit ",
				"UNC577 ",
				"Who Am I?",
				"Whois Team",
				"ZINC "
			],
			"source_name": "Secureworks:NICKEL ACADEMY",
			"tools": [
				"Destover",
				"KorHigh",
				"Volgmer"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "9ff60d4d-153b-4ed5-a2f7-18a21d2fa05d",
			"created_at": "2022-10-25T16:07:23.539852Z",
			"updated_at": "2026-04-10T02:00:04.647734Z",
			"deleted_at": null,
			"main_name": "Desert Falcons",
			"aliases": [
				"APT-C-23",
				"ATK 66",
				"Arid Viper",
				"Niobium",
				"Operation Arid Viper",
				"Operation Bearded Barbie",
				"Operation Rebound",
				"Pinstripe Lightning",
				"Renegade Jackal",
				"TAG-63",
				"TAG-CT1",
				"Two-tailed Scorpion"
			],
			"source_name": "ETDA:Desert Falcons",
			"tools": [
				"AridSpy",
				"Barb(ie) Downloader",
				"BarbWire",
				"Desert Scorpion",
				"FrozenCell",
				"GlanceLove",
				"GnatSpy",
				"KasperAgent",
				"Micropsia",
				"PyMICROPSIA",
				"SpyC23",
				"Viper RAT",
				"ViperRAT",
				"VolatileVenom",
				"WinkChat",
				"android.micropsia"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "bbe36874-34b7-4bfb-b38b-84a00b07042e",
			"created_at": "2022-10-25T15:50:23.375277Z",
			"updated_at": "2026-04-10T02:00:05.327922Z",
			"deleted_at": null,
			"main_name": "APT37",
			"aliases": [
				"APT37",
				"InkySquid",
				"ScarCruft",
				"Group123",
				"TEMP.Reaper",
				"Ricochet Chollima"
			],
			"source_name": "MITRE:APT37",
			"tools": [
				"BLUELIGHT",
				"CORALDECK",
				"KARAE",
				"SLOWDRIFT",
				"ROKRAT",
				"SHUTTERSPEED",
				"POORAIM",
				"HAPPYWORK",
				"Final1stspy",
				"Cobalt Strike",
				"NavRAT",
				"DOGCALL",
				"WINERACK"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "552ff939-52c3-421b-b6c9-749cbc21a794",
			"created_at": "2023-01-06T13:46:38.742547Z",
			"updated_at": "2026-04-10T02:00:03.08515Z",
			"deleted_at": null,
			"main_name": "APT37",
			"aliases": [
				"Operation Daybreak",
				"Red Eyes",
				"ScarCruft",
				"G0067",
				"Group123",
				"Reaper Group",
				"Ricochet Chollima",
				"ATK4",
				"APT 37",
				"Operation Erebus",
				"Moldy Pisces",
				"APT-C-28",
				"Group 123",
				"InkySquid",
				"Venus 121"
			],
			"source_name": "MISPGALAXY:APT37",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "b1979c55-037a-415f-b0a3-cab7933f5cd4",
			"created_at": "2024-04-24T02:00:49.561432Z",
			"updated_at": "2026-04-10T02:00:05.416794Z",
			"deleted_at": null,
			"main_name": "APT-C-23",
			"aliases": [
				"APT-C-23",
				"Arid Viper",
				"Desert Falcon",
				"TAG-63",
				"Grey Karkadann",
				"Big Bang APT",
				"Two-tailed Scorpion"
			],
			"source_name": "MITRE:APT-C-23",
			"tools": [
				"Micropsia"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "929d794b-0e1d-4d10-93a6-29408a527cc2",
			"created_at": "2023-01-06T13:46:38.70844Z",
			"updated_at": "2026-04-10T02:00:03.075002Z",
			"deleted_at": null,
			"main_name": "AridViper",
			"aliases": [
				"Desert Falcon",
				"Arid Viper",
				"APT-C-23",
				"Bearded Barbie",
				"Two-tailed Scorpion"
			],
			"source_name": "MISPGALAXY:AridViper",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "732597b1-40a8-474c-88cc-eb8a421c29f1",
			"created_at": "2025-08-07T02:03:25.087732Z",
			"updated_at": "2026-04-10T02:00:03.776007Z",
			"deleted_at": null,
			"main_name": "NICKEL GLADSTONE",
			"aliases": [
				"APT38 ",
				"ATK 117 ",
				"Alluring Pisces ",
				"Black Alicanto ",
				"Bluenoroff ",
				"CTG-6459 ",
				"Citrine Sleet ",
				"HIDDEN COBRA ",
				"Lazarus Group",
				"Sapphire Sleet ",
				"Selective Pisces ",
				"Stardust Chollima ",
				"T-APT-15 ",
				"TA444 ",
				"TAG-71 "
			],
			"source_name": "Secureworks:NICKEL GLADSTONE",
			"tools": [
				"AlphaNC",
				"Bankshot",
				"CCGC_Proxy",
				"Ratankba",
				"RustBucket",
				"SUGARLOADER",
				"SwiftLoader",
				"Wcry"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "e5cad6bf-fa91-4128-ba0d-2bf3ff3c6c6b",
			"created_at": "2025-08-07T02:03:24.53077Z",
			"updated_at": "2026-04-10T02:00:03.680525Z",
			"deleted_at": null,
			"main_name": "ALUMINUM SARATOGA",
			"aliases": [
				"APT-C-23",
				"Arid Viper",
				"Desert Falcon",
				"Extreme Jackal ",
				"Gaza Cybergang",
				"Molerats ",
				"Operation DustySky ",
				"TA402"
			],
			"source_name": "Secureworks:ALUMINUM SARATOGA",
			"tools": [
				"BlackShades",
				"BrittleBush",
				"DarkComet",
				"LastConn",
				"Micropsia",
				"NimbleMamba",
				"PoisonIvy",
				"QuasarRAT",
				"XtremeRat"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "35b3e533-7483-4f07-894e-2bb3ac855207",
			"created_at": "2025-08-07T02:03:24.540035Z",
			"updated_at": "2026-04-10T02:00:03.69627Z",
			"deleted_at": null,
			"main_name": "ALUMINUM SHADYSIDE",
			"aliases": [
				"APT-C-23 ",
				"Arid Viper ",
				"Desert Falcon "
			],
			"source_name": "Secureworks:ALUMINUM SHADYSIDE",
			"tools": [
				"Micropsia",
				"SpyC23"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "a2b92056-9378-4749-926b-7e10c4500dac",
			"created_at": "2023-01-06T13:46:38.430595Z",
			"updated_at": "2026-04-10T02:00:02.971571Z",
			"deleted_at": null,
			"main_name": "Lazarus Group",
			"aliases": [
				"Operation DarkSeoul",
				"Bureau 121",
				"Group 77",
				"APT38",
				"NICKEL GLADSTONE",
				"G0082",
				"COPERNICIUM",
				"Moonstone Sleet",
				"Operation GhostSecret",
				"APT 38",
				"Appleworm",
				"Unit 121",
				"ATK3",
				"G0032",
				"ATK117",
				"NewRomanic Cyber Army Team",
				"Nickel Academy",
				"Sapphire Sleet",
				"Lazarus group",
				"Hastati Group",
				"Subgroup: Bluenoroff",
				"Operation Troy",
				"Black Artemis",
				"Dark Seoul",
				"Andariel",
				"Labyrinth Chollima",
				"Operation AppleJeus",
				"COVELLITE",
				"Citrine Sleet",
				"DEV-0139",
				"DEV-1222",
				"Hidden Cobra",
				"Bluenoroff",
				"Stardust Chollima",
				"Whois Hacking Team",
				"Diamond Sleet",
				"TA404",
				"BeagleBoyz",
				"APT-C-26"
			],
			"source_name": "MISPGALAXY:Lazarus Group",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "32a223a8-3c79-4146-87c5-8557d38662ae",
			"created_at": "2022-10-25T15:50:23.703698Z",
			"updated_at": "2026-04-10T02:00:05.261989Z",
			"deleted_at": null,
			"main_name": "Lazarus Group",
			"aliases": [
				"Lazarus Group",
				"Labyrinth Chollima",
				"HIDDEN COBRA",
				"Guardians of Peace",
				"NICKEL ACADEMY",
				"Diamond Sleet"
			],
			"source_name": "MITRE:Lazarus Group",
			"tools": [
				"RawDisk",
				"Proxysvc",
				"BADCALL",
				"FALLCHILL",
				"WannaCry",
				"MagicRAT",
				"HOPLIGHT",
				"TYPEFRAME",
				"Dtrack",
				"HotCroissant",
				"HARDRAIN",
				"Dacls",
				"KEYMARBLE",
				"TAINTEDSCRIBE",
				"AuditCred",
				"netsh",
				"ECCENTRICBANDWAGON",
				"AppleJeus",
				"BLINDINGCAN",
				"ThreatNeedle",
				"Volgmer",
				"Cryptoistic",
				"RATANKBA",
				"Bankshot"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "f426f0a0-faef-4c0e-bcf8-88974116c9d0",
			"created_at": "2022-10-25T15:50:23.240383Z",
			"updated_at": "2026-04-10T02:00:05.299433Z",
			"deleted_at": null,
			"main_name": "APT38",
			"aliases": [
				"APT38",
				"NICKEL GLADSTONE",
				"BeagleBoyz",
				"Bluenoroff",
				"Stardust Chollima",
				"Sapphire Sleet",
				"COPERNICIUM"
			],
			"source_name": "MITRE:APT38",
			"tools": [
				"ECCENTRICBANDWAGON",
				"HOPLIGHT",
				"Mimikatz",
				"KillDisk",
				"DarkComet"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "1bdb91cf-f1a6-4bed-8cfa-c7ea1b635ebd",
			"created_at": "2022-10-25T16:07:23.766784Z",
			"updated_at": "2026-04-10T02:00:04.7432Z",
			"deleted_at": null,
			"main_name": "Bluenoroff",
			"aliases": [
				"APT 38",
				"ATK 117",
				"Alluring Pisces",
				"Black Alicanto",
				"Bluenoroff",
				"CTG-6459",
				"Copernicium",
				"G0082",
				"Nickel Gladstone",
				"Sapphire Sleet",
				"Selective Pisces",
				"Stardust Chollima",
				"T-APT-15",
				"TA444",
				"TAG-71",
				"TEMP.Hermit"
			],
			"source_name": "ETDA:Bluenoroff",
			"tools": [],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "9b02c527-5077-489e-9a80-5d88947fddab",
			"created_at": "2022-10-25T16:07:24.103499Z",
			"updated_at": "2026-04-10T02:00:04.867181Z",
			"deleted_at": null,
			"main_name": "Reaper",
			"aliases": [
				"APT 37",
				"ATK 4",
				"Cerium",
				"Crooked Pisces",
				"G0067",
				"Geumseong121",
				"Group 123",
				"ITG10",
				"InkySquid",
				"Moldy Pisces",
				"Opal Sleet",
				"Operation Are You Happy?",
				"Operation Battle Cruiser",
				"Operation Black Banner",
				"Operation Daybreak",
				"Operation Dragon messenger",
				"Operation Erebus",
				"Operation Evil New Year",
				"Operation Evil New Year 2018",
				"Operation Fractured Block",
				"Operation Fractured Statue",
				"Operation FreeMilk",
				"Operation Golden Bird",
				"Operation Golden Time",
				"Operation High Expert",
				"Operation Holiday Wiper",
				"Operation Korean Sword",
				"Operation North Korean Human Right",
				"Operation Onezero",
				"Operation Rocket Man",
				"Operation SHROUDED#SLEEP",
				"Operation STARK#MULE",
				"Operation STIFF#BIZON",
				"Operation Spy Cloud",
				"Operation Star Cruiser",
				"Operation ToyBox Story",
				"Osmium",
				"Red Eyes",
				"Ricochet Chollima",
				"Ruby Sleet",
				"ScarCruft",
				"TA-RedAnt",
				"TEMP.Reaper",
				"Venus 121"
			],
			"source_name": "ETDA:Reaper",
			"tools": [
				"Agentemis",
				"BLUELIGHT",
				"Backdoor.APT.POORAIM",
				"CARROTBALL",
				"CARROTBAT",
				"CORALDECK",
				"Cobalt Strike",
				"CobaltStrike",
				"DOGCALL",
				"Erebus",
				"Exploit.APT.RICECURRY",
				"Final1stSpy",
				"Freenki Loader",
				"GELCAPSULE",
				"GOLDBACKDOOR",
				"GreezeBackdoor",
				"HAPPYWORK",
				"JinhoSpy",
				"KARAE",
				"KevDroid",
				"Konni",
				"MILKDROP",
				"N1stAgent",
				"NavRAT",
				"Nokki",
				"Oceansalt",
				"POORAIM",
				"PoohMilk",
				"PoohMilk Loader",
				"RICECURRY",
				"RUHAPPY",
				"RokRAT",
				"SHUTTERSPEED",
				"SLOWDRIFT",
				"SOUNDWAVE",
				"SYSCON",
				"Sanny",
				"ScarCruft",
				"StarCruft",
				"Syscon",
				"VeilShell",
				"WINERACK",
				"ZUMKONG",
				"cobeacon"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "f32df445-9fb4-4234-99e0-3561f6498e4e",
			"created_at": "2022-10-25T16:07:23.756373Z",
			"updated_at": "2026-04-10T02:00:04.739611Z",
			"deleted_at": null,
			"main_name": "Lazarus Group",
			"aliases": [
				"APT-C-26",
				"ATK 3",
				"Appleworm",
				"Citrine Sleet",
				"DEV-0139",
				"Diamond Sleet",
				"G0032",
				"Gleaming Pisces",
				"Gods Apostles",
				"Gods Disciples",
				"Group 77",
				"Guardians of Peace",
				"Hastati Group",
				"Hidden Cobra",
				"ITG03",
				"Jade Sleet",
				"Labyrinth Chollima",
				"Lazarus Group",
				"NewRomanic Cyber Army Team",
				"Operation 99",
				"Operation AppleJeus",
				"Operation AppleJeus sequel",
				"Operation Blockbuster: Breach of Sony Pictures Entertainment",
				"Operation CryptoCore",
				"Operation Dream Job",
				"Operation Dream Magic",
				"Operation Flame",
				"Operation GhostSecret",
				"Operation In(ter)caption",
				"Operation LolZarus",
				"Operation Marstech Mayhem",
				"Operation No Pineapple!",
				"Operation North Star",
				"Operation Phantom Circuit",
				"Operation Sharpshooter",
				"Operation SyncHole",
				"Operation Ten Days of Rain / DarkSeoul",
				"Operation Troy",
				"SectorA01",
				"Slow Pisces",
				"TA404",
				"TraderTraitor",
				"UNC2970",
				"UNC4034",
				"UNC4736",
				"UNC4899",
				"UNC577",
				"Whois Hacking Team"
			],
			"source_name": "ETDA:Lazarus Group",
			"tools": [
				"3CX Backdoor",
				"3Rat Client",
				"3proxy",
				"AIRDRY",
				"ARTFULPIE",
				"ATMDtrack",
				"AlphaNC",
				"Alreay",
				"Andaratm",
				"AngryRebel",
				"AppleJeus",
				"Aryan",
				"AuditCred",
				"BADCALL",
				"BISTROMATH",
				"BLINDINGCAN",
				"BTC Changer",
				"BUFFETLINE",
				"BanSwift",
				"Bankshot",
				"Bitrep",
				"Bitsran",
				"BlindToad",
				"Bookcode",
				"BootWreck",
				"BottomLoader",
				"Brambul",
				"BravoNC",
				"Breut",
				"COLDCAT",
				"COPPERHEDGE",
				"CROWDEDFLOUNDER",
				"Castov",
				"CheeseTray",
				"CleanToad",
				"ClientTraficForwarder",
				"CollectionRAT",
				"Concealment Troy",
				"Contopee",
				"CookieTime",
				"Cyruslish",
				"DAVESHELL",
				"DBLL Dropper",
				"DLRAT",
				"DRATzarus",
				"DRATzarus RAT",
				"Dacls",
				"Dacls RAT",
				"DarkComet",
				"DarkKomet",
				"DeltaCharlie",
				"DeltaNC",
				"Dembr",
				"Destover",
				"DoublePulsar",
				"Dozer",
				"Dtrack",
				"Duuzer",
				"DyePack",
				"ECCENTRICBANDWAGON",
				"ELECTRICFISH",
				"Escad",
				"EternalBlue",
				"FALLCHILL",
				"FYNLOS",
				"FallChill RAT",
				"Farfli",
				"Fimlis",
				"FoggyBrass",
				"FudModule",
				"Fynloski",
				"Gh0st RAT",
				"Ghost RAT",
				"Gopuram",
				"HARDRAIN",
				"HIDDEN COBRA RAT/Worm",
				"HLOADER",
				"HOOKSHOT",
				"HOPLIGHT",
				"HOTCROISSANT",
				"HOTWAX",
				"HTTP Troy",
				"Hawup",
				"Hawup RAT",
				"Hermes",
				"HotCroissant",
				"HotelAlfa",
				"Hotwax",
				"HtDnDownLoader",
				"Http Dr0pper",
				"ICONICSTEALER",
				"Joanap",
				"Jokra",
				"KANDYKORN",
				"KEYMARBLE",
				"Kaos",
				"KillDisk",
				"KillMBR",
				"Koredos",
				"Krademok",
				"LIGHTSHIFT",
				"LIGHTSHOW",
				"LOLBAS",
				"LOLBins",
				"Lazarus",
				"LightlessCan",
				"Living off the Land",
				"MATA",
				"MBRkiller",
				"MagicRAT",
				"Manuscrypt",
				"Mimail",
				"Mimikatz",
				"Moudour",
				"Mydoom",
				"Mydoor",
				"Mytob",
				"NACHOCHEESE",
				"NachoCheese",
				"NestEgg",
				"NickelLoader",
				"NineRAT",
				"Novarg",
				"NukeSped",
				"OpBlockBuster",
				"PCRat",
				"PEBBLEDASH",
				"PLANKWALK",
				"POOLRAT",
				"PSLogger",
				"PhanDoor",
				"Plink",
				"PondRAT",
				"PowerBrace",
				"PowerRatankba",
				"PowerShell RAT",
				"PowerSpritz",
				"PowerTask",
				"Preft",
				"ProcDump",
				"Proxysvc",
				"PuTTY Link",
				"QUICKRIDE",
				"QUICKRIDE.POWER",
				"Quickcafe",
				"QuiteRAT",
				"R-C1",
				"ROptimizer",
				"Ratabanka",
				"RatabankaPOS",
				"Ratankba",
				"RatankbaPOS",
				"RawDisk",
				"RedShawl",
				"Rifdoor",
				"Rising Sun",
				"Romeo-CoreOne",
				"RomeoAlfa",
				"RomeoBravo",
				"RomeoCharlie",
				"RomeoCore",
				"RomeoDelta",
				"RomeoEcho",
				"RomeoFoxtrot",
				"RomeoGolf",
				"RomeoHotel",
				"RomeoMike",
				"RomeoNovember",
				"RomeoWhiskey",
				"Romeos",
				"RustBucket",
				"SHADYCAT",
				"SHARPKNOT",
				"SIGFLIP",
				"SIMPLESEA",
				"SLICKSHOES",
				"SORRYBRUTE",
				"SUDDENICON",
				"SUGARLOADER",
				"SheepRAT",
				"SierraAlfa",
				"SierraBravo",
				"SierraCharlie",
				"SierraJuliett-MikeOne",
				"SierraJuliett-MikeTwo",
				"SimpleTea",
				"SimplexTea",
				"SmallTiger",
				"Stunnel",
				"TAINTEDSCRIBE",
				"TAXHAUL",
				"TFlower",
				"TOUCHKEY",
				"TOUCHMOVE",
				"TOUCHSHIFT",
				"TOUCHSHOT",
				"TWOPENCE",
				"TYPEFRAME",
				"Tdrop",
				"Tdrop2",
				"ThreatNeedle",
				"Tiger RAT",
				"TigerRAT",
				"Trojan Manuscript",
				"Troy",
				"TroyRAT",
				"VEILEDSIGNAL",
				"VHD",
				"VHD Ransomware",
				"VIVACIOUSGIFT",
				"VSingle",
				"ValeforBeta",
				"Volgmer",
				"Vyveva",
				"W1_RAT",
				"Wana Decrypt0r",
				"WanaCry",
				"WanaCrypt",
				"WanaCrypt0r",
				"WannaCry",
				"WannaCrypt",
				"WannaCryptor",
				"WbBot",
				"Wcry",
				"Win32/KillDisk.NBB",
				"Win32/KillDisk.NBC",
				"Win32/KillDisk.NBD",
				"Win32/KillDisk.NBH",
				"Win32/KillDisk.NBI",
				"WinorDLL64",
				"Winsec",
				"WolfRAT",
				"Wormhole",
				"YamaBot",
				"Yort",
				"ZetaNile",
				"concealment_troy",
				"http_troy",
				"httpdr0pper",
				"httpdropper",
				"klovbot",
				"sRDI"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434739,
	"ts_updated_at": 1775792299,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/f947718c75929c5f5807f0f778453ca1453464c6.pdf",
		"text": "https://archive.orkl.eu/f947718c75929c5f5807f0f778453ca1453464c6.txt",
		"img": "https://archive.orkl.eu/f947718c75929c5f5807f0f778453ca1453464c6.jpg"
	}
}