{
	"id": "61d42b46-239f-4940-b39b-6f2c71257daf",
	"created_at": "2026-04-06T00:06:56.926514Z",
	"updated_at": "2026-04-10T03:38:20.364253Z",
	"deleted_at": null,
	"sha1_hash": "f9e6d49b1bfeabe0091f770fd799657a4bd73157",
	"title": "Lazarus Group, Hidden Cobra, Labyrinth Chollima",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 240361,
	"plain_text": "Lazarus Group, Hidden Cobra, Labyrinth Chollima\nArchived: 2026-04-05 23:19:53 UTC\nNames:\nLazarus Group (Kaspersky)\nLabyrinth Chollima (CrowdStrike)\nGroup 77 (Talos)\nHastati Group (SecureWorks)\nWhois Hacking Team (McAfee)\nNewRomanic Cyber Army Team (McAfee)\nZinc (Microsoft)\nHidden Cobra (Trend Micro)\nAppleworm (Symantec)\nAPT-C-26 (Qihoo 360)\nATK 3 (Thales)\nSectorA01 (ThreatRecon)\nITG03 (IBM)\nTA404 (Proofpoint)\nDEV-0139 (Microsoft)\nGuardians of Peace (self given)\nGods Apostles (self given)\nGods Disciples (self given)\nUNC577 (Mandiant)\nUNC2970 (Mandiant)\nUNC4034 (Mandiant)\nUNC4736 (Mandiant)\nUNC4899 (Mandiant)\nDiamond Sleet (Microsoft)\nCitrine Sleet (Microsoft)\nJade Sleet (Microsoft)\nTraderTraitor (CISA)\nGleaming Pisces (Palo Alto)\nSlow Pisces (Palo Alto)\nG0032 (MITRE)\nCountry: North Korea\nSponsor: State-sponsored, Bureau/Unit 211\nMotivation: Information theft and espionage, Sabotage and destruction, Financial crime\nFirst seen: 2007\nDescription: (Malwarebytes) Lazarus Group is commonly believed to be run by the North Korean government, motivated primarily by financial gain as a method of circumventing long-standing sanctions against the regime. They first came to substantial media notice in 2013 with a series of coordinated attacks against an assortment of South Korean broadcasters and financial institutions using DarkSeoul, a wiper program that overwrites sections of the victims’ master boot record.\nIn November 2014, a large-scale breach of Sony Pictures was attributed to Lazarus. The attack was notable for its deep penetration of Sony networks, the extensive amount of data exfiltrated and leaked, and the use of a wiper in a possible attempt to erase forensic evidence. Attribution for the attacks was hazy at first, but the FBI released a statement tying the Sony breach to the earlier DarkSeoul attack and officially attributed both incidents to North Korea.\nhttps://apt.etda.or.th/cgi-bin/showcard.cgi?u=41dcfaff-d5f0-484d-8649-ef8c61588eec\nPage 1 of 11\n\nFast forward to May 2017 and the widespread outbreak of WannaCry, a piece of ransomware that used an SMB exploit as its attack vector. Attribution to North Korea rested largely on code reuse between WannaCry and previous North Korean attacks, but this was considered thin grounds given the common practice of tool sharing between regional threat groups. Western intelligence agencies released official statements reaffirming the attribution, and on September 6, 2018, the US Department of Justice charged a North Korean national with involvement in both WannaCry and the Sony breach.\nLazarus Group has the following subgroups:\n1. Subgroup: Andariel, Silent Chollima\n2. Subgroup: BeagleBoyz\n3. Subgroup: Bluenoroff, APT 38, Stardust Chollima\n4. Subgroup: Operation Contagious Interview\nThe following groups may be associated with the Lazarus Group: Covellite, Reaper, APT 37, Ricochet Chollima, ScarCruft, Wassonite and Moonstone Sleet.\nObserved\nSectors: Aerospace, Defense, Energy, Engineering, Financial, Government, Healthcare, Media, Shipping and Logistics, Technology and Bitcoin exchanges.\nCountries: Australia, Bangladesh, Belgium, Brazil, Canada, Chile, China, Ecuador, France, Germany, Guatemala, Hong Kong, India, Israel, Japan, Mexico, Netherlands, Philippines, Poland, Russia, South Africa, South Korea, Taiwan, Thailand, UK, USA, Vietnam and Worldwide (WannaCry).\nTools used: 3proxy, 3Rat Client, Andaratm, AppleJeus, ARTFULPIE, Aryan, ATMDtrack, AuditCred, BADCALL, Bankshot, BanSwift, BISTROMATH, Bitsran, BLINDINGCAN, BlindToad, Bookcode, BootWreck, BottomLoader, Brambul, BTC Changer, BUFFETLINE, Castov, CheeseTray, CleanToad, ClientTraficForwarder, COLDCAT, CollectionRAT, Concealment Troy, Contopee, CookieTime, Dacls RAT, DarkComet, DAVESHELL, DBLL Dropper, DeltaCharlie, Destover, DLRAT, Dozer, DoublePulsar, DRATzarus, Dtrack, Duuzer, DyePack, ELECTRICFISH, EternalBlue, FALLCHILL, Fimlis, FudModule, Gh0st RAT, Gopuram, HARDRAIN, Hawup, Hermes, HLOADER, HOOKSHOT, HOPLIGHT, HotelAlfa, HOTCROISSANT, Hotwax, HtDnDownLoader, Http Dr0pper, HTTP Troy, ICONICSTEALER, Joanap, Jokra, KANDYKORN, KEYMARBLE, KillDisk, Koredos, Lazarus, LightlessCan, LIGHTSHIFT, LIGHTSHOW, MagicRAT, MATA, Mimikatz, Mydoom, NachoCheese, NestEgg, NickelLoader, NineRAT, NukeSped, OpBlockBuster, PEBBLEDASH, PhanDoor, PLANKWALK, Plink, PondRAT, POOLRAT, PowerBrace, PowerRatankba, PowerShell RAT, PowerSpritz, PowerTask, ProcDump, Proxysvc, PSLogger, Quickcafe, QuiteRAT, Ratankba, RatankbaPOS, RawDisk, Recon, RedShawl, Rifdoor, Rising Sun, Romeos, RomeoAlfa, RomeoBravo, RomeoCharlie, RomeoDelta, RomeoEcho, RomeoFoxtrot, RomeoGolf, RomeoHotel, RomeoMike, RomeoNovember, RomeoWhiskey, RustBucket, Scout, SHARPKNOT, SheepRAT, SIDESHOW, SierraAlfa, SierraCharlie, SIGFLIP, SLICKSHOES, SmallTiger, Stunnel, SUDDENICON, SUGARLOADER, TAINTEDSCRIBE, TAXHAUL, Tdrop, Tdrop2, TFlower, ThreatNeedle, TigerRAT, TOUCHKEY, TOUCHMOVE, TOUCHSHIFT, TOUCHSHOT, Troy, TYPEFRAME, ValeforBeta, VEILEDSIGNAL, VHD, Volgmer, VSingle, Vyveva, WannaCry, WbBot, WinorDLL64, WolfRAT, Wormhole, YamaBot, Yort, Living off the Land.\nOperations performed\n2007: Operation “Flame”\nTarget: South Korean government.\nMethod: Disruption and sabotage.\n
Jul 2009: Operation “Troy”\nNorth Korean hackers are suspected of launching a cyber-attack on some of the most important government offices in the US and South Korea in recent days, including the White House, the Pentagon, the New York Stock Exchange and the presidential Blue House in Seoul.\nThe attack took out some of South Korea’s most important websites, including those of the Blue House, the defense ministry, the national assembly, Shinhan Bank, Korea Exchange Bank and the top internet portal Naver.\nTarget: Government, financial and media institutions in South Korea and the USA.\nMethod: DDoS attacks.\nMar 2011: Attack on South Korean banks and media\nRecent Distributed Denial of Service (DDoS) attacks on a number of South Korean websites have been in the news for the past week. The threat responsible for carrying out these attacks is Trojan.Koredos.\nTarget: South Korean organizations.\nMethod: DDoS attacks and destruction of infected machines.\nMar 2013: Operation “Ten Days of Rain” / “DarkSeoul”\nComputer networks running three major South Korean banks and the country’s two largest broadcasters were paralyzed Wednesday in attacks that some experts suspected originated in North Korea, which has consistently threatened to cripple its far richer neighbor.\nThe attacks, which left many South Koreans unable to withdraw money from ATMs and news broadcasting crews staring at blank computer screens, came as the North’s official Korean Central News Agency quoted the country’s leader, Kim Jong-un, as threatening to destroy government installations in the South, along with American bases in the Pacific.\nTarget: Three major banks and two broadcasters in South Korea.\nMethod: Infecting with viruses, stealing and wiping information.\nMay 2013: South Korean Financial Companies Targeted by Castov\nIn the past few months we have been actively monitoring an exploit kit, called Gongda, which is mainly targeting South Korea. Interestingly, we have come across a piece of malware, known as Castov, being delivered by this exploit kit that targets specific South Korean financial companies and their customers. The cybercriminals in this case have done their research on the South Korean online financial landscape.\nJun 2013: DarkSeoul\nCyberattacks Against South Korea Continue on Anniversary of Korean War\nYesterday, June 25, the Korean peninsula observed a series of cyberattacks coinciding with the 63rd anniversary of the start of the Korean War. While multiple attacks were conducted by multiple perpetrators, one of the distributed denial-of-service (DDoS) attacks observed yesterday against South Korean government websites can be directly linked to the DarkSeoul gang and Trojan.Castov.\nNov 2014: Operation “Blockbuster”: Breach of Sony Pictures Entertainment\nThe attack on Sony Pictures became public knowledge on November 24, 2014, when Sony employees turned on their computers to be greeted with the sight of a neon red skeleton and the words “Hacked by GOP”, which stood for “Guardians of the Peace”. The message also threatened to release data later that day if an unspecified request was not met. Over the following weeks, huge swathes of information stolen from Sony were released, including personal information about employees and their families, email correspondence between employees at the company, information about company salaries, unreleased Sony films, and other information.\nTarget: Sony Pictures Entertainment (which released the movie “The Interview”, ridiculing the North Korean leader).\nMethod: Infecting with malware, stealing and wiping the company’s data: employee records, correspondence, copies of unreleased films.\nJun 2015: Using the Palo Alto Networks AutoFocus threat intelligence platform, we identified several samples of malicious code with behavior similar to the aforementioned Operation Troy campaign dating back to June 2015, over two years after the original attacks in South Korea. Session data revealed a live attack targeting the transportation and logistics sector in Europe.\nMar 2017: The Blockbuster Sequel\nThis recently identified activity is targeting Korean-speaking individuals, while the threat actors behind the attack likely speak both Korean and English. This blog will detail the recently discovered samples, their functionality, and their ties to the threat group behind Operation Blockbuster.\nMay 2017: WannaCry ransomware\nThaiCERT's whitepaper\nJun 2017: We analyzed a new RATANKBA variant (BKDR_RATANKBA.ZAEL-A), discovered in June 2017, that uses a PowerShell script instead of its more traditional PE executable form, a version that other researchers also recently identified.\nAug 2017: The Blockbuster Saga Continues\nUnit 42 researchers at Palo Alto Networks have discovered new attack activity targeting individuals involved with United States defense contractors.\nLate 2017: Several breaches of financial-sector organizations and a casino in Latin America and the USA using KillDisk wiping malware.\n2017/2018: Cryptocurrency attacks on South Korean exchanges.\nJan 2018: F-Secure’s investigation revealed that a system administrator from the target organization received a phishing document via their personal LinkedIn account. The document masqueraded as a legitimate job advert for a role in a blockchain technology company that matched the employee’s skills.\nMar 2018: APT attack on Turkish Financial Sector\nTarget: Turkish financial sector.\nMethod: Spear-phishing with Bankshot implant.\nApr 2018: Operation “GhostSecret”\nTarget: The impacted organizations are in industries such as telecommunications, health, finance, critical infrastructure, and entertainment.\nMethod: Spear-phishing with Destover-like implant.\nApr 2018: The first artefacts we found relating to MATA were used around April 2018. After that, the actor behind this advanced malware framework used it aggressively to infiltrate corporate entities around the world.\nAug 2018: Operation “AppleJeus”\nTarget: Cryptocurrency exchange.\nMethod: Fake installer and macOS malware.\nJul 2018: Operation “CryptoCore”\nOperation “Dangerous Password”\nOperation “Leery Turtle”\nSummer 2018: Our investigation into the Dtrack RAT actually began with a different activity. 
In the late summer of 2018, we discovered ATMDtrack, a piece of banking malware targeting Indian banks. Further analysis showed that the malware was designed to be planted on the victim’s ATMs, where it could read and store the data of cards that were inserted into the machines.\nOct 2018: Operation “Sharpshooter”\nTarget: 87 organizations in many different sectors (majority Government and Defense) across the globe, predominantly in the United States.\nMethod: Rising Sun implant to gather intelligence.\nNov 2018: More Attacks on Cryptocurrency Businesses\nTarget: Some of the documents (for instance one entitled “sample document for business plan evaluation of venture company”) were prepared in Korean, presumably to target South Korean businesses. Another contains a business overview of what seems to be a Chinese technology consulting group named LAFIZ (“we couldn’t confirm if it’s a legitimate business or another fake company made up by Lazarus,” Kaspersky Lab researchers said). Yet another provided information for coin listings with a translation in Korean, researchers said.\nMethod: Documents containing weaponized macros, “carefully prepared to attract the attention of cryptocurrency professionals.” It utilizes PowerShell to control Windows systems and macOS malware for Apple users.\nMar 2019: The infamous Lazarus threat actor group has been found targeting an Israeli defense company, according to new research outlined by the cybersecurity firm ClearSky. The campaign is carried out with the intention of stealing military and commercial secrets.\nMar 2019: Operation “AppleJeus sequel”\nAs a result of our ongoing efforts, we identified significant changes to the group’s attack methodology.\nApr 2019: “Hoplight” Malware Campaign\nKnown as “Hoplight,” the malware is a collection of nine files, though most of those are designed to work as obfuscation layers to keep admins and security software from spotting the attack.\nMay 2019: North Korean Tunneling Tool: ELECTRICFISH\nThis report provides analysis of one malicious 32-bit Windows executable file. The malware implements a custom protocol that allows traffic to be funneled between a source and a destination Internet Protocol (IP) address. The malware continuously attempts to reach out to the source and the destination system, which allows either side to initiate a funneling session. The malware can be configured with a proxy server/port and proxy username and password. This feature allows connectivity to a system sitting behind a proxy server, which allows the actor to bypass the compromised system’s required authentication to reach outside of the network.\nMay 2019: Hackers associated with the APT Lazarus/HIDDEN COBRA group were found to be breaking into online stores of large US retailers and planting payment skimmers as early as May 2019.\nSep 2019: Operation “In(ter)ception”\nAt the end of last year, we discovered targeted attacks against aerospace and military companies in Europe and the Middle East, active from September to December 2019. A collaborative investigation with two of the affected European companies allowed us to gain insight into the operation and uncover previously undocumented malware.\nSep 2019: Lazarus Group’s MATA Framework Leveraged to Deploy TFlower Ransomware\nOct 2019: Dacls, the Dual platform RAT\nDec 2019: The Deadly Planeswalker: How The TrickBot Group United High-Tech Crimeware \u0026 APT\n2020: Operation “North Star”\nIn this 2020 campaign McAfee ATR discovered a series of malicious documents containing job postings taken from leading defense contractors to be used as lures, in a very targeted fashion.\n2020: Operation “Dream Job”\nUpon infection, the attackers collected intelligence regarding the company’s activity, and also its financial affairs, probably in order to try and steal some money from it.\nFeb 2020: Lazarus BTC Changer\nMar 2020: Lazarus on the hunt for big game\nApr 2020: New Mac variant of Lazarus Dacls RAT distributed via Trojanized 2FA app\nApr 2020: We discovered another malware cluster named CookieTime used in a campaign mainly focused on the defense industry.\nJun 2020: Covid-19 Relief: North Korea Hackers Lazarus Planning Massive Attack on US, UK, Japan, Singapore, India, South Korea?\nJun 2020: ESET researchers have discovered a previously undocumented Lazarus backdoor, which they have dubbed Vyveva, being used to attack a freight logistics company in South Africa.\nMid 2020: Lazarus targets defense industry with ThreatNeedle\nAug 2020: North Korean hackers are targeting Israel's defense sector, Israel Ministry of Defense claims\nNov 2020: ESET researchers uncover a novel Lazarus supply-chain attack leveraging WIZVERA VeraPort software\nDec 2020: As the COVID-19 crisis grinds on, some threat actors are trying to speed up vaccine development by any means available. 
We have found evidence that actors, such as the Lazarus group, are going after intelligence that could help these efforts by attacking entities related to COVID-19 research.\nJan 2021: New campaign targeting security researchers\nMar 2021: Lazarus Attack Activities Targeting Japan (VSingle/ValeforBeta)\nMar 2021: Update on campaign targeting security researchers\nSpring 2021: Lazarus campaign TTPs and evolution\nAutumn 2021: Amazon-themed campaigns of Lazarus in the Netherlands and Belgium\nJun 2021: APT actor Lazarus attacks defense industry, develops supply chain attack capabilities\nNov 2021: Lazarus hackers target researchers with trojanized IDA Pro\nDec 2021: Lazarus Trojanized DeFi app for delivering malware\n2022: Analysis Report on Lazarus Threat Group’s Volgmer and Scout Malware\nJan 2022: North Korea’s Lazarus APT leverages Windows Update client, GitHub in latest campaign\nJan 2022: Lazarus Targets Chemical Sector\nFeb 2022: Operation “LolZarus”\nQualys Threat Research has identified a new Lazarus campaign using employment phishing lures targeting the defence sector.\nFeb 2022: On February 10, Threat Analysis Group discovered two distinct North Korean government-backed attacker groups exploiting a remote code execution vulnerability in Chrome, CVE-2022-0609.\nEarly 2022: Tracing State-Aligned Activity Targeting Journalists, Media\nFeb 2022: Lazarus and the tale of three RATs\nFeb 2022: MagicRAT: Lazarus’ latest gateway into victim networks\nMar 2022: A hacker stole $625 million from the blockchain behind NFT game Axie Infinity\nApr 2022: Lazarus Group Exploiting Log4Shell Vulnerability (NukeSped)\nMay 2022: Lazarus Group Exploits Zero-Day Vulnerability to Hack South Korean Financial Entity\nJun 2022: North Korea accused of orchestrating $100 million Harmony crypto hack\nJun 2022: Stealing the LIGHTSHOW\nJun 2022: ZINC weaponizing open-source software\nJun 2022: ₿uyer ₿eware: Fake Cryptocurrency Applications Serving as Front for AppleJeus Malware\nJul 2022: Lazarus and the tale of three RATs\nAug 2022: deBridge Finance crypto platform targeted by Lazarus hackers\nAug 2022: Lazarus ‘Operation In(ter)ception’ Targets macOS Users Dreaming of Jobs in Crypto\nAug 2022: Operation “No Pineapple!”\nNorth Korean hackers stole research data in two-month-long breach\nSep 2022: SlowMist: Investigation of North Korean APT’s Large-Scale Phishing Attack on NFT Users\nSep 2022: Lazarus and the FudModule Rootkit: Beyond BYOVD with an Admin-to-Kernel Zero-Day\nLate 2022: DPRK Using Unpatched Zimbra Devices to Spy on Researchers\nLate 2022: 3CX Software Supply Chain Compromise Initiated by a Prior Software Supply Chain Compromise; Suspected North Korean Actor Responsible\nLate 2022: North Korean hackers linked to defense sector supply-chain attack\nNov 2022: DPRK hacking groups breach South Korean defense contractors\nEarly 2023: Lazarus Group's infrastructure reuse leads to discovery of new malware\nEarly 2023: Lazarus Group exploits ManageEngine vulnerability to deploy QuiteRAT\nMar 2023: More evidence links 3CX supply-chain attack to North Korean hacking group\nMar 2023: Linux malware strengthens links between Lazarus and the 3CX supply-chain attack\nMar 2023: Lazarus luring employees with trojanized coding challenges: The case of a Spanish aerospace company\nMay 2023: Lazarus Group Targeting Windows IIS Web Servers\nJun 2023: North Korea’s Lazarus Group Likely Responsible For $35 Million Atomic Crypto Theft\nJun 2023: Lazarus Threat Group Exploiting Vulnerability of Korean Finance Security Solution\nJul 2023: North Korea Leverages SaaS Provider in a Targeted Supply Chain Attack\nJul 2023: Security alert: social engineering campaign targets technology industry employees\nJul 2023: Lazarus Threat Group Attacking Windows Servers to Use as Malware Distribution Points\nJul 2023: CoinsPaid blames Lazarus hackers for theft of $37,300,000 in crypto\nJul 2023: Lazarus hackers linked to $60 million Alphapo cryptocurrency heist\nJul 2023: A cascade of compromise: unveiling Lazarus’ new campaign\nAug 2023: VMConnect: Malicious PyPI packages imitate popular open source modules\nSep 2023: FBI Identifies Lazarus Group Cyber Actors as Responsible for Theft of $41 Million from Stake.com\nSep 2023: CoinEx confirms hack after $31 million in cryptocurrency allegedly stolen from exchange\nOct 2023: Multiple North Korean threat actors exploiting the TeamCity CVE-2023-42793 vulnerability\nOct 2023: Operation “Dream Magic”\nOct 2023: Elastic catches DPRK passing out KANDYKORN\nOct 2023: Diamond Sleet supply chain compromise distributes a modified CyberLink installer\nJan 2024: Lazarus Group Uses the DLL Side-Loading Technique\nFeb 2024: New Malicious PyPI Packages used by Lazarus\nFeb 2024: Slow Pisces Targets Developers With Coding Challenges and Introduces New Customized Python Malware\nMay 2024: The Crypto Game of Lazarus APT: Investors vs. Zero-days\nMay 2024: FBI links North Korean hackers to $308 million crypto heist\nJun 2024: Fake recruiter coding tests target devs with malicious Python packages\nJun 2024: An Offer You Can Refuse: UNC2970 Backdoor Deployment Using Trojanized PDF Reader\nAug 2024: North Korean threat actor Citrine Sleet exploiting Chromium zero-day\nSep 2024: Gleaming Pisces Poisoned Python Packages Campaign Delivers PondRAT Linux and MacOS Backdoors\nOct 2024: Radiant links $50 million crypto heist to North Korean hackers\nNov 2024: Operation “SyncHole”\nOperation SyncHole: Lazarus APT goes back to the well\nJan 2025: Operation “99”\nNorth Korean State Sponsored Supply Chain Attack on Tech Innovation\nJan 2025: Operation “Phantom Circuit”\nOperation Phantom Circuit: North Korea’s Global Data Exfiltration Campaign\nJan 2025: Operation “Marstech Mayhem”\nLazarus Group’s Open-Source Trap: North Korea’s New Malware Tactic Targeting Developers and Crypto Wallets\nFeb 2025: North Korean hackers linked to $1.5 billion ByBit crypto heist\nApr 2025: Beyond the Pond Phish: Unraveling Lazarus Group’s Evolving Tactics\nMay 2025: BitoPro exchange links Lazarus hackers to $11 million crypto heist\nCounter operations\nDec 2017: Microsoft and Facebook disrupt ZINC malware attack to protect customers and the internet from ongoing cyberthreats\nSep 2018: North Korean Regime-Backed Programmer Charged With Conspiracy to Conduct Multiple Cyber Attacks and Intrusions\nSep 2019: Treasury Sanctions North Korean State-Sponsored Malicious Cyber Groups\nMar 2020: Treasury Sanctions Individuals Laundering Cryptocurrency for Lazarus Group\nJul 2020: EU imposes the first ever sanctions against cyber-attacks\nFeb 2021: Three North Korean Military Hackers Indicted in Wide-Ranging Scheme to Commit Cyberattacks and Financial Crimes Across the Globe\nApr 2022: The Treasury Department's Office of Foreign Assets Control (OFAC) has sanctioned the address that received the cryptocurrency stolen in what was at the time the largest cryptocurrency hack ever, the hack of Axie Infinity's Ronin network bridge.\nAug 2022: US sanctions crypto mixer Tornado Cash used by North Korean hackers\nFeb 2023: South Korea Sanctions Pyongyang Hackers\nAug 2023: FBI Identifies Cryptocurrency Funds Stolen by DPRK\nOct 2023: Justice Department Announces Court-Authorized Action to Disrupt Illicit Revenue Generation Efforts of Democratic People’s Republic of Korea Information Technology Workers\nNov 2023: US seizes Sinbad crypto mixer used by North Korean Lazarus hackers\nFeb 2025: EU sanctions North Korean tied to Lazarus group over involvement in Ukraine war\nInformation\nMITRE ATT\u0026CK\nSource: https://apt.etda.or.th/cgi-bin/showcard.cgi?u=41dcfaff-d5f0-484d-8649-ef8c61588eec",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"references": [
		"https://apt.etda.or.th/cgi-bin/showcard.cgi?u=41dcfaff-d5f0-484d-8649-ef8c61588eec"
	],
	"report_names": [
		"showcard.cgi?u=41dcfaff-d5f0-484d-8649-ef8c61588eec"
	],
	"threat_actors": [
		{
			"id": "838f6ced-12a4-4893-991a-36d231d96efd",
			"created_at": "2022-10-25T15:50:23.347455Z",
			"updated_at": "2026-04-10T02:00:05.295717Z",
			"deleted_at": null,
			"main_name": "Andariel",
			"aliases": [
				"Andariel",
				"Silent Chollima",
				"PLUTONIUM",
				"Onyx Sleet"
			],
			"source_name": "MITRE:Andariel",
			"tools": [
				"Rifdoor",
				"gh0st RAT"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "998746e1-b4b8-429b-a737-6eb368247c42",
			"created_at": "2022-10-25T16:07:23.505704Z",
			"updated_at": "2026-04-10T02:00:04.632806Z",
			"deleted_at": null,
			"main_name": "Covellite",
			"aliases": [
				"Black Artemis",
				"CTG-2460",
				"Nickel Academy"
			],
			"source_name": "ETDA:Covellite",
			"tools": [],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "6f30fd35-b1c9-43c4-9137-2f61cd5f031e",
			"created_at": "2025-08-07T02:03:25.082908Z",
			"updated_at": "2026-04-10T02:00:03.744649Z",
			"deleted_at": null,
			"main_name": "NICKEL FOXCROFT",
			"aliases": [
				"APT37",
				"ATK4",
				"Group 123",
				"InkySquid",
				"Moldy Pisces",
				"Operation Daybreak",
				"Operation Erebus",
				"RICOCHET CHOLLIMA",
				"Reaper",
				"ScarCruft",
				"TA-RedAnt",
				"Venus 121"
			],
			"source_name": "Secureworks:NICKEL FOXCROFT",
			"tools": [
				"Bluelight",
				"Chinotto",
				"GOLDBACKDOOR",
				"KevDroid",
				"KoSpy",
				"PoorWeb",
				"ROKRAT",
				"final1stpy"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "fdf8d396-bbe4-454c-970a-81c4c3093b27",
			"created_at": "2022-10-25T16:07:23.763387Z",
			"updated_at": "2026-04-10T02:00:04.742186Z",
			"deleted_at": null,
			"main_name": "BeagleBoyz",
			"aliases": [
				"BeagleBoyz",
				"Operation FASTCash"
			],
			"source_name": "ETDA:BeagleBoyz",
			"tools": [
				"Cyruslish",
				"ECCENTRICBANDWAGON",
				"FASTCash",
				"NACHOCHEESE",
				"NachoCheese",
				"PSLogger",
				"TWOPENCE",
				"VIVACIOUSGIFT"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "34eea331-d052-4096-ae03-a22f1d090bd4",
			"created_at": "2025-08-07T02:03:25.073494Z",
			"updated_at": "2026-04-10T02:00:03.709243Z",
			"deleted_at": null,
			"main_name": "NICKEL ACADEMY",
			"aliases": [
				"ATK3",
				"Black Artemis",
				"COVELLITE",
				"CTG-2460",
				"Citrine Sleet",
				"Diamond Sleet",
				"Guardians of Peace",
				"HIDDEN COBRA",
				"High Anonymous",
				"Labyrinth Chollima",
				"Lazarus Group",
				"NNPT Group",
				"New Romanic Cyber Army Team",
				"Temp.Hermit",
				"UNC577",
				"Who Am I?",
				"Whois Team",
				"ZINC"
			],
			"source_name": "Secureworks:NICKEL ACADEMY",
			"tools": [
				"Destover",
				"KorHigh",
				"Volgmer"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "a3687241-9876-477b-aa13-a7c368ffda58",
			"created_at": "2022-10-25T16:07:24.496902Z",
			"updated_at": "2026-04-10T02:00:05.010744Z",
			"deleted_at": null,
			"main_name": "Hacking Team",
			"aliases": [],
			"source_name": "ETDA:Hacking Team",
			"tools": [],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "810fada6-3a62-477e-ac11-2702f9a1ef80",
			"created_at": "2023-01-06T13:46:38.874104Z",
			"updated_at": "2026-04-10T02:00:03.129286Z",
			"deleted_at": null,
			"main_name": "STARDUST CHOLLIMA",
			"aliases": [
				"Sapphire Sleet"
			],
			"source_name": "MISPGALAXY:STARDUST CHOLLIMA",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "90615eb1-13f5-49e8-b8f5-d0df9b8bd946",
			"created_at": "2024-12-25T02:00:03.652379Z",
			"updated_at": "2026-04-10T02:00:03.797373Z",
			"deleted_at": null,
			"main_name": "Wassonite",
			"aliases": [],
			"source_name": "MISPGALAXY:Wassonite",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "e90c06e4-e3e0-4f46-a3b5-17b84b31da62",
			"created_at": "2023-01-06T13:46:39.018236Z",
			"updated_at": "2026-04-10T02:00:03.183123Z",
			"deleted_at": null,
			"main_name": "Hacking Team",
			"aliases": [],
			"source_name": "MISPGALAXY:Hacking Team",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "a13b5ca4-fb52-44a9-aa5a-595eca6789ed",
			"created_at": "2022-10-25T15:50:23.4331Z",
			"updated_at": "2026-04-10T02:00:05.381716Z",
			"deleted_at": null,
			"main_name": "Sharpshooter",
			"aliases": [
				"Sharpshooter"
			],
			"source_name": "MITRE:Sharpshooter",
			"tools": [
				"Rising Sun"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "9f101d9c-05ea-48b9-b6f1-168cd6d06d12",
			"created_at": "2023-01-06T13:46:39.396409Z",
			"updated_at": "2026-04-10T02:00:03.312816Z",
			"deleted_at": null,
			"main_name": "Earth Lusca",
			"aliases": [
				"CHROMIUM",
				"ControlX",
				"TAG-22",
				"BRONZE UNIVERSITY",
				"AQUATIC PANDA",
				"RedHotel",
				"Charcoal Typhoon",
				"Red Scylla",
				"Red Dev 10",
				"BountyGlad"
			],
			"source_name": "MISPGALAXY:Earth Lusca",
			"tools": [
				"RouterGod",
				"SprySOCKS",
				"ShadowPad",
				"POISONPLUG",
				"Barlaiy",
				"Spyder",
				"FunnySwitch"
			],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "e265bb3a-eb4c-4999-9b1d-c24a0d05a7f0",
			"created_at": "2023-12-21T02:00:06.096716Z",
			"updated_at": "2026-04-10T02:00:03.502439Z",
			"deleted_at": null,
			"main_name": "UNC4736",
			"aliases": [],
			"source_name": "MISPGALAXY:UNC4736",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "110e7160-a8cc-4a66-8550-f19f7d418117",
			"created_at": "2023-01-06T13:46:38.427592Z",
			"updated_at": "2026-04-10T02:00:02.969896Z",
			"deleted_at": null,
			"main_name": "Silent Chollima",
			"aliases": [
				"Onyx Sleet",
				"PLUTONIUM",
				"OperationTroy",
				"Guardian of Peace",
				"GOP",
				"WHOis Team",
				"Andariel",
				"Subgroup: Andariel"
			],
			"source_name": "MISPGALAXY:Silent Chollima",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "bbe36874-34b7-4bfb-b38b-84a00b07042e",
			"created_at": "2022-10-25T15:50:23.375277Z",
			"updated_at": "2026-04-10T02:00:05.327922Z",
			"deleted_at": null,
			"main_name": "APT37",
			"aliases": [
				"APT37",
				"InkySquid",
				"ScarCruft",
				"Group123",
				"TEMP.Reaper",
				"Ricochet Chollima"
			],
			"source_name": "MITRE:APT37",
			"tools": [
				"BLUELIGHT",
				"CORALDECK",
				"KARAE",
				"SLOWDRIFT",
				"ROKRAT",
				"SHUTTERSPEED",
				"POORAIM",
				"HAPPYWORK",
				"Final1stspy",
				"Cobalt Strike",
				"NavRAT",
				"DOGCALL",
				"WINERACK"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "552ff939-52c3-421b-b6c9-749cbc21a794",
			"created_at": "2023-01-06T13:46:38.742547Z",
			"updated_at": "2026-04-10T02:00:03.08515Z",
			"deleted_at": null,
			"main_name": "APT37",
			"aliases": [
				"Operation Daybreak",
				"Red Eyes",
				"ScarCruft",
				"G0067",
				"Group123",
				"Reaper Group",
				"Ricochet Chollima",
				"ATK4",
				"APT 37",
				"Operation Erebus",
				"Moldy Pisces",
				"APT-C-28",
				"Group 123",
				"InkySquid",
				"Venus 121"
			],
			"source_name": "MISPGALAXY:APT37",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "68cc6e37-f16d-4995-a75b-5e8e2a6cbb3d",
			"created_at": "2024-05-01T02:03:07.943593Z",
			"updated_at": "2026-04-10T02:00:03.795229Z",
			"deleted_at": null,
			"main_name": "BRONZE EDISON",
			"aliases": [
				"APT4 ",
				"DarkSeoul",
				"Maverick Panda ",
				"Salmon Typhoon ",
				"Sodium ",
				"Sykipot ",
				"TG-0623 ",
				"getkys"
			],
			"source_name": "Secureworks:BRONZE EDISON",
			"tools": [
				"Gh0st RAT",
				"Wkysol",
				"ZxPortMap"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "4fc99d9b-9b66-4516-b0db-520fbef049ed",
			"created_at": "2025-10-29T02:00:51.949631Z",
			"updated_at": "2026-04-10T02:00:05.346203Z",
			"deleted_at": null,
			"main_name": "Contagious Interview",
			"aliases": [
				"Contagious Interview",
				"DeceptiveDevelopment",
				"Gwisin Gang",
				"Tenacious Pungsan",
				"DEV#POPPER",
				"PurpleBravo",
				"TAG-121"
			],
			"source_name": "MITRE:Contagious Interview",
			"tools": [
				"InvisibleFerret",
				"BeaverTail",
				"XORIndex Loader",
				"HexEval Loader"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "544ecd2c-82c9-417c-9d98-d1ae395df964",
			"created_at": "2025-10-29T02:00:52.035025Z",
			"updated_at": "2026-04-10T02:00:05.408558Z",
			"deleted_at": null,
			"main_name": "AppleJeus",
			"aliases": [
				"AppleJeus",
				"Gleaming Pisces",
				"Citrine Sleet",
				"UNC1720",
				"UNC4736"
			],
			"source_name": "MITRE:AppleJeus",
			"tools": null,
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "45e6e2b3-43fe-44cd-8025-aea18a7f488f",
			"created_at": "2024-06-20T02:02:09.897489Z",
			"updated_at": "2026-04-10T02:00:04.769917Z",
			"deleted_at": null,
			"main_name": "Moonstone Sleet",
			"aliases": [
				"Storm-1789",
				"Stressed Pungsan"
			],
			"source_name": "ETDA:Moonstone Sleet",
			"tools": [],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "0106b19a-ac99-4bc9-90b9-4647bfc5f3ce",
			"created_at": "2023-11-08T02:00:07.144995Z",
			"updated_at": "2026-04-10T02:00:03.425891Z",
			"deleted_at": null,
			"main_name": "TraderTraitor",
			"aliases": [
				"Pukchong",
				"Jade Sleet",
				"UNC4899"
			],
			"source_name": "MISPGALAXY:TraderTraitor",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "bc6e3644-3249-44f3-a277-354b7966dd1b",
			"created_at": "2022-10-25T16:07:23.760559Z",
			"updated_at": "2026-04-10T02:00:04.741239Z",
			"deleted_at": null,
			"main_name": "Andariel",
			"aliases": [
				"APT 45",
				"Andariel",
				"G0138",
				"Jumpy Pisces",
				"Onyx Sleet",
				"Operation BLACKMINE",
				"Operation BLACKSHEEP/Phase 3.",
				"Operation Blacksmith",
				"Operation DESERTWOLF/Phase 3",
				"Operation GHOSTRAT",
				"Operation GoldenAxe",
				"Operation INITROY/Phase 1",
				"Operation INITROY/Phase 2",
				"Operation Mayday",
				"Operation VANXATM",
				"Operation XEDA",
				"Plutonium",
				"Silent Chollima",
				"Stonefly"
			],
			"source_name": "ETDA:Andariel",
			"tools": [],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "28523c53-1944-4ff0-bbdc-89b06e4e3c84",
			"created_at": "2024-11-01T02:00:52.752463Z",
			"updated_at": "2026-04-10T02:00:05.359782Z",
			"deleted_at": null,
			"main_name": "Moonstone Sleet",
			"aliases": [
				"Moonstone Sleet",
				"Storm-1789"
			],
			"source_name": "MITRE:Moonstone Sleet",
			"tools": [
				"Qilin"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "732597b1-40a8-474c-88cc-eb8a421c29f1",
			"created_at": "2025-08-07T02:03:25.087732Z",
			"updated_at": "2026-04-10T02:00:03.776007Z",
			"deleted_at": null,
			"main_name": "NICKEL GLADSTONE",
			"aliases": [
				"APT38 ",
				"ATK 117 ",
				"Alluring Pisces ",
				"Black Alicanto ",
				"Bluenoroff ",
				"CTG-6459 ",
				"Citrine Sleet ",
				"HIDDEN COBRA ",
				"Lazarus Group",
				"Sapphire Sleet ",
				"Selective Pisces ",
				"Stardust Chollima ",
				"T-APT-15 ",
				"TA444 ",
				"TAG-71 "
			],
			"source_name": "Secureworks:NICKEL GLADSTONE",
			"tools": [
				"AlphaNC",
				"Bankshot",
				"CCGC_Proxy",
				"Ratankba",
				"RustBucket",
				"SUGARLOADER",
				"SwiftLoader",
				"Wcry"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "a9bca241-5f6f-4a30-8184-c16da1a23c55",
			"created_at": "2022-10-25T16:07:24.38908Z",
			"updated_at": "2026-04-10T02:00:04.971876Z",
			"deleted_at": null,
			"main_name": "Wassonite",
			"aliases": [],
			"source_name": "ETDA:Wassonite",
			"tools": [
				"Dtrack",
				"Mimikatz",
				"Preft",
				"TroyRAT"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "7a2dd0e8-beea-415c-b90d-4df9da8358ae",
			"created_at": "2024-09-20T02:00:04.575485Z",
			"updated_at": "2026-04-10T02:00:03.695726Z",
			"deleted_at": null,
			"main_name": "UNC2970",
			"aliases": [],
			"source_name": "MISPGALAXY:UNC2970",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "a2b92056-9378-4749-926b-7e10c4500dac",
			"created_at": "2023-01-06T13:46:38.430595Z",
			"updated_at": "2026-04-10T02:00:02.971571Z",
			"deleted_at": null,
			"main_name": "Lazarus Group",
			"aliases": [
				"Operation DarkSeoul",
				"Bureau 121",
				"Group 77",
				"APT38",
				"NICKEL GLADSTONE",
				"G0082",
				"COPERNICIUM",
				"Moonstone Sleet",
				"Operation GhostSecret",
				"APT 38",
				"Appleworm",
				"Unit 121",
				"ATK3",
				"G0032",
				"ATK117",
				"NewRomanic Cyber Army Team",
				"Nickel Academy",
				"Sapphire Sleet",
				"Lazarus group",
				"Hastati Group",
				"Subgroup: Bluenoroff",
				"Operation Troy",
				"Black Artemis",
				"Dark Seoul",
				"Andariel",
				"Labyrinth Chollima",
				"Operation AppleJeus",
				"COVELLITE",
				"Citrine Sleet",
				"DEV-0139",
				"DEV-1222",
				"Hidden Cobra",
				"Bluenoroff",
				"Stardust Chollima",
				"Whois Hacking Team",
				"Diamond Sleet",
				"TA404",
				"BeagleBoyz",
				"APT-C-26"
			],
			"source_name": "MISPGALAXY:Lazarus Group",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "18a7b52d-a1cd-43a3-8982-7324e3e676b7",
			"created_at": "2025-08-07T02:03:24.688416Z",
			"updated_at": "2026-04-10T02:00:03.734754Z",
			"deleted_at": null,
			"main_name": "BRONZE UNIVERSITY",
			"aliases": [
				"Aquatic Panda",
				"Aquatic Panda ",
				"CHROMIUM",
				"CHROMIUM ",
				"Charcoal Typhoon",
				"Charcoal Typhoon ",
				"Earth Lusca",
				"Earth Lusca ",
				"FISHMONGER ",
				"Red Dev 10",
				"Red Dev 10 ",
				"Red Scylla",
				"Red Scylla ",
				"RedHotel",
				"RedHotel ",
				"Tag-22",
				"Tag-22 "
			],
			"source_name": "Secureworks:BRONZE UNIVERSITY",
			"tools": [
				"Cobalt Strike",
				"Fishmaster",
				"FunnySwitch",
				"Spyder",
				"njRAT"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "771d9263-076e-4b6e-bd58-92b6555eb739",
			"created_at": "2025-08-07T02:03:25.092436Z",
			"updated_at": "2026-04-10T02:00:03.758541Z",
			"deleted_at": null,
			"main_name": "NICKEL HYATT",
			"aliases": [
				"APT45 ",
				"Andariel",
				"Dark Seoul",
				"Jumpy Pisces ",
				"Onyx Sleet ",
				"RIFLE Campaign",
				"Silent Chollima ",
				"Stonefly ",
				"UN614 "
			],
			"source_name": "Secureworks:NICKEL HYATT",
			"tools": [
				"ActiveX 0-day",
				"DTrack",
				"HazyLoad",
				"HotCriossant",
				"Rifle",
				"UnitBot",
				"Valefor"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "32a223a8-3c79-4146-87c5-8557d38662ae",
			"created_at": "2022-10-25T15:50:23.703698Z",
			"updated_at": "2026-04-10T02:00:05.261989Z",
			"deleted_at": null,
			"main_name": "Lazarus Group",
			"aliases": [
				"Lazarus Group",
				"Labyrinth Chollima",
				"HIDDEN COBRA",
				"Guardians of Peace",
				"NICKEL ACADEMY",
				"Diamond Sleet"
			],
			"source_name": "MITRE:Lazarus Group",
			"tools": [
				"RawDisk",
				"Proxysvc",
				"BADCALL",
				"FALLCHILL",
				"WannaCry",
				"MagicRAT",
				"HOPLIGHT",
				"TYPEFRAME",
				"Dtrack",
				"HotCroissant",
				"HARDRAIN",
				"Dacls",
				"KEYMARBLE",
				"TAINTEDSCRIBE",
				"AuditCred",
				"netsh",
				"ECCENTRICBANDWAGON",
				"AppleJeus",
				"BLINDINGCAN",
				"ThreatNeedle",
				"Volgmer",
				"Cryptoistic",
				"RATANKBA",
				"Bankshot"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "f426f0a0-faef-4c0e-bcf8-88974116c9d0",
			"created_at": "2022-10-25T15:50:23.240383Z",
			"updated_at": "2026-04-10T02:00:05.299433Z",
			"deleted_at": null,
			"main_name": "APT38",
			"aliases": [
				"APT38",
				"NICKEL GLADSTONE",
				"BeagleBoyz",
				"Bluenoroff",
				"Stardust Chollima",
				"Sapphire Sleet",
				"COPERNICIUM"
			],
			"source_name": "MITRE:APT38",
			"tools": [
				"ECCENTRICBANDWAGON",
				"HOPLIGHT",
				"Mimikatz",
				"KillDisk",
				"DarkComet"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "1bdb91cf-f1a6-4bed-8cfa-c7ea1b635ebd",
			"created_at": "2022-10-25T16:07:23.766784Z",
			"updated_at": "2026-04-10T02:00:04.7432Z",
			"deleted_at": null,
			"main_name": "Bluenoroff",
			"aliases": [
				"APT 38",
				"ATK 117",
				"Alluring Pisces",
				"Black Alicanto",
				"Bluenoroff",
				"CTG-6459",
				"Copernicium",
				"G0082",
				"Nickel Gladstone",
				"Sapphire Sleet",
				"Selective Pisces",
				"Stardust Chollima",
				"T-APT-15",
				"TA444",
				"TAG-71",
				"TEMP.Hermit"
			],
			"source_name": "ETDA:Bluenoroff",
			"tools": [],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "6abcc917-035c-4e9b-a53f-eaee636749c3",
			"created_at": "2022-10-25T16:07:23.565337Z",
			"updated_at": "2026-04-10T02:00:04.668393Z",
			"deleted_at": null,
			"main_name": "Earth Lusca",
			"aliases": [
				"Bronze University",
				"Charcoal Typhoon",
				"Chromium",
				"G1006",
				"Red Dev 10",
				"Red Scylla"
			],
			"source_name": "ETDA:Earth Lusca",
			"tools": [
				"Agentemis",
				"AntSword",
				"BIOPASS",
				"BIOPASS RAT",
				"BadPotato",
				"Behinder",
				"BleDoor",
				"Cobalt Strike",
				"CobaltStrike",
				"Doraemon",
				"FRP",
				"Fast Reverse Proxy",
				"FunnySwitch",
				"HUC Port Banner Scanner",
				"KTLVdoor",
				"Mimikatz",
				"NBTscan",
				"POISONPLUG.SHADOW",
				"PipeMon",
				"RbDoor",
				"RibDoor",
				"RouterGod",
				"SAMRID",
				"ShadowPad Winnti",
				"SprySOCKS",
				"WinRAR",
				"Winnti",
				"XShellGhost",
				"cobeacon",
				"fscan",
				"lcx",
				"nbtscan"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "ef59a0d9-c556-4448-8553-ed28f315d352",
			"created_at": "2025-06-29T02:01:57.047978Z",
			"updated_at": "2026-04-10T02:00:04.744218Z",
			"deleted_at": null,
			"main_name": "Operation Contagious Interview",
			"aliases": [
				"Jasper Sleet",
				"Nickel Tapestry",
				"Operation Contagious Interview",
				"PurpleBravo",
				"Storm-0287",
				"Tenacious Pungsan",
				"UNC5267",
				"Wagemole",
				"WaterPlum"
			],
			"source_name": "ETDA:Operation Contagious Interview",
			"tools": [
				"BeaverTail",
				"InvisibleFerret",
				"OtterCookie",
				"PylangGhost"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "dcbff54d-13ec-40b5-b3b9-b74a315669e1",
			"created_at": "2026-02-03T02:00:03.428641Z",
			"updated_at": "2026-04-10T02:00:03.937539Z",
			"deleted_at": null,
			"main_name": "UNC1069",
			"aliases": [
				"MASAN",
				"CryptoCore"
			],
			"source_name": "MISPGALAXY:UNC1069",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "d53593c3-2819-4af3-bf16-0c39edc64920",
			"created_at": "2022-10-27T08:27:13.212301Z",
			"updated_at": "2026-04-10T02:00:05.272802Z",
			"deleted_at": null,
			"main_name": "Earth Lusca",
			"aliases": [
				"Earth Lusca",
				"TAG-22",
				"Charcoal Typhoon",
				"CHROMIUM",
				"ControlX"
			],
			"source_name": "MITRE:Earth Lusca",
			"tools": [
				"Mimikatz",
				"PowerSploit",
				"Tasklist",
				"certutil",
				"Cobalt Strike",
				"Winnti for Linux",
				"Nltest",
				"NBTscan",
				"ShadowPad"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "9b02c527-5077-489e-9a80-5d88947fddab",
			"created_at": "2022-10-25T16:07:24.103499Z",
			"updated_at": "2026-04-10T02:00:04.867181Z",
			"deleted_at": null,
			"main_name": "Reaper",
			"aliases": [
				"APT 37",
				"ATK 4",
				"Cerium",
				"Crooked Pisces",
				"G0067",
				"Geumseong121",
				"Group 123",
				"ITG10",
				"InkySquid",
				"Moldy Pisces",
				"Opal Sleet",
				"Operation Are You Happy?",
				"Operation Battle Cruiser",
				"Operation Black Banner",
				"Operation Daybreak",
				"Operation Dragon messenger",
				"Operation Erebus",
				"Operation Evil New Year",
				"Operation Evil New Year 2018",
				"Operation Fractured Block",
				"Operation Fractured Statue",
				"Operation FreeMilk",
				"Operation Golden Bird",
				"Operation Golden Time",
				"Operation High Expert",
				"Operation Holiday Wiper",
				"Operation Korean Sword",
				"Operation North Korean Human Right",
				"Operation Onezero",
				"Operation Rocket Man",
				"Operation SHROUDED#SLEEP",
				"Operation STARK#MULE",
				"Operation STIFF#BIZON",
				"Operation Spy Cloud",
				"Operation Star Cruiser",
				"Operation ToyBox Story",
				"Osmium",
				"Red Eyes",
				"Ricochet Chollima",
				"Ruby Sleet",
				"ScarCruft",
				"TA-RedAnt",
				"TEMP.Reaper",
				"Venus 121"
			],
			"source_name": "ETDA:Reaper",
			"tools": [
				"Agentemis",
				"BLUELIGHT",
				"Backdoor.APT.POORAIM",
				"CARROTBALL",
				"CARROTBAT",
				"CORALDECK",
				"Cobalt Strike",
				"CobaltStrike",
				"DOGCALL",
				"Erebus",
				"Exploit.APT.RICECURRY",
				"Final1stSpy",
				"Freenki Loader",
				"GELCAPSULE",
				"GOLDBACKDOOR",
				"GreezeBackdoor",
				"HAPPYWORK",
				"JinhoSpy",
				"KARAE",
				"KevDroid",
				"Konni",
				"MILKDROP",
				"N1stAgent",
				"NavRAT",
				"Nokki",
				"Oceansalt",
				"POORAIM",
				"PoohMilk",
				"PoohMilk Loader",
				"RICECURRY",
				"RUHAPPY",
				"RokRAT",
				"SHUTTERSPEED",
				"SLOWDRIFT",
				"SOUNDWAVE",
				"SYSCON",
				"Sanny",
				"ScarCruft",
				"StarCruft",
				"Syscon",
				"VeilShell",
				"WINERACK",
				"ZUMKONG",
				"cobeacon"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "f32df445-9fb4-4234-99e0-3561f6498e4e",
			"created_at": "2022-10-25T16:07:23.756373Z",
			"updated_at": "2026-04-10T02:00:04.739611Z",
			"deleted_at": null,
			"main_name": "Lazarus Group",
			"aliases": [
				"APT-C-26",
				"ATK 3",
				"Appleworm",
				"Citrine Sleet",
				"DEV-0139",
				"Diamond Sleet",
				"G0032",
				"Gleaming Pisces",
				"Gods Apostles",
				"Gods Disciples",
				"Group 77",
				"Guardians of Peace",
				"Hastati Group",
				"Hidden Cobra",
				"ITG03",
				"Jade Sleet",
				"Labyrinth Chollima",
				"Lazarus Group",
				"NewRomanic Cyber Army Team",
				"Operation 99",
				"Operation AppleJeus",
				"Operation AppleJeus sequel",
				"Operation Blockbuster: Breach of Sony Pictures Entertainment",
				"Operation CryptoCore",
				"Operation Dream Job",
				"Operation Dream Magic",
				"Operation Flame",
				"Operation GhostSecret",
				"Operation In(ter)caption",
				"Operation LolZarus",
				"Operation Marstech Mayhem",
				"Operation No Pineapple!",
				"Operation North Star",
				"Operation Phantom Circuit",
				"Operation Sharpshooter",
				"Operation SyncHole",
				"Operation Ten Days of Rain / DarkSeoul",
				"Operation Troy",
				"SectorA01",
				"Slow Pisces",
				"TA404",
				"TraderTraitor",
				"UNC2970",
				"UNC4034",
				"UNC4736",
				"UNC4899",
				"UNC577",
				"Whois Hacking Team"
			],
			"source_name": "ETDA:Lazarus Group",
			"tools": [
				"3CX Backdoor",
				"3Rat Client",
				"3proxy",
				"AIRDRY",
				"ARTFULPIE",
				"ATMDtrack",
				"AlphaNC",
				"Alreay",
				"Andaratm",
				"AngryRebel",
				"AppleJeus",
				"Aryan",
				"AuditCred",
				"BADCALL",
				"BISTROMATH",
				"BLINDINGCAN",
				"BTC Changer",
				"BUFFETLINE",
				"BanSwift",
				"Bankshot",
				"Bitrep",
				"Bitsran",
				"BlindToad",
				"Bookcode",
				"BootWreck",
				"BottomLoader",
				"Brambul",
				"BravoNC",
				"Breut",
				"COLDCAT",
				"COPPERHEDGE",
				"CROWDEDFLOUNDER",
				"Castov",
				"CheeseTray",
				"CleanToad",
				"ClientTraficForwarder",
				"CollectionRAT",
				"Concealment Troy",
				"Contopee",
				"CookieTime",
				"Cyruslish",
				"DAVESHELL",
				"DBLL Dropper",
				"DLRAT",
				"DRATzarus",
				"DRATzarus RAT",
				"Dacls",
				"Dacls RAT",
				"DarkComet",
				"DarkKomet",
				"DeltaCharlie",
				"DeltaNC",
				"Dembr",
				"Destover",
				"DoublePulsar",
				"Dozer",
				"Dtrack",
				"Duuzer",
				"DyePack",
				"ECCENTRICBANDWAGON",
				"ELECTRICFISH",
				"Escad",
				"EternalBlue",
				"FALLCHILL",
				"FYNLOS",
				"FallChill RAT",
				"Farfli",
				"Fimlis",
				"FoggyBrass",
				"FudModule",
				"Fynloski",
				"Gh0st RAT",
				"Ghost RAT",
				"Gopuram",
				"HARDRAIN",
				"HIDDEN COBRA RAT/Worm",
				"HLOADER",
				"HOOKSHOT",
				"HOPLIGHT",
				"HOTCROISSANT",
				"HOTWAX",
				"HTTP Troy",
				"Hawup",
				"Hawup RAT",
				"Hermes",
				"HotCroissant",
				"HotelAlfa",
				"Hotwax",
				"HtDnDownLoader",
				"Http Dr0pper",
				"ICONICSTEALER",
				"Joanap",
				"Jokra",
				"KANDYKORN",
				"KEYMARBLE",
				"Kaos",
				"KillDisk",
				"KillMBR",
				"Koredos",
				"Krademok",
				"LIGHTSHIFT",
				"LIGHTSHOW",
				"LOLBAS",
				"LOLBins",
				"Lazarus",
				"LightlessCan",
				"Living off the Land",
				"MATA",
				"MBRkiller",
				"MagicRAT",
				"Manuscrypt",
				"Mimail",
				"Mimikatz",
				"Moudour",
				"Mydoom",
				"Mydoor",
				"Mytob",
				"NACHOCHEESE",
				"NachoCheese",
				"NestEgg",
				"NickelLoader",
				"NineRAT",
				"Novarg",
				"NukeSped",
				"OpBlockBuster",
				"PCRat",
				"PEBBLEDASH",
				"PLANKWALK",
				"POOLRAT",
				"PSLogger",
				"PhanDoor",
				"Plink",
				"PondRAT",
				"PowerBrace",
				"PowerRatankba",
				"PowerShell RAT",
				"PowerSpritz",
				"PowerTask",
				"Preft",
				"ProcDump",
				"Proxysvc",
				"PuTTY Link",
				"QUICKRIDE",
				"QUICKRIDE.POWER",
				"Quickcafe",
				"QuiteRAT",
				"R-C1",
				"ROptimizer",
				"Ratabanka",
				"RatabankaPOS",
				"Ratankba",
				"RatankbaPOS",
				"RawDisk",
				"RedShawl",
				"Rifdoor",
				"Rising Sun",
				"Romeo-CoreOne",
				"RomeoAlfa",
				"RomeoBravo",
				"RomeoCharlie",
				"RomeoCore",
				"RomeoDelta",
				"RomeoEcho",
				"RomeoFoxtrot",
				"RomeoGolf",
				"RomeoHotel",
				"RomeoMike",
				"RomeoNovember",
				"RomeoWhiskey",
				"Romeos",
				"RustBucket",
				"SHADYCAT",
				"SHARPKNOT",
				"SIGFLIP",
				"SIMPLESEA",
				"SLICKSHOES",
				"SORRYBRUTE",
				"SUDDENICON",
				"SUGARLOADER",
				"SheepRAT",
				"SierraAlfa",
				"SierraBravo",
				"SierraCharlie",
				"SierraJuliett-MikeOne",
				"SierraJuliett-MikeTwo",
				"SimpleTea",
				"SimplexTea",
				"SmallTiger",
				"Stunnel",
				"TAINTEDSCRIBE",
				"TAXHAUL",
				"TFlower",
				"TOUCHKEY",
				"TOUCHMOVE",
				"TOUCHSHIFT",
				"TOUCHSHOT",
				"TWOPENCE",
				"TYPEFRAME",
				"Tdrop",
				"Tdrop2",
				"ThreatNeedle",
				"Tiger RAT",
				"TigerRAT",
				"Trojan Manuscript",
				"Troy",
				"TroyRAT",
				"VEILEDSIGNAL",
				"VHD",
				"VHD Ransomware",
				"VIVACIOUSGIFT",
				"VSingle",
				"ValeforBeta",
				"Volgmer",
				"Vyveva",
				"W1_RAT",
				"Wana Decrypt0r",
				"WanaCry",
				"WanaCrypt",
				"WanaCrypt0r",
				"WannaCry",
				"WannaCrypt",
				"WannaCryptor",
				"WbBot",
				"Wcry",
				"Win32/KillDisk.NBB",
				"Win32/KillDisk.NBC",
				"Win32/KillDisk.NBD",
				"Win32/KillDisk.NBH",
				"Win32/KillDisk.NBI",
				"WinorDLL64",
				"Winsec",
				"WolfRAT",
				"Wormhole",
				"YamaBot",
				"Yort",
				"ZetaNile",
				"concealment_troy",
				"http_troy",
				"httpdr0pper",
				"httpdropper",
				"klovbot",
				"sRDI"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434016,
	"ts_updated_at": 1775792300,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/f9e6d49b1bfeabe0091f770fd799657a4bd73157.pdf",
		"text": "https://archive.orkl.eu/f9e6d49b1bfeabe0091f770fd799657a4bd73157.txt",
		"img": "https://archive.orkl.eu/f9e6d49b1bfeabe0091f770fd799657a4bd73157.jpg"
	}
}