{
	"id": "2e30a644-31db-4931-9334-541cc465ee65",
	"created_at": "2026-04-06T01:31:03.666937Z",
	"updated_at": "2026-04-10T03:38:19.40434Z",
	"deleted_at": null,
	"sha1_hash": "ff023277406257f779a1fb42a52b82031ab2c032",
	"title": "New Andariel Reconnaissance Tactics Uncovered",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 359248,
	"plain_text": "New Andariel Reconnaissance Tactics Uncovered\r\nBy Joseph C Chen\r\nPublished: 2018-07-16 · Archived: 2026-04-06 01:07:22 UTC\r\nUpdated June 18, 2018, 10:05 AM to add new IoC information from IssueMakersLab's July investigation. We updated it again at 4:30 PM to add a link to IssueMakersLab's website and to add new IoC information. This research is done in cooperation with IssueMakersLab of South Korea.\r\n\r\nReconnaissance plays a vital role in criminal operations, and some groups go to great lengths to investigate their targets' systems. A recent example is the Andariel Group, a known branch of the notorious Lazarus Group. Last month we tracked new scouting techniques coming from Andariel, which were used mainly against South Korean targets.\r\n\r\nAndariel has been quite active these past few months. According to South Korean security researchers IssueMakersLab, the group used an ActiveX zero-day exploit for watering hole attacks on South Korean websites last May—they called this “Operation GoldenAxe”. But more recently, on June 21, we noticed that Andariel injected their script into four other compromised South Korean websites for reconnaissance purposes.\r\n\r\nWe found that the code of the new injected script is similar to the sample Andariel previously used in May. However, the new script was trying to collect different ActiveX object information and targeted objects that it wasn’t attacking before.\r\n\r\nIn the earlier case, the group collected targeted ActiveX objects on users’ Internet Explorer browser before they used the zero-day exploit. This was possibly part of their reconnaissance strategy, to find the right targets for their exploit. Based on this, we believe it's likely that the new targeted ActiveX objects we found could be their next targets for a watering hole exploit attack. To help prevent any damage, we decided to publish our findings before the group deploys the attack.\r\nhttps://www.trendmicro.com/en_us/research/18/g/new-andariel-reconnaissance-tactics-hint-at-next-targets.html\r\nPage 1 of 6\r\n\r\nFigure 1. Watering hole reconnaissance flow\r\n\r\nAnalysis of the Andariel techniques\r\n\r\nOn June 21, we found that the website of a Korean non-profit organization was compromised with an injected script that collected visitors’ information. We also found the same script on three South Korean local government labor union websites. This reconnaissance lasted until 27 June. We have already notified the websites about the compromise.\r\n\r\nWe believe that the injected script came from the Andariel group since the code has similar obfuscation and structure to the sample we previously found from them. The script was used to collect information from visitors’ browsers: browser type, system language, Flash Player version, Silverlight version, and multiple ActiveX objects.\r\n\r\nThe original script is from the PluginDetect Library, and it was also used by exploit kits to verify victims before an attack. The verification process included sending the collected information to another compromised website that hosted their PHP program, which was designed to receive the information.\r\n\r\nFigure 2. Compromised website injected with malicious script that collects information\r\n\r\nOur colleagues from the IssueMakersLab team shared insights and information about the Andariel group, including that they attacked ActiveX vulnerabilities as far back as 2007. The team monitoring Andariel found that the cybercriminal group injected a malicious script on a South Korean think tank website for reconnaissance in January 2017 and then switched to injecting an ActiveX zero-day exploit in mid-April. IssueMakersLab also listed the ActiveX objects that the Andariel group attacked.\r\n\r\nDuring analysis, we noticed that the new injected script was trying to detect two additional ActiveX objects that were not on the previous list. One is “DSDOWNCTRL.DSDownCtrlCtrl.1”, which is related to DRM (Digital Rights Management) software from a South Korean document protection security vendor. Another is “WSACTIVEBRIDGEAX.WSActiveBridgeAXCtrl.1”, which is related to a South Korea-based voice conversion software company. Many local governments and public institutions use this software.\r\n\r\nWe made a table to compare the information that the script samples collected in the previous case and this more recent case.\r\n\r\nCollected information from old script sample (May 2018) | Collected information from new script sample (June 2018)\r\nParameter | Meaning | Parameter | Meaning\r\nw | Website name | w | Website name\r\nr | \u003c?=$referer?\u003e value | r | \u003c?=$referer?\u003e value\r\no | OS version | o | OS version\r\nlv | HTTP Accept-Language | lv | HTTP Accept-Language\r\nbt | Browser Information | bt | Browser Information\r\nbv | Browser Information | bv | Browser Information\r\nbdv | Browser Information | bdv | Browser Information\r\nfv | Flash Version | fv | Flash Version\r\nsilv | Silverlight Version | silv | Silverlight Version\r\nez | EasyPayPlugin ActiveX Availability | ez | EasyPayPlugin ActiveX Availability\r\nac | ACUBEFILECTRL ActiveX Availability* | - | -\r\n- | - | mg | MagicLoaderX ActiveX Availability\r\n- | - | nv | NVersionMan ActiveX Availability\r\nsi | SIClientAccess ActiveX Availability | si | SIClientAccess ActiveX Availability\r\ndu | DUZONERPSSO ActiveX Availability | du | DUZONERPSSO ActiveX Availability\r\niw | INIWALLET61 ActiveX Availability | - | -\r\n- | - | ad | admctrl ActiveX Availability\r\n- | - | dw | DSDownCtril ActiveX Availability**\r\n- | - | ab | WSActiveBridgeAX ActiveX Availability***\r\n- | - | ve | Voice Conversion Software “WSActiveBridge” WebSocket Availability****\r\n* detection of the previous ActiveX zero-day object\r\n** detection of the ActiveX object related to DRM software (one of the new targets)\r\n*** detection of the ActiveX object related to voice conversion software (one of the new targets)\r\n**** detection of the WebSocket related to voice conversion software (one of the new targets)\r\nTable 1. Comparison of the information collected by the previous and new script\r\n\r\nBesides the ActiveX objects, we noticed that the script added new code to connect a websocket to localhost. The voice conversion software has a websocket service listening on the local host, so the injected script can detect the software by checking whether it can establish a connection to ports 45461 and 45462, which the software uses.\r\n\r\nIn addition, this websocket verification is different from the ActiveX detection in the older script, which only worked in the Internet Explorer browser. In the script found in June, the websocket verification could also be performed on other browsers like Chrome and Firefox. This shows that the attacker has expanded his target base and is interested in the software itself and not just its ActiveX objects. Based on this change, we can expect them to start using attack vectors other than ActiveX.\r\n\r\nFigure 3. Script (deobfuscated) for detecting the voice conversion software ActiveX object and local websocket availability\r\n\r\nFigure 4. The voice conversion software (WSActiveBridge.exe) is listening on ports 45461 and 45462\r\n\r\nReconnaissance is the stage where attackers collect information from potential targets to help them determine what tactics will work. These new developments from the Andariel group give us an idea of their plans, although we cannot make specific assumptions about their strategy.\r\n\r\nTo stay one step ahead of threats like this, we recommend that people use layered security protection in their environments. Trend Micro endpoint solutions such as Trend Micro™ Smart Protection Suites and Worry-Free™ Business Security can protect users and businesses from similar threats by detecting malicious files and spammed messages as well as blocking all related malicious URLs. Trend Micro Deep Discovery™ has an email inspection layer that can protect enterprises by detecting malicious attachments and URLs.\r\n\r\nTrend Micro™ OfficeScan™ with XGen™ endpoint security infuses high-fidelity machine learning with other detection technologies and global threat intelligence for comprehensive protection against advanced malware.\r\n\r\nIndicators of Compromise (IoC)\r\nIoC | Description\r\ncfcd391eec9fca663afd9a4a152e62af665e8f695a16537e061e924a3b63c3b9 | Injected Script in May 2018\r\ne0e30eb5e5ff1e71548c4405d04ce16b94c4cb7f8c2ed9bd75933cea53533114 | Injected Script in June 2018\r\n67a1312768c4ca3379181c0fcc1143460efcb4bff7a4774c9c775043964c0878 | Injected Script in 17 July 2018\r\nhxxp://aega[.]co[.]kr/mall/skin/skin.php | Compromised site (received information May 2018)\r\nhxxp://www[.]peaceind[.]co[.]kr/board/icon/image.php | Compromised site (received information May 2018)\r\nhxxp://alphap1[.]com/hdd/images/image.php | Compromised site (received information May 2018)\r\nhxxp://adfamc[.]com/editor/sorak/image.php | Compromised site (received information June 2018)\r\nhxxp://adfamc[.]com/editor/sorak/skin.php | Compromised site (received information 17 July 2018)\r\n\r\nSource: https://www.trendmicro.com/en_us/research/18/g/new-andariel-reconnaissance-tactics-hint-at-next-targets.html",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MITRE"
	],
	"references": [
		"https://www.trendmicro.com/en_us/research/18/g/new-andariel-reconnaissance-tactics-hint-at-next-targets.html"
	],
	"report_names": [
		"new-andariel-reconnaissance-tactics-hint-at-next-targets.html"
	],
	"threat_actors": [
		{
			"id": "838f6ced-12a4-4893-991a-36d231d96efd",
			"created_at": "2022-10-25T15:50:23.347455Z",
			"updated_at": "2026-04-10T02:00:05.295717Z",
			"deleted_at": null,
			"main_name": "Andariel",
			"aliases": [
				"Andariel",
				"Silent Chollima",
				"PLUTONIUM",
				"Onyx Sleet"
			],
			"source_name": "MITRE:Andariel",
			"tools": [
				"Rifdoor",
				"gh0st RAT"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "34eea331-d052-4096-ae03-a22f1d090bd4",
			"created_at": "2025-08-07T02:03:25.073494Z",
			"updated_at": "2026-04-10T02:00:03.709243Z",
			"deleted_at": null,
			"main_name": "NICKEL ACADEMY",
			"aliases": [
				"ATK3 ",
				"Black Artemis ",
				"COVELLITE ",
				"CTG-2460 ",
				"Citrine Sleet ",
				"Diamond Sleet ",
				"Guardians of Peace",
				"HIDDEN COBRA ",
				"High Anonymous",
				"Labyrinth Chollima ",
				"Lazarus Group ",
				"NNPT Group",
				"New Romanic Cyber Army Team",
				"Temp.Hermit ",
				"UNC577 ",
				"Who Am I?",
				"Whois Team",
				"ZINC "
			],
			"source_name": "Secureworks:NICKEL ACADEMY",
			"tools": [
				"Destover",
				"KorHigh",
				"Volgmer"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "110e7160-a8cc-4a66-8550-f19f7d418117",
			"created_at": "2023-01-06T13:46:38.427592Z",
			"updated_at": "2026-04-10T02:00:02.969896Z",
			"deleted_at": null,
			"main_name": "Silent Chollima",
			"aliases": [
				"Onyx Sleet",
				"PLUTONIUM",
				"OperationTroy",
				"Guardian of Peace",
				"GOP",
				"WHOis Team",
				"Andariel",
				"Subgroup: Andariel"
			],
			"source_name": "MISPGALAXY:Silent Chollima",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "bc6e3644-3249-44f3-a277-354b7966dd1b",
			"created_at": "2022-10-25T16:07:23.760559Z",
			"updated_at": "2026-04-10T02:00:04.741239Z",
			"deleted_at": null,
			"main_name": "Andariel",
			"aliases": [
				"APT 45",
				"Andariel",
				"G0138",
				"Jumpy Pisces",
				"Onyx Sleet",
				"Operation BLACKMINE",
				"Operation BLACKSHEEP/Phase 3.",
				"Operation Blacksmith",
				"Operation DESERTWOLF/Phase 3",
				"Operation GHOSTRAT",
				"Operation GoldenAxe",
				"Operation INITROY/Phase 1",
				"Operation INITROY/Phase 2",
				"Operation Mayday",
				"Operation VANXATM",
				"Operation XEDA",
				"Plutonium",
				"Silent Chollima",
				"Stonefly"
			],
			"source_name": "ETDA:Andariel",
			"tools": [],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "732597b1-40a8-474c-88cc-eb8a421c29f1",
			"created_at": "2025-08-07T02:03:25.087732Z",
			"updated_at": "2026-04-10T02:00:03.776007Z",
			"deleted_at": null,
			"main_name": "NICKEL GLADSTONE",
			"aliases": [
				"APT38 ",
				"ATK 117 ",
				"Alluring Pisces ",
				"Black Alicanto ",
				"Bluenoroff ",
				"CTG-6459 ",
				"Citrine Sleet ",
				"HIDDEN COBRA ",
				"Lazarus Group",
				"Sapphire Sleet ",
				"Selective Pisces ",
				"Stardust Chollima ",
				"T-APT-15 ",
				"TA444 ",
				"TAG-71 "
			],
			"source_name": "Secureworks:NICKEL GLADSTONE",
			"tools": [
				"AlphaNC",
				"Bankshot",
				"CCGC_Proxy",
				"Ratankba",
				"RustBucket",
				"SUGARLOADER",
				"SwiftLoader",
				"Wcry"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "a2b92056-9378-4749-926b-7e10c4500dac",
			"created_at": "2023-01-06T13:46:38.430595Z",
			"updated_at": "2026-04-10T02:00:02.971571Z",
			"deleted_at": null,
			"main_name": "Lazarus Group",
			"aliases": [
				"Operation DarkSeoul",
				"Bureau 121",
				"Group 77",
				"APT38",
				"NICKEL GLADSTONE",
				"G0082",
				"COPERNICIUM",
				"Moonstone Sleet",
				"Operation GhostSecret",
				"APT 38",
				"Appleworm",
				"Unit 121",
				"ATK3",
				"G0032",
				"ATK117",
				"NewRomanic Cyber Army Team",
				"Nickel Academy",
				"Sapphire Sleet",
				"Lazarus group",
				"Hastati Group",
				"Subgroup: Bluenoroff",
				"Operation Troy",
				"Black Artemis",
				"Dark Seoul",
				"Andariel",
				"Labyrinth Chollima",
				"Operation AppleJeus",
				"COVELLITE",
				"Citrine Sleet",
				"DEV-0139",
				"DEV-1222",
				"Hidden Cobra",
				"Bluenoroff",
				"Stardust Chollima",
				"Whois Hacking Team",
				"Diamond Sleet",
				"TA404",
				"BeagleBoyz",
				"APT-C-26"
			],
			"source_name": "MISPGALAXY:Lazarus Group",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "771d9263-076e-4b6e-bd58-92b6555eb739",
			"created_at": "2025-08-07T02:03:25.092436Z",
			"updated_at": "2026-04-10T02:00:03.758541Z",
			"deleted_at": null,
			"main_name": "NICKEL HYATT",
			"aliases": [
				"APT45 ",
				"Andariel",
				"Dark Seoul",
				"Jumpy Pisces ",
				"Onyx Sleet ",
				"RIFLE Campaign",
				"Silent Chollima ",
				"Stonefly ",
				"UN614 "
			],
			"source_name": "Secureworks:NICKEL HYATT",
			"tools": [
				"ActiveX 0-day",
				"DTrack",
				"HazyLoad",
				"HotCriossant",
				"Rifle",
				"UnitBot",
				"Valefor"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "32a223a8-3c79-4146-87c5-8557d38662ae",
			"created_at": "2022-10-25T15:50:23.703698Z",
			"updated_at": "2026-04-10T02:00:05.261989Z",
			"deleted_at": null,
			"main_name": "Lazarus Group",
			"aliases": [
				"Lazarus Group",
				"Labyrinth Chollima",
				"HIDDEN COBRA",
				"Guardians of Peace",
				"NICKEL ACADEMY",
				"Diamond Sleet"
			],
			"source_name": "MITRE:Lazarus Group",
			"tools": [
				"RawDisk",
				"Proxysvc",
				"BADCALL",
				"FALLCHILL",
				"WannaCry",
				"MagicRAT",
				"HOPLIGHT",
				"TYPEFRAME",
				"Dtrack",
				"HotCroissant",
				"HARDRAIN",
				"Dacls",
				"KEYMARBLE",
				"TAINTEDSCRIBE",
				"AuditCred",
				"netsh",
				"ECCENTRICBANDWAGON",
				"AppleJeus",
				"BLINDINGCAN",
				"ThreatNeedle",
				"Volgmer",
				"Cryptoistic",
				"RATANKBA",
				"Bankshot"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "f32df445-9fb4-4234-99e0-3561f6498e4e",
			"created_at": "2022-10-25T16:07:23.756373Z",
			"updated_at": "2026-04-10T02:00:04.739611Z",
			"deleted_at": null,
			"main_name": "Lazarus Group",
			"aliases": [
				"APT-C-26",
				"ATK 3",
				"Appleworm",
				"Citrine Sleet",
				"DEV-0139",
				"Diamond Sleet",
				"G0032",
				"Gleaming Pisces",
				"Gods Apostles",
				"Gods Disciples",
				"Group 77",
				"Guardians of Peace",
				"Hastati Group",
				"Hidden Cobra",
				"ITG03",
				"Jade Sleet",
				"Labyrinth Chollima",
				"Lazarus Group",
				"NewRomanic Cyber Army Team",
				"Operation 99",
				"Operation AppleJeus",
				"Operation AppleJeus sequel",
				"Operation Blockbuster: Breach of Sony Pictures Entertainment",
				"Operation CryptoCore",
				"Operation Dream Job",
				"Operation Dream Magic",
				"Operation Flame",
				"Operation GhostSecret",
				"Operation In(ter)caption",
				"Operation LolZarus",
				"Operation Marstech Mayhem",
				"Operation No Pineapple!",
				"Operation North Star",
				"Operation Phantom Circuit",
				"Operation Sharpshooter",
				"Operation SyncHole",
				"Operation Ten Days of Rain / DarkSeoul",
				"Operation Troy",
				"SectorA01",
				"Slow Pisces",
				"TA404",
				"TraderTraitor",
				"UNC2970",
				"UNC4034",
				"UNC4736",
				"UNC4899",
				"UNC577",
				"Whois Hacking Team"
			],
			"source_name": "ETDA:Lazarus Group",
			"tools": [
				"3CX Backdoor",
				"3Rat Client",
				"3proxy",
				"AIRDRY",
				"ARTFULPIE",
				"ATMDtrack",
				"AlphaNC",
				"Alreay",
				"Andaratm",
				"AngryRebel",
				"AppleJeus",
				"Aryan",
				"AuditCred",
				"BADCALL",
				"BISTROMATH",
				"BLINDINGCAN",
				"BTC Changer",
				"BUFFETLINE",
				"BanSwift",
				"Bankshot",
				"Bitrep",
				"Bitsran",
				"BlindToad",
				"Bookcode",
				"BootWreck",
				"BottomLoader",
				"Brambul",
				"BravoNC",
				"Breut",
				"COLDCAT",
				"COPPERHEDGE",
				"CROWDEDFLOUNDER",
				"Castov",
				"CheeseTray",
				"CleanToad",
				"ClientTraficForwarder",
				"CollectionRAT",
				"Concealment Troy",
				"Contopee",
				"CookieTime",
				"Cyruslish",
				"DAVESHELL",
				"DBLL Dropper",
				"DLRAT",
				"DRATzarus",
				"DRATzarus RAT",
				"Dacls",
				"Dacls RAT",
				"DarkComet",
				"DarkKomet",
				"DeltaCharlie",
				"DeltaNC",
				"Dembr",
				"Destover",
				"DoublePulsar",
				"Dozer",
				"Dtrack",
				"Duuzer",
				"DyePack",
				"ECCENTRICBANDWAGON",
				"ELECTRICFISH",
				"Escad",
				"EternalBlue",
				"FALLCHILL",
				"FYNLOS",
				"FallChill RAT",
				"Farfli",
				"Fimlis",
				"FoggyBrass",
				"FudModule",
				"Fynloski",
				"Gh0st RAT",
				"Ghost RAT",
				"Gopuram",
				"HARDRAIN",
				"HIDDEN COBRA RAT/Worm",
				"HLOADER",
				"HOOKSHOT",
				"HOPLIGHT",
				"HOTCROISSANT",
				"HOTWAX",
				"HTTP Troy",
				"Hawup",
				"Hawup RAT",
				"Hermes",
				"HotCroissant",
				"HotelAlfa",
				"Hotwax",
				"HtDnDownLoader",
				"Http Dr0pper",
				"ICONICSTEALER",
				"Joanap",
				"Jokra",
				"KANDYKORN",
				"KEYMARBLE",
				"Kaos",
				"KillDisk",
				"KillMBR",
				"Koredos",
				"Krademok",
				"LIGHTSHIFT",
				"LIGHTSHOW",
				"LOLBAS",
				"LOLBins",
				"Lazarus",
				"LightlessCan",
				"Living off the Land",
				"MATA",
				"MBRkiller",
				"MagicRAT",
				"Manuscrypt",
				"Mimail",
				"Mimikatz",
				"Moudour",
				"Mydoom",
				"Mydoor",
				"Mytob",
				"NACHOCHEESE",
				"NachoCheese",
				"NestEgg",
				"NickelLoader",
				"NineRAT",
				"Novarg",
				"NukeSped",
				"OpBlockBuster",
				"PCRat",
				"PEBBLEDASH",
				"PLANKWALK",
				"POOLRAT",
				"PSLogger",
				"PhanDoor",
				"Plink",
				"PondRAT",
				"PowerBrace",
				"PowerRatankba",
				"PowerShell RAT",
				"PowerSpritz",
				"PowerTask",
				"Preft",
				"ProcDump",
				"Proxysvc",
				"PuTTY Link",
				"QUICKRIDE",
				"QUICKRIDE.POWER",
				"Quickcafe",
				"QuiteRAT",
				"R-C1",
				"ROptimizer",
				"Ratabanka",
				"RatabankaPOS",
				"Ratankba",
				"RatankbaPOS",
				"RawDisk",
				"RedShawl",
				"Rifdoor",
				"Rising Sun",
				"Romeo-CoreOne",
				"RomeoAlfa",
				"RomeoBravo",
				"RomeoCharlie",
				"RomeoCore",
				"RomeoDelta",
				"RomeoEcho",
				"RomeoFoxtrot",
				"RomeoGolf",
				"RomeoHotel",
				"RomeoMike",
				"RomeoNovember",
				"RomeoWhiskey",
				"Romeos",
				"RustBucket",
				"SHADYCAT",
				"SHARPKNOT",
				"SIGFLIP",
				"SIMPLESEA",
				"SLICKSHOES",
				"SORRYBRUTE",
				"SUDDENICON",
				"SUGARLOADER",
				"SheepRAT",
				"SierraAlfa",
				"SierraBravo",
				"SierraCharlie",
				"SierraJuliett-MikeOne",
				"SierraJuliett-MikeTwo",
				"SimpleTea",
				"SimplexTea",
				"SmallTiger",
				"Stunnel",
				"TAINTEDSCRIBE",
				"TAXHAUL",
				"TFlower",
				"TOUCHKEY",
				"TOUCHMOVE",
				"TOUCHSHIFT",
				"TOUCHSHOT",
				"TWOPENCE",
				"TYPEFRAME",
				"Tdrop",
				"Tdrop2",
				"ThreatNeedle",
				"Tiger RAT",
				"TigerRAT",
				"Trojan Manuscript",
				"Troy",
				"TroyRAT",
				"VEILEDSIGNAL",
				"VHD",
				"VHD Ransomware",
				"VIVACIOUSGIFT",
				"VSingle",
				"ValeforBeta",
				"Volgmer",
				"Vyveva",
				"W1_RAT",
				"Wana Decrypt0r",
				"WanaCry",
				"WanaCrypt",
				"WanaCrypt0r",
				"WannaCry",
				"WannaCrypt",
				"WannaCryptor",
				"WbBot",
				"Wcry",
				"Win32/KillDisk.NBB",
				"Win32/KillDisk.NBC",
				"Win32/KillDisk.NBD",
				"Win32/KillDisk.NBH",
				"Win32/KillDisk.NBI",
				"WinorDLL64",
				"Winsec",
				"WolfRAT",
				"Wormhole",
				"YamaBot",
				"Yort",
				"ZetaNile",
				"concealment_troy",
				"http_troy",
				"httpdr0pper",
				"httpdropper",
				"klovbot",
				"sRDI"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775439063,
	"ts_updated_at": 1775792299,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/ff023277406257f779a1fb42a52b82031ab2c032.pdf",
		"text": "https://archive.orkl.eu/ff023277406257f779a1fb42a52b82031ab2c032.txt",
		"img": "https://archive.orkl.eu/ff023277406257f779a1fb42a52b82031ab2c032.jpg"
	}
}