Andariel
· Published 16/12/2025 19:39 · Modified 27/03/2026 01:13
· Source: The MITRE Corporation
Essential information
- Confidence
- 100/100
- Published
- 16/12/2025 19:39
- Modified
- 27/03/2026 01:13
- Updated at
- 27/03/2026 01:13
- Revoked
- No
- Author / Source
- The MITRE Corporation
- Resource level
- —
- Primary motivation
- —
- Related entities
- 5 reports, 78 attack patterns (mitre), 39 malware, 12 sectors, 4 countries, 100 indicators, 6 vulnerabilities (cve)
Aliases
Silent Chollima PLUTONIUM Onyx Sleet
Description
[Andariel](https://attack.mitre.org/groups/G0138) is a North Korean state-sponsored threat group that has been active since at least 2009. [Andariel](https://attack.mitre.org/groups/G0138) has primarily focused its operations--which have included destructive attacks--against South Korean government agencies, military organizations, and a variety of domestic companies; they have also conducted cyber financial operations against ATMs, banks, and cryptocurrency exchanges. [Andariel](https://attack.mitre.org/groups/G0138)'s notable activity includes Operation Black Mine, Operation GoldenAxe, and Campaign Rifle.(Citation: FSI Andariel Campaign Rifle July 2017)(Citation: IssueMakersLab Andariel GoldenAxe May 2017)(Citation: AhnLab Andariel Subgroup of Lazarus June 2018)(Citation: TrendMicro New Andariel Tactics July 2018)(Citation: CrowdStrike Silent Chollima Adversary September 2021)
[Andariel](https://attack.mitre.org/groups/G0138) is considered a sub-set of [Lazarus Group](https://attack.mitre.org/groups/G0032), and has been attributed to North Korea's Reconnaissance General Bureau.(Citation: Treasury North Korean Cyber Groups September 2019)
North Korean group definitions are known to have significant overlap, and some security researchers report all North Korean state-sponsored cyber activity under the name [Lazarus Group](https://attack.mitre.org/groups/G0032) instead of tracking clusters or subgroups.
Marking (TLP)
TLP:CLEAR Copyright 2015-2025, The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation.
External references
- AhnLab Andariel Subgroup of Lazarus June 2018
- IssueMakersLab Andariel GoldenAxe May 2017
- Microsoft Threat Actor Naming July 2023
- mitre-attack (G0138)
- Treasury North Korean Cyber Groups September 2019
- TrendMicro New Andariel Tactics July 2018
- CrowdStrike Silent Chollima Adversary September 2021
- FSI Andariel Campaign Rifle July 2017
Related entities
Attack patterns, malware, vulnerabilities, indicators and other entities linked to this intrusion set.
Reports (5)
-
14 MITREs 1 Malware 1 Observable 1 APTPublished 04/11/2024 17:12 · Modified 04/11/2024 21:32
-
21 MITREs 22 Malwares 60 Observables 1 APTPublished 25/07/2024 19:26 · Modified 25/07/2024 20:29
-
17 MITREs 3 Malwares 9 Observables 1 APTPublished 01/07/2024 10:23 · Modified 01/07/2024 10:46
-
1 CVE 9 MITREs 2 Malwares 7 Observables 1 APTPublished 30/05/2024 15:37 · Modified 30/05/2024 16:02
-
10 Observables 1 APTPublished 20/05/2024 10:20 · Modified 20/05/2024 10:35
Attack patterns (MITRE) (78)
-
T1113 usesScreen Capture
-
T1560 usesArchive Collected Data
-
T1036 usesMasquerading
-
T1591 usesGather Victim Org Information
-
T1005 usesData from Local System
-
T1573.001 usesSymmetric Cryptography
-
T1203 usesExploitation for Client Execution
-
T1059.001 usesPowerShell
-
T1587.001 usesMalware
-
T1589 usesGather Victim Identity Information
-
T1012 usesQuery Registry
-
T1071.001 usesWeb Protocols
-
T1139 uses
-
T1127 usesTrusted Developer Utilities Proxy Execution
-
T1003 usesOS Credential Dumping
-
T1057 usesProcess Discovery
-
T1048 usesExfiltration Over Alternative Protocol
-
T1219 usesRemote Access Tools
-
T1572 usesProtocol Tunneling
-
T1592 usesGather Victim Host Information
-
T1081 uses
-
T1190 usesExploit Public-Facing Application
-
T1027.003 usesSteganography
-
T1027.002 usesSoftware Packing
-
T1189 usesDrive-by Compromise
-
T1218 usesSystem Binary Proxy Execution
-
T1204.002 usesMalicious File
-
T1132 usesData Encoding
-
T1595 usesActive Scanning
-
T1497 usesVirtualization/Sandbox Evasion
-
T1547.001 usesRegistry Run Keys / Startup Folder
-
T1049 usesSystem Network Connections Discovery
-
T1112 usesModify Registry
-
T1566 usesPhishing
-
T1087 usesAccount Discovery
-
T1596
-
T1027 usesObfuscated Files or Information
-
T1056.001 usesKeylogging
-
T1082 usesSystem Information Discovery
-
T1083 usesFile and Directory Discovery
-
T1548 usesAbuse Elevation Control Mechanism
-
T1039 usesData from Network Shared Drive
-
T1059 usesCommand and Scripting Interpreter
-
T1204 usesUser Execution
-
T1090 usesProxy
-
T1567 usesExfiltration Over Web Service
-
T1003.001 usesLSASS Memory
-
T1555 usesCredentials from Password Stores
-
T1021.002 usesSMB/Windows Admin Shares
-
T1102 usesWeb Service
-
T1105 usesIngress Tool Transfer
-
T1590.005 usesIP Addresses
-
T1068 usesExploitation for Privilege Escalation
-
T1056 usesInput Capture
-
Software usesT1592.002
-
T1565 usesData Manipulation
-
T1115 usesClipboard Data
-
T1059.003 usesWindows Command Shell
-
T1110 usesBrute Force
-
T1140 usesDeobfuscate/Decode Files or Information
-
T1133 usesExternal Remote Services
-
T1055 usesProcess Injection
-
T1137 usesOffice Application Startup
-
T1471
-
T1041 usesExfiltration Over C2 Channel
-
T1588.001 usesMalware
-
T1136 usesCreate Account
-
T1091 usesReplication Through Removable Media
-
T1071 usesApplication Layer Protocol
-
T1021 usesRemote Services
-
T1053 usesScheduled Task/Job
-
T1543 usesCreate or Modify System Process
-
Exploits usesT1587.004
-
T1566.001 usesSpearphishing Attachment
-
T1573 usesEncrypted Channel
-
T1106 usesNative API
-
T1498 usesNetwork Denial of Service
-
T1064 usesScripting
Malware (39)
-
Mydoor usesFamilyPublished 17/04/2026 23:18 · Modified 17/04/2026 23:18
-
BottomLoader usesFamilyPublished 25/07/2024 19:26 · Modified 25/07/2024 19:26
- Maui
-
TigerRAT usesFamilyPublished 29/07/2024 10:21 · Modified 29/07/2024 10:21
-
Backdoor:Win32/Dora usesFamilyPublished 30/05/2024 15:37 · Modified 30/05/2024 15:37
-
MagicRAT usesFamilyPublished 25/07/2024 19:26 · Modified 25/07/2024 19:26
-
Valefor/VSingle usesFamilyPublished 25/07/2024 19:26 · Modified 25/07/2024 19:26
-
YamaBot usesFamilyPublished 25/07/2024 19:26 · Modified 25/07/2024 19:26
-
Jupiter usesFamilyPublished 25/07/2024 19:26 · Modified 25/07/2024 19:26
-
Atharvan usesFamilyPublished 25/07/2024 19:26 · Modified 25/07/2024 19:26
-
NukeSped usesFamilyPublished 10/04/2025 18:50 · Modified 10/04/2025 18:50
-
DLang usesFamilyPublished 25/07/2024 19:26 · Modified 25/07/2024 19:26
-
ModeLoader usesFamilyPublished 31/12/2024 16:26 · Modified 31/12/2024 16:26
-
Andariel keylogger usesFamilyPublished 04/11/2024 17:12 · Modified 04/11/2024 17:12
-
mimikatz usesFamilyPublished 11/05/2026 16:15 · Modified 11/05/2026 16:15
-
Xctdoor usesAlienVault Confidence 100First seen 01/01/1970 · Last seen 16/11/5138 Published 21/12/2025 05:41 · Modified 21/12/2025 05:41
-
XcLoader usesFamilyPublished 01/07/2024 10:23 · Modified 01/07/2024 10:23
-
HotCroissant - S0431 usesFamilyPublished 01/07/2024 10:23 · Modified 01/07/2024 10:23
-
ELF Backdoor usesFamilyPublished 25/07/2024 19:26 · Modified 25/07/2024 19:26
-
Nestdoor usesAlienVault Confidence 100First seen 01/01/1970 · Last seen 16/11/5138 Published 21/12/2025 05:06 · Modified 21/12/2025 05:06
-
Black RAT usesFamilyPublished 25/07/2024 19:26 · Modified 25/07/2024 19:26
-
Goat RAT usesFamilyPublished 25/07/2024 19:26 · Modified 25/07/2024 19:26
-
DurianBeacon usesFamilyPublished 25/07/2024 19:26 · Modified 25/07/2024 19:26
-
FamilyPublished 25/07/2024 19:26 · Modified 25/07/2024 19:26
-
KaosRAT usesFamilyPublished 25/07/2024 19:26 · Modified 25/07/2024 19:26
- Dtrack
-
ValidAlpha usesFamilyPublished 29/07/2024 10:21 · Modified 29/07/2024 10:21
-
Dtrack - S0567 usesFamilyPublished 30/10/2024 16:32 · Modified 30/10/2024 16:32
-
AndarLoader usesFamilyPublished 25/07/2024 19:26 · Modified 25/07/2024 19:26
-
Preft usesFamilyPublished 25/07/2024 19:26 · Modified 25/07/2024 19:26
-
Lilith RAT usesFamilyPublished 23/08/2024 09:41 · Modified 23/08/2024 09:41
-
Trifaux usesAlienVault Confidence 100First seen 01/01/1970 · Last seen 16/11/5138 Published 21/12/2025 05:32 · Modified 21/12/2025 05:32
-
LightHand usesFamilyPublished 29/07/2024 10:21 · Modified 29/07/2024 10:21
-
No Pineapple usesFamilyPublished 25/07/2024 19:26 · Modified 25/07/2024 19:26
- BlackRAT
-
SmallTiger usesAlienVault Confidence 100First seen 01/01/1970 · Last seen 16/11/5138 Published 21/12/2025 05:20 · Modified 21/12/2025 05:20
- Rifdoor
-
Sliver usesFamilyPublished 12/06/2026 21:29 · Modified 12/06/2026 21:29
-
NineRAT usesFamilyPublished 25/07/2024 19:26 · Modified 25/07/2024 19:26
Sectors (12)
- Construction targets
- Engineering consulting targets
- Manufacturing targets
- Nuclear power (civilian use) targets
- Technology targets
- High-tech targets
- Aerospace targets
- Government targets
- Healthcare targets
- Education targets
- Defense targets
- Energy targets
Countries (4)
- United States of America targets
- India targets
- Korea, Republic of targets
- Korea, Democratic People's Republic of targets
Indicators (100)
-
16db0063e4aa666d94752414549fa09fb33142481d894b01a0fae45b339a09fbindicates -
323cbe7a3d050230cfaa822c2a22160b4f8c5fe65481dd329841ee2754b522d9indicates -
3bb8445c95142da1bda0e3440b53cc70e05a3fe996a77e6dcfb2919fd8878ca9indicates -
b2cec2d6992bf41d2bab643968691e06722f830fc38f7776238fe88a1f892404indicates -
americajobmail.siteindicates -
4a87fc2f9da25152bf26fff375dd9a18e81eeb78c2b5c5babcc04dc93371d0aaindicates -
1b88b939e5ec186b2d19aec8f17792d493d74dd6ab3d5a6ddc42bfe78b01aff1indicates -
ww3c.bounceme.netindicates -
452ca47230afd4bb85c45af54fcacbfa544208ef8b4604c3c5caefe3a64dcc19indicates -
7f904d16371b40e24495d9cc91019a54a3f257129896db1698282a187dfd8808indicates -
61c0810a23580cf492a6ba4f7654566108331e7a4134c968c2d6a05261b2d8a1indicates -
www.mssrv.kro.krindicates -
2a1b556770982acd711188821bfd90bb7a3eb2a977232303d7e64ba0b8682934indicates -
http://www.mssrv.kro.kr/modeRead.phpindicates -
02135f60f3edff0b9baa4c20715ee6a80c94f282079bf879265f5e020d37cf88indicates -
6db57bbc2d07343dd6ceba0f53c73756af78f09fe1cb5ce8e8008e5e7242eae1indicates -
3ec2292dc5be0161d25f258f716d92e96c591ab084548679dd7b169f80b2e967indicates -
90fb0cd574155fd8667d20f97ac464eca67bdb6a8ee64184159362d45d79b6a4indicates -
http://185.29.8.108:8585/view.phpindicates -
http://www.jikji.pe.kr/xe/files/attach/binaries/102/663/image.gifindicates -
0995f1f2e4bb43ef7e3dcd57c06154fc812394ac214861c5e30084a215018dbeindicates -
664f8d19af3400a325998b332343a9304f03bab9738ddab1530869eff13dae54indicates -
c419f17b54d5b1dd356af3703e1c31064720521337abed3ffecfed0884d1e235indicates -
http://145.232.235.222/usr/users/mini.ps1indicates -
74529dd15d1953a47f0d7ecc2916b2b92865274a106e453a24943ca9ee434643indicates -
http://27.102.118.204:6099/fav.icoindicates -
http://www.ipservice.kro.kr/view.phpindicates -
3dffb684333ea8f036e0d2142d1f49ebeccb28806cf6407308a88e846f8f30ecindicates -
29c6044d65af0073424ccc01abcb8411cbdc52720cac957a3012773c4380bab3indicates -
http://panda.ourhome.o-r.kr/view.phpindicates -
bbs.topigsnorsvin.com.ecindicates -
http://185.29.8.108:8585/load.htmlindicates -
www.jikji.pe.krindicates -
0996a8e5ec1a41645309e2ca395d3a6b766a7c52784c974c776f258c1b25a76cindicates -
18b75949e03f8dcad513426f1f9f3ca209d779c24cd4e941d935633b1bec00cbindicates -
5f71d7511bdd0b236d05b35396eddc20eae57ab2561f09ff62f212f32ef310ccindicates -
song.thindicates -
ce779e30502ecee991260fd342cc0d7d5f73d1a070395b4120b8d300ad11d694indicates -
http://109.248.150.147:8585/load.pngindicates -
8ce219552e235dcaf1c694be122d6339ed4ff8df70bf358cd165e6eb487ccfc5indicates -
primez.onlineindicates -
8aa6612c95c7cef49709596da43a0f8354f14d8c08128c4cb9b1f37e548f083bindicates -
http://www.mssrv.kro.kr/view.phpindicates -
chinesekungfu.orgindicates -
http://panda.ourhome.o-r.kr/modeView.phpindicates -
96118268f9ab475860c3ae3edf00d9ee944d6440fd60a1673f770d150bfb16d3indicates -
2eb16dbc1097a590f07787ab285a013f5fe235287cb4fb948d4f9cce9efa5dbcindicates -
http://84.38.132.67:9479/netpass.pngindicates -
http://beebeep.info/index.phpindicates -
799d44f51e6ea84998d96570e8b597af82601260fada14bd7f08391e403bc02aindicates -
http://84.38.134.56/procdump.gifindicates -
http://www.ipservice.kro.kr/modeRead.phpindicates -
http://www.ipservice.kro.kr/index.phpindicates -
f1856188732f05612c7c05347463109e8fc0e11a3d2604196551d90b4f846513indicates -
4aadf767491077ab83c6436cf108b014fc0bf8c3bd01cc6087a0f2b80564bc08indicates -
92adc5ea29491d9245876ba0b2957393633c9998eb47b3ae1344c13a44cd59aeindicates -
45d8ac1ac692d6bb0fe776620371fca02b60cac8db23c4cc7ab5df262da42b78indicates -
http://kmobile.bestunif.com:443indicates -
b7435d23769e79fcbe69b28df4aef062685d1a631892c2354f96d833eae467beindicates -
c2904dc8bbb569536c742fca0c51a766e836d0da8fac1c1abd99744e9b50164findicates -
5758765a59abfdf5e255df4d0447f92132891d1b325faaa2fb155ebb41cba818indicates -
c1a09024504a5ec422cbea68e17dffc46472d3c2d73f83aa0741a89528a45cd1related -
1962ebb7bf8d2b306c6f3b55c3dcd69a755eeff1a17577b7606894b781841c3arelated -
7e9b7ebf36cfbd4b59b77fba3bba1bac0b8d2ac657530d945fd41c15937f0bb3related -
9f90670d2197496f7d9d20152fe822238d9806716baf55c0078eef937dc8dfdbrelated -
6122c94cbfa11311bea7129ecd5aea6fae6c51d23228f7378b5f6b2398728f67related -
http://209.127.19.223:443related -
18679f10e50678804a44f8cddbc0ed937b3ed234e95fe28357f2703a259c47d4related -
199ba618efc6af9280c5abd86c09cdf2d475c09c8c7ffc393a35c3d70277aed1related -
http://privacy.hopto.org:443related -
048698159bbb051af779d22eb5b1282ce895e8311d641d50cc23cbfd36cc020arelated -
http://109.248.150.147:8585/load.htmlrelated -
3e7715ac57003f8a80119ab348a7a7b260afde749cad3c56bd2d9ab931288f92related -
f226086b5959eb96bd30dec0ffcbf0f09186cd11721507f416f1c39901addafbrelated -
d14447f41d11e0ed192d9161a60cee139fe8b01d921bbdff56abc01a5a653161related -
http://206.72.205.117:443related -
http://45.58.159.237:443related -
privatemake.bounceme.netrelated -
http://27.102.128.152:8098/load.pngrelated -
http://84.38.132.67:9479/fav.icorelated -
http://145.232.235.222/usr/users/dwem.certrelated -
fed94f461145681dc9347b382497a72542424c64b6ae6fcf945f4becd2d46c32related -
advice.uphearth.comrelated -
7339cfa5a67f5a4261c18839ef971d7f96eaf60a46190cab590b439c71c4742brelated -
d71f478b1d5b8e489f5daafda99ad203de356095278c216a421694517826b79arelated -
9ac31ce26749874b8f9e080cbe10e6d9c4d0fa9c8edb17685291e031d7f82949related -
def2f01fbd4be85f48101e5ab7ddd82efb720e67daa6838f30fd8dcda1977563related -
http://panda.ourhome.o-r.kr/modeRead.phprelated -
http://www.mssrv.kro.kr/modeWrite.phprelated -
17085ef59c256aabae656311399575ceb2cf7e2e904255ac4c920fab9d5215e1related -
kmobile.bestunif.comrelated -
60425a4d5ee04c8ae09bfe28ca33bf9e76a43f69548b2704956d0875a0f25145related -
www.ipservice.kro.krrelated -
http://109.248.150.147:8585/view.phprelated -
658c25c5c9ed34cd7835b7efc5f75b0cbb9a7f6b96a6922fce077e78aa5b08b4related -
dda53eee2c5cb0abdbf5242f5e82f4de83898b6a9dd8aa935c2be29bafc9a469related -
panda.ourhome.o-r.krrelated -
4e5e42b1acb0c683963caf321167f6985e553af2c70f5b87ec07cc4a8c09b4d8related -
http://www.mssrv.kro.kr/modeView.phprelated -
66415464a0795d0569efa5cb5664785f74ed0b92a593280d689f3a2ac68dca66related
Vulnerabilities (CVE) (6)
CVE-2021-44228
KEV
10.0
Critical
Apache Log4j2 contains a vulnerability where JNDI features do not protect against attacker-controlled JNDI-related endpoints, allowing for remote code execution.
- Attack vector
- Network
- Published
- 10/12/2021
- Modified
- 27/05/2026
CVE-2023-42793
KEV
9.8
Critical
JetBrains TeamCity contains an authentication bypass vulnerability that allows for remote code execution on TeamCity Server.
- Attack vector
- Network
- Published
- 04/10/2023
- Modified
- 29/05/2026
CVE-2023-22515
KEV
9.8
Critical
Atlassian Confluence Data Center and Server contains a broken access control vulnerability that allows an attacker to create unauthorized Confluence administrator accounts …
- Attack vector
- Network
- Published
- 05/10/2023
- Modified
- 21/12/2025
CVE-2023-46604
KEV
10.0
Critical
Apache ActiveMQ contains a deserialization of untrusted data vulnerability that may allow a remote attacker with network access to a broker to …
- Attack vector
- Network
- Published
- 02/11/2023
- Modified
- 21/12/2025
CVE-2023-27350
KEV
9.8
Critical
PaperCut MF/NG contains an improper access control vulnerability within the SetupCompleted class that allows authentication bypass and code execution in the context …
- Attack vector
- Network
- Published
- 21/04/2023
- Modified
- 21/12/2025
CVE-2017-10271
KEV
7.5
High
Oracle Corporation WebLogic Server contains a vulnerability that allows for remote code execution.
- Attack vector
- NETWORK
- Complexity
- LOW
- Published
- 19/10/2017
- Modified
- 22/04/2026