DPRK
· Published 20/12/2025 23:19 · Modified 20/12/2025 23:19
· Source: AlienVault
Essential information
- Confidence: 100/100
- Published: 20/12/2025 23:19
- Modified: 20/12/2025 23:19
- Updated at: 20/12/2025 23:19
- Revoked: No
- Author / Source: AlienVault
- Resource level: —
- Primary motivation: —
- Related entities: 6 reports, 68 attack patterns (mitre), 16 malware, 6 sectors, 4 countries, 102 indicators, 4 vulnerabilities (cve)
Description
No description.
Marking (TLP)
TLP:CLEAR
Related entities
Attack patterns, malware, vulnerabilities, indicators and other entities linked to this intrusion set.
Reports (6)
- AlienVault · Confidence 100 · 16 MITREs · 3 IOCs · 3 Observables · 1 APT · Published 23/04/2026 05:27 · Modified 27/04/2026 14:32 · threat-report
- 14 MITREs · 1 Malware · 2 Observables · 1 APT · Published 26/11/2025 10:07 · Modified 21/12/2025 18:05
- 18 MITREs · 1 Malware · 9 Observables · 1 APT · Published 04/07/2025 09:39 · Modified 04/07/2025 10:14
- 11 MITREs · 5 Malwares · 2 Observables · 1 APT · Published 04/02/2025 08:35 · Modified 04/02/2025 09:44
- 8 MITREs · 3 Malwares · 1 APT · Published 31/01/2025 09:53 · Modified 31/01/2025 10:39
- 19 MITREs · 2 Malwares · 1 APT · Published 09/10/2024 15:39 · Modified 10/10/2024 08:07
Attack patterns (MITRE) (68)
- T1056.001 uses Keylogging
- TA0007 uses
- T1588.002 uses Tool
- T1095 uses Non-Application Layer Protocol
- T1016 uses System Network Configuration Discovery
- T1078 uses Valid Accounts
- T1562.001 uses Disable or Modify Tools
- T1598.003 uses Spearphishing Link
- T1566 uses Phishing
- TA0040 uses
- T1497 uses Virtualization/Sandbox Evasion
- T1070.004 uses File Deletion
- T1583.003 uses Virtual Private Server
- T1074 uses Data Staged
- T1102.002 uses Bidirectional Communication
- T1552.001 uses Credentials In Files
- T1555.001 uses Keychain
- T1071 uses Application Layer Protocol
- T1543 uses Create or Modify System Process
- T1078.003 uses Local Accounts
- T1566.002 uses Spearphishing Link
- T1590.005 uses IP Addresses
- T1497.003 uses Time Based Checks
- T1059.006 uses Python
- T1090.003 uses Multi-hop Proxy
- T1132.001 uses Standard Encoding
- T1204 uses User Execution
- T1546.001
- T1036.005 uses Match Legitimate Resource Name or Location
- T1071.001 uses Web Protocols
- T1573.001 uses Symmetric Cryptography
- T1083 uses File and Directory Discovery
- T1055 uses Process Injection
- T1574.002 uses
- T1571 uses Non-Standard Port
- T1027 uses Obfuscated Files or Information
- T1119 uses Automated Collection
- T1543.001 uses Launch Agent
- T1102 uses Web Service
- T1027.001 uses Binary Padding
- T1195 uses Supply Chain Compromise
- T1547.001 uses Registry Run Keys / Startup Folder
- T1132 uses Data Encoding
- T1586.002 uses Email Accounts
- T1082 uses System Information Discovery
- T1090.002 uses External Proxy
- T1219 uses Remote Access Tools
- T1059.001 uses PowerShell
- T1059.005 uses Visual Basic
- T1486 uses Data Encrypted for Impact
- T1036 uses Masquerading
- TA0001 uses
- T1005 uses Data from Local System
- T1566.001 uses Spearphishing Attachment
- T1105 uses Ingress Tool Transfer
- TA0008 uses
- T1059.004 uses Unix Shell
- T1553.002 uses Code Signing
- T1057 uses Process Discovery
- T1204.002 uses Malicious File
- T1059.002 uses AppleScript
- T1555 uses Credentials from Password Stores
- T1573.002 uses Asymmetric Cryptography
- T1041 uses Exfiltration Over C2 Channel
- T1583 uses Acquire Infrastructure
- T1140 uses Deobfuscate/Decode Files or Information
- T1547.009 uses Shortcut Modification
- T1087 uses Account Discovery
Malware (16)
- BeaverTail uses · Family · Published 21/04/2026 12:09 · Modified 21/04/2026 12:09
- ChromeUpdate uses · AlienVault · Confidence 100 · First seen 01/01/1970 · Last seen 16/11/5138 · Published 21/12/2025 09:42 · Modified 21/12/2025 09:42
- DPRK
- SparkRAT uses · Family · Published 20/02/2026 00:28 · Modified 20/02/2026 00:28
- FROSTYFERRET_UI uses · Family · Published 04/02/2025 08:35 · Modified 04/02/2025 08:35
- Maui
- Ryuk
- FRIENDLYFERRET_SECD uses · AlienVault · Confidence 100 · First seen 01/01/1970 · Last seen 16/11/5138 · Published 20/12/2025 19:50 · Modified 21/12/2025 09:42
- Family · Published 04/02/2025 08:35 · Modified 04/02/2025 08:35
- NimDoor uses · Family · Published 04/07/2025 09:39 · Modified 04/07/2025 09:39
- H0lyGh0st
- InvisibleFerret uses · Family · Published 21/04/2026 12:09 · Modified 21/04/2026 12:09
- WarmCookie uses · Family · Published 28/01/2026 18:26 · Modified 28/01/2026 18:26
- ClickFix uses · Family · Published 14/05/2026 11:16 · Modified 14/05/2026 11:16
- FlexibleFerret uses · Family · Published 08/06/2026 10:05 · Modified 08/06/2026 10:05
- XWorm uses · Family · Published 27/03/2026 08:45 · Modified 27/03/2026 08:45
Sectors (6)
- Healthcare targets
- Government targets
- Public Health targets
- Technology targets
- Chemical targets
- Finance targets
Countries (4)
- Latvia targets
- Korea, Republic of targets
- Singapore targets
- United States of America targets
Indicators (102)
Vulnerabilities (CVE) (4)
CVE-2021-20038
KEV
SonicWall SMA 100 devices are vulnerable to an unauthenticated stack-based buffer overflow vulnerability where exploitation can result in code execution.
- Published: 28/01/2022
- Modified: 20/12/2025
CVE-2022-24990
KEV
7.5
High
TerraMaster OS contains a remote command execution vulnerability that allows an unauthenticated user to execute commands on the target endpoint.
- Attack vector: Network
- Published: 10/02/2023
- Modified: 20/12/2025
CVE-2024-27198
KEV
9.8
Critical
JetBrains TeamCity contains an authentication bypass vulnerability that allows an attacker to perform admin actions.
- Attack vector: Network
- Published: 07/03/2024
- Modified: 21/12/2025
CVE-2021-44228
KEV
10.0
Critical
Apache Log4j2 contains a vulnerability where JNDI features do not protect against attacker-controlled JNDI-related endpoints, allowing for remote code execution.
- Attack vector: Network
- Published: 10/12/2021
- Modified: 27/05/2026