STARDUST CHOLLIMA
Essential information
- Confidence
- 100/100
- Published
- 16/12/2025 19:39
- Modified
- 04/05/2026 16:33
- Updated at
- 04/05/2026 16:33
- Revoked
- No
- Author / Source
- The MITRE Corporation
- Resource level
- —
- Primary motivation
- —
- Related entities
- 1 reports, 97 attack patterns (mitre), 24 malware, 7 sectors, 20 countries, 100 indicators, 53 vulnerabilities (cve), 2 tool
Aliases
NICKEL GLADSTONE BeagleBoyz Stardust Chollima Sapphire Sleet COPERNICIUM Bluenoroff APT38
Description
Marking (TLP)
TLP:GREEN Copyright 2015-2025, The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation.
External references
- Kaspersky Lazarus Under The Hood Blog 2017
- Microsoft Threat Actor Naming July 2023
- FireEye APT38 Oct 2018
- SecureWorks NICKEL GLADSTONE profile Sept 2021
- DOJ North Korea Indictment Feb 2021
- CrowdStrike GTR 2021 June 2021
- CrowdStrike Stardust Chollima Profile April 2018
- FireEye APT38 Oct 2018
- CISA AA20-239A BeagleBoyz August 2020
- mitre-attack (G0082)
Related entities
Attack patterns, malware, vulnerabilities, indicators and other entities linked to this intrusion set.
Reports (1)
-
19 MITREs 6 Malwares 13 Observables 1 APT
Attack patterns (MITRE) (97)
-
T1176 usesSoftware Extensions MITRE
-
T1002 uses
-
T1070.004 usesFile Deletion MITRE
-
Mutual Exclusion uses
-
TA0037 uses
-
T1074.001 usesLocal Data Staging MITRE
-
T1140 usesDeobfuscate/Decode Files or Information MITRE
-
T1102 usesWeb Service MITRE
-
-
-
T1189 usesDrive-by Compromise MITRE
-
T1059.002 usesAppleScript MITRE
Malware (24)
-
RealTimeTroy usesAlienVault Confidence 100First seen 01/01/1970 · Last seen 16/11/5138 ·
-
softwareupdate.app usesAlienVault Confidence 100First seen 01/01/1970 · Last seen 16/11/5138 ·
-
HOPLIGHT usesFamily The MITRE Corporation Confidence 100
[HOPLIGHT](https://attack.mitre.org/software/S0376) is a backdoor Trojan that has reportedly been used by the North Korean government.(Citation: US-CERT HOPLIGHT Apr 2019)
First seen 01/01/1970 · Last seen 16/11/5138 · -
DarkKomet usesThe MITRE Corporation Confidence 100
[DarkComet](https://attack.mitre.org/software/S0334) is a Windows remote administration tool and backdoor.(Citation: TrendMicro DarkComet Sept 2014)(Citation: Malwarebytes DarkComet March 2018)
First seen 01/01/1970 · Last seen 16/11/5138 · -
com.apple.cli usesAlienVault Confidence 100First seen 01/01/1970 · Last seen 16/11/5138 ·
-
SneakMain usesAlienVault Confidence 100First seen 01/01/1970 · Last seen 16/11/5138 ·
-
LessonOne usesAlienVault Confidence 100First seen 01/01/1970 · Last seen 16/11/5138 ·
-
ZoomClutch usesAlienVault Confidence 100First seen 01/01/1970 · Last seen 16/11/5138 ·
-
DownTroy usesAlienVault Confidence 100First seen 01/01/1970 · Last seen 16/11/5138 ·
-
RooTroy usesAlienVault Confidence 100First seen 01/01/1970 · Last seen 16/11/5138 ·
-
SilentSiphon usesAlienVault Confidence 100First seen 01/01/1970 · Last seen 16/11/5138 ·
-
TeamsClutch usesAlienVault Confidence 100First seen 01/01/1970 · Last seen 16/11/5138 ·
Sectors (7)
-
Legal targets
-
Finance targets
-
Financial organizations targets
-
Fintech targets
-
Technology targets
-
Banking institutions targets
-
Government targets
Countries (20)
-
Italy targets
-
Australia targets
-
Russian Federation targets
-
United States of America targets
-
Poland targets
-
Hong Kong targets
-
Thailand targets
-
Ukraine targets
-
Viet Nam targets
-
Czechia targets
-
France targets
-
India targets
Indicators (100)
-
stix 100/100· Valid until 01/09/2026 · Source: AlienVault
-
stix 100/100 Revoked
SHA256 of a1a85cba1bc4ac9f6eafc548b1454f57b4dff7e0
· Valid until 07/10/2024 · Source: AlienVault -
http://signsafe.xyz/updaterelatedstix 100/100 Revoked· Valid until 14/12/2025 · Source: AlienVault -
googleservice.icurelated -
fastercapital.ccrelated -
stix 100/100 Revoked
SHA256 of 7a5d57c7e2b0c8ab7d60f7a7c7f4649f33fea8aa
· Valid until 07/10/2024 · Source: AlienVault -
stix 100/100 Revoked
SHA256 of 963a86aab1e450b03d51628797572fe9da8410a2
· Valid until 07/10/2024 · Source: AlienVault -
c59ac795c44edfeba5266c2cf39d7d4b5f6a30aba224f7977abc228e7f353ee1related -
stix 100/100 Revoked
multiple_versions SHA256 of 469236d0054a270e117a2621f70f2a494e7fb823
· Valid until 07/10/2024 · Source: AlienVault
Vulnerabilities (CVE) (53)
An authenticated SQL injection vulnerability in VMware HCX was privately reported to VMware. A malicious authenticated user with non-administrator privileges may be …
- Attack vector
- NETWORK
- Published
- 16/10/2024
- Modified
- 21/12/2025
An improper access control vulnerability has been identified in the SonicWall SonicOS management access, potentially leading to unauthorized resource access and in …
- Attack vector
- Network
- Published
- 09/09/2024
- Modified
- 21/12/2025
A code injection vulnerability in the User Portal and Webadmin of Sophos Firewall allows for remote code execution.
- Attack vector
- Network
- Published
- 23/09/2022
- Modified
- 27/05/2026
Cisco Adaptive Security Appliance (ASA) and Firepower Threat Defense (FTD) contain an information disclosure vulnerability. An attacker could retrieve memory contents on …
- Published
- 15/02/2024
- Modified
- 21/12/2025
Microsoft Windows MSHTML Platform contains a user interface (UI) misrepresentation of critical information vulnerability that allows an attacker to spoof a web …
- Attack vector
- Network
- Published
- 16/09/2024
- Modified
- 21/12/2025
- Published
- 20/12/2025
- Modified
- 21/12/2025
Ivanti Sentry, formerly known as MobileIron Sentry, contains an authentication bypass vulnerability that may allow an attacker to bypass authentication controls on …
- Attack vector
- Network
- Published
- 22/08/2023
- Modified
- 21/12/2025
Atlassian Confluence Data Center and Server contains a broken access control vulnerability that allows an attacker to create unauthorized Confluence administrator accounts …
- Attack vector
- Network
- Published
- 05/10/2023
- Modified
- 21/12/2025
RARLAB WinRAR contains an unspecified vulnerability that allows an attacker to execute code when a user attempts to view a benign file …
- Attack vector
- Local
- Published
- 24/08/2023
- Modified
- 27/05/2026
Authentication bypass in Fortra's GoAnywhere MFT prior to 7.4.1 allows an unauthorized user to create an admin user via the administration portal.
- Attack vector
- NETWORK
- Published
- 22/01/2024
- Modified
- 21/12/2025
Citrix NetScaler ADC and NetScaler Gateway contain a buffer overflow vulnerability that allows for sensitive information disclosure when configured as a Gateway …
- Attack vector
- Network
- Published
- 18/10/2023
- Modified
- 21/12/2025
Ivanti Endpoint Manager Mobile (EPMM) and MobileIron Core contain an authentication bypass vulnerability that allows unauthorized users to access restricted functionality or …
- Attack vector
- Network
- Published
- 18/01/2024
- Modified
- 21/12/2025
Tool (2)
-
Net usesThe MITRE Corporation Confidence 100
The [Net](https://attack.mitre.org/software/S0039) utility is a component of the Windows operating system. It is used in command-line operations for control of users, groups, services, and network connections. (Citation: Microsoft…
-
Mimikatz usesThe MITRE Corporation Confidence 100
[Mimikatz](https://attack.mitre.org/software/S0002) is a credential dumper capable of obtaining plaintext Windows account logins and passwords, along with many other features that make it useful for testing the security of…