STARDUST CHOLLIMA
Essential information
- Confidence: 100/100
- Published: 16/12/2025 19:39
- Modified: 04/05/2026 16:33
- Updated at: 04/05/2026 16:33
- Revoked: No
- Author / Source: The MITRE Corporation
- Resource level: —
- Primary motivation: —
- Related entities: 1 report, 97 attack patterns (MITRE), 24 malware, 7 sectors, 20 countries, 100 indicators, 53 vulnerabilities (CVE), 2 tools
Aliases
NICKEL GLADSTONE, BeagleBoyz, Stardust Chollima, Sapphire Sleet, COPERNICIUM, Bluenoroff, APT38
Description
Marking (TLP)
TLP:GREEN Copyright 2015-2025, The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation.
External references
- Kaspersky Lazarus Under The Hood Blog 2017
- Microsoft Threat Actor Naming July 2023
- FireEye APT38 Oct 2018
- SecureWorks NICKEL GLADSTONE profile Sept 2021
- DOJ North Korea Indictment Feb 2021
- CrowdStrike GTR 2021 June 2021
- CrowdStrike Stardust Chollima Profile April 2018
- CISA AA20-239A BeagleBoyz August 2020
- mitre-attack (G0082)
Related entities
Attack patterns, malware, vulnerabilities, indicators and other entities linked to this intrusion set.
Reports (1)
- 19 MITREs · 6 Malwares · 13 Observables · 1 APT
Attack patterns (MITRE) (97)
- T1041 Exfiltration Over C2 Channel (uses, MITRE)
- T1027 Obfuscated Files or Information (uses, MITRE)
- T1105 Ingress Tool Transfer (uses, MITRE)
- T1115 Clipboard Data (uses, MITRE)
- T1027.002 Software Packing (uses, MITRE)
- T1049 System Network Connections Discovery (uses, MITRE)
- T1562.003 Impair Command History Logging (uses, MITRE)
- T1560 Archive Collected Data (uses, MITRE)
- T1547.001 Registry Run Keys / Startup Folder (uses, MITRE)
- T1555.001 Keychain (uses, MITRE)
- T1132 Data Encoding (uses, MITRE)
Malware (24)
- RealTimeTroy (uses; source: AlienVault; confidence 100; first seen 01/01/1970 · last seen 16/11/5138)
- softwareupdate.app (uses; source: AlienVault; confidence 100; first seen 01/01/1970 · last seen 16/11/5138)
- HOPLIGHT (uses; Family; source: The MITRE Corporation; confidence 100; first seen 01/01/1970 · last seen 16/11/5138)
  [HOPLIGHT](https://attack.mitre.org/software/S0376) is a backdoor Trojan that has reportedly been used by the North Korean government. (Citation: US-CERT HOPLIGHT Apr 2019)
- DarkKomet (uses; source: The MITRE Corporation; confidence 100; first seen 01/01/1970 · last seen 16/11/5138)
  [DarkComet](https://attack.mitre.org/software/S0334) is a Windows remote administration tool and backdoor. (Citation: TrendMicro DarkComet Sept 2014) (Citation: Malwarebytes DarkComet March 2018)
- com.apple.cli (uses; source: AlienVault; confidence 100; first seen 01/01/1970 · last seen 16/11/5138)
- SneakMain (uses; source: AlienVault; confidence 100; first seen 01/01/1970 · last seen 16/11/5138)
- LessonOne (uses; source: AlienVault; confidence 100; first seen 01/01/1970 · last seen 16/11/5138)
- ZoomClutch (uses; source: AlienVault; confidence 100; first seen 01/01/1970 · last seen 16/11/5138)
- DownTroy (uses; source: AlienVault; confidence 100; first seen 01/01/1970 · last seen 16/11/5138)
- RooTroy (uses; source: AlienVault; confidence 100; first seen 01/01/1970 · last seen 16/11/5138)
- SilentSiphon (uses; source: AlienVault; confidence 100; first seen 01/01/1970 · last seen 16/11/5138)
- TeamsClutch (uses; source: AlienVault; confidence 100; first seen 01/01/1970 · last seen 16/11/5138)
Sectors (7)
- Legal (targets)
- Finance (targets)
- Financial organizations (targets)
- Fintech (targets)
- Technology (targets)
- Banking institutions (targets)
- Government (targets)
Countries (20)
- Italy (targets)
- Australia (targets)
- Russian Federation (targets)
- United States of America (targets)
- Poland (targets)
- Hong Kong (targets)
- Thailand (targets)
- Ukraine (targets)
- Viet Nam (targets)
- Czechia (targets)
- France (targets)
- India (targets)
Indicators (100)
- stix 100/100 · Valid until 01/09/2026 · Source: AlienVault
- stix 100/100 Revoked · SHA256 of a1a85cba1bc4ac9f6eafc548b1454f57b4dff7e0 · Valid until 07/10/2024 · Source: AlienVault
- http://signsafe.xyz/update (related) · stix 100/100 Revoked · Valid until 14/12/2025 · Source: AlienVault
- googleservice.icu (related)
- fastercapital.cc (related)
- stix 100/100 Revoked · SHA256 of 7a5d57c7e2b0c8ab7d60f7a7c7f4649f33fea8aa · Valid until 07/10/2024 · Source: AlienVault
- stix 100/100 Revoked · SHA256 of 963a86aab1e450b03d51628797572fe9da8410a2 · Valid until 07/10/2024 · Source: AlienVault
- c59ac795c44edfeba5266c2cf39d7d4b5f6a30aba224f7977abc228e7f353ee1 (related)
- stix 100/100 Revoked · multiple_versions SHA256 of 469236d0054a270e117a2621f70f2a494e7fb823 · Valid until 07/10/2024 · Source: AlienVault
Vulnerabilities (CVE) (53)
Microsoft Windows Ancillary Function Driver for WinSock contains an unspecified vulnerability that allows for privilege escalation, enabling a local attacker to gain …
- Attack vector: Local
- Published: 13/08/2024
- Modified: 21/12/2025
Type confusion in ANGLE in Google Chrome prior to 124.0.6367.78 allowed a remote attacker to potentially exploit heap corruption via a crafted …
- Attack vector: NETWORK
- Published: 01/05/2024
- Modified: 21/12/2025
Apple iOS, iPadOS, macOS, tvOS, and Safari WebKit contain a type confusion vulnerability that leads to code execution when processing maliciously crafted …
- Attack vector: Network
- Complexity: LOW
- Published: 23/01/2024
- Modified: 04/04/2026
Fortinet FortiOS contains an out-of-bound write vulnerability that allows a remote unauthenticated attacker to execute code or commands via specially crafted HTTP …
- Attack vector: Network
- Published: 09/02/2024
- Modified: 21/12/2025
In shouldHideDocument of ExternalStorageProvider.java, there is a possible bypass of a file path filter designed to prevent access to sensitive directories due …
- Attack vector: Local
- Published: 07/11/2024
- Modified: 21/12/2025
Malicious code was discovered in the upstream tarballs of xz, starting with version 5.6.0. Through a series of complex obfuscations, the liblzma …
- Attack vector: NETWORK
- Published: 29/03/2024
- Modified: 21/12/2025
An attacker can manipulate file upload params to enable paths traversal and under some circumstances this can lead to uploading a malicious …
- Attack vector: NETWORK
- Published: 07/12/2023
- Modified: 21/12/2025
VFS Sandbox Escape in CrushFTP in all versions before 10.7.1 and 11.1.0 on all platforms allows remote attackers with low privileges to …
- Attack vector: Network
- Published: 24/04/2024
- Modified: 28/02/2026
The vulnerability permits attackers to circumvent authentication processes, enabling them to remotely execute arbitrary code
- Attack vector: NETWORK
- Published: 26/12/2023
- Modified: 21/12/2025
F5 BIG-IP Configuration utility contains an authentication bypass using an alternate path or channel vulnerability due to undisclosed requests that may allow …
- Attack vector: Network
- Published: 31/10/2023
- Modified: 21/12/2025
Citrix NetScaler ADC and NetScaler Gateway contains a code injection vulnerability that allows for unauthenticated remote code execution.
- Attack vector: Network
- Published: 19/07/2023
- Modified: 27/05/2026
Veeam Backup and Replication contains a deserialization vulnerability allowing an unauthenticated user to perform remote code execution.
- Attack vector: Network
- Published: 17/10/2024
- Modified: 21/12/2025
Tool (2)
- Net (uses; source: The MITRE Corporation; confidence 100)
  The [Net](https://attack.mitre.org/software/S0039) utility is a component of the Windows operating system. It is used in command-line operations for control of users, groups, services, and network connections. (Citation: Microsoft…
- Mimikatz (uses; source: The MITRE Corporation; confidence 100)
  [Mimikatz](https://attack.mitre.org/software/S0002) is a credential dumper capable of obtaining plaintext Windows account logins and passwords, along with many other features that make it useful for testing the security of…