Array of malware used to gather intelligence for North Korea
Essential information
- Published
- 29/07/2024 10:21
- Modified
- 29/07/2024 11:04
- Tags
- 2024-07-29, CVE-2021-44228, CVE-2023-27350, CVE-2023-42793, dtrack, espionage, lighthand, north korea, sliver, smalltiger, tigerrat, validalpha
- Related entities
- 5 vulnerabilities (cve), 24 observables, 1 intrusion sets (apt), 19 techniques (mitre), 6 malware, 6 others
Description
Related entities
Vulnerabilities, IOCs, intrusion sets, MITRE techniques and other entities referenced in this report.
Vulnerabilities (CVE) (5)
JetBrains TeamCity contains an authentication bypass vulnerability that allows for remote code execution on TeamCity Server.
- Attack vector
- Network
- Published
- 04/10/2023
- Modified
- 29/05/2026
PaperCut MF/NG contains an improper access control vulnerability within the SetupCompleted class that allows authentication bypass and code execution in the context …
- Attack vector
- Network
- Published
- 21/04/2023
- Modified
- 21/12/2025
Apache ActiveMQ contains a deserialization of untrusted data vulnerability that may allow a remote attacker with network access to a broker to …
- Attack vector
- Network
- Published
- 02/11/2023
- Modified
- 21/12/2025
Atlassian Confluence Data Center and Server contains a broken access control vulnerability that allows an attacker to create unauthorized Confluence administrator accounts …
- Attack vector
- Network
- Published
- 05/10/2023
- Modified
- 21/12/2025
Apache Log4j2 contains a vulnerability where JNDI features do not protect against attacker-controlled JNDI-related endpoints, allowing for remote code execution.
- Attack vector
- Network
- Published
- 10/12/2021
- Modified
- 27/05/2026
Observables (24)
- 84.38.134.56 (IPv4)
- 45.155.37.101 (IPv4)
- 213.139.205.151 (IPv4)
- 162.19.71.175 (IPv4)
- 147.78.149.201 (IPv4)
- 109.248.150.147 (IPv4)
- http://84.38.134.56/procdump.gif (URL)
- ww3c.bounceme.net (domain)
- advice.uphearth.com (domain)
- americajobmail.site (domain)
- privatemake.bounceme.net (domain)
- fed94f461145681dc9347b382497a72542424c64b6ae6fcf945f4becd2d46c32 (SHA-256)
- f1662bee722a4e25614ed30933b0ced17b752d99fae868fbb326a46afa2282d5 (SHA-256)
- 96118268f9ab475860c3ae3edf00d9ee944d6440fd60a1673f770d150bfb16d3 (SHA-256)
- 868a62feff8b46466e9d63b83135a7987bf6d332c13739aa11b747b3e2ad4bbf (SHA-256)
- 29c6044d65af0073424ccc01abcb8411cbdc52720cac957a3012773c4380bab3 (SHA-256)
- 1b88b939e5ec186b2d19aec8f17792d493d74dd6ab3d5a6ddc42bfe78b01aff1 (SHA-256)
- c1a09024504a5ec422cbea68e17dffc46472d3c2d73f83aa0741a89528a45cd1 (SHA-256)
- c2500a6e12f22b16e221ba01952b69c92278cd05632283d8b84c55c916efe27c (SHA-256)
- 8daa6b20caf4bf384cc7912a73f243ce6e2f07a5cb3b3e95303db931c3fe339f (SHA-256)
- 7339cfa5a67f5a4261c18839ef971d7f96eaf60a46190cab590b439c71c4742b (SHA-256)
- 3098e6e7ae23b3b8637677da7bfc0ba720e557e6df71fa54a8ef1579b6746061 (SHA-256)
- 0837dd54268c373069fc5c1628c6e3d75eb99c3b3efc94c45b73e2cf9a6f3207 (SHA-256)
- f32f6b229913d68daad937cc72a57aa45291a9d623109ed48938815aa7b6005c (SHA-256)
Intrusion sets (APT) (1)
- Published 29/07/2024 10:21 · Modified 29/07/2024 10:21
Techniques (MITRE) (19)
- Data Manipulation
- Office Application Startup
- Software Packing
- Create Account
- Windows Command Shell
- Account Discovery
- Web Protocols
- Remote Services
- System Binary Proxy Execution
- Process Discovery
- Ingress Tool Transfer
- Application Layer Protocol
- Web Service
- Masquerading
- Network Denial of Service
- Data Encoding
- Obfuscated Files or Information
- Command and Scripting Interpreter
Malware (6)
- Family · Published 30/10/2024 16:32 · Modified 30/10/2024 16:32
- Family · Published 29/07/2024 10:21 · Modified 29/07/2024 10:21
- Family · Published 29/07/2024 10:21 · Modified 29/07/2024 10:21
- AlienVault · Confidence 100 · First seen 01/01/1970 · Last seen 16/11/5138 · Published 21/12/2025 05:20 · Modified 21/12/2025 05:20
- Family · Published 29/07/2024 10:21 · Modified 29/07/2024 10:21
- Family · Published 12/06/2026 21:29 · Modified 12/06/2026 21:29
Others (6)
- India
- Korea, Republic of
- United States of America
- Technology
- Energy
- Defense