Skip to main content
Mallory
Back to threat actors
North Korea62 malware familiesExploits CVEs in the wild

Andariel

Also known asAndarielAPT45Black ChollimaDarkSeouljumpy_piscesOnyx SleetPLUTONIUMSILENT CHOLLIMAStoneflyTdrop2 campaign

Andariel is a North Korea-linked threat actor and a sanctioned DPRK state-sponsored malicious cyber group. The provided content identifies Andariel as associated with North Korea and notes OFAC added it to the SDN List in September 2019. Treasury reporting in the content describes Andariel as one of two subsidiaries of Lazarus Group, alongside Bluenoroff, and states that Lazarus Group, Bluenoroff, and Andariel stole around $700 million over three years and attempted to steal nearly $2 billion. Known aliases in the provided content include APT45, Black Chollima, DarkSeoul, Jumpy Pisces, Onyx Sleet, PLUTONIUM, Silent Chollima, Stonefly, and TDrop2 campaign. Microsoft naming reflected in the content maps the actor to the North Korea-attributed Sleet family via the alias Onyx Sleet. The content describes Andariel conducting spearphishing campaigns using malicious Word or Excel attachments and attempting to lure victims into enabling malicious macros in email attachments. It also states that Andariel used tasklist to enumerate processes and search for a specific string, and collected large numbers of files from compromised network systems for later extraction. Recent activity in the provided reporting says ESET uncovered the reemergence of Andariel in South Korea, where the group deployed TigerRAT and attempted to spread Rook ransomware within a South Korean engineering company. The targeted company reportedly appeared to manufacture equipment relevant to liquid hydrogen handling and the nuclear industry. Separate reporting in the content also says Play has recently been linked to the North Korea-aligned group Andariel. The content further states that APT45, identified as DPRK-aligned and described in one source as North Korea’s military hacking group, used AI systems operationally by sending thousands of repetitive prompts to recursively analyze CVEs and validate proof-of-concept exploits at industrial scale, building a durable exploit arsenal.

Share:
Are they targeting you?

Know when an actor pivots toward your sector

Mallory correlates actor tradecraft and target patterns against your stack, your sector, and your geography. See overlap before they land.

Start free trial
OPERATIONAL PROFILE

Targeting

Who, where, and (when attributed) which flag flies behind the operation. Pulled from open-source reporting and Mallory's analyst review.

Who they target

Sectors the actor has been observed targeting.

  • government
  • legal
MITRE ATT&CK

Tradecraft

52 distinct techniques observed across reporting, grouped by tactic. Hover any cell for the evidence excerpt; click through for MITRE's full description.

14 of 15 tactics62 techniques×N= number of intelligence reports citing this technique
MITRE ATT&CK
TA0043
Reconnaissance
3 techniques
T1592×2
Gather Victim Host Information
T1595
Active Scanning
T1596
Search Open Technical Databases
TA0042
Resource Development
1 technique
T1587×3
Develop Capabilities
T1587.001×2
Malware
T1587.004×3
Exploits
TA0001
Initial Access
5 techniques
T1078
Valid Accounts
T1189
Drive-by Compromise
T1190×6
Exploit Public-Facing Application
T1195×2
Supply Chain Compromise
T1566×3
Phishing
T1566.001×5
Spearphishing Attachment
T1566.002
Spearphishing Link
TA0002
Execution
5 techniques
T1059×2
Command and Scripting Interpreter
T1059.001×2
PowerShell
T1059.007
JavaScript
T1129
Shared Modules
T1197
BITS Jobs
T1203×4
Exploitation for Client Execution
T1204
User Execution
T1204.001
Malicious Link
T1204.002×6
Malicious File
TA0003
Persistence
3 techniques
T1078
Valid Accounts
T1197
BITS Jobs
T1546
Event Triggered Execution
T1546.015×2
Component Object Model Hijacking
TA0004
Privilege Escalation
3 techniques
T1068×2
Exploitation for Privilege Escalation
T1078
Valid Accounts
T1546
Event Triggered Execution
T1546.015×2
Component Object Model Hijacking
TA0005
Stealth
6 techniques
T1027
Obfuscated Files or Information
T1036
Masquerading
T1070
Indicator Removal
T1070.004
File Deletion
T1078
Valid Accounts
T1197
BITS Jobs
T1564
Hide Artifacts
T1564.006
Run Virtual Instance
TA0006
Credential Access
1 technique
T1003×2
OS Credential Dumping
TA0007
Discovery
5 techniques
T1016
System Network Configuration Discovery
T1049
System Network Connections Discovery
T1057×3
Process Discovery
T1083
File and Directory Discovery
T1217
Browser Information Discovery
TA0008
Lateral Movement
1 technique
T1021
Remote Services
T1021.002×2
SMB/Windows Admin Shares
TA0009
Collection
3 techniques
T1005×4
Data from Local System
T1039
Data from Network Shared Drive
T1560
Archive Collected Data
TA0011
Command and Control
4 techniques
T1071
Application Layer Protocol
T1071.001
Web Protocols
T1090×2
Proxy
T1090.002
External Proxy
T1105×4
Ingress Tool Transfer
T1572×2
Protocol Tunneling
TA0010
Exfiltration
3 techniques
T1041×2
Exfiltration Over C2 Channel
T1048
Exfiltration Over Alternative Protocol
T1567
Exfiltration Over Web Service
TA0040
Impact
4 techniques
T1485
Data Destruction
T1486×4
Data Encrypted for Impact
T1561×2
Disk Wipe
T1657×2
Financial Theft
ARSENAL

Associated malware families

62 malware families attributed to this actor across reporting.

FamilyContextEvidenceLast seen
MauiAndariel was reported deploying their signature Maui ransomware on at least one occasion in 20224Apr 18, 2026
TigerRATWe also uncovered the reemergence of Andariel in South Korea, where the group deployed TigerRAT and attempted to spread Rook ransomware within an engineering company4May 29, 2026
Lilith RATIt also follows a new attack campaign orchestrated by the North Korea-linked Andariel group – another subordinate element within Lazarus – to deliver Black RAT, Lilith RAT, NukeSped, and TigerRAT by infiltrating vulnerable MS-SQL servers as well as via supply chain attacks using a South Korean asset management software.3Apr 18, 2026
NukeSpedIt also follows a new attack campaign orchestrated by the North Korea-linked Andariel group – another subordinate element within Lazarus – to deliver Black RAT, Lilith RAT, NukeSped, and TigerRAT by infiltrating vulnerable MS-SQL servers as well as via supply chain attacks using a South Korean asset management software.3Apr 18, 2026
3proxySuspicious 3proxy tool... The “3Proxy” tool... was compiled on 2020-09-09 and deployed to the victim on 2020-12-25... used... to maintain access.2Mar 18, 2026

57 additional families tracked in Mallory.

WEAPONIZED

Associated vulnerabilities

3 CVEs this actor has used in observed campaigns. 3 of them exploited in the wild.

CVE-2021-44228Log4ShellIn the wildEvidence3

The actors gain initial access through widespread exploitation of web servers through known vulnerabilities, such as CVE-2021-44228 (“Log4Shell”) in Apache’s Log4j software library... Note: CVE-2021-44228 ‘Log4Shell’ was disclosed in December 2021 and affects the Log4j library prior to version 2.17.0.

CVE-2025-9491Microsoft Windows LNK File UI Misrepresentation Remote Code Execution VulnerabilityIn the wildEvidence2

This detection identifies instances where Windows Explorer.exe spawns PowerShell or cmd.exe processes, particularly focusing on executions initiated by LNK files. This behavior is associated with the ZDI-CAN-25373 Windows shortcut zero-day vulnerability, where specially crafted LNK files are used to trigger malicious code execution through cmd.exe or powershell.exe. This technique has been actively exploited by multiple APT groups in targeted attacks through both HTTP and SMB delivery methods.

CVE-2017-10271Oracle WebLogic WLS-WSAT XML Deserialization RCEIn the wildEvidence1

"The other victim operated a vulnerable Weblogic server. According to our telemetry, the actor compromised this server via the CVE-2017-10271 exploit."

IOCS

Observables

132 indicators attributed to this actor: domains, IPs, hashes, and other artifacts pulled from reporting. View more in app.

132 IOCsView more in app

IOC values are gated. View more in Mallory for domains, IPs, hashes, and other artifacts, or pipe them straight into your SIEM.

ACTIVITY FEED

Recent activity

20 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.

20 SOURCESView more in app
malware newsNews
May 29, 2026
The AI-Embedded SOC: An Operating Model for the Asymmetry Era - Malware News - Malware Analysis, News and Indicators

DPRK-aligned actor using AI at industrial scale to analyze CVEs and validate exploit proof-of-concepts, building a durable exploit arsenal.

Read more
detectNews
May 29, 2026
The AI-Embedded SOC: An Operating Model for the Asymmetry Era | by Omar Tarek Zayed | May, 2026 | Detect FYI

Uses AI at industrial scale to recursively analyze CVEs and validate proof-of-concept exploits, building a durable exploit arsenal.

Read more
lazarusholic blueskyNews
May 28, 2026
Post by @lazarusholic.bsky.social - Bluesky

Referenced as a named threat actor discussed in the ESET APT Activity Report Q4 2025–Q1 2026.

Read more
eset welivesecurity blogNews
May 28, 2026
ESET APT Activity Report Q4 2025-Q1 2026

Reemerged in South Korea, deploying TigerRAT and attempting to spread Rook ransomware inside an engineering company tied to liquid hydrogen handling and the nuclear industry.

Read more
+168 more in the timeline
What this page doesn’t show

The version that knows your environment.

This page is what’s public. Mallory adds the parts that aren’t: sector and geo overlap with your footprint, the IOCs they’re burning right now, detection coverage, and what to do next.
Start free trial
Target overlap

Match sector + geo + tech-stack targeting against your real footprint.

Tradecraft mapping52

Every observed MITRE ATT&CK technique, grouped by tactic.

Malware arsenal62

Families this actor is known to deploy, with IOCs and behavior.

Exploited CVEs3

CVEs this actor has used in known campaigns.

Detection signatures

YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.

Observables132

Domains, IPs, and hashes tied to this actor, refreshed continuously.