North Korea🇰🇵 KP76 malware familiesExploits CVEs in the wild

APT38

Also known asAPT38APT38 (Bluenoroff)BeagleBoyzBlueNoroffCageyChameleonCryptoCoreDangerousPasswordleeryturtlemasannickel tapestrysapphire sleetTA444unc1069

APT38 is a North Korea-aligned threat actor associated with the DPRK and widely linked to financially motivated cyber operations, especially theft from cryptocurrency and financial targets. The provided content ties APT38 closely to BlueNoroff/Bluenoroff and notes OFAC listed APT38 and APT 38 as aliases of Bluenoroff; the content also references related aliases and tracking names including BeagleBoyz, BlueNoroff, CageyChameleon, CryptoCore, DangerousPassword, LeeryTurtle, Masan, Nickel Tapestry, Sapphire Sleet, TA444, and UNC1069. Multiple items in the content describe UNC1069/CryptoCore as a DPRK-linked cryptocurrency-theft cluster active since at least 2018 that may be the successor to what was previously tracked as APT38. The actor is described as targeting cryptocurrency organizations, cryptocurrency exchanges, financial institutions, and related users and officials, with objectives including confidential information theft and monetary gain via SWIFT and cryptocurrency theft. The content also states that U.S. authorities attributed the theft of approximately $615 million from Axie Infinity to Lazarus Group and APT38, and that DOJ reporting tracked Lazarus Group and APT38 as part of a North Korean conspiracy involving bank heists, cryptocurrency theft, malicious cryptocurrency applications, FASTCash activity, and other financially motivated operations. Directly attributed tradecraft in the content includes use of the NACHOCHEESE command-line tunneler for shell access, use of batch scripts, collection of data from compromised hosts, modification of file timestamps to mimic nearby files, use of Sysmon for process and service reconnaissance, use of open-source tools such as Mimikatz, collection of browser bookmark information to profile victims and identify internal resources, and use of CLOSESHAVE to securely delete files and remove malware, tools, and other non-native artifacts during cleanup. The content also notes Elastic assessed PHANTOMPULSE tradecraft, targeting, and infrastructure as aligned with DPRK-linked crypto-targeting clusters including Lazarus, BlueNoroff, UNC5342, and APT38, but that reporting aligns rather than directly attributes PHANTOMPULSE to APT38.

Are they targeting you?

Know when an actor pivots toward your sector

Mallory correlates actor tradecraft and target patterns against your stack, your sector, and your geography. See overlap before they land.

Start free trial

OPERATIONAL PROFILE

Targeting

Who, where, and (when attributed) which flag flies behind the operation. Pulled from open-source reporting and Mallory's analyst review.

Who they target

Sectors the actor has been observed targeting.

Financial Services

Where they're from

Attributed origin per open-source reporting.

MITRE ATT&CK

Tradecraft

56 distinct techniques observed across reporting, grouped by tactic. Hover any cell for the evidence excerpt; click through for MITRE's full description.

14 of 15 tactics79 techniques×N= number of intelligence reports citing this technique

MITRE ATT&CK

TA0043

Reconnaissance

2 techniques

T1589

Gather Victim Identity Information

T1598

Phishing for Information

TA0042

Resource Development

2 techniques

T1585

Establish Accounts

T1588

Obtain Capabilities

T1588.002

Tool

TA0001

Initial Access

4 techniques

T1078×3

Valid Accounts

T1189×2

Drive-by Compromise

T1195×6

Supply Chain Compromise

T1195.001×2

Compromise Software Dependencies and Development Tools

T1195.002

Compromise Software Supply Chain

T1566×3

Phishing

T1566.001

Spearphishing Attachment

T1566.003×2

Spearphishing via Service

TA0002

Execution

4 techniques

T1053

Scheduled Task/Job

T1053.005×2

Scheduled Task

T1059×2

Command and Scripting Interpreter

T1059.001×3

PowerShell

T1059.002×2

AppleScript

T1059.003×2

Windows Command Shell

T1059.004×2

Unix Shell

T1059.006

Python

T1204

User Execution

T1204.002

Malicious File

T1574

Hijack Execution Flow

TA0003

Persistence

6 techniques

T1053

Scheduled Task/Job

T1053.005×2

Scheduled Task

T1078×3

Valid Accounts

T1112

Modify Registry

T1543

Create or Modify System Process

T1543.003

Windows Service

T1547

Boot or Logon Autostart Execution

T1556

Modify Authentication Process

TA0004

Privilege Escalation

6 techniques

T1053

Scheduled Task/Job

T1053.005×2

Scheduled Task

T1055×4

Process Injection

T1078×3

Valid Accounts

T1543

Create or Modify System Process

T1543.003

Windows Service

T1547

Boot or Logon Autostart Execution

T1548

Abuse Elevation Control Mechanism

T1548.002

Bypass User Account Control

TA0005

Stealth

9 techniques

T1027

Obfuscated Files or Information

T1036×4

Masquerading

T1055×4

Process Injection

T1070×4

Indicator Removal

T1070.004×3

File Deletion

T1070.006

Timestomp

T1078×3

Valid Accounts

T1218

System Binary Proxy Execution

T1564

Hide Artifacts

T1574

Hijack Execution Flow

T1620×2

Reflective Code Loading

TA0112

Defense Impairment

2 techniques

T1112

Modify Registry

T1556

Modify Authentication Process

TA0006

Credential Access

5 techniques

T1003

OS Credential Dumping

T1056

Input Capture

T1056.001

Keylogging

T1555

Credentials from Password Stores

T1555.003

Credentials from Web Browsers

T1555.005

Password Managers

T1556

Modify Authentication Process

T1649×4

Steal or Forge Authentication Certificates

TA0007

Discovery

4 techniques

T1057×2

Process Discovery

T1082×3

System Information Discovery

T1083

File and Directory Discovery

T1217

Browser Information Discovery

TA0009

Collection

5 techniques

T1005×2

Data from Local System

T1056

Input Capture

T1056.001

Keylogging

T1115

Clipboard Data

T1125

Video Capture

T1560

Archive Collected Data

TA0011

Command and Control

4 techniques

T1071×2

Application Layer Protocol

T1071.001

Web Protocols

T1102

Web Service

T1105×2

Ingress Tool Transfer

T1219×4

Remote Access Tools

TA0010

Exfiltration

1 technique

T1041×2

Exfiltration Over C2 Channel

TA0040

Impact

1 technique

T1657

Financial Theft

ARSENAL

Associated malware families

76 malware families attributed to this actor across reporting.

FamilyContextEvidenceLast seen

WAVESHAPER.V2Google described WAVESHAPER.V2 as a “fully functional RAT”, capable of reconnaissance (extracting telemetry), command execution (in-memory Portable Executable injection and arbitrary shell commands), and system enumeration (returns detailed metadata).6May 26, 2026

AppleJeusThe joint cybersecurity analysis and MARs highlight the cyber threat North Korea – which is referred to by the U.S. government as HIDDEN COBRA – poses to cryptocurrency and identify malware and indicators of compromise related to the “AppleJeus” family of malware (the name given by the cybersecurity community to a family of North Korean malicious cryptocurrency applications that includes Celas Trade Pro, WorldBit-Bot, Union Crypto Trader, Kupay Wallet, CoinGo Trade, Dorusio, CryptoNeuro Trader, and Ants2Whale).3May 26, 2026

icloudzAside from deploying a credential stealer that exfiltrates data via Telegram Bot API, the campaign also involved the icloudz backdoor that enabled further in-memory delivery of additional payloads.3Apr 18, 2026

plain-crypto-jsThese versions introduced a phantom dependency -- plain-crypto-js@4.2.1 ... a package that had not existed before that day and is never actually imported by axios code. Its sole purpose was to execute a postinstall script that drops and runs a cross-platform RAT targeting macOS, Windows, and Linux.3Apr 16, 2026

WAVESHAPERThe goal was credential harvesting and financial theft, facilitated by multiple malware families including WAVESHAPER and SUGARLOADER... a fake error prompt tricked the maintainer into running an “update” that deployed WAVESHAPER.V2, giving the attackers the npm credentials needed to publish trojanized versions of axios.3Apr 9, 2026

71 additional families tracked in Mallory.

WEAPONIZED

Associated vulnerabilities

2 CVEs this actor has used in observed campaigns. 2 of them exploited in the wild.

CVE-2025-9491Microsoft Windows LNK File UI Misrepresentation Remote Code Execution VulnerabilityIn the wildEvidence2

This detection identifies instances where Windows Explorer.exe spawns PowerShell or cmd.exe processes, particularly focusing on executions initiated by LNK files. This behavior is associated with the ZDI-CAN-25373 Windows shortcut zero-day vulnerability, where specially crafted LNK files are used to trigger malicious code execution through cmd.exe or powershell.exe. This technique has been actively exploited by multiple APT groups in targeted attacks through both HTTP and SMB delivery methods.

CVE-2026-33634Trivy supply chain compromise via malicious release and retagged GitHub ActionsIn the wildEvidence1

CERT-EU disclosed on April 2-3, 2026 that the European Commission's Europa web hosting platform on AWS was breached through the Trivy supply chain compromise (CVE-2026-33634). ... Entry vector: Supply chain via compromised Trivy (CVE-2026-33634) ... The CISA KEV remediation deadline for CVE-2026-33634 is now 5 days away (April 8, 2026).

IOCS

Observables

443 indicators attributed to this actor: domains, IPs, hashes, and other artifacts pulled from reporting. View more in app.

443 IOCsView more in app

Domains

156 total

••••••.com•••••••.ru••••••••.com•••••••••.net••••••••••.com•••••••••••.ru••••••••••••.com••••••.ru+148

hash.md5

76 total

••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••+68

hash.sha1

61 total

••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••+53

hash.sha256

60 total

••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••+52

uri

54 total

••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••+46

ip.v4

36 total

••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••+28

IOC values are gated. View more in Mallory for domains, IPs, hashes, and other artifacts, or pipe them straight into your SIEM.

ACTIVITY FEED

Recent activity

20 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.

20 SOURCESView more in app

cyber security newsNews

Jun 2, 2026

PHANTOMPULSE RAT Uses Process Injection and UAC Bypass to Compromise Windows Systems

Referenced as a DPRK-linked group whose known patterns match the PHANTOMPULSE campaign, especially cryptocurrency wallet targeting.

lazarusholic blueskyNews

May 31, 2026

Post by @lazarusholic.bsky.social - Bluesky

Targeting macOS in a multi-stage intrusion campaign.

the hacker newsNews

May 28, 2026

JINX-0164 Targets Cryptocurrency Firms with Fake Recruiter Lures and macOS Malware

Referenced as a North Korean threat cluster with tradecraft similar to the observed campaign, especially around cryptocurrency and developer targeting.

lazarusholic blueskyNews

May 28, 2026

Post by @lazarusholic.bsky.social - Bluesky

Referenced as a named activity cluster or threat actor discussed in the ESET APT Activity Report Q4 2025–Q1 2026.

+190 more in the timeline

What this page doesn’t show

The version that knows your environment.

This page is what’s public. Mallory adds the parts that aren’t: sector and geo overlap with your footprint, the IOCs they’re burning right now, detection coverage, and what to do next.

Start free trial

Target overlap

Match sector + geo + tech-stack targeting against your real footprint.

Tradecraft mapping56

Every observed MITRE ATT&CK technique, grouped by tactic.

Malware arsenal76

Families this actor is known to deploy, with IOCs and behavior.

Exploited CVEs2

CVEs this actor has used in known campaigns.

Detection signatures

YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.

Observables443

Domains, IPs, and hashes tied to this actor, refreshed continuously.