North Korea4 malware families

Alluring Pisces

Also known asAlluring PiscesAppleJeusAPT38BeagleBoyzBlack ArtemisBlueNoroffCageyChameleonCitrine SleetCOPERNICIUMCryptoCoreDiamond SleetGleaming PiscesGuardians of PeaceHidden CobraJade SleetLABYRINTH CHOLLIMAlazaruslazarus_aptlazarus_apt_grouplazarus_groupMoonstone SleetNICKEL ACADEMYNICKEL GLADSTONESapphire SleetSTARDUST CHOLLIMAStorm-0139Storm-0954Storm-1222Storm-1789UNC1069UNC1720UNC4736ZINC

Alluring Pisces is a North Korea-attributed threat actor tracked under numerous aliases including Lazarus Group, Lazarus, Lazarus APT, BlueNoroff, Sapphire Sleet, APT38, BeagleBoyz, Hidden Cobra, Diamond Sleet, Jade Sleet, Moonstone Sleet, Citrine Sleet, AppleJeus, CryptoCore, Copernicium, Labyrinth Chollima, Stardust Chollima, UNC1069, UNC1720, UNC4736, Storm-0139, Storm-0954, Storm-1222, Storm-1789, Guardians of Peace, Black Artemis, CageyChameleon, Gleaming Pisces, Nickel Academy, Nickel Gladstone, and Zinc. The provided content attributes the actor to North Korea and describes motivations of financial gain and espionage, with targeting focused on finance, cryptocurrency, and defense. Mentioned malware and operations include WannaCry, Hermes, BLINDINGCAN, and campaigns such as Operation AppleJeus and Dream Job. Supporting reporting in the content also links Alluring Pisces to BlueNoroff and Sapphire Sleet, and notes prior attribution of the RustDoor backdoor to this actor. The content states that Lazarus Group is associated with extensive ATT&CK coverage, with 80+ techniques and usage relationships.

Are they targeting you?

Know when an actor pivots toward your sector

Mallory correlates actor tradecraft and target patterns against your stack, your sector, and your geography. See overlap before they land.

Start free trial

MITRE ATT&CK

Tradecraft

100 distinct techniques observed across reporting, grouped by tactic. Hover any cell for the evidence excerpt; click through for MITRE's full description.

14 of 15 tactics155 techniques×N= number of intelligence reports citing this technique

MITRE ATT&CK

TA0043

Reconnaissance

3 techniques

T1589

Gather Victim Identity Information

T1589.002

Email Addresses

T1591

Gather Victim Org Information

T1598

Phishing for Information

T1598.003

Spearphishing Link

TA0042

Resource Development

4 techniques

T1583

Acquire Infrastructure

T1583.001

Domains

T1583.003

Virtual Private Server

T1583.006

Web Services

T1587

Develop Capabilities

T1587.001

Malware

T1588

Obtain Capabilities

T1588.002

Tool

T1588.004

Digital Certificates

T1608

Stage Capabilities

T1608.001

Upload Malware

TA0001

Initial Access

3 techniques

T1189

Drive-by Compromise

T1195

Supply Chain Compromise

T1195.002

Compromise Software Supply Chain

T1566

Phishing

T1566.001

Spearphishing Attachment

T1566.002

Spearphishing Link

TA0002

Execution

6 techniques

T1047

Windows Management Instrumentation

T1053

Scheduled Task/Job

T1053.003

Cron

T1053.005

Scheduled Task

T1059

Command and Scripting Interpreter

T1059.001

PowerShell

T1059.003

Windows Command Shell

T1059.005

Visual Basic

T1106

Native API

T1204

User Execution

T1204.001

Malicious Link

T1204.002

Malicious File

T1574

Hijack Execution Flow

T1574.001

DLL

T1574.013

KernelCallbackTable

TA0003

Persistence

5 techniques

T1053

Scheduled Task/Job

T1053.003

Cron

T1053.005

Scheduled Task

T1098

Account Manipulation

T1505

Server Software Component

T1505.003

Web Shell

T1542

Pre-OS Boot

T1542.003

Bootkit

T1547

Boot or Logon Autostart Execution

T1547.001

Registry Run Keys / Startup Folder

T1547.009

Shortcut Modification

TA0004

Privilege Escalation

6 techniques

T1053

Scheduled Task/Job

T1053.003

Cron

T1053.005

Scheduled Task

T1055

Process Injection

T1055.001

Dynamic-link Library Injection

T1098

Account Manipulation

T1134

Access Token Manipulation

T1134.002

Create Process with Token

T1547

Boot or Logon Autostart Execution

T1547.001

Registry Run Keys / Startup Folder

T1547.009

Shortcut Modification

T1548

Abuse Elevation Control Mechanism

T1548.002

Bypass User Account Control

TA0005

Stealth

12 techniques

T1027

Obfuscated Files or Information

T1027.002

Software Packing

T1027.007

Dynamic API Resolution

T1027.013

Encrypted/Encoded File

T1036

Masquerading

T1036.005

Match Legitimate Resource Name or Location

T1055

Process Injection

T1055.001

Dynamic-link Library Injection

T1070

Indicator Removal

T1070.003

Clear Command History

T1070.004

File Deletion

T1134

Access Token Manipulation

T1134.002

Create Process with Token

T1140

Deobfuscate/Decode Files or Information

T1202

Indirect Command Execution

T1218

System Binary Proxy Execution

T1218.001

Compiled HTML File

T1218.005

Mshta

T1218.007

Msiexec

T1218.011

Rundll32

T1542

Pre-OS Boot

T1542.003

Bootkit

T1564

Hide Artifacts

T1564.001

Hidden Files and Directories

T1574

Hijack Execution Flow

T1574.001

DLL

T1574.013

KernelCallbackTable

T1620

Reflective Code Loading

TA0112

Defense Impairment

1 technique

T1553

Subvert Trust Controls

T1553.002

Code Signing

TA0006

Credential Access

4 techniques

T1003

OS Credential Dumping

T1003.001

LSASS Memory

T1056

Input Capture

T1056.001

Keylogging

T1110

Brute Force

T1110.003

Password Spraying

T1557

Adversary-in-the-Middle

T1557.001

Name Resolution Poisoning and SMB Relay

TA0007

Discovery

13 techniques

T1010

Application Window Discovery

T1012

Query Registry

T1016

System Network Configuration Discovery

T1033

System Owner/User Discovery

T1046

Network Service Discovery

T1049

System Network Connections Discovery

T1057

Process Discovery

T1082

System Information Discovery

T1083

File and Directory Discovery

T1135

Network Share Discovery

T1217

Browser Information Discovery

T1518

Software Discovery

T1518.001

Security Software Discovery

T1680

Local Storage Discovery

TA0008

Lateral Movement

1 technique

T1021

Remote Services

T1021.001

Remote Desktop Protocol

T1021.002

SMB/Windows Admin Shares

T1021.004

SSH

TA0009

Collection

5 techniques

T1056

Input Capture

T1056.001

Keylogging

T1074

Data Staged

T1074.001

Local Data Staging

T1115

Clipboard Data

T1557

Adversary-in-the-Middle

T1557.001

Name Resolution Poisoning and SMB Relay

T1560

Archive Collected Data

T1560.002

Archive via Library

T1560.003

Archive via Custom Method

TA0011

Command and Control

9 techniques

T1001

Data Obfuscation

T1001.003

Protocol or Service Impersonation

T1008

Fallback Channels

T1071

Application Layer Protocol

T1071.001

Web Protocols

T1090

Proxy

T1090.001

Internal Proxy

T1090.002

External Proxy

T1102

Web Service

T1102.002

Bidirectional Communication

T1104

Multi-Stage Channels

T1132

Data Encoding

T1132.001

Standard Encoding

T1571

Non-Standard Port

T1573

Encrypted Channel

T1573.001

Symmetric Cryptography

TA0040

Impact

6 techniques

T1485

Data Destruction

T1486

Data Encrypted for Impact

T1489

Service Stop

T1491

Defacement

T1491.001

Internal Defacement

T1561

Disk Wipe

T1561.001

Disk Content Wipe

T1561.002

Disk Structure Wipe

T1565

Data Manipulation

T1565.001

Stored Data Manipulation

T1565.002

Transmitted Data Manipulation

T1565.003

Runtime Data Manipulation

ARSENAL

Associated malware families

4 malware families attributed to this actor across reporting.

FamilyContextEvidenceLast seen

BLINDINGCANThe profile shows: Attributed to: North Korea Motivations: Financial gain, Espionage Targets: Finance, Cryptocurrency, Defense Malware used: WannaCry, Hermes, BLINDINGCAN (all auto-linked by MITRE connector)1Jun 17, 2026

HermesThe profile shows: Attributed to: North Korea Motivations: Financial gain, Espionage Targets: Finance, Cryptocurrency, Defense Malware used: WannaCry, Hermes, BLINDINGCAN (all auto-linked by MITRE connector)1Jun 17, 2026

RustDoor“In this campaign, we discovered a Rust-based macOS malware nicknamed RustDoor masquerading as a legitimate software update…”1Mar 8, 2026

WannaCryThe profile shows: Attributed to: North Korea Motivations: Financial gain, Espionage Targets: Finance, Cryptocurrency, Defense Malware used: WannaCry, Hermes, BLINDINGCAN (all auto-linked by MITRE connector)1Jun 17, 2026

ACTIVITY FEED

Recent activity

4 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.

4 SOURCESView more in app

infosec writeupsNews

Jun 16, 2026

The Intelligent Shield. OpenCTI. Beyond Ingestion Subtitle: Deploying… | by Andrey Pautov | May, 2026 | InfoSec Write-ups

Used as an example of a mature intrusion set profile in OpenCTI, associated with financial gain and espionage, targeting finance, cryptocurrency, and defense sectors.

lazarusholic blueskyNews

Jun 16, 2026

Post by @lazarusholic.bsky.social - Bluesky

Referenced in the post author name 'lazarusholic' and the content discusses tooling linked to North Korean actors, but no concrete operational details about Lazarus are provided in the content.

palo alto networks unit 42 blogNews

Apr 14, 2025

Slow Pisces Targets Developers With Coding Challenges and Introduces New Customized Python Malware

Referenced as a DPRK-affiliated group using similar initial infection vectors, specifically LinkedIn/GitHub-style social engineering tactics.

palo alto networks unit 42 blogNews

Feb 26, 2025

RustDoor and Koi Stealer for macOS Used by North Korea-Linked Threat Actor to Target the Cryptocurrency Sector

Referenced as a North Korea-linked threat actor to which RustDoor has been previously attributed; the broader activity described involves recruiter-style social engineering against job-seeking software developers in the cryptocurrency sector, delivering macOS malware (RustDoor and a macOS variant of Koi Stealer) for credential and crypto-wallet theft and data exfiltration.

What this page doesn’t show

The version that knows your environment.

This page is what’s public. Mallory adds the parts that aren’t: sector and geo overlap with your footprint, the IOCs they’re burning right now, detection coverage, and what to do next.

Start free trial

Target overlap

Match sector + geo + tech-stack targeting against your real footprint.

Tradecraft mapping100

Every observed MITRE ATT&CK technique, grouped by tactic.

Malware arsenal4

Families this actor is known to deploy, with IOCs and behavior.

Exploited CVEs

CVEs this actor has used in known campaigns.

Detection signatures

YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.

Observables

Domains, IPs, and hashes tied to this actor, refreshed continuously.