7 malware families

North Korean threat actors

Also known asNorth Korean threat actors

Are they targeting you?

Know when an actor pivots toward your sector

Mallory correlates actor tradecraft and target patterns against your stack, your sector, and your geography. See overlap before they land.

Start free trial

MITRE ATT&CK

Tradecraft

31 distinct techniques observed across reporting, grouped by tactic. Hover any cell for the evidence excerpt; click through for MITRE's full description.

13 of 15 tactics45 techniques×N= number of intelligence reports citing this technique

MITRE ATT&CK

TA0043

Reconnaissance

1 technique

T1598

Phishing for Information

TA0042

Resource Development

1 technique

T1608

Stage Capabilities

T1608.001

Upload Malware

TA0001

Initial Access

4 techniques

T1078

Valid Accounts

T1190

Exploit Public-Facing Application

T1195

Supply Chain Compromise

T1195.001

Compromise Software Dependencies and Development Tools

T1195.002

Compromise Software Supply Chain

T1566

Phishing

T1566.001

Spearphishing Attachment

T1566.003

Spearphishing via Service

TA0002

Execution

4 techniques

T1059

Command and Scripting Interpreter

T1059.007×2

JavaScript

T1203

Exploitation for Client Execution

T1204

User Execution

T1204.001

Malicious Link

T1204.002×2

Malicious File

T1574

Hijack Execution Flow

TA0003

Persistence

2 techniques

T1078

Valid Accounts

T1546

Event Triggered Execution

T1546.016

Installer Packages

TA0004

Privilege Escalation

3 techniques

T1078

Valid Accounts

T1546

Event Triggered Execution

T1546.016

Installer Packages

T1548

Abuse Elevation Control Mechanism

TA0005

Stealth

5 techniques

T1027

Obfuscated Files or Information

T1027.013

Encrypted/Encoded File

T1036

Masquerading

T1070×2

Indicator Removal

T1078

Valid Accounts

T1574

Hijack Execution Flow

TA0006

Credential Access

3 techniques

T1539

Steal Web Session Cookie

T1555

Credentials from Password Stores

T1555.001

Keychain

T1555.003

Credentials from Web Browsers

T1649

Steal or Forge Authentication Certificates

TA0007

Discovery

3 techniques

T1082

System Information Discovery

T1083

File and Directory Discovery

T1217

Browser Information Discovery

TA0009

Collection

2 techniques

T1005

Data from Local System

T1119

Automated Collection

TA0011

Command and Control

1 technique

T1105×2

Ingress Tool Transfer

TA0010

Exfiltration

1 technique

T1041

Exfiltration Over C2 Channel

TA0040

Impact

2 techniques

T1486

Data Encrypted for Impact

T1657

Financial Theft

ARSENAL

Associated malware families

7 malware families attributed to this actor across reporting.

FamilyContextEvidenceLast seen

BeaverTailOnce run locally on the machine, the package referenced in the supposed project acts as a stealer (i.e., BeaverTail) to harvest browser credentials, cryptocurrency wallet data, macOS Keychain, keystrokes, clipboard content, and screenshots. The malware is designed to download additional payloads, including a cross-platform Python backdoor codenamed InvisibleFerret.1May 25, 2026

CoreKitAgentAlso dropped as part of the attacks is a collection of Nim-based executable that are used as a launchpad for CoreKitAgent, which monitors for user attempts to kill the malware process and ensures persistence.1Mar 18, 2026

HexEval...using them to deliver malware families like HexEval, XORIndex, and encrypted loaders that deliver BeaverTail...1May 25, 2026

InjectWithDyldArm64At the heart of the infection sequence is a C++ loader called InjectWithDyldArm64 (aka InjectWithDyld), which decrypts two embedded binaries named Target and trojan1_arm64.1Mar 18, 2026

InvisibleFerretThe malware is designed to download additional payloads, including a cross-platform Python backdoor codenamed InvisibleFerret.1May 25, 2026

2 additional families tracked in Mallory.

IOCS

Observables

29 indicators attributed to this actor: domains, IPs, hashes, and other artifacts pulled from reporting. View more in app.

29 IOCsView more in app

Domains

13 total

••••••.com•••••••.ru••••••••.com•••••••••.net••••••••••.com•••••••••••.ru••••••••••••.com••••••.ru+5

hash.sha256

7 total

•••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••

uri

6 total

•••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••

ip.v4

3 total

•••••••••••••••••••••••••••

IOC values are gated. View more in Mallory for domains, IPs, hashes, and other artifacts, or pipe them straight into your SIEM.

ACTIVITY FEED

Recent activity

No public activity tracked yet. Mallory keeps watching.

0 SOURCESView more in app

No public activity observed for this threat actor.

What this page doesn’t show

The version that knows your environment.

This page is what’s public. Mallory adds the parts that aren’t: sector and geo overlap with your footprint, the IOCs they’re burning right now, detection coverage, and what to do next.

Start free trial

Target overlap

Match sector + geo + tech-stack targeting against your real footprint.

Tradecraft mapping31

Every observed MITRE ATT&CK technique, grouped by tactic.

Malware arsenal7

Families this actor is known to deploy, with IOCs and behavior.

Exploited CVEs

CVEs this actor has used in known campaigns.

Detection signatures

YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.

Observables29

Domains, IPs, and hashes tied to this actor, refreshed continuously.