APT38 is a North Korean state-sponsored threat actor widely assessed as part of the broader Lazarus ecosystem and also tracked as Sapphire Sleet. The group is best known for financially motivated operations, especially large-scale theft targeting banks, financial institutions, payment infrastructure, and cryptocurrency-related organizations, but it has also been associated with software supply-chain compromise and developer-focused intrusion activity. APT38 combines espionage-grade tradecraft with financially motivated objectives. Reported operations have included compromise of software development and package distribution ecosystems, abuse of trusted platforms and legitimate services, and post-compromise host reconnaissance to profile victim environments. Observed behavior includes discovery of installed security software and defensive tooling, collection of detailed host information such as operating system version and patch state, and modification of the Windows Registry. The group has also been associated with process injection for stealth and privilege-related post-exploitation activity. The actor’s targeting has historically centered on the financial sector, including banks and cryptocurrency organizations, while more recent reporting links it to attacks on developers and software supply chains. In one notable campaign, APT38 was linked to compromise of an npm supply chain affecting a large number of packages. This reflects a broader pattern of North Korean operators leveraging developer ecosystems, open-source repositories, and trusted software channels to gain access, distribute malicious code, and expand victim reach. APT38 is commonly discussed alongside Lazarus Group subclusters and overlapping North Korean intrusion sets. Alias usage varies across vendors, but Sapphire Sleet is a recognized alternate name associated with this actor.
Mallory correlates actor tradecraft and target patterns against your stack, your sector, and your geography. See overlap before they land.
Who, where, and (when attributed) which flag flies behind the operation. Pulled from open-source reporting and Mallory's analyst review.
Sectors the actor has been observed targeting.
Attributed origin per open-source reporting.
56 distinct techniques observed across reporting, grouped by tactic. Hover any cell for the evidence excerpt; click through for MITRE's full description.
9 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.
Compromised an npm supply chain by injecting a malicious dependency into over 140 packages, targeting developers and related communities.
Mentioned only as an annotated threat actor associated with the ATT&CK technique Process Injection (T1055) in a Splunk detection entry; no campaign or activity is described.
Mentioned only as an annotation/tag associated with the ATT&CK technique Process Injection (T1055); no campaign or activity by this group is described in the content.
Mentioned only in an annotation/list associated with the detection content; no actor-specific activity is described in this reference.
Match sector + geo + tech-stack targeting against your real footprint.
Every observed MITRE ATT&CK technique, grouped by tactic.
Families this actor is known to deploy, with IOCs and behavior.
CVEs this actor has used in known campaigns.
YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.
Domains, IPs, and hashes tied to this actor, refreshed continuously.