Lilith RAT
Lilith RAT is a remote access trojan referenced in reporting on North Korea-linked activity. It has been identified as an open-source or dual-use tool used and/or customized by the Andariel group (also tracked as Onyx Sleet), a subordinate element of Lazarus. Reporting states Andariel used Lilith RAT alongside Black RAT, NukeSped, and TigerRAT in campaigns that infiltrated vulnerable MS-SQL servers and in supply-chain attacks involving South Korean asset management software. Separate reporting on a Konni/Kimsuky-linked campaign in South Korea states that attackers used malicious attachments to deliver remote access trojans such as Lilith RAT in order to take over victims' machines. The available content does not provide detailed technical functionality specific to Lilith RAT beyond its use as a RAT, nor does it include malware-specific IoCs, but it does note one detection reference: the YARA rule "Andariel_LilithRAT_Variant".
Hunt this family in your stack
Mallory pivots from this family to the IOCs, detections, and named campaigns that touch your stack, and pages you when something new lands.
Vulnerabilities exploited
1 CVE Mallory has correlated with this family across public research and vendor advisories. Each row links to the full Mallory page for that vulnerability.
The authoring agencies have identified the following open source and dual-use tools as used and/or customized by the actors: ▪ Lilith RAT
Groups observed using it
2 distinct threat actors attributed by public researchers. Open in Mallory to see the full evidence chain and overlapping campaigns.
It also follows a new attack campaign orchestrated by the North Korea-linked Andariel group – another subordinate element within Lazarus – to deliver Black RAT, Lilith RAT, NukeSped, and TigerRAT by infiltrating vulnerable MS-SQL servers as well as via supply chain attacks using a South Korean asset management software.
Techniques & procedures
3 distinct techniques documented for this family, organized by ATT&CK tactic.
Initial Access
2 techniques
Andariel ... deliver Black RAT, Lilith RAT, NukeSped, and TigerRAT by infiltrating vulnerable MS-SQL servers as well as via supply chain attacks using a South Korean asset management software.
Stealth
1 technique
Discovery
1 technique
Recent activity
4 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.
Remote access trojan referenced as a payload delivered via malicious attachments to take over victim machines.
A remote access trojan reportedly delivered by the North Korea-linked Andariel group via compromised MS-SQL servers and supply chain attacks involving South Korean asset management software.
Commodity/open-source RAT (and variants) used for remote access and control.
The version that knows your environment.
Match every observed IP, domain, and hash against your live telemetry.
Named campaigns wielding this family, with evidence pinned to each claim.
CVEs this family uses for access and lateral movement.
YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.
Every documented technique, ranked by evidence weight.
Reddit, Mastodon, and CTI community discussion around this family.