Maui
Maui is a ransomware family associated with North Korean state-sponsored cyber actors, specifically the Lazarus Group and its Andariel (Stonefly) sub-cluster. The reporting collected here states that Lazarus historically developed its own ransomware families, including WannaCry, Maui, and H0lyGh0st, and that Maui has been in use since at least May 2021.

Multiple sources link Maui to DPRK operations against the Healthcare and Public Health (HPH) sector, including U.S. healthcare organizations. North Korean Maui activity was the subject of a July 6, 2022 joint advisory and of the broader February 10, 2023 joint advisory on DPRK state-sponsored ransomware from NSA, HHS, FBI, CISA, and South Korean partners. Andariel was reported deploying Maui in at least one 2022 incident, and Lazarus/Andariel used Maui alongside other bespoke ransomware families such as SHATTEREDGLASS and H0lyGh0st.

Behavioral detail in the collected reporting is limited, but it consistently describes Maui as custom-developed, manually executed ransomware used in financially motivated DPRK intrusions, with ransom demands in bitcoin and proceeds assessed to support DPRK national priorities, including follow-on cyber operations. The one technical description available (see Recent activity below) notes per-file AES-128 encryption with RSA-protected keys (maui.key / maui.evd), XOR obfuscation derived from disk identifiers, and a maui.log file that supports operator-side decryption. The strongest targeting pattern is the HPH sector, though the reporting also references activity against entities in South Korea, Japan, and the United States. No file hashes or other technical IOCs for Maui itself are provided in this content.
Hunt this family in your stack
Mallory pivots from this family to the IOCs, detections, and named campaigns that touch your stack, and pages you when something new lands.
Vulnerabilities exploited
3 CVEs Mallory has correlated with this family across public research and vendor advisories. Each row links to the full Mallory page for that vulnerability. Note that the cited advisories list these CVEs as initial-access vectors used by DPRK ransomware actors in general; none of the quoted reporting states that the Maui binary itself exploits them.
Recently observed CVEs that actors used to gain access include remote code execution in the Apache Log4j software library (known as Log4Shell)... Observed CVEs used include: CVE-2021-44228
Observed CVEs used include: ... CVE-2022-24990 ... The TerraMaster OS Unauthenticated Remote Command Execution via PHP Object Instantiation Vulnerability is characterized by scanning activity targeting a flaw...
Recently observed CVEs that actors used to gain access include ... remote code execution in unpatched SonicWall SMA 100 appliances... Observed CVEs used include: CVE-2021-20038
Groups observed using it
6 distinct threat actors attributed by public researchers. Open in Mallory to see the full evidence chain and overlapping campaigns.
Lazarus Group has historically built its own ransomware -- WannaCry (2017), Maui (2022), H0lyGh0st (2022).
Andariel was reported deploying their signature Maui ransomware on at least one occasion in 2022
For more information on this ransomware activity, see... North Korean State-Sponsored Cyber Actors Use Maui Ransomware to Target the Healthcare and Public Health Sector.
"Maui ransomware, which has been used by North Korean state-sponsored cyber actors since at least May 2021 to target Healthcare and Public Health (HPH) Sector organizations."
North Korea has long been involved in ransomware attacks and has been previously associated with the Maui and Play ransomware families.
This CSA provides an overview of Democratic People’s Republic of Korea (DPRK) state-sponsored ransomware and updates the July 6, 2022, joint CSA North Korean State-Sponsored Cyber Actors Use Maui Ransomware to Target the Healthcare and Public Health Sector.
Techniques & procedures
9 distinct techniques documented for this family, organized by ATT&CK tactic.
Resource Development
2 techniques
"Acquire Infrastructure [T1583]. DPRK actors generate domains, personas, and accounts; and identify cryptocurrency services to conduct their ransomware operations."
"Purchase VPNs and VPSs [T1583.003]. DPRK cyber actors will also use virtual private networks (VPNs) and virtual private servers (VPSs) or third-country IP addresses..."
Initial Access
3 techniques
"...remote code execution in unpatched SonicWall SMA 100 appliances [T1190 and T1133]."
"The other victim operated a vulnerable Weblogic server... compromised this server via the CVE-2017-10271 exploit."
"In one victim system, we discovered that a well-known simple HTTP server, HFS7, had deployed the malware above. After an unknown exploit was used on a vulnerable HFS server and “whoami” was executed..."
"Actors also likely spread malicious code through Trojanized files for “X-Popup,” an open source messenger... [T1195]."
Persistence
1 technique
Stealth
1 technique
Discovery
1 technique
"...perform reconnaissance activities, upload and download additional files and executables, and execute shell commands [T1083, T1021]."
Lateral Movement
1 technique
"...perform reconnaissance activities... and execute shell commands [T1083, T1021]."
Impact
1 technique
"Additionally, Andariel was reported deploying their signature Maui ransomware on at least one occasion in 2022."
Recent activity
33 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.
Referenced as a prior Lazarus-operated ransomware family historically built and controlled by the group.
Maui is cited as a ransomware family historically deployed by Lazarus Group.
Ransomware family previously associated (in the cited reporting) with North Korean state-backed activity.
Manually executed ransomware; uses AES-128 per file with RSA-protected keys (maui.key / maui.evd), XOR obfuscation derived from disk identifiers, and generates maui.log to support operator-side decryption workflows.
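Because Maui is run by hand and leaves named key and log files beside the encrypted data, the file-system side of a run is one of the few hunt signals this reporting actually supports. The script below is an added example, not code from Mallory, Stairwell, or any cited advisory: it reads file-creation and file-write telemetry as JSON lines, flags any process that drops maui.key and maui.evd (the RSA key material) or maui.log (the encryption inventory), and separately flags a burst of writes from one process, which is what bulk per-file encryption looks like in EDR data. The event schema (`ts`, `host`, `pid`, `image`, `op`, `path`), the burst thresholds, and the sample records are all assumptions constructed for the demo; map the field names onto your own sensor and tune the thresholds against a baseline before deploying.

```python
import json
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Artifact names reported for Maui (see the summary above). The reporting does
# not say which of maui.key / maui.evd holds the public vs. private half, so
# both are treated simply as "RSA key material dropped".
MAUI_KEY_FILES = {"maui.key", "maui.evd"}
MAUI_LOG_FILE = "maui.log"

# Hypothetical tuning: this many writes by one process inside this window is
# treated as bulk encryption. Tune against your own baseline.
BURST_WRITES = 50
BURST_WINDOW_SEC = 60


def _basename(path):
    """Case-insensitive basename that tolerates Windows or POSIX separators."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def _parse_ts(s):
    return datetime.fromisoformat(s.replace("Z", "+00:00"))


def analyze_events(lines):
    """Return a list of findings, one per (host, pid), from JSON-line file events."""
    key_files = defaultdict(set)    # (host, pid) -> Maui artifact names created
    writes = defaultdict(list)      # (host, pid) -> timestamps of file writes
    image = {}
    for line in lines:
        line = line.strip()
        if not line:
            continue
        ev = json.loads(line)
        key = (ev["host"], ev["pid"])
        image.setdefault(key, ev.get("image", "?"))
        name = _basename(ev["path"])
        if ev["op"] == "create" and (name in MAUI_KEY_FILES or name == MAUI_LOG_FILE):
            key_files[key].add(name)
        elif ev["op"] == "write":
            writes[key].append(_parse_ts(ev["ts"]))

    findings = []
    for key in set(key_files) | set(writes):
        reasons = []
        seen = key_files.get(key, set())
        if MAUI_KEY_FILES <= seen:
            reasons.append("maui.key and maui.evd dropped together (RSA key material)")
        elif seen & MAUI_KEY_FILES:
            reasons.append("single Maui key file dropped: " + ", ".join(sorted(seen & MAUI_KEY_FILES)))
        if MAUI_LOG_FILE in seen:
            reasons.append("maui.log written (operator-side decryption inventory)")

        # Sliding window over this process's write timestamps: peak writes per window.
        ts = sorted(writes.get(key, []))
        lo, peak = 0, 0
        for hi in range(len(ts)):
            while (ts[hi] - ts[lo]).total_seconds() > BURST_WINDOW_SEC:
                lo += 1
            peak = max(peak, hi - lo + 1)
        if peak >= BURST_WRITES:
            reasons.append(f"{peak} file writes within {BURST_WINDOW_SEC}s (bulk encryption pattern)")

        if reasons:
            findings.append({"host": key[0], "pid": key[1], "image": image[key],
                             "severity": "high" if len(reasons) >= 2 else "medium",
                             "reasons": reasons})
    return sorted(findings, key=lambda f: (f["host"], f["pid"]))


def sample_events():
    """Constructed telemetry for the demo; not real data. One Maui-like run on
    ws-17 and one benign backup agent on fs-02 that writes slowly."""
    base = datetime(2022, 4, 12, 3, 14, 0, tzinfo=timezone.utc)
    out = []

    def ev(host, pid, img, op, path, sec):
        out.append(json.dumps({"ts": (base + timedelta(seconds=sec)).isoformat(),
                               "host": host, "pid": pid, "image": img, "op": op, "path": path}))

    maui = r"C:\Users\Public\maui.exe"
    ev("ws-17", 4120, maui, "create", r"C:\Users\Public\maui.key", 0)
    ev("ws-17", 4120, maui, "create", r"C:\Users\Public\maui.evd", 1)
    for i in range(60):                                  # 60 writes in ~30 seconds
        ev("ws-17", 4120, maui, "write", rf"D:\share\rec{i:03d}.dat", 2 + i // 2)
    ev("ws-17", 4120, maui, "create", r"C:\Users\Public\maui.log", 40)
    for i in range(20):                                  # benign: one write every 10 s
        ev("fs-02", 900, r"C:\Program Files\Backup\agent.exe", "write", rf"E:\backup\f{i}.bak", i * 10)
    return out


if __name__ == "__main__":
    for f in analyze_events(sample_events()):
        print(json.dumps(f))
```

On the constructed sample the script reports a single high-severity finding for ws-17 pid 4120 (key pair dropped, maui.log written, 60 writes inside the window) and nothing for the backup agent. The artifact-name check is cheap but trivially evaded by a renamed build; the write-burst check survives renaming but needs a per-environment threshold, which is why the two are combined and scored rather than used alone.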
The version that knows your environment.
Match every observed IP, domain, and hash against your live telemetry.
Named campaigns wielding this family, with evidence pinned to each claim.
CVEs this family uses for access and lateral movement.
YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.
Every documented technique, ranked by evidence weight.
Reddit, Mastodon, and CTI community discussion around this family.