TigerRAT
TigerRAT is a remote access trojan (RAT) associated with North Korea-linked Lazarus/Andariel activity. Public reporting describes it as a C++ RAT used in espionage intrusions, including defense-sector compromises and multiple Andariel operations in South Korea. It was publicly disclosed by KISA and KrCERT/CC in 2021 as part of Operation ByteTiger, alongside a downloader named TigerDownloader.
Documented capabilities include file control, arbitrary command execution, SOCKS tunneling, and encrypted HTTP-like command-and-control (C2) communications. Other reporting adds the usual RAT feature set: keylogging, screenshots, file and directory listing, browser history retrieval, process snooping, and uploading collected content to C2 infrastructure. Cisco Talos reported newer variants with an added "USB dump" capability and preparatory code for webcam video capture, while noting that the port-forwarding capability had been removed in the latest version it analyzed.
Public attribution ties TigerRAT to Andariel, a subgroup under the Lazarus umbrella assessed to operate under the DPRK Reconnaissance General Bureau (RGB) 3rd Bureau. It has been used in intrusions targeting defense, aerospace, nuclear, engineering, medical, and energy-related organizations, including a South Korean engineering company whose work is relevant to liquid hydrogen handling and the nuclear industry. Reported initial-access patterns in Andariel operations include exploitation of vulnerable public-facing servers, MS-SQL servers among them, and supply-chain compromise via a South Korean asset management product and a compromised South Korean ERP vendor's update mechanism. TigerRAT has also been observed hosted on MagicRAT C2 infrastructure, and the actor's repeated use of unique malware such as TigerRAT is itself cited as supporting attribution.
Useful contextual pivots for hunting include its association with Operation ByteTiger, TigerDownloader, MagicRAT-linked infrastructure, and the co-occurring Lazarus/Andariel malware clusters VSingle, YamaBot, Black RAT, Lilith RAT, and NukeSped.
Vulnerabilities exploited
1 CVE correlated with this family across public research and vendor advisories (the identifier is not reproduced in the excerpt below).
Over the last 15 years, the group has developed RATs, including the following... ▪ TigerRAT
Groups observed using it
2 distinct threat actors attributed by public researchers.
We also uncovered the reemergence of Andariel in South Korea, where the group deployed TigerRAT and attempted to spread Rook ransomware within an engineering company
Over the last 15 years, the group has developed RATs, including the following... ▪ TigerRAT
Techniques & procedures
5 distinct techniques documented for this family, organized by ATT&CK tactic.
Resource Development
1 technique
These tools include functionality for executing arbitrary commands... and uploading content to command and control (C2) [T1587.001, T1587.004].
Initial Access
2 techniques
Andariel ... deliver Black RAT, Lilith RAT, NukeSped, and TigerRAT by infiltrating vulnerable MS-SQL servers as well as via supply chain attacks using a South Korean asset management software.
Command and Control
1 technique
The actors disguise their malware within HTTP packets to appear as benign network traffic... [T1090, T1071].
Impact
1 technique
Andariel in South Korea, where the group deployed TigerRAT and attempted to spread Rook ransomware within an engineering company
Recent activity
9 sources tracked across advisories, community write-ups, and news.
A remote access trojan deployed by Andariel in South Korea during an intrusion into an engineering company.
C++ remote access trojan with file control, command execution, SOCKS tunneling, and encrypted HTTP-like communications; used in defense-sector intrusions.
Remote access trojan cited as a distinctive tool used in activity attributed with high confidence to Andariel (DPRK-linked).
RAT used in 2025 intrusions attributed to Andariel, including targeting an unnamed European legal-sector entity.