Atharvan
Atharvan is a custom remote access trojan/backdoor associated with the North Korea-linked threat group Andariel, which is assessed as operating under the DPRK Reconnaissance General Bureau (RGB) 3rd Bureau and widely tracked as a Lazarus sub-cluster. In the provided reporting, Atharvan is specifically described as an "Atharvan ELF Backdoor" and as a custom RAT that creates the mutex "SAPTARISHI-ATHARVAN-101" and disguises command-and-control traffic as legitimate Microsoft update traffic. Atharvan is listed among Andariel-developed RATs and implants used to permit remote access, manipulation of compromised systems, and lateral movement. The broader advisory context attributes Andariel activity to intrusions targeting defense, aerospace, nuclear, engineering, medical, and energy organizations, with collection priorities tied to military and nuclear programs and with ransomware activity also observed in parallel. Initial access in those operations commonly involved exploitation of public-facing applications and known vulnerabilities, deployment of web shells, phishing with ZIP archives containing LNK or HTA files, credential theft, and lateral movement using built-in tools and remote access protocols. High-confidence malware-specific indicators directly mentioned in the content are the mutex "SAPTARISHI-ATHARVAN-101" and the use of C2 traffic disguised as Microsoft update traffic.
Hunt this family in your stack
Mallory pivots from this family to the IOCs, detections, and named campaigns that touch your stack, and pages you when something new lands.
Vulnerabilities exploited
1 CVE Mallory has correlated with this family across public research and vendor advisories. Each row links to the full Mallory page for that vulnerability.
Over the last 15 years, the group has developed RATs, including the following, to permit remote access and manipulation of systems and lateral movement. ▪ Atharvan
Groups observed using it
2 distinct threat actors attributed by public researchers. Open in Mallory to see the full evidence chain and overlapping campaigns.
Over the last 15 years, the group has developed RATs, including the following, to permit remote access and manipulation of systems and lateral movement. ▪ Atharvan
Over the last 15 years, the group has developed RATs, including the following, to permit remote access and manipulation of systems and lateral movement. ▪ Atharvan
Techniques & procedures
1 distinct technique documented for this family, organized by ATT&CK tactic.
Resource Development
1 technique“These tools include functionality for executing arbitrary commands... and uploading content to command and control (C2) [T1587.001, T1587.004].”
Recent activity
3 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.
Custom RAT that creates mutex SAPTARISHI-ATHARVAN-101 and disguises C2 traffic as legitimate Microsoft update traffic.
Remote access trojan used to provide remote access/manipulation of victim systems and support lateral movement.
The version that knows your environment.
Match every observed IP, domain, and hash against your live telemetry.
Named campaigns wielding this family, with evidence pinned to each claim.
CVEs this family uses for access and lateral movement.
YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.
Every documented technique, ranked by evidence weight.
Reddit, Mastodon, and CTI community discussion around this family.