Andariel Scheduled Task Malware
Andariel Scheduled Task Malware is a malware/loader associated with the DPRK Reconnaissance General Bureau (RGB) 3rd Bureau threat group Andariel, also tracked as Onyx Sleet (formerly PLUTONIUM), DarkSeoul, Silent Chollima, and Stonefly/Clasiopa. It is explicitly referenced in a joint FBI-led Cybersecurity Advisory and the corresponding YARA detection content as "Andariel Scheduled Task Malware" (including the rule name "Andariel_ScheduledTask_Loader"). In the advisory it is listed as part of Andariel's broader intrusion toolkit used in cyber espionage and related operations.
The surrounding reporting states Andariel commonly gains initial access by exploiting public-facing web servers using known vulnerabilities, including CVE-2021-44228 (Log4Shell), and then deploys web shells for follow-on exploitation. The actors establish persistence using Scheduled Tasks, perform discovery, steal credentials with tools such as Mimikatz, escalate privileges, move laterally via SMB and RDP, and exfiltrate data using cloud services or tools such as PuTTY and WinSCP. The group also uses phishing with malicious LNK files and HTA scripts in ZIP archives. In this context, Andariel Scheduled Task Malware is associated with the persistence mechanism of Scheduled Tasks and likely functions as a loader or implant used after initial compromise.
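The persistence step above, Scheduled Tasks created after a web-shell foothold, is the one a responder can check directly on a host. The following is an added example written for this page, not code from the advisory or from Mallory: it parses Windows Task Scheduler XML (the format stored under C:\Windows\System32\Tasks and carried in Security event 4698) and flags the loader-style patterns a hunter would look for, namely an action that runs a binary from a user-writable path, a living-off-the-land binary pointed at user-writable content or given encoded, hidden or remote arguments, and tasks marked Hidden. The heuristics, the path lists and the three sample task definitions are constructed for illustration and are not indicators from the advisory.

```python
"""Triage Windows Scheduled Task XML for loader persistence (added example).

Heuristics and sample tasks are the editor's own constructions, not
detection content from the advisory.
"""
from __future__ import annotations

import re
import xml.etree.ElementTree as ET
from dataclasses import dataclass, field

NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}

# Locations a low-privilege or web-server account can usually write to.
USER_WRITABLE = re.compile(
    r"\\(users\\[^\\]+\\appdata|users\\public|programdata|windows\\temp|temp|"
    r"inetpub\\wwwroot|perflogs)\\", re.IGNORECASE)
# Living-off-the-land binaries often used to run a second-stage loader.
LOLBINS = {"rundll32.exe", "regsvr32.exe", "mshta.exe", "wscript.exe", "cscript.exe",
           "powershell.exe", "pwsh.exe", "cmd.exe", "certutil.exe", "bitsadmin.exe"}
# Encoded PowerShell, hidden windows or remote payloads in the argument string.
RISKY_ARGS = re.compile(
    r"(-e(c|nc|ncodedcommand)?\s+[A-Za-z0-9+/=]{20,}|-w(indowstyle)?\s+hidden|https?://)",
    re.IGNORECASE)


@dataclass
class TaskFinding:
    name: str
    command: str
    arguments: str
    hidden: bool
    run_as: str
    reasons: list[str] = field(default_factory=list)

    @property
    def suspicious(self) -> bool:
        return bool(self.reasons)


def analyze_task_xml(name: str, xml_text: str | bytes) -> TaskFinding:
    """Parse one task definition and record why its action looks like loader persistence."""
    root = ET.fromstring(xml_text)  # bytes input keeps the UTF-16 BOM of real task files usable
    exec_node = root.find(".//t:Actions/t:Exec", NS)
    command = arguments = ""
    if exec_node is not None:
        command = exec_node.findtext("t:Command", default="", namespaces=NS).strip()
        arguments = exec_node.findtext("t:Arguments", default="", namespaces=NS).strip()
    hidden = root.findtext(".//t:Settings/t:Hidden", default="false", namespaces=NS).strip().lower() == "true"
    run_as = root.findtext(".//t:Principals/t:Principal/t:UserId", default="", namespaces=NS).strip()
    finding = TaskFinding(name, command, arguments, hidden, run_as)

    binary = command.strip('"').replace("/", "\\").rsplit("\\", 1)[-1].lower()
    if USER_WRITABLE.search(command):
        finding.reasons.append("binary launched from user-writable path")
    if binary in LOLBINS and USER_WRITABLE.search(arguments):
        finding.reasons.append(f"{binary} loading content from user-writable path")
    if binary in LOLBINS and RISKY_ARGS.search(arguments):
        finding.reasons.append(f"{binary} with encoded, hidden or remote argument")
    if hidden:
        finding.reasons.append("task marked Hidden")
    return finding


def triage(tasks: dict[str, str | bytes]) -> list[TaskFinding]:
    """Return only the tasks that carry at least one indicator."""
    return [f for f in (analyze_task_xml(n, x) for n, x in tasks.items()) if f.suspicious]


# Constructed sample definitions: one legitimate task and two loader-style tasks.
_XMLNS = 'xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task"'
SAMPLE_TASKS = {
    "\\Microsoft\\Windows\\Windows Defender\\Windows Defender Scheduled Scan": f"""<Task version="1.4" {_XMLNS}>
  <Principals><Principal id="Author"><UserId>S-1-5-18</UserId></Principal></Principals>
  <Settings><Hidden>false</Hidden></Settings>
  <Actions Context="Author"><Exec><Command>"C:\\Program Files\\Windows Defender\\MpCmdRun.exe"</Command>
    <Arguments>Scan -ScheduleJob -ScanTrigger 55</Arguments></Exec></Actions>
</Task>""",
    "\\OneDriveSyncService": f"""<Task version="1.4" {_XMLNS}>
  <Principals><Principal id="Author"><UserId>S-1-5-18</UserId>
    <RunLevel>HighestAvailable</RunLevel></Principal></Principals>
  <Settings><Hidden>true</Hidden></Settings>
  <Actions Context="Author"><Exec><Command>C:\\Windows\\System32\\rundll32.exe</Command>
    <Arguments>C:\\ProgramData\\Microsoft\\Crypto\\sync.dll,Start</Arguments></Exec></Actions>
</Task>""",
    "\\Update\\UpdateCheck": f"""<Task version="1.4" {_XMLNS}>
  <Principals><Principal id="Author"><UserId>CORP\\svc_web</UserId></Principal></Principals>
  <Settings><Hidden>false</Hidden></Settings>
  <Actions Context="Author"><Exec><Command>powershell.exe</Command>
    <Arguments>-w hidden -nop -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAEMAbABpAGUAbgB0ACkA</Arguments>
  </Exec></Actions>
</Task>""",
}

if __name__ == "__main__":
    for f in triage(SAMPLE_TASKS):
        print(f"[!] {f.name} runs as {f.run_as}: {f.command} {f.arguments}")
        for reason in f.reasons:
            print(f"    - {reason}")
```

On a live host, read each file under C:\Windows\System32\Tasks as bytes and pass it straight to analyze_task_xml; ET.fromstring honours the UTF-16 BOM those files carry. The path and LOLBin lists are deliberately broad, so treat a hit as a triage lead to confirm against the task's creation time, author and the web-server account's activity, not as a verdict.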
The advisory attributes Andariel activity to long-running DPRK state-sponsored espionage and ransomware operations. Current targeting is focused on defense, aerospace, nuclear, and engineering organizations for theft of sensitive military information and intellectual property, with additional targeting of medical and energy sectors. Reported objectives include collection of contract specifications, bills of materials, project details, design drawings, and engineering documents supporting Pyongyang’s military and nuclear programs. The advisory also notes Andariel has funded espionage through ransomware operations against U.S. healthcare entities and has conducted ransomware and espionage against the same victim in close temporal proximity.
The advisory describes Andariel malware and related tooling as supporting arbitrary command execution, keylogging, screenshots, file and directory listing, browser history retrieval, process snooping, tunneling/proxying, and uploading content to command-and-control infrastructure. The actors often disguise C2 within HTTP traffic, use dual-use tools such as 3Proxy, PLINK, Stunnel, AsyncRAT, Impacket, ORVX Web Shell, WSO web shell, ProcDump, PuTTY, WinRAR, WinSCP, and RDP Wrapper, and routinely pack late-stage tooling with VMProtect and Themida for anti-analysis and evasion. The source advisory publishes indicators of compromise (hashes, user-agent strings, and YARA rules), but no IOC values specific to this malware sample are reproduced here.
Vulnerabilities exploited
1 CVE correlated with this family across public research and vendor advisories.
Groups observed using it
2 distinct threat actors attributed by public researchers.
Techniques & procedures
1 distinct technique documented for this family, organized by ATT&CK tactic.
Resource Development (1 technique): "These tools include functionality for executing arbitrary commands... and uploading content to command and control (C2) [T1587.001, T1587.004]."
Advisory excerpt naming the family: "Over the last 15 years, the group has developed RATs, including the following... ▪ Andariel Scheduled Task Malware"
Recent activity
2 sources tracked across advisories, community write-ups, and news.