| SYMBOL | COMMON_NAME | aka. SYNONYMS |
Andariel is a threat actor that primarily targets South Korean corporations and institutions. They are believed to collaborate with or operate as a subsidiary organization of the Lazarus threat group. WHOIS utilizes spear phishing attacks, watering hole attacks, and supply chain attacks for initial access. They have been known to exploit vulnerabilities and use malware such as Infostealer and TigerRAT.
| 2025-04-06
⋅
Gridinsoft
⋅
How to Remove Lilith RAT: Complete Removal Guide Lilith puNK-003 |
| 2024-10-30
⋅
Palo Alto Networks Unit 42
⋅
Jumpy Pisces Engages in Play Ransomware Dtrack MimiKatz PLAY Sliver |
| 2024-08-22
⋅
S2W Inc.
⋅
Analysis of the North Korea-backed puNK-003’s Lilith RAT ported to AutoIt Script Lilith puNK-003 |
| 2024-07-24
⋅
Google
⋅
APT45: North Korea’s Digital Military Machine SHATTEREDGLASS APT45 |
| 2023-12-11
⋅
Cisco Talos
⋅
Operation Blacksmith: Lazarus targets organizations worldwide using novel Telegram-based malware written in DLang BottomLoader DLRAT HazyLoad NineRAT |
| 2023-11-10
⋅
⋅
AhnLab
⋅
Detection of attacks exploiting asset management software (Andariel Group) Lilith Tiger RAT |
| 2023-10-18
⋅
Microsoft
⋅
Multiple North Korean threat actors exploiting the TeamCity CVE-2023-42793 vulnerability FeedLoad ForestTiger HazyLoad RollSling Silent Chollima |
| 2023-08-31
⋅
AhnLab
⋅
Analysis of Andariel’s New Attack Activities Andardoor BlackRemote Tiger RAT Volgmer |
| 2023-08-24
⋅
Cisco Talos
⋅
Lazarus Group's infrastructure reuse leads to discovery of new malware Collection RAT |
| 2023-08-24
⋅
Cisco Talos
⋅
Lazarus Group exploits ManageEngine vulnerability to deploy QuiteRAT QuiteRAT |
| 2023-08-22
⋅
⋅
AhnLab
⋅
Analyzing the new attack activity of the Andariel group Andardoor MimiKatz QuiteRAT Tiger RAT Volgmer |
| 2023-07-19
⋅
Twitter (@h2jazi)
⋅
Tweet on observation with Korean targeting, suspecting Lazarus Unidentified 105 |
| 2023-06-28
⋅
Kaspersky Labs
⋅
Andariel’s silly mistakes and a new malware family Jupiter |
| 2023-05-25
⋅
YouTube (BSidesCharm)
⋅
it’s all Magic(RAT) – A look into recent North Korean nation-state attacks MagicRAT VSingle YamaBot |
| 2023-05-17
⋅
Medium (@DCSO_CyTec)
⋅
Andariel’s “Jupiter” malware and the case of the curious C2 Jupiter |
| 2023-04-14
⋅
Github (Hildaboo)
⋅
SHATTEREDGLASS Server Emulator SHATTEREDGLASS |
| 2023-02-23
⋅
Bitdefender
⋅
Technical Advisory: Various Threat Actors Targeting ManageEngine Exploit CVE-2022-47966 Cobalt Strike DarkComet QuiteRAT RATel |
| 2023-02-23
⋅
Symantec
⋅
Clasiopa: New Group Targets Materials Research Atharvan HazyLoad Lilith |
| 2023-02-15
⋅
⋅
AhnLab
⋅
Distributed Malware Exploiting Vulnerable Innorix: Andariel Andardoor |
| 2023-02-09
⋅
CISA
⋅
#StopRansomware: Ransomware Attacks on Critical Infrastructure Fund DPRK Malicious Cyber Activities Maui Ransomware SiennaBlue SiennaPurple Storm-0530 |
| 2023-02-09
⋅
#StopRansomware: Ransomware Attacks on Critical Infrastructure Fund DPRK Malicious Cyber Activities Dtrack MagicRAT Maui Ransomware SiennaBlue SiennaPurple Tiger RAT YamaBot |
| 2023-02-02
⋅
WithSecure
⋅
No Pineapple! –DPRK Targeting of Medical Research and Technology Sector Dtrack GREASE QuiteRAT |
| 2023-01-05
⋅
AttackIQ
⋅
Emulating the Highly Sophisticated North Korean Adversary Lazarus Group MagicRAT Tiger RAT |
| 2022-11-15
⋅
Kaspersky Labs
⋅
DTrack activity targeting Europe and Latin America Dtrack |
| 2022-10-05
⋅
Zscaler
⋅
Analysis of LilithBot Malware and Eternity Threat Group Eternity Clipper Eternity Stealer Lilith |
| 2022-09-08
⋅
Cisco Talos
⋅
Lazarus and the tale of three RATs MagicRAT MimiKatz VSingle YamaBot |
| 2022-09-07
⋅
Cisco Talos
⋅
MagicRAT: Lazarus’ latest gateway into victim networks MagicRAT Tiger RAT |
| 2022-08-15
⋅
Brandefense
⋅
Lazarus APT Group (APT38) AppleJeus AppleJeus BADCALL Bankshot BLINDINGCAN DRATzarus Dtrack KEYMARBLE Sierra(Alfa,Bravo, ...) Torisma WannaCryptor |
| 2022-08-09
⋅
Kaspersky
⋅
Andariel deploys DTrack and Maui ransomware Dtrack Maui Ransomware |
| 2022-07-12
⋅
cyble
⋅
New Ransomware Groups On The Rise: “RedAlert,” LILITH And 0mega Leading A Wave Of Ransomware Campaigns RedAlert Ransomware Lilith |
| 2022-07-07
⋅
JPCERT/CC
⋅
YamaBot Malware Used by Lazarus YamaBot |
| 2022-07-06
⋅
Stairwell
⋅
Maui Ransomware Maui Ransomware |
| 2022-07-06
⋅
CISA
⋅
Alert (AA22-187A): North Korean State-Sponsored Cyber Actors Use Maui Ransomware to Target the Healthcare and Public Health Sector Maui Ransomware |
| 2022-07-06
⋅
CISA
⋅
CSA AA22-187A: North Korean State-Sponsored Cyber Actors Use Maui Ransomware to Target the Healthcare and Public Health Sector (PDF) Maui Ransomware |
| 2022-07-05
⋅
JPCERT/CC
⋅
VSingle malware that obtains C2 server information from GitHub VSingle |
| 2022-05-18
⋅
Yoroi
⋅
A deep dive into Eternity Group: A new emerging Cyber Threat Eternity Ransomware Eternity Stealer Eternity Worm Lilith |
| 2022-04-27
⋅
Symantec
⋅
Stonefly: North Korea-linked Spying Operation Continues to Hit High-value Targets Dtrack VSingle |
| 2021-12-22
⋅
Threatray
⋅
Establishing the TigerRAT and TigerDownloader Malware Families TigerLite Tiger RAT |
| 2021-12-14
⋅
Trend Micro
⋅
Collecting In the Dark: Tropic Trooper Targets Transportation and Government ChiserClient Ghost RAT Lilith Quasar RAT xPack APT23 |
| 2021-12-03
⋅
vmware
⋅
TigerRAT – Advanced Adversaries on the Prowl Tiger RAT |
| 2021-11-10
⋅
⋅
AhnLab
⋅
Analysis Report of Lazarus Group’s NukeSped Malware DarkComet Tiger RAT |
| 2021-09-02
⋅
⋅
KrCert
⋅
TTPs#6 Targeted Watering Hole Attack Strategy Analysis (SILENT CHOLLIMA) Tiger RAT |
| 2021-07-15
⋅
BrightTALK
⋅
Visual investigations - Speed up your IR, Forensic Analysis and Hunting Tiger RAT |
| 2021-07-07
⋅
Talos
⋅
InSideCopy: How this APT continues to evolve its arsenal (IOCs) AllaKore Lilith NjRAT |
| 2021-07-07
⋅
Talos
⋅
InSideCopy: How this APT continues to evolve its arsenal AllaKore Lilith NjRAT |
| 2021-07-07
⋅
Talos
⋅
InSideCopy: How this APT continues to evolve its arsenal (Network IOCs) AllaKore Lilith NjRAT |
| 2021-07-02
⋅
Cisco
⋅
InSideCopy: How this APT continues to evolve its arsenal AllaKore CetaRAT Lilith NjRAT ReverseRAT |
| 2021-06-15
⋅
Kaspersky
⋅
Andariel evolves to target South Korea with ransomware BISTROMATH PEBBLEDASH SHATTEREDGLASS TigerLite Tiger RAT |
| 2021-05-11
⋅
⋅
Qianxin
⋅
Analysis of a series of attacks by the suspected Lazarus organization using Daewoo Shipyard as relevant bait BISTROMATH TigerLite |
| 2021-04-19
⋅
Malwarebytes
⋅
Lazarus APT conceals malicious code within BMP image to drop its RAT TigerLite |
| 2021-04-19
⋅
Malwarebytes
⋅
Lazarus APT conceals malicious code within BMP image to drop its RAT BISTROMATH |
| 2021-03-22
⋅
JPCERT/CC
⋅
Lazarus Attack Activities Targeting Japan (VSingle/ValeforBeta) VSingle |
| 2020-11-27
⋅
⋅
Macnica
⋅
Analyzing Organizational Invasion Ransom Incidents Using Dtrack Cobalt Strike Dtrack |
| 2020-11-03
⋅
Kaspersky Labs
⋅
APT trends report Q3 2020 WellMail EVILNUM Janicab Poet RAT AsyncRAT Ave Maria Cobalt Strike Crimson RAT CROSSWALK Dtrack LODEINFO MoriAgent Okrum PlugX POISONPLUG Rover ShadowPad SoreFang Winnti |
| 2020-05-31
⋅
Twitter (ShadowChasing1)
⋅
Tweet on DTRACK malware Dtrack |
| 2020-04-16
⋅
VMWare Carbon Black
⋅
The Evolution of Lazarus HOTCROISSANT Rifdoor |
| 2020-03-03
⋅
PWC UK
⋅
Cyber Threats 2019:A Year in Retrospect KevDroid MESSAGETAP magecart AndroMut Cobalt Strike CobInt Crimson RAT DNSpionage Dridex Dtrack Emotet FlawedAmmyy FlawedGrace FriedEx Gandcrab Get2 GlobeImposter Grateful POS ISFB Kazuar LockerGoga Nokki QakBot Ramnit REvil Rifdoor RokRAT Ryuk shadowhammer ShadowPad Shifu Skipper StoneDrill Stuxnet TrickBot Winnti ZeroCleare APT41 MUSTANG PANDA Sea Turtle |
| 2020-02-25
⋅
SentinelOne
⋅
DPRK Hidden Cobra Update: North Korean Malicious Cyber Activity ARTFULPIE BISTROMATH BUFFETLINE CHEESETRAY HOPLIGHT HOTCROISSANT SLICKSHOES |
| 2020-02-19
⋅
Lexfo
⋅
The Lazarus Constellation A study on North Korean malware FastCash AppleJeus BADCALL Bankshot Brambul Dtrack Duuzer DYEPACK ELECTRICFISH HARDRAIN Hermes HOPLIGHT Joanap KEYMARBLE Kimsuky MimiKatz MyDoom NACHOCHEESE NavRAT PowerRatankba RokRAT Sierra(Alfa,Bravo, ...) Volgmer WannaCryptor |
| 2020-02-14
⋅
US-CERT
⋅
Malware Analysis Report (AR20-045A): MAR-10265965-1.v1 - North Korean Trojan: BISTROMATH BISTROMATH |
| 2020-02-13
⋅
Qianxin
⋅
APT Report 2019 Chrysaor Exodus Dacls VPNFilter DNSRat Griffon KopiLuwak More_eggs SQLRat AppleJeus BONDUPDATER Agent.BTZ Anchor AndroMut AppleJeus BOOSTWRITE Brambul Carbanak Cobalt Strike Dacls DistTrack DNSpionage Dtrack ELECTRICFISH FlawedAmmyy FlawedGrace Get2 Grateful POS HOPLIGHT Imminent Monitor RAT jason Joanap KerrDown KEYMARBLE Lambert LightNeuron LoJax MiniDuke PolyglotDuke PowerRatankba Rising Sun SDBbot ServHelper Snatch Stuxnet TinyMet tRat TrickBot Volgmer X-Agent Zebrocy |
| 2019-12-12
⋅
FireEye
⋅
Cyber Threat Landscape in Japan – Revealing Threat in the Shadow Cerberus TSCookie Cobalt Strike Dtrack Emotet Formbook IcedID Icefog IRONHALO Loki Password Stealer (PWS) PandaBanker PLEAD POISONPLUG TrickBot BlackTech |
| 2019-11-29
⋅
Trend Micro
⋅
Operation ENDTRADE: Finding Multi-Stage Backdoors that TICK Datper Lilith |
| 2019-11-21
⋅
Cyberbit
⋅
Dtrack: In-depth analysis of APT on a nuclear power plant Dtrack |
| 2019-11-04
⋅
Marco Ramilli's Blog
⋅
Is Lazarus/APT38 Targeting Critical Infrastructures? Dtrack |
| 2019-11-03
⋅
Github (jeFF0Falltrades)
⋅
DTrack Dtrack |
| 2019-09-23
⋅
Kaspersky Labs
⋅
Hello! My name is Dtrack Dtrack |
| 2019-09-19
⋅
GitHub (werkamsus)
⋅
Lilith Lilith |
| 2018-06-23
⋅
AhnLab
⋅
Full Discloser of Andariel, A Subgroup of Lazarus Threat Group PhanDoor Rifdoor |
| 2018-03-09
⋅
NCCIC
⋅
Malware Analysis Report Sharpknot SHARPKNOT |
| 2017-05-01
⋅
IssueMakersLab
⋅
Operation GoldenAxe Rifdoor |
| 2017-01-01
⋅
FSI
⋅
Campaign Rifle: Andariel, The Maiden of Anguish Rifdoor |
| 2014-02-24
⋅
RSA Conference
⋅
The Art of Attribution Identifying and Pursuing your Cyber Adversaries ANDROMEDA SPIDER APT19 DEXTOROUS SPIDER Ghost Jackal Silent Chollima SINGING SPIDER Tonto Team TOXIC PANDA UNION SPIDER |
| 2013-04-02
⋅
Dark South Korea Total War Review SHARPKNOT |