Threat Actor

Andariel

andariel · north_korea · active since 2009

Andariel (Silent Chollima / Onyx Sleet / PLUTONIUM / APT45 / Stonefly / Clasiopa / DarkSeoul / Jumpy Pisces / Nickel Hyatt / Wassonite / G0138) is a DPRK state-sponsored cyber actor attributed to the Reconnaissance General Bureau 3rd Bureau (Pyongyang and Sinuiju, per CISA AA24-207A, July 2024). It has been active since at least 2009, was formally OFAC-sanctioned in September 2019 alongside Lazarus and Bluenoroff, and was upgraded to APT-grade designation by Mandiant in July 2024 as APT45.

Among DPRK state actors, Andariel occupies a uniquely dual-mission posture: sustained nuclear-and-military intellectual-property collection for DPRK weapons-program advancement, supplemented by ransomware-as-revenue operations against US healthcare and critical infrastructure.

Its mission evolved across three generations: from destructive South Korean operations (Ten Days of Rain 2011; DarkSeoul / Operation Troy, March 2013, wiping ~32,000 systems; the November 2014 Sony Pictures destructive attack under the 'Guardians of Peace' persona), through South Korean defense and ICS reconnaissance, to current global espionage against US, Japanese, Indian, and South Korean defense, aerospace, nuclear, and engineering targets for IP theft directly supporting DPRK missile and nuclear programs.

The ransomware-as-state-revenue mission uniquely distinguishes Andariel: Maui ransomware against US healthcare in 2021-2022 (CISA AA22-187A), SHATTEREDGLASS, and, as of October 2024, operation as a Play ransomware affiliate (Palo Alto Unit 42 disclosure of the Jumpy Pisces / Play collaboration, the first publicly documented case of a DPRK state cluster integrating with a Western criminal ransomware operation).

The July 25, 2024 US DOJ indictment of named DPRK Andariel operator Rim Jong Hyok (US$10 million State Department reward) formalized US criminal attribution.

Tradecraft hallmarks include heavy exploitation of public-facing web-server vulnerabilities (Log4Shell, ManageEngine, PaperCut, ActiveMQ, Ivanti, per CISA AA24-207A), web-shell deployment, the TigerRAT / BlackRemote / Rifledoor / Andarat / DTrack / Durian implant family, and steganographic BMP-image RAT delivery (Malwarebytes, April 2021).

Attribution: north_korea (confidence: high) · 30 aliases · MITRE ATT&CK G0138

Profile

Andariel (Silent Chollima / Onyx Sleet / PLUTONIUM / APT45 / Stonefly / Clasiopa / DarkSeoul / Jumpy Pisces / Nickel Hyatt / Wassonite / Operation Troy / Guardians of Peace overlap / WHOis Team / G0138) is a DPRK state-sponsored cyber actor attributed to the Reconnaissance General Bureau (RGB) 3rd Bureau and based in Pyongyang and Sinuiju per the July 25, 2024 CISA AA24-207A joint advisory. Active since at least 2009, Andariel was formally upgraded to APT-grade designation by Mandiant in July 2024 as APT45, and US Treasury OFAC designated the cluster in September 2019 alongside Lazarus and Bluenoroff. Among DPRK state actors, Andariel occupies a uniquely dual-mission posture: sustained nuclear-and-military intellectual-property collection for DPRK weapons-program advancement, supplemented by ransomware-as-revenue operations against US healthcare and critical infrastructure to fund espionage operations. Targeting evolved across three distinct generations:

Phase I (2009-2014): destructive attacks against South Korean government, financial, and broadcast targets (Ten Days of Rain 2011; DarkSeoul / Operation Troy, March 2013, wiping ~32,000 systems across South Korean banks and broadcasters; contributing activity in the November 2014 Sony Pictures destructive attack under the 'Guardians of Peace' persona).

Phase II (2015-2021): South Korean defense, financial, and ICS reconnaissance with ActiveX zero-day capability, and gradual expansion to financial-cluster operations.

Phase III (2022-2026): global espionage against US, Japanese, Indian, and South Korean defense, aerospace, nuclear, and engineering entities for IP theft directly supporting DPRK missile and nuclear programs, with the ransomware-as-revenue model running in parallel.

The ransomware-as-state-revenue mission is uniquely distinguishing: Andariel deployed Maui ransomware against US healthcare organizations in 2021-2022 (CISA AA22-187A, July 2022), SHATTEREDGLASS ransomware in subsequent campaigns, and as of October 2024 began operating as a Play ransomware affiliate (Palo Alto Unit 42 disclosure), the first publicly documented case of a DPRK state-sponsored cluster collaborating directly with a Western criminal ransomware operation. Distinct from APT38/Bluenoroff's SWIFT and cryptocurrency-exchange financial-heist mission, Andariel's financial-cyber operations target operational ransomware extortion of healthcare and critical infrastructure, blending state-actor capability with criminal-ecosystem revenue mechanics. The July 25, 2024 US DOJ indictment of named DPRK Andariel operator Rim Jong Hyok for healthcare ransomware operations (US$10 million State Department reward) formalized US criminal attribution.

Tradecraft hallmarks:

(a) heavy exploitation of public-facing web-server vulnerabilities (Log4Shell, ManageEngine, PaperCut, ActiveMQ, Ivanti) for initial access, per CISA AA24-207A;
(b) web-shell deployment as the dominant persistence pattern;
(c) TigerRAT, BlackRemote, Rifledoor, Phandoor, and the Andarat / DTrack / Durian implant family;
(d) steganographic RAT delivery via BMP images (Malwarebytes, April 2021);
(e) targeting of defense and engineering project documentation (contract specifications, bills of materials, design drawings, engineering documents) of both military and dual-use application value;
(f) the Maui / SHATTEREDGLASS / Play ransomware-as-revenue capability set;
(g) state-criminal ecosystem integration (October 2024 Play affiliate operations).

Note on DPRK cluster boundaries: Andariel's relationship to the broader Lazarus umbrella, APT38/Bluenoroff, and Kimsuky remains a matter of vendor taxonomy. MITRE tracks G0138 (Andariel) separately from G0032 (Lazarus) and G0082 (APT38). Mandiant's APT45 designation specifically separates the cluster from broader Lazarus naming. Functional mission specialization, nuclear/military IP collection plus ransomware revenue, is consistent across all taxonomies.

Aliases

30 aliases: andariel · silent chollima · plutonium · onyx sleet · apt45 · apt 45 · apt-45 · stonefly · clasiopa · dark seoul · darkseoul · operation troy · operation_troy · wassonite · jumpy pisces · nickel hyatt · guardian of peace · guardians of peace · gop · whois team · who is team · rgb 3rd bureau · rgb third bureau · reconnaissance general bureau · lab 110 · bureau 121 · dprk · maui_operators · shatteredglass_operators · g0138

Notable Campaigns

12 campaigns
2024 · CISA AA24-207A, North Korea Cyber Group Conducts Global Espionage Campaign (July 25, 2024)
2024 · Mandiant APT45 Designation (July 25, 2024)
2024 · Andariel / Play Ransomware Collaboration (Palo Alto Unit 42, October 2024)
2024 · US DOJ Indictment of DPRK Andariel Operator (July 2024)
2023-2024 · Stonefly US Engineering and Aerospace Targeting (Symantec, 2023-2024)
2021-2022 · Maui Ransomware Against US Healthcare (2021-2022)
2019 · US Treasury OFAC Sanctions on Andariel (September 13, 2019)
2017-2018 · Spear-Phishing of South Korean Defense Sector (2017-2018)
2017 · Industrial Control Systems Reconnaissance (2017)
2014 · Sony Pictures Attack, Guardians of Peace (November 2014)
2013 · DarkSeoul / Operation Troy / Jokra Wiper (March 20, 2013)
2011 · Ten Days of Rain (March 2011)

Attribution & Reporting

Attributed by
FBI · CISA · NSA · US Cyber Command · US Department of Justice · US Department of Treasury · US Department of Treasury OFAC · US Department of State · US Department of Defense · US Army · UK NCSC · Republic of Korea NIS · Republic of Korea KISA · Republic of Korea NCSC · Japan NPA · Five Eyes · Microsoft · Mandiant · FireEye · Google Cloud Threat Intelligence · CrowdStrike · Kaspersky GReAT · Symantec / Broadcom · Cisco Talos · Trend Micro · SentinelOne · Palo Alto Networks Unit 42 · ESET · AhnLab ASEC · Recorded Future · Insikt Group · SecureWorks · Malwarebytes · PWC · HHS HC3
Key reporting
CISA AA24-207A: North Korea Cyber Group Conducts Global Espionage Campaign (July 25, 2024)
CISA AA22-187A: North Korean State-Sponsored Cyber Actors Use Maui Ransomware to Target the Healthcare and Public Health Sector (July 6, 2022)
Mandiant: APT45, North Korea's Digital Military Machine (July 25, 2024)
Microsoft: Onyx Sleet Uses Array of Malware to Gather Intelligence for North Korea (July 25, 2024)
Symantec Threat Hunter Team: Stonefly, North Korean Group Targets Engineering Firms for IP Theft (multiple, 2023-2024)
Kaspersky GReAT: Andariel Deploys DTrack and Maui Ransomware (August 2022)
Kaspersky GReAT: The Andariel Cluster of the Lazarus Group (May 2023)
Trend Micro: New Andariel Reconnaissance Tactics Uncovered (July 2018)
Palo Alto Networks Unit 42: Jumpy Pisces Play Ransomware Collaboration (October 2024)
Malwarebytes: Lazarus APT Conceals Malicious Code Within BMP Image to Drop Its RAT (April 2021)
ESET: Lazarus Luring Employees with Trojanized Coding Challenges, Spanish Aerospace Case Study (October 2023)
US DOJ: USA v. Rim Jong Hyok Indictment (July 25, 2024)
US State Department Rewards for Justice: Rim Jong Hyok US$10M Reward (July 2024)
FBI Wanted Notice: Rim Jong Hyok
US Treasury OFAC SM-774: Sanctions Designations of Andariel, Lazarus, Bluenoroff (September 13, 2019)
CrowdStrike: Silent Chollima Adversary Profile
HHS HC3: North Korean State-Sponsored Cyber Actors TTPs
Council on Foreign Relations: Andariel Cyber Operations Tracker
EuRepoC: APT Profile, Andariel

Operational

State sponsor

Democratic People's Republic of Korea (DPRK), Reconnaissance General Bureau (RGB) 3rd Bureau, based in Pyongyang and Sinuiju per the CISA AA24-207A July 2024 joint advisory. Formally designated by US Treasury OFAC September 13, 2019 sanctions naming Andariel, Lazarus, and Bluenoroff as DPRK state-sponsored malicious cyber groups. Mission specialization: nuclear and military intellectual property collection for DPRK weapons programs, supplemented by ransomware-as-revenue operations against healthcare and critical infrastructure.

Motivations
espionage, intelligence_gathering, military_intellectual_property_theft, nuclear_program_collection, weapons_development_collection, financial_theft, ransomware_revenue, regime_funding, sanctions_evasion, destructive_attacks, regime_objectives, opportunistic_destruction

Detection Blind Spots

60 mapped techniques
Across this actor's 60 mapped techniques, the share covered by each detection layer. Low bars are where you'd be blind if this actor targeted you.
Behavioral / log (Sigma): 54/60 · 90%
Analytics (MITRE CAR): 34/60 · 56%
Runtime / container (Falco): 5/60 · 8%
File / malware (YARA): 0/60 · 0%
Network (Suricata/Snort): 14/60 · 23%
Vuln scan (Nuclei): 0/60 · 0%

Atomic Test Plan

30 techniques
Runnable Atomic Red Team tests covering this actor's mapped techniques; validate your detections against this specific adversary and cross-reference the blind spots above. For authorized lab / purple-team use.

Tools Used

11 mapped
Other tooling / TTPs (curation, not ATT&CK-mapped):
MAUI · MAUI RANSOMWARE · MBR KILLER · METERPRETER · SHATTEREDGLASS · SHATTEREDGLASS RANSOMWARE
threatengine.sh  ·  Open-source threat intelligence platform  ·  100+ authoritative sources  ·  Every fact traces to its origin