The Andariel hacking group, a notorious entity linked to North Korea, has recently shifted its focus towards financially motivated attacks on U.S. organizations. This pivot, observed in August 2024, marks a significant change in the group’s operational strategy, raising concerns among cybersecurity experts and organizations alike.
Background of Andariel
Andariel, considered a sub-cluster of the notorious Lazarus Group, is also known as APT45, DarkSeoul, Nickel Hyatt, Onyx Sleet (previously Plutonium), Operation Troy, Silent Chollima, and Stonefly. They’ve been active since at least 2009.
Operating under North Korea’s Reconnaissance General Bureau (RGB), Andariel is notorious for deploying ransomware strains like SHATTEREDGLASS and Maui, and developing custom backdoors such as Dtrack (aka Valefor and Preft), TigerRAT, Black RAT (aka ValidAlpha), Dora RAT, and LightHand.
They also use lesser-known tools like a data wiper called Jokra and an advanced implant named Prioxer for exchanging commands and data with a command-and-control (C2) server.
In July 2024, a North Korean military intelligence operative from Andariel was indicted by the U.S. Department of Justice (DoJ) for ransomware attacks on healthcare facilities, using the proceeds to co
[…]
Content was cut in order to protect the source.Please visit the source for the rest of the article.