The sub-techniques beta is now live! Read the release blog post for more info.


APT38 is a financially-motivated threat group that is backed by the North Korean regime. The group mainly targets banks and financial institutions and has targeted more than 16 organizations in at least 13 countries since at least 2014.[1]

North Korean group definitions are known to have significant overlap, and the name Lazarus Group is known to encompass a broad range of activity. Some organizations use the name Lazarus Group to refer to any activity attributed to North Korea.[2] Some organizations track North Korean clusters or groups such as Bluenoroff,[3] APT37, and APT38 separately, while other organizations may track some activity associated with those group names by the name Lazarus Group.

ID: G0082
Version: 1.1
Created: 29 January 2019
Last Modified: 04 October 2019

Techniques Used

Domain ID Name Use
Enterprise T1115 Clipboard Data

APT38 used a Trojan called KEYLIME to collect data from the clipboard.[1]

Enterprise T1059 Command-Line Interface

APT38 has used a command-line tunneler, NACHOCHEESE, to give them shell access to a victim’s machine.[1]

Enterprise T1485 Data Destruction

APT38 has used a custom secure delete function to make deleted files unrecoverable.[1]

Enterprise T1486 Data Encrypted for Impact

APT38 has used Hermes ransomware to encrypt files with AES256.[1]

Enterprise T1487 Disk Structure Wipe

APT38 has used a custom MBR wiper named BOOTWRECK to render systems inoperable.[1]

Enterprise T1189 Drive-by Compromise

APT38 has conducted watering holes schemes to gain initial access to victims.[1]

Enterprise T1107 File Deletion

APT38 has used a utility called CLOSESHAVE that can securely delete a file from the system.[1]

Enterprise T1070 Indicator Removal on Host

APT38 clears Window Event logs and Sysmon logs from the system.[1]

Enterprise T1056 Input Capture

APT38 used a Trojan called KEYLIME to capture keystrokes from the victim’s machine.[1]

Enterprise T1112 Modify Registry

APT38 uses a tool called CLEANTOAD that has the capability to modify Registry keys.[1]

Enterprise T1057 Process Discovery

APT38 leveraged Sysmon to understand the processes, services in the organization.[1]

Enterprise T1105 Remote File Copy

APT38 used a backdoor, NESTEGG, that has the capability to download and upload files to and from a victim’s machine.[1]

Enterprise T1494 Runtime Data Manipulation

APT38 has used DYEPACK.FOX to manipulate PDF data as it is accessed to remove traces of fraudulent SWIFT transactions from the data displayed to the end user.[1]

Enterprise T1045 Software Packing

APT38 has used several code packing methods such as Themida, Enigma, VMProtect, and Obsidium, to pack their implants.[1]

Enterprise T1071 Standard Application Layer Protocol

APT38 used a backdoor, QUICKRIDE, to communicate to the C2 server over HTTP and HTTPS.[1]

Enterprise T1492 Stored Data Manipulation

APT38 has used DYEPACK to create, delete, and alter records in databases used for SWIFT transactions.[1]

Enterprise T1049 System Network Connections Discovery

APT38 installed a port monitoring tool, MAPMAKER, to print the active TCP connections on the local system.[1]

Enterprise T1529 System Shutdown/Reboot

APT38 has used a custom MBR wiper named BOOTWRECK, which will initiate a system reboot after wiping the victim's MBR.[1]

Enterprise T1493 Transmitted Data Manipulation

APT38 has used DYEPACK to manipulate SWIFT messages en route to a printer.[1]


ID Name References Techniques
S0334 DarkComet [1] Audio Capture, Clipboard Data, Command-Line Interface, Disabling Security Tools, Input Capture, Masquerading, Modify Registry, Process Discovery, Registry Run Keys / Startup Folder, Remote Desktop Protocol, Remote File Copy, Scripting, Software Packing, Standard Application Layer Protocol, System Information Discovery, System Owner/User Discovery, Video Capture
S0002 Mimikatz [1] Account Manipulation, Credential Dumping, Credentials in Files, DCShadow, Pass the Hash, Pass the Ticket, Private Keys, Security Support Provider, SID-History Injection
S0039 Net [1] Account Discovery, Create Account, Network Share Connection Removal, Network Share Discovery, Password Policy Discovery, Permission Groups Discovery, Remote System Discovery, Service Execution, System Network Connections Discovery, System Service Discovery, System Time Discovery, Windows Admin Shares