Andariel is a North Korean state-sponsored threat group that has been active since at least 2009. Andariel has primarily focused its operations--which have included destructive attacks--against South Korean government agencies, military organizations, and a variety of domestic companies; they have also conducted cyber financial operations against ATMs, banks, and cryptocurrency exchanges. Andariel's notable activity includes Operation Black Mine, Operation GoldenAxe, and Campaign Rifle.[1][2][3][4][5]

Andariel is considered a sub-set of Lazarus Group, and has been attributed to North Korea's Reconnaissance General Bureau.[6]

North Korean group definitions are known to have significant overlap, and some security researchers report all North Korean state-sponsored cyber activity under the name Lazarus Group instead of tracking clusters or subgroups.

ID: G0138
Associated Groups: Silent Chollima, PLUTONIUM, Onyx Sleet
Contributors: Kyoung-ju Kwak (S2W)
Version: 2.0
Created: 29 September 2021
Last Modified: 08 January 2024

Associated Group Descriptions

Name Description
Silent Chollima
Onyx Sleet

Techniques Used

Domain ID Name Use
Enterprise T1005 Data from Local System

Andariel has collected large numbers of files from compromised network systems for later extraction.[1]

Enterprise T1189 Drive-by Compromise

Andariel has used watering hole attacks, often with zero-day exploits, to gain initial access to victims within a specific IP range.[3][4]

Enterprise T1203 Exploitation for Client Execution

Andariel has exploited numerous ActiveX vulnerabilities, including zero-days.[1][2][4]

Enterprise T1592.002 Gather Victim Host Information: Software

Andariel has inserted a malicious script within compromised websites to collect potential victim information such as browser type, system language, Flash Player version, and other data.[4]

Enterprise T1590.005 Gather Victim Network Information: IP Addresses

Andariel has limited its watering hole attacks to specific IP address ranges.[3]

Enterprise T1105 Ingress Tool Transfer

Andariel has downloaded additional tools and malware onto compromised hosts.[3]

Enterprise T1027.003 Obfuscated Files or Information: Steganography

Andariel has hidden malicious executables within PNG files.[8][9]
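One defender-side check that follows from this entry, added here as an example and not code from the ATT&CK page or from any vendor report it cites: a PNG carrier that simply has an executable appended after the IEND chunk can be spotted by walking the chunk structure, verifying each chunk CRC, and measuring whatever bytes remain once IEND has been passed. The sample PNG and the appended MZ-style blob are constructed inline; the function names are this example's own.

```python
import struct
import zlib

PNG_SIGNATURE = b"\x89PNG\r\n\x1a\n"


def walk_chunks(data):
    """Parse PNG chunks up to and including IEND.

    Returns (chunks, end_offset) where each chunk is
    (type, offset, length, crc_ok) and end_offset is the first byte
    after IEND. Raises ValueError on a malformed or truncated file.
    """
    if not data.startswith(PNG_SIGNATURE):
        raise ValueError("not a PNG: bad signature")
    pos = len(PNG_SIGNATURE)
    chunks = []
    while pos + 8 <= len(data):
        length, ctype = struct.unpack(">I4s", data[pos:pos + 8])
        body = data[pos + 8:pos + 8 + length]
        crc_field = data[pos + 8 + length:pos + 12 + length]
        if len(body) != length or len(crc_field) != 4:
            raise ValueError("truncated chunk %r" % ctype)
        expected = zlib.crc32(ctype + body) & 0xFFFFFFFF
        crc_ok = expected == struct.unpack(">I", crc_field)[0]
        chunks.append((ctype, pos, length, crc_ok))
        pos += 12 + length
        if ctype == b"IEND":
            break
    else:
        raise ValueError("no IEND chunk found")
    return chunks, pos


def scan_png(data):
    """Summarise indicators a triage script would care about."""
    chunks, end = walk_chunks(data)
    trailing = data[end:]
    names = [c[0].decode("ascii", "replace") for c in chunks]
    return {
        "chunk_types": names,
        "bad_crc": [n for n, c in zip(names, chunks) if not c[3]],
        "trailing_bytes": len(trailing),
        # An appended PE image starts with the DOS header magic "MZ".
        "trailing_is_mz": trailing[:2] == b"MZ",
    }


def make_chunk(ctype, body):
    return (struct.pack(">I", len(body)) + ctype + body
            + struct.pack(">I", zlib.crc32(ctype + body) & 0xFFFFFFFF))


def build_sample_png():
    """Constructed 1x1 RGB PNG used as a clean baseline (not a real sample)."""
    ihdr = struct.pack(">IIBBBBB", 1, 1, 8, 2, 0, 0, 0)
    idat = zlib.compress(b"\x00\xff\x00\x00")  # filter byte + one red pixel
    return (PNG_SIGNATURE + make_chunk(b"IHDR", ihdr)
            + make_chunk(b"IDAT", idat) + make_chunk(b"IEND", b""))


CLEAN_PNG = build_sample_png()
# Constructed: a fake PE-looking blob appended after IEND to mimic the carrier pattern.
SUSPICIOUS_PNG = (CLEAN_PNG + b"MZ\x90\x00" + b"\x00" * 60
                  + b"This program cannot be run in DOS mode")

if __name__ == "__main__":
    for label, blob in (("clean", CLEAN_PNG), ("suspicious", SUSPICIOUS_PNG)):
        print(label, scan_png(blob))
```

Trailing data after IEND is only the cheapest variant of this technique; a payload can equally be carried inside an ancillary chunk (tEXt, zTXt, a private chunk type) or encoded into pixel data, so a fuller triage pass would also flag unexpectedly large ancillary chunks and unknown chunk types reported in `chunk_types`.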

Enterprise T1588.001 Obtain Capabilities: Malware

Andariel has used a variety of publicly available remote access Trojans (RATs) for its operations.[1]

Enterprise T1566.001 Phishing: Spearphishing Attachment

Andariel has conducted spearphishing campaigns that included malicious Word or Excel attachments.[3][8]

Enterprise T1057 Process Discovery

Andariel has used tasklist to enumerate processes and find a specific string.[9]

Enterprise T1049 System Network Connections Discovery

Andariel has used the netstat -naop tcp command to display TCP connections on a victim's machine.[9]
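The two discovery entries above (T1057 via tasklist, T1049 via netstat -naop tcp) are the kind of behaviour a process-creation detection rule catches. The following is an added example, not code from the ATT&CK page or from any referenced report: it parses a handful of constructed process-creation events in a simplified key=value form, tags command lines that match either discovery tool, and raises the severity when the parent is an Office application (the macro lure path listed under T1204.002 on this page) or when the output is piped through findstr to search for a specific string. The log format, the findstr pipe and the severity scheme are this example's own assumptions.

```python
import re
from dataclasses import dataclass


@dataclass
class ProcessEvent:
    parent: str
    image: str
    command_line: str


# Constructed sample events (simplified key=value form, not real telemetry).
SAMPLE_LOG = [
    r'parent=C:\Windows\explorer.exe image=C:\Windows\System32\notepad.exe cmd="notepad.exe notes.txt"',
    r'parent=C:\Windows\System32\cmd.exe image=C:\Windows\System32\tasklist.exe cmd="tasklist /v"',
    r'parent=C:\Windows\System32\cmd.exe image=C:\Windows\System32\NETSTAT.EXE cmd="netstat -naop tcp"',
    r'parent=C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE image=C:\Windows\System32\cmd.exe cmd="cmd.exe /c tasklist | findstr /i lsass"',
]

LINE_RE = re.compile(r'parent=(.*?) image=(.*?) cmd="(.*)"')

# ATT&CK technique IDs from this page mapped to the command-line pattern that evidences them.
DISCOVERY_PATTERNS = {
    "T1057": re.compile(r"\btasklist(?:\.exe)?\b", re.IGNORECASE),
    "T1049": re.compile(r"\bnetstat(?:\.exe)?\b", re.IGNORECASE),
}

# Parents that should not normally spawn command-line discovery tooling.
OFFICE_PARENTS = ("winword.exe", "excel.exe", "powerpnt.exe")


def parse_events(lines):
    """Turn raw log lines into ProcessEvent records; unparseable lines are skipped."""
    events = []
    for line in lines:
        m = LINE_RE.match(line)
        if m:
            events.append(ProcessEvent(*m.groups()))
    return events


def classify(event):
    """Return an alert dict for a discovery command, or None if the event is benign."""
    hits = [tid for tid, pat in DISCOVERY_PATTERNS.items() if pat.search(event.command_line)]
    if not hits:
        return None
    parent_name = event.parent.rsplit("\\", 1)[-1].lower()
    if parent_name in OFFICE_PARENTS:
        severity = "high"      # Office app spawning discovery: consistent with a macro lure
    elif re.search(r"\|\s*findstr\b", event.command_line, re.IGNORECASE):
        severity = "medium"    # output filtered for a specific string, as in the T1057 entry
    else:
        severity = "low"       # plain interactive use is common for administrators
    return {
        "techniques": hits,
        "severity": severity,
        "parent": parent_name,
        "command_line": event.command_line,
    }


def scan_log(lines):
    """Run every event through classify() and keep only the alerts."""
    return [alert for alert in map(classify, parse_events(lines)) if alert]


if __name__ == "__main__":
    for alert in scan_log(SAMPLE_LOG):
        print(alert)
```

Severity here leans on process lineage rather than on the tool name alone, because tasklist and netstat are legitimate administrative commands; the rule is meant to surface the unusual parent or the string-filtering pipe, not every invocation.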

Enterprise T1204.002 User Execution: Malicious File

Andariel has attempted to lure victims into enabling malicious macros within email attachments.[3]