The PolySwarm Blog

2024 Recap - North Korean Threat Actor Activity

Dec 13, 2024 2:20:52 PM / by The Hivemind

Executive Summary

This Threat Bulletin is part of PolySwarm’s 2024 Recap series. This report highlights the activity perpetrated by North Korea-based threat actors in 2024.

Key Takeaways

  • This report highlights the activity perpetrated by North Korea-based threat actors in 2024.
  • Threat actors featured in this report include Silent Chollima, Labyrinth Chollima, Velvet Chollima, Stardust Chollima, Ricochet Chollima, Famous Chollima, and Moonstone Sleet. 
  • PolySwarm tracked malware associated with multiple North Korea nexus threat actors in 2024. 

2024 North Korea Nexus Threat Actor Activity 

Silent Chollima

Silent Chollima, also known as Stonefly, Andariel, Onyx Sleet, TDrop2, and DarkSeoul, is a North Korean threat actor group that is reportedly an offshoot of Lazarus Group. The group has been active since at least 2009 and is known to conduct espionage operations on behalf of North Korea. They are linked to North Korea’s Reconnaissance General Bureau. More recently, the group has been observed conducting activities for financial gain. Verticals targeted by Silent Chollima include military, defense, engineering, technology, education, construction, manufacturing, gambling, and energy. Their targets are primarily located in India, South Korea, and the US. 

For initial access, Silent Chollima is known to use spearphishing. However, they have more recently moved to exploiting N-day vulnerabilities as well. For example, in late 2023, the group was observed exploiting the TeamCity vulnerability CVE-2023-42793, allowing them to perform remote code execution and obtain administrative control of the server.  

Silent Chollima has an extensive arsenal of custom tools and malware, regularly evolving its TTPs to adapt to changes in the threat landscape and evade detection. These custom tools range from RATs to ransomware. Custom malware associated with Silent Chollima includes but is not limited to Dtrack (Preft), Dora RAT, TigerRAT, SmallTiger, LightHand, and ValidAlpha. The group is also known to use open-source tools, including Sliver, RMM tools, SOCKS proxy tools, Ngrok, and masscan.

Activity

  • In July 2024, the US Department of Justice (DOJ) indicted an individual affiliated with Silent Chollima, and US agencies issued a joint cybersecurity advisory warning the group had been engaging in espionage to advance North Korea’s military and nuclear programs.
  • In August 2024, Silent Chollima was observed shifting TTPs. The group has traditionally focused on espionage operations targeting entities of high intelligence value but exhibited an increase in extortion and other financially motivated activities. 
  • Silent Chollima began using the Preft backdoor, also known as Dtrack and Valefor.

Labyrinth Chollima

Labyrinth Chollima, also known as Gleaming Pisces, AppleJeus, Nickel Academy, Hidden Cobra, Citrine Sleet, and UNC4736, is a state-sponsored threat actor group likely affiliated with Bureau 121 of North Korea’s Reconnaissance General Bureau. It has been active since at least 2018. The group’s members are reportedly trained in malware and espionage operations in Shenyang, China. Labyrinth Chollima is known for espionage activity, disruptive activity, and financially motivated attacks.

Last year, Labyrinth Chollima was observed weaponizing a backdoored UltraVNC client and using a trojanized version of the CyberLink app. Other malware associated with Labyrinth Chollima includes LightlessCan, KandyKorn, SugarLoader, and Hloader. In the past, the group has been observed engaging in supply chain attacks and attacks on cryptocurrency platforms.

Activity

  • In August 2024, Labyrinth Chollima was observed exploiting a security flaw in Chromium-based web browsers to deliver the FudModule rootkit.
  • In Q3 2024, Labyrinth Chollima was observed using poisoned Python packages to deliver PondRAT, a backdoor that targets macOS and Linux systems.
  • The threat actors were also observed using a new Linux variant of PoolRAT (SimpleSea).

Velvet Chollima

Velvet Chollima, also known as Kimsuky, Thallium, APT43, Emerald Sleet, Springtail, and Black Banshee, is a North Korean threat actor group thought to be an offshoot of Lazarus Group. They are associated with North Korea’s Reconnaissance General Bureau (RGB) and are potentially a part of the 5th Bureau. The group has been active since at least 2014 and typically conducts espionage campaigns.

Velvet Chollima’s targets have included government employees, think tanks, academics, and human rights organizations. They have also engaged in cybercrime activity, including stealing cryptocurrency, then using the proceeds from this illicit activity to fund espionage operations. The group uses a combination of social engineering and moderately sophisticated technical capabilities in its attacks.  

Activity

  • In an espionage campaign that began as early as February 2024, Velvet Chollima used trojanized software installation packages for TrustPKI and NX_PRNMAN to deliver Gomir malware. The campaign also delivered another new malware family, Troll Stealer.
  • In March 2024, Velvet Chollima used TRANSLATEXT to target academics in South Korea. 
  • In May 2024, US agencies issued a joint cybersecurity advisory warning that Velvet Chollima was exploiting weak DMARC security policies in an attempt to mask spearphishing efforts. 
  • Later in 2024, Velvet Chollima was observed using KLogEXE and FPSpy malware families in targeted attacks. 
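The DMARC weakness behind the May 2024 advisory is a published policy of p=none, which tells receiving mail servers only to report on, not quarantine or reject, mail that fails SPF/DKIM alignment, so a spoofed sender domain is still delivered. The following is an added example (not PolySwarm's code) that parses DMARC TXT records and grades how much spoofing protection each one actually enforces; the domains and records are constructed.

```python
# Constructed sample DMARC TXT records (not from the page). p=none is the weak
# setting the advisory warns about: it monitors but never blocks spoofed mail.
SAMPLE_RECORDS = {
    "weak.example":     "v=DMARC1; p=none; rua=mailto:dmarc@weak.example",
    "partial.example":  "v=DMARC1; p=quarantine; pct=25; rua=mailto:dmarc@partial.example",
    "strict.example":   "v=DMARC1; p=reject; sp=reject; rua=mailto:dmarc@strict.example",
    "nopolicy.example": None,  # no _dmarc TXT record published at all
}

def parse_dmarc(record):
    """Split a DMARC TXT record into a tag->value dict; returns {} if it is not DMARC."""
    if not record:
        return {}
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags if tags.get("v", "").upper() == "DMARC1" else {}

def assess_dmarc(record):
    """Classify a record as 'missing', 'weak', 'partial' or 'enforcing'."""
    tags = parse_dmarc(record)
    if not tags:
        return "missing"            # no policy: receivers apply no DMARC check
    policy = tags.get("p", "none").lower()
    try:
        pct = int(tags.get("pct", "100"))   # share of failing mail the policy applies to
    except ValueError:
        pct = 100
    if policy not in ("quarantine", "reject"):
        return "weak"               # p=none (or an unknown value): report only
    if pct < 100:
        return "partial"            # enforced, but only for a sample of messages
    return "enforcing"

def report(records):
    """Grade every domain in a {domain: record} mapping."""
    return {domain: assess_dmarc(rec) for domain, rec in records.items()}

if __name__ == "__main__":
    for domain, verdict in report(SAMPLE_RECORDS).items():
        print(f"{domain:18} {verdict}")
```

To check a real domain, feed the TXT record fetched from `_dmarc.<domain>` into `assess_dmarc`; anything other than "enforcing" means lookalike mail from that domain can reach inboxes.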

Stardust Chollima

Stardust Chollima, also known as BlueNoroff, TA444, APT38, BlackAlicanto, Copernicium, and Sapphire Sleet, is a North Korean threat actor group that is likely an offshoot of Lazarus Group. They are thought to be affiliated with Bureau 121 of the DPRK’s Reconnaissance General Bureau. The group is known for financially motivated activity, including targeting banks, casinos, cryptocurrency exchanges, ATMs, and SWIFT endpoints. Stardust Chollima has been observed using malware to target macOS systems, including RustBucket, KandyKorn, ObjCShellz, and SpectralBlur.

Activity

  • In January 2024, industry researchers reported on SpectralBlur, a backdoor used by Stardust Chollima. While SpectralBlur was first discovered in 2023, Stardust Chollima reportedly continued to use the backdoor in late 2023 and early 2024.

Ricochet Chollima

Ricochet Chollima, also known as APT37, Inky Squid, RedEyes, ScarCruft, and Reaper, is a North Korea nexus threat actor group. Ricochet Chollima has been active since at least 2012 and typically targets entities in South Korea. However, the group has also been known to target entities in Japan, Vietnam, the Middle East, and elsewhere. Targeted verticals include chemical, electronics, manufacturing, aerospace, automotive, and healthcare. Ricochet Chollima TTPs include Windows UAC bypass, C2 over HTTPS, SoundWave, Zumkong, an MBR wiper, RiceCurry, Flash exploits, steganography, Freenki, RokRAT, Bluelight, CoralDeck, Final1stspy, HappyWork, Karae, NavRAT, PoorAim, ShutterSpeed, SlowDrift, and WineRack.

Activity

  • In 2024, Ricochet Chollima was observed using .LNK files to distribute RokRAT. 
  • In Q3 2024, Ricochet Chollima was observed targeting entities in Southeast Asia with VeilShell RAT. This activity was part of the Shrouded#Sleep campaign. 
  • In October 2024, industry researchers reported Ricochet Chollima was leveraging CVE-2024-38178, a Microsoft zero-day browser vulnerability. 

Famous Chollima

Famous Chollima, also known as Bad Clone and UNC5267, is a North Korea nexus APT group. They have been active since at least 2018 and have the unusual tactic of seeking remote freelance or full-time equivalent (FTE) work and illegally funneling the salary money back to North Korea. Malware associated with Famous Chollima includes BeaverTail and InvisibleFerret. The group has reportedly targeted over 100 US-based employers.

Activity

  • In mid-2024, an individual associated with Famous Chollima reportedly stole proprietary data from a remote employer and demanded ransom for the stolen data.
  • In August 2024, Famous Chollima threat actors were observed targeting developers with malicious npm packages to deploy InvisibleFerret. 

Moonstone Sleet

In May 2024, Microsoft identified a North Korea nexus intrusion set known as Moonstone Sleet. The group was previously tracked as Storm-1789. Moonstone Sleet, which has been active since at least 2023, leverages a combination of commonly used North Korean threat actor TTPs, along with their own unique attack methodologies. The group appears to be driven by both financial gain and espionage objectives.  

When Moonstone Sleet activity was first observed, they were using TTPs that overlapped with those of Diamond Sleet/Lazarus Group. However, the group soon shifted to its own unique set of TTPs. Moonstone Sleet’s TTPs include setting up fake companies and job opportunities to lure potential targets, leveraging trojanized versions of legitimate tools, leveraging a malicious but otherwise fully functional game, and custom ransomware.

Moonstone Sleet has been observed using a trojanized version of PuTTY distributed via LinkedIn, Telegram, and other platforms to drop the SplitLoader payload. This technique is very similar to one previously used by Diamond Sleet. The group has also been observed leveraging projects containing malicious npm packages, distributed via LinkedIn and freelancing sites, to deliver malicious payloads.

Activity

  • From January to April 2024, Moonstone Sleet used the fake company StarGlow Ventures to target entities in the education and software development verticals with email communications. 
  • Moonstone Sleet was observed as early as February 2024 using a malicious tank game to infect devices. The fully functional game was known as DeTankWar and was presented as a blockchain related project. 
  • Moonstone Sleet’s custom ransomware, known as FakePenny, was observed in the wild as early as April 2024.
  • In May 2024, Microsoft reported on Moonstone Sleet. 

Tracking North Korea Nexus Threat Actor Activity With PolySwarm

PolySwarm tracked malware associated with the following North Korea nexus threat actors in 2024:

  • Silent Chollima
  • Labyrinth Chollima
  • Velvet Chollima
  • Stardust Chollima
  • Moonstone Sleet

You can use the following CLI command to search for all samples associated with a particular threat actor in our portal:

$ polyswarm link list -t ThreatActorName

Contact us at hivemind@polyswarm.io | Check out our blog | Subscribe to our reports.

Topics: Threat Bulletin, North Korea, Asia, APAC, 2024, Recap