North Korea75 malware familiesExploits CVEs in the wild

APT38

Also known asAPT38 (Bluenoroff)DangerousPasswordleeryturtlemasannickel tapestrysapphire sleetTA444

APT38 is a North Korean (DPRK) state-sponsored threat actor and a subgroup associated in the provided content with BlueNoroff and Lazarus. Reported aliases include BlueNoroff, BeagleBoyz, CageyChameleon, CryptoCore, DangerousPassword, Leery Turtle, Masan, Nickel Tapestry, Sapphire Sleet, TA444, and UNC1069. The content also notes TA444/BlueNoroff/Sapphire Sleet as a DPRK APT subgroup known for targeting cryptocurrencies since at least 2017, and states that UNC1069/CryptoCore may be the successor to what was previously tracked as APT38. The actor is strongly associated with financially motivated operations, especially cryptocurrency theft and major financial heists. The content explicitly cites North Korea’s APT38 as responsible for the 2016 Bank of Bangladesh heist that stole $81 million. Multiple cited reports align APT38/BlueNoroff/Sapphire Sleet/TA444 with cryptocurrency-focused intrusions and digital financial platform targeting. Observed tradecraft in the provided content includes establishing persistence by installing a new Windows service; file and directory discovery on compromised hosts; identifying primary, logged-in, common, and inactive users; command-and-control over HTTP and HTTPS; clipboard theft via the KEYLIME trojan; and phishing that attempts to lure victims into enabling malicious macros in email attachments. Additional reporting in the content aligns APT38 with clusters using sophisticated malware and intrusion chains targeting cryptocurrency organizations, including macOS-focused activity, multi-stage malware, and wallet-targeting operations. The content also states that PHANTOMPULSE tradecraft, targeting, and infrastructure align with DPRK-linked crypto-targeting clusters that include Lazarus, BlueNoroff, UNC5342, and APT38.

Are they targeting you?

Know when an actor pivots toward your sector

Mallory correlates actor tradecraft and target patterns against your stack, your sector, and your geography. See overlap before they land.

Start free trial

MITRE ATT&CK

Tradecraft

60 distinct techniques observed across reporting, grouped by tactic. Hover any cell for the evidence excerpt; click through for MITRE's full description.

14 of 15 tactics89 techniques×N= number of intelligence reports citing this technique

MITRE ATT&CK

TA0043

Reconnaissance

2 techniques

T1592

Gather Victim Host Information

T1598×2

Phishing for Information

TA0042

Resource Development

2 techniques

T1585

Establish Accounts

T1588

Obtain Capabilities

T1588.002

Tool

TA0001

Initial Access

4 techniques

T1078×3

Valid Accounts

T1078.004

Cloud Accounts

T1189×2

Drive-by Compromise

T1195×4

Supply Chain Compromise

T1195.001×2

Compromise Software Dependencies and Development Tools

T1195.002

Compromise Software Supply Chain

T1566×3

Phishing

T1566.002×2

Spearphishing Link

T1566.003

Spearphishing via Service

TA0002

Execution

4 techniques

T1053

Scheduled Task/Job

T1053.005

Scheduled Task

T1059

Command and Scripting Interpreter

T1059.001

PowerShell

T1059.002

AppleScript

T1059.003×2

Windows Command Shell

T1059.004

Unix Shell

T1059.007

JavaScript

T1203

Exploitation for Client Execution

T1204×2

User Execution

T1204.002×2

Malicious File

TA0003

Persistence

5 techniques

T1053

Scheduled Task/Job

T1053.005

Scheduled Task

T1078×3

Valid Accounts

T1078.004

Cloud Accounts

T1543

Create or Modify System Process

T1543.003

Windows Service

T1543.004

Launch Daemon

T1546

Event Triggered Execution

T1546.004

Unix Shell Configuration Modification

T1547

Boot or Logon Autostart Execution

TA0004

Privilege Escalation

8 techniques

T1053

Scheduled Task/Job

T1053.005

Scheduled Task

T1055×3

Process Injection

T1068

Exploitation for Privilege Escalation

T1078×3

Valid Accounts

T1078.004

Cloud Accounts

T1543

Create or Modify System Process

T1543.003

Windows Service

T1543.004

Launch Daemon

T1546

Event Triggered Execution

T1546.004

Unix Shell Configuration Modification

T1547

Boot or Logon Autostart Execution

T1548

Abuse Elevation Control Mechanism

T1548.002

Bypass User Account Control

T1548.003

Sudo and Sudo Caching

TA0005

Stealth

8 techniques

T1027

Obfuscated Files or Information

T1036×5

Masquerading

T1055×3

Process Injection

T1070

Indicator Removal

T1070.004×2

File Deletion

T1070.006×2

Timestomp

T1078×3

Valid Accounts

T1078.004

Cloud Accounts

T1497

Virtualization/Sandbox Evasion

T1564

Hide Artifacts

T1564.001×2

Hidden Files and Directories

T1620

Reflective Code Loading

TA0006

Credential Access

3 techniques

T1003

OS Credential Dumping

T1056

Input Capture

T1056.001

Keylogging

T1056.002

GUI Input Capture

T1649×2

Steal or Forge Authentication Certificates

TA0007

Discovery

5 techniques

T1033

System Owner/User Discovery

T1057×3

Process Discovery

T1082×2

System Information Discovery

T1083×2

File and Directory Discovery

T1497

Virtualization/Sandbox Evasion

TA0008

Lateral Movement

1 technique

T1021

Remote Services

TA0009

Collection

4 techniques

T1005×2

Data from Local System

T1056

Input Capture

T1056.001

Keylogging

T1056.002

GUI Input Capture

T1113

Screen Capture

T1115×2

Clipboard Data

TA0011

Command and Control

5 techniques

T1071×3

Application Layer Protocol

T1071.001×4

Web Protocols

T1090

Proxy

T1090.003

Multi-hop Proxy

T1102

Web Service

T1105×3

Ingress Tool Transfer

T1219×4

Remote Access Tools

TA0010

Exfiltration

2 techniques

T1041

Exfiltration Over C2 Channel

T1537

Transfer Data to Cloud Account

TA0040

Impact

1 technique

T1657

Financial Theft

ARSENAL

Associated malware families

75 malware families attributed to this actor across reporting.

FamilyContextEvidenceLast seen

RustBucketThe malicious PDF dropped a second-stage malware known as RUSTBUCKET which is a backdoor written in Rust that supports file execution.4Jun 14, 2026

icloudzAside from deploying a credential stealer that exfiltrates data via Telegram Bot API, the campaign also involved the icloudz backdoor that enabled further in-memory delivery of additional payloads.3Apr 18, 2026

PHANTOMPULSEElastic Security Labs published a comprehensive PHANTOMPULSE malware analysis highlighting advanced evasion strategies... The malicious agent retrieves its primary operational server locations through a decentralized blockchain C2 channel... AMSI, WLDP, and ETW are bypassed via a single shared HWBP primitive... the command dispatcher supports three functional injection techniques...3Jun 6, 2026

WAVESHAPER.V2These versions included a phantom dependency called "plain crypto js" that executed an obfuscated dropper during installation, deploying a cross platform Remote Access Trojan known as WAVESHAPER.V2 across Windows, macOS, and Linux systems.3Jun 12, 2026

AppleJeusThe joint cybersecurity analysis and MARs highlight the cyber threat North Korea – which is referred to by the U.S. government as HIDDEN COBRA – poses to cryptocurrency and identify malware and indicators of compromise related to the “AppleJeus” family of malware (the name given by the cybersecurity community to a family of North Korean malicious cryptocurrency applications that includes Celas Trade Pro, WorldBit-Bot, Union Crypto Trader, Kupay Wallet, CoinGo Trade, Dorusio, CryptoNeuro Trader, and Ants2Whale).2May 26, 2026

70 additional families tracked in Mallory.

WEAPONIZED

Associated vulnerabilities

3 CVEs this actor has used in observed campaigns. 3 of them exploited in the wild.

CVE-2025-9491Microsoft Windows LNK File UI Misrepresentation Remote Code Execution VulnerabilityIn the wildEvidence2

This detection identifies instances where Windows Explorer.exe spawns PowerShell or cmd.exe processes, particularly focusing on executions initiated by LNK files. This behavior is associated with the ZDI-CAN-25373 Windows shortcut zero-day vulnerability, where specially crafted LNK files are used to trigger malicious code execution through cmd.exe or powershell.exe. This technique has been actively exploited by multiple APT groups in targeted attacks through both HTTP and SMB delivery methods.

CVE-2024-4947Type Confusion RCE in Google Chrome V8In the wildEvidence1

Google released an update and thanked us for discovering this attack... CVE-2024-4947... The exploit contains code for two vulnerabilities: the first is used to gain the ability to read and write Chrome process memory from the JavaScript... CVE-2024-4947 ... is the vulnerability in this new compiler.

CVE-2026-33634Trivy supply chain compromise via malicious release and retagged GitHub ActionsIn the wildEvidence1

CERT-EU disclosed on April 2-3, 2026 that the European Commission's Europa web hosting platform on AWS was breached through the Trivy supply chain compromise (CVE-2026-33634). ... Entry vector: Supply chain via compromised Trivy (CVE-2026-33634) ... The CISA KEV remediation deadline for CVE-2026-33634 is now 5 days away (April 8, 2026).

IOCS

Observables

559 indicators attributed to this actor: domains, IPs, hashes, and other artifacts pulled from reporting. View more in app.

559 IOCsView more in app

Domains

231 total

••••••.com•••••••.ru••••••••.com•••••••••.net••••••••••.com•••••••••••.ru••••••••••••.com••••••.ru+223

hash.md5

78 total

••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••+70

hash.sha256

71 total

••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••+63

hash.sha1

68 total

••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••+60

uri

58 total

••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••+50

ip.v4

53 total

••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••+45

IOC values are gated. View more in Mallory for domains, IPs, hashes, and other artifacts, or pipe them straight into your SIEM.

ACTIVITY FEED

Recent activity

20 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.

20 SOURCESView more in app

security online infoNews

Jun 6, 2026

PHANTOMPULSE Malware Analysis: Blockchain C2 Channel

DPRK-aligned crypto-targeting intrusion cluster referenced as sharing tradecraft, targeting, and infrastructure characteristics with the PHANTOMPULSE activity.

cyber security newsNews

Jun 2, 2026

PHANTOMPULSE RAT Uses Process Injection and UAC Bypass to Compromise Windows Systems

Referenced as a DPRK-linked group whose known patterns match the PHANTOMPULSE campaign, especially cryptocurrency wallet targeting.

lazarusholic blueskyNews

May 31, 2026

Post by @lazarusholic.bsky.social - Bluesky

Targeting macOS in a multi-stage intrusion campaign.

the hacker newsNews

May 28, 2026

JINX-0164 Targets Cryptocurrency Firms with Fake Recruiter Lures and macOS Malware

Referenced as a North Korean threat cluster with tradecraft similar to the observed campaign, especially around cryptocurrency and developer targeting.

+190 more in the timeline

What this page doesn’t show

The version that knows your environment.

This page is what’s public. Mallory adds the parts that aren’t: sector and geo overlap with your footprint, the IOCs they’re burning right now, detection coverage, and what to do next.

Start free trial

Target overlap

Match sector + geo + tech-stack targeting against your real footprint.

Tradecraft mapping60

Every observed MITRE ATT&CK technique, grouped by tactic.

Malware arsenal75

Families this actor is known to deploy, with IOCs and behavior.

Exploited CVEs3

CVEs this actor has used in known campaigns.

Detection signatures

YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.

Observables559

Domains, IPs, and hashes tied to this actor, refreshed continuously.