Maui
Maui is a ransomware family associated with North Korean state-sponsored cyber actors, most consistently linked in the provided content to Lazarus Group and its Andariel/Stonefly/APT45 sub-cluster. U.S. government reporting cited in the content states that DPRK actors have used Maui since at least May 2021, and CISA reported in 2022 that it was used to target the healthcare and public health sector. Multiple references describe Maui as custom-developed or bespoke ransomware historically built and deployed by Lazarus alongside other DPRK-linked ransomware families such as WannaCry and H0lyGh0st. The content also notes reporting that Andariel deployed Maui in at least one 2022 incident and that North Korean-backed Maui actors were tied to multiple cyberattacks against healthcare organizations. Targeting mentioned in the content includes healthcare and public health organizations, with additional references to activity affecting entities in South Korea, Japan, and the United States. The malware is discussed in the context of financially motivated DPRK operations, with joint government advisories stating that ransomware revenue supports broader North Korean state priorities and follow-on cyber operations. No specific Maui technical indicators or file-level IOCs are provided in the content beyond the malware name and its association with DPRK healthcare-sector ransomware activity.
Vulnerabilities exploited
3 CVEs Mallory has correlated with this family across public research and vendor advisories. Each row links to the full Mallory page for that vulnerability.
Recently observed CVEs that actors used to gain access include remote code execution in the Apache Log4j software library (known as Log4Shell)... Observed CVEs used include: CVE-2021-44228
Observed CVEs used include: ... CVE-2022-24990 ... The TerraMaster OS Unauthenticated Remote Command Execution via PHP Object Instantiation Vulnerability is characterized by scanning activity targeting a flaw...
Recently observed CVEs that actors used to gain access include ... remote code execution in unpatched SonicWall SMA 100 appliances... Observed CVEs used include: CVE-2021-20038
Groups observed using it
6 distinct threat actors attributed by public researchers. Open in Mallory to see the full evidence chain and overlapping campaigns.
Lazarus Group has historically built its own ransomware -- WannaCry (2017), Maui (2022), H0lyGh0st (2022).
Andariel was reported deploying their signature Maui ransomware on at least one occasion in 2022.
For more information on this ransomware activity, see... North Korean State-Sponsored Cyber Actors Use Maui Ransomware to Target the Healthcare and Public Health Sector.
"Maui ransomware, which has been used by North Korean state-sponsored cyber actors since at least May 2021 to target Healthcare and Public Health (HPH) Sector organizations."
North Korea has long been involved in ransomware attacks and has been previously associated with the Maui and Play ransomware families.
This CSA provides an overview of Democratic People’s Republic of Korea (DPRK) state-sponsored ransomware and updates the July 6, 2022, joint CSA North Korean State-Sponsored Cyber Actors Use Maui Ransomware to Target the Healthcare and Public Health Sector.
Techniques & procedures
9 distinct techniques documented for this family, organized by ATT&CK tactic.
Resource Development
2 techniques
Initial Access
3 techniques
"...remote code execution in unpatched SonicWall SMA 100 appliances [T1190 and T1133]."
"The other victim operated a vulnerable Weblogic server... compromised this server via the CVE-2017-10271 exploit."
"In one victim system, we discovered that a well-known simple HTTP server, HFS, had deployed the malware above. After an unknown exploit was used on a vulnerable HFS server and “whoami” was executed..."
Persistence
1 technique
Discovery
1 technique
Lateral Movement
1 technique
Impact
1 technique
In 2022, the U.S. Cybersecurity and Infrastructure Security Agency reported on North Korean state-sponsored actors' use of MAUI ransomware to target the healthcare and public health sectors. In 2021, Kaspersky reported on the identification of ransomware tracked by Mandiant as SHATTEREDGLASS, which has been used by suspected APT45 clusters.
Recent activity
34 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.
Referenced as a prior Lazarus-operated ransomware family historically built and controlled by the group.
Maui is cited as a ransomware family historically deployed by Lazarus Group.
Ransomware family previously associated (in the cited reporting) with North Korean state-backed activity.
Manually executed ransomware; uses AES-128 per file with RSA-protected keys (maui.key / maui.evd), XOR obfuscation derived from disk identifiers, and generates maui.log to support operator-side decryption workflows.