North Korean Malicious Cyber Activity

On February 17, 2021, CISA,  the Federal Bureau of Investigation (FBI), and the Department of the Treasury identified malware and other indicators of compromise used by the North Korean government to facilitate the theft of cryptocurrency—referred to by the U.S. Government as "AppleJeus." 

• February 17, 2021: Joint Cybersecurity Advisory: AppleJeus: Analysis of North Korea's Cryptocurrency Malware
  • February 17, 2021: Malware Analysis Report-10322463-1.v1: AppleJeus – Celas Trade Pro
  • February 17, 2021: Malware Analysis Report -10322463-2.v1: AppleJeus – JMT Trader
  • February 17, 2021: Malware Analysis Report -10322463-3.v1: AppleJeus – Union Crypto
  • February 17, 2021: Malware Analysis Report -10322463-4.v1: AppleJeus – Kupay Wallet
  • February 17, 2021: Malware Analysis Report -10322463-5.v1: AppleJeus – CoinGoTrade
  • February 17, 2021: Malware Analysis Report -10322463-6.v1: AppleJeus – Dorusio
  • February 17, 2021: Malware Analysis Report -10322463-7.v1: AppleJeus – Ants2Whale

The U.S. Government refers to malicious cyber activity by the North Korean government as HIDDEN COBRA. Users or administrators should flag associated activity, report the activity to CISA or FBI Cyber Watch (CyWatch), and give the activity the highest priority for enhanced mitigation.

See the listing below for previous Alerts and Malware Analysis Reports (MARs) on North Korea’s malicious cyber activities. 

• October 27, 2020: Joint CISA-CNMF-FBI Cybersecurity Advisory: North Korean Advanced Persistent Threat Focus: Kimsuky
• August 26, 2020: Joint Technical Alert (AA20-239A): FASTCash 2.0: North Korea's BeagleBoyz Robbing Banks
• August 26, 2020: Malware Analysis Report (10301706-1.v1): North Korean Remote Access Tool: ECCENTRICBANDWAGON
• August 26, 2020: Malware Analysis Report (10301706-2.v1): North Korean Remote Access Tool: VIVACIOUSGIFT
• August 26, 2020: Malware Analysis Report (10257062-1.v2): North Korean Remote Access Tool: FASTCASH for Windows
• August 19, 2020: Malware Analysis Report (10295134.r1.v1) – North Korean Remote Access Trojan: BLINDINGCAN
• May 12, 2020: Malware Analysis Report (1028834-1.v1) – North Korean Remote Access Tool: COPPERHEDGE
• May 12, 2020: Malware Analysis Report (1028834-2.v1) – North Korean Trojan: TAINTEDSCRIBE
• May 12, 2020: Malware Analysis Report (1028834-3.v1) – North Korean Trojan: PEBBLEDASH
• April 15, 2020 Alert: (AA20-106A) Guidance on the North Korean Cyber Threat
• February 14, 2020: Malware Analysis Report (10265965-1.v1) – North Korean Trojan: BISTROMATH
• February 14, 2020: Malware Analysis Report (10265965-2.v1) – North Korean Trojan: SLICKSHOES
• February 14, 2020: Malware Analysis Report (10265965-3.v1) – North Korean Trojan: CROWDEDFLOUNDER
• February 14, 2020: Malware Analysis Report (10271944-1.v1) – North Korean Trojan: HOTCROISSANT
• February 14, 2020: Malware Analysis Report (10271944-2.v1) – North Korean Trojan: ARTFULPIE
• February 14, 2020: Malware Analysis Report (10271944-3.v1) – North Korean Trojan: BUFFETLINE
• February 14, 2020: Malware Analysis Report (10135536-8.v4) – North Korean Trojan: HOPLIGHT
  (updates October 31, 2019: Malware Analysis Report (10135536-8) – North Korean Trojan: HOPLIGHT, which updated April 10, 2019: Malware Analysis Report (10135536-8) – North Korean Trojan: HOPLIGHT
• September 9, 2019: Malware Analysis Report (10135536-21) – North Korean Proxy Malware: ELECTRICFISH
  (updates May 9, 2019: Malware Analysis Report (10135536-21) – North Korean Tunneling Tool: ELECTRICFISH)
• September 9, 2019: Malware Analysis Report (10135536-10) – North Korean Trojan: BADCALL
  (updates February 13, 2018: Malware Analysis Report (MAR-10135536-G) – North Korean Trojan: BADCALL and STIX file for MAR-10135536-G)
• October 2, 2018: Alert TA18-275A - HIDDEN COBRA FASTCash Campaign
• October 2, 2018: Malware Analysis Report MAR-10201537 - HIDDEN COBRA FASTCash-Related Malware
• August 9, 2018: Malware Analysis Report (10135536-17) – North Korean Trojan: KEYMARBLE
• June 14, 2018: Malware Analysis Report (10135536-12) – North Korean Trojan: TYPEFRAME
• May 29, 2018: Alert: (TA18-149A) HIDDEN COBRA – Joanap Backdoor Trojan and Brambul Server Message Block Worm
• May 29, 2018: Malware Analysis Report (MAR-10135536-3) – HIDDEN COBRA RAT/Worm
• March 28, 2018: Malware Analysis Report (MAR-10135536.11) – North Korean Trojan: SHARPKNOT
  • STIX file for MAR-10135536.11
• February 13, 2018: Malware Analysis Report (MAR-10135536-F) – North Korean Trojan: HARDRAIN
  • STIX file for MAR-10135536-F
• December 21, 2017: Malware Analysis Report (MAR-10135536) – North Korean Trojan: BANKSHOT
  • STIX file for MAR-10135536
• November 14, 2017: Alert (TA17-318A) HIDDEN COBRA – North Korean Remote Administration Tool: FALLCHILL
• November 14, 2017: Alert (TA17-318B) HIDDEN COBRA – North Korean Trojan: Volgmer
• August 23, 2017: Malware Analysis Report (MAR-10132963) – Analysis of Delta Charlie Attack Malware
  • STIX file for MAR-10132963
• June 13, 2017: Alert (TA17-164A) HIDDEN COBRA – North Korea’s DDoS Botnet Infrastructure
• May 12, 2017: Alert (TA17-132A) Indicators Associated With WannaCry Ransomware