G0082: APT38
APT38 is a North Korean state-sponsored threat group that specializes in financial cyber operations; it has been attributed to the Reconnaissance General Bureau.[1] Active since at least 2014, APT38 has targeted banks, financial institutions, casinos, cryptocurrency exchanges, SWIFT system endpoints, and ATMs in at least 38 countries worldwide. Significant operations include the 2016 Bank of Bangladesh heist, during which APT38 stole $81 million, as well as attacks against Bancomext [2] and Banco de Chile [2]; some of their attacks have been destructive.[1][2][3][4]
North Korean group definitions are known to have significant overlap, and some security researchers report all North Korean state-sponsored cyber activity under the name Lazarus Group instead of tracking clusters or subgroups.
Analyst context for executives and security teams
APT38 matters because ATT&CK describes it as a North Korean state-sponsored group focused on financial cyber operations, with reported targeting of banks, financial institutions, casinos, cryptocurrency exchanges, SWIFT endpoints, and ATMs across many countries. For leaders, the business issue is not only theft risk; the official description also notes destructive attacks, making resilience, transaction integrity, credential protection, and recovery readiness central concerns.
Executive priority
Prioritize APT38-relevant readiness where financial transaction systems, payment infrastructure, cryptocurrency operations, ATM/SWIFT-connected environments, or high-value financial workflows exist. Executives should ask whether the organization can prove control coverage for credential theft, remote access tooling, discovery, persistence, command execution, web-based command-and-control, local data collection, and destructive wiping scenarios. This object is also useful for audit and board discussions because it links financial crime risk to concrete ATT&CK behaviors and recovery requirements.
Technical view
MITRE provides no standalone detection text for APT38, so SOC and IR teams should validate coverage through the related software and techniques. Relationship context includes Windows-focused tooling such as Mimikatz, Net, DarkComet, HOPLIGHT, ECCENTRICBANDWAGON, PowerShell, Windows Command Shell, Scheduled Task, and Windows credential/collection behaviors, plus cross-platform behaviors such as process injection, file deletion, timestomping, web protocol C2, local data collection, and KillDisk on Windows/Linux. Detection engineering should map alerts and hunts to the behaviors rather than relying on the group name or aliases alone.
Likely telemetry
- Endpoint process creation and command-line telemetry for PowerShell, cmd, Net, scheduled tasks, renamed utilities, and suspicious script execution
- Windows security, authentication, credential access, and LSASS/credential-dumping relevant events where collected
- EDR telemetry for process injection, packed executables, remote access tools, keylogging indicators, and suspicious parent-child process chains
- File system telemetry for file deletion, timestomping, unusual executable names, local data staging, and disk-wiping indicators
- Network telemetry for HTTP/HTTPS or other web-protocol command-and-control patterns, unusual external destinations, and suspicious beaconing
Detection direction
- Do not build coverage around the name APT38 alone; tune around the related ATT&CK behaviors and known aliases such as BeagleBoyz, Bluenoroff, Stardust Chollima, Sapphire Sleet, COPERNICIUM, and NICKEL GLADSTONE for intelligence correlation.
- Validate whether credential dumping, keylogging, remote access Trojan behavior, and discovery activity can be detected before transaction manipulation or destructive actions occur.
- Tune command-line analytics for administrative tools such as Net, PowerShell, cmd, scheduled tasks, and cron with context to reduce false positives from legitimate administration.
- Hunt for stealth patterns including packed binaries, process injection, renamed legitimate utilities, file deletion, and timestomping; these may be missed by signature-only controls.
- Review network detections for web-protocol C2 that blends into normal HTTP/S traffic, with allowlist and business-context tuning to manage false positives.
Mitigation priorities
- Start with identity and privilege controls: reduce standing privileged access, harden administrative paths to financial systems, and monitor credential access attempts.
- Harden and monitor endpoints that support payment, SWIFT, ATM, cryptocurrency, and financial operations, especially Windows systems reflected in several related tools and techniques.
- Restrict and log administrative scripting and scheduling mechanisms such as PowerShell, cmd, scheduled tasks, cron, and Net usage according to business need.
- Improve segmentation and monitoring around financial transaction infrastructure so discovery, lateral movement preparation, and remote access activity have fewer paths to critical systems.
- Maintain tested offline or otherwise resilient backups and recovery procedures for systems where destructive wiping would affect business continuity.
Analyst notes and limits
The official ATT&CK entry identifies APT38 as a North Korean state-sponsored group attributed to the Reconnaissance General Bureau and focused on financial cyber operations. It also notes overlap in North Korean group naming, with some researchers reporting related activity under Lazarus Group instead of separate clusters or subgroups. That naming ambiguity makes behavior-based detection and intelligence normalization important.
ATT&CK does not provide detection text, explicit tactics, or platforms for the APT38 intrusion-set object itself. Platform and tactic guidance here is derived only from supplied relationship context to software and techniques. Local relevance depends on whether the organization operates financial transaction systems, SWIFT/ATM infrastructure, cryptocurrency platforms, or similar high-value financial environments.
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
Techniques used
This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.
| Domain | ID | Name | Relationship / procedure |
|---|---|---|---|
| Enterprise | T1486 | Data Encrypted for Impact | APT38 has used Hermes ransomware to encrypt files with AES256. (Citation: FireEye APT38 Oct 2018) |
| Enterprise | T1055 | Process Injection | APT38 has injected malicious payloads into the `explorer.exe` process. (Citation: 1 - appv) |
| Enterprise | T1033 | System Owner/User Discovery | APT38 has identified primary users, currently logged in users, sets of users that commonly use a system, or inactive users. (Citation: CISA AA20-239A BeagleBoyz August 2020) |
| Enterprise | T1112 | Modify Registry | APT38 uses a tool called CLEANTOAD that has the capability to modify Registry keys. (Citation: FireEye APT38 Oct 2018) |
| Enterprise | T1049 | System Network Connections Discovery | APT38 installed a port monitoring tool, MAPMAKER, to print the active TCP connections on the local system. (Citation: FireEye APT38 Oct 2018) |
| Enterprise | T1070.004 | File Deletion Sub-technique | APT38 has used a utility called CLOSESHAVE that can securely delete a file from the system. They have also removed malware, tools, or other non-native files used during the intrusion to reduce their footprint or as part of the post-intrusion cleanup process. (Citation: FireEye APT38 Oct 2018) (Citation: CISA AA20-239A BeagleBoyz August 2020) |
| Enterprise | T1036.006 | Space after Filename Sub-technique | APT38 has put several spaces before a file extension to avoid detection and suspicion. (Citation: 1 - appv) |
| Enterprise | T1056.001 | Keylogging Sub-technique | APT38 used a Trojan called KEYLIME to capture keystrokes from the victim's machine. (Citation: FireEye APT38 Oct 2018) |
| Enterprise | T1518.001 | Security Software Discovery Sub-technique | APT38 has identified security software, configurations, defensive tools, and sensors installed on a compromised system. (Citation: CISA AA20-239A BeagleBoyz August 2020) (Citation: 1 - appv) |
| Enterprise | T1543.003 | Windows Service Sub-technique | APT38 has installed a new Windows service to establish persistence. (Citation: CISA AA20-239A BeagleBoyz August 2020) |
| Enterprise | T1548.002 | Bypass User Account Control Sub-technique | APT38 has used the legitimate application `ieinstal.exe` to bypass UAC. (Citation: 1 - appv) |
| Enterprise | T1189 | Drive-by Compromise | APT38 has conducted watering hole schemes to gain initial access to victims. (Citation: FireEye APT38 Oct 2018) (Citation: CISA AA20-239A BeagleBoyz August 2020) |
| Enterprise | T1083 | File and Directory Discovery | APT38 has enumerated files and directories, or searched in specific locations within a compromised host. (Citation: CISA AA20-239A BeagleBoyz August 2020) |
| Enterprise | T1059.003 | Windows Command Shell Sub-technique | |
| Enterprise | T1140 | Deobfuscate/Decode Files or Information | APT38 has used the RC4 algorithm to decrypt configuration data. (Citation: 1 - appv) |
| Enterprise | T1059.005 | Visual Basic Sub-technique | APT38 has used VBScript to execute commands and other operational tasks. (Citation: CISA AA20-239A BeagleBoyz August 2020) (Citation: 1 - appv) |
| Enterprise | T1529 | System Shutdown/Reboot | APT38 has used a custom MBR wiper named BOOTWRECK, which will initiate a system reboot after wiping the victim's MBR. (Citation: FireEye APT38 Oct 2018) |
| Enterprise | T1204.001 | Malicious Link Sub-technique | APT38 has used links to execute a malicious Visual Basic script. (Citation: 1 - appv) |
| Enterprise | T1071.001 | Web Protocols Sub-technique | APT38 used a backdoor, QUICKRIDE, to communicate with the C2 server over HTTP and HTTPS. (Citation: FireEye APT38 Oct 2018) |
| Enterprise | T1105 | Ingress Tool Transfer | |
| Enterprise | T1685 | Disable or Modify Tools | APT38 has unhooked DLLs to disable endpoint detection and response (EDR) or anti-virus (AV) tools. (Citation: 1 - appv) |
| Enterprise | T1027.002 | Software Packing Sub-technique | APT38 has used several code packing methods such as Themida, Enigma, VMProtect, and Obsidium to pack their implants. (Citation: FireEye APT38 Oct 2018) |
| Enterprise | T1217 | Browser Information Discovery | APT38 has collected browser bookmark information to learn more about compromised hosts, obtain personal information about users, and acquire details about internal network resources. (Citation: CISA AA20-239A BeagleBoyz August 2020) |
| Enterprise | T1685.005 | Clear Windows Event Logs Sub-technique | APT38 clears Windows Event logs and Sysmon logs from the system. (Citation: FireEye APT38 Oct 2018) |
| Enterprise | T1218.005 | Mshta Sub-technique | APT38 has used a renamed version of `mshta.exe` to execute malicious HTML files. (Citation: 1 - appv) |
| Enterprise | T1070.006 | Timestomp Sub-technique | APT38 has modified data timestamps to mimic files that are in the same folder on a compromised host. (Citation: CISA AA20-239A BeagleBoyz August 2020) |
| Enterprise | T1686 | Disable or Modify System Firewall | APT38 has created firewall exemptions on specific ports, including ports 443, 6443, 8443, and 9443. (Citation: CISA AA20-239A BeagleBoyz August 2020) |
| Enterprise | T1485 | Data Destruction | APT38 has used a custom secure delete function to make deleted files unrecoverable. (Citation: FireEye APT38 Oct 2018) |
| Enterprise | T1110 | Brute Force | APT38 has used brute force techniques to attempt account access when passwords are unknown or when password hashes are unavailable. (Citation: CISA AA20-239A BeagleBoyz August 2020) |
| Enterprise | T1135 | Network Share Discovery | APT38 has enumerated network shares on a compromised host. (Citation: CISA AA20-239A BeagleBoyz August 2020) |
| Enterprise | T1553.005 | Mark-of-the-Web Bypass Sub-technique | APT38 has used ISO and VHD files to deploy malware and to bypass Mark-of-the-Web (MOTW) security measures. (Citation: 1 - appv) |
| Enterprise | T1082 | System Information Discovery | APT38 has attempted to get detailed information about a compromised host, including the operating system, version, patches, hotfixes, and service packs. (Citation: CISA AA20-239A BeagleBoyz August 2020) |
| Enterprise | T1565.002 | Transmitted Data Manipulation Sub-technique | APT38 has used DYEPACK to manipulate SWIFT messages en route to a printer. (Citation: FireEye APT38 Oct 2018) |
| Enterprise | T1686.002 | Network Device Firewall Sub-technique | APT38 has created firewall exemptions on specific ports, including ports 443, 6443, 8443, and 9443. (Citation: CISA AA20-239A BeagleBoyz August 2020) |
| Enterprise | T1561.002 | Disk Structure Wipe Sub-technique | APT38 has used a custom MBR wiper named BOOTWRECK to render systems inoperable. (Citation: FireEye APT38 Oct 2018) |
| Enterprise | T1036.003 | Rename Legitimate Utilities Sub-technique | APT38 has renamed system utilities, such as `rundll32.exe` and `mshta.exe`, to avoid detection. (Citation: 1 - appv) |
| Enterprise | T1690 | Prevent Command History Logging | APT38 has prepended a space to all of their terminal commands to operate without leaving traces in the HISTCONTROL environment. (Citation: CISA AA20-239A BeagleBoyz August 2020) |
| Enterprise | T1053.005 | Scheduled Task Sub-technique | |
| Enterprise | T1588.002 | Tool Sub-technique | |
| Enterprise | T1505.003 | Web Shell Sub-technique | APT38 has used web shells for persistence or to ensure redundant access. (Citation: CISA AA20-239A BeagleBoyz August 2020) |
| Enterprise | T1115 | Clipboard Data | APT38 used a Trojan called KEYLIME to collect data from the clipboard. (Citation: FireEye APT38 Oct 2018) |
| Enterprise | T1218.011 | Rundll32 Sub-technique | APT38 has used `rundll32.exe` to execute binaries, scripts, and Control Panel Item files and to execute code via proxy to avoid triggering security tools. (Citation: CISA AA20-239A BeagleBoyz August 2020) (Citation: 1 - appv) |
| Enterprise | T1565.003 | Runtime Data Manipulation Sub-technique | APT38 has used DYEPACK.FOX to manipulate PDF data as it is accessed to remove traces of fraudulent SWIFT transactions from the data displayed to the end user. (Citation: FireEye APT38 Oct 2018) |
| Enterprise | T1583.001 | Domains Sub-technique | APT38 has created fake domains to imitate legitimate venture capital or bank domains. (Citation: 1 - appv) |
| Enterprise | T1106 | Native API | APT38 has used the Windows API to execute code within a victim's system. (Citation: CISA AA20-239A BeagleBoyz August 2020) |
| Enterprise | T1218.001 | Compiled HTML File Sub-technique | APT38 has used CHM files to move concealed payloads. (Citation: Kaspersky Lazarus Under The Hood APR 2017) |
| Enterprise | T1204.002 | Malicious File Sub-technique | |
| Enterprise | T1565.001 | Stored Data Manipulation Sub-technique | APT38 has used DYEPACK to create, delete, and alter records in databases used for SWIFT transactions. (Citation: FireEye APT38 Oct 2018) |
| Enterprise | T1005 | Data from Local System | APT38 has collected data from a compromised host. (Citation: CISA AA20-239A BeagleBoyz August 2020) |
| Enterprise | T1059.001 | PowerShell Sub-technique | APT38 has used PowerShell to execute commands and other operational tasks. (Citation: CISA AA20-239A BeagleBoyz August 2020) |
| Enterprise | T1053.003 | Cron Sub-technique | APT38 has used cron to create pre-scheduled and periodic background jobs on a Linux system. (Citation: CISA AA20-239A BeagleBoyz August 2020) |
| Enterprise | T1566.001 | Spearphishing Attachment Sub-technique | APT38 has conducted spearphishing campaigns using malicious email attachments. (Citation: CISA AA20-239A BeagleBoyz August 2020) |
| Enterprise | T1218.007 | Msiexec Sub-technique | APT38 has used `msiexec.exe` to execute malicious files. (Citation: 1 - appv) |
| Enterprise | T1569.002 | Service Execution Sub-technique | APT38 has created new services or modified existing ones to run executables, commands, or scripts. (Citation: CISA AA20-239A BeagleBoyz August 2020) |
| Enterprise | T1480.002 | Mutual Exclusion Sub-technique | APT38 has created a mutex to avoid duplicate execution. (Citation: 1 - appv) |
| Enterprise | T1057 | Process Discovery | APT38 leveraged Sysmon to understand the processes and services in the organization. (Citation: FireEye APT38 Oct 2018) |
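The "Detection direction" list above and several procedure rows in this table (renamed `mshta.exe` and `rundll32.exe`, spaces padded before a file extension, firewall exemptions on ports 443, 6443, 8443 and 9443, PowerShell and cmd usage) describe behaviours that can be checked from ordinary process-creation telemetry. The following is an added example, not code from the ATT&CK page, MITRE or Glexia: it runs a small rule set over constructed Sysmon-style Event ID 1 records. The record layout (`Image`, `OriginalFileName`, `CommandLine`, `ParentImage`), the sample events and the severity labels are assumptions for illustration; the technique IDs are the ones in the table.

```python
"""Rule-based triage of process-creation events for APT38-style behaviours.

Added example; not part of the ATT&CK page or any MITRE/Glexia tooling.
Events are constructed, simplified Sysmon-like Event ID 1 records (dicts).
Field names follow Sysmon's, but the events themselves are made up here.
"""
import re

# Signed utilities the page's rows name as renamed or used as execution proxies.
# Keys are the lower-cased OriginalFileName values Sysmon reports (assumed list).
LOLBINS = {
    "mshta.exe": "T1218.005", "rundll32.exe": "T1218.011",
    "msiexec.exe": "T1218.007", "powershell.exe": "T1059.001",
    "cmd.exe": "T1059.003",
}

# Ports the page's firewall-exemption rows report (T1686 / T1686.002).
WATCH_PORTS = {"443", "6443", "8443", "9443"}

# Whitespace squeezed between the visible name and the real extension (T1036.006).
SPACE_BEFORE_EXT = re.compile(r"\S\s+\.[A-Za-z0-9]{1,4}$")


def basename(path: str) -> str:
    """Last path component, accepting either separator."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1]


def netsh_ports(cmdline: str) -> set[str]:
    """Local ports named in a `netsh advfirewall firewall add rule` command line."""
    lowered = cmdline.lower()
    if "advfirewall" not in lowered or "add rule" not in lowered:
        return set()
    m = re.search(r"localport=([\d,\-]+)", cmdline, re.IGNORECASE)
    return set(m.group(1).split(",")) if m else set()


def triage(event: dict) -> list[dict]:
    """Return findings for one event, highest-confidence rules first."""
    findings = []
    image = basename(event.get("Image", ""))
    original = event.get("OriginalFileName", "").lower()
    cmd = event.get("CommandLine", "")

    # T1036.003: OriginalFileName comes from the PE version resource and survives a
    # rename on disk, so a mismatch with the on-disk name is the signal.
    if original in LOLBINS and image.lower() != original:
        findings.append({"technique": "T1036.003", "severity": "high",
                         "detail": f"{original} running as {image!r}"})

    # T1036.006: padding before the real extension.
    if SPACE_BEFORE_EXT.search(image):
        findings.append({"technique": "T1036.006", "severity": "high",
                         "detail": f"space before extension in {image!r}"})

    # T1686: a new allow rule on a port the intrusion reporting associates with C2.
    hit = netsh_ports(cmd) & WATCH_PORTS
    if hit:
        findings.append({"technique": "T1686", "severity": "medium",
                         "detail": "firewall allow rule for port(s) " + ",".join(sorted(hit))})

    # Context only: scripting hosts and proxy-execution binaries are common in
    # legitimate administration, so they are recorded at low severity for tuning.
    if original in LOLBINS:
        findings.append({"technique": LOLBINS[original], "severity": "low",
                         "detail": f"{original} invoked: {cmd}"})
    return findings


def summarize(events: list[dict]) -> dict[str, int]:
    """Count how many events raised each technique across a batch."""
    counts: dict[str, int] = {}
    for ev in events:
        for f in triage(ev):
            counts[f["technique"]] = counts.get(f["technique"], 0) + 1
    return counts


# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\System32\svchost.exe", "OriginalFileName": "svchost.exe",
     "CommandLine": "svchost.exe -k netsvcs", "ParentImage": r"C:\Windows\System32\services.exe"},
    {"Image": r"C:\Users\Public\update.exe", "OriginalFileName": "MSHTA.EXE",
     "CommandLine": r"update.exe C:\Users\Public\page.hta", "ParentImage": r"C:\Windows\explorer.exe"},
    {"Image": r"C:\Users\alice\Downloads\Invoice.pdf        .exe", "OriginalFileName": "",
     "CommandLine": "Invoice.pdf        .exe", "ParentImage": r"C:\Windows\explorer.exe"},
    {"Image": r"C:\Windows\System32\netsh.exe", "OriginalFileName": "netsh.exe",
     "CommandLine": "netsh advfirewall firewall add rule name=svc dir=in action=allow protocol=TCP localport=8443",
     "ParentImage": r"C:\Windows\System32\cmd.exe"},
    {"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe", "OriginalFileName": "PowerShell.EXE",
     "CommandLine": "powershell.exe -NoProfile Get-Service", "ParentImage": r"C:\Windows\explorer.exe"},
]

if __name__ == "__main__":
    for i, ev in enumerate(SAMPLE_EVENTS):
        for f in triage(ev):
            print(f"event {i}: {f['technique']} [{f['severity']}] {f['detail']}")
    print(summarize(SAMPLE_EVENTS))
```

The rename check depends on the sensor recording the PE's original file name, which is why the "Likely telemetry" section's EDR and Sysmon-style process data matters more than plain 4688 events; the low-severity findings exist so the PowerShell, cmd and rundll32 noise described under "Detection direction" can be baselined per host or parent process rather than alerted on directly.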
Groups, software, and campaigns
S0593: ECCENTRICBANDWAGON
ECCENTRICBANDWAGON is a remote access Trojan (RAT) used by North Korean cyber actors that was first identified in August 2020. It is a reconnaissance tool, with keylogging and screen capture functionality, used for information gathering on compromised systems.[1]
S0039: Net
The Net utility is a component of the Windows operating system. It is used in command-line operations for control of users, groups, services, and network connections.[1]
Net has a great deal of functionality,[2] much of which is useful for an adversary, such as gathering system and network information for Discovery, moving laterally through SMB/Windows Admin Shares using `net use` commands, and interacting with services. The `net1.exe` utility is executed for certain functionality when `net.exe` is run and can be used directly in commands such as `net1 user`.
S0376: HOPLIGHT
S0002: Mimikatz
S0607: KillDisk
KillDisk is a disk-wiping tool designed to overwrite files with random data to render the OS unbootable. It was first observed as a component of BlackEnergy malware during cyber attacks against Ukraine in 2015. KillDisk has since evolved into stand-alone malware used by a variety of threat actors against additional targets in Europe and Latin America; in 2016 a ransomware component was also incorporated into some KillDisk variants.[1][2][3][4]
S0334: DarkComet
All related ATT&CK context
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE's own release notes and roadmap, see ATT&CK resources: Updates.
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 3.1 | | Current bundle | 093f161abc03… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
[1] CISA AA20-239A BeagleBoyz August 2020. DHS/CISA. (2020, August 26). FASTCash 2.0: North Korea's BeagleBoyz Robbing Banks. Retrieved September 29, 2021.
[2] FireEye APT38 Oct 2018. FireEye. (2018, October 03). APT38: Un-usual Suspects. Retrieved November 17, 2024.
[3] DOJ North Korea Indictment Feb 2021. Department of Justice. (2021, February 17). Three North Korean Military Hackers Indicted in Wide-Ranging Scheme to Commit Cyberattacks and Financial Crimes Across the Globe. Retrieved June 9, 2021.
[4] Kaspersky Lazarus Under The Hood Blog 2017. GReAT. (2017, April 3). Lazarus Under the Hood. Retrieved April 17, 2019.
[5] APT38 (Citation: FireEye APT38 Oct 2018)
[6] BeagleBoyz (Citation: CISA AA20-239A BeagleBoyz August 2020)
[7] Bluenoroff (Citation: Kaspersky Lazarus Under The Hood Blog 2017)
[8] COPERNICIUM (Citation: Microsoft Threat Actor Naming July 2023)
[9] CrowdStrike GTR 2021 June 2021. CrowdStrike. (2021, June 7). CrowdStrike 2021 Global Threat Report. Retrieved September 29, 2021.
[10] CrowdStrike Stardust Chollima Profile April 2018. Meyers, Adam. (2018, April 6). Meet CrowdStrike's Adversary of the Month for April: STARDUST CHOLLIMA. Retrieved September 29, 2021.
[11] Microsoft Threat Actor Naming July 2023. Microsoft. (2023, July 12). How Microsoft names threat actors. Retrieved November 17, 2023.
[12] NICKEL GLADSTONE (Citation: SecureWorks NICKEL GLADSTONE profile Sept 2021)
[13] Sapphire Sleet (Citation: Microsoft Threat Actor Naming July 2023)
[14] SecureWorks NICKEL GLADSTONE profile Sept 2021. SecureWorks. (2021, September 29). NICKEL GLADSTONE Threat Profile. Retrieved September 29, 2021.
[15] Stardust Chollima (Citation: CrowdStrike Stardust Chollima Profile April 2018) (Citation: CrowdStrike GTR 2021 June 2021)
[16] mitre-attack G0082
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.