G0126: Higaisa
Higaisa is a threat group suspected to have South Korean origins. Higaisa has targeted government, public, and trade organizations in North Korea; however, they have also carried out attacks in China, Japan, Russia, Poland, and other nations. Higaisa was first disclosed in early 2019 but is assessed to have operated as early as 2009.[1][2][3]
Analyst context for executives and security teams
Higaisa is an ATT&CK group entry for a suspected South Korean-origin threat group reported against government, public, and trade organizations, especially related to North Korea, with activity also reported in several other countries. The decision value is not a single indicator or platform claim; it is the behavioral pattern: user-driven execution, client-side exploitation, scripting, remote access tools, obfuscation, scheduled persistence/transfer, discovery, and web-like command-and-control. For leaders, this makes Higaisa useful as a validation case for whether the organization can detect and investigate a targeted intrusion that blends common administration, scripting, and web traffic with RAT activity.
Executive priority
Prioritize Higaisa as a control-validation and readiness scenario for targeted intrusion against public-sector, trade, government-adjacent, or geopolitically exposed operations. The ATT&CK relationships point to business-relevant gaps: endpoint visibility for script and command execution, monitoring of scheduled tasks and masqueraded services, egress visibility for web-based or impersonated C2, and investigation readiness for PlugX, gh0st RAT, and certutil-related activity. Executives should ask whether SOC, IR, vulnerability management, and identity/endpoint teams can connect these signals into an incident narrative rather than treating each event as isolated noise.
Technical view
The group object has no official detection text and no platforms listed directly, so validation should be relationship-driven. ATT&CK links Higaisa to PlugX, gh0st RAT, certutil, malicious file execution, client exploitation, Windows command shell, Visual Basic, JavaScript, Native API execution, scheduled tasks, masqueraded tasks/services, process/system/network/time discovery, obfuscation and deobfuscation, web protocols, protocol/service impersonation, internal proxying, scheduled transfer, and exfiltration over C2. SOC teams should test whether endpoint, network, and proxy telemetry can correlate initial file/script execution with follow-on discovery, persistence, RAT-like behavior, and outbound C2-like traffic. Because several related techniques are common in legitimate administration, detections should emphasize unusual parent-child process chains, rare scheduled task names or descriptions, abnormal certutil use, suspicious script execution, unexpected outbound destinations, and timing patterns rather than single-event alerts alone.
Likely telemetry
- Endpoint process creation and command-line telemetry, especially cmd, scripting engines, certutil, and unusual parent-child process relationships
- Windows scheduled task and service creation/modification logs, including names, descriptions, paths, and run contexts
- File creation and modification telemetry for compressed, encoded, padded, or otherwise obfuscated payloads
- EDR or host telemetry for RAT-like execution patterns associated with PlugX or gh0st RAT where signatures or behavioral analytics are available
- Network, proxy, DNS, and TLS metadata for web-protocol C2, protocol/service impersonation, unusual beaconing, and outbound traffic to rare destinations
Detection direction
- Validate correlation across the intrusion chain: malicious file or exploit-driven execution followed by scripting/command shell activity, discovery, persistence, and outbound communications.
- Tune scheduled task and service detections for masquerading: compare task names, descriptions, binaries, paths, and publishers against known-good baselines to reduce administrator false positives.
- Review certutil monitoring for decoding, downloading, or handling suspicious artifacts, while accounting for legitimate certificate administration use.
- Do not treat web traffic as benign by default: inspect proxy/DNS/TLS metadata for rare destinations, periodicity, mismatched protocol behavior, or internal proxy patterns when content inspection is unavailable.
- Expect obfuscation to weaken hash-only controls; validate behavioral and file-analysis coverage for compressed, encoded, or padded payloads.
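As an added example (not part of the ATT&CK object or the Glexia analysis), the periodicity check suggested above, run over constructed proxy records keyed on source, destination and User-Agent; it also covers the T1029 pattern of a host identifier sent in the User-Agent at a fixed interval. Hostnames, IPs and the UUID-like identifier are constructed sample values.

```python
from collections import defaultdict
from statistics import mean, pstdev

# Constructed sample proxy log (not from any real incident):
# epoch_seconds src_ip dest_host user_agent
SAMPLE_LOG = """\
1700000000 10.0.0.5 update.example-cdn.test Mozilla/5.0 (Windows NT 10.0) Chrome/120.0
1700000000 10.0.0.7 files.example.test 4f3a9c1e-1b2d-4e7f-9a0b-0c1d2e3f4a5b
1700000600 10.0.0.7 files.example.test 4f3a9c1e-1b2d-4e7f-9a0b-0c1d2e3f4a5b
1700001200 10.0.0.7 files.example.test 4f3a9c1e-1b2d-4e7f-9a0b-0c1d2e3f4a5b
1700001800 10.0.0.7 files.example.test 4f3a9c1e-1b2d-4e7f-9a0b-0c1d2e3f4a5b
1700000120 10.0.0.5 update.example-cdn.test Mozilla/5.0 (Windows NT 10.0) Chrome/120.0
1700000900 10.0.0.5 update.example-cdn.test Mozilla/5.0 (Windows NT 10.0) Chrome/120.0
"""

def parse(log):
    """Group request timestamps by (src, host, user_agent) channel."""
    channels = defaultdict(list)
    for line in log.splitlines():
        ts, src, host, ua = line.split(" ", 3)  # UA may contain spaces
        channels[(src, host, ua)].append(int(ts))
    return channels

def looks_like_browser(ua):
    # Crude but useful triage signal: real browsers send Mozilla/ prefixed UAs,
    # a bare identifier (GUID, serial, hostname) in the UA field does not.
    return ua.startswith("Mozilla/")

def score_beacons(log, min_hits=4, max_jitter=0.1):
    """Return channels whose request spacing is regular (low relative jitter).
    non_browser_ua marks the stronger case where the UA is an identifier."""
    findings = []
    for (src, host, ua), stamps in parse(log).items():
        if len(stamps) < min_hits:   # too few requests to judge periodicity
            continue
        stamps.sort()
        gaps = [b - a for a, b in zip(stamps, stamps[1:])]
        avg = mean(gaps)
        if avg == 0:
            continue
        jitter = pstdev(gaps) / avg  # coefficient of variation of the gaps
        if jitter <= max_jitter:
            findings.append({"src": src, "host": host, "user_agent": ua,
                             "interval_s": round(avg), "jitter": round(jitter, 3),
                             "non_browser_ua": not looks_like_browser(ua)})
    return findings

if __name__ == "__main__":
    for f in score_beacons(SAMPLE_LOG):
        print(f)
```

In production, key on the TLS SNI or proxy destination rather than the hostname string alone, and raise min_hits to cover a full working day before alerting.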
Mitigation priorities
- Start with exposure reduction for client-side execution paths: keep client applications patched and prioritize vulnerability management where user-opened documents or files can lead to code execution.
- Harden endpoint execution controls around script interpreters, command shell abuse, suspicious document-launched processes, and unnecessary use of administrative utilities.
- Restrict and monitor scheduled task/service creation to appropriate administrative roles and maintain baselines for legitimate recurring tasks.
- Improve egress governance with proxy, DNS, and firewall controls that limit direct outbound access and provide logging for web-protocol C2 investigation.
- Maintain endpoint detection coverage for RAT behavior and for living-off-the-land utility abuse, including certutil where applicable.
Analyst notes and limits
This take is based on the official ATT&CK Higaisa group object and its supplied relationships. The strongest defensive value comes from the linked techniques and software rather than the group description alone. The object indicates historical reporting and targeting context, but defenders should avoid assuming local exposure or attribution without corroborating telemetry, intelligence, and incident evidence.
MITRE provides no official detection guidance for this group object, the group object itself lists no platforms or tactics, and the supplied relationships do not include procedure-level details here. Platform references are therefore inferred only from related software and technique records, not from a direct Higaisa platform field. Local baselines, asset exposure, regional/geopolitical relevance, and telemetry quality are required to turn this into detection coverage or risk conclusions.
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
Techniques used
This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.
| Domain | ID | Name | Relationship / procedure |
|---|---|---|---|
| Enterprise | T1059.005 | Visual Basic (sub-technique) | Higaisa has used VBScript code on the victim's machine. [3] |
| Enterprise | T1106 | Native API | Higaisa has called various native OS APIs. [2] |
| Enterprise | T1041 | Exfiltration Over C2 Channel | Higaisa exfiltrated data over its C2 channel. [2] |
| Enterprise | T1574.001 | DLL (sub-technique) | Higaisa's JavaScript file used a legitimate Microsoft Office 2007 package to side-load the |
| Enterprise | T1124 | System Time Discovery | Higaisa used a function to gather the current time. [2] |
| Enterprise | T1090.001 | Internal Proxy (sub-technique) | Higaisa discovered system proxy settings and used them if available. [2] |
| Enterprise | T1204.002 | Malicious File (sub-technique) | Higaisa used malicious e-mail attachments to lure victims into executing LNK files. [1][2] |
| Enterprise | T1027.013 | Encrypted/Encoded File (sub-technique) | Higaisa used Base64 encoded compressed payloads. [1][2] |
| Enterprise | T1053.005 | Scheduled Task (sub-technique) | Higaisa dropped and added |
| Enterprise | T1082 | System Information Discovery | Higaisa collected the system GUID and computer name. [3][1] |
| Enterprise | T1566.001 | Spearphishing Attachment (sub-technique) | Higaisa has sent spearphishing emails containing malicious attachments. [1][2] |
| Enterprise | T1071.001 | Web Protocols (sub-technique) | Higaisa used HTTP and HTTPS to send data back to its C2 server. [1][2] |
| Enterprise | T1001.003 | Protocol or Service Impersonation (sub-technique) | Higaisa used a FakeTLS session for C2 communications. [2] |
| Enterprise | T1203 | Exploitation for Client Execution | Higaisa has exploited CVE-2018-0798 for execution. [3] |
| Enterprise | T1029 | Scheduled Transfer | Higaisa sent the victim computer identifier in a User-Agent string back to the C2 server every 10 minutes. [3] |
| Enterprise | T1059.007 | JavaScript (sub-technique) | Higaisa used JavaScript to execute additional files. [1][2][3] |
| Enterprise | T1027.001 | Binary Padding (sub-technique) | Higaisa performed padding with null bytes before calculating its hash. [2] |
| Enterprise | T1027.015 | Compression (sub-technique) | Higaisa used Base64 encoded compressed payloads. [1][2] |
| Enterprise | T1220 | XSL Script Processing | Higaisa used an XSL file to run VBScript code. [3] |
| Enterprise | T1564.003 | Hidden Window (sub-technique) | Higaisa used a payload that creates a hidden window. [3] |
| Enterprise | T1573.001 | Symmetric Cryptography (sub-technique) | Higaisa used AES-128 to encrypt C2 traffic. [2] |
| Enterprise | T1680 | Local Storage Discovery | Higaisa collected the system volume serial number. [3][1] |
| Enterprise | T1547.001 | Registry Run Keys / Startup Folder (sub-technique) | Higaisa added a spoofed binary to the start-up folder for persistence. [1][2] |
| Enterprise | T1057 | Process Discovery | Higaisa's shellcode attempted to find the process ID of the current process. [2] |
| Enterprise | T1036.004 | Masquerade Task or Service (sub-technique) | Higaisa named a shellcode loader binary |
| Enterprise | T1016 | System Network Configuration Discovery | Higaisa used |
| Enterprise | T1059.003 | Windows Command Shell (sub-technique) | Higaisa used |
| Enterprise | T1140 | Deobfuscate/Decode Files or Information | Higaisa used certutil to decode Base64 binaries at runtime and a 16-byte XOR key to decrypt data. [1][2] |
Groups, software, and campaigns
- S0013: PlugX
- S0160: certutil
- S0032: gh0st RAT
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE's own release notes and roadmap, see ATT&CK resources: Updates.
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 1.2 | | Current bundle | df717a491055… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
- [1] Malwarebytes Higaisa 2020: Malwarebytes Threat Intelligence Team. (2020, June 4). New LNK attack tied to Higaisa APT discovered. Retrieved March 2, 2021.
- [2] Zscaler Higaisa 2020: Singh, S., Singh, A. (2020, June 11). The Return on the Higaisa APT. Retrieved March 2, 2021.
- [3] PTSecurity Higaisa 2020: PT ESC Threat Intelligence. (2020, June 4). COVID-19 and New Year greetings: an investigation into the tools and methods used by the Higaisa group. Retrieved March 2, 2021.
- [4] mitre-attack G0126: MITRE ATT&CK group object G0126.
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.