MITRE ATT&CK® Group

G0138: Andariel

Andariel is a North Korean state-sponsored threat group that has been active since at least 2009. Andariel has primarily focused its operations--which have included destructive attacks--against South Korean government agencies, military organizations, and a variety of domestic companies; they have also conducted cyber financial operations against ATMs, banks, and cryptocurrency exchanges. Andariel's notable activity includes Operation Black Mine, Operation GoldenAxe, and Campaign Rifle.[1][2][3][4][5]

Andariel is considered a sub-set of Lazarus Group, and has been attributed to North Korea's Reconnaissance General Bureau.[6]

North Korean group definitions are known to have significant overlap, and some security researchers report all North Korean state-sponsored cyber activity under the name Lazarus Group instead of tracking clusters or subgroups.

Enterprise | G0138 | Group | Object v2.0 | Modified
Glexia's Take

Analyst context for executives and security teams

Analyst confidence Medium

Andariel matters less as a name to memorize and more as a planning case for resilient defense against state-sponsored activity that has included destructive operations and financially motivated intrusions. MITRE describes it as a North Korean state-sponsored group, considered a subset of Lazarus Group, with historical focus on South Korean government, military, domestic companies, ATMs, banks, and cryptocurrency exchanges. For leaders, the practical question is whether email, browser/client exploit exposure, RAT activity, internal discovery, tool transfer, and sensitive-data collection would be visible quickly enough to support containment and business continuity decisions.

Executive priority

Prioritize Andariel as a threat-intelligence driver for sectors, geographies, or business processes exposed to government, military, financial, ATM, banking, or cryptocurrency risk. Because ATT&CK notes overlap in North Korean group naming, executive reporting should avoid over-investing in actor-label precision and instead ask whether controls and evidence cover the behaviors linked to this group: spearphishing attachments, drive-by/client exploitation, remote access tools, discovery, tool transfer, and data collection. This is also relevant to audit and incident readiness: can the organization prove patching, email controls, endpoint telemetry, egress monitoring, and IR playbooks are in place before a destructive or financially disruptive event?

Technical view

ATT&CK provides no specific detection text and no group-level platforms or tactics for Andariel, so SOC validation should be relationship-driven. Coverage should be tested against the listed techniques and software: gh0st RAT and Rifdoor RAT activity; spearphishing attachments and malicious files; drive-by compromise and exploitation for client execution; process and network-connection discovery; ingress tool transfer; data collection from local systems; steganography; and pre-compromise reconnaissance of IP addresses and software. Detection engineering should map these behaviors to local platforms actually present rather than assuming universal coverage from the group page.

Likely telemetry

  • Email security logs for attachments, sender reputation, attachment detonation, and user interaction with malicious files
  • Endpoint telemetry for process creation, script or document-spawned execution, file writes, local data access, and RAT-like persistence or remote-control behavior
  • Browser, web proxy, DNS, and network security logs for drive-by compromise indicators, unusual downloads, and command-and-control-like connections
  • Vulnerability and patch-management evidence for client applications exposed to exploitation for execution
  • Network flow, firewall, and proxy telemetry for ingress tool transfer and unusual outbound or internal connections

Detection direction

  • Do not build detections only around the Andariel name or aliases; ATT&CK notes North Korean group definitions overlap and some researchers group this activity under Lazarus Group.
  • Validate behavioral detections for the relationship set: malicious attachments leading to execution, client exploit execution, remote access tooling, discovery commands, local data access, and tool transfer.
  • Treat gh0st RAT with caution in attribution workflows because ATT&CK notes its source code is public and it has been used by multiple groups.
  • Tune false positives around administrator discovery activity, legitimate software deployment, and normal file transfer by adding user, host role, parent process, destination, and timing context.
  • Confirm visibility across the platforms actually in scope locally; the Andariel object itself does not specify platforms, while related techniques and software list varying platform coverage.
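As an added illustration of the tuning point in the list above (example code written for this page, not part of the ATT&CK object or of Glexia's tooling), the following Python scores the two discovery commands the relationship table links to this group (netstat -naop tcp under T1049, tasklist under T1057) against constructed process-creation events, adding the parent-process, host-role, user and timing context the list recommends. The event field names, the suspicious-parent list, the privileged-account set, the business-hours window and the alert threshold are all assumptions to be replaced with local inventory.

```python
"""Score discovery commands from process-creation telemetry with context.

Added example for this page; the event schema, parent list, admin accounts
and thresholds are assumptions, not vendor or ATT&CK fields.
"""
from datetime import datetime
import re

# Discovery commands tied to this group on the page: T1049 (netstat) and T1057 (tasklist).
DISCOVERY_PATTERNS = {
    "T1049": re.compile(r"\bnetstat\b", re.I),   # System Network Connections Discovery
    "T1057": re.compile(r"\btasklist\b", re.I),  # Process Discovery
}
# Assumed context: parents that should not be launching discovery tools (Office, script hosts).
SUSPICIOUS_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe",
                      "rundll32.exe", "mshta.exe", "wscript.exe", "cscript.exe"}
ADMIN_USERS = {"svc_ops"}        # assumption: from the local privileged-account inventory
BUSINESS_HOURS = range(7, 19)    # assumption: 07:00-18:59 local time
ALERT_THRESHOLD = 3

# Constructed sample events (field names are an assumption, not any vendor's schema).
EVENTS = [
    {"ts": "2024-03-04T10:12:00", "host": "WS-0142", "host_role": "workstation",
     "user": "j.park", "parent": "WINWORD.EXE", "cmd": "cmd.exe /c netstat -naop tcp"},
    {"ts": "2024-03-04T03:40:00", "host": "WS-0142", "host_role": "workstation",
     "user": "j.park", "parent": "rundll32.exe", "cmd": "tasklist /v | findstr /i update"},
    {"ts": "2024-03-04T14:05:00", "host": "JUMP-01", "host_role": "admin_jump",
     "user": "svc_ops", "parent": "powershell.exe", "cmd": "netstat -naop tcp"},
    {"ts": "2024-03-04T09:00:00", "host": "WS-0200", "host_role": "workstation",
     "user": "a.kim", "parent": "explorer.exe", "cmd": "notepad.exe report.docx"},
]


def score_event(ev):
    """Return None for non-discovery commands, else a dict with score, reasons and alert flag."""
    technique = next((tid for tid, pat in DISCOVERY_PATTERNS.items()
                      if pat.search(ev["cmd"])), None)
    if technique is None:
        return None
    score, reasons = 1, [f"{technique} command: {ev['cmd']}"]
    if ev["parent"].lower() in SUSPICIOUS_PARENTS:
        score += 3
        reasons.append(f"spawned by {ev['parent']}")
    if datetime.fromisoformat(ev["ts"]).hour not in BUSINESS_HOURS:
        score += 2
        reasons.append("outside business hours")
    # The page notes tasklist was used to find a specific string; a piped findstr is that pattern.
    if technique == "T1057" and re.search(r"\|\s*findstr\b", ev["cmd"], re.I):
        score += 1
        reasons.append("process list filtered for a specific string")
    # Expected administrator discovery is scored down rather than suppressed outright.
    if ev["host_role"] == "admin_jump" and ev["user"] in ADMIN_USERS:
        score -= 2
        reasons.append("privileged user on admin jump host (expected activity)")
    return {"host": ev["host"], "user": ev["user"], "technique": technique,
            "score": score, "reasons": reasons, "alert": score >= ALERT_THRESHOLD}


def triage(events):
    """Run every event through score_event and keep only those that reach the alert threshold."""
    return [r for r in map(score_event, events) if r and r["alert"]]


if __name__ == "__main__":
    for a in triage(EVENTS):
        print(f"{a['host']} {a['user']} {a['technique']} score={a['score']}: "
              + "; ".join(a["reasons"]))
```

Run as a script it prints two alerts (the Word-spawned netstat and the off-hours rundll32-spawned tasklist) and stays silent on the jump-host administrator and the benign notepad launch. The point of the design is that the command match alone is worth one point; it is the context fields that decide whether the event alerts, which is how the false-positive tuning the list describes is made explicit and reviewable.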

Mitigation priorities

  • Start with exposure reduction: maintain inventory of public IP addresses and externally visible software, and prioritize patching of client applications that could enable execution.
  • Harden initial access paths with email attachment controls, detonation, safe handling of document and executable file types, and user reporting workflows for suspicious attachments.
  • Strengthen endpoint prevention and monitoring for RAT behavior, suspicious process discovery, local data staging, and unauthorized tool downloads.
  • Improve egress controls, DNS/proxy monitoring, and network segmentation so remote access tools and ingress tool transfer are harder to sustain unnoticed.
  • Prepare IR and resilience plans for destructive or financially disruptive scenarios, especially where banking, ATM, cryptocurrency, government, or military operations are relevant.

Analyst notes and limits

This take is based on the supplied ATT&CK intrusion-set fields, external references, and relationships. The object identifies Andariel aliases and states it is North Korean state-sponsored, considered a subset of Lazarus Group, with historical operations including destructive attacks and cyber financial operations. The most useful defensive value comes from the linked behaviors and software rather than from actor naming alone.

ATT&CK provides no official detection guidance, no group-level platforms, and no group-level tactics for this object. Relationship context gives associated software and techniques, but local telemetry, environment scope, and incident evidence are required before assessing exposure, coverage, or attribution. This summary does not claim current active exploitation or confirmed targeting of any specific organization.

Official MITRE ATT&CK definition

View the same entry on attack.mitre.org (MITRE-hosted reference; in-page links above use the Glexia ATT&CK library.)

Glexia analysis

How security teams should use this page

Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.

ATT&CK relationship table

Techniques used

This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.

Domain | ID | Name | Relationship / procedure

Enterprise | T1049 | System Network Connections Discovery
    Andariel has used the netstat -naop tcp command to display TCP connections on a victim's machine. (Citation: Kaspersky Andariel Ransomware June 2021)

Enterprise | T1203 | Exploitation for Client Execution
    Andariel has exploited numerous ActiveX vulnerabilities, including zero-days. (Citation: FSI Andariel Campaign Rifle July 2017; IssueMakersLab Andariel GoldenAxe May 2017; TrendMicro New Andariel Tactics July 2018)

Enterprise | T1005 | Data from Local System
    Andariel has collected large numbers of files from compromised network systems for later extraction. (Citation: FSI Andariel Campaign Rifle July 2017)

Enterprise | T1590.005 | IP Addresses (sub-technique)
    Andariel has limited its watering hole attacks to specific IP address ranges. (Citation: AhnLab Andariel Subgroup of Lazarus June 2018)

Enterprise | T1189 | Drive-by Compromise
    Andariel has used watering hole attacks, often with zero-day exploits, to gain initial access to victims within a specific IP range. (Citation: AhnLab Andariel Subgroup of Lazarus June 2018; TrendMicro New Andariel Tactics July 2018)

Enterprise | T1057 | Process Discovery
    Andariel has used tasklist to enumerate processes and find a specific string. (Citation: Kaspersky Andariel Ransomware June 2021)

Enterprise | T1592.002 | Software (sub-technique)
    Andariel has inserted a malicious script within compromised websites to collect potential victim information such as browser type, system language, Flash Player version, and other data. (Citation: TrendMicro New Andariel Tactics July 2018)

Enterprise | T1588.001 | Malware (sub-technique)
    Andariel has used a variety of publicly available remote access Trojans (RATs) for its operations. (Citation: FSI Andariel Campaign Rifle July 2017)

Enterprise | T1204.002 | Malicious File (sub-technique)
    Andariel has attempted to lure victims into enabling malicious macros within email attachments. (Citation: AhnLab Andariel Subgroup of Lazarus June 2018)

Enterprise | T1566.001 | Spearphishing Attachment (sub-technique)
    Andariel has conducted spearphishing campaigns that included malicious Word or Excel attachments. (Citation: AhnLab Andariel Subgroup of Lazarus June 2018; MalwareBytes Lazarus-Andariel Conceals Code April 2021)

Enterprise | T1027.003 | Steganography (sub-technique)
    Andariel has hidden malicious executables within PNG files. (Citation: MalwareBytes Lazarus-Andariel Conceals Code April 2021; Kaspersky Andariel Ransomware June 2021)

Enterprise | T1105 | Ingress Tool Transfer
    Andariel has downloaded additional tools and malware onto compromised hosts. (Citation: AhnLab Andariel Subgroup of Lazarus June 2018)
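One cheap file-level check that follows from the T1027.003 row above (executables hidden within PNG files), added here as an example for this page and not drawn from the cited reports: walk the PNG chunk list, verify each chunk's CRC, and report any bytes that follow the IEND chunk, because a payload appended to an otherwise valid image lives there. The sample images are constructed inside the code; the appended "MZ" bytes are a placeholder marker, not an executable. It is a first-pass triage filter, not a full steganalysis: payloads encoded into pixel data rather than appended would pass it.

```python
"""Flag PNG files carrying data after IEND or with corrupted chunks (T1027.003 triage).

Added example for this page; sample images are constructed here and the
appended 'MZ' bytes are a placeholder, not a real executable.
"""
import struct
import zlib

PNG_SIG = b"\x89PNG\r\n\x1a\n"


def _chunk(ctype, body):
    """Encode one PNG chunk: 4-byte length, type, body, CRC over type+body."""
    crc = zlib.crc32(ctype + body) & 0xFFFFFFFF
    return struct.pack(">I", len(body)) + ctype + body + struct.pack(">I", crc)


def make_png(width=1, height=1):
    """Build a minimal valid 8-bit grayscale PNG (constructed test input)."""
    ihdr = struct.pack(">IIBBBBB", width, height, 8, 0, 0, 0, 0)
    raw = b"".join(b"\x00" + b"\x00" * width for _ in range(height))  # filter byte + pixels
    return PNG_SIG + _chunk(b"IHDR", ihdr) + _chunk(b"IDAT", zlib.compress(raw)) + _chunk(b"IEND", b"")


def inspect_png(data):
    """Parse the chunk list and report trailing bytes, CRC failures and a missing IEND."""
    if not data.startswith(PNG_SIG):
        return {"valid_png": False, "suspicious": True, "reason": "not a PNG signature"}
    pos, chunks, bad_crc, saw_iend = len(PNG_SIG), [], 0, False
    while pos + 12 <= len(data):  # length(4) + type(4) + crc(4) is the smallest chunk
        length, ctype = struct.unpack(">I4s", data[pos:pos + 8])
        body = data[pos + 8:pos + 8 + length]
        if len(body) < length:  # truncated chunk: stop, IEND will be reported missing
            break
        (crc,) = struct.unpack(">I", data[pos + 8 + length:pos + 12 + length])
        if zlib.crc32(ctype + body) & 0xFFFFFFFF != crc:
            bad_crc += 1
        chunks.append(ctype.decode("ascii", "replace"))
        pos += 12 + length
        if ctype == b"IEND":
            saw_iend = True
            break
    # Everything after IEND is ignored by image viewers, which is why it is a stash location.
    trailing = data[pos:] if saw_iend else b""
    report = {
        "valid_png": True,
        "chunks": chunks,
        "bad_crc_chunks": bad_crc,
        "missing_iend": not saw_iend,
        "trailing_bytes": len(trailing),
        "trailing_starts_with_mz": trailing[:2] == b"MZ",
    }
    report["suspicious"] = bool(trailing) or bad_crc > 0 or not saw_iend
    return report


# Constructed samples: a clean image and the same image with placeholder bytes appended.
CLEAN_PNG = make_png()
STASHED_PNG = CLEAN_PNG + b"MZ\x90\x00" + b"\x00" * 60  # placeholder, not an executable

if __name__ == "__main__":
    for name, blob in (("clean", CLEAN_PNG), ("stashed", STASHED_PNG)):
        print(name, inspect_png(blob))
```

In a triage pipeline the report feeds a rule such as "alert when trailing_bytes is non-zero and the file arrived as an email attachment or was written by a browser or Office process", which ties the file check back to the delivery paths in the table. CRC failures and a missing IEND are reported separately because they also occur in benign truncated downloads; the trailing-bytes count is the signal most specific to an appended payload.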

Associated objects

Groups, software, and campaigns

Relationship explorer

All related ATT&CK context

Change history

Object version and sync metadata

The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE's own release notes and roadmap, see ATT&CK resources: Updates.

ATT&CK release
19.1
Object version
2.0
Created
Modified
Raw hash
8293469f25fcea8f...
Imported snapshots across ATT&CK releases (1)

Release | Bundle imported | Object version | Modified | Status | Raw hash
19.1 | | 2.0 | | Current bundle | 8293469f25fc…
Raw source

Mirrored ATT&CK source object

The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.

Source references

External references and citations

MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.

[1] FSI Andariel Campaign Rifle July 2017
    FSI. (2017, July 27). Campaign Rifle - Andariel, the Maiden of Anguish. Retrieved September 12, 2024.

[2] IssueMakersLab Andariel GoldenAxe May 2017
    IssueMakersLab. (2017, May 1). Operation GoldenAxe. Retrieved September 12, 2024.

[3] AhnLab Andariel Subgroup of Lazarus June 2018
    AhnLab. (2018, June 23). Targeted attacks by Andariel Threat Group, a subgroup of the Lazarus. Retrieved September 29, 2021.

[4] TrendMicro New Andariel Tactics July 2018
    Chen, Joseph. (2018, July 16). New Andariel Reconnaissance Tactics Uncovered. Retrieved September 29, 2021.

[5] CrowdStrike Silent Chollima Adversary September 2021
    CrowdStrike. (2021, September 29). Silent Chollima Adversary Profile. Retrieved September 29, 2021.

[6] Treasury North Korean Cyber Groups September 2019
    US Treasury. (2019, September 13). Treasury Sanctions North Korean State-Sponsored Malicious Cyber Groups. Retrieved September 29, 2021.

[7] Andariel
    (Citation: FSI Andariel Campaign Rifle July 2017)

[8] Microsoft Threat Actor Naming July 2023
    Microsoft. (2023, July 12). How Microsoft names threat actors. Retrieved November 17, 2023.

[9] Onyx Sleet
    (Citation: Microsoft Threat Actor Naming July 2023)

[10] PLUTONIUM
    (Citation: Microsoft Threat Actor Naming July 2023)

[11] Silent Chollima
    (Citation: CrowdStrike Silent Chollima Adversary September 2021)

[12] mitre-attack G0138

Source and licensing

Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.