G0012: Darkhotel
Darkhotel is a suspected South Korean threat group that has targeted victims primarily in East Asia since at least 2004. The group's name is based on cyber espionage operations conducted via hotel Internet networks against traveling executives and other select guests. Darkhotel has also conducted spearphishing campaigns and infected victims through peer-to-peer and file sharing networks.[1][2][3]
Analyst context for executives and security teams
Darkhotel matters because ATT&CK describes it as a long-running espionage-focused group associated with targeting traveling executives through hotel Internet networks, as well as spearphishing and peer-to-peer/file-sharing infection paths. For leadership, the decision value is not the name alone; it is whether high-value users, travel workflows, shared content, and endpoint controls are resilient when attacks begin outside the normal corporate perimeter.
Executive priority
Prioritize this as a test of executive protection, user-targeted intrusion readiness, and evidence quality. Ask whether the organization can protect and investigate traveling executives, detect malicious attachments or drive-by compromise, validate code-signing trust decisions, and respond when credentials or sensitive files may have been collected. Because MITRE provides no official detection text for this group, confidence should come from local telemetry, control validation, and incident response exercises rather than assumed coverage.
Technical view
SOC and IR teams should map coverage to the related ATT&CK techniques: initial access through drive-by compromise, malicious files, spearphishing attachments, removable media, and tainted shared content; execution through client exploitation and Windows command shell; discovery of system, network, process, file, time, and security software details; stealth through encoded files, masqueraded resource names, sandbox evasion, deobfuscation, and code signing; persistence through Windows Run keys/startup folders; collection through keylogging; and command-and-control/tool transfer using encrypted traffic and ingress tool transfer. Validate detections as behavior chains, not single indicators, because the supplied ATT&CK object has no official detection guidance.
Likely telemetry
- Email security and attachment detonation results for targeted spearphishing attachments
- Endpoint process creation, command-line, parent-child process, and script or shell execution logs
- File creation, modification, rename, and directory enumeration telemetry, including shared locations
- Windows Registry Run key and Startup Folder change events where Windows is in scope
- Browser, web proxy, DNS, and network session logs relevant to drive-by compromise and external tool transfer
Detection direction
- Build detections around sequences: initial file/web exposure followed by discovery commands, encoded or renamed payloads, persistence changes, and external file transfer.
- Tune for high-value user context, especially executives and travelers, while avoiding assumptions that every travel network event is malicious.
- Review whether sandbox and malware-analysis workflows account for samples that change behavior based on system checks or user activity checks.
- Validate coverage for signed-but-suspicious binaries; code signing should inform trust decisions, not automatically suppress investigation.
- Monitor shared drives, SaaS shared content, and internal repositories for unexpected executable or script content where Taint Shared Content is relevant.
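One way to turn the sequence idea above into working detection logic, as an added example that is not part of the ATT&CK object or Glexia's tooling: it correlates constructed endpoint events per host into the exposure, discovery, staging, persistence and transfer chain the list describes, adds weight when a high-value user is involved, and records code-signing status without letting a signed binary suppress the alert. The event schema, stage names, thresholds and sample events are this example's own assumptions, not fields from any particular product.

```python
"""Behaviour-chain correlation over endpoint events.

Added example; the event schema, stage labels, window and sample events are
constructed for illustration and are not part of the ATT&CK object.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Command fragments treated as host/network discovery (T1082, T1057, T1016, T1083).
DISCOVERY_CMDS = ("systeminfo", "tasklist", "ipconfig", "whoami", "net view")
STAGE_ORDER = ("exposure", "discovery", "staging", "persistence", "transfer")


def classify(ev):
    """Map one event to a chain stage, or None when it matches no stage."""
    t = ev["type"]
    if t == "attachment_opened":                      # T1566.001 / T1204.002
        return "exposure"
    if t == "process_create":
        cmd = ev.get("cmdline", "").lower()
        return "discovery" if any(c in cmd for c in DISCOVERY_CMDS) else None
    if t == "file_rename":                            # T1027.013 / T1036.005 style
        old, new = ev.get("old_name", "").lower(), ev.get("new_name", "").lower()
        if new.endswith((".exe", ".dll")) and not old.endswith((".exe", ".dll")):
            return "staging"
        return None
    if t == "registry_set" and "\\currentversion\\run" in ev.get("key", "").lower():
        return "persistence"                          # T1547.001
    if t == "network_egress" and ev.get("bytes_out", 0) >= 100_000:
        return "transfer"                             # T1105 / T1573.001
    return None


def score_chains(events, window=timedelta(hours=2), high_value_users=frozenset()):
    """Per host: chain stages seen within `window` of the first exposure event.

    Returns {host: {"stages": [...], "score": int, "all_signed": bool}}.
    The score counts distinct stages (+1 for a high-value user); code-signing
    status is reported but deliberately does not lower the score.
    """
    by_host = defaultdict(list)
    for ev in sorted(events, key=lambda e: e["ts"]):
        by_host[ev["host"]].append(ev)
    results = {}
    for host, evs in by_host.items():
        stages, signed, start = [], [], None
        for ev in evs:
            stage = classify(ev)
            if stage is None:
                continue
            if start is None:
                if stage != "exposure":
                    continue          # a chain must begin with an exposure event
                start = ev["ts"]
            elif ev["ts"] - start > window:
                break                 # later activity falls outside the window
            if stage not in stages:
                stages.append(stage)
            if ev["type"] == "process_create":
                signed.append(bool(ev.get("signed", False)))
        if not stages:
            continue
        score = len(stages)
        if any(ev["user"] in high_value_users for ev in evs):
            score += 1                # executive / traveller context adds weight
        results[host] = {"stages": stages, "score": score,
                         "all_signed": bool(signed) and all(signed)}
    return results


def alerts(results, threshold=3):
    """Hosts whose chain score meets the threshold, sorted by name."""
    return sorted(h for h, r in results.items() if r["score"] >= threshold)


# Constructed sample telemetry (hosts, users and the 203.0.113.10 address are fictitious).
T = lambda h, m: datetime(2024, 1, 15, h, m)
HIGH_VALUE_USERS = frozenset({"exec.traveler"})
SAMPLE_EVENTS = [
    {"ts": T(9, 0), "host": "LAPTOP-EXEC1", "user": "exec.traveler", "type": "attachment_opened", "file": "itinerary.doc"},
    {"ts": T(9, 1), "host": "LAPTOP-EXEC1", "user": "exec.traveler", "type": "process_create", "cmdline": "cmd.exe /c systeminfo", "signed": True},
    {"ts": T(9, 2), "host": "LAPTOP-EXEC1", "user": "exec.traveler", "type": "file_rename", "old_name": "update.tmp", "new_name": "svchost.exe"},
    {"ts": T(9, 3), "host": "LAPTOP-EXEC1", "user": "exec.traveler", "type": "registry_set", "key": "HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run"},
    {"ts": T(9, 5), "host": "LAPTOP-EXEC1", "user": "exec.traveler", "type": "network_egress", "dest": "203.0.113.10", "bytes_out": 2_000_000},
    {"ts": T(10, 0), "host": "WS-02", "user": "staff.a", "type": "process_create", "cmdline": "ipconfig /all", "signed": True},
    {"ts": T(8, 0), "host": "LAPTOP-3", "user": "staff.b", "type": "attachment_opened", "file": "invoice.pdf"},
    {"ts": T(11, 0), "host": "LAPTOP-3", "user": "staff.b", "type": "process_create", "cmdline": "tasklist /v"},
]


def demo():
    """Run the correlation over the constructed sample and return the results."""
    return score_chains(SAMPLE_EVENTS, high_value_users=HIGH_VALUE_USERS)


if __name__ == "__main__":
    res = demo()
    for host, r in res.items():
        print(host, r)
    print("alerts:", alerts(res))
```

The design choice worth noting is that a lone discovery command on WS-02 never becomes a chain because no exposure event precedes it, while LAPTOP-3's discovery three hours after its attachment falls outside the window; only the executive laptop reaches the alert threshold, and it does so even though its only process event was signed.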
Mitigation priorities
- Start with protection for high-risk users: hardened endpoints, phishing-resistant processes, safe travel guidance, and rapid reporting paths for suspicious hotel-network or attachment events.
- Maintain disciplined vulnerability and patch management for client applications because related behavior includes exploitation for client execution and drive-by compromise.
- Restrict and monitor execution from user-writable paths, shared content, removable media, and startup locations where business operations allow.
- Apply least privilege and application control principles to reduce the value of keylogging, command shell abuse, persistence, and tool transfer.
- Review code-signing policy so signed binaries are still subject to behavioral inspection and certificate anomalies can be investigated.
Analyst notes and limits
The supplied ATT&CK object identifies aliases Darkhotel, DUBNIUM, and Zigzag Hail, and describes targeting primarily in East Asia since at least 2004, including hotel Internet operations against traveling executives, spearphishing, and peer-to-peer/file-sharing infection. The relationship set is rich enough to guide defensive validation across initial access, execution, discovery, persistence, collection, command and control, and stealth behaviors, but it should be localized to the organization’s actual platforms and telemetry.
The group object lists no platforms, tactics, labels, or official detection text. Related techniques include platform information, but that does not prove every platform is used in every Darkhotel-related intrusion. This take does not claim current activity, customer exposure, attribution certainty beyond MITRE’s wording, or guaranteed detection coverage.
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
Techniques used
This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.
| Domain | ID | Name | Relationship / procedure |
|---|---|---|---|
| Enterprise | T1518.001 | Security Software Discovery Sub-technique | |
| Enterprise | T1497.002 | User Activity Based Checks Sub-technique | Darkhotel has used malware that repeatedly checks the mouse cursor position to determine if a real user is on the system. [Lastline DarkHotel Just In Time Decryption Nov 2015] |
| Enterprise | T1027.013 | Encrypted/Encoded File Sub-technique | |
| Enterprise | T1573.001 | Symmetric Cryptography Sub-technique | |
| Enterprise | T1080 | Taint Shared Content | |
| Enterprise | T1082 | System Information Discovery | |
| Enterprise | T1056.001 | Keylogging Sub-technique | |
| Enterprise | T1566.001 | Spearphishing Attachment Sub-technique | |
| Enterprise | T1057 | Process Discovery | |
| Enterprise | T1140 | Deobfuscate/Decode Files or Information | |
| Enterprise | T1189 | Drive-by Compromise | |
| Enterprise | T1091 | Replication Through Removable Media | |
| Enterprise | T1497 | Virtualization/Sandbox Evasion | Darkhotel malware has employed just-in-time decryption of strings to evade sandbox detection. [Lastline DarkHotel Just In Time Decryption Nov 2015] |
| Enterprise | T1497.001 | System Checks Sub-technique | Darkhotel malware has used a series of checks to determine if it's being analyzed; checks include the length of executable names, if a filename ends with |
| Enterprise | T1124 | System Time Discovery | Darkhotel malware can obtain system time from a compromised host. [Lastline DarkHotel Just In Time Decryption Nov 2015] |
| Enterprise | T1553.002 | Code Signing Sub-technique | |
| Enterprise | T1016 | System Network Configuration Discovery | |
| Enterprise | T1083 | File and Directory Discovery | |
| Enterprise | T1059.003 | Windows Command Shell Sub-technique | |
| Enterprise | T1036.005 | Match Legitimate Resource Name or Location Sub-technique | |
| Enterprise | T1105 | Ingress Tool Transfer | |
| Enterprise | T1547.001 | Registry Run Keys / Startup Folder Sub-technique | |
| Enterprise | T1203 | Exploitation for Client Execution | |
| Enterprise | T1204.002 | Malicious File Sub-technique | |
All related ATT&CK context
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see ATT&CK resources — Updates.
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 3.0 | | Current bundle | 520ca8dca182… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
- [1] Kaspersky Darkhotel: Kaspersky Lab's Global Research and Analysis Team. (2014, November). The Darkhotel APT: A Story of Unusual Hospitality. Retrieved November 12, 2014.
- [2] Securelist Darkhotel Aug 2015: Kaspersky Lab's Global Research & Analysis Team. (2015, August 10). Darkhotel's attacks in 2015. Retrieved November 2, 2018.
- [3] Microsoft Digital Defense FY20 Sept 2020: Microsoft. (2020, September 29). Microsoft Digital Defense Report FY20. Retrieved April 21, 2021.
- [4] Microsoft DUBNIUM June 2016: Microsoft. (2016, June 9). Reverse-engineering DUBNIUM. Retrieved March 31, 2021.
- [5] Microsoft DUBNIUM July 2016: Microsoft. (2016, July 14). Reverse engineering DUBNIUM – Stage 2 payload analysis. Retrieved March 31, 2021.
- [6] DUBNIUM (alias): cited via Microsoft Digital Defense FY20 Sept 2020; Microsoft DUBNIUM June 2016; Microsoft DUBNIUM Flash June 2016; Microsoft DUBNIUM July 2016.
- [7] Darkhotel (alias): cited via Kaspersky Darkhotel.
- [8] Microsoft DUBNIUM Flash June 2016: Microsoft. (2016, June 20). Reverse-engineering DUBNIUM’s Flash-targeting exploit. Retrieved March 31, 2021.
- [9] Microsoft Threat Actor Naming July 2023: Microsoft. (2023, July 12). How Microsoft names threat actors. Retrieved November 17, 2023.
- [10] Zigzag Hail (alias): cited via Microsoft Threat Actor Naming July 2023.
- [11] mitre-attack G0012
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.