Live Active security incident? Get immediate response
MITRE ATT&CK® Group

G0082: APT38

APT38 is a North Korean state-sponsored threat group that specializes in financial cyber operations; it has been attributed to the Reconnaissance General Bureau.[1] Active since at least 2014, APT38 has targeted banks, financial institutions, casinos, cryptocurrency exchanges, SWIFT system endpoints, and ATMs in at least 38 countries worldwide. Significant operations include the 2016 Bank of Bangladesh heist, during which APT38 stole $81 million, as well as attacks against Bancomext [2] and Banco de Chile [2]; some of their attacks have been destructive.[1][2][3][4]

North Korean group definitions are known to have significant overlap, and some security researchers report all North Korean state-sponsored cyber activity under the name Lazarus Group instead of tracking clusters or subgroups.

EnterpriseG0082GroupObject v3.1 Modified
Discuss defensive coverage Back to ATT&CK
Glexia's Take

Analyst context for executives and security teams

Analyst confidence High

APT38 matters because ATT&CK describes it as a North Korean state-sponsored group focused on financial cyber operations, with reported targeting of banks, financial institutions, casinos, cryptocurrency exchanges, SWIFT endpoints, and ATMs across many countries. For leaders, the business issue is not only theft risk; the official description also notes destructive attacks, making resilience, transaction integrity, credential protection, and recovery readiness central concerns.

Executive priority

Prioritize APT38-relevant readiness where financial transaction systems, payment infrastructure, cryptocurrency operations, ATM/SWIFT-connected environments, or high-value financial workflows exist. Executives should ask whether the organization can prove control coverage for credential theft, remote access tooling, discovery, persistence, command execution, web-based command-and-control, local data collection, and destructive wiping scenarios. This object is also useful for audit and board discussions because it links financial crime risk to concrete ATT&CK behaviors and recovery requirements.

Technical view

MITRE provides no standalone detection text for APT38, so SOC and IR teams should validate coverage through the related software and techniques. Relationship context includes Windows-focused tooling such as Mimikatz, Net, DarkComet, HOPLIGHT, ECCENTRICBANDWAGON, PowerShell, Windows Command Shell, Scheduled Task, and Windows credential/collection behaviors, plus cross-platform behaviors such as process injection, file deletion, timestomping, web protocol C2, local data collection, and KillDisk on Windows/Linux. Detection engineering should map alerts and hunts to the behaviors rather than relying on the group name or aliases alone.

Likely telemetry

  • Endpoint process creation and command-line telemetry for PowerShell, cmd, Net, scheduled tasks, renamed utilities, and suspicious script execution
  • Windows security, authentication, credential access, and LSASS/credential-dumping relevant events where collected
  • EDR telemetry for process injection, packed executables, remote access tools, keylogging indicators, and suspicious parent-child process chains
  • File system telemetry for file deletion, timestomping, unusual executable names, local data staging, and disk-wiping indicators
  • Network telemetry for HTTP/HTTPS or other web-protocol command-and-control patterns, unusual external destinations, and suspicious beaconing

Detection direction

  • Do not build coverage around the name APT38 alone; tune around the related ATT&CK behaviors and known aliases such as BeagleBoyz, Bluenoroff, Stardust Chollima, Sapphire Sleet, COPERNICIUM, and NICKEL GLADSTONE for intelligence correlation.
  • Validate whether credential dumping, keylogging, remote access Trojan behavior, and discovery activity can be detected before transaction manipulation or destructive actions occur.
  • Tune command-line analytics for administrative tools such as Net, PowerShell, cmd, scheduled tasks, and cron with context to reduce false positives from legitimate administration.
  • Hunt for stealth patterns including packed binaries, process injection, renamed legitimate utilities, file deletion, and timestomping; these may be missed by signature-only controls.
  • Review network detections for web-protocol C2 that blends into normal HTTP/S traffic, with allowlist and business-context tuning to manage false positives.

Mitigation priorities

  • Start with identity and privilege controls: reduce standing privileged access, harden administrative paths to financial systems, and monitor credential access attempts.
  • Harden and monitor endpoints that support payment, SWIFT, ATM, cryptocurrency, and financial operations, especially Windows systems reflected in several related tools and techniques.
  • Restrict and log administrative scripting and scheduling mechanisms such as PowerShell, cmd, scheduled tasks, cron, and Net usage according to business need.
  • Improve segmentation and monitoring around financial transaction infrastructure so discovery, lateral movement preparation, and remote access activity have fewer paths to critical systems.
  • Maintain tested offline or otherwise resilient backups and recovery procedures for systems where destructive wiping would affect business continuity.
Analyst notes and limits

The official ATT&CK entry identifies APT38 as a North Korean state-sponsored group attributed to the Reconnaissance General Bureau and focused on financial cyber operations. It also notes overlap in North Korean group naming, with some researchers reporting related activity under Lazarus Group instead of separate clusters or subgroups. That naming ambiguity makes behavior-based detection and intelligence normalization important.

ATT&CK does not provide detection text, explicit tactics, or platforms for the APT38 intrusion-set object itself. Platform and tactic guidance here is derived only from supplied relationship context to software and techniques. Local relevance depends on whether the organization operates financial transaction systems, SWIFT/ATM infrastructure, cryptocurrency platforms, or similar high-value financial environments.

Official MITRE ATT&CK definition

APT38

APT38 is a North Korean state-sponsored threat group that specializes in financial cyber operations; it has been attributed to the Reconnaissance General Bureau.[1] Active since at least 2014, APT38 has targeted banks, financial institutions, casinos, cryptocurrency exchanges, SWIFT system endpoints, and ATMs in at least 38 countries worldwide. Significant operations include the 2016 Bank of Bangladesh heist, during which APT38 stole $81 million, as well as attacks against Bancomext [2] and Banco de Chile [2]; some of their attacks have been destructive.[1][2][3][4]

North Korean group definitions are known to have significant overlap, and some security researchers report all North Korean state-sponsored cyber activity under the name Lazarus Group instead of tracking clusters or subgroups.

View the same entry on attack.mitre.org (MITRE-hosted reference; in-page links above use the Glexia ATT&CK library.)

Glexia analysis

How security teams should use this page

Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.

ATT&CK relationship table

Techniques used

This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.

56 rows
Domain ID Name Relationship / procedure
Enterprise T1486 Data Encrypted for Impact

APT38 has used Hermes ransomware to encrypt files with AES256.[2]
Enterprise T1055 Process Injection

APT38 has injected malicious payloads into the `explorer.exe` process.Citation1 - appv
Enterprise T1033 System Owner/User Discovery

APT38 has identified primary users, currently logged in users, sets of users that commonly use a system, or inactive users.[1]
Enterprise T1112 Modify Registry

APT38 uses a tool called CLEANTOAD that has the capability to modify Registry keys.[2]
Enterprise T1049 System Network Connections Discovery

APT38 installed a port monitoring tool, MAPMAKER, to print the active TCP connections on the local system.[2]
Enterprise T1070.004 File Deletion Sub-technique

APT38 has used a utility called CLOSESHAVE that can securely delete a file from the system. They have also removed malware, tools, or other non-native files used during the intrusion to reduce their footprint or as part of the post-intrusion cleanup process.[2][1]
Enterprise T1036.006 Space after Filename Sub-technique

APT38 has put several spaces before a file extension to avoid detection and suspicion.Citation1 - appv
Enterprise T1056.001 Keylogging Sub-technique

APT38 used a Trojan called KEYLIME to capture keystrokes from the victim’s machine.[2]
Enterprise T1518.001 Security Software Discovery Sub-technique

APT38 has identified security software, configurations, defensive tools, and sensors installed on a compromised system.[1]Citation1 - appv
Enterprise T1543.003 Windows Service Sub-technique

APT38 has installed a new Windows service to establish persistence.[1]
Enterprise T1548.002 Bypass User Account Control Sub-technique

APT38 has used the legitimate application `ieinstal.exe` to bypass UAC.Citation1 - appv
Enterprise T1189 Drive-by Compromise

APT38 has conducted watering holes schemes to gain initial access to victims.[2][1]
Enterprise T1083 File and Directory Discovery

APT38 have enumerated files and directories, or searched in specific locations within a compromised host.[1]
Enterprise T1059.003 Windows Command Shell Sub-technique

APT38 has used a command-line tunneler, NACHOCHEESE, to give them shell access to a victim’s machine.[2] Additionally, APT38 has used batch scripts.Citation1 - appv
Enterprise T1140 Deobfuscate/Decode Files or Information

APT38 has used the RC4 algorithm to decrypt configuration data. Citation1 - appv
Enterprise T1059.005 Visual Basic Sub-technique

APT38 has used VBScript to execute commands and other operational tasks.[1]Citation1 - appv
Enterprise T1529 System Shutdown/Reboot

APT38 has used a custom MBR wiper named BOOTWRECK, which will initiate a system reboot after wiping the victim's MBR.[2]
Enterprise T1204.001 Malicious Link Sub-technique

APT38 has used links to execute a malicious Visual Basic script.Citation1 - appv
Enterprise T1071.001 Web Protocols Sub-technique

APT38 used a backdoor, QUICKRIDE, to communicate to the C2 server over HTTP and HTTPS.[2]
Enterprise T1105 Ingress Tool Transfer

APT38 used a backdoor, NESTEGG, that has the capability to download and upload files to and from a victim’s machine.[2] Additionally, APT38 has downloaded other payloads onto a victim’s machine.Citation1 - appv
Enterprise T1685 Disable or Modify Tools

APT38 has unhooked DLLs to disable endpoint detection and response (EDR) or anti-virus (AV) tools.Citation1 - appv
Enterprise T1027.002 Software Packing Sub-technique

APT38 has used several code packing methods such as Themida, Enigma, VMProtect, and Obsidium, to pack their implants.[2]
Enterprise T1217 Browser Information Discovery

APT38 has collected browser bookmark information to learn more about compromised hosts, obtain personal information about users, and acquire details about internal network resources.[1]
Enterprise T1685.005 Clear Windows Event Logs Sub-technique

APT38 clears Window Event logs and Sysmon logs from the system.[2]
Enterprise T1218.005 Mshta Sub-technique

APT38 has used a renamed version of `mshta.exe` to execute malicious HTML files.Citation1 - appv
Enterprise T1070.006 Timestomp Sub-technique

APT38 has modified data timestamps to mimic files that are in the same folder on a compromised host.[1]
Enterprise T1686 Disable or Modify System Firewall

APT38 have created firewall exemptions on specific ports, including ports 443, 6443, 8443, and 9443.[1]
Enterprise T1485 Data Destruction

APT38 has used a custom secure delete function to make deleted files unrecoverable.[2]
Enterprise T1110 Brute Force

APT38 has used brute force techniques to attempt account access when passwords are unknown or when password hashes are unavailable.[1]
Enterprise T1135 Network Share Discovery

APT38 has enumerated network shares on a compromised host.[1]
Enterprise T1553.005 Mark-of-the-Web Bypass Sub-technique

APT38 has used ISO and VHD files to deploy malware and to bypass Mark-of-the-Web (MOTW) security measures.Citation1 - appv
Enterprise T1082 System Information Discovery

APT38 has attempted to get detailed information about a compromised host, including the operating system, version, patches, hotfixes, and service packs.[1]
Enterprise T1565.002 Transmitted Data Manipulation Sub-technique

APT38 has used DYEPACK to manipulate SWIFT messages en route to a printer.[2]
Enterprise T1686.002 Network Device Firewall Sub-technique

APT38 have created firewall exemptions on specific ports, including ports 443, 6443, 8443, and 9443. [1]
Enterprise T1561.002 Disk Structure Wipe Sub-technique

APT38 has used a custom MBR wiper named BOOTWRECK to render systems inoperable.[2]
Enterprise T1036.003 Rename Legitimate Utilities Sub-technique

APT38 has renamed system utilities, such as `rundll32.exe` and `mshta.exe`, to avoid detection.Citation1 - appv
Enterprise T1690 Prevent Command History Logging

APT38 has prepended a space to all of their terminal commands to operate without leaving traces in the HISTCONTROL environment.[1]
Enterprise T1053.005 Scheduled Task Sub-technique

APT38 has used Task Scheduler to run programs at system startup or on a scheduled basis for persistence.[1] Additionally, APT38 has used living-off-the-land scripts to execute a malicious script via a scheduled task.Citation1 - appv
Enterprise T1588.002 Tool Sub-technique

APT38 has obtained and used open-source tools such as Mimikatz.CitationESET Lazarus KillDisk April 2018
Enterprise T1505.003 Web Shell Sub-technique

APT38 has used web shells for persistence or to ensure redundant access.[1]
Enterprise T1115 Clipboard Data

APT38 used a Trojan called KEYLIME to collect data from the clipboard.[2]
Enterprise T1218.011 Rundll32 Sub-technique

APT38 has used rundll32.exe to execute binaries, scripts, and Control Panel Item files and to execute code via proxy to avoid triggering security tools.[1]Citation1 - appv
Enterprise T1565.003 Runtime Data Manipulation Sub-technique

APT38 has used DYEPACK.FOX to manipulate PDF data as it is accessed to remove traces of fraudulent SWIFT transactions from the data displayed to the end user.[2]
Enterprise T1583.001 Domains Sub-technique

APT38 has created fake domains to imitate legitimate venture capital or bank domains.Citation1 - appv
Enterprise T1106 Native API

APT38 has used the Windows API to execute code within a victim's system.[1]
Enterprise T1218.001 Compiled HTML File Sub-technique

APT38 has used CHM files to move concealed payloads.CitationKaspersky Lazarus Under The Hood APR 2017
Enterprise T1204.002 Malicious File Sub-technique

APT38 has attempted to lure victims into enabling malicious macros within email attachments.[1] Additionally, APT38 has used malicious Word documents and shortcut files.Citation1 - appv
Enterprise T1565.001 Stored Data Manipulation Sub-technique

APT38 has used DYEPACK to create, delete, and alter records in databases used for SWIFT transactions.[2]
Enterprise T1005 Data from Local System

APT38 has collected data from a compromised host.[1]
Enterprise T1059.001 PowerShell Sub-technique

APT38 has used PowerShell to execute commands and other operational tasks.[1]
Enterprise T1053.003 Cron Sub-technique

APT38 has used cron to create pre-scheduled and periodic background jobs on a Linux system.[1]
Enterprise T1566.001 Spearphishing Attachment Sub-technique

APT38 has conducted spearphishing campaigns using malicious email attachments.[1]
Enterprise T1218.007 Msiexec Sub-technique

APT38 has used `msiexec.exe` to execute malicious files.Citation1 - appv
Enterprise T1569.002 Service Execution Sub-technique

APT38 has created new services or modified existing ones to run executables, commands, or scripts.[1]
Enterprise T1480.002 Mutual Exclusion Sub-technique

APT38 has created a mutex to avoid duplicate execution.Citation1 - appv
Enterprise T1057 Process Discovery

APT38 leveraged Sysmon to understand the processes, services in the organization.[2]
Associated objects

Groups, software, and campaigns

Malware Enterprise

S0593: ECCENTRICBANDWAGON

ECCENTRICBANDWAGON is a remote access Trojan (RAT) used by North Korean cyber actors that was first identified in August 2020. It is a reconnaissance tool--with keylogging and screen capture functionality--used for information gathering on compromised systems.[1]

Windows
Tool Enterprise

S0039: Net

The Net utility is a component of the Windows operating system. It is used in command-line operations for control of users, groups, services, and network connections. [1]

Net has a great deal of functionality, [2] much of which is useful for an adversary, such as gathering system and network information for Discovery, moving laterally through SMB/Windows Admin Shares using net use commands, and interacting with services. The net1.exe utility is executed for certain functionality when net.exe is run and can be used directly in commands such as net1 user.

Windows
Tool Enterprise

S0002: Mimikatz

Mimikatz is a credential dumper capable of obtaining plaintext Windows account logins and passwords, along with many other features that make it useful for testing the security of networks. [1] [2]

Windows
Malware Enterprise

S0607: KillDisk

KillDisk is a disk-wiping tool designed to overwrite files with random data to render the OS unbootable. It was first observed as a component of BlackEnergy malware during cyber attacks against Ukraine in 2015. KillDisk has since evolved into stand-alone malware used by a variety of threat actors against additional targets in Europe and Latin America; in 2016 a ransomware component was also incorporated into some KillDisk variants.[1][2][3][4]

LinuxWindows
Relationship explorer

All related ATT&CK context

uses · Technique T1486: Data Encrypted for Impact Enterprise uses · Technique T1055: Process Injection Enterprise uses · Technique T1033: System Owner/User Discovery Enterprise uses · Technique T1112: Modify Registry Enterprise uses · Malware S0593: ECCENTRICBANDWAGON Enterprise uses · Technique T1049: System Network Connections Discovery Enterprise uses · Technique T1070.004: File Deletion Enterprise uses · Technique T1036.006: Space after Filename Enterprise uses · Technique T1056.001: Keylogging Enterprise uses · Technique T1518.001: Security Software Discovery Enterprise uses · Tool S0039: Net Enterprise uses · Technique T1543.003: Windows Service Enterprise uses · Technique T1548.002: Bypass User Account Control Enterprise uses · Technique T1189: Drive-by Compromise Enterprise uses · Technique T1083: File and Directory Discovery Enterprise uses · Technique T1059.003: Windows Command Shell Enterprise uses · Technique T1140: Deobfuscate/Decode Files or Information Enterprise uses · Malware S0376: HOPLIGHT Enterprise uses · Technique T1059.005: Visual Basic Enterprise uses · Technique T1529: System Shutdown/Reboot Enterprise uses · Technique T1204.001: Malicious Link Enterprise uses · Technique T1071.001: Web Protocols Enterprise uses · Technique T1105: Ingress Tool Transfer Enterprise uses · Technique T1685: Disable or Modify Tools Enterprise
Change history

Object version and sync metadata

The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see ATT&CK resources — Updates .

ATT&CK release
19.1
Object version
3.1
Created
Modified
Raw hash
093f161abc03699b...
Imported snapshots across ATT&CK releases (1)
Release Bundle imported Object version Modified Status Raw hash
19.1 3.1 Current bundle 093f161abc03…
Raw source

Mirrored ATT&CK source object

The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.

Open mirrored raw JSON Open MITRE-hosted copy
Source references

External references and citations

MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.

  1. [1]
    CISA AA20-239A BeagleBoyz August 2020

    DHS/CISA. (2020, August 26). FASTCash 2.0: North Korea's BeagleBoyz Robbing Banks. Retrieved September 29, 2021.

    Open source URL
  2. [2]
    FireEye APT38 Oct 2018

    FireEye. (2018, October 03). APT38: Un-usual Suspects. Retrieved November 17, 2024.

    Open source URL
  3. [3]
    DOJ North Korea Indictment Feb 2021

    Department of Justice. (2021, February 17). Three North Korean Military Hackers Indicted in Wide-Ranging Scheme to Commit Cyberattacks and Financial Crimes Across the Globe. Retrieved June 9, 2021.

    Open source URL
  4. [4]
    Kaspersky Lazarus Under The Hood Blog 2017

    GReAT. (2017, April 3). Lazarus Under the Hood. Retrieved April 17, 2019.

    Open source URL
  5. [5]
    APT38

    (Citation: FireEye APT38 Oct 2018)

  6. [6]
    BeagleBoyz

    (Citation: CISA AA20-239A BeagleBoyz August 2020)

  7. [7]
    Bluenoroff

    (Citation: Kaspersky Lazarus Under The Hood Blog 2017)

  8. [8]
    COPERNICIUM

    (Citation: Microsoft Threat Actor Naming July 2023)

  9. [9]
    CrowdStrike GTR 2021 June 2021

    CrowdStrike. (2021, June 7). CrowdStrike 2021 Global Threat Report. Retrieved September 29, 2021.

    Open source URL
  10. [10]
    CrowdStrike Stardust Chollima Profile April 2018

    Meyers, Adam. (2018, April 6). Meet CrowdStrike’s Adversary of the Month for April: STARDUST CHOLLIMA. Retrieved September 29, 2021.

    Open source URL
  11. [11]
    Microsoft Threat Actor Naming July 2023

    Microsoft . (2023, July 12). How Microsoft names threat actors. Retrieved November 17, 2023.

    Open source URL
  12. [12]
    NICKEL GLADSTONE

    (Citation: SecureWorks NICKEL GLADSTONE profile Sept 2021)

  13. [13]
    Sapphire Sleet

    (Citation: Microsoft Threat Actor Naming July 2023)

  14. [14]
    SecureWorks NICKEL GLADSTONE profile Sept 2021

    SecureWorks. (2021, September 29). NICKEL GLADSTONE Threat Profile. Retrieved September 29, 2021.

    Open source URL
  15. [15]
    Stardust Chollima

    (Citation: CrowdStrike Stardust Chollima Profile April 2018)(Citation: CrowdStrike GTR 2021 June 2021)

  16. [16]
    mitre-attack G0082
    Open source URL
Source and licensing

Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.

Official MITRE ATT&CK site Official STIX data repository MITRE ATT&CK terms of use