Cybersecurity & Infrastructure Security Agency
America's Cyber Defense Agency


North Korea Cyber Threat Overview and Advisories

The Office of the Director of National Intelligence’s 2023 Annual Threat Assessment states the following regarding the cyber threat posed by North Korea: “North Korea’s cyber program poses a sophisticated and agile espionage, cybercrime, and attack threat...[and] continues to adapt to global trends in cybercrime by conducting cryptocurrency heists..."

Recent North Korean state-sponsored cyber activity includes ransomware campaigns against Healthcare and Public Health Sector organizations and other critical infrastructure sector entities. To strengthen operational resilience against this threat, CISA advises organizations to implement the actionable mitigations that CISA and our partners in the U.S. government and around the world release. As a starting point, organizations should:

  • Prioritize mitigation of known exploited vulnerabilities.
  • Implement the Cybersecurity Performance Goals (CPGs), a baseline set of broadly applicable cybersecurity practices with known risk-reduction value.
  • Urgently report potential malicious activity to CISA or the FBI:
    • The easiest way is to go to CISA.gov and click the “Report a Cyber Issue” button at the top of the page.
    • You can also contact CISA’s 24/7 Operations Center: cisa.gov/report | report@cisa.gov | 888-282-0870
    • Contact your local FBI field office or IC3.gov.
  • Sign up to receive CISA’s cybersecurity alerts and advisories for timely notification of emerging campaigns and incidents. Review the advisories on North Korean state-sponsored cyber threats listed in the table below. CISA particularly recommends reviewing the following:
    • #StopRansomware: Ransomware Attacks on Critical Infrastructure Fund DPRK Malicious Cyber Activities. Specific mitigations include implementing the following CPGs:
      • 2.E Separating User and Privileged Accounts
      • 2.F Network Segmentation
      • 2.K Strong and Agile Encryption
      • 2.L Secure Sensitive Data
      • 2.T Log Collection
    • Protecting Against Malicious Use of Remote Monitoring and Management Software, which outlines steps to help organizations harden networks against malicious use of remote monitoring and management (RMM) software.
    • Technical Approaches to Uncovering and Remediating Malicious Activity, which outlines steps to help organizations identify intrusions across their enterprise.
  • Sign up for CISA’s free Vulnerability Scanning service to receive alerts when the service identifies vulnerabilities known to be exploited by North Korean state-sponsored cyber actors.
  • Establish a relationship with a regional CISA Cybersecurity Advisor to access additional services, assessments, and guidance.

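One concrete way to act on the first item above (prioritizing known exploited vulnerabilities) is to cross-reference vulnerability-scanner findings against CISA's Known Exploited Vulnerabilities (KEV) catalog and work the KEV-listed findings first: overdue remediation dates and ransomware-linked entries at the top. The Python below is an added example, not code from this CISA page. It assumes the field layout of the KEV catalog's JSON feed (cveID, vendorProject, product, dueDate, knownRansomwareCampaignUse, requiredAction); the catalog excerpt and the scanner findings embedded in it are constructed placeholders, not real catalog entries or real CVEs.

```python
import json
from datetime import date

# Constructed excerpt in the layout of the KEV JSON feed (assumption: field
# names follow the published catalog). CVE IDs are placeholders, not real entries.
SAMPLE_KEV_JSON = r"""
{
  "catalogVersion": "0000.00.00",
  "count": 3,
  "vulnerabilities": [
    {"cveID": "CVE-0000-0001", "vendorProject": "ExampleVPN", "product": "Gateway",
     "vulnerabilityName": "ExampleVPN Gateway remote code execution",
     "dateAdded": "2023-11-01", "dueDate": "2023-11-22",
     "knownRansomwareCampaignUse": "Known",
     "requiredAction": "Apply updates per vendor instructions."},
    {"cveID": "CVE-0000-0002", "vendorProject": "ExampleWeb", "product": "AppServer",
     "vulnerabilityName": "ExampleWeb AppServer path traversal",
     "dateAdded": "2023-12-20", "dueDate": "2024-01-10",
     "knownRansomwareCampaignUse": "Unknown",
     "requiredAction": "Apply updates per vendor instructions."},
    {"cveID": "CVE-0000-0003", "vendorProject": "ExampleWeb", "product": "AppServer",
     "vulnerabilityName": "ExampleWeb AppServer authentication bypass",
     "dateAdded": "2024-01-08", "dueDate": "2024-01-29",
     "knownRansomwareCampaignUse": "Known",
     "requiredAction": "Apply updates per vendor instructions."}
  ]
}
"""

# Constructed scanner output: one row per (host, CVE) the scanner reported.
SAMPLE_FINDINGS = [
    {"host": "vpn-gw-01", "cve": "cve-0000-0001"},   # lower case: scanners vary
    {"host": "web-02", "cve": "CVE-0000-0002"},
    {"host": "web-02", "cve": " CVE-0000-0003 "},
    {"host": "db-03", "cve": "CVE-0000-0004"},       # not in the catalog
]


def load_kev(text):
    """Index a KEV-format catalog by upper-cased CVE ID."""
    catalog = json.loads(text)
    return {v["cveID"].upper(): v for v in catalog["vulnerabilities"]}


def prioritize(findings, kev, today):
    """Return the findings present in the KEV catalog, ordered for remediation.

    Order: overdue first (the catalog's dueDate has passed), then entries with
    known ransomware use, then earliest due date, then host. Findings not in the
    catalog are dropped here; they belong in the regular patch queue, not the
    urgent one.
    """
    hits = []
    for finding in findings:
        entry = kev.get(finding["cve"].strip().upper())
        if entry is None:
            continue
        due = date.fromisoformat(entry["dueDate"])
        hits.append({
            "host": finding["host"],
            "cve": entry["cveID"],
            "product": f"{entry['vendorProject']} {entry['product']}",
            "due": due,
            "overdue": due < today,
            "ransomware": entry.get("knownRansomwareCampaignUse") == "Known",
            "action": entry["requiredAction"],
        })
    hits.sort(key=lambda h: (not h["overdue"], not h["ransomware"], h["due"], h["host"]))
    return hits


def summarize(hits):
    """Counts a status report would lead with."""
    return {
        "kev_hits": len(hits),
        "overdue": sum(h["overdue"] for h in hits),
        "ransomware_linked": sum(h["ransomware"] for h in hits),
    }


def run_sample(today_iso="2024-01-15"):
    """Rank the constructed findings as of the given ISO 8601 date."""
    kev = load_kev(SAMPLE_KEV_JSON)
    return prioritize(SAMPLE_FINDINGS, kev, date.fromisoformat(today_iso))


if __name__ == "__main__":
    ranked = run_sample()
    print(summarize(ranked))
    for h in ranked:
        status = "OVERDUE" if h["overdue"] else "due " + h["due"].isoformat()
        tag = " [ransomware]" if h["ransomware"] else ""
        print(f"{h['host']:<10} {h['cve']:<14} {h['product']:<22} {status}{tag}: {h['action']}")
```

The ordering is a policy choice: a due date in the catalog that has already passed outranks everything else, then known ransomware use, which matches the emphasis of the #StopRansomware advisory above. Swap in the live catalog feed and your scanner's export for the two constructed inputs.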
Table 1: CISA and Joint CISA Publications

Publication Date | Title | Description
February 9, 2023

#StopRansomware: Ransomware Attacks on Critical Infrastructure Fund DPRK Malicious Cyber Activities

The NSA, FBI, CISA, Department of Health and Human Services, the Republic of Korea (ROK) National Intelligence Service, and the ROK Defense Security Agency issued a joint Cybersecurity Advisory to highlight ongoing ransomware activity against Healthcare and Public Health Sector organizations and other critical infrastructure sector entities.
July 6, 2022

Joint FBI-CISA-Treasury CSA: North Korean State-Sponsored Cyber Actors Use Maui Ransomware to Target the Healthcare and Public Health Sector

The FBI, CISA, and the Department of the Treasury issued a joint Cybersecurity Advisory to provide information on Maui ransomware, which has been used by North Korean state-sponsored cyber actors since at least May 2021 to target Healthcare and Public Health (HPH) Sector organizations.

April 18, 2022

Joint FBI-CISA-Treasury CSA: TraderTraitor: North Korean State-Sponsored APT Targets Blockchain Companies

The FBI, CISA, and the Department of the Treasury issued a joint Cybersecurity Advisory highlighting the cyber threat associated with cryptocurrency thefts and tactics used by a North Korean state-sponsored advanced persistent threat.

This group is commonly tracked by the cybersecurity industry as Lazarus Group, APT38, BlueNoroff, and Stardust Chollima. 

February 17, 2021

Joint FBI-CISA-Treasury CSA: AppleJeus: Analysis of North Korea's Cryptocurrency Malware

MAR 10322463-1.v1: AppleJeus – Celas Trade Pro

MAR 10322463-2.v1: AppleJeus – JMT Trading

MAR 10322463-3.v1: AppleJeus – Union Crypto

MAR 10322463-4.v1: AppleJeus – Kupay Wallet

MAR 10322463-5.v1: AppleJeus – CoinGoTrade

MAR 10322463-6.v1: AppleJeus – Dorusio

MAR 10322463-7.v1: AppleJeus – Ants2Whale

CISA, FBI, and the Department of the Treasury released a Joint Cybersecurity Advisory and seven MARs on the North Korean government’s dissemination of malware that facilitates the theft of cryptocurrency—referred to by the U.S. Government as “AppleJeus.”
October 27, 2020

Joint CISA-CNMF-FBI CSA: North Korean Advanced Persistent Threat Focus: Kimsuky

CISA, FBI, and the U.S. Cyber Command Cyber National Mission Force (CNMF) released a new Joint Cybersecurity Advisory on TTPs used by North Korean APT group Kimsuky.
August 26, 2020

Joint CISA-Treasury-FBI-USCYBERCOM CSA: FASTCash 2.0: North Korea's BeagleBoyz Robbing Banks

MAR 10301706-1.v1: North Korean Remote Access Tool: ECCENTRICBANDWAGON

MAR 10301706-2.v1: North Korean Remote Access Tool: VIVACIOUSGIFT

MAR 10257062-1.v2: North Korean Remote Access Tool: FASTCASH for Windows

CISA, the Department of the Treasury, FBI, and U.S. Cyber Command released a joint Cybersecurity Advisory and three MARs on the North Korean government’s ATM cash-out scheme—referred to by the U.S. Government as “FASTCash.”
August 19, 2020

MAR 10295134.r1.v1: North Korean Remote Access Trojan: BLINDINGCAN

CISA and FBI identified a malware variant—referred to as BLINDINGCAN—used by North Korean actors. FBI has high confidence that HIDDEN COBRA actors are using malware variants in conjunction with proxy servers to maintain a presence on victim networks and to further network exploitation. A threat group with a nexus to North Korea targeted government contractors early in 2020 to gather intelligence surrounding key military and energy technologies.
May 12, 2020

MAR 1028834-1.v1: North Korean Remote Access Tool: COPPERHEDGE

MAR 1028834-2.v1: North Korean Trojan: TAINTEDSCRIBE

MAR 1028834-3.v1: North Korean Trojan: PEBBLEDASH

CISA, FBI, and DoD identified three malware variants used by the North Korean government. 

COPPERHEDGE is a variant of the Manuscrypt family of malware used by APT cyber actors to target cryptocurrency exchanges and related entities.

TAINTEDSCRIBE and PEBBLEDASH are full-featured beaconing implants.

May 12, 2020

U.S. Government Advisory: Top 10 Routinely Exploited Vulnerabilities

CISA, FBI, and the broader U.S. Government authored a Joint Alert with details on vulnerabilities routinely exploited by foreign cyber actors, including North Korean cyber actors.
April 15, 2020

U.S. Government Advisory: Guidance on the North Korean Cyber Threat

The U.S. Departments of State, Treasury, and Homeland Security and FBI issued this Advisory as a comprehensive resource on the North Korean cyber threat for the international community, network defenders, and the public. The Advisory highlights the cyber threat posed by North Korea and provides recommended steps to mitigate the threat.
February 14, 2020

MAR 10265965-1.v1: North Korean Trojan: BISTROMATH

MAR 10265965-2.v1: North Korean Trojan: SLICKSHOES

MAR 10265965-3.v1: North Korean Trojan: CROWDEDFLOUNDER

MAR 10271944-1.v1: North Korean Trojan: HOTCROISSANT

MAR 10271944-2.v1: North Korean Trojan: ARTFULPIE

MAR 10271944-3.v1: North Korean Trojan: BUFFETLINE

MAR 10135536-8.v4: North Korean Trojan: HOPLIGHT. Note: this version of the HOPLIGHT MAR updates the October 31, 2019 version, which in turn updated the April 10, 2019 version.

CISA, FBI, and DoD identified multiple malware variants used by the North Korean government.

The BISTROMATH MAR covers multiple versions of a full-featured Remote Access Trojan implant executable and multiple versions of the CAgent11 GUI implant controller/builder.

SLICKSHOES is a Themida-packed dropper that decodes and drops a Themida-packed beaconing implant.

The CROWDEDFLOUNDER MAR covers a Themida-packed Windows executable.

HOTCROISSANT is a full-featured beaconing implant.

ARTFULPIE is an implant that downloads a DLL from a hardcoded URL and loads and executes it in memory.

BUFFETLINE is a full-featured beaconing implant.

The HOPLIGHT MAR covers multiple malicious executable files, some of which are proxy applications that mask traffic between the malware and the remote operators.

September 9, 2019

MAR 10135536-21: North Korean Proxy Malware: ELECTRICFISH. Note: this version of the ELECTRICFISH MAR updates the May 9, 2019 version.

MAR 10135536-10: North Korean Trojan: BADCALL. Note: this version of the BADCALL MAR updates the February 6, 2018 version and its STIX file.

CISA, FBI, and DoD identified multiple malware variants used by the North Korean government.

ELECTRICFISH implements a custom protocol that allows traffic to be tunneled between a source and a destination Internet Protocol (IP) address.

BADCALL malware is an executable that functions as a proxy server and implements a "Fake TLS" method.

October 2, 2018

CISA Alert TA18-275A - HIDDEN COBRA FASTCash Campaign

MAR 10201537: HIDDEN COBRA FASTCash-Related Malware

CISA, Treasury, FBI, and U.S. Cyber Command identified malware and other IOCs used by the North Korean government in an ATM cash-out scheme—referred to by the U.S. Government as “FASTCash.” The Joint Technical Alert provides information on FASTCash and the MAR provides information on 10 malware samples related to this activity.
August 9, 2018

MAR 10135536-17: North Korean Trojan: KEYMARBLE

DHS and FBI identified a Trojan malware variant—referred to as KEYMARBLE—used by the North Korean government.  KEYMARBLE is a RAT capable of accessing device configuration data, downloading additional files, executing commands, modifying the registry, capturing screen shots, and exfiltrating data.
June 14, 2018

MAR 10135536-12: North Korean Trojan: TYPEFRAME

DHS and FBI identified a Trojan malware variant—referred to as TYPEFRAME—used by the North Korean government. DHS and FBI distributed this MAR to enable network defense and reduce exposure to North Korean government malicious cyber activity. This malware report contains an analysis of multiple malware samples consisting of 32-bit and 64-bit Windows executable files and a malicious Microsoft Word document that contains Visual Basic for Applications macros.
May 29, 2018

CISA Alert TA18-149A: HIDDEN COBRA – Joanap Backdoor Trojan and Brambul Server Message Block Worm

MAR 10135536-3: HIDDEN COBRA RAT/Worm

This Joint Technical Alert and MAR, authored by DHS and FBI, provide information, including IOCs, on two families of malware used by the North Korean government:

  • a remote access tool, commonly known as Joanap; and
  • a Server Message Block (SMB) worm, commonly known as Brambul.

March 28, 2018

MAR 10135536.11: North Korean Trojan: SHARPKNOT

STIX file for MAR 10135536.11

DHS and FBI identified a Trojan malware variant—referred to as SHARPKNOT—used by the North Korean government. SHARPKNOT is a 32-bit Windows executable file. When executed from the command line, the malware overwrites the Master Boot Record and deletes files on the local system, any mapped network shares, and physically connected storage devices.
February 13, 2018

MAR 10135536-F: North Korean Trojan: HARDRAIN

STIX file for MAR 10135536-F

DHS and FBI identified a Trojan malware variant—referred to as HARDRAIN—used by the North Korean government.
December 21, 2017

MAR 10135536: North Korean Trojan: BANKSHOT

STIX file for MAR 10135536

DHS and FBI identified a Trojan malware variant—referred to as BANKSHOT—used by the North Korean government. This MAR analyzes three malicious executable files.

Two files are 32-bit Windows executables that function as Proxy servers and implement a "Fake TLS" method.

The third file is an Executable Linkable Format file designed to run on Android platforms as a fully functioning Remote Access Trojan.

November 14, 2017

CISA Alert TA17-318A: HIDDEN COBRA – North Korean Remote Administration Tool: FALLCHILL

CISA Alert TA17-318B: HIDDEN COBRA – North Korean Trojan: Volgmer

These Joint Technical Alerts provide information and IOCs on malware variants used by the North Korean government to maintain a presence on victims’ networks and to further network exploitation. DHS and FBI distributed these alerts to enable network defense and reduce exposure to any North Korean government malicious cyber activity.
August 23, 2017

MAR 10132963: Analysis of DeltaCharlie Attack Malware

STIX file for MAR 10132963

This MAR examines the functionality of the DeltaCharlie malware variant, which is used to manage North Korea’s distributed denial-of-service (DDoS) botnet infrastructure (refer to TA17-164A). DHS distributed this MAR to enable network defense and reduce exposure to any North Korean government malicious cyber activity.
June 13, 2017

CISA Alert TA17-164A: HIDDEN COBRA – North Korea’s DDoS Botnet Infrastructure

This Joint Technical Alert provides technical details on the tools and infrastructure used by cyber actors of the North Korean government to target the media, aerospace, financial, and critical infrastructure sectors in the United States and globally. Working with U.S. government partners, DHS and FBI identified Internet Protocol addresses associated with a malware variant, known as DeltaCharlie, used to manage North Korea’s DDoS botnet infrastructure.
May 12, 2017

CISA Alert TA17-132A: Indicators Associated With WannaCry Ransomware

This DHS-FBI Joint Technical Alert provides information, including IOCs on the ransomware variant known as WannaCry. The U.S. Government publicly attributed this WannaCry ransomware variant to the North Korean government.
CISA.gov
An official website of the U.S. Department of Homeland Security