ETDA: Electronic Transactions Development Agency

Threat Group Cards: A Threat Actor Encyclopedia

APT group: Dalbit

Names: Dalbit (AhnLab)
Country: China
Motivation: Information theft and espionage
First seen: 2022
Description: (AhnLab) This group has had more than 50 confirmed attack attempts on Korean companies since 2022. Most of the attacked companies were mid to small companies while a portion was major companies. The team has confirmed that 30% of the infected companies were using a certain Korean groupware solution. It is currently difficult to check whether this groupware product has a vulnerability or not, but if a server that is this exposed has a vulnerability, then there is a chance that companies could be affected gravely through the leakage of confidential information and ransomware behavior. Furthermore, this Dalbit group leaves some infected companies as proxies and download servers to later use them as means to communicate with the threat actor upon infiltration of another company.
Observed:
Sectors: Automotive, Chemical, Construction, Education, Energy, Food and Agriculture, High-Tech, Hospitality, Industrial, Maritime and Shipbuilding, Media, Shipping and Logistics, Technology and Consulting companies.
Countries: South Korea.
Tools used: AntSword, ASPXSpy, BadPotato, BlueShell, China Chopper, Cobalt Strike, EFSPotato, FRP, Godzilla, HTran, JuicyPotato, LadonGo, Metasploit, Mimikatz, NPS, ProcDump, PsExec, reGeorg, Remcom, RottenPotato, SweetPotato.

Last change to this card: 17 February 2023
