ETDA Electronic Transactions Development Agency
Threat Group Cards: A Threat Actor Encyclopedia

APT group: Subgroup: Bluenoroff, APT 38, Stardust Chollima

Names:
Bluenoroff (Kaspersky)
APT 38 (Mandiant)
Stardust Chollima (CrowdStrike)
CTG-6459 (SecureWorks)
Nickel Gladstone (SecureWorks)
TEMP.Hermit (FireEye)
T-APT-15 (Tencent)
ATK 117 (Thales)
Black Alicanto (PWC)
Copernicium (Microsoft)
TA444 (Proofpoint)
Sapphire Sleet (Microsoft)
TAG-71 (Recorded Future)

Country: North Korea

Motivation: Financial crime

First seen: 2014

Description: A subgroup of Lazarus Group, Hidden Cobra, Labyrinth Chollima.

(Kaspersky) The Lazarus Group, a nation-state level of attacker tied to the 2014 attacks on Sony Pictures Entertainment, has splintered off a portion of its operation to concentrate on stealing money to fund itself.
Tools used:

Operations performed:

Oct 2015: Duuzer backdoor Trojan targets South Korea to take over computers
Symantec has found that South Korea is being impacted by an active back door Trojan, detected as Backdoor.Duuzer. While the malware attack has not been exclusively targeting the region, it has been focusing on the South Korean manufacturing industry. Duuzer is a well-designed threat that gives attackers remote access to the compromised computer, downloads additional files, and steals data. It’s clearly the work of skilled attackers looking to obtain valuable information.

2015: SWIFT attack on a bank in the Philippines

Dec 2015: Attempted Vietnamese TPBank SWIFT attack

May 2016: SWIFT attack on Banco del Austro in Ecuador

Oct 2016: Mexican and Polish financial attack
Organizations in 31 countries have been targeted in a new wave of attacks which has been underway since at least October 2016. The attackers used compromised websites or “watering holes” to infect pre-selected targets with previously unknown malware. There has been no evidence found yet that funds have been stolen from any infected banks.

2017: In this campaign, the group sends spear-phishing emails containing an archived Windows shortcut file. The file names are disguised as security or cryptocurrency related files in order to entice users into executing them.

Oct 2017: SWIFT attack on Far Eastern International Bank (FEIB) in Taiwan

Jan 2018: Attempted heist at Bancomext in Mexico

May 2018: SWIFT attack on Banco de Chile in Chile

Aug 2018: SWIFT attack on Cosmos Bank in India

Dec 2018: ATM breach of Redbanc in Chile

Nov 2021: The BlueNoroff cryptocurrency hunt is still on

2022: TA444: The APT Startup Aimed at Acquisition (of Your Funds)

Sep 2022: North Korean hackers spoof venture capital firms in Japan, Vietnam and US

Oct 2022: BlueNoroff introduces new methods bypassing MoTW

Dec 2022: Bluenoroff’s RustBucket campaign

Jun 2023: The DPRK strikes using a new variant of RUSTBUCKET

Sep 2023: BlueNoroff strikes again with new macOS malware

Oct 2023: BlueNoroff: new Trojan attacking macOS users

Nov 2023: Microsoft: BlueNoroff hackers plan new crypto-theft attacks

Counter operations:

Apr 2023: Prison time for 11 involved in India's Cosmos Bank heist

Last change to this card: 16 January 2024
