Threats

North Korea's Andariel Unveils New Malware Arsenal in 2025 Cyberattacks

Zero Day Wire

1 min read
North Korea's Andariel Unveils New Malware Arsenal in 2025 Cyberattacks

While much of the security industry's attention has been fixed on North Korea's sprawling IT worker infiltration schemes, Pyongyang's traditional cyber espionage units have been far from idle. New research from WithSecure reveals that Andariel—a state-sponsored group linked to the RGB's 3rd Bureau—has significantly expanded its offensive toolkit, deploying three newly identified remote access trojans alongside sophisticated anti-detection techniques in attacks discovered throughout 2025.

A Staging Server Goldmine

The investigation took a fortuitous turn when WithSecure researchers discovered an active Andariel staging server during its operational window. The access allowed them to pull artifacts directly from the infrastructure, providing rare visibility into the group's current capabilities and operational patterns.

The haul revealed a substantially modernized arsenal. Andariel has moved beyond its previously documented tooling to deploy JelusRAT, StarshellRAT, and GopherRAT—three remote access trojans that had not been publicly documented prior to this research.

New Implants, Familiar Tactics

Beyond the new RATs, WithSecure identified several additional tools and techniques in active use: a custom port scanner for network reconnaissance, a PetitPotato sample for privilege escalation, and BYOVD (Bring Your Own Vulnerable Driver) attacks targeting antivirus and EDR products.

The BYOVD approach has become increasingly common among sophisticated threat actors seeking to neutralize endpoint defenses. By loading legitimately signed but vulnerable drivers, attackers can exploit kernel-level flaws to disable security software before deploying their primary payloads.

Andariel's Operational Mandate

Andariel operates under North Korea's Reconnaissance General Bureau, the regime's primary foreign intelligence service. The group has historically focused on financial theft to fund state operations alongside traditional espionage targeting defense, aerospace, and nuclear sectors.

The discovery of this expanded toolkit suggests continued investment in Andariel's capabilities despite the regime's parallel focus on IT worker placement schemes—indicating these represent complementary rather than competing operational priorities.

IOCs and Technical Details: WithSecure has published indicators of compromise and additional technical analysis on GitHub.

Source: WithSecure Research

Read more

ClickFix Campaign Compromises Legitimate Sites to Deploy MIMICRAT — A Custom C++ RAT With 22 Post-Exploitation Commands

ClickFix Campaign Compromises Legitimate Sites to Deploy MIMICRAT — A Custom C++ RAT With 22 Post-Exploitation Commands

Elastic Security Labs has disclosed a new ClickFix campaign that leverages compromised legitimate websites as delivery infrastructure to deploy a previously undocumented remote access trojan dubbed MIMICRAT (also tracked as AstarionRAT). The campaign, discovered earlier this month, demonstrates significant operational sophistication — from multi-stage PowerShell chains that bypass Windows security controls

By Zero Day Wire
ShinyHunters Linked to Device Code Vishing Attacks Targeting Microsoft Entra Accounts via OAuth 2.0 Abuse

ShinyHunters Linked to Device Code Vishing Attacks Targeting Microsoft Entra Accounts via OAuth 2.0 Abuse

A new wave of attacks is combining voice phishing (vishing) with OAuth 2.0 device authorization abuse to compromise Microsoft Entra accounts at technology, manufacturing, and financial organizations — bypassing traditional phishing infrastructure entirely. Sources told BleepingComputer they believe the ShinyHunters extortion gang is behind the campaigns, which the threat actors

By Zero Day Wire