North Korea's Andariel Unveils New Malware Arsenal in 2025 Cyberattacks


While much of the security industry's attention has been fixed on North Korea's sprawling IT worker infiltration schemes, Pyongyang's traditional cyber espionage units have been far from idle. New research from WithSecure reveals that Andariel—a state-sponsored group linked to the 3rd Bureau of the Reconnaissance General Bureau (RGB)—has significantly expanded its offensive toolkit, deploying three newly identified remote access trojans alongside sophisticated anti-detection techniques in attacks discovered throughout 2025.

A Staging Server Goldmine

The investigation took a fortuitous turn when WithSecure researchers discovered an active Andariel staging server during its operational window. The access allowed them to pull artifacts directly from the infrastructure, providing rare visibility into the group's current capabilities and operational patterns.

The haul revealed a substantially modernized arsenal. Andariel has moved beyond its previously documented tooling to deploy JelusRAT, StarshellRAT, and GopherRAT—three remote access trojans that had not been publicly documented prior to this research.

New Implants, Familiar Tactics

Beyond the new RATs, WithSecure identified several additional tools and techniques in active use: a custom port scanner for network reconnaissance, a PetitPotato sample for privilege escalation, and BYOVD (Bring Your Own Vulnerable Driver) attacks targeting antivirus and EDR products.

The BYOVD approach has become increasingly common among sophisticated threat actors seeking to neutralize endpoint defenses. By loading legitimately signed but vulnerable drivers, attackers gain kernel-level code execution through flaws in those drivers and use it to disable security software before deploying their primary payloads. Because the driver carries a valid signature, signature checks alone do not stop it; defenders rely on vulnerable-driver blocklists and on monitoring driver loads for known-bad hashes or unusual load paths.
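As an added illustration of the defensive side of the BYOVD problem (this is example code written for this page, not WithSecure's tooling or anything from the research), the following script applies three checks to Sysmon Event ID 6 (DriverLoad) records: whether the driver's SHA256 is on a vulnerable-driver blocklist, whether it was loaded from outside the normal driver directories, and whether its signature status is valid. The event records and the blocklist hashes are constructed placeholders; the field names (`ImageLoaded`, `Hashes`, `Signed`, `Signature`, `SignatureStatus`) follow Sysmon's DriverLoad event schema, and a real deployment would feed in parsed Sysmon events and a maintained blocklist such as Microsoft's recommended driver block rules.

```python
"""Flag suspicious kernel driver loads in Sysmon Event ID 6 (DriverLoad) records.

Added example, not code from WithSecure or the original article. The event
records and blocklist hashes below are constructed for illustration.
"""
from dataclasses import dataclass

# Constructed blocklist: SHA256 values an organisation has decided must never
# load as a kernel driver. Placeholders, not hashes of any real driver.
BLOCKLISTED_SHA256 = {
    "0f" * 32,
    "ab" * 32,
}

# Directories from which kernel drivers are normally loaded on Windows.
# Compared case-insensitively against the lower-cased ImageLoaded path.
TRUSTED_DRIVER_DIRS = (
    "c:\\windows\\system32\\drivers\\",
    "c:\\windows\\system32\\driverstore\\",
)


@dataclass
class Finding:
    image: str
    reason: str


def parse_hashes(field):
    """Turn Sysmon's 'MD5=..,SHA256=..' Hashes string into {ALGO: hexvalue}."""
    out = {}
    for part in field.split(","):
        if "=" in part:
            algo, value = part.split("=", 1)
            out[algo.strip().upper()] = value.strip().lower()
    return out


def check_driver_load(event):
    """Return a list of Findings for one Sysmon DriverLoad event dict."""
    findings = []
    image = event.get("ImageLoaded", "")
    sha256 = parse_hashes(event.get("Hashes", "")).get("SHA256")

    # A valid signature is exactly what BYOVD relies on, so the blocklist hit
    # and the load path are the signals that matter most here.
    if sha256 in BLOCKLISTED_SHA256:
        findings.append(Finding(image, "hash on vulnerable-driver blocklist"))
    if not image.lower().startswith(TRUSTED_DRIVER_DIRS):
        findings.append(Finding(image, "driver loaded from non-standard directory"))
    if event.get("SignatureStatus", "").lower() != "valid":
        findings.append(Finding(image, "driver signature not valid"))
    return findings


def scan(events):
    """Run check_driver_load over a sequence of events and flatten the results."""
    return [f for e in events for f in check_driver_load(e)]


# Constructed sample events in the shape of Sysmon Event ID 6 data.
SAMPLE_EVENTS = [
    {  # benign: Microsoft-signed driver from the normal directory
        "UtcTime": "2025-01-15 10:02:11.001",
        "ImageLoaded": "C:\\Windows\\System32\\drivers\\tcpip.sys",
        "Hashes": "SHA256=" + "11" * 32,
        "Signed": "true",
        "Signature": "Microsoft Windows",
        "SignatureStatus": "Valid",
    },
    {  # suspicious: validly signed third-party driver, on the blocklist, dropped in a temp dir
        "UtcTime": "2025-01-15 10:05:47.882",
        "ImageLoaded": "C:\\Users\\Public\\Temp\\update.sys",
        "Hashes": "MD5=" + "00" * 16 + ",SHA256=" + "0f" * 32,
        "Signed": "true",
        "Signature": "Example Vendor Ltd",
        "SignatureStatus": "Valid",
    },
]

if __name__ == "__main__":
    for finding in scan(SAMPLE_EVENTS):
        print(f"ALERT {finding.image}: {finding.reason}")
```

Running the script flags only the second event, twice: once for the blocklisted hash and once for the temp-directory load path. Note that the signature check alone would have passed it, which is the whole point of the technique the article describes.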

Andariel's Operational Mandate

Andariel operates under North Korea's Reconnaissance General Bureau, the regime's primary foreign intelligence service. The group has historically focused on financial theft to fund state operations alongside traditional espionage targeting defense, aerospace, and nuclear sectors.

The discovery of this expanded toolkit suggests continued investment in Andariel's capabilities despite the regime's parallel focus on IT worker placement schemes—indicating these represent complementary rather than competing operational priorities.

IOCs and Technical Details: WithSecure has published indicators of compromise and additional technical analysis on GitHub.

Source: WithSecure Research
