{"id":10341,"date":"2026-01-22T09:00:00","date_gmt":"2026-01-22T09:00:00","guid":{"rendered":"https:\/\/www.withsecure.com\/resources-hub\/w-labs\/andariel-2025\/"},"modified":"2026-01-22T09:00:00","modified_gmt":"2026-01-22T09:00:00","slug":"andariel-2025","status":"publish","type":"lab_item","link":"https:\/\/www.withsecure.com\/fi\/resurssit\/w-labs\/andariel-2025\/","title":{"rendered":"To the past and beyond: Andariel\u2019s latest arsenal and cyberattacks"},"content":{"rendered":"\n
\n
\n

\n To the past and beyond: Andariel\u2019s latest arsenal and cyberattacks<\/span><\/h1>
\n
\n \n \n Attack Detection <\/span>\n \n Threat intelligence <\/span>\n <\/span>\n \n 22.01.2026 <\/span>\n <\/div>\n <\/div>\n <\/div>\n
\n
\n

\n Jaa t\u00e4m\u00e4 <\/p>\n

\n \n \n
\n
\n
\n \"\" <\/figure>\n <\/div>\n <\/div>\n<\/section>\n\n\n\n
\n
\n
\n

\n Authors <\/p>\n \n

\n
\n
\n \"\" <\/div>\n
\n

Mohammad Kazem Hassan Nejad<\/h3>\n \n

\n Senior Threat Intelligence Researcher, WithSecure <\/p>\n \n <\/div>\n\n<\/div>\n\n <\/div>\n\n <\/div>\n

\n

\n Download report <\/p>\n \n

\n
\n \n Download report
\n
\n

\n Share this story <\/p>\n

\n \n \n
\n
\n

WithSecure proactively identified and notified a European customer belonging to the public\/legal sector of a breach attributed with high confidence to the Andariel group, a state-sponsored cyber group linked to the Reconnaissance General Bureau (RGB) 3rd bureau of Democratic People\u2019s Republic of Korea (DPRK).<\/p>\n

The attribution was based on the threat actor\u2019s usage of unique malware, such as TigerRAT, command execution patterns, infrastructure linkages, and other technical and non-technical evidence that linked it to previous reports of Andariel activity.<\/p>\n

We assess that the primary goal of this breach was cyberespionage. This was determined based on the group\u2019s past objectives and the intrusion activity, but most notably the threat actor accessing documents relating to anti-money laundering on the victim host. DPRK is notoriously known for its money-laundering activity to evade international sanctions.<\/p>\n

This investigation led WithSecure to the discovery of another set of attack conducted by this group against an Enterprise Resource Planning (ERP) software in Republic of Korea (ROK) in 2025. WithSecure determined that this particular ERP software had been a previous target of Andariel in 2017 and almost certainly again in 2024.<\/p>\n

This further on led to the discovery of three new, previously undocumented RATs that WithSecure attributes to Andariel, namely StarshellRAT, JelusRAT, and GopherRAT.<\/p>\n

The investigation also led WithSecure to discover a staging server used by the group. Through this staging server, we were able to find additional artifacts related to both attacks. We also discovered a mix of new and old techniques and tooling used by the group to conduct their latest attacks, including privilege escalation tools such as PrintSpoofer and PetitPotato, and the abuse of the trending bring-your-own-vulnerable-driver (BYOVD) technique that is used by other threat actors to kill AV\/EDR products.<\/p>\n

This report provides details on the two cyberattacks we investigated and analysis of the artifacts we found across the two attacks and on the staging server. WithSecure has engaged governments and select partners with advanced copies of this report.<\/p>\n<\/div>\n\n

\n
\n

\n Share this story <\/p>\n

\n \n \n
\n
\n
\n
\n

\n What next?<\/span><\/h2>
\n
\n

Discover WithSecure\u2122 Elements Exposure Management.
\n– No credit card required. No obligations.No complexity.<\/p>\n<\/div>\n <\/div>\n <\/div>\n

\n Contact us<\/a> <\/div>\n <\/div> <\/div>\n <\/div>\n<\/section>\n\n\n\n\n\n
\n
\n

\n Related Labs content<\/span><\/h2>
\n
\n
\n

Find related content relating to this topic.<\/span><\/p>\n<\/div>\n <\/div>\n <\/div>\n <\/div> \n

\n
\n
\n
\n \"\"

W\/Labs<\/p>\n <\/div>\n

\n
\n
\n Attack Detection<\/span>\n Software Protection<\/span>\n Threat intelligence<\/span>\n <\/div>\n <\/div>\n

DarkGate Rises: New version of DarkGate malware hunts like a Duck but bites like a RAT<\/h3>\n

On 4th August 2023, WithSecure Detection and Response Team (DRT) received an alert regarding spoofed process injection with abnormal memory characteristics on a host belonging to a WithSecure Countercept MDR customer.<\/p>\n

\n Lue lis\u00e4\u00e4<\/a> <\/div>\n <\/div>\n<\/div> <\/div>\n
\n
\n
\n \"\"

W\/Labs<\/p>\n <\/div>\n

\n
\n
\n Attack Detection<\/span>\n Software Protection<\/span>\n Threat intelligence<\/span>\n <\/div>\n <\/div>\n

Reverse engineering a Lumma infection<\/h3>\n

Lumma is an information stealer that the WithSecure Detection and Response Team (DRT) have encountered several times. It has seen wider use over the past couple of years, and makes for an interesting threat to monitor.<\/p>\n

\n Lue lis\u00e4\u00e4<\/a> <\/div>\n <\/div>\n<\/div> <\/div>\n
\n
\n
\n \"\"

W\/Labs<\/p>\n <\/div>\n

\n
\n
\n AI security<\/span>\n Attack Detection<\/span>\n Software Protection<\/span>\n <\/div>\n <\/div>\n

Machine learning-driven malware analysis<\/h3>\n

With the rapid emergence of new malware variants, accurately classifying and attributing malware samples has become more challenging than ever<\/p>\n

\n Lue lis\u00e4\u00e4<\/a> <\/div>\n <\/div>\n<\/div> <\/div>\n <\/div>\n
\n
\n <\/div>\n
\n
\n

WithSecure proactively identified and notified a European customer belonging to the public\/legal sector of a breach attributed with high confidence to the Andariel group, a state-sponsored cyber group linked to the Reconnaissance General Bureau (RGB) 3rd bureau of Democratic People\u2019s Republic of Korea (DPRK).<\/p>\n","protected":false},"author":3,"featured_media":0,"template":"","categories":[302,304],"labs_content_type":[305,346,327],"class_list":["post-10341","lab_item","type-lab_item","status-publish","hentry","category-attack-detection","category-threat-intelligence"],"acf":[],"card":"

\n
\n \"\"

W\/Labs<\/p>\n <\/div>\n

\n
\n
\n Attack Detection<\/span>\n Threat intelligence<\/span>\n <\/div>\n <\/div>\n

To the past and beyond: Andariel\u2019s latest arsenal and cyberattacks<\/h3>\n

WithSecure proactively identified and notified a European customer belonging to the public\/legal sector of a breach attributed with high confidence to the Andariel group, a state-sponsored cyber group linked to the Reconnaissance General Bureau (RGB) 3rd bureau of Democratic People\u2019s Republic of Korea (DPRK).<\/p>\n

\n Lue lis\u00e4\u00e4<\/a> <\/div>\n <\/div>\n<\/div>","_links":{"self":[{"href":"https:\/\/www.withsecure.com\/fi\/wp-json\/wp\/v2\/lab_item\/10341","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.withsecure.com\/fi\/wp-json\/wp\/v2\/lab_item"}],"about":[{"href":"https:\/\/www.withsecure.com\/fi\/wp-json\/wp\/v2\/types\/lab_item"}],"author":[{"embeddable":true,"href":"https:\/\/www.withsecure.com\/fi\/wp-json\/wp\/v2\/users\/3"}],"wp:attachment":[{"href":"https:\/\/www.withsecure.com\/fi\/wp-json\/wp\/v2\/media?parent=10341"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.withsecure.com\/fi\/wp-json\/wp\/v2\/categories?post=10341"},{"taxonomy":"labs_content_type","embeddable":true,"href":"https:\/\/www.withsecure.com\/fi\/wp-json\/wp\/v2\/labs_content_type?post=10341"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}