
Threat Group Cards: A Threat Actor Encyclopedia

APT group: Subgroup: Bluenoroff, APT 38, Stardust Chollima

Names: Bluenoroff (Kaspersky)
       APT 38 (Mandiant)
       Stardust Chollima (CrowdStrike)
       CTG-6459 (SecureWorks)
       Nickel Gladstone (SecureWorks)
       T-APT-15 (Tencent)
       ATK 117 (Thales)
Country: North Korea
Motivation: Financial crime
First seen: 2014
Description: A subgroup of Lazarus Group, Hidden Cobra, Labyrinth Chollima.

(Kaspersky) The Lazarus Group, a nation-state-level attacker tied to the 2014 attacks on Sony Pictures Entertainment, has splintered off a portion of its operation to concentrate on stealing money to fund itself.
Tools used:

Operations performed:

Oct 2015: Duuzer backdoor Trojan targets South Korea to take over computers
Symantec has found that South Korea is being impacted by an active back door Trojan, detected as Backdoor.Duuzer. While the malware attack has not been exclusively targeting the region, it has been focusing on the South Korean manufacturing industry. Duuzer is a well-designed threat that gives attackers remote access to the compromised computer, downloads additional files, and steals data. It is clearly the work of skilled attackers looking to obtain valuable information.

2015: SWIFT attack on a bank in the Philippines

Dec 2015: Attempted Vietnamese TPBank SWIFT attack

May 2016: SWIFT attack on Banco del Austro in Ecuador

Oct 2016: Mexican and Polish financial attack
Organizations in 31 countries have been targeted in a new wave of attacks which has been underway since at least October 2016. The attackers used compromised websites or "watering holes" to infect pre-selected targets with previously unknown malware. There has been no evidence found yet that funds have been stolen from any infected banks.

2017: In this campaign, the group sends spear-phishing emails containing an archived Windows shortcut file. The file names are disguised as security- or cryptocurrency-related files in order to entice users into executing them.

Oct 2017: SWIFT attack on Far Eastern International Bank (FEIB) in Taiwan

Jan 2018: Attempted heist at Bancomext in Mexico

May 2018: SWIFT attack on Banco de Chile in Chile

Aug 2018: SWIFT attack on Cosmos Bank in India

Dec 2018: ATM breach of Redbanc in Chile

Last change to this card: 07 January 2021


Thailand Computer Emergency Response Team (ThaiCERT)
Electronic Transactions Development Agency
