WithSecure research uncovers new Andariel cyberespionage operation and previously unseen malware

WithSecure media relations

WithSecure researchers have exposed a cyberespionage campaign carried out by the North Korean–aligned Andariel group, revealing new malware, supply‑chain compromise techniques, and a staging server tied to operations in both Europe and South Korea.

WithSecure, Europe’s trusted cybersecurity partner, has proactively identified and notified a European public/legal sector customer of a breach attributed with high confidence to Andariel, a state-sponsored threat actor linked to the Reconnaissance General Bureau (RGB) of the Democratic People’s Republic of Korea (DPRK).

The attribution was supported by the threat actor’s use of unique Andariel-associated malware such as TigerRAT, distinct command execution patterns, infrastructure linkages, and other technical and non-technical indicators consistent with past Andariel activity.

WithSecure assesses that the primary objective of the breach was cyberespionage, evidenced most clearly by the threat actor’s access to anti-money laundering (AML) documentation. The DPRK is notorious for money laundering operations used to evade international sanctions, and the intrusion aligns with these long-standing intelligence priorities.

The investigation also uncovered an Andariel operation targeting an Enterprise Resource Planning (ERP) software vendor in the Republic of Korea (ROK) in 2025. WithSecure determined that the same ERP software was previously targeted by Andariel in 2017 and almost certainly again in 2024, indicating a long-running interest in exploiting this supply chain.

“As Andariel evolves, we continue to see them mix new tooling with familiar methods that support DPRK’s intelligence priorities,” said a WithSecure researcher.

Across the two attacks and an associated Andariel staging server, WithSecure discovered three new, previously undocumented remote access trojans (RATs) – StarshellRAT, JelusRAT, and GopherRAT – alongside additional artifacts linking both intrusions. The staging server also revealed the group’s use of both new and legacy tooling, including PrintSpoofer, a customized PetitPotato sample, and the trending Bring Your Own Vulnerable Driver (BYOVD) technique used to disable AV/EDR products.

WithSecure recommends that organizations and MSPs strengthen endpoint visibility, validate software supply chain integrity, and review the indicators of compromise provided in the full report.

Read the full research report here: https://labs.withsecure.com/publications/andariel-2025

Why organisations choose WithSecure

WithSecure combines advanced technology with genuine human expertise to protect what matters most. Whether you are securing a growing business or a complex organisation, we work alongside your team to deliver outcomes that last.

The Benefits

  • Fast, frictionless deployment. Our single-agent setup minimises disruption and delivers effective protection from day one.
  • A unified platform that scales with you. Endpoint, identity, cloud, and collaboration security in one place – no unnecessary complexity, no tool sprawl.
  • Compliance built in, not bolted on. NIS2, GDPR, and DORA alignment are embedded in the platform, turning regulatory requirements into a competitive advantage.
  • Round-the-clock expertise, whenever you need it. Every alert is handled by a security professional who understands the full context of your environment.
  • Security grounded in European values. Established in Finland in 1988 and operating fully under EU jurisdiction, our commitment to privacy and trust is structural, not cosmetic.
  • From reactive to proactive. Exposure Management and AI-powered threat detection identify and address risks before they become incidents.
  • A long-term security partner. We begin with a focused conversation and remain invested in your organisation’s security posture well beyond initial onboarding.