To the past and beyond: Andariel’s latest arsenal and cyberattacks

Authors

Mohammad Kazem Hassan Nejad


WithSecure proactively identified and notified a European customer in the public/legal sector of a breach attributed with high confidence to the Andariel group, a state-sponsored cyber group linked to the 3rd Bureau of the Reconnaissance General Bureau (RGB) of the Democratic People’s Republic of Korea (DPRK).

The attribution was based on the threat actor’s use of unique malware such as TigerRAT, its command execution patterns, infrastructure linkages, and other technical and non-technical evidence that tied the activity to previous reports on Andariel.

We assess that the primary goal of this breach was cyberespionage. This was determined from the group’s past objectives and the observed intrusion activity, but most notably from the threat actor accessing documents relating to anti-money laundering on the victim host. The DPRK is notorious for money-laundering activity aimed at evading international sanctions.

This investigation led WithSecure to the discovery of another set of attacks conducted by this group against an Enterprise Resource Planning (ERP) software vendor in the Republic of Korea (ROK) in 2025. WithSecure determined that this particular ERP software had previously been a target of Andariel in 2017 and almost certainly again in 2024.

This in turn led to the discovery of three new, previously undocumented RATs that WithSecure attributes to Andariel, namely StarshellRAT, JelusRAT, and GopherRAT.

The investigation also led WithSecure to discover a staging server used by the group. Through this staging server, we were able to find additional artifacts related to both attacks. We also observed a mix of new and old techniques and tooling used by the group in its latest attacks, including privilege escalation tools such as PrintSpoofer and PetitPotato, and abuse of the increasingly common bring-your-own-vulnerable-driver (BYOVD) technique, which other threat actors also use to disable AV/EDR products.

This report provides details on the two cyberattacks we investigated and an analysis of the artifacts we found across the two attacks and on the staging server. WithSecure has provided governments and select partners with advance copies of this report.
