Andariel Group, Active Only in Korea: Its Activities Over the Past Two Years
2022-06-03 • AhnLab • Andariel Group, active only in Korea, activities over the past two years
AhnLab assessed Andariel as a suspected North Korea-backed group and a possible Lazarus collaborator or subgroup that has operated primarily against South Korean targets since 2008. The 2020-2021 activity focused on defense, shipbuilding, telecommunications, universities, transport, IT services, and energy research, using spear phishing, watering-hole attacks, vulnerabilities in Korean software, and abuse of IT management and security software. The malware set included TigerDownloader, ApolloZeus, AndaBot, TigerRat, RemoteShell, Andalogger, LoginStealer, and the Andasom ransomware, with many loaders decrypting their payloads in memory. Several families appended a date or junk data to their files so that each infection produced a different hash; this reduces the value of hash-only indicators and makes behavioral and infrastructure-based detection more important.
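As an added illustration of the hash-churning point above (example code written for this page, not AhnLab's analysis code or anything from the samples): it builds a constructed minimal PE in memory, appends different trailing data to simulate per-infection variants, and shows that a SHA-256 over the whole file differs for every variant while a hash that stops at the end of the last declared section stays constant. The function names and the sample bytes are assumptions.

```python
import hashlib
import struct

def pe_body_end(data: bytes) -> int:
    """Offset where the last section's raw data ends (start of any overlay)."""
    if data[:2] != b"MZ":
        raise ValueError("not a PE file")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    num_sections = struct.unpack_from("<H", data, e_lfanew + 6)[0]
    opt_size = struct.unpack_from("<H", data, e_lfanew + 20)[0]
    table = e_lfanew + 24 + opt_size          # first IMAGE_SECTION_HEADER
    end = table + 40 * num_sections           # headers are part of the body
    for i in range(num_sections):
        raw_size, raw_ptr = struct.unpack_from("<II", data, table + 40 * i + 16)
        end = max(end, raw_ptr + raw_size)
    return min(end, len(data))

def full_hash(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

def body_hash(data: bytes) -> str:
    """SHA-256 of the file with its overlay (appended date/junk) cut off."""
    return hashlib.sha256(data[:pe_body_end(data)]).hexdigest()

def build_sample_pe() -> bytes:
    """Constructed minimal PE: DOS header, PE signature, COFF header, one section."""
    e_lfanew = 0x40
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    # 1 section, no optional header (SizeOfOptionalHeader = 0)
    coff = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 0, 0x0102)
    raw_ptr = e_lfanew + 24 + 40              # section data follows its header
    code = b"\xCC" * 64
    section = b".text".ljust(8, b"\0") + struct.pack(
        "<IIIIIIHHI", len(code), 0x1000, len(code), raw_ptr, 0, 0, 0, 0, 0x60000020)
    return dos + b"PE\0\0" + coff + section + code

def count_unique(variants) -> tuple:
    """(distinct full-file hashes, distinct body hashes) across the variants."""
    return (len({full_hash(v) for v in variants}), len({body_hash(v) for v in variants}))

if __name__ == "__main__":
    base = build_sample_pe()
    # Constructed per-infection variants: identical body, different appended data.
    variants = [base + b"20210507", base + b"\x00" * 33, base + b"JUNK" * 9]
    print("distinct full hashes / body hashes:", count_unique(variants))
    print("overlay bytes in variant 0:", len(variants[0]) - pe_body_end(variants[0]))
```

Overlay-stripped hashing is only a triage heuristic: legitimate installers also carry overlays, and a variant that changes bytes inside a section still needs the behavioral and infrastructure-based detection the report recommends.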