October 2024 APT Group Trends Report
2024-11-11 • Ahnlab • October 2024 APT Group Trends Report
AhnLab’s October 2024 APT trend summary reports Andariel activity against U.S. private companies after the July 2024 U.S. Department of Justice indictment, with the attacks assessed as financially motivated. The Andariel section cites fake Tableau certificates, Preft and Nukebot backdoors, and public tools including Sliver, Chisel, PuTTY, and Megatools; Preft supported file download, upload, command execution, and plug-ins, while Nukebot supported command execution, file transfer, and screenshots. The same activity included keyloggers for clipboard and application keystroke collection, batch files to enable plaintext credentials, and Mimikatz for credential extraction. A second Andariel section says Unit 42 observed the group moving away from custom ransomware and using Play ransomware infrastructure, spreading Sliver and DTrack over SMB and using Impacket secretsdump.py for credential harvesting. The excerpt frames this as a notable possible link between Andariel and underground ransomware operations, including a potential Initial Access Broker or affiliate role.
Indicators of Compromise
| Type | Value | First Seen | Last Seen |
|---|---|---|---|
| HASH | d93b1d195596dcc3d5fb41ca18006dfe | 2024-11-11 | 2024-11-11 |