APT43: North Korean Group Uses Cybercrime to Fund Espionage Operations
2023-03-28 • Mandiant
Attachments
APT43_Report.pdf (2 MB)
Mandiant assesses with high confidence that APT43 is a moderately sophisticated North Korean cyber operator supporting regime interests through espionage and cybercrime-funded operations. The group targets South Korea, the United States, Japan, and Europe, especially government, education, research, think tank, defense, aerospace, pharmaceutical, and other organizations tied to Korean peninsula policy, nuclear issues, and shifting Pyongyang priorities such as COVID-19. APT43 frequently uses tailored spear-phishing, spoofed domains and email addresses, fraudulent personas, and credential-harvesting infrastructure to collect strategic intelligence. The excerpt also notes collaboration with other North Korean operators and malware differences in some campaigns, including VENOMBITE, SWEETDROP, and BITTERSWEET in South Korea-focused COVID-19 activity.