Dark Web Profile: Andariel
2026-02-27 • SOCRadar
SOCRadar profiles Andariel as a North Korea-linked threat group operating under the Reconnaissance General Bureau and widely assessed as a Lazarus sub-cluster. The group targets defense, aerospace, nuclear engineering, healthcare, financial, software, and critical infrastructure organizations across South Korea, the United States, Japan, Europe, and parts of Asia. Its intrusion lifecycle combines exploitation of internet-facing systems (via Log4Shell and vulnerabilities in Apache Tomcat and SharePoint) with spear-phishing, credential dumping, living-off-the-land tools, lateral movement over RDP, SSH, and SMB, and exfiltration through cloud storage or tunneling. Malware and tooling discussed include Maui ransomware, DTrack, TigerRAT, EarlyRat, Atharvan, Dora RAT, DurianBeacon, NukeSped-lineage malware, Mimikatz, ProcDump, 3Proxy, PLINK, and Stunnel. The report highlights Andariel's dual role in strategic espionage and revenue generation through ransomware and cryptocurrency theft.