Full Discloser of Andariel, A Subgroup of Lazarus Threat Group

2018-10-12 Ahnlab

https://global.ahnlab.com/global/upload/download/techreport/[AhnLab]Andariel_a_Subgroup_of_Lazarus%20(3).pdf

Attachments

AhnLabAndariel_a_Subgroup_of_Lazarus203.pdf (2 MB)

AhnLab profiles Andariel as a Lazarus subgroup active since at least 2015, with historical links to Operation Black Mine, DarkSeoul-era activity, and earlier attacks affecting South Korean military, banking, and broadcaster targets. The report says Andariel targets military agencies, defense companies, political organizations, security firms, ICT and energy research organizations, and financial targets including ATMs, banks, travel agencies, cryptocurrency exchanges, and online gambling users. Its infection routes include macro-based spear phishing, watering-hole attacks using ActiveX vulnerabilities, exploitation of central management and IT asset-management systems, and supply-chain attacks. The tooling set includes known backdoors such as Aryan and Gh0st RAT as well as self-developed backdoors including Andarat, Andaratm, Rifdoor, and Phandoor, making the activity relevant to defenders monitoring Korean IT environments and financial-sector intrusion paths.

Indicators of Compromise

Type     Value                 First Seen   Last Seen
DOMAIN   blog.skinfosec.com    2018-10-12   2018-10-12

Related Actors

First seen: Jul 2017
Last seen: May 2026
