NICKEL HYATT
2023-05-28 • Secure Works
Sophos profiles NICKEL HYATT as a North Korea-linked subgroup of NICKEL ACADEMY active since at least 2009, associated with aliases such as Andariel, APT45, Onyx Sleet, Stonefly, Jumpy Pisces, and Silent Chollima. The group has targeted financial institutions, defense contractors, government agencies, academic think tanks, cybersecurity vendors, and refugee-support organizations across South Korea, Japan, the United States, India, and other regions. Its activity spans espionage, destructive attacks, and financial crime. The profile cites publicly available RATs and custom malware including Rifle/Rifdoor, Valefor, UnitBot, and DTrack, with DTrack observed against an Indian nuclear power facility and a life sciences organization during COVID-19-era collection.