Response to CISA Advisory (AA24-207A)
2024-07-26 • AttackIQ
https://www.attackiq.com/2024/07/26/response-to-cisa-advisory-aa24-207a/
Andariel, also tracked as Onyx Sleet, DarkSeoul, Silent Chollima, and Stonefly/Clasiopa, is described in AttackIQ's response to CISA advisory AA24-207A as a North Korean actor subordinate to the RGB 3rd Bureau that targets defense, aerospace, nuclear, engineering, government, and military organizations for intelligence collection. According to the advisory, the group gains initial access by exploiting known web-server vulnerabilities such as Log4j and by phishing with ZIP attachments that carry LNK or HTA files. After compromise it creates Scheduled Tasks for persistence, dumps credentials with Mimikatz, performs system and account discovery, moves laterally over RDP, and relies on custom malware, RATs, and open-source tooling for execution, lateral movement, and exfiltration. AttackIQ maps these observed behaviors to assessment scenarios so defenders can validate their controls against the advisory's TTPs.
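The behaviors listed above (LNK/HTA payloads inside ZIP attachments, Scheduled Task persistence, Mimikatz, RDP lateral movement) are the kind of thing an assessment scenario exercises and a detection rule should catch. The script below is an added example, not code from AttackIQ or from the advisory: it inspects a constructed ZIP for scripted-payload members without extracting anything, and runs simple triage logic over constructed Windows Security event records (4624 logon type 10 for RDP, 4698 task creation, 4688 process creation). The user-writable path list and the Mimikatz module tokens are assumptions chosen for the example, not indicators published in the advisory.

```python
"""Triage helpers for the Andariel behaviors summarized above.

Added example, not part of the AttackIQ page or CISA AA24-207A. The ZIP
archive and the event records are constructed inline so it runs offline.
"""
import io
import re
import zipfile

# Payload types the advisory summary names for phishing attachments.
SUSPICIOUS_ATTACHMENT_EXTS = (".lnk", ".hta")

# Assumption: locations an unprivileged user can write to; a persistence
# task pointing here is far more suspicious than one under System32.
USER_WRITABLE = re.compile(
    r"c:\\(users\\public|windows\\temp|programdata|users\\[^\\]+\\appdata)", re.I
)

# Assumption: Mimikatz module prefixes as they appear on a command line.
MIMIKATZ_TOKENS = ("sekurlsa::", "lsadump::", "privilege::debug")


def suspicious_zip_members(zip_bytes: bytes) -> list:
    """Return member names ending in a scripted-payload extension.

    Reads only the central directory, so nothing is written to disk.
    A double extension such as 'report.pdf.lnk' still ends in '.lnk'.
    """
    hits = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            if info.filename.lower().endswith(SUSPICIOUS_ATTACHMENT_EXTS):
                hits.append(info.filename)
    return hits


def build_sample_zip() -> bytes:
    """Constructed sample archive: a benign PDF beside an LNK and an HTA."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("invoice.pdf", b"%PDF-1.4 sample")
        zf.writestr("Scan_2024.pdf.lnk", b"L\x00\x00\x00")  # LNK header magic only
        zf.writestr("readme.hta", b"<script>new ActiveXObject('WScript.Shell')</script>")
    return buf.getvalue()


# Constructed Windows Security events, reduced to the fields the rules use.
# 4688 CommandLine requires the "Include command line in process creation
# events" audit setting to be populated on real hosts.
SAMPLE_EVENTS = [
    {"EventID": 4624, "LogonType": 10, "IpAddress": "10.0.5.23",
     "TargetUserName": "svc_backup"},
    {"EventID": 4624, "LogonType": 2, "IpAddress": "-", "TargetUserName": "jdoe"},
    {"EventID": 4698, "TaskName": r"\Microsoft\Windows\Update\Check",
     "TaskContent": r"<Command>C:\Users\Public\svchost.exe</Command>"},
    {"EventID": 4688, "NewProcessName": r"C:\Windows\Temp\m.exe",
     "CommandLine": "m.exe privilege::debug sekurlsa::logonpasswords"},
    {"EventID": 4688, "NewProcessName": r"C:\Windows\System32\notepad.exe",
     "CommandLine": "notepad.exe"},
]


def triage_events(events: list) -> list:
    """Return (index, reason) for records matching the advisory's TTPs."""
    findings = []
    for i, ev in enumerate(events):
        eid = ev.get("EventID")
        if eid == 4624 and ev.get("LogonType") == 10:
            # Logon type 10 is RemoteInteractive, i.e. RDP; correlate the
            # source address against expected admin hosts in production.
            findings.append((i, "RDP logon for %s from %s"
                             % (ev["TargetUserName"], ev["IpAddress"])))
        elif eid == 4698 and USER_WRITABLE.search(ev.get("TaskContent", "")):
            findings.append((i, "scheduled task %s runs a binary from a "
                             "user-writable path" % ev["TaskName"]))
        elif eid == 4688:
            cmd = ev.get("CommandLine", "").lower()
            if any(tok in cmd for tok in MIMIKATZ_TOKENS):
                findings.append((i, "Mimikatz module on command line"))
    return findings


if __name__ == "__main__":
    print("ZIP hits:", suspicious_zip_members(build_sample_zip()))
    for idx, reason in triage_events(SAMPLE_EVENTS):
        print("event %d: %s" % (idx, reason))
```

Both functions are deliberately narrow: the ZIP check only looks at names, so a renamed attachment or a nested archive would slip past, and the event rules key on a handful of fields, so in practice they belong behind a SIEM query with allow-lists for known admin jump hosts and scheduled-task deployment tooling.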