RID Hijacking Technique Utilized by Andariel Attack Group

2025-01-24 AhnLab

https://asec.ahnlab.com/en/85942/


AhnLab reports that Andariel used malicious files and a CreateHiddenAccount-style tool to perform RID hijacking during Windows intrusions. The technique modifies SAM registry values so that a low-privilege or newly created hidden account is treated as having the RID of an administrator account, giving the attacker privilege escalation and stealthy persistence under an account that does not look privileged. Because the SAM hive is only writable by SYSTEM, the observed chain began with SYSTEM-level execution through tools such as PsExec. It then continued with creation of an account whose name ends in a dollar sign (which hides it from some listings), membership in the Remote Desktop Users and Administrators groups, export and re-import of the modified registry key, and behavior hardcoded for the victim environment.

Related Actors

First seen: Jul 2017
Last seen: May 2026
