Threat Assessment: North Korean Threat Groups
2024-09-09 • Palo Alto Networks •
https://unit42.paloaltonetworks.com/threat-assessment-north-korean-threat-groups-2024/
Unit 42 maps North Korean cyber activity to clusters linked to the Reconnaissance General Bureau (RGB) rather than collapsing all public reporting under a single Lazarus label. The assessment separates Alluring Pisces, Gleaming Pisces, Jumpy Pisces, Selective Pisces, Slow Pisces, and Sparkling Pisces, covering missions that include espionage, financial theft, destructive attacks, cryptocurrency targeting, and ransomware activity. It also reviews recently active DPRK malware across Windows, macOS, and Linux, including RustBucket as an Alluring Pisces macOS backdoor, and frames the material around defenses and MITRE ATT&CK evaluation coverage.
Indicators of Compromise
| Type | Value | First Seen | Last Seen |
|---|---|---|---|
| HASH | 081804b491c70bfa63ecdbe9fd4618d… | 2024-09-09 | 2026-04-03 |
| HASH | 689cfaa9319f3f7529a31472ecf6b2e… | 2024-09-09 | 2025-12-31 |
| HASH | 2360a69e5fd7217e977123c81d3dbb6… | 2023-11-01 | 2025-12-31 |
| HASH | 973f7939ea03fd2c9663dafc21bb968… | 2024-02-29 | 2025-09-01 |
| DOMAIN | jdkgradle.com | 2024-02-29 | 2025-09-01 |
| HASH | 5e40d106977017b1ed235419b1e59ff… | 2021-02-18 | 2025-09-01 |
| HASH | 63fb47c3b4693409ebadf8a5179141a… | 2024-02-21 | 2025-02-16 |
| HASH | d8565d58ad8e4f5558b5cd70df0ad12… | 2024-09-09 | 2024-12-27 |
| HASH | 3c8dbfcbb4fccbaf924f9a650a04cb4… | 2024-09-09 | 2024-12-27 |
| HASH | cbf4cfa2d3c3fb04fe349161e051a8c… | 2024-09-09 | 2024-12-27 |
| HASH | 0b5db31e47b0dccfdec46e74c0e70c6… | 2024-09-09 | 2024-12-27 |
| HASH | 3ea2ead8f3cec030906dcbffe3efd5c… | 2024-09-09 | 2024-12-27 |
| HASH | c83c7b000a955f2b8cb92bb112ed606… | 2024-09-09 | 2024-12-27 |
| HASH | a03d13c9825e150810e6e6aaf053d71… | 2024-09-09 | 2024-12-27 |
| HASH | 99dbc6fe3c3e465052fcefa16428617… | 2024-09-09 | 2024-12-27 |
| HASH | 7667d1b8fcc4f712084e3e3f8b4ab50… | 2024-09-09 | 2024-12-27 |
| HASH | 15d53bb839e00405a34a8b690ec181f… | 2024-09-09 | 2024-12-27 |
| HASH | 5c907b722c53a5be256dc5f96b755bc… | 2024-09-09 | 2024-12-27 |
| HASH | c6a48365c3db9761bd60981bdcdd87a… | 2024-09-09 | 2024-12-27 |
| HASH | bfd74b4a1b413fa785a49ca4a9c0594… | 2024-09-09 | 2024-12-27 |
| HASH | f1713afaf5958bdf3e975ebbab8245a… | 2024-09-09 | 2024-12-27 |
| HASH | 2546d239a262c24a6f8ea01d890cbc4… | 2024-09-09 | 2024-12-27 |
| HASH | bce1eb513aaac344b5b8f7a9ba9c9e3… | 2024-09-09 | 2024-12-27 |
| HASH | f3b0da965a4050ab00fce727bb31e0f… | 2024-09-09 | 2024-12-27 |
| HASH | 479038eb12ed07893ee0dcc04fbdcf1… | 2024-09-09 | 2024-12-27 |
| HASH | 927b3564c1cf884d2a05e1d7bd24362… | 2024-09-09 | 2024-12-27 |
| HASH | c7f4aa77be7f7afe9d0665d3e705dbf… | 2023-12-15 | 2024-12-27 |
| HASH | c9a7b42c7b29ca948160f95f017e9e9… | 2023-12-15 | 2024-12-27 |
| HASH | 8bfa4fe0534c0062393b6a2597c3491… | 2023-11-13 | 2024-12-27 |
| HASH | db6a9934570fa98a93a979e7e0e218e… | 2023-08-24 | 2024-12-27 |
| HASH | 6c121f2b2efa6592c2c22b29218157e… | 2023-06-29 | 2024-12-27 |
| HASH | 492a643bd1efdaca4ca125ade1b606e… | 2023-04-20 | 2024-12-27 |
| HASH | a64fa9f1c76457ecc58402142a8728c… | 2023-03-30 | 2024-12-27 |
| HASH | 5009c7d1590c1f8c05827122172583d… | 2023-03-30 | 2024-12-27 |
| HASH | fee4f9dabc094df24d83ec1a8c4e4ff… | 2023-03-30 | 2024-12-27 |
| HASH | 87c5d0c93b80acf61d24e7aaf0faae2… | 2023-03-30 | 2024-12-27 |
| HASH | e6bbc33815b9f20b0cf832d7401dd89… | 2023-03-29 | 2024-12-27 |
| HASH | 91eaf215be336eae983d069de16630c… | 2021-02-18 | 2024-12-27 |
| DOMAIN | rgedist.com | 2023-04-24 | 2024-09-18 |
| DOMAIN | rebelthumb.net | 2022-12-01 | 2024-09-18 |
| IPv4 | 23.254.226.90 | 2023-11-01 | 2024-09-09 |
| DOMAIN | rentedpushy.com | 2023-07-24 | 2024-09-09 |
| DOMAIN | contortonset.com | 2023-07-24 | 2024-09-09 |
| DOMAIN | prontoposer.com | 2023-07-24 | 2024-09-09 |
| DOMAIN | basketsalute.com | 2023-07-24 | 2024-09-09 |
| DOMAIN | relysudden.com | 2023-07-24 | 2024-09-09 |
| IPv4 | 146.19.173.125 | 2023-07-24 | 2024-09-09 |
| IPv4 | 198.244.135.250 | 2023-07-24 | 2024-09-09 |
| IPv4 | 23.227.202.54 | 2023-07-24 | 2024-09-09 |
| IPv4 | 38.132.124.88 | 2023-07-24 | 2024-09-09 |
| IPv4 | 88.119.174.148 | 2023-07-24 | 2024-09-09 |
| DOMAIN | primerosauxiliosperu.com | 2023-07-12 | 2024-09-09 |
| DOMAIN | visualstudiofactory.com | 2023-03-29 | 2024-09-09 |
| DOMAIN | akamaitechcloudservices.com | 2023-03-29 | 2024-09-09 |
| DOMAIN | msedgepackageinfo.com | 2023-03-29 | 2024-09-09 |
| DOMAIN | msstorageazure.com | 2023-03-29 | 2024-09-09 |
| DOMAIN | azureonlinestorage.com | 2023-03-29 | 2024-09-09 |
| DOMAIN | zacharryblogs.com | 2023-03-29 | 2024-09-09 |
| DOMAIN | officestoragebox.com | 2023-03-29 | 2024-09-09 |
| DOMAIN | pbxphonenetwork.com | 2023-03-29 | 2024-09-09 |
| DOMAIN | sourceslabs.com | 2023-03-29 | 2024-09-09 |
| DOMAIN | officeaddons.com | 2023-03-29 | 2024-09-09 |
| DOMAIN | glcloudservice.com | 2023-03-29 | 2024-09-09 |
| DOMAIN | pbxcloudeservices.com | 2023-03-29 | 2024-09-09 |
| DOMAIN | azuredeploystore.com | 2023-03-29 | 2024-09-09 |
| DOMAIN | pbxsources.com | 2023-03-29 | 2024-09-09 |
| DOMAIN | msstorageboxes.com | 2023-03-29 | 2024-09-09 |
| DOMAIN | levelframeblog.com | 2021-02-18 | 2024-09-09 |
| DOMAIN | globalkeystroke.com | 2021-02-18 | 2024-09-09 |
| DOMAIN | airbseeker.com | 2021-02-18 | 2024-09-09 |
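The table above is only useful once it is turned into detection logic, and it carries a caveat that is easy to miss: every HASH value is truncated (it ends in "…"), so a hash can at best be prefix-matched here and must be confirmed against the full value in the Unit 42 report before anyone acts on it. The following is an added example, not code from Unit 42 or Palo Alto Networks. It parses a subset of the rows copied from this table, matches domains (exact or subdomain, on label boundaries), IPv4 addresses and hash prefixes against constructed log lines, and labels hash hits as prefix-only. The log format (`key=value` fields named `qname`, `dst_ip`, `sha256`) and the log lines themselves are constructed for the example; the page does not state which hash algorithm the HASH rows use, and the full hash in the EDR sample line is made up so that only its prefix is real.

```python
"""Operationalise the IOC table: parse rows, scan constructed logs, flag prefix-only hash hits.

Added example; not Unit 42 code. Log lines and field names are constructed.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# A subset of rows copied verbatim from the IOC table on this page.
IOC_TABLE = """
| HASH | 081804b491c70bfa63ecdbe9fd4618d… | 2024-09-09 | 2026-04-03 |
| DOMAIN | jdkgradle.com | 2024-02-29 | 2025-09-01 |
| DOMAIN | rgedist.com | 2023-04-24 | 2024-09-18 |
| IPv4 | 23.254.226.90 | 2023-11-01 | 2024-09-09 |
| DOMAIN | msstorageazure.com | 2023-03-29 | 2024-09-09 |
"""

# Only the Type and Value cells are needed for matching; First/Last Seen are ignored.
ROW_RE = re.compile(r"^\|\s*(HASH|DOMAIN|IPv4)\s*\|\s*([^|]+?)\s*\|")
KV_RE = re.compile(r"(\w+)=(\S+)")  # constructed key=value log format


@dataclass(frozen=True)
class Ioc:
    kind: str        # "HASH", "DOMAIN" or "IPv4"
    value: str       # normalised: lower-case, trailing "…" removed
    truncated: bool  # True when the page only shows a prefix of the hash


def parse_ioc_table(text: str) -> list[Ioc]:
    """Parse markdown IOC rows; header and separator rows are skipped by the regex."""
    iocs = []
    for line in text.splitlines():
        m = ROW_RE.match(line)
        if not m:
            continue
        kind, raw = m.group(1), m.group(2).strip()
        truncated = raw.endswith("…")
        iocs.append(Ioc(kind, raw.rstrip("…").lower(), truncated))
    return iocs


def domain_matches(ioc_domain: str, observed: str) -> bool:
    """Exact or subdomain match on a label boundary, so notrgedist.com does not hit rgedist.com."""
    observed = observed.lower().rstrip(".")
    return observed == ioc_domain or observed.endswith("." + ioc_domain)


# Constructed sample logs. The sha256 tail of zeros is invented: only the first
# 31 hex characters come from the table, which is exactly why the hit is prefix-only.
SAMPLE_LOGS = [
    "2024-09-10T08:14:02Z dns client=10.0.0.23 qname=cdn.rgedist.com qtype=A",
    "2024-09-10T08:14:05Z proxy client=10.0.0.23 dst_ip=23.254.226.90 dst_port=443",
    "2024-09-10T08:15:11Z edr host=ws23 sha256=" + "081804b491c70bfa63ecdbe9fd4618d" + "0" * 33,
    "2024-09-10T08:16:40Z dns client=10.0.0.41 qname=msstorageazure.com.lookalike.example qtype=A",
    "2024-09-10T08:17:00Z dns client=10.0.0.41 qname=notrgedist.com qtype=A",
]


def scan(log_lines: list[str], iocs: list[Ioc]) -> list[dict]:
    """Return one hit per (line, IOC) pair with a confidence label."""
    hits = []
    for line in log_lines:
        fields = dict(KV_RE.findall(line))
        for ioc in iocs:
            confidence = None
            if ioc.kind == "DOMAIN" and "qname" in fields:
                if domain_matches(ioc.value, fields["qname"]):
                    confidence = "exact"
            elif ioc.kind == "IPv4" and fields.get("dst_ip") == ioc.value:
                confidence = "exact"
            elif ioc.kind == "HASH" and "sha256" in fields:
                observed = fields["sha256"].lower()
                if ioc.truncated and observed.startswith(ioc.value):
                    confidence = "prefix-only"  # confirm against the full hash in the report
                elif not ioc.truncated and observed == ioc.value:
                    confidence = "exact"
            if confidence:
                hits.append({"line": line, "kind": ioc.kind, "value": ioc.value,
                             "confidence": confidence})
    return hits


if __name__ == "__main__":
    for hit in scan(SAMPLE_LOGS, parse_ioc_table(IOC_TABLE)):
        print(f'{hit["confidence"]:12} {hit["kind"]:7} {hit["value"]}  <- {hit["line"]}')
```

Two design choices matter for a real deployment. Domain matching must be anchored on a label boundary; a plain substring test would fire on `notrgedist.com` and miss nothing, but would also produce noise and let an attacker-controlled lookalike such as `msstorageazure.com.lookalike.example` escape or collide depending on direction. And a prefix-only hash hit should never be auto-blocked: it is a lead to pull the full hash from the source URL, not a verdict.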