To the past and beyond: Andariel’s latest arsenal and cyberattacks
2026-01-22 • WithSecure
Attachments
WithSecure_Andariel_2025.pdf (4 MB)
WithSecure attributed a breach of a European public/legal-sector customer to Andariel with high confidence, citing TigerRAT use, command-execution patterns, infrastructure links, and overlaps with prior Andariel activity. The intrusion appeared focused on espionage, including access to anti-money-laundering documents on the victim host, a sensitive area given DPRK sanctions-evasion activity. The investigation also connected Andariel to attacks against Enterprise Resource Planning software in South Korea during 2025, after earlier targeting of the same software in 2017 and likely 2024. A staging server exposed artifacts from both operations, including the newly documented StarshellRAT, JelusRAT, and GopherRAT, as well as PrintSpoofer, PetitPotato, and BYOVD techniques used to disable security tooling.