Threat Actor Profile
High APT
Description

Higaisa is a threat group suspected to have South Korean origins. Higaisa has targeted government, public, and trade organizations in North Korea; however, they have also carried out attacks in China, Japan, Russia, Poland, and other nations. Higaisa was first disclosed in early 2019 but is assessed to have operated as early as 2009.(Citation: Malwarebytes Higaisa 2020)(Citation: Zscaler Higaisa 2020)(Citation: PTSecurity Higaisa 2020)

Confidence Score
90%
Known Aliases
Higaisa
Tags
mitre-attack stix-2.1 intrusion-set
First Seen

Unknown

Last Updated

Unknown

Active Status
Active
Created

April 29, 2026

MITRE ATT&CK Techniques (28)
Command and Control
T1001.003 - Protocol or Service Impersonation
T1071.001 - Web Protocols
T1090.001 - Internal Proxy
T1573.001 - Symmetric Cryptography
Defense Evasion
T1027.001 - Binary Padding
T1027.013 - Encrypted/Encoded File
T1027.015 - Compression
T1036.004 - Masquerade Task or Service
T1140 - Deobfuscate/Decode Files or Information
T1220 - XSL Script Processing
T1564.003 - Hidden Window
Discovery
T1016 - System Network Configuration Discovery
T1057 - Process Discovery
T1082 - System Information Discovery
T1124 - System Time Discovery
T1680 - Local Storage Discovery
Execution
T1053.005 - Scheduled Task
T1059.003 - Windows Command Shell
T1059.005 - Visual Basic
T1059.007 - JavaScript
T1106 - Native API
T1203 - Exploitation for Client Execution
T1204.002 - Malicious File
Exfiltration
T1029 - Scheduled Transfer
T1041 - Exfiltration Over C2 Channel
Initial Access
T1566.001 - Spearphishing Attachment
Persistence
T1547.001 - Registry Run Keys / Startup Folder
T1574.001 - DLL
Indicators of Compromise

STIX Data
{
  "aliases": ["Higaisa"],
  "created": "2021-03-05T18:54:56.267Z",
  "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
  "description": "[Higaisa](https://attack.mitre.org/groups/G0126) is a threat group suspected to have South Korean origins. [Higaisa](https://attack.mitre.org/groups/G0126) has targeted government, public, and trade organizations in North Korea; however, they have also carried out attacks in China, Japan, Russia, Poland, and other nations. [Higaisa](https://attack.mitre.org/groups/G0126) was first disclosed in early 2019 but is assessed to have operated as early as 2009.(Citation: Malwarebytes Higaisa 2020)(Citation: Zscaler Higaisa 2020)(Citation: PTSecurity Higaisa 2020)",
  "external_references": [
    {
      "external_id": "G0126",
      "source_name": "mitre-attack",
      "url": "https://attack.mitre.org/groups/G0126"
    },
    {
      "description": "Malwarebytes Threat Intelligence Team. (2020, June 4). New LNK attack tied to Higaisa APT discovered. Retrieved March 2, 2021.",
      "source_name": "Malwarebytes Higaisa 2020",
      "url": "https://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/"
    },
    {
      "description": "PT ESC Threat Intelligence. (2020, June 4). COVID-19 and New Year greetings: an investigation into the tools and methods used by the Higaisa group. Retrieved March 2, 2021.",
      "source_name": "PTSecurity Higaisa 2020",
      "url": "https://www.ptsecurity.com/ww-en/analytics/pt-esc-threat-intelligence/covid-19-and-new-year-greetings-the-higaisa-group/"
    },
    {
      "description": "Singh, S. Singh, A. (2020, June 11). The Return on the Higaisa APT. Retrieved March 2, 2021.",
      "source_name": "Zscaler Higaisa 2020",
      "url": "https://www.zscaler.com/blogs/security-research/return-higaisa-apt"
    }
  ],
  "id": "intrusion-set--54dfec3e-6464-4f74-9d69-b7c817b7e5a3",
  "modified": "2025-10-22T02:54:00.893Z",
  "name": "Higaisa",
  "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],
  "revoked": false,
  "spec_version": "2.1",
  "type": "intrusion-set",
  "x_mitre_attack_spec_version": "3.3.0",
  "x_mitre_contributors": ["Daniyal Naeem, BT Security"],
  "x_mitre_deprecated": false,
  "x_mitre_domains": ["enterprise-attack"],
  "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
  "x_mitre_version": "1.2"
}
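As an added example (not code from this profile site or from MITRE), the Python below turns the technique list and the STIX intrusion-set object above into an ATT&CK Navigator layer, so the 28 techniques attributed to the group can be overlaid on a detection-coverage map, and also reports the per-tactic counts and the parent techniques a hunt team would start from. The technique/tactic pairs and the STIX fields are copied from this page; the Navigator layer version strings, the highlight colour and the `HIGAISA_TECHNIQUES` / `build_layer` names are this example's own assumptions.

```python
"""Build an ATT&CK Navigator layer from the Higaisa (G0126) profile.

Added example: technique/tactic pairs and STIX fields are copied from the
profile page; layer version strings and colour are assumptions.
"""
import json
import re
from collections import Counter

# Constructed from the profile above: the 28 technique / tactic pairs.
HIGAISA_TECHNIQUES = """\
T1001.003 | Command and Control
T1071.001 | Command and Control
T1090.001 | Command and Control
T1573.001 | Command and Control
T1027.001 | Defense Evasion
T1027.013 | Defense Evasion
T1027.015 | Defense Evasion
T1036.004 | Defense Evasion
T1140 | Defense Evasion
T1220 | Defense Evasion
T1564.003 | Defense Evasion
T1016 | Discovery
T1057 | Discovery
T1082 | Discovery
T1124 | Discovery
T1680 | Discovery
T1053.005 | Execution
T1059.003 | Execution
T1059.005 | Execution
T1059.007 | Execution
T1106 | Execution
T1203 | Execution
T1204.002 | Execution
T1029 | Exfiltration
T1041 | Exfiltration
T1566.001 | Initial Access
T1547.001 | Persistence
T1574.001 | Persistence
"""

# Subset of the STIX 2.1 intrusion-set object shown on the page.
HIGAISA_STIX = {
    "type": "intrusion-set",
    "id": "intrusion-set--54dfec3e-6464-4f74-9d69-b7c817b7e5a3",
    "name": "Higaisa",
    "aliases": ["Higaisa"],
    "external_references": [
        {"source_name": "mitre-attack", "external_id": "G0126",
         "url": "https://attack.mitre.org/groups/G0126"},
    ],
}

TECH_ID = re.compile(r"^T\d{4}(?:\.\d{3})?$")  # T1234 or T1234.001


def is_technique_id(value):
    return bool(TECH_ID.match(value))


def parse_techniques(text):
    """Return [(technique_id, navigator_tactic)]; rejects malformed IDs."""
    pairs = []
    for line in text.splitlines():
        if not line.strip():
            continue
        tid, tactic = (part.strip() for part in line.split("|", 1))
        if not is_technique_id(tid):
            raise ValueError(f"not an ATT&CK technique ID: {tid!r}")
        # Navigator expects tactic short names, e.g. "command-and-control".
        pairs.append((tid, tactic.lower().replace(" ", "-")))
    return pairs


def attack_group_id(stix_obj):
    """Pull the G-number from the mitre-attack external reference."""
    for ref in stix_obj.get("external_references", []):
        if ref.get("source_name") == "mitre-attack":
            return ref["external_id"]
    raise KeyError("no mitre-attack external reference on object")


def build_layer(stix_obj, pairs):
    """Navigator layer dict; version strings are assumed, not from the page."""
    gid = attack_group_id(stix_obj)
    return {
        "name": f"{stix_obj['name']} ({gid})",
        "versions": {"layer": "4.5", "navigator": "4.9.1"},
        "domain": "enterprise-attack",
        "description": f"Techniques attributed to {stix_obj['name']} "
                       f"({stix_obj['id']})",
        "techniques": [
            {"techniqueID": tid, "tactic": tactic, "score": 1, "color": "#fd8d3c"}
            for tid, tactic in pairs
        ],
        "gradient": {"colors": ["#ffffff", "#fd8d3c"], "minValue": 0, "maxValue": 1},
    }


def tactic_counts(pairs):
    return dict(Counter(tactic for _, tactic in pairs))


def parent_ids(pairs):
    """Parent techniques (T1027 for T1027.001): coarser hunt starting points."""
    return sorted({tid.split(".")[0] for tid, _ in pairs})


if __name__ == "__main__":
    techniques = parse_techniques(HIGAISA_TECHNIQUES)
    print(json.dumps(build_layer(HIGAISA_STIX, techniques), indent=2))
    print(tactic_counts(techniques), parent_ids(techniques))
```

Save the printed JSON and open it with Navigator's "Open Existing Layer" to see the 28 cells highlighted; the `tactic` field matters because sub-techniques such as T1027.001 appear under only one tactic column, and the page lists each pair once, so no technique needs two entries.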