Threat Actor Profile
High APT
Description

Darkhotel is a suspected South Korean threat group that has targeted victims primarily in East Asia since at least 2004. The group's name is based on cyber espionage operations conducted via hotel Internet networks against traveling executives and other select guests. Darkhotel has also conducted spearphishing campaigns and infected victims through peer-to-peer and file sharing networks.(Citation: Kaspersky Darkhotel)(Citation: Securelist Darkhotel Aug 2015)(Citation: Microsoft Digital Defense FY20 Sept 2020)

Confidence Score
90%
Known Aliases
Darkhotel, DUBNIUM, Zigzag Hail
Tags
mitre-attack, stix-2.1, intrusion-set
First Seen

Unknown

Last Updated

Unknown

Active Status
Active
Created

April 29, 2026

MITRE ATT&CK Techniques (24)
T1056.001 - Keylogging (Collection)
T1105 - Ingress Tool Transfer (Command and Control)
T1573.001 - Symmetric Cryptography (Command and Control)
T1027.013 - Encrypted/Encoded File (Defense Evasion)
T1036.005 - Match Legitimate Resource Name or Locat… (Defense Evasion)
T1140 - Deobfuscate/Decode Files or Information (Defense Evasion)
T1497 - Virtualization/Sandbox Evasion (Defense Evasion)
T1497.001 - System Checks (Defense Evasion)
T1497.002 - User Activity Based Checks (Defense Evasion)
T1553.002 - Code Signing (Defense Evasion)
T1016 - System Network Configuration Discovery (Discovery)
T1057 - Process Discovery (Discovery)
T1082 - System Information Discovery (Discovery)
T1083 - File and Directory Discovery (Discovery)
T1124 - System Time Discovery (Discovery)
T1518.001 - Security Software Discovery (Discovery)
T1059.003 - Windows Command Shell (Execution)
T1203 - Exploitation for Client Execution (Execution)
T1204.002 - Malicious File (Execution)
T1189 - Drive-by Compromise (Initial Access)
T1566.001 - Spearphishing Attachment (Initial Access)
T1080 - Taint Shared Content (Lateral Movement)
T1091 - Replication Through Removable Media (Lateral Movement)
T1547.001 - Registry Run Keys / Startup Folder (Persistence)
STIX Data
{'aliases': ['Darkhotel', 'DUBNIUM', 'Zigzag Hail'],
 'created': '2017-05-31T21:31:50.624Z',
 'created_by_ref': 'identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5',
 'description': '[Darkhotel](https://attack.mitre.org/groups/G0012) is a '
                'suspected South Korean threat group that has targeted victims '
                "primarily in East Asia since at least 2004. The group's name "
                'is based on cyber espionage operations conducted via hotel '
                'Internet networks against traveling executives and other '
                'select guests. '
                '[Darkhotel](https://attack.mitre.org/groups/G0012) has also '
                'conducted spearphishing campaigns and infected victims '
                'through peer-to-peer and file sharing networks.(Citation: '
                'Kaspersky Darkhotel)(Citation: Securelist Darkhotel Aug '
                '2015)(Citation: Microsoft Digital Defense FY20 Sept 2020)',
 'external_references': [{'external_id': 'G0012',
                          'source_name': 'mitre-attack',
                          'url': 'https://attack.mitre.org/groups/G0012'},
                         {'description': '(Citation: Kaspersky Darkhotel)',
                          'source_name': 'Darkhotel'},
                         {'description': '(Citation: Microsoft Digital Defense '
                                         'FY20 Sept 2020)(Citation: Microsoft '
                                         'DUBNIUM June 2016)(Citation: '
                                         'Microsoft DUBNIUM Flash June '
                                         '2016)(Citation: Microsoft DUBNIUM '
                                         'July 2016)',
                          'source_name': 'DUBNIUM'},
                         {'description': '(Citation: Microsoft Threat Actor '
                                         'Naming July 2023)',
                          'source_name': 'Zigzag Hail'},
                         {'description': "Kaspersky Lab's Global Research & "
                                         'Analysis Team. (2015, August 10). '
                                         "Darkhotel's attacks in 2015. "
                                         'Retrieved November 2, 2018.',
                          'source_name': 'Securelist Darkhotel Aug 2015',
                          'url': 'https://securelist.com/darkhotels-attacks-in-2015/71713/'},
                         {'description': "Kaspersky Lab's Global Research and "
                                         'Analysis Team. (2014, November). The '
                                         'Darkhotel APT A Story of Unusual '
                                         'Hospitality. Retrieved November 12, '
                                         '2014.',
                          'source_name': 'Kaspersky Darkhotel',
                          'url': 'https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2018/03/08070903/darkhotel_kl_07.11.pdf'},
                         {'description': 'Microsoft . (2020, September 29). '
                                         'Microsoft Digital Defense Report '
                                         'FY20. Retrieved April 21, 2021.',
                          'source_name': 'Microsoft Digital Defense FY20 Sept '
                                         '2020',
                          'url': 'https://query.prod.cms.rt.microsoft.com/cms/api/am/binary/RWxPuf'},
                         {'description': 'Microsoft . (2023, July 12). How '
                                         'Microsoft names threat actors. '
                                         'Retrieved November 17, 2023.',
                          'source_name': 'Microsoft Threat Actor Naming July '
                                         '2023',
                          'url': 'https://learn.microsoft.com/en-us/microsoft-365/security/intelligence/microsoft-threat-actor-naming?view=o365-worldwide'},
                         {'description': 'Microsoft. (2016, July 14). Reverse '
                                         'engineering DUBNIUM – Stage 2 '
                                         'payload analysis . Retrieved March '
                                         '31, 2021.',
                          'source_name': 'Microsoft DUBNIUM July 2016',
                          'url': 'https://www.microsoft.com/security/blog/2016/07/14/reverse-engineering-dubnium-stage-2-payload-analysis/'},
                         {'description': 'Microsoft. (2016, June 20). '
                                         'Reverse-engineering DUBNIUM’s '
                                         'Flash-targeting exploit. Retrieved '
                                         'March 31, 2021.',
                          'source_name': 'Microsoft DUBNIUM Flash June 2016',
                          'url': 'https://www.microsoft.com/security/blog/2016/06/20/reverse-engineering-dubniums-flash-targeting-exploit/'},
                         {'description': 'Microsoft. (2016, June 9). '
                                         'Reverse-engineering DUBNIUM. '
                                         'Retrieved March 31, 2021.',
                          'source_name': 'Microsoft DUBNIUM June 2016',
                          'url': 'https://www.microsoft.com/security/blog/2016/06/09/reverse-engineering-dubnium-2/'}],
 'id': 'intrusion-set--9e729a7e-0dd6-4097-95bf-db8d64911383',
 'modified': '2024-01-08T20:27:56.707Z',
 'name': 'Darkhotel',
 'object_marking_refs': ['marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168'],
 'revoked': False,
 'spec_version': '2.1',
 'type': 'intrusion-set',
 'x_mitre_attack_spec_version': '3.2.0',
 'x_mitre_contributors': ['Harry Kim, CODEMIZE'],
 'x_mitre_deprecated': False,
 'x_mitre_domains': ['enterprise-attack'],
 'x_mitre_modified_by_ref': 'identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5',
 'x_mitre_version': '3.0'}