Threat Actor Profile
High APT
Description

Andariel is a North Korean state-sponsored threat group that has been active since at least 2009. Andariel has primarily focused its operations--which have included destructive attacks--against South Korean government agencies, military organizations, and a variety of domestic companies; they have also conducted cyber financial operations against ATMs, banks, and cryptocurrency exchanges. Andariel's notable activity includes Operation Black Mine, Operation GoldenAxe, and Campaign Rifle.[1][2][3][4][5] Andariel is considered a sub-set of Lazarus Group, and has been attributed to North Korea's Reconnaissance General Bureau.[6] North Korean group definitions are known to have significant overlap, and some security researchers report all North Korean state-sponsored cyber activity under the name Lazarus Group instead of tracking clusters or subgroups.

Confidence Score
100%
Tags
mitre-attack crawled web-source mitre-group
First Seen

Unknown

Last Updated

April 29, 2026

Active Status
Active
Created

April 29, 2026

MITRE ATT&CK Techniques (12)
T1005 - Data from Local System
Collection
T1105 - Ingress Tool Transfer
Command and Control
T1027 - Obfuscated Files or Information
Defense Evasion
T1049 - System Network Connections Discovery
Discovery
T1057 - Process Discovery
Discovery
T1203 - Exploitation for Client Execution
Execution
T1204 - User Execution
Execution
T1189 - Drive-by Compromise
Initial Access
T1566 - Phishing
Initial Access
T1590 - Gather Victim Network Information
Reconnaissance
T1592 - Gather Victim Host Information
Reconnaissance
T1588 - Obtain Capabilities
Resource Development
Indicators of Compromise
IOC KQL for Sentinel
STIX Data
{'aliases': [],
 'description': 'Andarielis a North Korean state-sponsored threat group that '
                'has been active since at least 2009.Andarielhas primarily '
                'focused its operations--which have included destructive '
                'attacks--against South Korean government agencies, military '
                'organizations, and a variety of domestic companies; they have '
                'also conducted cyber financial operations against ATMs, '
                "banks, and cryptocurrency exchanges.Andariel's notable "
                'activity includes Operation Black Mine, Operation GoldenAxe, '
                'and Campaign Rifle.[1][2][3][4][5] Andarielis considered a '
                'sub-set ofLazarus Group, and has been attributed to North '
                "Korea's Reconnaissance General Bureau.[6] North Korean group "
                'definitions are known to have significant overlap, and some '
                'security researchers report all North Korean state-sponsored '
                'cyber activity under the nameLazarus Groupinstead of tracking '
                'clusters or subgroups.',
 'external_references': [{'external_id': 'G0138',
                          'source_name': 'mitre-attack',
                          'url': 'https://attack.mitre.org/groups/G0138/'}],
 'id': 'threat-actor--G0138',
 'metadata': {'crawled_at': '2026-04-29T14:32:24.341615+00:00',
              'mitre_group_id': 'G0138',
              'page_title': 'Andariel, Silent Chollima, PLUTONIUM, Onyx Sleet, '
                            'Group G0138 | MITRE ATT&CK®'},
 'name': 'Andariel',
 'type': 'threat-actor'}