Threat Actor Profile
Description
APT38 is a North Korean state-sponsored threat group that specializes in financial cyber operations; it has been attributed to the Reconnaissance General Bureau.(Citation: CISA AA20-239A BeagleBoyz August 2020) Active since at least 2014, APT38 has targeted banks, financial institutions, casinos, cryptocurrency exchanges, SWIFT system endpoints, and ATMs in at least 38 countries worldwide. Significant operations include the 2016 Bank of Bangladesh heist, during which APT38 stole $81 million, as well as attacks against Bancomext (Citation: FireEye APT38 Oct 2018) and Banco de Chile (Citation: FireEye APT38 Oct 2018); some of their attacks have been destructive.(Citation: CISA AA20-239A BeagleBoyz August 2020)(Citation: FireEye APT38 Oct 2018)(Citation: DOJ North Korea Indictment Feb 2021)(Citation: Kaspersky Lazarus Under The Hood Blog 2017)

North Korean group definitions are known to have significant overlap, and some security researchers report all North Korean state-sponsored cyber activity under the name Lazarus Group instead of tracking clusters or subgroups.
Known Aliases
APT38, NICKEL GLADSTONE, BeagleBoyz, Bluenoroff, Stardust Chollima, Sapphire Sleet, COPERNICIUM
First Seen
Unknown
Last Updated
Unknown
Active Status
Active
Created
April 29, 2026
MITRE ATT&CK Techniques (56)
STIX Data
{
  "aliases": [
    "APT38",
    "NICKEL GLADSTONE",
    "BeagleBoyz",
    "Bluenoroff",
    "Stardust Chollima",
    "Sapphire Sleet",
    "COPERNICIUM"
  ],
  "created": "2019-01-29T21:27:24.793Z",
  "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
  "description": "[APT38](https://attack.mitre.org/groups/G0082) is a North Korean state-sponsored threat group that specializes in financial cyber operations; it has been attributed to the Reconnaissance General Bureau.(Citation: CISA AA20-239A BeagleBoyz August 2020) Active since at least 2014, [APT38](https://attack.mitre.org/groups/G0082) has targeted banks, financial institutions, casinos, cryptocurrency exchanges, SWIFT system endpoints, and ATMs in at least 38 countries worldwide. Significant operations include the 2016 Bank of Bangladesh heist, during which [APT38](https://attack.mitre.org/groups/G0082) stole $81 million, as well as attacks against Bancomext (Citation: FireEye APT38 Oct 2018) and Banco de Chile (Citation: FireEye APT38 Oct 2018); some of their attacks have been destructive.(Citation: CISA AA20-239A BeagleBoyz August 2020)(Citation: FireEye APT38 Oct 2018)(Citation: DOJ North Korea Indictment Feb 2021)(Citation: Kaspersky Lazarus Under The Hood Blog 2017)\n\nNorth Korean group definitions are known to have significant overlap, and some security researchers report all North Korean state-sponsored cyber activity under the name [Lazarus Group](https://attack.mitre.org/groups/G0032) instead of tracking clusters or subgroups.",
  "external_references": [
    {
      "external_id": "G0082",
      "source_name": "mitre-attack",
      "url": "https://attack.mitre.org/groups/G0082"
    },
    {
      "description": "(Citation: CISA AA20-239A BeagleBoyz August 2020)",
      "source_name": "BeagleBoyz"
    },
    {
      "description": "(Citation: CrowdStrike Stardust Chollima Profile April 2018)(Citation: CrowdStrike GTR 2021 June 2021)",
      "source_name": "Stardust Chollima"
    },
    {
      "description": "(Citation: FireEye APT38 Oct 2018)",
      "source_name": "APT38"
    },
    {
      "description": "(Citation: Kaspersky Lazarus Under The Hood Blog 2017)",
      "source_name": "Bluenoroff"
    },
    {
      "description": "(Citation: Microsoft Threat Actor Naming July 2023)",
      "source_name": "Sapphire Sleet"
    },
    {
      "description": "(Citation: Microsoft Threat Actor Naming July 2023)",
      "source_name": "COPERNICIUM"
    },
    {
      "description": "(Citation: SecureWorks NICKEL GLADSTONE profile Sept 2021)",
      "source_name": "NICKEL GLADSTONE"
    },
    {
      "description": "CrowdStrike. (2021, June 7). CrowdStrike 2021 Global Threat Report. Retrieved September 29, 2021.",
      "source_name": "CrowdStrike GTR 2021 June 2021",
      "url": "https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2021GTR.pdf"
    },
    {
      "description": "Department of Justice. (2021, February 17). Three North Korean Military Hackers Indicted in Wide-Ranging Scheme to Commit Cyberattacks and Financial Crimes Across the Globe. Retrieved June 9, 2021.",
      "source_name": "DOJ North Korea Indictment Feb 2021",
      "url": "https://www.justice.gov/opa/pr/three-north-korean-military-hackers-indicted-wide-ranging-scheme-commit-cyberattacks-and"
    },
    {
      "description": "DHS/CISA. (2020, August 26). FASTCash 2.0: North Korea's BeagleBoyz Robbing Banks. Retrieved September 29, 2021.",
      "source_name": "CISA AA20-239A BeagleBoyz August 2020",
      "url": "https://us-cert.cisa.gov/ncas/alerts/aa20-239a"
    },
    {
      "description": "FireEye. (2018, October 03). APT38: Un-usual Suspects. Retrieved November 17, 2024.",
      "source_name": "FireEye APT38 Oct 2018",
      "url": "https://www.mandiant.com/sites/default/files/2021-09/rpt-apt38-2018-web_v5-1.pdf"
    },
    {
      "description": "GReAT. (2017, April 3). Lazarus Under the Hood. Retrieved April 17, 2019.",
      "source_name": "Kaspersky Lazarus Under The Hood Blog 2017",
      "url": "https://securelist.com/lazarus-under-the-hood/77908/"
    },
    {
      "description": "Meyers, Adam. (2018, April 6). Meet CrowdStrike’s Adversary of the Month for April: STARDUST CHOLLIMA. Retrieved September 29, 2021.",
      "source_name": "CrowdStrike Stardust Chollima Profile April 2018",
      "url": "https://www.crowdstrike.com/blog/meet-crowdstrikes-adversary-of-the-month-for-april-stardust-chollima/"
    },
    {
      "description": "Microsoft . (2023, July 12). How Microsoft names threat actors. Retrieved November 17, 2023.",
      "source_name": "Microsoft Threat Actor Naming July 2023",
      "url": "https://learn.microsoft.com/en-us/microsoft-365/security/intelligence/microsoft-threat-actor-naming?view=o365-worldwide"
    },
    {
      "description": "SecureWorks. (2021, September 29). NICKEL GLADSTONE Threat Profile. Retrieved September 29, 2021.",
      "source_name": "SecureWorks NICKEL GLADSTONE profile Sept 2021",
      "url": "https://www.secureworks.com/research/threat-profiles/nickel-gladstone"
    }
  ],
  "id": "intrusion-set--00f67a77-86a4-4adf-be26-1a54fc713340",
  "modified": "2025-01-22T21:54:11.727Z",
  "name": "APT38",
  "object_marking_refs": [
    "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
  ],
  "revoked": false,
  "spec_version": "2.1",
  "type": "intrusion-set",
  "x_mitre_attack_spec_version": "3.2.0",
  "x_mitre_contributors": [
    "Hiroki Nagahama, NEC Corporation",
    "Manikantan Srinivasan, NEC Corporation India",
    "Pooja Natarajan, NEC Corporation India"
  ],
  "x_mitre_deprecated": false,
  "x_mitre_domains": [
    "enterprise-attack",
    "ics-attack"
  ],
  "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
  "x_mitre_version": "3.1"
}
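The practical use of a STIX intrusion-set like the one above is alias resolution: the description itself warns that vendor names for North Korean clusters overlap, so a pipeline that ingests reports from CrowdStrike, Microsoft, SecureWorks and Kaspersky needs to map "Sapphire Sleet", "Stardust Chollima" or "Bluenoroff" back to G0082 before it merges them, and needs to notice when one vendor name points at two ATT&CK groups. The following is an added example, not code from the page, from MITRE or from the portal that renders this profile. The STIX object embedded in it is an abbreviated copy of the page's data (external_references trimmed to three entries); the validation checks, the normalization rule and the function names are this example's own design, and the second intrusion-set built in the usage note is a constructed, hypothetical object used only to trigger the conflict check.

```python
"""Added example (not from the page or from MITRE): sanity-check the STIX 2.1
intrusion-set object above and build an alias lookup that maps vendor names
for this cluster back to its ATT&CK group ID."""
import re
from typing import Dict, List, Optional

# Abbreviated copy of the page's STIX object: every value here is the page's,
# but external_references is trimmed to the mitre-attack entry, one alias
# citation and one source citation to keep the example short.
APT38_STIX = {
    "type": "intrusion-set",
    "spec_version": "2.1",
    "id": "intrusion-set--00f67a77-86a4-4adf-be26-1a54fc713340",
    "name": "APT38",
    "aliases": ["APT38", "NICKEL GLADSTONE", "BeagleBoyz", "Bluenoroff",
                "Stardust Chollima", "Sapphire Sleet", "COPERNICIUM"],
    "revoked": False,
    "x_mitre_deprecated": False,
    "external_references": [
        {"source_name": "mitre-attack", "external_id": "G0082",
         "url": "https://attack.mitre.org/groups/G0082"},
        {"source_name": "Sapphire Sleet",
         "description": "(Citation: Microsoft Threat Actor Naming July 2023)"},
        {"source_name": "FireEye APT38 Oct 2018",
         "description": "FireEye. (2018, October 03). APT38: Un-usual Suspects.",
         "url": "https://www.mandiant.com/sites/default/files/2021-09/rpt-apt38-2018-web_v5-1.pdf"},
    ],
}

# STIX 2.1 identifier: "<type>--<UUID>". The type prefix must equal the
# object's "type" field; a mismatch is the usual sign of a hand-edited or
# corrupted bundle and should stop ingestion.
STIX_ID_RE = re.compile(
    r"^([a-z][a-z0-9-]*)--"
    r"[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$")


def validate_intrusion_set(obj: dict) -> List[str]:
    """Return the problems an ingest step should reject on; [] means clean."""
    problems = []
    if obj.get("type") != "intrusion-set":
        problems.append("type is not intrusion-set")
    if obj.get("spec_version") != "2.1":
        problems.append("spec_version is not 2.1")
    m = STIX_ID_RE.match(obj.get("id", ""))
    if m is None:
        problems.append("id is not a well-formed STIX identifier")
    elif m.group(1) != obj.get("type"):
        problems.append("id prefix does not match type")
    if obj.get("revoked") or obj.get("x_mitre_deprecated"):
        problems.append("object is revoked or deprecated")
    if obj.get("name") not in obj.get("aliases", []):
        problems.append("name is missing from aliases")
    return problems


def attack_id(obj: dict) -> Optional[str]:
    """The ATT&CK ID is the external_id of the mitre-attack reference."""
    for ref in obj.get("external_references", []):
        if ref.get("source_name") == "mitre-attack":
            return ref.get("external_id")
    return None


def normalize(name: str) -> str:
    """Vendor names differ in case and spacing ("Stardust Chollima" vs
    "STARDUST CHOLLIMA"), so the index is keyed on a canonical form."""
    return " ".join(name.lower().split())


def alias_index(*objs: dict) -> Dict[str, str]:
    """Build {normalized alias: ATT&CK ID} over one or more intrusion-sets,
    refusing any object that fails validation or lacks an ATT&CK ID."""
    index: Dict[str, str] = {}
    for obj in objs:
        problems = validate_intrusion_set(obj)
        if problems:
            raise ValueError(f"{obj.get('id')}: {'; '.join(problems)}")
        gid = attack_id(obj)
        if gid is None:
            raise ValueError(f"{obj.get('id')}: no mitre-attack reference")
        for alias in obj.get("aliases", []):
            key = normalize(alias)
            # One vendor name pointing at two ATT&CK groups is exactly the
            # overlap the description warns about: surface it rather than
            # silently overwriting the earlier mapping.
            if index.get(key, gid) != gid:
                raise ValueError(f"alias {alias!r} maps to both {index[key]} and {gid}")
            index[key] = gid
    return index


def resolve(name: str, index: Dict[str, str]) -> Optional[str]:
    """Map a vendor name seen in a report to an ATT&CK group ID, or None."""
    return index.get(normalize(name))


if __name__ == "__main__":
    idx = alias_index(APT38_STIX)
    for n in ("Sapphire Sleet", "STARDUST CHOLLIMA", "Lazarus Group"):
        print(f"{n:20} -> {resolve(n, idx)}")
```

Running the block resolves "Sapphire Sleet" and "STARDUST CHOLLIMA" to G0082 and leaves "Lazarus Group" unresolved, which is the correct outcome: the page's object does not list Lazarus Group as an alias, and the description says that name is used by some vendors as an umbrella rather than a synonym, so a lookup that silently merged the two would be inventing attribution. Feeding `alias_index` a second intrusion-set that reuses an alias such as "Bluenoroff" under a different ATT&CK ID raises `ValueError` instead of overwriting, and an object whose id prefix disagrees with its type is rejected before any alias is indexed.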