2015-10
Duuzer backdoor Trojan targets South Korea to take over computers
Symantec has found that South Korea is being impacted by an active backdoor Trojan, detected as Backdoor.Duuzer. While the malware attack has not been exclusively targeting the region, it has been focusing on the South Korean manufacturing industry. Duuzer is a well-designed threat that gives attackers remote access to the compromised computer, downloads additional files, and steals data. It’s clearly the work of skilled attackers looking to obtain valuable information.
https://www.symantec.com/connect/blogs/duuzer-back-door-trojan-targets-south-korea-take-over-computers
2015
SWIFT Attack on a bank in the Philippines
https://www.symantec.com/connect/blogs/swift-attackers-malware-linked-more-financial-attacks
2015-12
Attempted Vietnamese TPBank SWIFT Attack
https://www.bankinfosecurity.com/vietnamese-bank-blocks-1-million-online-heist-a-9105
2016-05
SWIFT Attack on Banco del Austro in Ecuador
https://www.reuters.com/article/us-cyber-heist-swift-specialreport-idUSKCN0YB0DD
2016-10
Mexican and Polish Financial Attack
Organizations in 31 countries have been targeted in a new wave of attacks which has been underway since at least October 2016. The attackers used compromised websites or “watering holes” to infect pre-selected targets with previously unknown malware. There has been no evidence found yet that funds have been stolen from any infected banks.
https://www.symantec.com/connect/blogs/attackers-target-dozens-global-banks-new-malware-0
2017
In this campaign, the group sends spear-phishing emails containing an archived Windows shortcut file. The file names are disguised as security- or cryptocurrency-related files in order to entice users into executing them.
https://securelist.com/apt-trends-report-q2-2020/97937/
2017-10
SWIFT Attack on Far Eastern International Bank (FEIB) in Taiwan
https://baesystemsai.blogspot.com/2017/10/taiwan-heist-lazarus-tools.html
2018-01
Attempted heist at Bancomext in Mexico
https://www.bloomberg.com/news/articles/2018-05-29/mexico-foiled-a-110-million-bank-heist-then-kept-it-a-secret
2018-05
SWIFT attack on Banco de Chile in Chile
https://threatpost.com/banco-de-chile-wiper-attack-just-a-cover-for-10m-swift-heist/132796/
2018-08
SWIFT attack on Cosmos Bank in India
https://www.darkreading.com/attacks-breaches/north-korean-hacking-group-steals-$135-million-from-indian-bank-/d/d-id/1332678
2018-12
ATM breach of Redbanc in Chile
https://www.zdnet.com/article/north-korean-hackers-infiltrate-chiles-atm-network-after-skype-job-interview/
2021-11
The BlueNoroff cryptocurrency hunt is still on
https://securelist.com/the-bluenoroff-cryptocurrency-hunt-is-still-on/105488/
2022
TA444: The APT Startup Aimed at Acquisition (of Your Funds)
https://www.proofpoint.com/us/blog/threat-insight/ta444-apt-startup-aimed-at-your-funds
2022-09
North Korean hackers spoof venture capital firms in Japan, Vietnam and US
https://therecord.media/north-korean-hacking-group-spoofs-venture-capital-firms-finance-japan-vietnam
2022-10
BlueNoroff introduces new methods bypassing MoTW
https://securelist.com/bluenoroff-methods-bypass-motw/108383/
2022-12
Bluenoroff’s RustBucket campaign
https://blog.sekoia.io/bluenoroffs-rustbucket-campaign/
2023-04
BlueNoroff Hidden Risk | Threat Actor Targets Macs with Fake Crypto News and Novel Persistence
https://www.sentinelone.com/labs/bluenoroff-hidden-risk-threat-actor-targets-macs-with-fake-crypto-news-and-novel-persistence/
2023-06
The DPRK strikes using a new variant of RUSTBUCKET
https://www.elastic.co/security-labs/DPRK-strikes-using-a-new-variant-of-rustbucket
2023-09
BlueNoroff strikes again with new macOS malware
https://www.jamf.com/blog/bluenoroff-strikes-again-with-new-macos-malware/
2023-10
BlueNoroff: new Trojan attacking macOS users
https://securelist.com/bluenoroff-new-macos-malware/111290/
2023-11
Microsoft: BlueNoroff hackers plan new crypto-theft attacks
https://www.bleepingcomputer.com/news/security/microsoft-bluenoroff-hackers-plan-new-crypto-theft-attacks/
2025-06
Feeling Blue(Noroff): Inside a Sophisticated DPRK Web3 Intrusion
https://www.huntress.com/blog/inside-bluenoroff-web3-intrusion-analysis