June 7, 2024
By Research and Development

North Korea's Andariel Threat Group Strikes with New Dora RAT Malware

Doesn’t the North Korea-linked Andariel threat group rising out of the ashes remind you of the proverb “Beware of the quiet ones”?

This threat actor has recently been observed launching new, sophisticated attacks against targets in South Korea.

The Hack:

The Andariel group has been leveraging a new Golang-based backdoor called Dora RAT in attacks targeting educational institutions, manufacturing firms, and construction businesses in South Korea. The group has also used a vulnerable Apache Tomcat server as a distribution point for the malware.

The Tools:

In addition to Dora RAT, the Andariel group's arsenal includes a keylogger, an information stealer, and a SOCKS5 proxy, some of which share similarities with tools used by the notorious Lazarus Group.

The Process:

The attack chain typically involves the use of spear-phishing, watering hole attacks, and known software vulnerabilities to gain initial access to targeted networks. The group then deploys its suite of malware, including the Nestdoor variant and the newly discovered Dora RAT.

The Targets:

Andariel's targets are primarily located in South Korea, with a focus on educational institutions, manufacturing companies, and construction businesses. The group's strategic interests appear to be aligned with North Korea's objectives.

The Takeaway:

The Andariel group's persistent and sophisticated tactics, techniques, and procedures (TTPs) underscore the need for organizations to remain vigilant and proactively strengthen their cybersecurity defenses, especially against known North Korean threat actors.


Regularly patch and update systems, especially for known vulnerabilities in widely used software like Apache Tomcat.

Implement robust endpoint protection and incident response plans to detect and respond to advanced threats like Dora RAT and its associated malware.

Educate employees on the latest social engineering tactics used by threat actors and encourage the reporting of suspicious activities.

Collaborate with cybersecurity authorities and share threat intelligence to stay informed on emerging trends and strengthen the overall defense posture.
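The endpoint-detection recommendation above is easier to act on with a concrete triage filter. The post notes that Dora RAT is written in Go, and every binary produced by the Go toolchain carries recognisable markers: the 14-byte buildinfo magic (`\xff Go buildinf:`, present since Go 1.13) and a `Go build ID:` string. The script below, an added example that is not part of the original post and not code from AhnLab or the Andariel toolset, scans file contents for those markers, pulls out the embedded Go version string, and flags Go binaries that sit in directories where a dropped second stage usually lands. The directory prefixes and the sample file blobs are assumptions constructed for the demonstration; nothing here is a signature for Dora RAT itself.

```python
import re

# Markers the Go linker embeds in every binary it produces. These are documented
# Go toolchain behaviour, not anything specific to Dora RAT or Andariel.
GO_BUILDINFO_MAGIC = b"\xff Go buildinf:"
GO_BUILD_ID_MARKER = b'Go build ID: "'
GO_VERSION_RE = re.compile(rb"go1\.\d+(?:\.\d+)?(?:rc\d+|beta\d+)?")

# Assumed locations where a freshly dropped payload commonly lands (Windows and
# Linux); tune this list to the environment. Lower-case for case-insensitive match.
SUSPICIOUS_PREFIXES = (
    "c:\\users\\",
    "c:\\programdata\\",
    "c:\\windows\\temp\\",
    "/tmp/",
    "/var/tmp/",
    "/dev/shm/",
)


def go_markers(data: bytes) -> dict:
    """Report which Go toolchain markers are present in a binary blob."""
    found = {
        "buildinfo_magic": GO_BUILDINFO_MAGIC in data,
        "build_id": GO_BUILD_ID_MARKER in data,
        "version": None,
    }
    m = GO_VERSION_RE.search(data)
    if m:
        found["version"] = m.group(0).decode()
    return found


def is_go_binary(data: bytes) -> bool:
    """True if either Go marker is present. Absence is not proof of a non-Go
    binary: packers and post-processing can strip or hide the markers."""
    f = go_markers(data)
    return f["buildinfo_magic"] or f["build_id"]


def triage(files: dict) -> list:
    """files maps path -> file contents. Return paths, in input order, of Go
    binaries located under an assumed suspicious directory prefix."""
    hits = []
    for path, data in files.items():
        if is_go_binary(data) and path.lower().startswith(SUSPICIOUS_PREFIXES):
            hits.append(path)
    return hits


# Constructed sample "files" (not real samples): minimal byte strings carrying
# just enough structure to exercise the checks above.
SAMPLE_FILES = {
    # Stand-in for a Go-built executable dropped into a user temp directory.
    r"C:\Users\victim\AppData\Local\Temp\update.exe":
        b"MZ" + b"\x00" * 60 + GO_BUILDINFO_MAGIC + b"\x08\x00" + b"\x00" * 16
        + b"go1.21.5" + b"\x00" * 8 + b'Go build ID: "abc123/def456"' + b"\x00" * 8,
    # Stand-in for a legitimate Go tool installed in a normal location.
    r"C:\Program Files\SomeVendor\agent.exe":
        b"MZ" + b"\x00" * 60 + GO_BUILDINFO_MAGIC + b"\x08\x00" + b"go1.20.1",
    # Stand-in for a non-Go PE with no toolchain markers at all.
    r"C:\Users\victim\AppData\Local\Temp\setup.exe":
        b"MZ" + b"\x00" * 60 + b"This program cannot be run in DOS mode",
}


if __name__ == "__main__":
    for path, data in SAMPLE_FILES.items():
        print(path, go_markers(data))
    print("flagged:", triage(SAMPLE_FILES))
```

Treat the output as a triage filter rather than an alert: plenty of legitimate vendors ship Go binaries, so a hit only says "unsigned-looking Go executable in an odd place, look closer", and the Go version string gives a quick pivot when comparing files across hosts. Pair it with the usual context (parent process, signer, first-seen time) before escalating.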