Diamond Sleet

Threat Actor updated a month ago (2024-11-29T13:49:58.395Z)
Diamond Sleet is a North Korea-linked threat actor, also tracked as Selective Pisces, that has targeted media, defense, and IT organizations. The group is known for a supply chain attack methodology, specifically leveraging CyberLink software to infiltrate systems. Its tooling includes FudModule, a rootkit shared with another North Korea-linked group, Citrine Sleet. Once installed, the rootkit lets the attacker operate at kernel level, where it can undermine endpoint security tools and make detection extremely difficult. Microsoft, which tracks Diamond Sleet, has noted infrastructure and tooling shared between Diamond Sleet and Citrine Sleet, and its analysis indicates that the two actors likely share use of FudModule. The association of the FudModule rootkit with Diamond Sleet underlines the group's cyberespionage capabilities.
Description last updated: 2024-09-10T03:19:29.076Z
Possible Aliases / Cluster overlaps
It's hard to track cluster overlaps and naming conventions between vendors, so here are some possible overlapping names / profiles you also may want to look at.
Alias | Description | Votes
Onyx Sleet | Onyx Sleet is a possible alias for Diamond Sleet. Onyx Sleet, also known as Andariel, Silent Chollima, and Stonefly, is a North Korean state-sponsored cyber group under the RGB 3rd Bureau. This threat actor utilizes an array of malware to gather intelligence for North Korea, primarily conducting cyberespionage, but also engaging in ransomware activ | 4
ZINC | ZINC is a possible alias for Diamond Sleet. Zinc, also known as Diamond Sleet, is a North Korea-based threat actor group that has been active since 2009. This group is notorious for its cyber-attacks aimed at collecting political, military, and economic intelligence on North Korea's foreign adversaries, and executing currency generation campa | 4
Lazarus Group | Lazarus Group is a possible alias for Diamond Sleet. The Lazarus Group, a notorious threat actor attributed to North Korea, is renowned for its malicious activities aimed at furthering the country's objectives. This group has been implicated in several high-profile cyber-attacks, including an attack in Spain known as Operation DreamJob. The exploitati | 3
Fudmodule | Fudmodule is a possible alias for Diamond Sleet. FudModule is a sophisticated malware that has been associated with various North Korean hacking campaigns since October 2021. It uses direct kernel object manipulation (DKOM) techniques to bypass kernel security checks and has seen significant improvements since its initial discovery three years ago | 3
HIDDEN COBRA | HIDDEN COBRA is a possible alias for Diamond Sleet. Hidden Cobra, also known as Lazarus Group and Guardians of Peace, is a North Korean government-linked threat actor known for its malicious cyber activities. The group has primarily conducted cyberespionage but has also been involved in ransomware activity. The U.S. Government refers to this team's s | 2
temp.hermit | temp.hermit is a possible alias for Diamond Sleet. Temp.Hermit, also known as Selective Pisces or Diamond Sleet, is a cyber threat actor linked to North Korea. This group has been active since 2013 and targets governments, defense, telecommunications, and financial services sectors with cyberespionage operations. Temp.Hermit's activities often overl | 2
Miscellaneous Associations
Other elements of context that could aid in the identification of relevance
Microsoft
Teamcity
Malware
Espionage
Apt
Korean
Backdoor
Exploit
Vulnerability
Payload
Rootkit
Associated Threat Actors
Alias | Description | Association Type | Votes
Citrine Sleet | The Citrine Sleet Threat Actor is associated with Diamond Sleet. Citrine Sleet, also known as Gleaming Pisces, is a financially motivated threat actor associated with North Korea that has been active since at least 2018. The group is renowned for distributing the AppleJeus malware, targeting cryptocurrency traders. They have previously been linked to various cybe | Unspecified | 2
Associated Vulnerabilities
Alias | Description | Association Type | Votes
CVE-2023-42793 | The CVE-2023-42793 Vulnerability is associated with Diamond Sleet. CVE-2023-42793 is a critical security vulnerability identified in JetBrains TeamCity build management and continuous integration server. This flaw, characterized by an authentication bypass, was exploited by multiple threat actors throughout 2023 and into 2024. The first notable exploitation occurre | has used | 6
Foresttiger | The Foresttiger Vulnerability is associated with Diamond Sleet. ForestTiger is a software vulnerability that has been exploited by threat actors, specifically Diamond Sleet, to compromise system security. The flaw in the software design or implementation has enabled the group to execute malicious activities, primarily through PowerShell scripts to download two p | Unspecified | 2
Source Document References
Information about the Diamond Sleet Threat Actor was read from the documents corpus below. This display is limited to 20 results.
Source | Created
Unit42 | 4 months ago
DARKReading | 4 months ago
BankInfoSecurity | 4 months ago
Securityaffairs | 4 months ago
Securityaffairs | 4 months ago
Securityaffairs | 5 months ago
Securityaffairs | 5 months ago
Securityaffairs | 5 months ago
Securityaffairs | 5 months ago
Securityaffairs | 6 months ago
Securityaffairs | 6 months ago
Securityaffairs | 6 months ago
Securityaffairs | 6 months ago
DARKReading | 7 months ago
InfoSecurity-magazine | 7 months ago
BankInfoSecurity | 7 months ago
Securityaffairs | 7 months ago
Securityaffairs | 8 months ago
Securityaffairs | 8 months ago
Securityaffairs | 8 months ago