Diamond Sleet

Threat Actor updated 2 months ago (2024-09-10T04:18:30.762Z)

Download STIX

Preview STIX

Diamond Sleet, a threat actor linked to North Korea, has been identified as a significant cybersecurity concern. This group, also known as Selective Pisces, has targeted various sectors including media, defense, and IT organizations. The advanced persistent threat (APT) group is known for its supply chain attack methodology, specifically utilizing vulnerabilities in CyberLink software to infiltrate systems. The group's tactics include the deployment of FudModule, a rootkit shared with another APT group, Citrine Sleet. Once installed, this rootkit allows the attacker to operate at the kernel level of the system, making detection extremely difficult. It creates a challenging environment for security tools on the endpoint, potentially giving the attacker an upper hand. Microsoft has tracked Diamond Sleet's activities and noted shared infrastructure and tools between Diamond Sleet and Citrine Sleet. The analysis indicates a potential shared use of the FudModule malware between these threat actors. The association of the FudModule rootkit with Diamond Sleet further emphasizes the sophisticated cyberespionage capabilities of this North Korea-linked group.

Description last updated: 2024-09-10T03:19:29.076Z

What's your take? (Question 1 of 5)

Help tune the shared Cybergeist dataset, assist your peers, and earn karma. Expand the panel to get started.

Possible Aliases / Cluster overlaps

It's hard to track cluster overlaps and naming conventions between vendors, so here are some possible overlapping names / profiles you also may want to look at. Create a free account to see the source evidence for each alias, and help fix any errors.

Alias Description	Votes
Onyx Sleet is a possible alias for Diamond Sleet. Onyx Sleet, also known as Andariel, Silent Chollima, and Stonefly, is a North Korean state-sponsored cyber group under the RGB 3rd Bureau. This threat actor utilizes an array of malware to gather intelligence for North Korea, primarily conducting cyberespionage, but also engaging in ransomware activ	4
ZINC is a possible alias for Diamond Sleet. Zinc, also known as Diamond Sleet, is a North Korea-based threat actor group that has been active since 2009. This group is notorious for its cyber-attacks aimed at collecting political, military, and economic intelligence on North Korea's foreign adversaries, and executing currency generation campa	4
Lazarus Group is a possible alias for Diamond Sleet. The Lazarus Group, a notorious North Korean state-sponsored threat actor, is among the most prolific and dangerous cyber threat actors in operation. The group has been involved in several high-profile cyber-attacks, including Operation DreamJob in Spain, with the primary objective of funding North K	3
Fudmodule is a possible alias for Diamond Sleet. FudModule is a sophisticated malware that has been associated with various North Korean hacking campaigns since October 2021. It uses direct kernel object manipulation (DKOM) techniques to bypass kernel security checks and has seen significant improvements since its initial discovery three years ago	3
HIDDEN COBRA is a possible alias for Diamond Sleet. Hidden Cobra, also known as Lazarus Group and Guardians of Peace, is a North Korean government-linked threat actor known for its malicious cyber activities. The group has primarily conducted cyberespionage but has also been involved in ransomware activity. The U.S. Government refers to this team's s	2
temp.hermit is a possible alias for Diamond Sleet. Temp.Hermit, also known as Selective Pisces or Diamond Sleet, is a cyber threat actor linked to North Korea. This group has been active since 2013 and targets governments, defense, telecommunications, and financial services sectors with cyberespionage operations. Temp.Hermit's activities often overl	2

Miscellaneous Associations

Other elements of context that could aid in the identification of relevance

Microsoft

Teamcity

Malware

Espionage

Apt

Korean

Backdoor

Exploit

Vulnerability

Payload

Rootkit

Analyst Notes & Discussion

Be the first to leave your mark here! Log in to share your views and vote.

Associated Threat Actors

To see the evidence that has resulted in these threatActor associations, create a free account

Alias Description	Association Type	Votes
The Citrine Sleet Threat Actor is associated with Diamond Sleet. Citrine Sleet, also known as Gleaming Pisces, is a financially motivated threat actor associated with North Korea that has been active since at least 2018. The group is renowned for distributing the AppleJeus malware, targeting cryptocurrency traders. They have previously been linked to various cybe	Unspecified	2

Associated Vulnerabilities

To see the evidence that has resulted in these vulnerability associations, create a free account

Alias Description	Association Type	Votes
The CVE-2023-42793 Vulnerability is associated with Diamond Sleet. CVE-2023-42793 is a critical security vulnerability identified in JetBrains TeamCity build management and continuous integration server. This flaw, characterized by an authentication bypass, was exploited by multiple threat actors throughout 2023 and into 2024. The first notable exploitation occurre	has used	6
The Foresttiger Vulnerability is associated with Diamond Sleet. ForestTiger is a software vulnerability that has been exploited by threat actors, specifically Diamond Fleet, to compromise system security. The flaw in the software design or implementation has enabled the group to execute malicious activities, primarily through PowerShell scripts to download two p	Unspecified	2

Source Document References

Information about the Diamond Sleet Threat Actor was read from the documents corpus below. This display is limited to 20 results, create a free account to see more

Source Link	CreatedAt	Title
Unit42	2 months ago	Threat Assessment: North Korean Threat Groups
DARKReading	3 months ago	North Korean APT Exploits Novel Chromium, Windows Bugs to Steal Crypto
BankInfoSecurity	3 months ago	North Korean Hackers Tied to Exploits of Chromium Zero-Day
Securityaffairs	3 months ago	North Korea-linked APT Citrine Sleet exploit Chrome zero-day to deliver FudModule rootkit - Security Affairs
Securityaffairs	3 months ago	SECURITY AFFAIRS MALWARE NEWSLETTER – ROUND 6
Securityaffairs	4 months ago	security-affairs-malware-newsletter-round-5
Securityaffairs	4 months ago	Security Affairs Malware Newsletter - Round 3
Securityaffairs	4 months ago	Security Affairs Malware Newsletter - Round 3
Securityaffairs	4 months ago	Security Affairs Malware Newsletter - Round 2
Securityaffairs	5 months ago	Security Affairs Malware Newsletter - Round 1
Securityaffairs	5 months ago	Security Affairs newsletter Round 478 by Pierluigi Paganini – INTERNATIONAL EDITION
Securityaffairs	5 months ago	Security Affairs newsletter Round 477 by Pierluigi Paganini – INTERNATIONAL EDITION
Securityaffairs	5 months ago	Security Affairs newsletter Round 476 by Pierluigi Paganini – INTERNATIONAL EDITION
DARKReading	6 months ago	Microsoft: 'Moonstone Sleet' APT Melds Espionage, Financial Goals
InfoSecurity-magazine	6 months ago	New North Korean Hacking Group Identified by Microsoft
BankInfoSecurity	6 months ago	Microsoft Warns of North Korea's 'Moonstone Sleet'
Securityaffairs	6 months ago	Security Affairs newsletter Round 473 by Pierluigi Paganini – INTERNATIONAL EDITION
Securityaffairs	7 months ago	Security Affairs newsletter Round 470 by Pierluigi Paganini – INTERNATIONAL EDITION
Securityaffairs	7 months ago	Security Affairs newsletter Round 469 by Pierluigi Paganini – INTERNATIONAL EDITION
Securityaffairs	7 months ago	Security Affairs newsletter Round 467 by Pierluigi Paganini – INTERNATIONAL EDITION