Hermit

Malware Profile Updated a month ago
Hermit is malware linked to North Korea, which is also known as the "Hermit Kingdom" because of its isolationist policies. Together with Pegasus and DevilsTongue, this malware targeted Apple users in a wave of sophisticated attacks in July 2022; in response, Apple introduced a new security feature, Lockdown Mode, to protect against such attacks. Hermit has been associated with ScarCruft, a notorious North Korean state-sponsored threat actor known for targeting high-value individuals and organizations that align with North Korea's geopolitical objectives. The NSA's hacking operations against North Korea in the years before the Sony attack provided further evidence implicating North Korea in these cyber activities.

Unit 42, a cybersecurity research group, expressed moderate confidence that Contagious Interview, another campaign, was run by a North Korean state-sponsored actor, and high confidence that Wagemole was part of North Korea's cyber campaigns. An unnamed US diplomat claimed that North Korea generates about half of its foreign-currency income from cyber-attacks on cryptocurrency and related targets. The Moonstone Sleet hackers, another group linked to North Korea, deployed a custom ransomware variant named "FakePenny" and demanded higher extortion payments than earlier examples. The Pyongyang threat group, associated with North Korea, has a history of aggressive social engineering against think tanks, governments, and journalists to gather intelligence on how the Hermit Kingdom is perceived abroad. Since its launch in October 2022, Sinbad, a tool used to launder funds, was first used in the $100m Horizon heist and has since laundered tens of millions in stolen cryptocurrency for North Korea. Reports indicate that North Korea's state-sponsored hackers are among the world's most relentless, stealing millions in cryptocurrency each year to fund the nation's nuclear programs.
Lastly, ScarCruft targeted a trading company linked to Russia and North Korea using a novel phishing attack chain, signifying the Hermit Kingdom's ongoing attempts to target Russia.
Possible Aliases / Cluster overlaps
It's hard to track cluster overlaps and naming conventions between vendors, so here are some possible overlapping names / profiles you also may want to look at.
ID | Votes | Profile Description
Pegasus | 1 | Pegasus is a highly sophisticated malware developed by the NSO Group, known for its advanced and invasive capabilities. It is classified as mercenary spyware, often used by governments to target individuals such as journalists, political activists, and others of interest. Pegasus is particularly not
Miscellaneous Associations
Other elements of context that could aid in the identification of relevance
Malware
Crowdstrike
Sony
Mandiant
Apple
State Sponso...
Fbi
Ransomware
Phishing
Encrypt
Korean
Extortion
Associated Malware
ID | Type | Votes | Profile Description
Devilstongue | Unspecified | 1 | None
ROKRAT | Unspecified | 1 | RokRAT is a sophisticated malware that has been used by the cyber-espionage group ScarCruft, primarily to target South Korean media and research organizations. The malware is typically delivered via phishing emails with ZIP file attachments containing LNK files disguised as Word documents. However,
Associated Threat Actors
ID | Type | Votes | Profile Description
Kimsuky | Unspecified | 1 | Kimsuky is a North Korea-linked advanced persistent threat (APT) group that conducts global cyber-attacks to gather intelligence for the North Korean government. The group has been identified as a significant threat actor, executing actions with malicious intent, and has recently targeted victims vi
Lazarus Group | Unspecified | 1 | The Lazarus Group, a notorious threat actor believed to be linked to North Korea, has been attributed with a series of significant cyber-attacks over the past few years. The group's malicious activities include the exploitation of digital infrastructure, stealing cryptocurrency, and executing large-
Apt43 | Unspecified | 1 | APT43, also known as Kimsuky, is a North Korean state-sponsored advanced persistent threat (APT) group that has been actively involved in cybercrime and espionage. The group has been implicated in a series of attacks exploiting vulnerabilities, which have drawn the attention of various cybersecurity
ScarCruft | Unspecified | 1 | ScarCruft, also known as APT37, Inky Squid, RedEyes, Reaper, or Group123, is a North Korean threat actor group associated with malicious cyber activities. Their actions have been linked to the execution of targeted attacks against individual Android devices, as outlined in a VB2023 paper titled "Int
Sinbad | Unspecified | 1 | Sinbad is a threat actor suspected to be operated by North Korean operatives, primarily for the purpose of laundering stolen cryptocurrency. According to Chainalysis, Sinbad processed $24 million in December and January, indicating its use as a new mixing service. However, its effectiveness is yet
Associated Vulnerabilities
ID | Type | Votes | Profile Description
No associations to display
Source Document References
Information about the Hermit malware was drawn from the document corpus below. This display is limited to 20 results.
Source | Created At | Title
InfoSecurity-magazine | a month ago | Suspected North Korean Attack Drains $2m from CoinStats Wallets
BankInfoSecurity | 2 months ago | Microsoft Warns of North Korea's 'Moonstone Sleet'
BankInfoSecurity | 2 months ago | Breach Roundup: Kimsuky Serves Linux Trojan
InfoSecurity-magazine | a year ago | Resurrected Crypto-mixer Launders $100m in North Korean Funds
CERT-EU | a year ago | Send nukes
CERT-EU | a year ago | North Korean Hackers Are Attacking US Hospitals
CERT-EU | 9 months ago | Lazarus Group Targeting Defense Experts with Fake Interviews via Trojanized VNC Apps
Securityaffairs | 3 months ago | Apple warns of mercenary spyware attacks on iPhone users in 92 countries
BankInfoSecurity | a year ago | North Korean Hackers Find Value in LinkedIn
CERT-EU | 6 months ago | It’s 2024. Time to Have Attribution Standards in Cyberspace
CERT-EU | a year ago | Russian Missile Manufacturer Breached By North Korean Hackers
CERT-EU | a year ago | Cybersecurity readiness still lacking worldwide
CERT-EU | 10 months ago | North Korean Hackers Continue to Refine Their Arsenal of Tactics & Techniques
CERT-EU | 7 months ago | To stem North Korea’s missiles program, White House looks to its hackers | #hacking | #cybersecurity | #infosec | #comptia | #pentest | #ransomware | National Cyber Security Consulting
BankInfoSecurity | 8 months ago | US Sanctions North Korean Cyber Unit After Satellite Launch
CERT-EU | a year ago | FBI: North Korean hackers transferred $40 million in stolen cryptocurrency funds in one day
CERT-EU | 8 months ago | North Korea attacks tech recruitment market at both ends
CERT-EU | a year ago | Years into these games’ histories, attackers are still creating “Fortnite” and “Roblox”-related scams
CERT-EU | a year ago | Taiwanese infosec crew challenges Microsoft’s China findings
CERT-EU | a year ago | Linux malware from Lazarus Group resembles tools used in 3CX compromise