HIDDEN COBRA

Threat Actor Profile Updated 25 days ago
Hidden Cobra, also known as the Lazarus Group and Sapphire Sleet, is a North Korean cyberespionage group that has been active since at least 2009. The U.S. Government uses the term Hidden Cobra to refer to malicious cyber activity by the North Korean government, with the BeagleBoyz representing a subset of this activity. The group has been linked to various threat groups including Kimsuky, KONNI, APT37, and Diamond Sleet (aka Lazarus, Hidden Cobra).

Hidden Cobra's tactics, techniques, and procedures (TTPs) align with those of its 2017 operations, which used the same defense contractors as lures, and indicators from its 2020 campaign point to similar activity. The malware FALLCHILL is typically used by Hidden Cobra to infect systems, usually as a file dropped by other malware associated with the group. Initially, the actors used websites posing as legitimate cryptocurrency trading platforms to infect victims with AppleJeus malware; they have since diversified their initial infection vectors to include phishing, social networking, and social engineering techniques that persuade users to download the malware. The domain mireene.com and its various sub-domains were used by Hidden Cobra in 2020 for these activities.

In 2023, the group actively conducted espionage operations and destructive attacks in regions beyond the UAE, undermining the common perception that attacks against the UAE are primarily motivated by regional geopolitics. As part of its Operation Dream Job campaign, the group continued to leverage trojanized Virtual Network Computing (VNC) apps targeted at defense industry and nuclear engineers, impacting over 100 devices in countries such as Japan, Taiwan, Canada, and the US. Hidden Cobra therefore remains a significant ongoing cybersecurity threat.
Possible Aliases / Cluster overlaps
It's hard to track cluster overlaps and naming conventions between vendors, so here are some possible overlapping names / profiles you also may want to look at.
| ID | Votes | Profile Description |
|---|---|---|
| Lazarus Group | 2 | The Lazarus Group, also known as Diamond Sleet, is a notorious threat actor attributed to numerous cyber-attacks and illicit activities. This group is associated with North Korea and has been implicated in several high-profile incidents, including Operation DreamJob in Spain, which was attributed to |
| Diamond Sleet | 2 | Diamond Sleet is a North Korea-linked Advanced Persistent Threat (APT) group that has been implicated in numerous cyberattacks. This threat actor, which could be an individual, a private company, or part of a government entity, executes actions with malicious intent. The group has demonstrated its c |
Miscellaneous Associations
Other elements of context that could aid in the identification of relevance
Malware
Associated Malware
| ID | Type | Votes | Profile Description |
|---|---|---|---|
| Cobra | Unspecified | 2 | Cobra is a type of malware, short for malicious software, designed to exploit and damage computer systems or devices. It can infiltrate systems through suspicious downloads, emails, or websites, often unbeknownst to the user. Once inside, Cobra has the potential to steal personal information, disrup |
| WannaCry | Unspecified | 2 | WannaCry is a type of malware, specifically ransomware, that became infamous in 2017 as the largest attack of its kind at the time. It exploited vulnerabilities in Windows' Server Message Block protocol (SMBv1), specifically CVE-2017-0144, CVE-2017-0145, and CVE-2017-0143, to infect systems and encr |
Associated Threat Actors
IDTypeVotesProfile Description
No associations to display
Associated Vulnerabilities
IDTypeVotesProfile Description
No associations to display
Source Document References
Information about the HIDDEN COBRA Threat Actor was read from the documents corpus below. This display is limited to 20 results.
| Source | Created At | Title |
|---|---|---|
| CERT-EU | a year ago | Lazarus Subgroup Targeting Apple Devices with New RustBucket macOS Malware |
| MITRE | 6 months ago | Operation (노스 스타) North Star A Job Offer That’s Too Good to be True? \| McAfee Blog |
| MITRE | a year ago | North Korean Advanced Persistent Threat Focus: Kimsuky \| CISA |
| DARKReading | 3 months ago | 150K+ UAE Network Devices & Apps Exposed Online |
| MITRE | a year ago | BLINDINGCAN Remote Access Trojan - NHS Digital |
| MITRE | a year ago | HIDDEN COBRA – North Korean Remote Administration Tool: FALLCHILL \| CISA |
| MITRE | a year ago | FASTCash 2.0: North Korea's BeagleBoyz Robbing Banks \| CISA |
| CERT-EU | 8 months ago | Lazarus luring employees with trojanized coding challenges: The case of a Spanish aerospace company |
| InfoSecurity-magazine | 6 months ago | North Korea Blamed For CyberLink Supply Chain Attacks |
| Kryptos Logic | a year ago | A Brief Look At North Korean Cryptography |
| CERT-EU | 8 months ago | Lazarus APT Exploiting LinkedIn to Target Spanish Aerospace Firm |
| MITRE | a year ago | MAR-10135536-12 – North Korean Trojan: TYPEFRAME \| CISA |
| MITRE | a year ago | MAR-10271944-1.v1 – North Korean Trojan: HOTCROISSANT \| CISA |
| ESET | a year ago | WinorDLL64: A backdoor from the vast Lazarus arsenal? \| WeLiveSecurity |
| CERT-EU | 7 months ago | Trojanized VNC apps leveraged in defense-targeted Lazarus Group attacks |
| MITRE | a year ago | HIDDEN COBRA – North Korea’s DDoS Botnet Infrastructure \| CISA |
| CERT-EU | a year ago | Connect the Dots on State-Sponsored Cyber Incidents - Targeting of global financial institutions |
| MITRE | a year ago | MAR-10288834-2.v1 – North Korean Trojan: TAINTEDSCRIBE \| CISA |
| MITRE | a year ago | HIDDEN COBRA – North Korean Trojan: Volgmer \| CISA |