Higaisa

Threat Actor Profile Updated 13 days ago
Higaisa is a threat actor (hacking group) that Tencent's analysis attributes to South Korean origins. The group primarily targets North Korean government and trade organizations, but it has also extended its operations to China, Japan, Russia, Poland, and other countries. Higaisa uses real news stories and current events as lures for its malware-carrying messages, demonstrating a sophisticated approach to initial infection.

In March 2020, PT Expert Security Center analyzed Higaisa's activity and documented the group's use of malicious shortcut files, such as a sample named "20200308-sitrep-48-covid-19.pdf.lnk". This technique was later borrowed by another threat actor, Winnti (APT41). The infection chain launched by these LNK files closely resembled one observed by Anomali in the same month, and the C&C network infrastructure correlated with the Higaisa APT.

The group's evolution became evident in May 2020, when several new malware samples apparently originating from Higaisa were detected. Unlike earlier instances, the script copied the payload to the folder C:\Users\Public\Downloads, established persistence by adding itself to the startup folder and creating a scheduled task, and then ran the payload. This new attack instance indicates that Higaisa is actively updating its tactics, techniques, and procedures (TTPs), incorporating new backdoors with evasion techniques.
Possible Aliases / Cluster overlaps
It is hard to track cluster overlaps and naming conventions between vendors, so here are some possibly overlapping names and profiles you may also want to look at.
ID | Votes | Profile Description
Miscellaneous Associations
Other elements of context that could aid in the identification of relevance
Associated Malware
ID | Type | Votes | Profile Description
No associations to display
Associated Threat Actors
ID | Type | Votes | Profile Description
No associations to display
Associated Vulnerabilities
ID | Type | Votes | Profile Description
No associations to display
Source Document References
Information about the Higaisa threat actor was read from the document corpus below. This display is limited to 20 results.
Source | Created At | Title
CERT-EU | a year ago | Higaisa or Winnti? APT41 backdoors, old and new
MITRE | a year ago | COVID-19 and New Year greetings: an investigation into the tools and methods used by the Higaisa group
MITRE | a year ago | Return of the Higaisa APT | Zscaler Blog
MITRE | a year ago | New LNK attack tied to Higaisa APT discovered | Malwarebytes Labs