Higaisa

Threat Actor Profile Updated 3 months ago
Higaisa is a threat actor, or hacking group, believed to have its origins in South Korea according to Tencent's analysis. The group primarily targets North Korean government and trade organizations, but it has also extended its operations to China, Japan, Russia, Poland, and other nations. Higaisa uses real news and current events as lures in messages that deliver malware, demonstrating a sophisticated approach to initial infection.

In March 2020, PT Expert Security Center analyzed Higaisa's activities and documented the group's use of malicious shortcut (LNK) files resembling a sample named "20200308-sitrep-48-covid-19.pdf.lnk". This technique was later borrowed by another threat actor, Winnti (APT41). The infection chain used by these LNK files was very similar to one observed by Anomali in the same month, with the C&C network infrastructure correlating to the Higaisa APT.

The group's evolution was evident in May 2020, when several new malware samples apparently originating from Higaisa were detected. Unlike previous instances, the script copied the payload to the folder C:\Users\Public\Downloads, achieved persistence by adding itself to the Startup folder and creating a scheduled task, and then ran the payload. This new attack instance indicates that Higaisa is actively updating its tactics, techniques, and procedures (TTPs), incorporating new backdoors with evasion techniques.
Possible Aliases / Cluster overlaps
It's hard to track cluster overlaps and naming conventions between vendors, so here are some possible overlapping names / profiles you also may want to look at.
Miscellaneous Associations
Other elements of context that could aid in the identification of relevance
Malware
Apt
Decoy
Payload
Associated Malware
No associations to display
Associated Threat Actors
ID | Type | Votes | Profile Description
Winnti | Unspecified | 1 | Winnti is a sophisticated threat actor group, first identified by Kaspersky in 2013, with activities dating back to at least 2007. The group has been associated with the Chinese nation-state and is part of a collective known as APT41, which also includes subgroups like Wicked Panda, Suckfly, and Bar
APT41 | Unspecified | 1 | APT41, also known as Winnti, Wicked Panda, and Wicked Spider, is a sophisticated threat actor attributed to China. This group has been active since at least 2012, targeting organizations across 14 countries. The group is known for its extensive use of various code families and tools, with at least 4
Associated Vulnerabilities
ID | Type | Votes | Profile Description
Winnti Apt41 | Unspecified | 1 | None
Source Document References
Information about the Higaisa threat actor was read from the document corpus below. This display is limited to 20 results.
Source | Created At | Title
MITRE | a year ago | COVID-19 and New Year greetings: an investigation into the tools and methods used by the Higaisa group
MITRE | a year ago | Return of the Higaisa APT | Zscaler Blog
MITRE | a year ago | New LNK attack tied to Higaisa APT discovered | Malwarebytes Labs
CERT-EU | a year ago | Higaisa or Winnti? APT41 backdoors, old and new