G0138 Nation-stateour call,
not MITRE’s ATT&CK Group

Andariel

How MITRE ATT&CK characterizes this group¹: Andariel is a North Korean state-sponsored threat group that has been active since at least 2009. Andariel has primarily focused its operations--which have included destructive attacks--against South Korean government agencies, military organizations, and a variety of domestic companies; they have also conducted cyber financial operations against ATMs, banks, and cryptocurrency exchanges. Andariel's notable activity includes Operation Black Mine…

Origin / sponsor: not established from a curated public advisory — see Coverage & confidence. Not asserted here.

Also tracked as: Silent Chollima PLUTONIUM Onyx Sleet — ATT&CK group page¹

Read this as · tier is our editorial call, not MITRE’s

Read as a state-directed operator, not a smash-and-grab.

A nation-state classification means patience, tradecraft, and an intelligence objective. When this name attaches to a vulnerability, the question shifts from “will someone exploit it” to “has a well-resourced service already built it into an operation.” All tradecraft below is sourced to MITRE ATT&CK.

Techniques

ATT&CK count¹

Named tools / malware

ATT&CK count²

Attributed campaigns

ATT&CK count¹

Tactics spanned

ATT&CK count¹

coverage gap

Activity bounds

no attributed campaign

Known for

— signature moves, each sourced to ATT&CK

ArsenalNamed tooling. ATT&CK attributes 2 tools/malware to this group, including gh0st RAT, Rifdoor.¹⁵

ReachFurthest outcome. This actor's cited tradecraft reaches as far as outcome 4 — Data at risk — exfiltration. (editorial mapping over ATT&CK tactics).

Tradecraft heatmap

— ATT&CK techniques mapped onto the five attacker-outcome narratives

Each row is a documented technique (MITRE ATT&CK). Each column is one of the five attacker-outcome narratives a defender funds against. A filled cell means this technique’s own ATT&CK tactic defensibly advances that outcome. The mapping of technique→outcome is our editorial alignment over ATT&CK's tactic data, not a separately-sourced MITRE edge. A filled cell means one of the technique's own ATT&CK tactics defensibly advances that outcome; enabler tactics (C2, Defense Evasion, Discovery) heat no column.

1Front door

2Keys to the kingdom

3Lateral reach

4Data at risk

5Lights out

T1005 Data from Local SystemCollection

●

T1027.003 SteganographyDefense Evasion

T1049 System Network Connections DiscoveryDiscovery

T1057 Process DiscoveryDiscovery

T1105 Ingress Tool TransferCommand & Control

T1189 Drive-by CompromiseInitial Access

●

T1203 Exploitation for Client ExecutionExecution

●

T1204.002 Malicious FileExecution

●

T1566.001 Spearphishing AttachmentInitial Access

●

T1588.001 MalwareResource Development

T1590.005 IP AddressesReconnaissance

T1592.002 SoftwareReconnaissance

Reach: this actor’s cited techniques light columns 1·4 — furthest is 4 · Data at risk. (furthest-position idiom, reused from the landing map).

A dot = this technique advances that outcomeColumn 2 (Keys to kingdom) is empty — Compare: a credential-theft / identity actor lights column 2.Column 3 (Lateral reach) is empty — Compare: a hands-on-keyboard intruder lights column 3.Column 5 (Lights out) is empty — Compare: a ransomware or wiper actor lights column 5.

Editorial: the technique→outcome alignment is our call over ATT&CK’s tactic data, not a separately-sourced MITRE edge — same basis the landing page declares. Enabler tactics (C2, defense evasion, discovery) heat no column.¹

Arsenal

— named tools & malware ATT&CK attributes to this group

gh0st RATS0032 · Malware

ATT&CK S0032 ↗

RifdoorS0433 · Malware

ATT&CK S0433 ↗

Campaign highlights

— attributed operations in the ATT&CK record

No attributed campaigns — coverage gap

Stated, not hidden

ATT&CK lists no first-class campaign object for G0138 at this snapshot. Public reporting may tie this actor to operations; those enter only with a named advisory under the same cite-or-die rule.

Latest activity

— with explicit confidence, and what we cannot yet claim

ATT&CK
snapshot

The most recent cited activity in this card is the ATT&CK record itself. We do not paste a “last seen this week” line we cannot source. Recency from secondary reporting appears here only when attached to a named advisory.

ATT&CK snapshot, compiled 2026-06-22Coverage gap — live “currently active” status not asserted

CVE ↔ actor bridge — Known exploits / Linked CVEs every link below traces to a named source; tier is explicit

Inferred / reported — lower confidence, never headline attribution 1 link(s)

These are not confirmed attribution. An inferred link is a structural ATT&CK chain (this group uses a tool whose reference cites the CVE); it is back-cited to the original report and never claims the source names the group.

CVE-2015-5119 →

ATT&CK attributes gh0st RAT (S0032) to this group, and that software’s ATT&CK reference cites CVE-2015-5119. Structural chain — not a statement that the report names the group.

original report (cited on the ATT&CK software page) ↗

Coverage & confidence

— what we know, and what we don’t

Established (cited)

Group identity, aliases, description — MITRE ATT&CK group page

12 techniques — ATT&CK technique pages (linked per row)

2 software (arsenal) — ATT&CK software pages

7 third-party research citations — ATT&CK external references

Coverage gaps — stated, not hidden

Origin/sponsor not established from a curated public advisory. ATT&CK prose may imply attribution but is not asserted here — absence of a curated source is a coverage finding, not a clean bill of attribution.

Threat tier is OUR editorial classification (rule-based), not a MITRE field — labeled as such.

Technique → outcome heatmap is editorial alignment over ATT&CK tactic data, not a separately-sourced MITRE edge.

Activity bounds are a floor from attributed-campaign dates only — flagged approx., not a true active-since range.

ATT&CK has no first-class group→CVE relationship; this card asserts no specific CVE without a named advisory.

No attributed ATT&CK campaign object — activity bounds cannot be established.

Empty heatmap column(s): Keys to kingdom, Lateral reach, Lights out — consistent with this actor's nature, stated as a finding.