← All Threat Actors
Threat Actor Profile

DarkHotel

APT-C-06 ATK52 DUBNIUM Fallout Team G0012 Karba Luder Nemim Nemin Pioneer Shadow Crane SIG25 T-APT-02 Tapaoux TUNGSTEN BRIDGE Zigzag Hail
▲ High Threat
Kaspersky described DarkHotel in a 2014 report as: '... DarkHotel drives its campaigns by spear-phishing targets with highly advanced Flash zero-day exploits that effectively evade the latest Windows and Adobe defenses, and yet they also imprecisely spread among large numbers of vague targets with peer-to-peer spreading tactics. Moreover, this crews most unusual characteristic is that for several years the Darkhotel APT has maintained a capability to use hotel networks to follow and hit selected targets as they travel around the world.'
Origin South Korea
Sponsor Korea (Republic of)
Motivation Espionage

Target Sectors

Private sector

Known TTPs

Security Software Discovery
User Activity Based Checks
Encrypted/Encoded File
Symmetric Cryptography
Taint Shared Content
System Information Discovery
Keylogging
Spearphishing Attachment
Process Discovery
Deobfuscate/Decode Files or Information
Drive-by Compromise
Replication Through Removable Media
Virtualization/Sandbox Evasion
System Checks
System Time Discovery
Code Signing
System Network Configuration Discovery
File and Directory Discovery
Windows Command Shell
Match Legitimate Resource Name or Location
Ingress Tool Transfer
Registry Run Keys / Startup Folder
Exploitation for Client Execution
Malicious File

External Resources

CISA Advisories ↗

Related Intelligence

Hacking the mainframe…

LINK COPIED TO CLIPBOARD