North Koreas Andariel Pivots to Play Ransomware Games

The prominent state-sponsored advanced persistent threat (APT), aka Jumpy Pisces, appears to be moving away from its primary cyber-espionage motives and toward wreaking widespread disruption and damage.

One of North Koreas most
prominent state-sponsored threat groups
has pivoted to using Play ransomware in recent attacks, signifying the first time the group has partnered up with an underground ransomware network. Worryingly, it sets the stage for future high-impact attacks, researchers surmise.
According to Palo Alto Networks Unit 42, which tracks the advanced persistent threat (APT) as Jumpy Pisces (aka Nickel Hyatt, Onyx Sleet, Silent Chollima, Stonefly, and TDrop2), Andariel is now working with the Play ransomware gang, but whether its as an initial access broker (IAB) or affiliate of the ransomware group is not clear, the
researchers observed
in a blog post on Oct. 31. Previously, Andariel
was associated
with a ransomware strain called Maui thats been active since at least 2022.
Unit 42 researchers believe the group is responsible for a Play ransomware attack discovered last month in which attackers gained initial access to a network via a compromised user account several months before, in May. Andariel moved laterally after its initial network breach and maintained persistence by spreading the open source tool Sliver and its unique custom malware, DTrack, to other hosts via the Server Message Block (SMB) protocol, according to Unit 42. Months later, in early September, it deployed the Play payload.
This shift in their tactics, techniques and procedures (TTPs) signals deeper involvement in the broader ransomware threat landscape, Unit 42 researchers wrote in the post. This development could indicate a future trend where North Korean threat groups will increasingly participate in broader ransomware campaigns, potentially leading to more widespread and damaging attacks globally.
Play ransomware, maintained and deployed by a group tracked as Fiddling Scorpius, made its claim to fame by
targeting the city of Oakland, Calif.,
in February 2023 with a crippling attack. It then quickly rose up the threat ranks to become a major player in the game.
Some researchers have suggested that Fiddling Scorpius has transitioned from mounting its own attacks to a ransomware-as-a-service (RaaS) model, according to Unit 42. However, the group itself has announced on its Play ransomware leak site that it does not provide a RaaS ecosystem, according to the researchers. If this is true, then Andariel most likely acted as an IAB in the attack rather than an affiliate, they said.
Either way, network defenders should view … [the] activity as a potential precursor to ransomware attacks, not just espionage, underscoring the need for heightened vigilance, according to Unit 42.
There were several clues in the attack sequence that point to collaboration between Andariel and the Play ransomware. For one, the compromised account that attackers used for initial access and subsequent spreading of Andariels signature tools, including Silver and Dtrack, was the same one used prior to ransomware deployment.
The ransomware actor leveraged the account to abuse Windows access tokens, move laterally and escalate to SYSTEM privileges via PsExec, according to the post. This eventually led to the mass uninstallation of endpoint detection and response (EDR) sensors and the onset of Play ransomware activity.
The researchers also observed command-and-control (C2) communication with the Silver malware the day before Play ransomware was deployed. Moreover, Play ransomware attacks are known for leaving tools in the in the folder C:UsersPublicMusic, and some tools used prior to ransomware deployment in the Andariel attack also were located there, the researchers noted.
Andariel has been active for several years and has mounted a number of high-profile attacks that have targeted critical defense, aerospace, nuclear, and engineering companies as well as
global managed service providers
.
Andariel is controlled by North Koreas military intelligence agency, the Reconnaissance General Bureau, which is involved in the nations illicit arms trade and responsible for its malicious cyber activity. The groups antics already have drawn the attention of international law enforcement, including the US National Security Agency (NSA), which considers the group an ongoing threat to various industry sectors, particularly in the US, South Korea, Japan, and India.
The US Department of States Rewards for Justice (RFJ) is even offering a reward of up to $10 million for information that could lead it to Rim Jong Hyok, a key player in Andariels management structure, or any co-conspirators in the group.
Given the need for worldwide organizations to be on alert, Unit 42 included a list of indicators of compromise (IoCs) in its blog post. The researchers advised that defenders leverage the latest threat intelligence to identify malware on networks, and advanced URL filtering and DNS security products to spot known URLs and domains associated with Andariels malicious activity.

Last News
▸ ArcSight prepares for future at user conference post HP acquisition. ◂ Discovered: 07/01/2025 Category: security	▸ Samsung Epic 4G: First To Use Media Hub ◂ Discovered: 07/01/2025 Category: security	▸ Many third-party software fails security tests ◂ Discovered: 07/01/2025 Category: security

**Cyber Security Categories**
Google Dorks Database	Exploits Vulnerability	Exploit Shellcodes

CVE List

Tools/Apps

News/Aarticles

Phishing Database

Deepfake Detection

Trends/Statistics & Live Infos

Tags:
North Koreas Andariel Pivots to Play Ransomware Games