North Korea's Stonefly APT Swarms US Private Cos. for Profit

Published: 23/11/2024   Category: security




Despite a $10 million bounty on one member, APT45 is not slowing down, pivoting from intelligence gathering to extorting funds for Kim Jong-Un's regime.



A well-known North Korean advanced persistent threat (APT) has shifted its focus to targeting private companies in the US for financial gain.
Researchers at Symantec's Threat Hunter Team said this week that the state-sponsored group it tracks as Stonefly (aka Andariel, APT45, Silent Chollima, and Onyx Sleet) is flouting an indictment and a $10 million bounty from the US Department of Justice (DoJ), in order to rack up more funds for the Kim Jong-Un regime.
"Sometimes when you see an indictment against a certain actor, they'll disappear or retool, even if they're based in another jurisdiction," Dick O'Brien, part of the Threat Hunter Team at Symantec, tells Dark Reading. "In this case, it seems to be very much business as usual for Stonefly."
Stonefly, which is part of North Korea's Reconnaissance General Bureau (RGB), mounted assaults on three organizations in the US in August, about a month after the DoJ moved against the group. The victims, the researchers noted, had no obvious intelligence value, and were likely being prepped for a ransomware whammy — though the intrusions were detected before the endgame could play out.
The focus on snapping up funds is a relatively new flex for the group, Symantec researchers stressed, even though other North Korean APTs are dedicated to grifting foreign currency for the regime. Stonefly in the past targeted hospitals and other healthcare providers during the pandemic (which drew the DoJ scrutiny), and is known for going after high-value espionage targets like US Air Force bases, the NASA Office of Inspector General, and government organizations in China, South Korea, and Taiwan.
"This is a significant development for Stonefly," says O'Brien. "They're one of the more adept North Korean groups and have a history of compromising high-value targets. We previously considered them as something of an elite unit who wouldn't get involved in financial attacks. There's either increased pressure to raise money or they've been doing it all along and just haven't been detected until quite recently."
With Stonefly's less-targeted focus on siphoning funds from unsuspecting private companies, it pays for everyday businesses that might not normally think of themselves as APT targets to get familiar with the group's indicators of compromise (IoCs). Stonefly's activity is, after all, likely much more prolific than just the campaigns flagged by Symantec.
"There are likely many more victims," O'Brien stresses. "The attacks we observed were only those mounted against our customers. The true figure is likely going to be multiples of this."
And there are many IoCs to incorporate into defenses. While the ransomware was never deployed in the August attacks, and the initial compromise path isn't clear, Stonefly still managed to smuggle in plenty of tools from its kit before being ultimately thwarted, and those tools can be used to fingerprint the group's activity.
In several of the attacks, Stonefly's custom malware Backdoor.Preft (aka Dtrack, Valefor) was deployed, according to Symantec's blog post. In addition … attackers used a fake Tableau certificate documented by Microsoft in addition to two other certificates that appear to be unique to this campaign.
The toolbox also included Nukebot, which is a backdoor capable of executing commands, downloading and uploading files, and taking screenshots; Mimikatz; two different keyloggers; the open source, cross-platform Sliver penetration testing framework; the PuTTY SSH client; Plink; Megatools; a utility that takes snapshots of folder structures on a hard drive and saves them as HTML files; and FastReverseProxy, which can expose local servers to the public Internet.
