
Threat Actor Characterization

Higaisa

ID: 79d7fbc6ef93162410575461edf91a2675141
Cybercrime State-Sponsored
Threat types: Intrusion, Espionage, Malware
North Korea UNKNOWN
Updated: 2026-01-13
Created: 2025-10-21
Progress: 35% Completeness: 28% Freshness: 50%
Operation zone: UNKNOWN
Aliases: No aliases registered.
MITRE ATT&CK®

Higaisa is a threat group suspected to have South Korean origins. Higaisa has targeted government, public, and trade organizations in North Korea; however, they have also carried out attacks in China, Japan, Russia, Poland, and other nations. Higaisa was first disclosed in early 2019 but is assessed to have operated as early as 2009. Ref: https://attack.mitre.org/groups/G0126/


Technique  Technique name  Tactics  Evidence
T1001.003  Protocol or Service Impersonation  [TA0011]
  • Data Obfuscation: Protocol or Service Impersonation - Higaisa used a FakeTLS session for C2 communications.
T1027.001  Binary Padding  [TA0005]
  • Obfuscated Files or Information: Binary Padding - Higaisa performed padding with null bytes before calculating its hash.
T1027.013  Encrypted/Encoded File  [TA0005]
  • Obfuscated Files or Information: Encrypted/Encoded File - Higaisa used Base64-encoded compressed payloads.
T1027.015  Compression  [TA0005]
  • Obfuscated Files or Information: Compression - Higaisa used Base64-encoded compressed payloads.
T1036.004  Masquerade Task or Service  [TA0005]
  • Masquerading: Masquerade Task or Service - Higaisa named a shellcode loader binary svchast.exe to spoof the legitimate svchost.exe.
T1053.005  Scheduled Task  [TA0002, TA0003, TA0004]
  • Scheduled Task/Job: Scheduled Task - Higaisa dropped and added officeupdate.exe to scheduled tasks.
T1059.003  Windows Command Shell  [TA0002]
  • Command and Scripting Interpreter: Windows Command Shell - Higaisa used cmd.exe for execution.
T1059.005  Visual Basic  [TA0002]
  • Command and Scripting Interpreter: Visual Basic - Higaisa has used VBScript code on the victim's machine.
T1059.007  JavaScript  [TA0002]
  • Command and Scripting Interpreter: JavaScript - Higaisa used JavaScript to execute additional files.
T1071.001  Web Protocols  [TA0011]
  • Application Layer Protocol: Web Protocols - Higaisa used HTTP and HTTPS to send data back to its C2 server.
T1090.001  Internal Proxy  [TA0011]
  • Proxy: Internal Proxy - Higaisa discovered system proxy settings and used them if available.
T1204.002  Malicious File  [TA0002]
  • User Execution: Malicious File - Higaisa used malicious e-mail attachments to lure victims into executing LNK files.
T1547.001  Registry Run Keys / Startup Folder  [TA0003, TA0004]
  • Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder - Higaisa added a spoofed binary to the start-up folder for persistence.
T1564.003  Hidden Window  [TA0005]
  • Hide Artifacts: Hidden Window - Higaisa used a payload that creates a hidden window.
T1566.001  Spearphishing Attachment  [TA0001]
  • Phishing: Spearphishing Attachment - Higaisa has sent spearphishing emails containing malicious attachments.
T1573.001  Symmetric Cryptography  [TA0011]
  • Encrypted Channel: Symmetric Cryptography - Higaisa used AES-128 to encrypt C2 traffic.
T1574.001  DLL  [TA0003, TA0004, TA0005]
  • Hijack Execution Flow: DLL - Higaisa’s JavaScript file used a legitimate Microsoft Office 2007 package to side-load the OINFO12.OCX dynamic link library.
Strategic Intelligence
No content.
Executive Analyst Brief for CISO
No content yet.
Hunting Playbook
No content yet.
IOC Appendix
No content yet.
OSINT Library
No content yet.
Social Media & Communication
SOCMINT integrated: 0/0

No social links registered for this profile.
Reference Images/Associated Evidence

No images found for this threat.