
Threat Actor Characterization

Andariel

ID: 8ebad4679004dd23b57cae31fc26a9c103951
Category: Cybercrime, State-Sponsored
Threat types: Intrusion, Destruction, Financial Theft
Origin: North Korea, UNKNOWN
Updated: 2026-01-13
Created: 2025-10-21
Profile metrics: Progress 49%, Completeness 48%, Freshness 50%
Operation zone: UNKNOWN
Aliases (3 listed, one masked in preview): Onyx Sleet, PLUTONIUM, Si*************
MITRE ATT&CK®

Silent Chollima / Andariel — DPRK-linked group with espionage and revenue operations; spearphishing and exploitation of public-facing apps, valid accounts, custom loaders/backdoors, and data exfiltration are routinely observed.


Technique | Technique name | Tactics | Evidence (listed under each entry)
T1566 | Phishing | TA0001
  • 2015–2025 — Frequent spearphishing for initial access in sector-focused campaigns.
T1190 | Exploit Public-Facing Application | TA0001
  • 2015–2025 — Exploitation of public-facing applications observed across multiple operations.
T1078 | Valid Accounts | TA0001, TA0003, TA0004, TA0005
  • 2015–2025 — Use of stolen/valid credentials for persistence and lateral movement.
T1105 | Ingress Tool Transfer | TA0011
  • 2015–2025 — Ingress tool transfer for custom loaders/backdoors over C2 channels.
T1041 | Exfiltration Over C2 Channel | TA0010
  • 2015–2025 — Data exfiltration over C2 for espionage/revenue objectives.
T1486 | Data Encrypted for Impact | TA0040
  • 2019–2025 — Ransomware/impact behavior seen in select operations.
Strategic Intelligence
Last updated: 2025-10-22T00:29:24+00:00
Silent Chollima (Andariel / Silent PLUTONIUM / Onyx Sleet) — DPRK Threat Group (G0138)

CLASSIFICATION: Unclassified / Open Source


Executive Summary

Silent Chollima (a.k.a. Andariel, Silent PLUTONIUM, Onyx Sleet) is a North Korea–linked threat group that conducts both espionage and revenue-generation operations, including banking theft and ransomware-style impact. Open sources and MITRE consistently report spearphishing, exploitation of public-facing applications, abuse of valid accounts, and custom loaders/backdoors, alongside living-off-the-land behavior and tunneling. Target sectors include defense, manufacturing, financial, and South Korea–focused entities, with activity spanning 2015–2025. Confidence: high (MITRE G0138 plus vendor and law-enforcement reporting).


State-linked cluster aligned with DPRK intelligence and economic goals. Public research documents overlaps in tooling and infrastructure with other DPRK groups, which complicates granular attribution.
