Threat-actor profile

← Back to main site

Home/ Threat Actors/ Bluenoroff

🇰🇵Bluenoroff

🇰🇵 Bluenoroff is a tracked threat actor in the Clankerusecase corpus. Attributed to KP. Primary motivation: State. We map 26 detection use cases to this actor across 71 MITRE ATT&CK techniques, with 1 threat-intel article citing them. Active in our corpus from 2026-05-14 to 2026-05-14.

crit 1

View full actor card → All threat actors MITRE ATT&CK group spec (G0098) ↗

26Use cases

1Articles

71Techniques

1IOCs

Known aliases

BluenoroffSapphire SleetTA444APT38NICKEL GLADSTONEBeagleBoyzStardust ChollimaCOPERNICIUM

Top techniques

T1027 · Obfuscated Files or Information T1053.005 · Scheduled Task T1059.001 · PowerShell

All other tracked techniques

T1003 · OS Credential Dumping T1003.001 · LSASS Memory T1005 · Data from Local System T1021.002 · SMB/Windows Admin Shares T1027.002 · Software Packing T1033 · System Owner/User Discovery T1036.003 · Rename Legitimate Utilities T1036.006 · Space after Filename T1049 · System Network Connections Discovery T1053.003 · Cron T1055 · Process Injection T1056.001 · Keylogging T1057 · Process Discovery T1059.003 · Windows Command Shell T1059.005 · Visual Basic T1070.004 · File Deletion T1070.006 · Timestomp T1071 · Application Layer Protocol T1071.001 · Web Protocols T1071.004 · DNS T1082 · System Information Discovery T1083 · File and Directory Discovery T1105 · Ingress Tool Transfer T1106 · Native API T1110 · Brute Force T1112 · Modify Registry T1115 · Clipboard Data T1135 · Network Share Discovery T1140 · Deobfuscate/Decode Files or Information T1189 · Drive-by Compromise T1190 · Exploit Public-Facing Application T1204.001 · Malicious Link T1204.002 · Malicious File T1204.004 · Malicious Copy and Paste T1217 · Browser Information Discovery T1218 · System Binary Proxy Execution T1218.001 · Compiled HTML File T1218.005 · Mshta T1218.007 · Msiexec T1218.010 · Regsvr32 T1218.011 · Rundll32 T1480.002 · Mutual Exclusion T1485 · Data Destruction T1486 · Data Encrypted for Impact T1505.003 · Web Shell T1518.001 · Security Software Discovery T1529 · System Shutdown/Reboot T1543.003 · Windows Service T1547.001 · Registry Run Keys / Startup Folder T1548.002 · Bypass User Account Control T1553.005 · Mark-of-the-Web Bypass T1555.003 · Credentials from Web Browsers T1561.002 · Disk Structure Wipe T1564.003 · Hidden Window T1565.001 · Stored Data Manipulation T1565.002 · Transmitted Data Manipulation T1565.003 · Runtime Data Manipulation T1566 · Phishing T1566.001 · Spearphishing Attachment T1566.002 · Spearphishing Link T1569.002 · Service Execution T1583.001 · Domains T1588.002 · Tool T1685 · Disable or Modify Tools T1685.005 · Clear Windows Event Logs T1686 · Disable or Modify System Firewall T1686.002 · Network Device Firewall T1690 · Prevent Command History Logging

Detection use cases (26)

Bluenoroff / Sapphire Sleet fake-meeting / recruiter installer chain (msiexec spawning LOLBin from crypto/VC-themed package) AI · profile SΣDD Bluenoroff / APT38 AppleJeus persistence: Run-key pointing at user-writable cryptocurrency-themed binary AI · profile SΣDD Kimsuky HelloDoor 'tdll' Run-key persistence with regsvr32 loader Bespoke Kimsuky httpMalice persistence: 'Everything 1.9a-/1.8a-' Run-key or CacheDB service install Bespoke Kimsuky JSE dropper: wscript -> powershell hidden + certutil -decode chain Bespoke Beaconing — periodic outbound to small set of destinations Internal Network connections to article IPs / domains Internal Phishing-link click correlated to endpoint execution Internal Email attachment opened from external sender Internal Office app spawning script/LOLBin child process Internal Scheduled task created with suspicious image / encoded args Internal Fake CAPTCHA / clipboard-injected PowerShell (ClickFix / FakeCaptcha) Internal PowerShell encoded / obfuscated command Internal Ransomware-style mass file rename / extension change Internal 1Password failed sign-in burst MITRE match Brand-Impersonation Domain Fetch Followed by User-Context Loader Within 10 Minutes MITRE match Cross-Platform ClickFix Paste-to-Pipe Loader (UI-Parent Shell with Decode-and-Execute Payload) MITRE match Developer package install spawning script-host with non-registry C2 within 5 minutes MITRE match Developer/Data-tooling Daemon Spawns Shell Child Seconds After POST to Runner/Exec Endpoint MITRE match Internet-Facing Service Process Spawning Unix Shell or Ingress-Tool LOLBin (Edge Zero-Day Post-Exploit) MITRE match Internet-facing service process spawns shell/LOLBin within minutes of public inbound connection — post-RCE command execution MITRE match Low-Code / AI Workflow Runtime Sandbox-Escape — Server Process Spawns Shell + Public Egress MITRE match Non-Browser Process Reads Browser Credential / Cookie SQLite Then Egresses to Public Destination Within 10 Minutes MITRE match Package Manager / Dev-Tool Auto-Execution Triggers Non-Registry Egress or Credential-Store Access MITRE match Package Manager Install Spawning Outbound Egress to Non-Registry Infrastructure Within 5 Minutes MITRE match Package manager lifecycle hook spawns network-fetching shell or runtime MITRE match

Threat-intel articles (1)

crit Kimsuky targets organizations with PebbleDash-based tools · 2026-05-14

Tracked indicators

Domains (1)

female-disorder-beta-met