Clankerusecase
Threat-actor profile

Darkhotel

Darkhotel is a tracked threat actor in the Clankerusecase corpus. ??-aligned. Primary motivation: Unknown. We map 14 detection use cases to this actor across 24 MITRE ATT&CK techniques, with 0 threat-intel articles citing them.

14 use cases · 0 articles · 24 techniques · 0 IOCs

About this actor (MITRE)

[Darkhotel](https://attack.mitre.org/groups/G0012) is a suspected South Korean threat group that has targeted victims primarily in East Asia since at least 2004. The group's name is based on cyber espionage operations conducted via hotel Internet networks against traveling executives and other select guests. [Darkhotel](https://attack.mitre.org/groups/G0012) has also conducted spearphishing campaigns and infected victims through peer-to-peer and file sharing networks. (Citation: Kaspersky Darkhotel) (Citation: Securelist Darkhotel Aug 2015) (Citation: Microsoft Digital Defense FY20 Sept 2020)

Known aliases

Darkhotel, DUBNIUM, Zigzag Hail

Detection use cases (14)

- Darkhotel (DUBNIUM/Zigzag Hail) fake-software-update dropper from hotel/captive-portal staging path (AI · profile, S)
- Darkhotel spearphish: Office/HWP decoy spawning binary masquerading as Windows system file with HKCU Run-key persistence (AI · profile, SΣ)
- Brand-Impersonation Domain Fetch Followed by User-Context Loader Within 10 Minutes (MITRE match)
- Cross-Platform ClickFix Paste-to-Pipe Loader (UI-Parent Shell with Decode-and-Execute Payload) (MITRE match)
- Developer package install spawning script-host with non-registry C2 within 5 minutes (MITRE match)
- Developer/Data-tooling Daemon Spawns Shell Child Seconds After POST to Runner/Exec Endpoint (MITRE match)
- Internet-Facing Service Process Spawning Unix Shell or Ingress-Tool LOLBin (Edge Zero-Day Post-Exploit) (MITRE match)
- Low-Code / AI Workflow Runtime Sandbox-Escape — Server Process Spawns Shell + Public Egress (MITRE match)
- Package Manager / Dev-Tool Auto-Execution Triggers Non-Registry Egress or Credential-Store Access (MITRE match)
- Package Manager Install Spawning Outbound Egress to Non-Registry Infrastructure Within 5 Minutes (MITRE match)
- Package manager lifecycle hook spawns network-fetching shell or runtime (MITRE match)
- Server / AI-agent process spawns shell or LOLBIN with public egress — post-RCE behavioural chain (MITRE match)
- Service-process parent spawns subprocess containing CLI-argument-injection tokens (MITRE match)
- Web App Interpreter (Node/Python/Java/PHP) Spawns Shell or Net-Download LOLBin on Internet-Facing Host (MITRE match)