Clankerusecase
Threat-actor profile
 ← Back to main site
Home/ Threat Actors/ Higaisa

🌐Higaisa

🌐 Higaisa is a tracked threat actor in the Clankerusecase corpus. ??-aligned. Primary motivation: Unknown. We map 14 detection use cases to this actor across 28 MITRE ATT&CK techniques, with 0 threat-intel articles citing them.

View full actor card → All threat actors MITRE ATT&CK group spec (G0126) ↗
14Use cases
0Articles
28Techniques
0IOCs

About this actor (MITRE)

[Higaisa](https://attack.mitre.org/groups/G0126) is a threat group suspected to have South Korean origins. [Higaisa](https://attack.mitre.org/groups/G0126) has targeted government, public, and trade organizations in North Korea; however, they have also carried out attacks in China, Japan, Russia, Poland, and other nations. [Higaisa](https://attack.mitre.org/groups/G0126) was first disclosed in early 2019 but is assessed to have operated as early as 2009.(Citation: Malwarebytes Higaisa 2020)(Citation: Zscaler Higaisa 2020)(Citation: PTSecurity Higaisa 2020)

Known aliases

Higaisa

Top techniques

T1001.003 · Protocol or Service ImpersonationT1016 · System Network Configuration DiscoveryT1027.001 · Binary Padding

All other tracked techniques

T1027.013 · Encrypted/Encoded FileT1027.015 · CompressionT1029 · Scheduled TransferT1036.004 · Masquerade Task or ServiceT1041 · Exfiltration Over C2 ChannelT1053.005 · Scheduled TaskT1057 · Process DiscoveryT1059.003 · Windows Command ShellT1059.005 · Visual BasicT1059.007 · JavaScriptT1071.001 · Web ProtocolsT1082 · System Information DiscoveryT1090.001 · Internal ProxyT1106 · Native APIT1124 · System Time DiscoveryT1140 · Deobfuscate/Decode Files or InformationT1203 · Exploitation for Client ExecutionT1204.002 · Malicious FileT1220 · XSL Script ProcessingT1547.001 · Registry Run Keys / Startup FolderT1564.003 · Hidden WindowT1566.001 · Spearphishing AttachmentT1573.001 · Symmetric CryptographyT1574.001 · DLLT1680 · Local Storage Discovery

Detection use cases (14)

Higaisa LNK-spearphish chain: cmd.exe + find.exe + mshta self-extracting from .lnk AI · profile SΣ Higaisa persistence: schtasks creating tasks pointing to %APPDATA%\Microsoft staged payloads AI · profile SΣ Brand-Impersonation Domain Fetch Followed by User-Context Loader Within 10 Minutes MITRE match Cross-category credential-store enumeration with rapid egress to anonymizing tunnel/CDN MITRE match Cross-Platform ClickFix Paste-to-Pipe Loader (UI-Parent Shell with Decode-and-Execute Payload) MITRE match Developer package install spawning script-host with non-registry C2 within 5 minutes MITRE match Developer/Data-tooling Daemon Spawns Shell Child Seconds After POST to Runner/Exec Endpoint MITRE match Internet-facing service process spawns shell/LOLBin within minutes of public inbound connection — post-RCE command execution MITRE match Low-Code / AI Workflow Runtime Sandbox-Escape — Server Process Spawns Shell + Public Egress MITRE match Non-Browser Process Reads Browser Credential / Cookie SQLite Then Egresses to Public Destination Within 10 Minutes MITRE match npm/yarn/pnpm Install-Hook Spawn → Credential-Store Read or Worm-Payload Drop in node_modules MITRE match Package Manager / Dev-Tool Auto-Execution Triggers Non-Registry Egress or Credential-Store Access MITRE match Package Manager Install Hook Spawns Scripting Interpreter Then Touches Credential Files or Egresses Off-Registry MITRE match Package Manager Install Spawning Outbound Egress to Non-Registry Infrastructure Within 5 Minutes MITRE match