🇰🇵 KP2 malware families

vedalia

Also known asvedalia

Vedalia is a North Korea-linked espionage group also known as APT37. The provided content identifies Vedalia as the first known threat actor to use the Microsoft Graph API for command-and-control. It developed the Bluelight malware, a second-stage payload capable of communicating with multiple cloud services for C2. Volexity analyzed a Bluelight variant that used the Graph API to communicate with Microsoft OneDrive. The content places Vedalia/APT37 in the broader trend of state-linked espionage actors abusing trusted cloud services to blend malicious traffic with legitimate activity.

Are they targeting you?

Know when an actor pivots toward your sector

Mallory correlates actor tradecraft and target patterns against your stack, your sector, and your geography. See overlap before they land.

Start free trial

OPERATIONAL PROFILE

Targeting

Who, where, and (when attributed) which flag flies behind the operation. Pulled from open-source reporting and Mallory's analyst review.

Where they're from

Attributed origin per open-source reporting.

MITRE ATT&CK

Tradecraft

1 distinct technique observed across reporting, grouped by tactic. Hover any cell for the evidence excerpt; click through for MITRE's full description.

1 of 15 tactics1 techniques×N= number of intelligence reports citing this technique

MITRE ATT&CK

TA0001

Initial Access

1 technique

T1566

Phishing

ARSENAL

Associated malware families

2 malware families attributed to this actor across reporting.

FamilyContextEvidenceLast seen

BLUELIGHTThe first known usage was by the North Korea-linked Vedalia espionage group (aka APT37), which developed Bluelight, a second-stage payload that could communicate with several different cloud services for C&C purposes.2May 26, 2026

KONNI“The KONNI RAT was first spotted by Cisco Talos researchers in 2017… it can execute arbitrary code on target systems and steal data.”1Mar 18, 2026

IOCS

Observables

1 indicator attributed to this actor: domains, IPs, hashes, and other artifacts pulled from reporting. View more in app.

1 IOCsView more in app

IOC values are gated. View more in Mallory for domains, IPs, hashes, and other artifacts, or pipe them straight into your SIEM.

ACTIVITY FEED

Recent activity

2 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.

2 SOURCESView more in app

symantec blogNews

Aug 7, 2024

Cloud Cover: How Malicious Actors Are Leveraging Cloud Services | SECURITY.COM

North Korea-linked espionage group cited as an early adopter of cloud-service-based C2 via the BlueLight malware.

symantec blogNews

May 2, 2024

Graph: Growing number of threats leveraging Microsoft API | SECURITY.COM

Espionage group linked to early use of Microsoft Graph API for command-and-control via OneDrive using the Bluelight payload.

What this page doesn’t show

The version that knows your environment.

This page is what’s public. Mallory adds the parts that aren’t: sector and geo overlap with your footprint, the IOCs they’re burning right now, detection coverage, and what to do next.

Start free trial

Target overlap

Match sector + geo + tech-stack targeting against your real footprint.

Tradecraft mapping1

Every observed MITRE ATT&CK technique, grouped by tactic.

Malware arsenal2

Families this actor is known to deploy, with IOCs and behavior.

Exploited CVEs

CVEs this actor has used in known campaigns.

Detection signatures

YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.

Observables1

Domains, IPs, and hashes tied to this actor, refreshed continuously.