Remote-access Guide

north korean remote access trojan ahnlab

by Aron Powlowski Published 1 year ago Updated 1 year ago

Is North Korea hacking South Korea with rokrat Trojan?

A North Korean hacking group is utilizing the RokRat Trojan in a fresh wave of campaigns against the South Korean government.

What is the North Korean rat Trojan?

The trojan was attributed by the two agencies to the North Korean government-sponsored hacking group tracked as HIDDEN COBRA (aka Lazarus Group and APT38). According to the agencies' analysis, the RAT comes with "built-in functions for remote operations that provide various capabilities on a victim’s system."

What are the North Korean malware variants exposed by US government?

Three more North Korean malware variants were exposed in May, including a remote access tool known as COPPERHEDGE and used in attacks against cryptocurrency exchanges, and two trojans known as TAINTEDSCRIBE and PEBBLEDASH. The US govt issued six other security advisories with info on North Korean malware in mid-February exposing:

What is remote access trojan (RAT)?

The Remote Access Trojan (RAT) has been connected to attacks based on the exploit of a Korean language word processor commonly used in South Korea for several years; specifically, the compromise of Hangul Office documents (.HWP).



This report is provided "as is" for informational purposes only. The Department of Homeland Security (DHS) does not provide any warranties of any kind regarding any information contained within. The DHS does not endorse any commercial product or service, referenced in this bulletin or otherwise. This document is marked TLP:WHITE.


This Malware Analysis Report (MAR) is the result of analytic efforts between Department of Homeland Security (DHS) and the Federal Bureau of Investigation (FBI). Working with U.S. Government partners, DHS and FBI identified Trojan malware variants used by the North Korean government. This malware variant is known as TYPEFRAME. The U.S.


NCCIC would like to remind users and administrators to consider using the following best practices to strengthen the security posture of their organization's systems. Any configuration changes should be reviewed by system owners and administrators prior to implementation to avoid unwanted impacts.

Contact Information

NCCIC continuously strives to improve its products and services. You can help by answering a very short series of questions about this product at the following URL:

Document FAQ

What is a MIFR? A Malware Initial Findings Report (MIFR) is intended to provide organizations with malware analysis in a timely manner. In most instances this report will provide initial indicators for computer and network defense.


This product is provided subject to this Notification and this Privacy & Use policy.

What is Rokrat malware?

In the past, the malware has been used in phishing campaigns that lure victims through emails containing attachments with a political theme -- such as Korean unification and North Korean human rights. RokRat is believed to be the handiwork of APT37, also known as ScarCruft, Reaper, and Group123.

What is a rokrat?

RokRat is a malware variant that will also attempt to maintain stealth by checking for sandboxes and for the presence of VMWare, scan for debugging software, and analyzes DLLs related to Microsoft and iDefense.

Who is the trojan attributed to?

The trojan was attributed by the two agencies to the North Korean government-sponsored hacking group tracked as HIDDEN COBRA (aka Lazarus Group and APT38).

What is RAT malware?

U.S. government agencies today published a malware analysis report exposing information on a remote access trojan (RAT) malware used by North Korean hackers in attacks targeting government contractors. The malware was identified by the Cybersecurity and Infrastructure Security Agency (CISA) and the Federal Bureau of Investigation (FBI) ...

How much is the reward for DPRK hacking?

In April 2020, the U.S. government offered a reward of up to $5 million for information on DPRK hackers' cyber activity, including past or ongoing operations, that leads to the disruption of DPRK-related illegal activities or to the identification or location of North Korean actors.

A B C D E F G H I J K L M N O P Q R S T U V W X Y Z 1 2 3 4 5 6 7 8 9