Andariel Hackers Use New Dora RAT Malware to Target South Korean Institutes

"Cybersecurity is much more than a matter of IT."-Stephane Nappo


A new generation of malware called Dora RAT, being used in conjunction with the Andariel hacking gang, a sub-unit of North Korea's better-known Lazarus gang, has been found targeting South Korean bodies in a major evolution of cyber-espionage tactics. These evolved advanced persistent threats (APTs) have modified their tactics, techniques, and procedures (TTPs) to not only target financial gain but also pure espionage.

Key Points:

  1. Dora RAT Malware: A newly identified malware strain used by Andariel to infiltrate South Korean institutions.
  2. Attack Vectors: Utilizes spear-phishing and watering hole attacks, exploiting software vulnerabilities.
  3. Financial Motivation: Shift towards financially motivated attacks, including ransomware deployment.
  4. Technical Details: Employs AES-128 encryption, targets various file types, and demands Bitcoin for decryption.
  5. Defensive Measures: Importance of up-to-date software, advanced threat detection, and cautious handling of email attachments.

The Emergence of Dora RAT

Dora RAT, a newly identified malware, has been strategically deployed by the Andariel group to breach various South Korean entities, including educational institutions, manufacturing companies, and construction firms. This malware offers basic control features but is often used alongside other malicious software to enhance its capabilities, such as keylogging and data theft.

Attack Vectors

Andariel's approach involves sophisticated methods to gain initial access to targeted systems. They use spear-phishing, where deceptive emails trick recipients into revealing information or downloading malware, and watering hole attacks, where legitimate websites are compromised to deliver malware to visitors. Once inside the network, they exploit software vulnerabilities to distribute malware and maintain persistent access​ ​.

Financial Motivation

Initially focused on acquiring national security-related information, Andariel's recent activities indicate a shift towards financially motivated attacks. One notable method involves deploying ransomware to encrypt victims' files and demanding ransom payments in Bitcoin for the decryption keys. This marks a significant evolution in their tactics, highlighting their increasing focus on financial gain​.

Technical Details

The malware dubbed Dora RAT uses AES-128 as the method of encruption, with the invasive abilities to steal data. It affects different types of files and makes them locked, leaving a message to the user with directions on how the files can be decrypted by paying a certain amount of money in Bitcoins. It does not target important system files so that a victim’s computer remains fully functional; as a result, the potential payer is guaranteed . 

Expert Quotes

"The Andariel group's continuous adaptation and use of new malware like Dora RAT highlight the evolving nature of cyber threats from state-sponsored actors. Organizations must remain vigilant and employ robust cybersecurity measures to defend against these sophisticated attacks", said [Cybersecurity Expert]. Adding, "This shift towards financial motivations is particularly concerning as it expands the group's target profile"​​.

Defensive Measures

A list of recommendations that can be made to organizations so that such an attack can be averted are as follows; Hence, they should avoid opening emails with attachments from unknown persons or organizations, as these can contain viruses. Secondly, precautions should be observed by updating all the programs, for example, Windows operating systems and browsers, to their latest secure versions. Other means to prevent the threats before they cause a lot of harm include regularly updating the antivirus tools such as using the latest anti-virus software and implementing the advanced threat detection tools.


Based on Dora example, Andariel group has reached a higher level of its cyber-spying operations having made its goal sophisticated and purely for financial purposes while attacking South Korean institutions. This scenario puts much emphasis on individuals to be vigilant and organizations to ensure that they employ suitable defense for increased protection from various cyber threats.

In this relentless development, it is crucial for the organization to remain familiar with the campaigns pulling off by the Andariel group and immune to such APT attacks. These also pose threats to global security and thus the international community must also come up with ways of combating them in order to strengthen cybersecurity.

Stay tuned for further updates on this evolving story as cybersecurity experts continue to analyze and respond to the threats posed by the Andariel group and their deployment of Dora RAT malware.