>samit_hota
Back to adversary profiles
G0082CriticalActive

APT38: North Korea's Relentless Financial Cyber Offensive

Samit Hota·
Suspected Origin
North Korea
Motivation
Financial Gain, Sanctions Evasion, Funding State Programs
Aliases
NICKEL GLADSTONE, BeagleBoyz, Bluenoroff, Stardust Chollima, Sapphire Sleet, COPERNICIUM
Target Sectors
Financial Institutions, Banks, Cryptocurrency Exchanges, SWIFT System Endpoints, ATMs, Casinos, Decentralized Finance (DeFi) Platforms
Associated Malware
QUICKRIDE, NESTEGG, KEYLIME, CLOSESHAVE, BOOTWRECK, CLEANTOAD, Mimikatz, RATANKBA, Manuscrypt, BLINDINGCAN, COPPERHEDGE, FASTCash, CROWDEDFLOUNDER, HOPLIGHT, VIVACIOUSGIFT, ELECTRICFISH, ECCENTRICBANDWAGON, Bistromath, Bitsran, Hermes, WannaCry, Dtrack, MATA, AppleJeus, TraderTraitor, Cryptoistic
#threat-actor#g0082

Overview

APT38 (G0082), also tracked by aliases such as NICKEL GLADSTONE, BeagleBoyz, Bluenoroff, Stardust Chollima, Sapphire Sleet, and COPERNICIUM, is a highly sophisticated and prolific North Korean state-sponsored threat group. Officially attributed to the Reconnaissance General Bureau (RGB), this adversary stands out for its singular focus on financial cyber operations, distinguishing it from many other nation-state actors primarily driven by espionage or sabotage. Their motivation is explicitly tied to generating illicit revenue to circumvent international sanctions and fund North Korea’s state programs, including the development of weapons of mass destruction and ballistic missiles.

Active since at least 2014, APT38 demonstrates exceptional patience and meticulous planning, often maintaining a presence within victim networks for months, sometimes even up to two years, before initiating any financial theft. Their operations are characterized by deep reconnaissance, a thorough understanding of financial transaction systems, and an aggressive willingness to deploy destructive malware to cover their tracks and impede forensic investigations. While often discussed in conjunction with the broader Lazarus Group, APT38’s specialized financial mandate, unique toolset, and operational patterns warrant separate tracking to provide defenders with a focused understanding of this distinct and dangerous adversary. Their targeting is global, impacting banks, financial institutions, casinos, cryptocurrency exchanges, SWIFT system endpoints, and ATMs in at least 38 countries. Publicly reported attempted thefts alone exceed $1.1 billion in traditional finance, with billions more attributed to their cryptocurrency operations.

Tactics & Techniques

APT38 employs a diverse array of tactics, techniques, and procedures (TTPs), demonstrating adaptability and a willingness to evolve their methods. Initial access typically involves spear phishing campaigns, often utilizing malicious email attachments (e.g., Word documents, shortcut files) that leverage macros or Visual Basic scripts. They also employ watering hole attacks and exploit vulnerabilities in public-facing applications. In recent years, social engineering has become a cornerstone, with threat actors orchestrating elaborate fake job offers across platforms like LinkedIn, Telegram, GitHub, and even leveraging AI-powered deepfake Zoom meetings to target software developers, blockchain engineers, and DeFi teams. They are also known to exploit zero-day vulnerabilities for initial compromise and privilege escalation.

Once inside, APT38 conducts extensive reconnaissance, sometimes dwelling in networks for extended periods to map network topology, gather credentials, collect browser bookmark information, and enumerate system details like operating systems, versions, and installed security software. For persistence, they deploy custom backdoors, create new services, modify existing ones, utilize scheduled tasks (via Windows Task Scheduler or Linux cron), and implement web shells. Privilege escalation is achieved through methods like UAC bypass (e.g., via ieinstal.exe) and exploitation of Windows kernel flaws.

Defense evasion is a critical aspect of their operations. APT38 employs secure file deletion utilities (e.g., CLOSESHAVE), modifies data timestamps, and removes non-native files to reduce their forensic footprint. They pack implants using various methods (Themida, Enigma, VMProtect, Obsidium), rename system utilities (rundll32.exe, mshta.exe), and prepend spaces to terminal commands to avoid logging. Lateral movement techniques include credential theft using tools like Mimikatz, Pass-the-Hash, and enumerating network shares. Their command and control (C2) infrastructure often relies on custom backdoors such as QUICKRIDE and NESTEGG, communicating over HTTP, HTTPS, or raw TCP.

The final stages of an APT38 operation involve fund transfer and destruction. They deploy specialized malware to insert fraudulent SWIFT transactions, alter transaction histories, and orchestrate ATM cash-out schemes (FASTCash). Following the theft, APT38 often deploys destructive wiper malware, such as BOOTWRECK, to render victim networks inoperable, securely delete logs, and obliterate evidence, creating chaos that further aids their escape and money laundering efforts.

Notable Campaigns

APT38 has been linked to some of the most significant and audacious financial cyber incidents in history:

  • 2016 Bank of Bangladesh Heist: A highly coordinated operation that attempted to steal nearly $1 billion via the SWIFT system, ultimately netting $81 million due to a typo that prevented further transfers.
  • Attacks on Bancomext and Banco de Chile (2018): These incidents involved significant financial theft attempts and included the deployment of destructive wiper malware, such as in the Banco de Chile attack where thousands of workstations and hundreds of servers were destroyed.
  • FASTCash Campaigns (2016-Present): APT38 orchestrated automated teller machine (ATM) cash-out schemes, targeting banks’ retail payment infrastructure that processes ISO 8583 messages. These campaigns have involved withdrawing cash from ATMs in dozens of countries simultaneously and have evolved to target regional interbank payment processors.
  • Far Eastern International Bank of Taiwan (2017): This operation involved the theft of tens of millions of dollars, with funds moved to other accounts and the Hermes ransomware deployed.
  • Ongoing Cryptocurrency Thefts (2018-Present): APT38 has shifted significant focus to the cryptocurrency sector, exploiting vulnerabilities in blockchain bridges, decentralized finance (DeFi) platforms, and exchanges. Notable incidents include the $620 million theft from the Ronin Bridge, the $100 million Harmony Horizon Bridge hack, and a staggering $1.5 billion heist from the Bybit exchange in February 2025. Blockchain analysis attributes approximately $1.34 billion in crypto thefts across 47 incidents to the group in 2024 alone.
  • Earlier Bank Heists: Prior to these high-profile events, APT38 was involved in thefts from Banco del Austro in Ecuador ($12 million) and Vietnam’s Tien Phong Bank, as well as targeting banks in Poland and Mexico.
  • Supply Chain Attacks (2023): More recently, APT38 has adapted to industry defenses by engaging in sophisticated supply chain attacks, exploiting legitimate software to compromise organizations worldwide.

While often broadly attributed to the Lazarus Group, the destructive Sony Pictures Entertainment hack (2014) and the WannaCry ransomware campaign (2017) are also closely associated with North Korean state-sponsored activity, and APT38’s destructive methodology aligns with aspects of these attacks.

Associated Malware & Tools

APT38 boasts an extensive and continuously evolving arsenal of custom-developed malware, alongside the strategic use of legitimate and open-source tools:

  • Backdoors and Remote Access Trojans (RATs): QUICKRIDE, NESTEGG, KEYLIME (also a keylogger), CROWDEDFLOUNDER, HOPLIGHT, COPPERHEDGE, Manuscrypt (aka NukeSped), BLINDINGCAN, Bistromath, Dtrack, MATA, and Cryptoistic.
  • Wipers and Destructive Tools: BOOTWRECK (custom MBR wiper), CLOSESHAVE (secure file deletion), and various other custom disk-wiping malware used to destroy evidence and render systems inoperable. The Hermes ransomware has also been observed in their destructive operations.
  • Financial-Specific Malware: FASTCash (for both UNIX and Windows) is crucial for their ATM cash-out schemes, enabling them to generate fraudulent ISO 8583 messages to authorize withdrawals.
  • Information Stealers and Loaders: InvisibleFerret (Python-based reconnaissance, credential and wallet theft), BeaverTail (JavaScript-based information stealer and first-stage loader), and Bitsran (dropper/spreader for payloads).
  • Network Utilities: VIVACIOUSGIFT and ELECTRICFISH (network proxy tunneling tools) are used for maintaining access and C2.
  • Other Custom Tools: CLEANTOAD (modifies Registry keys), ECCENTRICBANDWAGON (keystroke and screen logging).
  • Commodity and Open-Source Tools: APT38 frequently leverages legitimate system utilities and open-source tools to blend in with normal network activity. This includes Mimikatz for credential dumping, ieinstal.exe for UAC bypass, mshta.exe, msiexec.exe, rundll32.exe for code execution, and Sysmon for reconnaissance.
  • Cryptocurrency-Focused Malware: AppleJeus and TraderTraitor are examples of trojanized cryptocurrency applications used to compromise victims in the crypto space.

Current Status

APT38 remains a highly active, evolving, and exceptionally dangerous threat to global financial stability. The group has demonstrated remarkable adaptability, transitioning its primary focus from traditional SWIFT banking systems to the burgeoning cryptocurrency and decentralized finance (DeFi) sectors since 2018. This shift is driven by the high liquidity and anonymity offered by crypto, which facilitates sanctions evasion and asset laundering.

Recent activities, extending into 2025 and even projections for 2026, indicate an intensification of their operations, with massive cryptocurrency thefts continuing to be attributed to the group. Their techniques are becoming more sophisticated, incorporating advanced social engineering tactics like multi-stage fake job offers on professional networking sites and even leveraging AI-powered deepfake Zoom meetings to enhance credibility. They are also expanding their attack surface to include cloud environments and supply chains, consistently developing cross-platform malware compatible with Windows, macOS, and Linux systems.

Despite international indictments, sanctions, and diplomatic efforts to curtail their activities, APT38 continues its relentless pursuit of funds to support the North Korean regime. Their operational patience, technical prowess, and willingness to employ destructive measures ensure they remain a critical and persistent threat to financial institutions worldwide. Security professionals must recognize that this adversary is well-resourced, highly motivated, and will continue to innovate its TTPs to achieve its financial objectives.

Worried this actor targets your sector?

Let's map your exposure before they find it themselves.

Book an advisory call