>samit_hota
Back to adversary profiles
G0126HighActive

Higaisa (G0126) Threat Actor Profile

Samit Hota·
Suspected Origin
South Korea (suspected)
Motivation
Espionage
Aliases
None documented
Target Sectors
Government, Public, Trade, Diplomatic Entities, Human Rights Organizations
Associated Malware
Gh0st, PlugX, Custom Droppers, Custom Downloaders, Rust-based malware, Shellcode Loaders
#threat-actor#g0126

Overview

Higaisa, identified by MITRE ATT&CK as G0126, is an advanced persistent threat (APT) group believed to originate from South Korea. This attribution, initially disclosed by Tencent Security Threat Intelligence Center in early 2019, is supported by circumstantial evidence found in their operational code, such as references to the “NIS” (National Intelligence Service of the Republic of Korea) and the South Korean film “Parasite” (SK_Parasite). While first publicly documented in 2019, Higaisa’s activities are assessed to have begun as early as 2009, with some reports tracing their malicious operations back to at least 2016.

The primary motivation behind Higaisa’s operations appears to be espionage and intelligence collection. The group consistently targets entities that align with geopolitical interests, particularly those concerning North Korea. Their victimology extends beyond government bodies to include public organizations, trade organizations, diplomatic missions, human rights groups, and even North Korean residents abroad. Geographically, Higaisa’s campaigns have predominantly focused on North Korea, but they have also launched attacks in other nations across Asia and Europe, including China, Japan, Russia, Poland, Nepal, Singapore, and Switzerland. Recent activity in late 2023 indicates a specific focus on Chinese users.

Tactics & Techniques

Higaisa demonstrates a consistent and evolving set of tactics, techniques, and procedures (TTPs) aimed at achieving persistent access and exfiltrating sensitive information. Their initial access frequently relies on spear-phishing campaigns, using carefully crafted lures delivered via email. These lures often capitalize on current events, such as the COVID-19 pandemic, or significant cultural and political dates like New Year greetings, Chinese Lantern Festival wishes, or North Korean national holidays. Malicious attachments are a hallmark of their initial infection vector, often appearing as LNK files disguised as legitimate documents (e.g., PDFs), RTF documents, or XSL files. More recently, Higaisa has been observed using phishing websites that mimic legitimate software portals, such as OpenVPN, Google Meet, and Zoom, to distribute their payloads.

Upon successful execution, Higaisa employs various methods for code execution and persistence. They are known to leverage native operating system utilities like cmd.exe and scripting languages such as VBScript and JavaScript. The group has exploited vulnerabilities like CVE-2018-0798 for execution. For persistence, Higaisa often places spoofed binaries in startup folders, uses scheduled tasks (e.g., by dropping officeupdate.exe), or manipulates registry keys to ensure their malware launches as a system service upon boot. A notable technique involves DLL side-loading, where a legitimate Microsoft Office 2007 package is used to load a malicious OINFO12.OCX dynamic link library.

Defense evasion is a key aspect of Higaisa’s operations. They frequently spoof legitimate processes and files, such as naming a shellcode loader svchast.exe to impersonate svchost.exe. They utilize certutil.exe for decoding Base64 binaries at runtime and employ anti-debugging and decryption operations within their shellcode to hinder analysis. The use of valid digital signatures on their malware further reduces the likelihood of detection by security solutions. To gather information about compromised systems, Higaisa collects system GUIDs, computer names, volume serial numbers, and network configuration details using tools like ipconfig. They also probe for system proxy settings. Command and Control (C2) communications often occur over HTTP and HTTPS, sometimes using deceptive FakeTLS sessions. They employ AES-128 encryption for C2 traffic and embed victim identifiers in User-Agent strings. Data exfiltration typically occurs via these established C2 channels.

Notable Campaigns

Higaisa has a history of adapting its lures and delivery mechanisms to maximize effectiveness. In March 2020, they were observed leveraging the global concern around the COVID-19 pandemic, distributing malicious files disguised as COVID-19 related reports or updates. Concurrent campaigns in May 2020 continued to utilize LNK files as a primary infection vector, with Zscaler attributing these to Higaisa based on code overlap and similar TTPs.

A significant recent campaign was identified in October 2023 by Cyble Research and Intelligence Labs (CRIL). This campaign specifically targeted Chinese users through highly deceptive phishing websites. These sites mimicked popular software, including OpenVPN, Google Meet, and Zoom, to trick users into downloading and executing malicious installers. The installers delivered Rust-based malware and shellcode, establishing encrypted Command and Control (C2) communications with the threat actors. This illustrates Higaisa’s ongoing activity and their consistent effort to refine their attack infrastructure and maintain evasion capabilities.

Associated Malware & Tools

Higaisa employs a blend of well-known and custom-developed malware. Historically, they have been associated with widely used Trojans such as Gh0st and PlugX, as well as mobile malware. Their custom toolkit includes sophisticated droppers and downloaders, often utilizing simple RC4 decryption with specific keys like ssove0117 and Higaisakora.0 to unpack their payloads.

Recent campaigns, particularly the October 2023 activity, have featured the deployment of Rust-based malware and shellcode loaders. The shellcode itself is designed with anti-analysis features, performing anti-debugging and multi-stage decryption operations. While some initial analyses in May 2020 temporarily linked Higaisa to the Crosswalk, ShadowPad, and FunnySwitch backdoors, further detailed investigation by Positive Technologies determined these samples actually belonged to the Winnti group (APT41). Therefore, these specific backdoors are not directly attributable to Higaisa, though the initial confusion highlights the overlapping nature of certain TTPs among APT groups.

Current Status

Higaisa remains an active and evolving threat group. Public reporting, including analyses from August 2024 (referencing a March 2020 study) and February 2024, confirms their ongoing operations. The October 2023 campaign, specifically targeting Chinese users with phishing sites and Rust-based malware, demonstrates their sustained capability and willingness to update their TTPs and toolset. Security researchers consistently observe Higaisa adapting their evasion techniques and network communication protocols to counter detection, indicating a persistent and resourceful adversary. Organizations, particularly those in government, public, and trade sectors in their target regions, should continue to monitor for Higaisa’s evolving methods and implement robust defenses against spear-phishing, supply chain compromises, and malware delivery via deceptive websites.

Worried this actor targets your sector?

Let's map your exposure before they find it themselves.

Book an advisory call