Darkhotel
Aliases: DUBNIUM, Zigzag Hail
Darkhotel is a suspected South Korean threat group that has targeted victims primarily in East Asia since at least 2004. The group's name is based on cyber espionage operations conducted via hotel Internet networks against traveling executives and other select guests. Darkhotel has also conducted spearphishing campaigns and infected victims through peer-to-peer and file sharing networks.
ATT&CK techniques
T1518.001 - Security Software Discovery
T1497.002 - User Activity Based Checks
T1027.013 - Encrypted/Encoded File
T1573.001 - Symmetric Cryptography
T1080 - Taint Shared Content
T1082 - System Information Discovery
T1056.001 - Keylogging
T1566.001 - Spearphishing Attachment
T1057 - Process Discovery
T1140 - Deobfuscate/Decode Files or Information
T1189 - Drive-by Compromise
T1091 - Replication Through Removable Media
T1497 - Virtualization/Sandbox Evasion
T1497.001 - System Checks
T1124 - System Time Discovery
T1553.002 - Code Signing
T1016 - System Network Configuration Discovery
T1083 - File and Directory Discovery
T1059.003 - Windows Command Shell
T1036.005 - Match Legitimate Name or Location
T1105 - Ingress Tool Transfer
T1547.001 - Registry Run Keys / Startup Folder
T1203 - Exploitation for Client Execution
T1204.002 - Malicious File
T1547.009 - Shortcut Modification