Higaisa
Aliases: None listed
Higaisa is a threat group suspected to have South Korean origins. Higaisa has targeted government, public, and trade organizations in North Korea; however, it has also carried out attacks in China, Japan, Russia, Poland, and other nations. Higaisa was first disclosed in early 2019 but is assessed to have operated as early as 2009.
ATT&CK techniques
T1059.005  Visual Basic
T1106      Native API
T1041      Exfiltration Over C2 Channel
T1574.002  DLL Side-Loading
T1124      System Time Discovery
T1090.001  Internal Proxy
T1204.002  Malicious File
T1027.013  Encrypted/Encoded File
T1053.005  Scheduled Task
T1082      System Information Discovery
T1566.001  Spearphishing Attachment
T1071.001  Web Protocols
T1001.003  Protocol or Service Impersonation
T1203      Exploitation for Client Execution
T1029      Scheduled Transfer
T1059.007  JavaScript
T1027.001  Binary Padding
T1220      XSL Script Processing
T1564.003  Hidden Window
T1573.001  Symmetric Cryptography
T1547.001  Registry Run Keys / Startup Folder
T1057      Process Discovery
T1036.004  Masquerade Task or Service
T1016      System Network Configuration Discovery
T1059.003  Windows Command Shell
T1140      Deobfuscate/Decode Files or Information