Darkhotel
G00121 reportsaliases · Darkhotel · DUBNIUM · Zigzag Hail
1
Reports
2
Techniques
2
Tactics
1
Countries
100%
Hunt coverage
3
Aliases
Analyst assessment — key judgments
- Signature techniques: T1589.002 (Email Addresses), T1027.007 (Dynamic API Resolution).
- Primary targeting: JP.
- Currently dormant: 0 report(s) in last 30d vs 0 prior (+0%).
- Hunt coverage 100% of 2 observed techniques (0 gap(s)).
- Assessment confidence: medium (60).
Activity & trend
DormantLast 30d: 0 vs 0 prior (+0%)· first reported 2025-11-05 · last 2025-11-05
0
7d
0
30d
0
90d
1
All
0.0
Rpts/wk
Reporting timeline · 12 months
Movement — last 30 days
Dropped (90d+)
T1589.002T1027.007Overview
Analyst triage
Intelligence summary
Darkhotel is a suspected South Korean threat group that has targeted victims primarily in East Asia since at least 2004. The group's name is based on cyber espionage operations conducted via hotel Internet networks against traveling executives and other select guests. Darkhotel has also conducted spearphishing campaigns and infected victims through peer-to-peer and file sharing networks.(Citation: Kaspersky Darkhotel)(Citation: Securelist Darkhotel Aug 2015)(Citation: Microsoft Digital Defense FY20 Sept 2020)
Top co-occurring indicators
Aliases & naming
Targeting · countries
Targeting · named victims
ATT&CK technique matrix
Coverage vs hunt library:
—
Hunt-coverage gaps — prioritized
Top techniques by observation
- T1589.002 · Email Addressesconf 601
- T1027.007 · Dynamic API Resolutionconf 601
Threat catalogue · engineering roadmap
Flagged detection-engineering queue
Uncovered techniques you flagged for hunt / detection build-out, aggregated across every actor you visit. Stored locally in your browser.
Infrastructure
IOC type mix
Tooling / malware families
Relationships
Activity
30-day mention timeline
Recent reporting
| Title | Source | Severity | Collected |
|---|