THREATOPS Actor Dossier
LIVE ← Dashboard

APT38

G00822 reports
aliases · APT38 · NICKEL GLADSTONE · BeagleBoyz · Bluenoroff · Stardust Chollima · Sapphire Sleet · COPERNICIUM
Export dossier:
2
Reports
12
Techniques
9
Tactics
5
Countries
28%
Hunt coverage
7
Aliases

Analyst assessment — key judgments

  • Signature techniques: T1053.005 (Scheduled Task), T1113 (Screen Capture), T1033 (System Owner/User Discovery).
  • Primary targeting: KR, US, CN, IN.
  • Steady activity: 1 report(s) in last 30d vs 1 prior (+0%).
  • Recent movement: 5 new technique(s), 7 new infrastructure indicator(s) in the last 30 days.
  • Hunt coverage 28% of 43 observed techniques (31 gap(s)).
  • Assessment confidence: medium (60).

Activity & trend

SteadyLast 30d: 1 vs 1 prior (+0%)· first reported 2026-05-22 · last 2026-06-23
0
7d
1
30d
2
90d
2
All
0.2
Rpts/wk
Reporting timeline · 12 months

Movement — last 30 days

New techniques
T1588.006T1195T1552.004T1098.001T1589.001
Targeting gained
US
Targeting lost
CNINKP
New infrastructure
https://devops.com/github-takes-down-73-https://openssf.org/projects/slsa/https://whiteintel.io/blog/red-hat-miasmhttps://arstechnica.com/security/2026/03https://spycloud.com/resource/report/spyhttps://cybersecuritynews.com/binding-gyhttps://connect.tenable.com/category/new

Overview

Analyst triage
Intelligence summary

APT38 is a North Korean state-sponsored threat group that specializes in financial cyber operations; it has been attributed to the Reconnaissance General Bureau.(Citation: CISA AA20-239A BeagleBoyz August 2020) Active since at least 2014, APT38 has targeted banks, financial institutions, casinos, cryptocurrency exchanges, SWIFT system endpoints, and ATMs in at least 38 countries worldwide. Significant operations include the 2016 Bank of Bangladesh heist, during which APT38 stole $81 million, as well as attacks against Bancomext (Citation: FireEye APT38 Oct 2018) and Banco de Chile (Citation: FireEye APT38 Oct 2018); some of their attacks have been destructive.(Citation: CISA AA20-239A BeagleBoyz August 2020)(Citation: FireEye APT38 Oct 2018)(Citation: DOJ North Korea Indictment Feb 2021)(Citation: Kaspersky Lazarus Under The Hood Blog 2017)

North Korean group definitions are known to have significant overlap, and some security researchers report all North Korean state-sponsored cyber activity under the name Lazarus Group instead of tracking clusters or subgroups.

Top co-occurring indicators
    Aliases & naming
      Targeting · countries
        Targeting · named victims

          ATT&CK technique matrix

          Coverage vs hunt library:
          Hunt-coverage gaps — prioritized

            Top techniques by observation

            Threat catalogue · engineering roadmap0

            Flagged detection-engineering queue

            Uncovered techniques you flagged for hunt / detection build-out, aggregated across every actor you visit. Stored locally in your browser.

              No techniques queued yet — flag a gap above to add it here.

              Infrastructure

              IOC type mix
              Tooling / malware families
                Tracked infrastructure

                Relationships

                Related actors (behavioral cluster)
                  Attributed malware
                  Campaigns
                  No behavioral cluster, attributed malware, or campaigns recorded for this actor yet.

                  Activity

                  30-day mention timeline
                  Recent reporting
                  TitleSourceSeverityCollected