Skip to content

Hide Navigation Hide TOC

Darkhotel - G0012 (9e729a7e-0dd6-4097-95bf-db8d64911383)

Darkhotel is a suspected South Korean threat group that has targeted victims primarily in East Asia since at least 2004. The group's name is based on cyber espionage operations conducted via hotel Internet networks against traveling executives and other select guests. Darkhotel has also conducted spearphishing campaigns and infected victims through peer-to-peer and file sharing networks.(Citation: Kaspersky Darkhotel)(Citation: Securelist Darkhotel Aug 2015)(Citation: Microsoft Digital Defense FY20 Sept 2020)

Cluster A Galaxy A Cluster B Galaxy B Level
Darkhotel - G0012 (9e729a7e-0dd6-4097-95bf-db8d64911383) Intrusion Set Code Signing - T1553.002 (32901740-b42c-4fdd-bc02-345b5dc57082) Attack Pattern 1
Virtualization/Sandbox Evasion - T1497 (82caa33e-d11a-433a-94ea-9b5a5fbef81d) Attack Pattern Darkhotel - G0012 (9e729a7e-0dd6-4097-95bf-db8d64911383) Intrusion Set 1
Encrypted/Encoded File - T1027.013 (0d91b3c0-5e50-47c3-949a-2a796f04d144) Attack Pattern Darkhotel - G0012 (9e729a7e-0dd6-4097-95bf-db8d64911383) Intrusion Set 1
File and Directory Discovery - T1083 (7bc57495-ea59-4380-be31-a64af124ef18) Attack Pattern Darkhotel - G0012 (9e729a7e-0dd6-4097-95bf-db8d64911383) Intrusion Set 1
Darkhotel - G0012 (9e729a7e-0dd6-4097-95bf-db8d64911383) Intrusion Set Darkhotel - APT-C-06 (f52ab8b8-71f2-5a88-946f-853dc3441efe) 360.net Threat Actors 1
User Activity Based Checks - T1497.002 (91541e7e-b969-40c6-bbd8-1b5352ec2938) Attack Pattern Darkhotel - G0012 (9e729a7e-0dd6-4097-95bf-db8d64911383) Intrusion Set 1
Security Software Discovery - T1518.001 (cba37adb-d6fb-4610-b069-dd04c0643384) Attack Pattern Darkhotel - G0012 (9e729a7e-0dd6-4097-95bf-db8d64911383) Intrusion Set 1
Darkhotel - G0012 (9e729a7e-0dd6-4097-95bf-db8d64911383) Intrusion Set Taint Shared Content - T1080 (246fd3c7-f5e3-466d-8787-4c13d9e3b61c) Attack Pattern 1
Darkhotel - G0012 (9e729a7e-0dd6-4097-95bf-db8d64911383) Intrusion Set Keylogging - T1056.001 (09a60ea3-a8d1-4ae5-976e-5783248b72a4) Attack Pattern 1
Process Discovery - T1057 (8f4a33ec-8b1f-4b80-a2f6-642b2e479580) Attack Pattern Darkhotel - G0012 (9e729a7e-0dd6-4097-95bf-db8d64911383) Intrusion Set 1
Darkhotel - G0012 (9e729a7e-0dd6-4097-95bf-db8d64911383) Intrusion Set Windows Command Shell - T1059.003 (d1fcf083-a721-4223-aedf-bf8960798d62) Attack Pattern 1
Darkhotel - G0012 (9e729a7e-0dd6-4097-95bf-db8d64911383) Intrusion Set Ingress Tool Transfer - T1105 (e6919abc-99f9-4c6c-95a5-14761e7b2add) Attack Pattern 1
Deobfuscate/Decode Files or Information - T1140 (3ccef7ae-cb5e-48f6-8302-897105fbf55c) Attack Pattern Darkhotel - G0012 (9e729a7e-0dd6-4097-95bf-db8d64911383) Intrusion Set 1
Darkhotel - G0012 (9e729a7e-0dd6-4097-95bf-db8d64911383) Intrusion Set Symmetric Cryptography - T1573.001 (24bfaeba-cb0d-4525-b3dc-507c77ecec41) Attack Pattern 1
Registry Run Keys / Startup Folder - T1547.001 (9efb1ea7-c37b-4595-9640-b7680cd84279) Attack Pattern Darkhotel - G0012 (9e729a7e-0dd6-4097-95bf-db8d64911383) Intrusion Set 1
Match Legitimate Resource Name or Location - T1036.005 (1c4e5d32-1fe9-4116-9d9d-59e3925bd6a2) Attack Pattern Darkhotel - G0012 (9e729a7e-0dd6-4097-95bf-db8d64911383) Intrusion Set 1
System Network Configuration Discovery - T1016 (707399d6-ab3e-4963-9315-d9d3818cd6a0) Attack Pattern Darkhotel - G0012 (9e729a7e-0dd6-4097-95bf-db8d64911383) Intrusion Set 1
System Time Discovery - T1124 (f3c544dc-673c-4ef3-accb-53229f1ae077) Attack Pattern Darkhotel - G0012 (9e729a7e-0dd6-4097-95bf-db8d64911383) Intrusion Set 1
Darkhotel - G0012 (9e729a7e-0dd6-4097-95bf-db8d64911383) Intrusion Set Replication Through Removable Media - T1091 (3b744087-9945-4a6f-91e8-9dbceda417a4) Attack Pattern 1
Darkhotel - G0012 (9e729a7e-0dd6-4097-95bf-db8d64911383) Intrusion Set System Checks - T1497.001 (29be378d-262d-4e99-b00d-852d573628e6) Attack Pattern 1
Exploitation for Client Execution - T1203 (be2dcee9-a7a7-4e38-afd6-21b31ecc3d63) Attack Pattern Darkhotel - G0012 (9e729a7e-0dd6-4097-95bf-db8d64911383) Intrusion Set 1
Darkhotel - G0012 (9e729a7e-0dd6-4097-95bf-db8d64911383) Intrusion Set Spearphishing Attachment - T1566.001 (2e34237d-8574-43f6-aace-ae2915de8597) Attack Pattern 1
Darkhotel - G0012 (9e729a7e-0dd6-4097-95bf-db8d64911383) Intrusion Set Malicious File - T1204.002 (232b7f21-adf9-4b42-b936-b9d6f7df856e) Attack Pattern 1
System Information Discovery - T1082 (354a7f88-63fb-41b5-a801-ce3b377b36f1) Attack Pattern Darkhotel - G0012 (9e729a7e-0dd6-4097-95bf-db8d64911383) Intrusion Set 1
Drive-by Compromise - T1189 (d742a578-d70e-4d0e-96a6-02a9c30204e6) Attack Pattern Darkhotel - G0012 (9e729a7e-0dd6-4097-95bf-db8d64911383) Intrusion Set 1
Subvert Trust Controls - T1553 (b83e166d-13d7-4b52-8677-dff90c548fd7) Attack Pattern Code Signing - T1553.002 (32901740-b42c-4fdd-bc02-345b5dc57082) Attack Pattern 2
Encrypted/Encoded File - T1027.013 (0d91b3c0-5e50-47c3-949a-2a796f04d144) Attack Pattern Obfuscated Files or Information - T1027 (b3d682b6-98f2-4fb0-aa3b-b4df007ca70a) Attack Pattern 2
DarkHotel (b8c8b96d-61e6-47b1-8e38-fd8ad5d9854d) Threat Actor Darkhotel - APT-C-06 (f52ab8b8-71f2-5a88-946f-853dc3441efe) 360.net Threat Actors 2
Zigzag Hail (0a4ddab3-a1a6-5372-b11f-5edc25c0e548) Microsoft Activity Group actor Darkhotel - APT-C-06 (f52ab8b8-71f2-5a88-946f-853dc3441efe) 360.net Threat Actors 2
DUBNIUM (b56af6ab-69f8-457a-bf50-c3aefa6dc14a) Microsoft Activity Group actor Darkhotel - APT-C-06 (f52ab8b8-71f2-5a88-946f-853dc3441efe) 360.net Threat Actors 2
User Activity Based Checks - T1497.002 (91541e7e-b969-40c6-bbd8-1b5352ec2938) Attack Pattern Virtualization/Sandbox Evasion - T1497 (82caa33e-d11a-433a-94ea-9b5a5fbef81d) Attack Pattern 2
Security Software Discovery - T1518.001 (cba37adb-d6fb-4610-b069-dd04c0643384) Attack Pattern Software Discovery - T1518 (e3b6daca-e963-4a69-aee6-ed4fd653ad58) Attack Pattern 2
Keylogging - T1056.001 (09a60ea3-a8d1-4ae5-976e-5783248b72a4) Attack Pattern Input Capture - T1056 (bb5a00de-e086-4859-a231-fa793f6797e2) Attack Pattern 2
Command and Scripting Interpreter - T1059 (7385dfaf-6886-4229-9ecd-6fd678040830) Attack Pattern Windows Command Shell - T1059.003 (d1fcf083-a721-4223-aedf-bf8960798d62) Attack Pattern 2
Encrypted Channel - T1573 (b8902400-e6c5-4ba2-95aa-2d35b442b118) Attack Pattern Symmetric Cryptography - T1573.001 (24bfaeba-cb0d-4525-b3dc-507c77ecec41) Attack Pattern 2
Registry Run Keys / Startup Folder - T1547.001 (9efb1ea7-c37b-4595-9640-b7680cd84279) Attack Pattern Boot or Logon Autostart Execution - T1547 (1ecb2399-e8ba-4f6b-8ba7-5c27d49405cf) Attack Pattern 2
Match Legitimate Resource Name or Location - T1036.005 (1c4e5d32-1fe9-4116-9d9d-59e3925bd6a2) Attack Pattern Masquerading - T1036 (42e8de7b-37b2-4258-905a-6897815e58e0) Attack Pattern 2
Virtualization/Sandbox Evasion - T1497 (82caa33e-d11a-433a-94ea-9b5a5fbef81d) Attack Pattern System Checks - T1497.001 (29be378d-262d-4e99-b00d-852d573628e6) Attack Pattern 2
Phishing - T1566 (a62a8db3-f23a-4d8f-afd6-9dbc77e7813b) Attack Pattern Spearphishing Attachment - T1566.001 (2e34237d-8574-43f6-aace-ae2915de8597) Attack Pattern 2
User Execution - T1204 (8c32eb4d-805f-4fc5-bf60-c4d476c131b5) Attack Pattern Malicious File - T1204.002 (232b7f21-adf9-4b42-b936-b9d6f7df856e) Attack Pattern 2
DarkHotel (b8c8b96d-61e6-47b1-8e38-fd8ad5d9854d) Threat Actor Zigzag Hail (0a4ddab3-a1a6-5372-b11f-5edc25c0e548) Microsoft Activity Group actor 3
DarkHotel (b8c8b96d-61e6-47b1-8e38-fd8ad5d9854d) Threat Actor DUBNIUM (b56af6ab-69f8-457a-bf50-c3aefa6dc14a) Microsoft Activity Group actor 3