Andariel
A North Korea-linked RGB unit (Lazarus umbrella) that blends cyber-espionage with revenue generation. The U.S. sanctioned it in 2019 and, in 2024, indicted member Rim Jong Hyok for deploying Maui ransomware against U.S. hospitals and laundering the proceeds to fund further espionage.
Also known as: Onyx Sleet, APT45, Silent Chollima, DarkSeoul, Stonefly/Clasiopa (Rim Jong Hyok is an indicted member of the group, not an alias for it)
On attribution: Andariel is a North Korea-linked cluster within the Lazarus/RGB umbrella; attributions are those of the cited authorities (U.S. DOJ, CISA, Treasury).
Overview
Andariel — also tracked as Onyx Sleet, APT45, Silent Chollima, DarkSeoul, and Stonefly/Clasiopa — is a unit of North Korea's Reconnaissance General Bureau (3rd Bureau). It was sanctioned by the U.S. Treasury in September 2019. CISA and partners describe it as having evolved from destructive attacks into cyber-espionage (targeting defense, aerospace, nuclear, and engineering sectors) plus financially motivated ransomware. [1][2]
Maui ransomware and indictment
In July 2024 the U.S. DOJ unsealed an indictment charging Andariel member Rim Jong Hyok with conspiring to deploy "Maui" ransomware against U.S. hospitals and healthcare companies, extorting ransoms and laundering the proceeds — which were then used to fund further espionage intrusions against government, defense, and technology targets. The State Department offered up to $10 million for information; Rim remains at large. [1][2]
See also
- Angel Drainer (Organizations & groups): A wallet-drainer-as-a-service operation (≈85/15 affiliate/developer split) specialized in EVM chains. Most notably, Angel Drainer malware was used in the December 2023 Ledger Connect Kit supply-chain attack, which drained roughly $500K–$600K from DeFi users in a few hours.
- Monkey Drainer (Organizations & groups): An early, prolific wallet-drainer-as-a-service crew (active into early 2023) that focused on high-value NFTs and is estimated to have facilitated roughly $13–16.5M in theft before announcing it was "shutting down" and pointing affiliates to rival drainers.
- Phemex hack (Exchanges & platforms)
This page was last updated on Jun 8, 2026.