Security Experts:

Connect with us

Hi, what are you looking for?


Malware & Threats

Researchers Analyze North Korea-Linked NukeSped RAT

Fortinet security researchers took a deep dive into NukeSped malware samples that share multiple similarities with other malware families used by North Korean threat actors.

Fortinet security researchers took a deep dive into NukeSped malware samples that share multiple similarities with other malware families used by North Korean threat actors.

The remote access Trojan (RAT) is associated with the state-sponsored Lazarus Group, which is tracked by the U.S. government as Hidden Cobra. Last year, security researchers linked several North Korean hacking groups to Lazarus via code reuse and the newly analyzed samples reinforce that connection.

The analyzed malware samples, Fortinet reveals, share multiple characteristics, starting with the fact that they were compiled for 32-bit systems. They also feature encrypted strings to hinder analysis, and have compilation timestamps spanning from May 4, 2017 to February 13, 2018.

Most of the samples have the language ID for Korean and, in some cases, they even show the reuse of some functions, Fortinet’s security researchers have discovered.

The malware resolves functions dynamically, meaning that, at first, it appeared to invoke only few APIs. Furthermore, the import table was found to be short and to import a small number of common DLLs and functions.

NukeSped, the researchers also discovered, would also encrypt API names in an attempt to hinder static analysis. They also noticed that the order of the functions being loaded is very similar to other samples.

For persistence, the RAT inserts itself into a Run registry key, though in some cases it installs itself as a service.

The main functionality of the malware is to provide attackers with remote administration of the infected host.

Its list of features includes the ability to iterate files in a folder, create a process as another user, iterate processes and modules, terminate or create a process, write or read a file, move a file, get information about installed disks (including the disk type and the amount of free space on the disk), get the current directory, and change to a different directory.

The malware can also connect to a remote host, retrieve and launch additional payloads from the Internet, and remove itself and artifacts associated with it from the infected system.

Based on the analysis of the pattern of the encrypted strings and how the string is used for API loading, as well as the fact that the feature set and the structure of the main function (RAT) are reminiscent of FALLCHILL, Fortinet’s researchers believe the malware is linked to North Korea.

This conclusion, they say, is also based on the use of a specific cryptography blob in most samples of NukeSped, and on the fact that there are some file name references shared with HOPLIGHT. On top of that, 7 out of 10 NukeSped samples are in Korean.

“Given all the evidence so far, we can conclude that the NukeSped RATs have some relation to North Korea threat actors (HIDDEN COBRA),” Fortinet notes.

Related: U.S. Cyber Command Adds North Korean Malware Samples to VirusTotal

Related: U.S. Government Shares Details of FALLCHILL Malware Used by North Korea

Related: U.S. Attributes New Trojan to North Korean Hackers

Written By

Ionut Arghire is an international correspondent for SecurityWeek.

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join this webinar to learn best practices that organizations can use to improve both their resilience to new threats and their response times to incidents.


Join this live webinar as we explore the potential security threats that can arise when third parties are granted access to a sensitive data or systems.


Expert Insights

Related Content


The changing nature of what we still generally call ransomware will continue through 2023, driven by three primary conditions.


No one combatting cybercrime knows everything, but everyone in the battle has some intelligence to contribute to the larger knowledge base.


A recently disclosed vBulletin vulnerability, which had a zero-day status for roughly two days last week, was exploited in a hacker attack targeting the...


Websites of German airports, administration bodies and banks were hit by DDoS attacks attributed to Russian hacker group Killnet

Malware & Threats

Threat actors are increasingly abusing Microsoft OneNote documents to deliver malware in both targeted and spray-and-pray campaigns.


The North Korean APT tracked as TA444 is either moonlighting from its previous primary purpose, expanding its attack repertoire, or is being impersonated by...

Malware & Threats

Microsoft plans to improve the protection of Office users by blocking XLL add-ins from the internet.

Malware & Threats

A vulnerability affecting IBM’s Aspera Faspex file transfer solution, tracked as CVE-2022-47986, has been exploited in attacks.