T1074.001 | lazarus.day

#T1074.001 Local Data Staging

Technique

Tactics: Collection
Description:
Adversaries may stage collected data in a central location or directory on the local system prior to Exfiltration. Data may be kept in separate files or combined into one file through techniques such as Archive Collected Data. Interactive command shells may be used, and common functionality within cmd and bash may be used to copy data into a staging location.

Adversaries may also stage collected data in various available formats/locations of a system, including local storage databases/repositories or the Windows Registry.(Citation: Prevailion DarkWatchman 2021)
First Seen: North Korean Advanced Persistent Threat Focus: Kimsuky • 2020-10-27

MITRE ATT&CK

17

Tagged Reports
11

Unique Authors
1,912

Active Days

Tagged Reports

2026-01-20

Picus Security

BlueNoroff Group: The Financial Cybercrime Arm of Lazarus

#Bluenoroff #T1593 #T1589 #T1543.001 #T1562.001 #T1059.002 #T1016 #T1059.005 #T1018 #T1566.003 #T1552.001 #T1583.003 #T1027.002 #T1204.004 #T1082 #T1548.002 #T1598.001 #T1074.001 #T1087.001 #T1547.001 #T1588.002 #T1005 #T1059.007 #T1587.001 #T1056.002 #T1176.001 #T1071.001 #T1543.004 #T1055 #T1027.010 #T1583.001 #T1036.005 #T1566.002 #T1548.006 #T1657

2025-08-13

Cyfirma

APT PROFILE – LAZARUS GROUP

#Lazarus #T1090.001 #T1134.002 #T1562.001 #T1543.003 #T1059.003 #T1553.002 #T1614.001 #T1074.001 #T1485 #T1591 #T1218.011 #T1620 #T1078 #T1587.001 #T1027.007 #T1010 #T1571 #T1090.002 #T1218.010 #T1542.003 #T1583.001 #T1033 #T1497.001 #T1560.002 #T1203 #T1036 #T1012 #T1016 #T1059.005 #T1106 #T1027 #T1566.003 #T1027.002 #T1562.004 #T1529 #T1049 #T1140 #T1585.001 #T1005 #T1053.005 #T1564.001 #T1608.001 #T1105 #T1046 #T1491.001 #T1055.001 #T1070 #T1589.002 #T1036.005 #T1110 #T1547.009 #T1489 #T1110.003 #T1534 #T1047 #T1573 #T1588.004 #T1104 #T1036.003 #T1591.004 #T1001.003 #T1057 #T1082 #T1561.002 #T1566.001 #T1574.013 #T1561.001 #T1608.002 #T1585.002 #T1218 #T1588.002 #T1036.004 #T1204.001 #T1041 #T1560 #T1202 #T1071.001 #T1218.005 #T1059.001 #T1593.001 #T1189 #T1124 #T1056.001 #T1070.006 #T1008 #T1102.002 #T1048.003 #T1583.006 #T1221 #T1557.001 #T1098 #T1547.001 #T1567.002 #T1584.004 #T1087.002 #T1070.004 #T1560.003 #T1070.003 #T1583.004 #T1132.001 #T1588.003 #T1021.002 #T1204.002 #T1220 #T1574.002 #T1083 #T1566.002 #T1021.001 #T1021.004 #T1584.001

2025-02-20

ESET

DeceptiveDevelopment targets freelance developers

#BeaverTail #DeceptiveDevelopment #InvisibleFerret #T1025 #T1567.004 #T1555.001 #T1027.013 #T1016 #T1071.002 #T1566.003 #T1564.003 #T1552.001 #T1583.003 #T1082 #T1614 #T1119 #T1059.003 #T1074.001 #T1140 #T1030 #T1585.001 #T1005 #T1059.007 #T1587.001 #T1041 #T1564.001 #T1010 #T1219 #T1608.001 #T1204.002 #T1571 #T1071.001 #T1059.006 #T1115 #T1083 #T1124 #T1555.003 #T1056.001 #T1133 #T1021.001 #T1095 #T1560.002 #T1657 #T1217

2025-02-12

Cyfirma

APT PROFILE – APT43

#APT43 #T1055.012 #T1562.001 #T1190 #T1587 #T1543.003 #T1059.003 #T1074.001 #T1553.002 #T1591 #T1218.011 #T1587.001 #T1588.005 #T1598.003 #T1594 #T1218.010 #T1557 #T1007 #T1583.001 #T1555.003 #T1036 #T1012 #T1016 #T1059.005 #T1027 #T1071.002 #T1027.002 #T1562.004 #T1111 #T1003.001 #T1140 #T1585.001 #T1005 #T1114.003 #T1053.005 #T1608.001 #T1105 #T1114.002 #T1589.002 #T1036.005 #T1534 #T1078.003 #T1552.001 #T1560.001 #T1136.001 #T1057 #T1082 #T1550.002 #T1518.001 #T1176 #T1566.001 #T1071.003 #T1585.002 #T1588.002 #T1036.004 #T1204.001 #T1586.002 #T1041 #T1219 #T1589.003 #T1071.001 #T1564.002 #T1112 #T1218.005 #T1059.001 #T1593.001 #T1040 #T1546.001 #T1056.001 #T1070.006 #T1102.002 #T1583.006 #T1564.003 #T1098 #T1593.002 #T1547.001 #T1567.002 #T1059.007 #T1070.004 #T1560.003 #T1505.003 #T1583.004 #T1204.002 #T1055 #T1059.006 #T1083 #T1133 #T1566.002 #T1021.001 #T1584.001

2024-12-27

Picus Security

Exposing the Steps of the Kimsuky APT Group

#Kimsuky #RandomQuery #GoldDragon #xRAT #T1055 #T1114.003 #T1082 #T1566.001 #T1059.001 #T1074.001 #T1219 #T1560 #T1059.005 #T1059.004 #T1027 #T1056.001 #T1573.001 #T1048 #T1547.001 #T1562.004 #T1071.001 #T1003

2024-09-12

Cyfirma

APT PROFILE – KIMSUKY

#Kimsuky #T1055.012 #T1562.001 #T1190 #T1587 #T1543.003 #T1059.003 #T1074.001 #T1553.002 #T1591 #T1218.011 #T1587.001 #T1588.005 #T1598.003 #T1594 #T1218.010 #T1557 #T1007 #T1583.001 #T1555.003 #T1036 #T1012 #T1016 #T1059.005 #T1027 #T1071.002 #T1027.002 #T1562.004 #T1111 #T1003.001 #T1140 #T1585.001 #T1005 #T1114.003 #T1053.005 #T1608.001 #T1105 #T1114.002 #T1589.002 #T1036.005 #T1534 #T1078.003 #T1552.001 #T1560.001 #T1136.001 #T1057 #T1082 #T1550.002 #T1518.001 #T1176 #T1566.001 #T1071.003 #T1585.002 #T1588.002 #T1036.004 #T1204.001 #T1586.002 #T1041 #T1219 #T1589.003 #T1071.001 #T1564.002 #T1112 #T1218.005 #T1059.001 #T1593.001 #T1040 #T1546.001 #T1056.001 #T1070.006 #T1102.002 #T1583.006 #T1564.003 #T1098 #T1593.002 #T1547.001 #T1567.002 #T1059.007 #T1070.004 #T1560.003 #T1505.003 #T1583.004 #T1204.002 #T1055 #T1059.006 #T1083 #T1133 #T1566.002 #T1021.001 #T1584.001

2024-08-05

KRNCSC

북한 해킹조직의 건설ㆍ기계 분야 기술절취 주의

#Kimsuky #DoraRAT #TrollAgent #Andariel #T1119 #T1005 #T1083 #T1036 #T1074.001 #T1041 #T1113 #T1573.002 #T1195 #T1189 #T1204.002 #T1027.002 #T1071.001 #T1217

2024-07-16

Rapid7

Kimsuky's Phishing and Payload Tactics

#Kimsuky #T1547.001 #T1053.005 #T1074.001 #T1543.003 #T1218

2024-04-05

Plainbit

Analysis of *.chm malware

#CHM #T1059.003 #T1083 #T1566 #T1053.005 #T1059.001 #T1074.001 #T1041 #T1132.001 #T1485 #T1059.005 #T1057 #T1204.002 #T1560.001 #T1105 #T1218.001 #T1082

2023-09-27

Ptsecurity

Dark River. You can't see them, but they're there

#MataDoor #DarkRiver #CVE-2021-40444 #T1090.001 #T1016 #T1106 #T1018 #T1622 #T1543.003 #T1027.002 #T1071 #T1057 #T1082 #T1572.001 #T1059.003 #T1566.001 #T1074.001 #T1572 #T1218.011 #T1620 #T1135 #T1049 #T1140 #T1030 #T1005 #T1036.004 #T1041 #T1129 #T1572.002 #T1571 #T1090.002 #T1046 #T1218.010 #T1132 #T1112 #T1083 #T1124 #T1033 #T1095 #T1560.002 #T1090.003 #T1008

2023-04-26

Attack IQ

Emulating Kimsuky's Espionage Operations

#Kimsuky #T1047 #T1016 #T1057 #T1082 #T1518.001 #T1074.001 #T1218.011 #T1547.001 #T1140 #T1053.005 #T1041 #T1105 #T1071.001 #T1218.010 #T1087 #T1115 #T1083 #T1033 #T1056.001 #T1048.002

2023-01-05

Attack IQ

Emulating the Highly Sophisticated North Korean Adversary Lazarus Group

#Trend #DreamJob #Inception #MagicRAT #Sharpshooter #ThreatNeedle #T1025 #T1047 #T1012 #T1016 #T1543.003 #T1057 #T1082 #T1552.002 #T1074.001 #T1572 #T1218.011 #T1547.001 #T1049 #T1003.002 #T1053.005 #T1041 #T1048.001 #T1105 #T1071.001 #T1220 #T1046 #T1218.010 #T1055 #T1112 #T1083 #T1007 #T1033 #T1036.005 #T1003

2022-12-22

Attack IQ

Emulating the Politically Motivated North Korean Adversary Andariel

#Andariel #T1012 #T1016 #T1057 #T1082 #T1074.001 #T1016.001 #T1120 #T1218.011 #T1547.001 #T1197 #T1049 #T1041 #T1053.005 #T1105 #T1071.001 #T1218.010 #T1083 #T1486 #T1033 #T1036.005 #T1217

2022-11-30

ESET

Who’s swimming in South Korean waters? Meet ScarCruft’s Dolphin

#Scarcruft #Dolphin #T1025 #T1102.002 #T1203 #T1016 #T1106 #T1027 #T1082 #T1119 #T1518.001 #T1074.001 #T1016.001 #T1547.001 #T1567.002 #T1005 #T1059.007 #T1053.005 #T1539 #T1010 #T1113 #T1020 #T1055.002 #T1071.001 #T1059.006 #T1083 #T1189 #T1124 #T1555.003 #T1033 #T1056.001 #T1560.002

2022-04-29

PWC

Cyber Threats 2021: A Year in Retrospect

#Trend #BlackBanshee #BlackAlicanto #T1589 #T1069 #T1190 #T1608 #T1036 #T1573 #T1036.007 #T1059.005 #T1068 #T1027 #T1570 #T1595 #T1048 #T1592 #T1615 #T1071 #T1482 #T1057 #T1082 #T1056 #T1059.003 #T1221 #T1566.001 #T1566 #T1074.001 #T1614.001 #T1016.001 #T1591 #T1548 #T1090 #T1547.001 #T1620 #T1049 #T1021 #T1135 #T1005 #T1078 #T1204.001 #T1070.004 #T1053.005 #T1041 #T1113 #T1132.001 #T1555 #T1560 #T1204.002 #T1105 #T1071.001 #T1039 #T1132 #T1547 #T1112 #T1070 #T1087 #T1083 #T1486 #T1124 #T1033 #T1210 #T1110 #T1095 #T1204 #T1059 #T1003

« Back