The ERP Breach: North Korea’s Andariel Group Strikes Europe with New Malware
The North Korean-aligned cyber-espionage group Andariel has reasserted its presence through a sophisticated campaign targeting entities across Europe and South Korea. A comprehensive analysis by WithSecure shows that the group is not merely intensifying its surveillance of government institutions but is also actively refining its proprietary arsenal, introducing previously undocumented Remote Access Trojans (RATs).
In 2025, specialists intercepted a clandestine intrusion in Europe, primarily targeting a public-sector institution. The adversaries established a persistent foothold using the TigerRAT malware, which served as a long-term access point. Through this conduit, they manually orchestrated system maneuvers, harvested telemetry, and executed lateral movement across the network.
Of particular interest to the attackers were dossiers pertaining to anti-money laundering protocols. Investigators contend that the principal objective of this operation was strategic espionage, aligning with the DPRK’s broader imperative to procure sensitive intelligence in order to circumvent international sanctions.
The investigation further unveiled a staging server maintained by Andariel, which harbored a suite of offensive instruments and command-and-control (C2) infrastructure. Forensic examination of this repository exposed an expansive campaign centered on South Korea, where the group infiltrated a prominent ERP (Enterprise Resource Planning) software provider. Given that this provider’s solutions are utilized by over 2,200 organizations across the public sector, IT, healthcare, and manufacturing, the potential for systemic compromise was immense.
The attack was carried out by subverting the provider’s update servers: malicious artifacts replaced legitimate ERP binaries, surreptitiously installing three previously undocumented Trojans: JelusRAT, StarshellRAT, and GopherRAT. These instruments empower the operators to command infected hosts, exfiltrate files, capture screen imagery, and establish covert communication channels.
The report highlights Andariel’s adoption of cutting-edge evasion tactics, most notably the BYOVD (Bring Your Own Vulnerable Driver) technique. By weaponizing susceptible, legitimate drivers to neutralize antivirus and EDR (Endpoint Detection and Response) systems, the group demonstrates an escalating technical maturity and a commitment to operational invisibility.
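The defensive counterpart to the BYOVD technique described above is watching kernel driver loads for drivers that are validly signed yet known to be exploitable. The following is an added example, not code from the WithSecure report or from any Andariel tooling: it parses constructed driver-load records shaped after the fields of a Sysmon Event ID 6 ("Driver loaded") entry and flags a load when its hash appears in a blocklist of known-vulnerable drivers, when the signature did not validate, or when the driver was loaded from an unusual directory. The hashes, paths, vendor name and log lines are all constructed placeholders; a real deployment would populate the blocklist from a maintained source such as the Microsoft vulnerable driver blocklist or the LOLDrivers project.

```python
"""Added example (not from the WithSecure report): a small detector for
Bring-Your-Own-Vulnerable-Driver (BYOVD) activity, run over constructed
driver-load records modelled on Sysmon Event ID 6 fields. Every hash,
path, vendor name and log line below is made up for illustration."""
import hashlib
import re
from dataclasses import dataclass

# Constructed placeholder hashes. They stand in for entries of a maintained
# vulnerable-driver blocklist; the values themselves are meaningless.
VULN_DRIVER_A = hashlib.sha256(b"placeholder-vulnerable-driver-A").hexdigest()
BENIGN_DRIVER = hashlib.sha256(b"placeholder-benign-driver").hexdigest()
UNSIGNED_DRIVER = hashlib.sha256(b"placeholder-unsigned-driver").hexdigest()

KNOWN_VULNERABLE_DRIVER_SHA256 = {
    VULN_DRIVER_A: "placeholder-vuln-driver-A.sys",
}

# Directories a kernel driver is normally loaded from. A load from anywhere
# else (user profiles, temp directories, an application install tree) is
# worth a closer look even when the driver is properly signed.
TRUSTED_DRIVER_DIRS = (
    "c:\\windows\\system32\\drivers\\",
    "c:\\windows\\system32\\driverstore\\",
)

# Constructed log: pipe-separated key=value pairs using Sysmon Event 6 names.
SAMPLE_LOG = "\n".join([
    "UtcTime=2025-03-01 10:00:00|ImageLoaded=C:\\Windows\\System32\\drivers\\tcpip.sys"
    f"|Hashes=SHA256={BENIGN_DRIVER}|Signed=true|Signature=Microsoft Windows|SignatureStatus=Valid",
    "UtcTime=2025-03-01 10:05:12|ImageLoaded=C:\\Users\\Public\\svc\\helper.sys"
    f"|Hashes=SHA256={VULN_DRIVER_A}|Signed=true|Signature=Example Hardware Co|SignatureStatus=Valid",
    "UtcTime=2025-03-01 10:06:40|ImageLoaded=C:\\Windows\\Temp\\up.sys"
    f"|Hashes=SHA256={UNSIGNED_DRIVER}|Signed=false|Signature=|SignatureStatus=Unavailable",
])


@dataclass
class DriverLoad:
    image: str
    sha256: str
    signed: bool
    signature_status: str


FIELD_RE = re.compile(r"(\w+)=([^|]*)")


def parse_record(line: str) -> DriverLoad:
    """Turn one pipe-separated record into a DriverLoad."""
    fields = dict(FIELD_RE.findall(line))
    # The Hashes field is itself a comma-separated list of ALGO=value pairs.
    hashes = dict(h.split("=", 1) for h in fields.get("Hashes", "").split(",") if "=" in h)
    return DriverLoad(
        image=fields["ImageLoaded"],
        sha256=hashes.get("SHA256", "").lower(),
        signed=fields.get("Signed", "false").lower() == "true",
        signature_status=fields.get("SignatureStatus", ""),
    )


def assess(load: DriverLoad) -> list[str]:
    """Return the reasons (possibly none) this driver load should be alerted on."""
    reasons = []
    # The defining property of BYOVD is a *validly signed* driver that is
    # nonetheless exploitable, so a signature check alone never catches it;
    # the hash blocklist is the primary signal.
    if load.sha256 in KNOWN_VULNERABLE_DRIVER_SHA256:
        name = KNOWN_VULNERABLE_DRIVER_SHA256[load.sha256]
        reasons.append(f"hash matches known-vulnerable driver {name}")
    if not load.signed or load.signature_status.lower() != "valid":
        reasons.append("driver is unsigned or its signature did not validate")
    if not load.image.lower().startswith(TRUSTED_DRIVER_DIRS):
        reasons.append(f"loaded from unexpected location {load.image}")
    return reasons


def scan(lines) -> dict[str, list[str]]:
    """Map each suspicious driver path to its list of alert reasons."""
    alerts = {}
    for line in lines:
        line = line.strip()
        if not line:
            continue
        load = parse_record(line)
        reasons = assess(load)
        if reasons:
            alerts[load.image] = reasons
    return alerts


if __name__ == "__main__":
    for image, reasons in scan(SAMPLE_LOG.splitlines()).items():
        print(image)
        for reason in reasons:
            print("  -", reason)
```

Run as a script it reports the two suspicious loads and stays silent on the legitimate network driver. The second record is the instructive one: it carries a valid signature and would pass a signing-only policy, which is exactly why the group brings a vulnerable driver rather than an unsigned one, so the hash blocklist and the unusual load path are what surface it.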
According to WithSecure, Andariel remains a preeminent threat actor within the North Korean cyber landscape. While its operations were historically localized to the Korean Peninsula, its current reach is global, with objectives fluctuating between financial gain and classical espionage. The group’s synthesis of innovative tooling with battle-tested methodologies renders it a formidable adversary for sovereign institutions and multinational corporations alike.