Stonefly Group Targets US Firms With New Malware Tools

The North Korea-based Stonefly group, also known by aliases such as APT45 and Silent Chollima, has been observed continuing its financially motivated cyber-attacks against US organizations despite a recent indictment by the US Department of Justice (DoJ).

The group, linked to North Korea’s Reconnaissance General Bureau, has shifted its focus from espionage to targeting private companies in sectors with little intelligence value.

Evidence of these attacks was discovered by Symantec’s Threat Hunter Team, which uncovered Stonefly’s use of sophisticated malware tools during intrusions into three US organizations in August 2024.

“The attackers used a fake Tableau certificate documented by Microsoft in addition to two other certificates [...] that appear to be unique to this campaign,” Symantec explained.

One of the most notable tools deployed was Backdoor.Preft, a multi-stage backdoor associated exclusively with Stonefly, capable of downloading files, executing commands and deploying additional plugins. Other malware was also identified, including Nukebot and the penetration testing framework Sliver.

Researchers noted several signs that these attacks were financially driven, rather than for gathering state intelligence. Though no ransomware was successfully deployed, the group’s recent shift toward using these tactics marks a significant change in its operational strategy.

According to Symantec, Stonefly’s reliance on public tools such as Mimikatz, Snap2HTML and Megatools illustrates a calculated blend of custom and open source software. This approach allows the group to maintain flexibility while obscuring its operations by using widely available technologies.

In July 2024, a member of Stonefly was indicted by US authorities for his role in extorting hospitals and other institutions.

“While Stonefly’s move into financially motivated attacks is a relatively recent development, the spotlight shone on the group’s activities due to the indictment naming one of its members has not yet led to a cessation of activity,” Symantec said. “The group is likely continuing to attempt to mount extortion attacks against organizations in the US.”