ANDARIEL is described as a North Korea–linked threat group operating under the Reconnaissance General Bureau (RGB), widely viewed by security researchers as a sub-cluster of the Lazarus Group. Since around 2009, it has shifted from regional disruption campaigns to global cyber-espionage and revenue-driven operations, targeting defence contractors, nuclear engineering firms, financial institutions, healthcare providers, and software vendors.
The group blends intelligence collection with ransomware activity and cryptocurrency theft, reflecting a state strategy that uses cyber operations for both strategic intelligence and hard currency generation, and it maintains close alignment with BlueNoroff and other Lazarus-linked clusters.
Andariel’s campaigns include ransomware strains such as Maui and SHATTEREDGLASS, deployed against healthcare providers, energy companies and other critical infrastructure targets. The group operates as a structured component of North Korea’s state-directed cyber apparatus, integrating espionage, disruption and financial operations under central command.
According to SOCRadar, the MITRE ATT&CK techniques observed include initial access via phishing and exploitation of public-facing services, credential dumping, lateral (east–west) movement, data exfiltration, and ransomware deployment.