Several ransomware strains are being attributed to the Korean gang APT38


Researchers have attributed multiple ransomware strains currently circulating in cyberspace to APT38, a North Korea-based advanced persistent threat group. Many cybersecurity experts consider these threat actors a subgroup of the notorious Lazarus APT.

APT38 has been linked to multiple cyberattacks and fund stealing incidents against numerous financial institutions worldwide.

A researcher claimed that the APT's operators had used multiple ransomware strains, namely Beaf, ChiChi, PXJ, and ZZZZ, to extort their victims. In addition, three of these strains share source code with VHD ransomware, which has been connected to the Lazarus group.

Although the ChiChi and Tflower ransomware strains share some code with the other three families, the overlap consists of generic functions rather than distinctive shared features. Moreover, the researchers observed a couple of these strains being deployed by APT38 on victims' networks through the cross-platform MATA malware framework, a malicious tool used exclusively by Lazarus members.


Other analysts discovered that APT38 ransomware strains share source code and functions with VHD and Tflower ransomware. Beaf and ZZZZ are identical, and researchers believe they are clones of one another.


On the other hand, ChiChi ransomware's codebase has almost nothing in common with the others. However, ZZZZ and ChiChi both used the same email address in their ransom notes.

Experts claimed that cyberattacks using these ransomware families exclusively target businesses in the APAC region. Identifying the victims is harder than usual, since there were no negotiation chats or leak sites to draw on.

Other researchers attempted to find additional links by analysing the cryptocurrency transfers behind the ransom payments. However, they discovered no overlap in the crypto wallets used to collect the ransoms.

Researchers have attributed these ransomware strains to APT38 with the utmost confidence. The investigation further indicates that North Korean hackers use ransomware primarily for financial gain.

Cybersecurity experts suggest that organisations use reliable anti-malware solutions to stay protected from these attacks.
