Despite the indictment of one of its alleged members, the North Korean APT group known as Stonefly (aka APT45) continues to target U.S. companies, according to warnings from Symantec threat analysts. Stonefly, also tracked as Andariel and Onyx Sleet, is linked to the Reconnaissance General Bureau (RGB), North Korea's military intelligence agency.
The group has been active since at least 2009 and originally focused on espionage campaigns against government agencies and the defense industry. In recent years, however, it has expanded into financially motivated attacks, targeting organizations in the financial sector, nuclear-related entities, and health research.
In August 2024, Stonefly carried out three separate intrusions into U.S. organizations, though none resulted in a successful ransomware deployment. The attacks are believed to be financially motivated: all of the victims were private companies with no obvious intelligence value. Attribution to Stonefly rests on the use of Preft, a custom backdoor used exclusively by the group, together with other indicators of compromise linked to its earlier operations. Alongside Preft, the attackers deployed additional malware, including Nukebot and keyloggers, as well as publicly available tools such as Mimikatz and Sliver. Symantec's analysts assess that Stonefly is likely to continue its extortion attempts against U.S. organizations.