Threat actor
APT38 (G0082) · state
🇰🇵 KP · RGB
aka APT38, NICKEL GLADSTONE, BeagleBoyz, Bluenoroff, Stardust Chollima, Sapphire Sleet, COPERNICIUM
Last updated: 2026-07-03
About this actor
[APT38](https://attack.mitre.org/groups/G0082) is a North Korean state-sponsored threat group that specializes in financial cyber operations; it has been attributed to the Reconnaissance General Bureau.(Citation: CISA AA20-239A BeagleBoyz August 2020) Active since at least 2014, [APT38](https://attack.mitre.org/groups/G0082) has targeted banks, financial institutions, casinos, cryptocurrency exchanges, SWIFT system endpoints, and ATMs in at least 38 countries worldwide. Significant operations include the 2016 Bank of Bangladesh heist, during which [APT38](https://attack.mitre.org/groups/G0082) stole $81 million, as well as attacks against Bancomext (Citation: FireEye APT38 Oct 2018) and Banco de Chile (Citation: FireEye APT38 Oct 2018); some of their attacks have been destructive.(Citation: CISA AA20-239A BeagleBoyz August 2020)(Citation: FireEye APT38 Oct 2018)(Citation: DOJ North Korea Indictment Feb 2021)(Citation: Kaspersky Lazarus Under The Hood Blog 2017) North Korean group definitions are known to have significant overlap, and some security researchers report all North Korean state-sponsored cyber activity under the name [Lazarus Group](https://attack.mitre.org/groups/G0032) instead of tracking clusters or subgroups.
Source: MITRE ATT&CK
Activity timeline
- 2026 — 1 CVE published
- 2016 — 1 CVE published
Profile
| CVE | Risk | CVSS | EPSS | Published | Products |
|---|---|---|---|---|---|
| CVE-2016-4119 | 7.0 | 9.8 | 0.0396 | 2016-08-26 | see CVE |
| CVE-2026-20929 | 5.5 | 7.5 | 0.0114 | 2026-01-13 | see CVE |
ATT&CK techniques: T1005, T1027, T1027.002, T1033, T1036, T1036.003, T1036.006, T1049, T1053, T1053.003, T1053.005, T1055, T1056, T1056.001, T1057, T1059, T1059.001, T1059.003, T1059.005, T1070, T1070.004, T1070.006, T1071, T1071.001, T1082, T1083, T1105, T1106, T1110, T1112, T1115, T1135, T1140, T1189, T1204, T1204.001, T1204.002, T1217, T1218, T1218.001, T1218.005, T1218.007, T1218.011, T1480, T1480.002, T1485, T1486, T1505, T1505.003, T1518, T1518.001, T1529, T1543, T1543.003, T1548, T1548.002, T1553, T1553.005, T1561, T1561.002, T1565, T1565.001, T1565.002, T1565.003, T1566, T1566.001, T1569, T1569.002, T1583, T1583.001, T1588, T1588.002, T1685, T1685.005, T1686, T1686.002, T1690
Mitigating controls (NIST 800-53)
| Control | Techniques covered | Coverage |
|---|---|---|
| SI-4 | 51 / 77 | 66% |
| CM-2 | 47 / 77 | 61% |
| CM-6 | 44 / 77 | 57% |
| AC-3 | 35 / 77 | 45% |
| SI-3 | 35 / 77 | 45% |
| AC-6 | 34 / 77 | 44% |
| SI-7 | 34 / 77 | 44% |
| CM-7 | 30 / 77 | 39% |
| AC-2 | 27 / 77 | 35% |
| CA-7 | 27 / 77 | 35% |
| AC-5 | 21 / 77 | 27% |
| CM-5 | 18 / 77 | 23% |
| IA-2 | 18 / 77 | 23% |
| RA-5 | 15 / 77 | 19% |
| SI-2 | 15 / 77 | 19% |
Co-occurring actors
- Mustang Panda (1 shared CVE)
- SolarWinds Compromise (1 shared CVE)
- Tonto Team (1 shared CVE)
- Ember Bear (1 shared CVE)
- GOLD SOUTHFIELD (1 shared CVE)
- Aquatic Panda (1 shared CVE)
- APT28 (1 shared CVE)
- Sandworm Team (1 shared CVE)
- Ajax Security Team (1 shared CVE)
- FIN7 (1 shared CVE)
Similar actors
Similar TTPs
- APT32 0.33
- Lazarus Group 0.31
- Operation Honeybee 0.30
- Medusa Group 0.30
- Gamaredon Group 0.30
Active in same years
- Operation Dream Job 1.00
- SolarWinds Compromise 1.00
- C0027 1.00
- SharePoint ToolShell Exploitation 1.00
- Ke3chang 1.00
Same nation-state
- Operation Dream Job 1.00
- 3CX Supply Chain Attack 1.00
- Lazarus Group 1.00
- APT37 1.00
- Kimsuky 1.00
Same category
- Night Dragon 1.00
- FunnyDream 1.00
- C0011 1.00
- Operation Wocao 1.00
- Operation Dream Job 1.00