{"id":57551,"date":"2024-10-31T13:53:55","date_gmt":"2024-10-31T13:53:55","guid":{"rendered":"https:\/\/packetstormsecurity.com\/news\/view\/36539\/North-Korean-Nation-State-Threat-Actor-Using-Play-Ransomware.html"},"modified":"2024-10-31T13:53:55","modified_gmt":"2024-10-31T13:53:55","slug":"north-korean-nation-state-threat-actor-using-play-ransomware","status":"publish","type":"post","link":"https:\/\/www.threatshub.org\/blog\/north-korean-nation-state-threat-actor-using-play-ransomware\/","title":{"rendered":"North Korean Nation State Threat Actor Using Play Ransomware"},"content":{"rendered":"<div><img decoding=\"async\" src=\"https:\/\/files.cyberriskalliance.com\/wp-content\/uploads\/2024\/10\/AdobeStock_476385633.jpg\" class=\"ff-og-image-inserted\"><\/div>\n<p>A North Korean state-sponsored threat actor is suspected of collaborating with the Play ransomware gang in a September cyberattack, <a href=\"https:\/\/unit42.paloaltonetworks.com\/north-korean-threat-group-play-ransomware\/\" target=\"_blank\" rel=\"noreferrer noopener\">Palo Alto Networks Unit 42 reported Wednesday.<\/a><\/p>\n<p>The group tracked by Unit 42 as Jumpy Pisces, also known as Andariel, Onyx Sleet and Stonefly, made initial access via a compromised account in May 2024 and then deployed open-source and custom tools for lateral movement and persistence.<\/p>\n<p>By September, the initial access established by Jumpy Pisces was leveraged to conduct pre-ransomware activity and ultimately deploy the Play ransomware payload. Unit 42 believes with \u201cmoderate confidence\u201d that this points to a collaboration between Jumpy Pisces and Play.<\/p>\n<p>\u201cThis change marks the first observed instance of the group using existing ransomware infrastructure, potentially acting as an initial access broker (IAB) or an affiliate of the Play ransomware group,\u201d the Unit 42 researchers wrote. 
\u201cThis shift in their tactics, techniques and procedures (TTPs) signals deeper involvement in the broader ransomware threat landscape.\u201d<\/p>\n<p>Jumpy Pisces, which has ties to the Reconnaissance General Bureau of the Korean People\u2019s Army of North Korea, has used its own custom ransomware in the past; in July, the U.S. Department of Justice <a href=\"https:\/\/www.scworld.com\/news\/us-charges-north-korean-hacker-for-ransomware-attacks-on-health-sector\" target=\"_blank\" rel=\"noreferrer noopener\">indicted a member of the group<\/a> for his alleged role in using the custom Maui ransomware to target U.S. healthcare organizations.<\/p>\n<p>While it has traditionally been associated with cyberespionage, Jumpy Pisces has recently been shifting to apparent <a href=\"https:\/\/www.scworld.com\/news\/north-koreans-stonefly-shifts-from-espionage-to-ransomware-extortion\" target=\"_blank\" rel=\"noreferrer noopener\">financially motivated attacks<\/a>, potentially used to fund further cyberattacks or other North Korean government and military activities.<\/p>\n<p>\u201cThese North Korean actors are good at gaining access to networks. However, they are late to joining the ransomware game, so collaboration with a group that already has the infrastructure, processes, and procedures in place is a wise move,\u201d Erich Kron, a security awareness advocate at KnowBe4, told SC Media. 
\u201cOnly time will tell if this collaboration continues or if the North Korean group moves on to creating their own ransom infrastructure.\u201d<\/p>\n<p>Unit 42 noted that this apparent shift in tactics means organizations should consider the activity and indicators of nation-state actors like Jumpy Pisces to be a potential precursor to ransomware and use heightened vigilance when defending against these types of threats.<\/p>\n<h2>How North Korean attacker paved the way for Play ransomware<\/h2>\n<p>Unit 42 responded to the attack on one of its customers in early September and traced the threat actor\u2019s activity back to the initial access via a compromised account in late May.<\/p>\n<p>The threat actor first began spreading a customized version of the open-source red teaming tool Sliver, as well as its own custom-developed tool called DTrack, across multiple hosts at the victim organization over the Server Message Block (SMB) protocol. They also used a customized version of the open-source credential dumping tool Mimikatz during this early stage of the attack.<\/p>\n<p>Throughout June, the threat actor continued to spread Sliver and used Sliver beacons to communicate with a command-and-control (C2) server at an IP address that has previously been linked to Jumpy Pisces. In August, the attacker began to create malicious services, gather network configuration information and launch Remote Desktop Protocol (RDP) sessions using a dedicated tool to create privileged user accounts.<\/p>\n<p>Days before the ransomware deployment, Jumpy Pisces began to extract Windows Security Account Manager (SAM), Security and System registry hives, continued its use of Mimikatz and continued to communicate with the C2 server via Sliver beaconing. Communications with the Jumpy Pisces C2 server continued up until the day of the ransomware deployment, Sept. 5, and the C2 server has been offline ever since, Unit 42 noted.<\/p>\n<p>On Sept. 
5, the compromised account that was initially used for the intrusion was accessed again, and this access was leveraged to conduct pre-ransomware activities, including dumping of Local Security Authority Subsystem Service (LSASS) credentials using Task Manager, abuse of Windows access tokens, escalation to system privileges via PsExec and additional lateral movement. Mass uninstallation of endpoint detection and response (EDR) sensors was also conducted just prior to the ransomware deployment.<\/p>\n<p>The attack culminated in the Play ransomware encryption of multiple hosts on the victim\u2019s network on Sept. 5. Based on the use of the same account for initial access and the timeline of Sliver C2 communications, Unit 42 concluded that Jumpy Pisces likely coordinated with Play to conduct the attack, either as an affiliate or IAB, although Play currently claims to not run a ransomware-as-a-service (RaaS) program.<\/p>\n<p>The researchers noted that in addition to Sliver, Mimikatz and its own DTrack infostealer, Jumpy Pisces also used a trojanized binary designed to steal browser history, autofill information and credit card details from Chrome, Edge and Brave browsers during the attack. The pre-ransomware activity conducted on Sept. 5, including use of TokenPlayer for Windows access token abuse and PsExec \u2013 both stored in the public \u201cMusic\u201d folder \u2013 was also noted to be consistent with previous Play attacks.<\/p>\n<p>Nation-state threat actors have increasingly been observed deploying ransomware or working with ransomware groups, shifting from cyberespionage and sabotage to potentially financially motivated crimes. 
In June, suspected China-sponsored threat groups APT41 and ChamelGang <a href=\"https:\/\/www.scworld.com\/brief\/global-ransomware-attacks-deployed-by-suspected-china-north-korea-linked-hackers\" target=\"_blank\" rel=\"noreferrer noopener\">were linked, along with Andariel, by SentinelOne and Recorded Future researchers<\/a> to a wave of ransomware attacks between 2021 and 2023.<\/p>\n<p>Additionally, the Cybersecurity and Infrastructure Security Agency (CISA) warned in August that the Iran-backed threat actor Pioneer Kitten had worked with affiliates of NoEscape, Ransomhouse and ALPHV\/BlackCat to provide initial access to victims\u2019 networks in exchange for a cut of the ransomware payouts.<\/p>\n<p>READ MORE <a href=\"https:\/\/packetstormsecurity.com\/news\/view\/36539\/North-Korean-Nation-State-Threat-Actor-Using-Play-Ransomware.html\">HERE<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p>READ MORE HERE&#8230;<\/p>\n","protected":false},"author":2,"featured_media":57552,"comment_status":"closed","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"colormag_page_layout":"default_layout","footnotes":""},"categories":[60],"tags":[11097],"class_list":["post-57551","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-packet-storm","tag-headlinegovernmentmalwarecybercrimecyberwarcryptographynorth-korea"],"_links":{"self":[{"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/posts\/57551","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/comments?post=57551"}],"version-history":[{"count":0,"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/posts\/57551\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/media\/57552"}],"wp:attachment":[{"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/media?parent=57551"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/categories?post=57551"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/tags?post=57551"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}