APT / THREAT GROUP

Higaisa

🇰🇷 South Korea-attributed
Campaigns: 1
Aliases: 1
Last seen: Mar 17, 2026

Intelligence Profile

[Higaisa](https://attack.mitre.org/groups/G0126) is a threat group suspected to have South Korean origins. [Higaisa](https://attack.mitre.org/groups/G0126) has targeted government, public, and trade organizations in North Korea; however, they have also carried out attacks in China, Japan, Russia, Poland, and other nations. [Higaisa](https://attack.mitre.org/groups/G0126) was first disclosed in early 2019 but is assessed to have operated as early as 2009. (Citation: Malwarebytes Higaisa 2020) (Citation: Zscaler Higaisa 2020) (Citation: PTSecurity Higaisa 2020)

Threat Analysis

Higaisa is a threat actor attributed to South Korea and engaged in cyber operations. Its sophistication is listed as known and its primary motivation as unknown.

Known Campaigns

Higaisa — Active Operations March 2026

Higaisa is an unknown-motivation threat actor attributed to KR. The organization often uses important North Korean dates, such as holidays, to conduct phishing activities. The bait includes New Year blessings, Lantern blessings, North Korean celebrations, important news, overseas personnel contact lists, and so on. In add...

ACTIVE | MEDIUM | 2026

Quick Facts

Type: APT / Threat Group
Origin: 🇰🇷 South Korea
Aliases: 1
Source: Malpedia

Also Known As

Higaisa

Data sourced from Malpedia, Ransomware.live, RansomLook, and CTIWATCH OSINT collection. Actor attribution is based on available intelligence and may be incomplete.