Home > Security > Security News

Andariel Group Used RID Hijacking in Recent Breaches, Security Researchers Confirmed

Published
Written by:
Lore Apostol
Lore Apostol
Cybersecurity & Streaming Writer

The Andariel hacker group has a new campaign involving RID hijacking attacks during breach operations, which leverage sophisticated methods to manipulate system account privileges and gain unauthorized access while evading detection.

The AhnLab Security Intelligence Center (ASEC) has identified a new campaign by the well-known Andariel gang, which is believed to be tied to North Korea’s intelligence office. 

RID Hijacking is an advanced attack technique where attackers modify a low-privileged account's Relative Identifier (RID) (e.g., general user or guest account) to match the RID of a highly privileged account – such as an administrator – and trick the operating system into granting the compromised account administrative-level privileges.

RID Hijacking attack process
RID Hijacking Attack Process | Source: ASEC

Recent breaches analyzed by ASEC have revealed the detailed steps deployed by the Andariel group to carry out RID Hijacking operations effectively: system privilege escalation, creating local user accounts, and modifying RID values.

Attackers must first escalate their privileges to access and modify the Security Account Manager (SAM) database to obtain SYSTEM-level access. The SAM database is the core repository for managing authentication and user account data within Windows.

Andariel attackers used tools like PsExec, a Microsoft utility, to remotely execute malicious files with SYSTEM privileges. This step is essential, as general administrator rights are insufficient for modifying SAM registry values.

RID change function in malware.
RID change function in malware | Source: ASEC

The attackers strategically utilize existing accounts or create new ones for RID hijacking. They establish accounts with concealed attributes using the "net user" command. Adding “$” to the account name creates hidden accounts that evade detection through common system commands but remain traceable in the SAM registry.

Next, the hackers add it to critical groups, such as Remote Desktop Users and Administrators, using the "net localgroup" command, and leverage Remote Desktop Protocol (RDP) access for system control.

Altering the RID values of the new or existing accounts allows for privilege escalation. By replacing the RID value of the low-privilege account with that of an administrator account, the operating system recognizes the hijacked account as having administrative rights, allowing the attackers to carry out their objectives.

The Andariel group employed custom-built malicious files and open-source tools to execute RID hijacking with precision, such as modifying SAM registry access permissions, concealing accounts, and minimizing detection. 

This technique has been previously highlighted by the Korea Internet & Security Agency (KISA), where Andariel was documented using RID Hijacking to create backdoor accounts. These hidden accounts allow attackers to maintain persistence, making them exceedingly difficult for victim organizations to detect.


Add a Comment
Related
Sophisticated LockBit Ransomware Attack Exploits Enterprise Network Vulnerabilities
New Lumma Stealer Campaign Leverages Fake CAPTCHA Verifications
PlushDaemon Exploits South Korean VPN IPany
Critical 7-Zip Vulnerability May Circumvent Windows MotW Security Measures
Fortinet (1)
Fortinet Firewalls Targeted by Hackers Exploiting Zero-Day Vulnerability
Windows 11
Microsoft Blocks Security Updates Due to Windows 11 24H2 Bug
Most Popular
The Bachelor
The Bachelor 2025 Episode 1 Recap: Who Went Home? Who got the First rose? 
NCIS: Origins
NCIS: Origins Episode 11 Explained- The 5 Biggest Moments
911 Lone Star
911 Lone Star Season 5: Episode 11 Recap and Finale Predictions
Google Drive to US DoD
Public Google Drive Link Exposed US Military Orders and PII
The Recruit
The Recruit Season 2: Everything we know About Noah Centineo’s Return to Action
PayPal Phishing
PayPal to Pay $2 Million Settlement to New York State for 2022 Customer Data Leak
The Bachelor 2025 Episode 1 Recap: Who Went Home? Who got the First rose? 
NCIS: Origins Episode 11 Explained- The 5 Biggest Moments
911 Lone Star Season 5: Episode 11 Recap and Finale Predictions
Public Google Drive Link Exposed US Military Orders and PII
The Recruit Season 2: Everything we know About Noah Centineo’s Return to Action
PayPal to Pay $2 Million Settlement to New York State for 2022 Customer Data Leak

Most Popular
The Bachelor
The Bachelor 2025 Episode 1 Recap: Who Went Home? Who got the First rose? 
NCIS: Origins
NCIS: Origins Episode 11 Explained- The 5 Biggest Moments
911 Lone Star
911 Lone Star Season 5: Episode 11 Recap and Finale Predictions
Google Drive to US DoD
Public Google Drive Link Exposed US Military Orders and PII
The Recruit
The Recruit Season 2: Everything we know About Noah Centineo’s Return to Action
PayPal Phishing
PayPal to Pay $2 Million Settlement to New York State for 2022 Customer Data Leak
The Bachelor 2025 Episode 1 Recap: Who Went Home? Who got the First rose? 
NCIS: Origins Episode 11 Explained- The 5 Biggest Moments
911 Lone Star Season 5: Episode 11 Recap and Finale Predictions
Public Google Drive Link Exposed US Military Orders and PII
The Recruit Season 2: Everything we know About Noah Centineo’s Return to Action
PayPal to Pay $2 Million Settlement to New York State for 2022 Customer Data Leak

© 2025 TechNadu, a part of Leaprove Media LLP. All Rights Reserved.

Close lightbox
Facebook
Twitter
Linkedin
Reddit
Email
Copy Link
For a better user experience we recommend using a more modern browser. We support the latest version of the following browsers: For a better user experience we recommend using the latest version of the following browsers: