{
	"id": "fa0384b1-0011-44a6-b671-e1d055b5a9ee",
	"created_at": "2026-04-06T00:15:51.251969Z",
	"updated_at": "2026-04-10T03:38:20.421473Z",
	"deleted_at": null,
	"sha1_hash": "011876dca620a413d446d61722b0a854aa2b8503",
	"title": "MAR-10322463-1.v1 - AppleJeus: Celas Trade Pro | CISA",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 97784,
	"plain_text": "MAR-10322463-1.v1 - AppleJeus: Celas Trade Pro | CISA\r\nPublished: 2021-02-17 · Archived: 2026-04-05 19:12:03 UTC\r\nNotification\r\nThis report is provided \"as is\" for informational purposes only. The Department of Homeland Security (DHS) does not\r\nprovide any warranties of any kind regarding any information contained herein. The DHS does not endorse any commercial\r\nproduct or service referenced in this bulletin or otherwise.\r\nThis document is marked TLP:WHITE--Disclosure is not limited. Sources may use TLP:WHITE when information carries\r\nminimal or no foreseeable risk of misuse, in accordance with applicable rules and procedures for public release. 
Subject to\r\nstandard copyright rules, TLP:WHITE information may be distributed without restriction. For more information on the\r\nTraffic Light Protocol (TLP), see http://www.us-cert.gov/tlp.\r\nSummary\r\nDescription\r\nThis Malware Analysis Report (MAR) is the result of analytic efforts among the Federal Bureau of Investigation (FBI), the\r\nCybersecurity and Infrastructure Security Agency (CISA), and the Department of Treasury (Treasury) to highlight the cyber\r\nthreat to cryptocurrency posed by North Korea, formally known as the Democratic People’s Republic of Korea (DPRK), and\r\nprovide mitigation recommendations. Working with U.S. government partners, FBI, CISA, and Treasury assess that Lazarus\r\nGroup—which these agencies attribute to North Korean state-sponsored advanced persistent threat (APT) actors—is\r\ntargeting individuals and companies, including cryptocurrency exchanges and financial service companies, through the\r\ndissemination of cryptocurrency trading applications that have been modified to include malware that facilitates theft of\r\ncryptocurrency.\r\nThis MAR highlights this cyber threat posed by North Korea and provides detailed indicators of compromise (IOCs) used by\r\nthe North Korean government. The U.S. Government refers to malicious cyber activity by the North Korean government as\r\nHIDDEN COBRA. For more information on other versions of AppleJeus and recommended steps to mitigate this threat, see\r\nJoint Cybersecurity Advisory AA21-048A: AppleJeus: Analysis of North Korea's Cryptocurrency Malware at\r\nhttps://www.us-cert.cisa.gov/ncas/alerts/AA21-048A.\r\nhttps://us-cert.cisa.gov/ncas/analysis-reports/ar21-048a\r\nPage 1 of 14\n\nThere have been multiple versions of AppleJeus malware discovered since its initial discovery in August 2018. 
In most\r\nversions, the malware appears to be from a legitimate-looking cryptocurrency trading company and website, whereby an\r\nunsuspecting individual downloads a third-party application from a website that appears legitimate.\r\nThe U.S. Government has identified AppleJeus malware version—Celas Trade Pro—and associated IOCs used by the North\r\nKorean government in AppleJeus operations.\r\nIn August 2018, open source reporting revealed information about a Trojanized version of a legitimate cryptocurrency\r\ntrading application on a victim’s computer (Note: identity of the victim was not disclosed). The malicious program, known\r\nas Celas Trade Pro, is a modified version of the benign QT Bitcoin Trader application. This incident led to the victim\r\ncompany being infected with the malware known to the U.S. Government as FALLCHILL, a North Korean remote\r\nadministration tool (RAT). According to CISA, FALLCHILL “is a fully functional RAT with multiple commands that the\r\nactors can issue from a command and control (C2) server to a victim’s system via dual proxies. FALLCHILL typically\r\ninfects a system as a file dropped by other HIDDENCOBRA malware. Because of this, additional HIDDENCOBRA\r\nmalware may be present on systems compromised with FALLCHILL.\"\r\nCelas Trade Pro had been recommended to the victim company via a phishing email from a company known as Celas\r\nLimited. 
The email provided a link to the Celas Limited website (https://www[.]celasllc.com), where the user could\r\ndownload a Windows or MacOS version of the Celas Trade Pro software.\r\nFor a downloadable copy of IOCs, see: MAR-10322463-1.v1.stix.\r\nSubmitted Files (6)\r\n5e54bccbd4d93447e79cda0558b0b308a186c2be571c739e5460a3cb6ef665c0 (Updater)\r\n6ee19085ad5c17f989616d17ef68041910b3d0cbcf7e08cc7d7c1a1cb09e6b69 (celastradepro_win_installer_1....)\r\na84ed8ce714dff76b48b26414de9f045de561146d7eaa09019cbfbb2586c9765 (CelasTradePro.exe)\r\nbdff852398f174e9eef1db1c2d3fefdda25fe0ea90a40a2e06e51b5c0ebd69eb (Updater.exe)\r\nc0c2239138b9bc659b5bddd8f49fa3f3074b65df8f3a2f639f7c632d2306af70 (CelasTradePro)\r\nd404c0a634cef0d32029286fde8efccb6dfe1809066bbec7ac32d42c5ce3bc04 (celastradepro_mac_installer_1....)\r\nDomains (1)\r\ncelasllc.com\r\nFindings\r\n6ee19085ad5c17f989616d17ef68041910b3d0cbcf7e08cc7d7c1a1cb09e6b69\r\nTags\r\ndroppertrojan\r\nDetails\r\nName celastradepro_win_installer_1.00.00.msi\r\nSize 9827840 bytes\r\nType\r\nComposite Document File V2 Document, Little Endian, Os: Windows, Version 10.0, MSI Installer, Last Printed: Fri Dec 11 11:47:44 20\r\nTime/Date: Fri Dec 11 11:47:44 2009, Last Saved Time/Date: Fri Dec 11 11:47:44 2009, Security: 0, Code page: 1252, Revision Numbe\r\n2C9C-4167-9296-5DD2DAF7973E}, Number of Words: 2, Subject: CelasTradePro, Author: CELAS LLC, Name of Creating Applicati\r\nInstaller 14.5.2 build 83143, Template: ;1033, Comments: This installer database contains the logic and data required to install CelasTra\r\nInstallation Database, Keywords: Installer, MSI, Database, Number of Pages: 200\r\nMD5 9e740241ca2acdc79f30ad2c3f50990a\r\nSHA1 0c5e4cec03d2eea2b1dd5356fe05de64a0278cd6\r\nSHA256 6ee19085ad5c17f989616d17ef68041910b3d0cbcf7e08cc7d7c1a1cb09e6b69\r\nSHA512 dd02c1e717c2556b64d261f04c5a8add7dcc2f3ad267507d883ba68c7e4cf827136edce517aab055dfa02d8569a5779eb1fc24fb0b7c6bb34\r\nssdeep 
196608:s80YaAWH7ICcfRLdq81w920W+ZP6g2DsjW1TIZfxgNu1DZNJQfIYizTrh50:sPUWHECcfBdR1w9NWqSg2DsK1TmfxgiD\r\nhttps://us-cert.cisa.gov/ncas/analysis-reports/ar21-048a\r\nPage 2 of 14\n\nEntropy 7.973409\r\nAntivirus\r\nAhnlab MSI/Installer\r\nComodo Malware\r\nMicrosoft Security Essentials Trojan:Win32/Letdater\r\nQuick Heal OLE.MSI.Agent.39994.GC\r\nSophos Troj/NukeSped-X\r\nSymantec Trojan.Dropper\r\nTrendMicro Trojan.BC27BA50\r\nTrendMicro House Call Trojan.BC27BA50\r\nYARA Rules\r\nNo matches found.\r\nssdeep Matches\r\nNo matches found.\r\nRelationships\r\n6ee19085ad... Downloaded_From celasllc.com\r\n6ee19085ad... Contains a84ed8ce714dff76b48b26414de9f045de561146d7eaa09019cbfbb2586c9765\r\n6ee19085ad... Contains bdff852398f174e9eef1db1c2d3fefdda25fe0ea90a40a2e06e51b5c0ebd69eb\r\nDescription\r\nThis Windows program from the Celas LLC site is a Windows MSI Installer. The installer looks legitimate and previously\r\nhad a valid digital signature from Comodo (Sectigo). The signature was signed with a code signing certificate purchased by\r\nthe same user as the Secure Sockets Layer (SSL) certificate for \"celasllc.com.\" The installer asks for administrative\r\nprivileges to run and while installing \"CelasTradePro.exe\"\r\n(a84ed8ce714dff76b48b26414de9f045de561146d7eaa09019cbfbb2586c9765) it also installs \"Updater.exe\" in the\r\n“C:\\Program Files (x86)\\CelasTradePro” folder. 
Immediately after installation, the installer launches \"Updater.exe\"\r\n(bdff852398f174e9eef1db1c2d3fefdda25fe0ea90a40a2e06e51b5c0ebd69eb) with the “CheckUpdate” parameter.\r\nScreenshots\r\nFigure 1 - Screenshot of the CelasTradePro installation.\r\ncelasllc.com\r\nTags\r\ncommand-and-control\r\nURLs\r\ncelasllc.com/checkupdate.php\r\nWhois\r\nWhois for celasllc.com had the following information in August 2018:\r\nIP Address: 185.142.236.213\r\nRegistrant Name: John Broox\r\nRegistrant Organization:\r\nRegistrant Street: 2141 S Archer Ave\r\nhttps://us-cert.cisa.gov/ncas/analysis-reports/ar21-048a\r\nPage 3 of 14\n\nRegistrant City: Chicago\r\nRegistrant State/Province: Illinois\r\nRegistrant Postal Code: 60601\r\nRegistrant Country: US\r\nRegistrant Phone: +1.8133205751\r\nRegistrant Email: johnbroox200@gmail.com\r\nName server: 1a7ea920.bitcoin-dns.hosting\r\nName Server: a8332f3a.bitcoin-dns.hosting\r\nName Server: ad636824.bitcoin-dns.hosting\r\nName Server: c358ea2d.bitcoin-dns.hosting\r\nCreated: May 29, 2018\r\nExpires: May 29, 2019\r\nUpdated: Sep 9, 2018\r\nRelationships\r\ncelasllc.com Downloaded_To 6ee19085ad5c17f989616d17ef68041910b3d0cbcf7e08cc7d7c1a1cb09e6b69\r\ncelasllc.com Downloaded_To d404c0a634cef0d32029286fde8efccb6dfe1809066bbec7ac32d42c5ce3bc04\r\nDescription\r\nThe Celas Limited website had a professional appearance, and at the time had a valid Secure Sockets Layer (SSL) certificate\r\nissued by Comodo (now Sectigo). The SSL certificate was “Domain Control Validated,\" which is a weak security\r\nverification level for a webserver. Typically, this is a fully automated verification where the certificate requester only needs\r\nto demonstrate control over the domain name (i.e. with an email like admin[@]celasllc.com). This type of certificate\r\nnecessitates no validation of the identity of the website’s owner, nor the existence of the actual business. 
At the time of\r\nanalysis, the domain celasllc.com resolved to IP address 185.142.236.213, which belongs to the Netherlands Amsterdam\r\nBlackhost Ltd ISP, AS174, Cogent Communications.\r\nScreenshots\r\nFigure 2 - Screenshot of the Celas LLC website.\r\na84ed8ce714dff76b48b26414de9f045de561146d7eaa09019cbfbb2586c9765\r\nTags\r\ntrojan\r\nDetails\r\nName CelasTradePro.exe\r\nSize 2517160 bytes\r\nType PE32 executable (GUI) Intel 80386, for MS Windows\r\nMD5 45eb8f06c5f732e8dde8e9318d8b2392\r\nSHA1 d4583cba9034a3068f8106b5013d37d7bdd46f38\r\nSHA256 a84ed8ce714dff76b48b26414de9f045de561146d7eaa09019cbfbb2586c9765\r\nSHA512 6536a7b0767828bb95f6f33a4e465fec48fc474b4f919bc878e02966f82f900fbaa6e2f9d7bc1dffa28bbe35f94ee6b9a570902843dfd35a8c9\r\nssdeep 49152:TrxfUhMyK0lq3Z8SC8Q1ZZmpwi0qEdz+7WGSVOr:PxfU60lqiV1UL\r\nEntropy 6.852284\r\nAntivirus\r\nSophos Mal/BadCert-Gen\r\nYARA Rules\r\nhttps://us-cert.cisa.gov/ncas/analysis-reports/ar21-048a\r\nPage 4 of 14\n\nNo matches found.\r\nssdeep Matches\r\nNo matches found.\r\nPE Metadata\r\nCompile Date 2018-06-17 20:17:48-04:00\r\nImport Hash 33ef6aff05b44076249d6ed27e247e11\r\nCompany Name Celas LLC\r\nFile Description Celas Bitcoin Trader\r\nInternal Name Celas Bitcoin Trader\r\nLegal Copyright Copyright (C) 2018 CELAS LLC\r\nOriginal Filename CelasTradePro.exe\r\nProduct Name CelasTradePro\r\nProduct Version 1.0.0.0\r\nPE Sections\r\nMD5 Name Raw Size Entropy\r\n724cd82da1ca0a93b9d171923d149ce9 header 1024 2.738571\r\n4909abcdca48f01dd7d44d7b6035deef .text 1152000 6.244241\r\n88f7c98251537ffd1f94935b8c134b9a .rdata 1076224 6.842683\r\n0e102f466e9e6893970e2fd96c8b3fce .data 9728 4.517533\r\n87a4b3b57b1b37d19870a4f1c9577374 .rsrc 110592 3.737298\r\na6d8c9855dc4334bb35c95a1e0518a9d .reloc 162304 6.385957\r\nPackers/Compilers/Cryptors\r\nRelationships\r\na84ed8ce71... 
Contained_Within 6ee19085ad5c17f989616d17ef68041910b3d0cbcf7e08cc7d7c1a1cb09e6b69\r\nDescription\r\nThis file is a 32-bit Windows executable contained within the Windows MSI Installer\r\n\"celastradepro_win_installer_1.00.00.msi.\" When executed, \"CelasTradePro.exe\" asks for the user’s exchange and then\r\nloads a legitimate cryptocurrency trading platform with no signs of malicious activity.\r\nCelasTradePro is extremely similar in appearance to a version of an open source cryptocurrency trading platform available\r\naround the same timeframe known as QT Bitcoin Trader (screenshots 3 and 4). In addition to similar appearance, many\r\nstrings found in CelasTradePro have QT Bitcoin Trader references and parameters being set to “Celas Trade Pro” including\r\nbut not limited to:\r\n--Begin similarities--\r\nString_ABOUT_QT_BITCOIN_TRADER_TEXT=Celas Trade Pro\r\nQtBitcoinTrader\r\nString_ABOUT_QT_BITCOIN_TRADER_TEXT=Celas Trade Pro is a free Open Source project developed on pure C++\r\nQt and OpenSSL.\r\njulyighor@gmail.com (note: Ighor July is one of the developers of QT Bitcoin Trader)\r\n--End similarities--\r\nThe strings also reference the name “John Broox” as the author of CelasTradePro.\r\nhttps://us-cert.cisa.gov/ncas/analysis-reports/ar21-048a\r\nPage 5 of 14\n\nWhile the CelasTradePro application is likely a modification of QT Bitcoin Trader, the legitimate QT Bitcoin Trader for\r\nWindows is not available for download as an MSI, but only as a Windows portable executable. This is a singular file named\r\n\"QtBitcoinTrader.exe\" and does not install or run any additional programs. 
The CelasTradePro MSI contains\r\n\"CelasTradePro.exe,\" the modified version of QT Bitcoin Trader, as well as the additional \"Updater.exe\"\r\n(bdff852398f174e9eef1db1c2d3fefdda25fe0ea90a40a2e06e51b5c0ebd69eb) executable not included with the original QT\r\nBitcoin Trader.\r\nScreenshots\r\nFigure 3 - Screenshot of the CelasTradePro application.\r\nFigure 4 - Screenshot of the QT Bitcoin Trader application.\r\nbdff852398f174e9eef1db1c2d3fefdda25fe0ea90a40a2e06e51b5c0ebd69eb\r\nTags\r\ndownloaderloaderspywaretrojan\r\nDetails\r\nName Updater.exe\r\nSize 173224 bytes\r\nType PE32 executable (GUI) Intel 80386, for MS Windows\r\nMD5 b054a7382adf6b774b15f52d971f3799\r\nSHA1 b4d43cd2d81d17dec523915c0fc61b4b29e62c58\r\nSHA256 bdff852398f174e9eef1db1c2d3fefdda25fe0ea90a40a2e06e51b5c0ebd69eb\r\nSHA512 7c307a2ed0e6e483a0f3e7161ff0433e6bd498ab0b14b5359a938554999b076c4143a766b96c05dc0b949948cac97d81534ceb1300d02276\r\nssdeep 1536:XN9cIi98pUYi7tIP+arPg1ssvpoOJwtFT6BxdYIHs/5mBS0LiF:99clzLPPBoOJwWBxdYlxySr\r\nEntropy 4.980364\r\nAntivirus\r\nAhnlab Malware/Win32.Generic\r\nAntiy Trojan[Downloader]/Win32.Agent\r\nAvira TR/Dldr.Agent.jlhae\r\nBitDefender Trojan.GenericKD.40404380\r\nClamAV Win.Spyware.Fallchill-6663754-2\r\nComodo Malware\r\nESET Win32/TrojanDownloader.NukeSped.E trojan\r\nEmsisoft Trojan.GenericKD.40404380 (B)\r\nIkarus Trojan-Downloader.Agent\r\nK7 Riskware ( 0040eff71 )\r\nLavasoft Trojan.GenericKD.40404380\r\nMcAfee Generic trojan.d\r\nMicrosoft Security Essentials Trojan:Win32/Letdater\r\nNANOAV Trojan.Win32.Letscool.fflqoo\r\nSophos Troj/NukeSped-Y\r\nSymantec Trojan Horse\r\nhttps://us-cert.cisa.gov/ncas/analysis-reports/ar21-048a\r\nPage 6 of 14\n\nSystweak trojan.agent\r\nTrendMicro Trojan.BC27BA50\r\nTrendMicro House Call Trojan.BC27BA50\r\nVirusBlokAda TrojanDownloader.Agent\r\nZillya! 
Downloader.Agent.Win32.365188\r\nYARA Rules\r\nNo matches found.\r\nssdeep Matches\r\nNo matches found.\r\nPE Metadata\r\nCompile Date 2018-06-15 06:56:27-04:00\r\nImport Hash b25cd98650edb58a9a4d00af1d17453d\r\nPE Sections\r\nMD5 Name Raw Size Entropy\r\n2c879beba343ce37c06647fb37be983e header 1024 2.572659\r\n4da943f482631027a2152c6f336055af .text 38912 6.556738\r\n0b7c67c806051953aa6addc2771a20eb .rdata 10240 4.875590\r\n49f73fd786fe23fbc68635fbf76b63a3 .data 4096 2.272665\r\n7a96caced6b43d719b90f6e332ad12f3 .rsrc 109568 3.715817\r\n8aacf0cff202d7d74c04f938df61e45f .reloc 4096 4.127553\r\nPackers/Compilers/Cryptors\r\nRelationships\r\nbdff852398... Contained_Within 6ee19085ad5c17f989616d17ef68041910b3d0cbcf7e08cc7d7c1a1cb09e6b69\r\nDescription\r\nThis file is a 32-bit Windows executable contained within the Windows MSI Installer\r\n\"celastradepro_win_installer_1.00.00.msi.\" \"Updater.exe\" has the same program icon as CelasTradePro. Updater.exe was\r\nlikely developed under the name “jeus” based on the build path\r\n“Z:\\jeus\\downloader\\downloader_exe_vs2010\\Release\\dloader.pdb” found in the code (partial origin of the name\r\nAppleJeus).\r\n\"Updater.exe\" collects victim host information and sends it back to the server. At launch the malware first checks for the\r\n“CheckUpdate” parameter and if not found, exits the program. This is likely to evade detection in a sandbox environment. 
If\r\nthe \"CheckUpdate\" parameter is found, the malware creates a unique identifier for the system following the format “%09d-\r\n%05d.\" It then collects process lists excluding the “System” processes and queries the registry at\r\n“HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion” for the following values:\r\n--Begin values--\r\nProductName (Windows OS Version)\r\nCurrentBuildNumber (Windows 10 build version)\r\nReleaseID (Windows 10 version information)\r\nUBR (Sub version of Windows 10 build)\r\nBuildBranch (Windows 10 build branch information)\r\n--End values--\r\nhttps://us-cert.cisa.gov/ncas/analysis-reports/ar21-048a\r\nPage 7 of 14\n\nAfter collecting this information, \"Updater.exe\" encrypts the data with the hard-coded XOR key “Moz\u0026Wie;#t/6T!2y,\"\r\nprepends the encrypted data with “GIF89a” (image header) and sends the data to \"celasllc.com/checkupdate.php.\" Because the XOR key is hard-coded, the collected data can be recovered from captured traffic using the same key.\r\nThe malware also uses a hard-coded User-Agent string “Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; Trident/6.0)”\r\nand multipart form data separator “jeus.\" If the malware receives a response with HTTP code 200, it will decode the base64\r\npayload, then decrypt the result using the hard-coded RC4 decryption key “W29ab@ad%Df324V$Yd.\" The raw data is then\r\nwritten to a file prepended with the “MAX_PATHjeusD” string.\r\nScreenshots\r\nFigure 5 - Screenshot of the \"CheckUpdate\" parameter verification in \"Updater.exe.\"\r\nFigure 6 - Hard-coded XOR key and XOR encryption in \"Updater.exe.\"\r\nd404c0a634cef0d32029286fde8efccb6dfe1809066bbec7ac32d42c5ce3bc04\r\nTags\r\ndownloaderdropperloadertrojan\r\nDetails\r\nName celastradepro_mac_installer_1.00.00.dmg\r\nSize 15020544 bytes\r\nType\r\nDOS/MBR boot sector; partition 1 : ID=0xee, start-CHS (0x3ff,254,63), end-CHS (0x3ff,254,63), startsector 1, 29336 sectors, extended\r\n(last)\r\nMD5 48ded52752de9f9b73c6bf9ae81cb429\r\nSHA1 1e8a2f1f751e5a9931bca5710b4f304798d665dc\r\nSHA256 
d404c0a634cef0d32029286fde8efccb6dfe1809066bbec7ac32d42c5ce3bc04\r\nSHA512 4c4e4445638ace360c82be741e634601bd1beaf980cdc02523484cc7f161b57015f325708ce72d9a2496f3b5bf2d05df5133aee0d1c375b76\r\nssdeep 393216:0naJ/9SL/uXRs1q5wxrCAveZZXFdklxkBSY6bzLZaM:bJ/9SLQRwqSrCAS5klxPY6bXZx\r\nEntropy 7.710370\r\nAntivirus\r\nAntiy Trojan/OSX.Lazarus\r\nAvira OSX/Lazarus.A\r\nComodo Malware\r\nESET OSX/TrojanDownloader.NukeSped.A trojan\r\nIkarus Trojan.OSX.Lazarus\r\nMcAfee OSX/Lazarus.a\r\nSymantec OSX.Dropper\r\nTrendMicro OSX_APPLEJEUS.A\r\nTrendMicro House Call OSX_APPLEJEUS.A\r\nVir.IT eXplorer OSX.Lazarus.ASM\r\nYARA Rules\r\nNo matches found.\r\nssdeep Matches\r\nNo matches found.\r\nhttps://us-cert.cisa.gov/ncas/analysis-reports/ar21-048a\r\nPage 8 of 14\n\nRelationships\r\nd404c0a634... Downloaded_From celasllc.com\r\nd404c0a634... Contains c0c2239138b9bc659b5bddd8f49fa3f3074b65df8f3a2f639f7c632d2306af70\r\nd404c0a634... Contains 5e54bccbd4d93447e79cda0558b0b308a186c2be571c739e5460a3cb6ef665c0\r\nDescription\r\nThis OSX program from the Celas LLC site is an Apple DMG Installer. The OSX program has very similar functionality to\r\nthe Windows program and also previously had a valid digital signature from Comodo. Again the installer appears to be\r\nlegitimate, and installs CelasTradePro as well as a program named “Updater” in the\r\n“/Applications/CelasTradePro.app/Contents/MacOS/” folder. The installer contains a postinstall script (see figure 7).\r\nA postinstall script is a sequence of instructions which runs after the successful installation of an OSX application. This\r\nscript moves the hidden “.com.celastradepro.plist” file from the installer package to the LaunchDaemons folder. This file is\r\nhidden because the leading “.” causes it to not be shown to the user if they view the folder in the Finder application. Once in\r\nthe LaunchDaemons folder, this plist file will be run at system boot as root, regardless of which user logs in, giving the Updater program root-level persistence. 
This will launch the Updater\r\nprogram with the CheckUpdate parameter.\r\nAs the LaunchDaemon will not run automatically after the plist file is moved, the postinstall script then launches the\r\nUpdater program with the CheckUpdate parameter and runs it in the background (\u0026). The package also has “Developed by\r\nJohn Broox. CELAS LLC” in the Info.plist properties file.\r\nScreenshots\r\nFigure 7 - Screenshot of the postinstall script included in OSX Celas installer.\r\nFigure 8 - Screenshot of the \"com.celastradepro.plist\" file.\r\nc0c2239138b9bc659b5bddd8f49fa3f3074b65df8f3a2f639f7c632d2306af70\r\nTags\r\ntrojan\r\nDetails\r\nName CelasTradePro\r\nSize 3544560 bytes\r\nType Mach-O 64-bit x86_64 executable, flags:\u003cNOUNDEFS|DYLDLINK|TWOLEVEL|WEAK_DEFINES|BINDS_TO_WEAK|PIE\u003e\r\nMD5 4eedb2df53597a15fd48b726d85517f0\r\nSHA1 a60ece7673fa415abe1fb97ac60e19ee446858b1\r\nSHA256 c0c2239138b9bc659b5bddd8f49fa3f3074b65df8f3a2f639f7c632d2306af70\r\nSHA512 853c85760576919bc59aee901663057a0bfd5a286345cc7464f61e7bdfdebfeb2148401597ae037bbf052c052112cb37c34924b2876383c92\r\nssdeep 49152:bvzxIgxauUDh0Dh6jQIRfzOQo14GNoiZPw6YBoOBzRK8IA1LGqBKta9w35wwlRoJ:3xuwhRIR2LPZPwX1vbL9BgwseMzio\r\nEntropy 6.559908\r\nAntivirus\r\nAhnlab OSX/Agent.3544560\r\nAntiy Trojan/OSX.Lazarus\r\nAvira OSX/Lazarus.dplva\r\nBitDefender Trojan.MAC.Lazarus.B\r\nClamAV Osx.Malware.Agent-7408161-0\r\nhttps://us-cert.cisa.gov/ncas/analysis-reports/ar21-048a\r\nPage 9 of 14\n\nESET a variant of Generik.IWGLIQC trojan\nEmsisoft Trojan.MAC.Lazarus.B (B)\nIkarus OSX.Lazarus\nLavasoft Trojan.MAC.Lazarus.B\nMcAfee OSX/Lazarus.f\nSophos OSX/Lazarus-D\nSymantec OSX.Malcol.2\nZillya! Trojan.MAC.OSX.89\nYARA Rules\nNo matches found.\nssdeep Matches\nNo matches found.\nRelationships\nc0c2239138... 
Contained_Within d404c0a634cef0d32029286fde8efccb6dfe1809066bbec7ac32d42c5ce3bc04\nDescription\nThis OSX sample was contained within Apple DMG Installer \"celastradepro_mac_installer_1.00.00.dmg.\" When executed,\nCelasTradePro has identical functionality and appearance to the Windows version CelasTradePro.exe. It asks for the users’\nexchange and loads a legitimate cryptocurrency trading application with no signs of malicious activity. As functionality and\nappearance are the same, it follows that CelasTradePro is a modification of the OSX QT Bitcoin Trader. In addition to\nsimilar appearance, many strings found in CelasTradePro have QT Bitcoin Trader references and parameters being set to\n“Celas Trade Pro” including but not limited to:\n--Begin similarities--\nString_ABOUT_QT_BITCOIN_TRADER_TEXT=Celas Trade Pro\nString_ABOUT_QT_BITCOIN_TRADER_TEXT=Celas Trade Pro is a free Open Source project  \ndeveloped on pure\nC++ Qt and OpenSSL.\nString_APPLICATION_TITLE=Qt Bitcoin Trader\njulyighor@gmail.com (note: Ighor July is one of the developers of QT Bitcoin Trader)\n--End similarities--\nThe strings also reference the name “John Broox” as the author of CelasTradePro.\nWhile the CelasTradePro application is likely a modification of QT Bitcoin Trader, the legitimate QT Bitcoin Trader DMG\nfor OSX does not contain the postinstall script nor the plist file which creates a LaunchDaemon. 
When ran, only\nQTBitcoinTrader will be installed, and no additional programs will be created, installed, or launched.\nThe CelasTradePro DMG contains the CelasTradePro OSX executable (the modified version of QT Bitcoin Trader) as well\nas the additional Updater OSX executable not included with the original QT Bitcoin Trader.\nScreenshots\nFigure 9 - Screenshot of the legitimate QTBitcoinTrader DMG contents.\n5e54bccbd4d93447e79cda0558b0b308a186c2be571c739e5460a3cb6ef665c0\nTags\nbackdoordownloaderloadertrojan\nDetails\nName Updater\nhttps://us-cert.cisa.gov/ncas/analysis-reports/ar21-048a\nPage 10 of 14\n\nSize 50320 bytes\r\nType Mach-O 64-bit x86_64 executable, flags:\u003cNOUNDEFS|DYLDLINK|TWOLEVEL|WEAK_DEFINES|BINDS_TO_WEAK|PIE\u003e\r\nMD5 aeee54a81032a6321a39566f96c822f5\r\nSHA1 53aa0971eb5d53ed242764ebfc89ad591a5211b2\r\nSHA256 5e54bccbd4d93447e79cda0558b0b308a186c2be571c739e5460a3cb6ef665c0\r\nSHA512 9e9abc2c824df20249df9161ad830af2a3d01867089eed23d5985445e34120238881ac3cfd9529bf27588c36f2a17533a4bda8fce8c919493\r\nssdeep 768:A4yOeE/pwi8Aea02PG2mG1oAK+g7mj78yfgum0+mifm:GOeE/pwFs02pvg7mj7bfgum0hi\r\nEntropy 5.010104\r\nAntivirus\r\nAhnlab OSX/Agent.50320\r\nAntiy Trojan/OSX.Lazarus\r\nAvira VBS/Dldr.Formac.npwdq\r\nBitDefender Trojan.MAC.Lazarus\r\nClamAV Osx.Malware.Agent-9667647-0\r\nComodo Malware\r\nESET a variant of OSX/TrojanDownloader.NukeSped.A trojan\r\nEmsisoft Trojan.MAC.Lazarus (B)\r\nIkarus Trojan.MAC.Lazarus\r\nLavasoft Trojan.MAC.Lazarus\r\nMicrosoft Security Essentials Backdoor:MacOS/AppleJeus.A\r\nNANOAV Trojan.Mac.Mlw.fhnynm\r\nSophos OSX/Lazarus-D\r\nSymantec OSX.Trojan.Gen\r\nTrendMicro OSX_LAZARUS.A\r\nTrendMicro House Call OSX_LAZARUS.A\r\nZillya! Downloader.NukeSped.OSX.1\r\nYARA Rules\r\nNo matches found.\r\nssdeep Matches\r\nNo matches found.\r\nRelationships\r\n5e54bccbd4... 
Contained_Within d404c0a634cef0d32029286fde8efccb6dfe1809066bbec7ac32d42c5ce3bc04\r\nDescription\r\nThis OSX sample was contained within Apple DMG Installer \"celastradepro_mac_installer_1.00.00.dmg.\" Updater\r\nfunctions very similarly to the Windows Updater.exe, and collects victim host information to send back to the server. Upon\r\nlaunch, the malware checks for the “CheckUpdate” parameter, and just as the Windows sample, will exit if the parameter is\r\nnot found. This is likely to avoid sandbox analysis. If the “CheckUpdate” parameter is found, the malware then creates a\r\nunique identifier for the system following the format “%09d-%06d.\"\r\nhttps://us-cert.cisa.gov/ncas/analysis-reports/ar21-048a\r\nPage 11 of 14\n\nUpdater then uses dedicated QT classes to get system information including host name, OS type and version, system\r\narchitecture, and OS kernel type and version. The QT Framework is a cross-platform toolkit designed for creating multi-platform applications with native Graphical User Interfaces (GUI) for each platform.\r\nAfter collecting this data, Updater follows the same process as the Windows \"Updater.exe\" to encrypt and send the data. All\r\ndata is XOR encrypted with the hard-coded key “Moz\u0026Wie;#t/6T!2y”, prepended with “GIF89a” (image header), and sent\r\nto www[.]celasllc.com/checkupdate.php. The malware uses the same multipart form data separator “jeus” but has a different\r\nhard-coded user-agent string of “Mozilla/5.0 (Macintosh; Intel Mac OS X 10_12_6) AppleWebKit/537.36 (KHTML, like\r\nGecko) Chrome/66.0.3359.139 Safari/537.36.\"\r\nIf Updater receives a response with the HTTP code 200, it will decode the base64 payload, and decrypt it using the same\r\nhard-coded RC4 key “W29ab@ad%Df324V$Yd” as the Windows malware. 
The decrypted data is then saved to the hard-coded “/var/zdiffsec” file location, file permissions are changed to executable for all users, and the file is started with the\r\nhard-coded command line argument “bf6a0c760cc642.\"\r\nScreenshots\r\nFigure 10 - Screenshot of the \"CheckUpdate\" parameter verification in \"Updater.\"\r\nFigure 11 - Screenshot of various hard-coded values in \"Updater.\"\r\nRelationship Summary\r\n6ee19085ad... Downloaded_From celasllc.com\r\n6ee19085ad... Contains a84ed8ce714dff76b48b26414de9f045de561146d7eaa09019cbfbb2586c9765\r\n6ee19085ad... Contains bdff852398f174e9eef1db1c2d3fefdda25fe0ea90a40a2e06e51b5c0ebd69eb\r\ncelasllc.com Downloaded_To 6ee19085ad5c17f989616d17ef68041910b3d0cbcf7e08cc7d7c1a1cb09e6b69\r\ncelasllc.com Downloaded_To d404c0a634cef0d32029286fde8efccb6dfe1809066bbec7ac32d42c5ce3bc04\r\na84ed8ce71... Contained_Within 6ee19085ad5c17f989616d17ef68041910b3d0cbcf7e08cc7d7c1a1cb09e6b69\r\nbdff852398... Contained_Within 6ee19085ad5c17f989616d17ef68041910b3d0cbcf7e08cc7d7c1a1cb09e6b69\r\nd404c0a634... Downloaded_From celasllc.com\r\nd404c0a634... Contains c0c2239138b9bc659b5bddd8f49fa3f3074b65df8f3a2f639f7c632d2306af70\r\nd404c0a634... Contains 5e54bccbd4d93447e79cda0558b0b308a186c2be571c739e5460a3cb6ef665c0\r\nc0c2239138... Contained_Within d404c0a634cef0d32029286fde8efccb6dfe1809066bbec7ac32d42c5ce3bc04\r\n5e54bccbd4... Contained_Within d404c0a634cef0d32029286fde8efccb6dfe1809066bbec7ac32d42c5ce3bc04\r\nConclusion\r\nAfter a cyber-security organization published a report detailing the above programs and their malicious extras, the Celas\r\nLLC site was no longer accessible. 
As this site was the command and control server (C2), the payload cannot be confirmed.\r\nThe cyber security organization who published the AppleJeus report states the payload was an encrypted and obfuscated\r\nbinary which eventually drops FALLCHILL onto the machine and installs it as a service.\r\nThe FALLCHILL sample found by the cyber security organization had two default C2 server addresses:\r\n196.38.48.121 – South Africa Internet Solutions, AS3741\r\n185.142.236.226 – Netherlands Amsterdam Blackhost Ltd ISP, AS174 Cogent Communications\r\nThe C2 185.142.236.226 resides in the same Autonomous System Number (ASN) and ISP as the celasllc.com domain.\r\nFurthermore, these IP addresses have been used in three earlier versions of FALLCHILL for C2 according to open source\r\nreporting:\r\n--Begin MD5 and timestamp--\r\n94dfcabd8ba5ca94828cd5a88d6ed488     2016-10-24 02:31:18\r\n14b6d24873f19332701177208f85e776     2017-06-07 06:41:27\r\nabec84286df80704b823e698199d89f7     2017-01-18 04:29:29\r\n--End MD5 and timestamp--\r\nhttps://us-cert.cisa.gov/ncas/analysis-reports/ar21-048a\r\nPage 12 of 14\n\nFile Properties for this sample of FALLCHILL after decryption:\r\nMD5: d7089e6bc8bd137a7241a7ad297f975d\r\nSHA-1: 15062b26d9dd1cf7b0cdf167f4b37cb632ddbd41\r\nSHA-256: 08012e68f4f84bba8b74690c379cb0b1431cdcadc9ed076ff068de289e0f6774\r\nFALLCHILL malware uses a RC4 encryption algorithm with a 16-byte key to protect its communications. According to\r\nreporting from the cyber-security organization that published the original AppleJeus report, the key extracted from the\r\nFALLCHILL variant used in the Celas Trade Pro application is “DA E1 61 FF 0C 27 95 87 17 57 A4 D6 EA E3 82 2B.\"\r\nThis RC4 key has also been used in a previous version of FALLCHILL used by DPRK actors, as further documented in the\r\nUS-CERT Malware Analysis Report AR18-165A released on June 14, 2018. This report was a joint effort by the FBI and\r\nDHS, while working with other U.S. 
Government partners, to analyze and attribute computer intrusion activity from the\r\nDPRK.\r\nNote: The version numbers for AppleJeus correspond to the order in which the campaigns were identified, whether through open source or\r\ninvestigative means. These versions may or may not be in the correct order for development or deployment of the AppleJeus\r\ncampaigns.\r\nRecommendations\r\nCISA recommends that users and administrators consider using the following best practices to strengthen the security\r\nposture of their organization's systems. Any configuration changes should be reviewed by system owners and administrators\r\nprior to implementation to avoid unwanted impacts.\r\nMaintain up-to-date antivirus signatures and engines.\r\nKeep operating system patches up-to-date.\r\nDisable File and Printer sharing services. If these services are required, use strong passwords or Active Directory\r\nauthentication.\r\nRestrict users' ability (permissions) to install and run unwanted software applications. Do not add users to the local\r\nadministrators group unless required.\r\nEnforce a strong password policy and implement regular password changes.\r\nExercise caution when opening e-mail attachments even if the attachment is expected and the sender appears to be\r\nknown.\r\nEnable a personal firewall on agency workstations, configured to deny unsolicited connection requests.\r\nDisable unnecessary services on agency workstations and servers.\r\nScan for and remove suspicious e-mail attachments; ensure the scanned attachment is its \"true file type\" (i.e., the\r\nextension matches the file header).\r\nMonitor users' web browsing habits; restrict access to sites with unfavorable content.\r\nExercise caution when using removable media (e.g., USB thumb drives, external drives, CDs, etc.).\r\nScan all software downloaded from the Internet prior to execution.\r\nMaintain situational awareness of the latest threats and implement appropriate Access Control Lists (ACLs).\r\nAdditional 
information on malware incident prevention and handling can be found in National Institute of Standards and\r\nTechnology (NIST) Special Publication 800-83, \"Guide to Malware Incident Prevention \u0026 Handling for Desktops and\r\nLaptops\".\r\nContact Information\r\nDocument FAQ\r\nWhat is a MIFR? A Malware Initial Findings Report (MIFR) is intended to provide organizations with malware analysis in\r\na timely manner. In most instances this report will provide initial indicators for computer and network defense. To request\r\nadditional analysis, please contact CISA and provide information regarding the level of desired analysis.\r\nWhat is a MAR? A Malware Analysis Report (MAR) is intended to provide organizations with more detailed malware\r\nanalysis acquired via manual reverse engineering. To request additional analysis, please contact CISA and provide\r\ninformation regarding the level of desired analysis.\r\nCan I edit this document? This document is not to be edited in any way by recipients. All comments or questions related to\r\nthis document should be directed to CISA at 1-844-Say-CISA or CISA Central.\r\nCan I submit malware to CISA? Malware samples can be submitted via three methods:\r\nWeb: https://malware.us-cert.gov\r\nE-Mail: submit@malware.us-cert.gov\r\nFTP: ftp.malware.us-cert.gov (anonymous)\r\nhttps://us-cert.cisa.gov/ncas/analysis-reports/ar21-048a\r\nPage 13 of 14\n\nCISA encourages you to report any suspicious activity, including cybersecurity incidents, possible malicious code, software\r\nvulnerabilities, and phishing-related scams. 
Reporting forms can be found on CISA's homepage at www.cisa.gov.\r\nSource: https://us-cert.cisa.gov/ncas/analysis-reports/ar21-048a\r\nhttps://us-cert.cisa.gov/ncas/analysis-reports/ar21-048a\r\nPage 14 of 14\n\n  https://us-cert.cisa.gov/ncas/analysis-reports/ar21-048a   \nCISA encourages you to report any suspicious activity, including cybersecurity incidents, possible malicious code, software\nvulnerabilities, and phishing-related scams. Reporting forms can be found on CISA's homepage at www.cisa.gov.\nSource: https://us-cert.cisa.gov/ncas/analysis-reports/ar21-048a     \n   Page 14 of 14",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://us-cert.cisa.gov/ncas/analysis-reports/ar21-048a"
	],
	"report_names": [
		"ar21-048a"
	],
	"threat_actors": [
		{
			"id": "34eea331-d052-4096-ae03-a22f1d090bd4",
			"created_at": "2025-08-07T02:03:25.073494Z",
			"updated_at": "2026-04-10T02:00:03.709243Z",
			"deleted_at": null,
			"main_name": "NICKEL ACADEMY",
			"aliases": [
				"ATK3 ",
				"Black Artemis ",
				"COVELLITE ",
				"CTG-2460 ",
				"Citrine Sleet ",
				"Diamond Sleet ",
				"Guardians of Peace",
				"HIDDEN COBRA ",
				"High Anonymous",
				"Labyrinth Chollima ",
				"Lazarus Group ",
				"NNPT Group",
				"New Romanic Cyber Army Team",
				"Temp.Hermit ",
				"UNC577 ",
				"Who Am I?",
				"Whois Team",
				"ZINC "
			],
			"source_name": "Secureworks:NICKEL ACADEMY",
			"tools": [
				"Destover",
				"KorHigh",
				"Volgmer"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "cf7fc640-acfe-41c4-9f3d-5515d53a3ffb",
			"created_at": "2023-01-06T13:46:38.228042Z",
			"updated_at": "2026-04-10T02:00:02.883048Z",
			"deleted_at": null,
			"main_name": "APT1",
			"aliases": [
				"PLA Unit 61398",
				"Comment Crew",
				"Byzantine Candor",
				"Comment Group",
				"GIF89a",
				"Group 3",
				"TG-8223",
				"Brown Fox",
				"ShadyRAT",
				"G0006",
				"COMMENT PANDA"
			],
			"source_name": "MISPGALAXY:APT1",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "544ecd2c-82c9-417c-9d98-d1ae395df964",
			"created_at": "2025-10-29T02:00:52.035025Z",
			"updated_at": "2026-04-10T02:00:05.408558Z",
			"deleted_at": null,
			"main_name": "AppleJeus",
			"aliases": [
				"AppleJeus",
				"Gleaming Pisces",
				"Citrine Sleet",
				"UNC1720",
				"UNC4736"
			],
			"source_name": "MITRE:AppleJeus",
			"tools": null,
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "732597b1-40a8-474c-88cc-eb8a421c29f1",
			"created_at": "2025-08-07T02:03:25.087732Z",
			"updated_at": "2026-04-10T02:00:03.776007Z",
			"deleted_at": null,
			"main_name": "NICKEL GLADSTONE",
			"aliases": [
				"APT38 ",
				"ATK 117 ",
				"Alluring Pisces ",
				"Black Alicanto ",
				"Bluenoroff ",
				"CTG-6459 ",
				"Citrine Sleet ",
				"HIDDEN COBRA ",
				"Lazarus Group",
				"Sapphire Sleet ",
				"Selective Pisces ",
				"Stardust Chollima ",
				"T-APT-15 ",
				"TA444 ",
				"TAG-71 "
			],
			"source_name": "Secureworks:NICKEL GLADSTONE",
			"tools": [
				"AlphaNC",
				"Bankshot",
				"CCGC_Proxy",
				"Ratankba",
				"RustBucket",
				"SUGARLOADER",
				"SwiftLoader",
				"Wcry"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "a2b92056-9378-4749-926b-7e10c4500dac",
			"created_at": "2023-01-06T13:46:38.430595Z",
			"updated_at": "2026-04-10T02:00:02.971571Z",
			"deleted_at": null,
			"main_name": "Lazarus Group",
			"aliases": [
				"Operation DarkSeoul",
				"Bureau 121",
				"Group 77",
				"APT38",
				"NICKEL GLADSTONE",
				"G0082",
				"COPERNICIUM",
				"Moonstone Sleet",
				"Operation GhostSecret",
				"APT 38",
				"Appleworm",
				"Unit 121",
				"ATK3",
				"G0032",
				"ATK117",
				"NewRomanic Cyber Army Team",
				"Nickel Academy",
				"Sapphire Sleet",
				"Lazarus group",
				"Hastati Group",
				"Subgroup: Bluenoroff",
				"Operation Troy",
				"Black Artemis",
				"Dark Seoul",
				"Andariel",
				"Labyrinth Chollima",
				"Operation AppleJeus",
				"COVELLITE",
				"Citrine Sleet",
				"DEV-0139",
				"DEV-1222",
				"Hidden Cobra",
				"Bluenoroff",
				"Stardust Chollima",
				"Whois Hacking Team",
				"Diamond Sleet",
				"TA404",
				"BeagleBoyz",
				"APT-C-26"
			],
			"source_name": "MISPGALAXY:Lazarus Group",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "32a223a8-3c79-4146-87c5-8557d38662ae",
			"created_at": "2022-10-25T15:50:23.703698Z",
			"updated_at": "2026-04-10T02:00:05.261989Z",
			"deleted_at": null,
			"main_name": "Lazarus Group",
			"aliases": [
				"Lazarus Group",
				"Labyrinth Chollima",
				"HIDDEN COBRA",
				"Guardians of Peace",
				"NICKEL ACADEMY",
				"Diamond Sleet"
			],
			"source_name": "MITRE:Lazarus Group",
			"tools": [
				"RawDisk",
				"Proxysvc",
				"BADCALL",
				"FALLCHILL",
				"WannaCry",
				"MagicRAT",
				"HOPLIGHT",
				"TYPEFRAME",
				"Dtrack",
				"HotCroissant",
				"HARDRAIN",
				"Dacls",
				"KEYMARBLE",
				"TAINTEDSCRIBE",
				"AuditCred",
				"netsh",
				"ECCENTRICBANDWAGON",
				"AppleJeus",
				"BLINDINGCAN",
				"ThreatNeedle",
				"Volgmer",
				"Cryptoistic",
				"RATANKBA",
				"Bankshot"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "f32df445-9fb4-4234-99e0-3561f6498e4e",
			"created_at": "2022-10-25T16:07:23.756373Z",
			"updated_at": "2026-04-10T02:00:04.739611Z",
			"deleted_at": null,
			"main_name": "Lazarus Group",
			"aliases": [
				"APT-C-26",
				"ATK 3",
				"Appleworm",
				"Citrine Sleet",
				"DEV-0139",
				"Diamond Sleet",
				"G0032",
				"Gleaming Pisces",
				"Gods Apostles",
				"Gods Disciples",
				"Group 77",
				"Guardians of Peace",
				"Hastati Group",
				"Hidden Cobra",
				"ITG03",
				"Jade Sleet",
				"Labyrinth Chollima",
				"Lazarus Group",
				"NewRomanic Cyber Army Team",
				"Operation 99",
				"Operation AppleJeus",
				"Operation AppleJeus sequel",
				"Operation Blockbuster: Breach of Sony Pictures Entertainment",
				"Operation CryptoCore",
				"Operation Dream Job",
				"Operation Dream Magic",
				"Operation Flame",
				"Operation GhostSecret",
				"Operation In(ter)caption",
				"Operation LolZarus",
				"Operation Marstech Mayhem",
				"Operation No Pineapple!",
				"Operation North Star",
				"Operation Phantom Circuit",
				"Operation Sharpshooter",
				"Operation SyncHole",
				"Operation Ten Days of Rain / DarkSeoul",
				"Operation Troy",
				"SectorA01",
				"Slow Pisces",
				"TA404",
				"TraderTraitor",
				"UNC2970",
				"UNC4034",
				"UNC4736",
				"UNC4899",
				"UNC577",
				"Whois Hacking Team"
			],
			"source_name": "ETDA:Lazarus Group",
			"tools": [
				"3CX Backdoor",
				"3Rat Client",
				"3proxy",
				"AIRDRY",
				"ARTFULPIE",
				"ATMDtrack",
				"AlphaNC",
				"Alreay",
				"Andaratm",
				"AngryRebel",
				"AppleJeus",
				"Aryan",
				"AuditCred",
				"BADCALL",
				"BISTROMATH",
				"BLINDINGCAN",
				"BTC Changer",
				"BUFFETLINE",
				"BanSwift",
				"Bankshot",
				"Bitrep",
				"Bitsran",
				"BlindToad",
				"Bookcode",
				"BootWreck",
				"BottomLoader",
				"Brambul",
				"BravoNC",
				"Breut",
				"COLDCAT",
				"COPPERHEDGE",
				"CROWDEDFLOUNDER",
				"Castov",
				"CheeseTray",
				"CleanToad",
				"ClientTraficForwarder",
				"CollectionRAT",
				"Concealment Troy",
				"Contopee",
				"CookieTime",
				"Cyruslish",
				"DAVESHELL",
				"DBLL Dropper",
				"DLRAT",
				"DRATzarus",
				"DRATzarus RAT",
				"Dacls",
				"Dacls RAT",
				"DarkComet",
				"DarkKomet",
				"DeltaCharlie",
				"DeltaNC",
				"Dembr",
				"Destover",
				"DoublePulsar",
				"Dozer",
				"Dtrack",
				"Duuzer",
				"DyePack",
				"ECCENTRICBANDWAGON",
				"ELECTRICFISH",
				"Escad",
				"EternalBlue",
				"FALLCHILL",
				"FYNLOS",
				"FallChill RAT",
				"Farfli",
				"Fimlis",
				"FoggyBrass",
				"FudModule",
				"Fynloski",
				"Gh0st RAT",
				"Ghost RAT",
				"Gopuram",
				"HARDRAIN",
				"HIDDEN COBRA RAT/Worm",
				"HLOADER",
				"HOOKSHOT",
				"HOPLIGHT",
				"HOTCROISSANT",
				"HOTWAX",
				"HTTP Troy",
				"Hawup",
				"Hawup RAT",
				"Hermes",
				"HotCroissant",
				"HotelAlfa",
				"Hotwax",
				"HtDnDownLoader",
				"Http Dr0pper",
				"ICONICSTEALER",
				"Joanap",
				"Jokra",
				"KANDYKORN",
				"KEYMARBLE",
				"Kaos",
				"KillDisk",
				"KillMBR",
				"Koredos",
				"Krademok",
				"LIGHTSHIFT",
				"LIGHTSHOW",
				"LOLBAS",
				"LOLBins",
				"Lazarus",
				"LightlessCan",
				"Living off the Land",
				"MATA",
				"MBRkiller",
				"MagicRAT",
				"Manuscrypt",
				"Mimail",
				"Mimikatz",
				"Moudour",
				"Mydoom",
				"Mydoor",
				"Mytob",
				"NACHOCHEESE",
				"NachoCheese",
				"NestEgg",
				"NickelLoader",
				"NineRAT",
				"Novarg",
				"NukeSped",
				"OpBlockBuster",
				"PCRat",
				"PEBBLEDASH",
				"PLANKWALK",
				"POOLRAT",
				"PSLogger",
				"PhanDoor",
				"Plink",
				"PondRAT",
				"PowerBrace",
				"PowerRatankba",
				"PowerShell RAT",
				"PowerSpritz",
				"PowerTask",
				"Preft",
				"ProcDump",
				"Proxysvc",
				"PuTTY Link",
				"QUICKRIDE",
				"QUICKRIDE.POWER",
				"Quickcafe",
				"QuiteRAT",
				"R-C1",
				"ROptimizer",
				"Ratabanka",
				"RatabankaPOS",
				"Ratankba",
				"RatankbaPOS",
				"RawDisk",
				"RedShawl",
				"Rifdoor",
				"Rising Sun",
				"Romeo-CoreOne",
				"RomeoAlfa",
				"RomeoBravo",
				"RomeoCharlie",
				"RomeoCore",
				"RomeoDelta",
				"RomeoEcho",
				"RomeoFoxtrot",
				"RomeoGolf",
				"RomeoHotel",
				"RomeoMike",
				"RomeoNovember",
				"RomeoWhiskey",
				"Romeos",
				"RustBucket",
				"SHADYCAT",
				"SHARPKNOT",
				"SIGFLIP",
				"SIMPLESEA",
				"SLICKSHOES",
				"SORRYBRUTE",
				"SUDDENICON",
				"SUGARLOADER",
				"SheepRAT",
				"SierraAlfa",
				"SierraBravo",
				"SierraCharlie",
				"SierraJuliett-MikeOne",
				"SierraJuliett-MikeTwo",
				"SimpleTea",
				"SimplexTea",
				"SmallTiger",
				"Stunnel",
				"TAINTEDSCRIBE",
				"TAXHAUL",
				"TFlower",
				"TOUCHKEY",
				"TOUCHMOVE",
				"TOUCHSHIFT",
				"TOUCHSHOT",
				"TWOPENCE",
				"TYPEFRAME",
				"Tdrop",
				"Tdrop2",
				"ThreatNeedle",
				"Tiger RAT",
				"TigerRAT",
				"Trojan Manuscript",
				"Troy",
				"TroyRAT",
				"VEILEDSIGNAL",
				"VHD",
				"VHD Ransomware",
				"VIVACIOUSGIFT",
				"VSingle",
				"ValeforBeta",
				"Volgmer",
				"Vyveva",
				"W1_RAT",
				"Wana Decrypt0r",
				"WanaCry",
				"WanaCrypt",
				"WanaCrypt0r",
				"WannaCry",
				"WannaCrypt",
				"WannaCryptor",
				"WbBot",
				"Wcry",
				"Win32/KillDisk.NBB",
				"Win32/KillDisk.NBC",
				"Win32/KillDisk.NBD",
				"Win32/KillDisk.NBH",
				"Win32/KillDisk.NBI",
				"WinorDLL64",
				"Winsec",
				"WolfRAT",
				"Wormhole",
				"YamaBot",
				"Yort",
				"ZetaNile",
				"concealment_troy",
				"http_troy",
				"httpdr0pper",
				"httpdropper",
				"klovbot",
				"sRDI"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "3aaf0755-5c9b-4612-9f0e-e266ef1bdb4b",
			"created_at": "2022-10-25T16:07:23.480196Z",
			"updated_at": "2026-04-10T02:00:04.626125Z",
			"deleted_at": null,
			"main_name": "Comment Crew",
			"aliases": [
				"APT 1",
				"BrownFox",
				"Byzantine Candor",
				"Byzantine Hades",
				"Comment Crew",
				"Comment Panda",
				"G0006",
				"GIF89a",
				"Group 3",
				"Operation Oceansalt",
				"Operation Seasalt",
				"Operation Siesta",
				"Shanghai Group",
				"TG-8223"
			],
			"source_name": "ETDA:Comment Crew",
			"tools": [
				"Auriga",
				"Cachedump",
				"Chymine",
				"CookieBag",
				"Darkmoon",
				"GDOCUPLOAD",
				"GLOOXMAIL",
				"GREENCAT",
				"Gen:Trojan.Heur.PT",
				"GetMail",
				"Hackfase",
				"Hacksfase",
				"Helauto",
				"Kurton",
				"LETSGO",
				"LIGHTBOLT",
				"LIGHTDART",
				"LOLBAS",
				"LOLBins",
				"LONGRUN",
				"Living off the Land",
				"Lslsass",
				"MAPIget",
				"ManItsMe",
				"Mimikatz",
				"MiniASP",
				"Oceansalt",
				"Pass-The-Hash Toolkit",
				"Poison Ivy",
				"ProcDump",
				"Riodrv",
				"SPIVY",
				"Seasalt",
				"ShadyRAT",
				"StarsyPound",
				"TROJAN.COOKIES",
				"TROJAN.FOXY",
				"TabMsgSQL",
				"Tarsip",
				"Trojan.GTALK",
				"WebC2",
				"WebC2-AdSpace",
				"WebC2-Ausov",
				"WebC2-Bolid",
				"WebC2-Cson",
				"WebC2-DIV",
				"WebC2-GreenCat",
				"WebC2-Head",
				"WebC2-Kt3",
				"WebC2-Qbp",
				"WebC2-Rave",
				"WebC2-Table",
				"WebC2-UGX",
				"WebC2-Yahoo",
				"Wordpress Bruteforcer",
				"bangat",
				"gsecdump",
				"pivy",
				"poisonivy",
				"pwdump",
				"zxdosml"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434551,
	"ts_updated_at": 1775792300,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/011876dca620a413d446d61722b0a854aa2b8503.pdf",
		"text": "https://archive.orkl.eu/011876dca620a413d446d61722b0a854aa2b8503.txt",
		"img": "https://archive.orkl.eu/011876dca620a413d446d61722b0a854aa2b8503.jpg"
	}
}