{
	"id": "854265bd-1a39-4da2-8362-e5b7eed3ae61",
	"created_at": "2026-04-06T00:08:40.311068Z",
	"updated_at": "2026-04-10T13:12:11.907412Z",
	"deleted_at": null,
	"sha1_hash": "0b0ba37c7139735b5df0bcb12981b3a10cfc02c2",
	"title": "Following the Lazarus group by tracking DeathNote campaign",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1736248,
	"plain_text": "Following the Lazarus group by tracking DeathNote campaign\r\nBy Seongsu Park\r\nPublished: 2023-04-12 · Archived: 2026-04-05 14:14:14 UTC\r\nThe Lazarus group is a high-profile Korean-speaking threat actor with multiple sub-campaigns. We have\r\npreviously published information about the connections of each cluster of this group. In this blog, we’ll focus on\r\nan active cluster that we dubbed DeathNote because the malware responsible for downloading additional payloads\r\nis named Dn.dll or Dn64.dll. This threat is also known as Operation DreamJob or NukeSped. Over the past few\r\nyears, we have closely monitored the DeathNote cluster, observing a shift in their targets as well as the\r\ndevelopment and refinement of their tools, techniques, and procedures.\r\nTimeline of DeathNote cluster\r\nIn this blog, we will provide an overview of the significant modifications that have taken place within this cluster,\r\nboth in terms of its technical and strategic aspects.\r\nBeginning of tracking DeathNote\r\nThe notorious threat actor Lazarus has persistently targeted cryptocurrency-related businesses for a long time.\r\nWhile monitoring the actor’s activities, we noticed that in one particular case they were using a significantly\r\nmodified piece of malware. In mid-October 2019, we came across a suspicious document uploaded to VirusTotal.\r\nUpon further investigation, we discovered that the actor behind this weaponized document had been using similar\r\nmalicious Word documents since October 2018. 
The malware author used decoy documents that were related to\r\nthe cryptocurrency business such as a questionnaire about buying specific cryptocurrency, an introduction to a\r\nspecific cryptocurrency, and an introduction to a bitcoin mining company.\r\nhttps://securelist.com/the-lazarus-group-deathnote-campaign/109490/\r\nPage 1 of 11\n\nDecoy documents\r\nOnce the victim opens the document and enables the macro, the malicious Visual Basic Script extracts the\r\nembedded downloader malware and loads it with specific parameters. In this initial discovery, the actor used two\r\ntypes of second-stage payload. The first is a manipulated piece of software that contains a malicious backdoor,\r\nwhile the second is a typical backdoor with a multi-stage binary infection process.\r\nInfection procedure\r\nThe Trojanized application utilized in the second stage is masquerading as a genuine UltraVNC viewer. If\r\nexecuted without any command line parameters, it will display a legitimate UltraVNC viewer window. However,\r\nit carries out a malicious routine when it is spawned with “-s {F9BK1K0A-KQ9B-2PVH-5YKV-IY2JLT37QQCJ}” parameters. The other infection method executes the installer, which creates and registers an\r\ninjector and backdoor in a Windows service. Finally, the backdoor is injected into a legitimate process\r\n(svchost.exe) and initiates a command-and-control (C2) operation. In this infection, the final payload injected into\r\nthe legitimate process was Manuscrypt. Until this discovery, the Lazarus group had primarily targeted the\r\ncryptocurrency business. 
Our investigation has identified potential compromises of individuals or companies\r\ninvolved in cryptocurrency in Cyprus, the United States, Taiwan and Hong Kong.\r\nShifting focus to the defense industry\r\nWhile tracking this campaign, we uncovered a significant shift in the attack’s target along with updated infection\r\nvectors in April 2020. Our research showed that the DeathNote cluster was used to target the automotive and\r\nacademic sectors in Eastern Europe, both of which are connected to the defense industry. At this point, the actor\r\nswitched all the decoy documents to job descriptions related to defense contractors and diplomatic services.\r\nDecoy documents\r\nIn addition, the actor refined its infection chain, using the remote template injection technique in its weaponized\r\ndocuments, as well as utilizing Trojanized open-source PDF viewer software. Both of these infection methods\r\nresult in the same malware (DeathNote downloader), which is responsible for uploading the victim’s information\r\nand retrieving the next-stage payload at the C2’s discretion. Finally, a COPPERHEDGE variant is executed in\r\nmemory.\r\nInfection chain\r\nNotably, a Trojanized PDF reader, based on the open source software, used an interesting technique to initiate its\r\nmalicious routine. It first retrieves the MD5 hash of the opened PDF file and performs an XOR operation on 65\r\nbytes of embedded data using the retrieved MD5 value. Next, it verifies that the first WORD value of the XORed\r\ndata is 0x4682, and checks that the MD5 hash value matches the last 16 bytes of the XORed data. 
If both\r\nconditions are met, the remaining 47-byte value is used as the decryption key for the next stage of infection.\r\nVerification process of Trojanized PDF reader\r\nFinally, this Trojanized PDF viewer overwrites the original opened file with a decoy PDF file and opens it to\r\ndeceive the victim while implanting the malware payload. The payload is executed with command line\r\nparameters, and a shortcut file is created in the Startup folder to ensure persistence. This infection mechanism\r\ndemonstrates the care and precision with which the actor delivers the payload.\r\nExpanded target and adoption of new infection vector\r\nIn May 2021, we observed that an IT company in Europe that provides solutions for monitoring network devices\r\nand servers was compromised by the same cluster. It’s believed that the Lazarus group had an interest in this\r\ncompany’s widely used software or its supply chain.\r\nIn addition, in early June 2021, the Lazarus group began utilizing a new infection mechanism against targets in\r\nSouth Korea. One thing that caught our attention was that the initial stage of the malware was executed by\r\nlegitimate security software that is widely used in South Korea. It’s thought that the malware was spread through a\r\nvulnerability in this widely used software in South Korea.\r\nInfection chain\r\nSimilar to the previous case, the initial infection vector created the downloader malware. Once connected to the\r\nC2 server, the downloader retrieved an additional payload based on the operator’s commands and executed it in\r\nmemory. During this time, the BLINDINGCAN malware was used as a memory-resident backdoor. While the\r\nBLINDINGCAN malware has sufficient capabilities to control the victim, the actor manually implanted additional\r\nmalware. It’s believed that the group aims to create an auxiliary method to control the victim. 
The retrieved\r\nloader’s export function (CMS_ContentInfo) was launched with command line parameters, which are crucial for\r\ndecrypting the embedded next-stage payload and configuration. This process only proceeds if the length of the\r\nparameter is 38. Finally, the COPPERHEDGE malware, previously used by this cluster, was executed on the\r\nvictim.\r\nAlmost one year later, in March 2022, we discovered that the same security program had been exploited to\r\npropagate similar downloader malware to several victims in South Korea. However, a different payload was\r\ndelivered in this case. The C2 operator manually implanted a backdoor twice, and although we were unable to\r\nacquire the initially implanted backdoor, we assume it is the same as the backdoor in the following stage. The\r\nnewly implanted backdoor is capable of executing a retrieved payload with named-pipe communication. In\r\naddition, the actor utilized side-loading to execute Mimikatz and used stealer malware to collect keystroke and\r\nclipboard data from users.\r\nInfection chain\r\nAround the same time, we uncovered evidence that one defense contractor in Latin America was compromised by\r\nthe same backdoor. The initial infection vector was similar to what we’ve seen with other defense industry targets,\r\ninvolving the use of a Trojanized PDF reader with a crafted PDF file. However, in this particular case, the actor\r\nadopted a side-loading technique to execute the final payload. When the malicious PDF file is opened with the\r\nTrojanized PDF reader, the victim is infected with the same malware mentioned above, which is responsible for\r\ncollecting and reporting the victim’s information, retrieving commands and executing them using pipe\r\ncommunication mechanisms. 
The actor used this malware to implant additional payloads, including legitimate\r\nfiles for side-loading purposes.\r\nLegitimate file: %APPDATA%\\USOShared\\CameraSettingsUIHost.exe\r\nMalicious file: %APPDATA%\\USOShared\\dui70.dll\r\nConfig file: %APPDATA%\\USOShared\\4800-84dc-063a6a41c5c\r\nCommand line: %APPDATA%\\USOShared\\CameraSettingsUIHost.exe uTYNkfKxHiZrx3KJ\r\nAn ongoing attack targeting a defense contractor with updated infection tactics\r\nIn July 2022, we observed that the Lazarus group had successfully breached a defense contractor in Africa. The\r\ninitial infection was a suspicious PDF application, which had been sent via the Skype messenger. After executing\r\nthe PDF reader, it created both a legitimate file (CameraSettingsUIHost.exe) and a malicious file (DUI70.dll) in the\r\nsame directory. This attack heavily relied on the same DLL side-loading technique that we observed in the\r\nprevious case. The payload that was initially implanted and executed by the PDF reader was responsible for\r\ncollecting and reporting the victim’s information, as well as retrieving an additional payload from the remote\r\nserver named LPEClient. The Lazarus group used this malware several times in various campaigns. They have\r\nalso utilized the same DLL side-loading technique to implant additional malware that is capable of backdoor\r\noperation. In order to move laterally across systems, the actor used an interesting technique called ServiceMove.\r\nThis technique leverages the Windows Perception Simulation Service to load arbitrary DLL files. According to the\r\nauthor’s explanation, ‘a non-existing DLL file will be loaded every time when the Windows Perception\r\nSimulation Service is started’. 
By creating an arbitrary DLL in C:\\Windows\\System32\\PerceptionSimulation\\ and\r\nstarting the service remotely, the actors were able to achieve code execution as NT AUTHORITY\\SYSTEM on a\r\nremote system. The actor created a devobj.dll file in the PerceptionSimulation folder and remotely executed the\r\nPerceptionSimulation service. Upon launching the devobj.dll file, it decrypted an encrypted backdoor file,\r\nPercepXml.dat, from the same folder and executed it in memory.\r\nInfection chain\r\nPost-exploitation\r\nDuring our investigation of this campaign, we have gained extensive insight into the Lazarus group’s post-exploitation strategy. After initial infection, the operator executed numerous Windows commands to gather basic\r\nsystem information and attempt to find valuable hosts, such as an Active Directory server. Before moving\r\nlaterally, the Lazarus group acquired Windows credentials using well-known methods, and employed public\r\ntechniques, such as ServiceMove. When the group completed its mission and began exfiltrating data, they mostly\r\nutilized the WinRAR utility to compress files and transmit them via C2 communication channels.\r\nPhase: Basic reconnaissance\r\nExamples: Generally used Windows commands. For example:\r\ncmd.exe /c netstat -ano | find TCP\r\nsysteminfo\r\nIn one case, they accessed the default domain controllers policy directly.\r\ncmd.exe /c “Type “\\\\[redacted]\\SYSVOL\\[redacted]\\Policies\\{6AC1786C-016F-11D2-945F-00C04fB984F9}\\MACHINE\\Microsoft\\Windows NT\\SecEdit\\GptTmpl.inf”\r\nPhase: Finding high-value hosts\r\nExamples: To find a connected Remote Desktop host, it utilized Windows commands or queried the\r\nsaved server list from the registry.\r\ncmd.exe /c netstat -ano | findstr 3389\r\ncmd.exe /c reg query HKEY_USERS\\S-1-5-[redacted]-1001\\Software\\Microsoft\\Terminal Server Client\\Servers\r\nUtilizing the ADFind tool to acquire Active Directory information.\r\ncmd.exe /c “%appdata%\\[redacted].xic -b dc=[redacted],dc=[redacted] -f “sAMAccountName=[redacted]” \u003e\u003e %temp%\\dm3349.tmp 2\u003e\u00261”\r\nPhase: Acquiring login credentials\r\nExamples: Utilizing crafted Mimikatz to dump login credentials or the Responder tool to capture\r\ncredentials.\r\nPhase: Lateral movement\r\nExamples: One common approach for launching commands on remote hosts is to use methods like\r\nSMB connection or the ServiceMove technique.\r\nPhase: Exfiltration\r\nExamples: Using WinRAR to archive files before sending the stolen file via the C2 channel.\r\nadobearm.exe a -hp1q2w3e4 -m5 -v2000000k “%LocalAppData%\\Adobe\\SYSVOL800.CHK” “\\\\[redacted]FILE02.[redacted]\\Projects\\[redacted] Concept Demonstrator”\r\n%appdata%\\USOShared\\USOShared.LOG1 a -hpb61de03de6e0451e834db6f185522bff -m5 “%appdata%\\USOShared\\USOShared.LOG2” “%appdata%\\ntuser.001.dat”\r\nAttribution\r\nAfter tracking the DeathNote cluster and its origin, we have determined that the Lazarus group is responsible for\r\nthis malware strain. Our conclusion is supported by many security vendors who also believe that the Lazarus\r\ngroup is linked to this malware. 
Furthermore, we have analyzed the delivery of Windows commands to the victim\r\nthrough the DeathNote malware, and discovered that a significant number of commands were executed between\r\nGMT 00:00 and 07:00. Based on our knowledge of normal working hours, we can infer that the actor is located in\r\neither the GMT+08 or GMT+09 time zone.\r\nTimeline of Windows commands\r\nMoreover, the actor left a Korean comment ‘정상호출’, which translates to ‘normal call’, in the C2 script. This\r\nfurther supports the hypothesis that Lazarus is a Korean-speaking actor.\r\nKorean comment in the C2 script\r\nIn conclusion, the Lazarus group is a notorious and highly skilled threat actor. Our analysis of the DeathNote\r\ncluster reveals a rapid evolution in its tactics, techniques and procedures over the years. As the Lazarus group\r\ncontinues to refine its approaches, it is crucial for organizations to maintain vigilance and take proactive measures\r\nto defend against its malicious activities. 
By staying informed and implementing strong security measures,\r\norganizations can reduce the risk of falling victim to this dangerous adversary.\r\nIndicators of Compromise\r\nSource: https://securelist.com/the-lazarus-group-deathnote-campaign/109490/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA",
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://securelist.com/the-lazarus-group-deathnote-campaign/109490/"
	],
	"report_names": [
		"109490"
	],
	"threat_actors": [
		{
			"id": "34eea331-d052-4096-ae03-a22f1d090bd4",
			"created_at": "2025-08-07T02:03:25.073494Z",
			"updated_at": "2026-04-10T02:00:03.709243Z",
			"deleted_at": null,
			"main_name": "NICKEL ACADEMY",
			"aliases": [
				"ATK3 ",
				"Black Artemis ",
				"COVELLITE ",
				"CTG-2460 ",
				"Citrine Sleet ",
				"Diamond Sleet ",
				"Guardians of Peace",
				"HIDDEN COBRA ",
				"High Anonymous",
				"Labyrinth Chollima ",
				"Lazarus Group ",
				"NNPT Group",
				"New Romanic Cyber Army Team",
				"Temp.Hermit ",
				"UNC577 ",
				"Who Am I?",
				"Whois Team",
				"ZINC "
			],
			"source_name": "Secureworks:NICKEL ACADEMY",
			"tools": [
				"Destover",
				"KorHigh",
				"Volgmer"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "732597b1-40a8-474c-88cc-eb8a421c29f1",
			"created_at": "2025-08-07T02:03:25.087732Z",
			"updated_at": "2026-04-10T02:00:03.776007Z",
			"deleted_at": null,
			"main_name": "NICKEL GLADSTONE",
			"aliases": [
				"APT38 ",
				"ATK 117 ",
				"Alluring Pisces ",
				"Black Alicanto ",
				"Bluenoroff ",
				"CTG-6459 ",
				"Citrine Sleet ",
				"HIDDEN COBRA ",
				"Lazarus Group",
				"Sapphire Sleet ",
				"Selective Pisces ",
				"Stardust Chollima ",
				"T-APT-15 ",
				"TA444 ",
				"TAG-71 "
			],
			"source_name": "Secureworks:NICKEL GLADSTONE",
			"tools": [
				"AlphaNC",
				"Bankshot",
				"CCGC_Proxy",
				"Ratankba",
				"RustBucket",
				"SUGARLOADER",
				"SwiftLoader",
				"Wcry"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "a2b92056-9378-4749-926b-7e10c4500dac",
			"created_at": "2023-01-06T13:46:38.430595Z",
			"updated_at": "2026-04-10T02:00:02.971571Z",
			"deleted_at": null,
			"main_name": "Lazarus Group",
			"aliases": [
				"Operation DarkSeoul",
				"Bureau 121",
				"Group 77",
				"APT38",
				"NICKEL GLADSTONE",
				"G0082",
				"COPERNICIUM",
				"Moonstone Sleet",
				"Operation GhostSecret",
				"APT 38",
				"Appleworm",
				"Unit 121",
				"ATK3",
				"G0032",
				"ATK117",
				"NewRomanic Cyber Army Team",
				"Nickel Academy",
				"Sapphire Sleet",
				"Lazarus group",
				"Hastati Group",
				"Subgroup: Bluenoroff",
				"Operation Troy",
				"Black Artemis",
				"Dark Seoul",
				"Andariel",
				"Labyrinth Chollima",
				"Operation AppleJeus",
				"COVELLITE",
				"Citrine Sleet",
				"DEV-0139",
				"DEV-1222",
				"Hidden Cobra",
				"Bluenoroff",
				"Stardust Chollima",
				"Whois Hacking Team",
				"Diamond Sleet",
				"TA404",
				"BeagleBoyz",
				"APT-C-26"
			],
			"source_name": "MISPGALAXY:Lazarus Group",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "32a223a8-3c79-4146-87c5-8557d38662ae",
			"created_at": "2022-10-25T15:50:23.703698Z",
			"updated_at": "2026-04-10T02:00:05.261989Z",
			"deleted_at": null,
			"main_name": "Lazarus Group",
			"aliases": [
				"Lazarus Group",
				"Labyrinth Chollima",
				"HIDDEN COBRA",
				"Guardians of Peace",
				"NICKEL ACADEMY",
				"Diamond Sleet"
			],
			"source_name": "MITRE:Lazarus Group",
			"tools": [
				"RawDisk",
				"Proxysvc",
				"BADCALL",
				"FALLCHILL",
				"WannaCry",
				"MagicRAT",
				"HOPLIGHT",
				"TYPEFRAME",
				"Dtrack",
				"HotCroissant",
				"HARDRAIN",
				"Dacls",
				"KEYMARBLE",
				"TAINTEDSCRIBE",
				"AuditCred",
				"netsh",
				"ECCENTRICBANDWAGON",
				"AppleJeus",
				"BLINDINGCAN",
				"ThreatNeedle",
				"Volgmer",
				"Cryptoistic",
				"RATANKBA",
				"Bankshot"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "f32df445-9fb4-4234-99e0-3561f6498e4e",
			"created_at": "2022-10-25T16:07:23.756373Z",
			"updated_at": "2026-04-10T02:00:04.739611Z",
			"deleted_at": null,
			"main_name": "Lazarus Group",
			"aliases": [
				"APT-C-26",
				"ATK 3",
				"Appleworm",
				"Citrine Sleet",
				"DEV-0139",
				"Diamond Sleet",
				"G0032",
				"Gleaming Pisces",
				"Gods Apostles",
				"Gods Disciples",
				"Group 77",
				"Guardians of Peace",
				"Hastati Group",
				"Hidden Cobra",
				"ITG03",
				"Jade Sleet",
				"Labyrinth Chollima",
				"Lazarus Group",
				"NewRomanic Cyber Army Team",
				"Operation 99",
				"Operation AppleJeus",
				"Operation AppleJeus sequel",
				"Operation Blockbuster: Breach of Sony Pictures Entertainment",
				"Operation CryptoCore",
				"Operation Dream Job",
				"Operation Dream Magic",
				"Operation Flame",
				"Operation GhostSecret",
				"Operation In(ter)caption",
				"Operation LolZarus",
				"Operation Marstech Mayhem",
				"Operation No Pineapple!",
				"Operation North Star",
				"Operation Phantom Circuit",
				"Operation Sharpshooter",
				"Operation SyncHole",
				"Operation Ten Days of Rain / DarkSeoul",
				"Operation Troy",
				"SectorA01",
				"Slow Pisces",
				"TA404",
				"TraderTraitor",
				"UNC2970",
				"UNC4034",
				"UNC4736",
				"UNC4899",
				"UNC577",
				"Whois Hacking Team"
			],
			"source_name": "ETDA:Lazarus Group",
			"tools": [
				"3CX Backdoor",
				"3Rat Client",
				"3proxy",
				"AIRDRY",
				"ARTFULPIE",
				"ATMDtrack",
				"AlphaNC",
				"Alreay",
				"Andaratm",
				"AngryRebel",
				"AppleJeus",
				"Aryan",
				"AuditCred",
				"BADCALL",
				"BISTROMATH",
				"BLINDINGCAN",
				"BTC Changer",
				"BUFFETLINE",
				"BanSwift",
				"Bankshot",
				"Bitrep",
				"Bitsran",
				"BlindToad",
				"Bookcode",
				"BootWreck",
				"BottomLoader",
				"Brambul",
				"BravoNC",
				"Breut",
				"COLDCAT",
				"COPPERHEDGE",
				"CROWDEDFLOUNDER",
				"Castov",
				"CheeseTray",
				"CleanToad",
				"ClientTraficForwarder",
				"CollectionRAT",
				"Concealment Troy",
				"Contopee",
				"CookieTime",
				"Cyruslish",
				"DAVESHELL",
				"DBLL Dropper",
				"DLRAT",
				"DRATzarus",
				"DRATzarus RAT",
				"Dacls",
				"Dacls RAT",
				"DarkComet",
				"DarkKomet",
				"DeltaCharlie",
				"DeltaNC",
				"Dembr",
				"Destover",
				"DoublePulsar",
				"Dozer",
				"Dtrack",
				"Duuzer",
				"DyePack",
				"ECCENTRICBANDWAGON",
				"ELECTRICFISH",
				"Escad",
				"EternalBlue",
				"FALLCHILL",
				"FYNLOS",
				"FallChill RAT",
				"Farfli",
				"Fimlis",
				"FoggyBrass",
				"FudModule",
				"Fynloski",
				"Gh0st RAT",
				"Ghost RAT",
				"Gopuram",
				"HARDRAIN",
				"HIDDEN COBRA RAT/Worm",
				"HLOADER",
				"HOOKSHOT",
				"HOPLIGHT",
				"HOTCROISSANT",
				"HOTWAX",
				"HTTP Troy",
				"Hawup",
				"Hawup RAT",
				"Hermes",
				"HotCroissant",
				"HotelAlfa",
				"Hotwax",
				"HtDnDownLoader",
				"Http Dr0pper",
				"ICONICSTEALER",
				"Joanap",
				"Jokra",
				"KANDYKORN",
				"KEYMARBLE",
				"Kaos",
				"KillDisk",
				"KillMBR",
				"Koredos",
				"Krademok",
				"LIGHTSHIFT",
				"LIGHTSHOW",
				"LOLBAS",
				"LOLBins",
				"Lazarus",
				"LightlessCan",
				"Living off the Land",
				"MATA",
				"MBRkiller",
				"MagicRAT",
				"Manuscrypt",
				"Mimail",
				"Mimikatz",
				"Moudour",
				"Mydoom",
				"Mydoor",
				"Mytob",
				"NACHOCHEESE",
				"NachoCheese",
				"NestEgg",
				"NickelLoader",
				"NineRAT",
				"Novarg",
				"NukeSped",
				"OpBlockBuster",
				"PCRat",
				"PEBBLEDASH",
				"PLANKWALK",
				"POOLRAT",
				"PSLogger",
				"PhanDoor",
				"Plink",
				"PondRAT",
				"PowerBrace",
				"PowerRatankba",
				"PowerShell RAT",
				"PowerSpritz",
				"PowerTask",
				"Preft",
				"ProcDump",
				"Proxysvc",
				"PuTTY Link",
				"QUICKRIDE",
				"QUICKRIDE.POWER",
				"Quickcafe",
				"QuiteRAT",
				"R-C1",
				"ROptimizer",
				"Ratabanka",
				"RatabankaPOS",
				"Ratankba",
				"RatankbaPOS",
				"RawDisk",
				"RedShawl",
				"Rifdoor",
				"Rising Sun",
				"Romeo-CoreOne",
				"RomeoAlfa",
				"RomeoBravo",
				"RomeoCharlie",
				"RomeoCore",
				"RomeoDelta",
				"RomeoEcho",
				"RomeoFoxtrot",
				"RomeoGolf",
				"RomeoHotel",
				"RomeoMike",
				"RomeoNovember",
				"RomeoWhiskey",
				"Romeos",
				"RustBucket",
				"SHADYCAT",
				"SHARPKNOT",
				"SIGFLIP",
				"SIMPLESEA",
				"SLICKSHOES",
				"SORRYBRUTE",
				"SUDDENICON",
				"SUGARLOADER",
				"SheepRAT",
				"SierraAlfa",
				"SierraBravo",
				"SierraCharlie",
				"SierraJuliett-MikeOne",
				"SierraJuliett-MikeTwo",
				"SimpleTea",
				"SimplexTea",
				"SmallTiger",
				"Stunnel",
				"TAINTEDSCRIBE",
				"TAXHAUL",
				"TFlower",
				"TOUCHKEY",
				"TOUCHMOVE",
				"TOUCHSHIFT",
				"TOUCHSHOT",
				"TWOPENCE",
				"TYPEFRAME",
				"Tdrop",
				"Tdrop2",
				"ThreatNeedle",
				"Tiger RAT",
				"TigerRAT",
				"Trojan Manuscript",
				"Troy",
				"TroyRAT",
				"VEILEDSIGNAL",
				"VHD",
				"VHD Ransomware",
				"VIVACIOUSGIFT",
				"VSingle",
				"ValeforBeta",
				"Volgmer",
				"Vyveva",
				"W1_RAT",
				"Wana Decrypt0r",
				"WanaCry",
				"WanaCrypt",
				"WanaCrypt0r",
				"WannaCry",
				"WannaCrypt",
				"WannaCryptor",
				"WbBot",
				"Wcry",
				"Win32/KillDisk.NBB",
				"Win32/KillDisk.NBC",
				"Win32/KillDisk.NBD",
				"Win32/KillDisk.NBH",
				"Win32/KillDisk.NBI",
				"WinorDLL64",
				"Winsec",
				"WolfRAT",
				"Wormhole",
				"YamaBot",
				"Yort",
				"ZetaNile",
				"concealment_troy",
				"http_troy",
				"httpdr0pper",
				"httpdropper",
				"klovbot",
				"sRDI"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434120,
	"ts_updated_at": 1775826731,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/0b0ba37c7139735b5df0bcb12981b3a10cfc02c2.pdf",
		"text": "https://archive.orkl.eu/0b0ba37c7139735b5df0bcb12981b3a10cfc02c2.txt",
		"img": "https://archive.orkl.eu/0b0ba37c7139735b5df0bcb12981b3a10cfc02c2.jpg"
	}
}