{
	"id": "594d7523-ea0c-496a-a3b9-6987b8cb2180",
	"created_at": "2026-04-06T00:15:55.108436Z",
	"updated_at": "2026-04-10T03:36:13.979715Z",
	"deleted_at": null,
	"sha1_hash": "0ff42bc6aa89c1ffb57c35516481abc32aac2711",
	"title": "(Are you) afreight of the dark? Watch out for Vyveva, new Lazarus backdoor",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 396976,
	"plain_text": "(Are you) afreight of the dark? Watch out for Vyveva, new Lazarus\r\nbackdoor\r\nBy Filip Jurčacko\r\nArchived: 2026-04-05 21:16:04 UTC\r\nESET researchers have discovered a previously undocumented Lazarus backdoor, which they have dubbed Vyveva,\r\nbeing used to attack a freight logistics company in South Africa. The backdoor consists of multiple components and\r\ncommunicates with its C\u0026C server via the Tor network. So far, we have been able to find its installer, loader and\r\nmain payload – a backdoor with a TorSocket DLL. The previously unknown attack was discovered in June 2020.\r\nAlthough Vyveva has been used since at least December 2018, its initial compromise vector is still unknown. Our\r\ntelemetry data suggests targeted deployment as we found only two victim machines, both of which are servers owned\r\nby a freight logistics company located in South Africa. The backdoor features capabilities for file exfiltration,\r\ntimestomping, gathering information about the victim computer and its drives, and other common backdoor\r\nfunctionality such as running arbitrary code specified by the malware’s operators. This indicates that the intent of the\r\noperation is most likely espionage.\r\nThis blogpost provides the first public, technical analysis of Vyveva’s components.\r\nAttribution to Lazarus\r\nVyveva shares multiple code similarities with older Lazarus samples that are detected by ESET products as the\r\nNukeSped malware family. 
However, the similarities do not end there: the use of fake TLS in network\r\ncommunication, command line execution chains, and the way of using encryption and Tor services all point towards\r\nLazarus; hence we can attribute Vyveva to this APT group with high confidence.\r\nAn example of the numerous code similarities can be seen in Figure 1 – resolving uniquely named Tor library\r\nexports.\r\n92F5469DBEFDCEE1343934BE149AFC1241CC8497 msobjs.drx Vyveva backdoor\r\nBF98EA1326E5F8C351E68C79B5D1E0164C7BE728 taskhosts.exe Win32/NukeSped.HV trojan\r\nhttps://www.welivesecurity.com/2021/04/08/are-you-afreight-dark-watch-out-vyveva-new-lazarus-backdoor/\r\nPage 1 of 10\n\nFigure 1. Hex-Rays decompilation showing similarity between Vyveva (left) and NukeSped sample (right)\r\nTechnical analysis\r\nUp until now, we have managed to find three of the multiple components comprising Vyveva – its installer, loader\r\nand backdoor. The installer is the earliest chronological stage found and since it expects other components to be\r\nalready present on the machine, it suggests the existence of an earlier, unknown stage – a dropper. The loader serves\r\nto decrypt the backdoor using a simple XOR decryption algorithm.\r\nFigure 2 provides a closer look at the functionality of the installer, the backdoor, and the Tor library.\r\nFigure 2. Overview of Vyveva components\r\nInstaller\r\nThe main purposes of the installer are twofold: it creates a service that ensures persistence of the backdoor loader,\r\nand it stores the embedded, default backdoor configuration in the registry.\r\nTo create a legitimate-looking service, its attributes, such as service name and display name, are formed using a\r\ncombination of words from the attributes of existing services, which are randomly selected. 
It is also possible to\r\nspecify these attributes to the installer via command line parameters -dll, -svc, -disp, -desc, and -group. We observed\r\nthe following in the wild, with these parameters:\r\n\u003cSYSDIR\u003e\\powerctl.exe -svc powerctl -dll powerctl.dll\r\nAs for the latter task, the installer first sets the configuration infection ID, which uniquely identifies each victim, to a\r\nrandomly generated value, and then stores it in the registry, as shown in Figure 3.\r\n[HKLM\\SOFTWARE\\Microsoft\\DirectX]\r\n    UsageMask = \u003cCONFIG_DATA\u003e\r\nFigure 3. Configuration registry value\r\nOne of the entries in the configuration is a list of encrypted C\u0026C servers: for example, the installer sample we\r\nanalyzed is configured with the following C\u0026Cs:\r\n4bjt2rceijktwedi[.]onion:80\r\ncwwpxpxuswo7b6tr[.]onion:80\r\nBackdoor functionality\r\nThe backdoor, Vyveva’s main component, connects to C\u0026C servers and executes commands issued by the threat\r\nactors. It features 23 commands, some of which are asynchronous and executed in their own threads. Most of them\r\nare ordinary commands for file and process operations or information gathering, but there is also a less common\r\ncommand for file timestomping. It can copy creation/write/access time metadata from a “donor” file to a destination\r\nfile or use a random date in the years 2000-2004.\r\nOther noteworthy commands are Vyveva’s file upload command, and command 0x26. The file upload command is\r\ncapable of exfiltrating directories recursively and supports file extension filtering – for example, Office documents\r\nonly. As for command 0x26, it indicates the existence of another, unknown component that we have not yet observed\r\nat the time of writing.\r\nThe full list of commands is shown in Table 1.\r\nTable 1. 
Vyveva backdoor commands\r\nID Description\r\n0x03 Reply to “ping” from server\r\n0x10\r\nGet information about computer – username, computer name, IP, code page, OS version, OS\r\narchitecture, tick count, time zone, current directory\r\n0x11 Get information about drives – type, size, name, serial number, filesystem type\r\n0x12 Write data to specified file, optionally timestomp.\r\n0x13\r\nUpload specified file or directory\r\n \r\nFile – size, last write time, content\r\nDirectory stats – total files size, file count, directory count\r\n  - For each entry – name, attributes\r\n  - Directories – recurse into directories\r\n  - Files – size, last write time, content\r\nOptions\r\n \r\nUse compression for file content (zlib 1.2.5)\r\nFile extension filter (whitelist/blacklist)\r\nRecursion flag\r\n0x14\r\nGet listing of specified directory\r\n \r\nname, attributes, write time\r\nDirectories – is nonempty\r\nFiles – size\r\n0x15 Set current directory to specified directory\r\n0x16 Create specified process\r\n0x17 Get information about running processes – PID, PPID, executable file path\r\n0x18 Terminate process(es) by PID or executable file path\r\n0x19\r\nCreate process with redirected output and upload the output\r\nThe command uses a format string which hints at execution through cmd.exe\r\n \r\n\"%param0% /c \"%param1% \u003e %tmp_fpath%\" 2\u003e\u00261\"\r\nIf the output is empty, unique string \"\u003cNO RESULT!\u003e\\r\\n\" is uploaded instead\r\n0x1A\r\nDelete specified path. 
File deletion methods:\r\n \r\ndelete only\r\noverwrite \u0026 move \u0026 delete\r\n0x1B\r\nCopy creation/write/access time metadata from source file or directory to destination file or directory.\r\nIf the source doesn’t exist, random time in year 2000-2004 is used for creation \u0026 last write time, access\r\ntime is unchanged.\r\n0x1C\r\nGet info about specified path:\r\n \r\nFile – attributes, creation/write/access time, type, size\r\nDirectory / Drive – total files size, file count, directory count (with optional extension filtering\r\nand recursion)\r\n0x1D Set current configuration blob, save to registry\r\n0x1E Get current configuration blob\r\n0x1F Enable/disable drive watchdog (configuration field enable_drive_watchdog)\r\n0x20 Enable/disable session watchdog (configuration field enable_session_watchdog)\r\n0x21 Set configuration value related to delay of backdoor execution (configuration field delay_until_time)\r\n0x23 Store data used by asynchronous command (related to commands 0x12, 0x13)\r\n0x24 Stop executing asynchronous command (related to commands 0x12, 0x13)\r\n0x25\r\nSet configuration value related to delay between failed C\u0026C connection attempts (configuration field\r\nwait_minutes)\r\n0x26\r\nIf \u003cSYSDIR\u003e\\wsdchngr.drx exists\r\n \r\nDelete configuration registry value\r\nDelete backdoor file (self delete)\r\nDelete loader file\r\nRead, decrypt, PE-load wsdchngr.drx and call SamIPromote export in a new thread\r\nExit current thread\r\nOf particular interest are the backdoor’s watchdogs, which can be optionally enabled or disabled. There is a drive\r\nwatchdog used to monitor newly connected and disconnected drives, and a session watchdog monitoring the number\r\nof active sessions (i.e. logged-on users). 
These components can trigger a connection to the C\u0026C server outside the\r\nregular, preconfigured three-minute interval, and on new drive and session events.\r\nConfiguration\r\nThe configuration of the backdoor, which is initially set by the installer, is read from the registry value (shown in\r\nFigure 3). When the configuration is modified by a C\u0026C command, the value stored in the registry is updated.\r\nAn example configuration and its structure are shown in Figure 4.\r\nFigure 4. Configuration structure and annotated example\r\nThe wait_minutes field specifies the time to wait before next connection to the C\u0026C after a failed connection\r\nattempt. If the execution of the backdoor needs to be delayed until a particular time and date, it can be specified in\r\nthe delay_until_time field. The encrypted_cncs field is an encrypted string, which contains semicolon-separated\r\nC\u0026Cs.\r\nTor library\r\nVyveva uses the Tor library, which is based on the official Tor source code, to communicate with a C\u0026C server\r\nselected at random from the configuration. It contacts the C\u0026C at three-minute intervals, sending information about\r\nthe victim computer and its drives before receiving commands. The backdoor’s export directory contains the\r\nTorSocket.dll with self-explanatory exports close_ch, connect_ch, open_ch, read_ch, write_ch.\r\nConclusion\r\nVyveva constitutes yet another addition to Lazarus’s extensive malware arsenal. 
Attacking a company in South Africa\r\nalso illustrates the broad geographical targeting of this APT group.\r\nFor any inquiries, or to make sample submissions related to the subject, contact us at threatintel@eset.com.\r\nIndicators of Compromise (IoCs)\r\nSamples\r\nSHA-1 Filename\r\nESET detection\r\nname\r\nDescription\r\nDAD50AD3682A3F20B2F35BE2A94B89E2B1A73067 powerctl.exe Win32/NukeSped.HX Installer\r\n69529EED679B0C7F1ACC1FD782A4B443CEC0CF83 powerctl.dll Win32/NukeSped.HX\r\nLoader\r\n(x86)\r\n043ADDFB93A10D187DDE4999D78096077F26E9FD wwanauth.dll Win64/NukeSped.EQ\r\nLoader\r\n(x64)\r\n1E3785FC4FE5AB8DAB31DDDD68257F9A7FC5BF59 wwansec.dll Win32/NukeSped.HX\r\nLoader\r\n(x86)\r\n4D7ADD8145CB096359EBC3E4D44E19C2735E0377 msobjs.drx -\r\nBackdoor\r\n(encrypted)\r\n92F5469DBEFDCEE1343934BE149AFC1241CC8497 msobjs.drx Win32/NukeSped.HX\r\nBackdoor\r\n(decrypted\r\nwith fixed\r\nMZ header)\r\nA5CE1DF767C89BF29D40DC4FA6EAECC9C8979552 JET76C5.tmp -\r\nBackdoor\r\nTor library\r\n(encrypted)\r\n66D17344A7CE55D05A324E1C6BE2ECD817E72680 JET76C5.tmp Win32/NukeSped.HY\r\nBackdoor\r\nTor library\r\n(decrypted\r\nwith fixed\r\nMZ\r\nheader) \r\nFilenames\r\n%WINDIR%\\System32\\powerctl.exe\r\n%WINDIR%\\SysWOW64\\powerctl.exe\r\n%WINDIR%\\System32\\power.dat\r\n%WINDIR%\\SysWOW64\\power.dat\r\n%WINDIR%\\System32\\wwanauth.dll\r\n%WINDIR%\\SysWOW64\\wwanauth.dll\r\n%WINDIR%\\System32\\wwansec.dll\r\n%WINDIR%\\SysWOW64\\wwansec.dll\r\n%WINDIR%\\System32\\powerctl.dll\r\n%WINDIR%\\SysWOW64\\powerctl.dll\r\n%WINDIR%\\System32\\JET76C5.tmp\r\n%WINDIR%\\SysWOW64\\JET76C5.tmp\r\n%WINDIR%\\System32\\msobjs.drx\r\n%WINDIR%\\SysWOW64\\msobjs.drx\r\nMITRE ATT\u0026CK techniques\r\nThis 
table was built using version 8 of the MITRE ATT\u0026CK framework.\r\nTactic   ID   Name   Description  \r\nExecution \r\nT1569.002\r\nSystem Services: Service\r\nExecution \r\nVyveva loader executes via a service.\r\nT1106 Native API \r\nVyveva backdoor uses the CreateProcessA\r\nAPI to execute files.\r\nPersistence  T1543.003\r\nCreate or Modify System\r\nProcess: Windows Service \r\nVyveva installer creates a new service to\r\nestablish persistence for its loader.\r\nDefense\r\nEvasion \r\nT1140\r\nDeobfuscate/Decode Files or\r\nInformation \r\nVyveva decrypts strings and components\r\n(backdoor, Tor library).\r\nT1070.006\r\nIndicator Removal on Host:\r\nTimestomp \r\nVyveva backdoor can timestomp files.\r\nT1036.004\r\nMasquerading: Masquerade\r\nTask or Service \r\nVyveva installer can create a service with\r\nattributes mimicking existing services.\r\nT1112 Modify Registry \r\nVyveva stores its configuration in the\r\nregistry. \r\nT1027\r\nObfuscated Files or\r\nInformation \r\nVyveva has encrypted strings and\r\ncomponents.\r\nDiscovery \r\nT1083 File and Directory Discovery \r\nVyveva backdoor can obtain file and directory\r\nlistings.\r\nT1057 Process Discovery  Vyveva backdoor can list running processes.\r\nT1082\r\nSystem Information\r\nDiscovery \r\nVyveva backdoor can obtain system\r\ninformation, including computer name, ANSI\r\ncode page, OS version and architecture.\r\nT1016\r\nSystem Network\r\nConfiguration Discovery \r\nVyveva backdoor can obtain the local IP\r\naddress of the victim computer.\r\nT1033\r\nSystem Owner/User\r\nDiscovery \r\nVyveva backdoor can obtain victim's\r\nusername.\r\nT1124 System Time Discovery \r\nVyveva backdoor can obtain system time and\r\ntime zone.\r\nCollection \r\nT1560.002\r\nArchive Collected Data:\r\nArchive via Library \r\nVyveva backdoor can compress 
files with zlib\r\nbefore sending to C\u0026C.\r\nT1005 Data from Local System \r\nVyveva backdoor can collect files from\r\ncomputer.\r\nT1025 Data from Removable Media \r\nVyveva backdoor can notify C\u0026C about\r\nnewly inserted removable media and collect\r\nfiles from them.\r\nCommand and\r\nControl \r\nT1573.001\r\nEncrypted Channel:\r\nSymmetric Cryptography \r\nVyveva backdoor encrypts C\u0026C traffic using\r\nXOR.\r\nT1573.002\r\nEncrypted Channel:\r\nAsymmetric Cryptography \r\nVyveva backdoor communicates with C\u0026C\r\nvia Tor.\r\nExfiltration  T1041\r\nExfiltration Over C2\r\nChannel \r\nVyveva exfiltrates data to C\u0026C server.\r\nSource: https://www.welivesecurity.com/2021/04/08/are-you-afreight-dark-watch-out-vyveva-new-lazarus-backdoor/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia",
		"ETDA"
	],
	"references": [
		"https://www.welivesecurity.com/2021/04/08/are-you-afreight-dark-watch-out-vyveva-new-lazarus-backdoor/"
	],
	"report_names": [
		"are-you-afreight-dark-watch-out-vyveva-new-lazarus-backdoor"
	],
	"threat_actors": [
		{
			"id": "f8dddd06-da24-4184-9e24-4c22bdd1cbbf",
			"created_at": "2023-01-06T13:46:38.626906Z",
			"updated_at": "2026-04-10T02:00:03.043681Z",
			"deleted_at": null,
			"main_name": "Tick",
			"aliases": [
				"G0060",
				"Stalker Taurus",
				"PLA Unit 61419",
				"Swirl Typhoon",
				"Nian",
				"BRONZE BUTLER",
				"REDBALDKNIGHT",
				"STALKER PANDA"
			],
			"source_name": "MISPGALAXY:Tick",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "f9806b99-e392-46f1-9c13-885e376b239f",
			"created_at": "2023-01-06T13:46:39.431871Z",
			"updated_at": "2026-04-10T02:00:03.325163Z",
			"deleted_at": null,
			"main_name": "Watchdog",
			"aliases": [
				"Thief Libra"
			],
			"source_name": "MISPGALAXY:Watchdog",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "54e55585-1025-49d2-9de8-90fc7a631f45",
			"created_at": "2025-08-07T02:03:24.563488Z",
			"updated_at": "2026-04-10T02:00:03.715427Z",
			"deleted_at": null,
			"main_name": "BRONZE BUTLER",
			"aliases": [
				"CTG-2006 ",
				"Daserf",
				"Stalker Panda ",
				"Swirl Typhoon ",
				"Tick "
			],
			"source_name": "Secureworks:BRONZE BUTLER",
			"tools": [
				"ABK",
				"BBK",
				"Casper",
				"DGet",
				"Daserf",
				"Datper",
				"Ghostdown",
				"Gofarer",
				"MSGet",
				"Mimikatz",
				"Netboy",
				"RarStar",
				"Screen Capture Tool",
				"ShadowPad",
				"ShadowPy",
				"T-SMB",
				"down_new",
				"gsecdump"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "d4e7cd9a-2290-4f89-a645-85b9a46d004b",
			"created_at": "2022-10-25T16:07:23.419513Z",
			"updated_at": "2026-04-10T02:00:04.591062Z",
			"deleted_at": null,
			"main_name": "Bronze Butler",
			"aliases": [
				"Bronze Butler",
				"CTG-2006",
				"G0060",
				"Operation ENDTRADE",
				"RedBaldNight",
				"Stalker Panda",
				"Stalker Taurus",
				"Swirl Typhoon",
				"TEMP.Tick",
				"Tick"
			],
			"source_name": "ETDA:Bronze Butler",
			"tools": [
				"8.t Dropper",
				"8.t RTF exploit builder",
				"8t_dropper",
				"9002 RAT",
				"AngryRebel",
				"Blogspot",
				"Daserf",
				"Datper",
				"Elirks",
				"Farfli",
				"Gh0st RAT",
				"Ghost RAT",
				"HOMEUNIX",
				"HidraQ",
				"HomamDownloader",
				"Homux",
				"Hydraq",
				"Lilith",
				"Lilith RAT",
				"McRAT",
				"MdmBot",
				"Mimikatz",
				"Minzen",
				"Moudour",
				"Muirim",
				"Mydoor",
				"Nioupale",
				"PCRat",
				"POISONPLUG.SHADOW",
				"Roarur",
				"RoyalRoad",
				"ShadowPad Winnti",
				"ShadowWali",
				"ShadowWalker",
				"SymonLoader",
				"WCE",
				"Wali",
				"Windows Credential Editor",
				"Windows Credentials Editor",
				"XShellGhost",
				"XXMM",
				"gsecdump",
				"rarstar"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434555,
	"ts_updated_at": 1775792173,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/0ff42bc6aa89c1ffb57c35516481abc32aac2711.pdf",
		"text": "https://archive.orkl.eu/0ff42bc6aa89c1ffb57c35516481abc32aac2711.txt",
		"img": "https://archive.orkl.eu/0ff42bc6aa89c1ffb57c35516481abc32aac2711.jpg"
	}
}