{
	"id": "335d80f6-ac38-4e22-a3a7-21f81c37dfda",
	"created_at": "2026-04-06T00:09:44.382339Z",
	"updated_at": "2026-04-10T03:38:19.666111Z",
	"deleted_at": null,
	"sha1_hash": "13b686f1453afa9a09c81cc8762396f3d42c45c9",
	"title": "36gate: supply chain attack | Group-IB Blog",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 138231,
	"plain_text": "Ivan Pisarev\r\nTechnical Head, META\r\nVictor Belov\r\nSenior Malware Analyst\r\n36gate: supply chain attack\r\nWhat is known about the 3CX supply chain incident and how to defend against it?\r\nMarch 31, 2023 · Threat Landscape Overview\r\nhttps://www.group-ib.com/blog/3cx-supply-chain-attack/?utm_source=twitter\u0026utm_campaign=3cx-blog\u0026utm_medium=social\r\nTags: 3CX, Malware analysis, Managed XDR, Threat Intelligence\r\nWhat is known so far?\r\nOn March 29, 2023, SentinelOne, CrowdStrike and Sophos reported malicious activity from a trojanized version of the 3CX Desktop App, a client used to make VoIP calls.\r\nOne day later, on March 30, it was found that the malicious application had not been specially crafted: it was the legitimate software, published and signed with a certificate belonging to 3CX, a phone system software provider whose customers include Wilson, Mercedes-Benz, Coca-Cola and many other large enterprises, according to the company’s website. The full consequences of this supply chain incident are yet to be seen.\r\nThat same day, the company’s CEO issued an advisory and recommended using 3CX’s PWA (progressive web app) client until a new build is released.\r\nAs part of the attack, the malicious installer deploys legitimate software together with malicious libraries. Once the application is launched, the malicious code sleeps and then attempts to download and execute a payload. 
The payload is unknown at the moment.\r\nAccording to the 3CX statement, the malicious code was injected via a library: “The issue appears to be one of the bundled libraries that we compiled into the Windows Electron App via GIT”.\r\nIf you are using 3CX VoIP in your organisation, check your infrastructure immediately for signs of intrusion and take the mitigation measures described in this blog post.\r\nTechnical analysis\r\nAccording to the most recent 3CX statement, versions 18.12.407 and 18.12.416 of its Electron Windows App and versions 18.11.1213, 18.12.402, 18.12.407 and 18.12.416 of the Electron Mac App are infected.\r\nThe following samples, obtained via VirusTotal, were analyzed by the Group-IB Threat Intelligence team:\r\n3CXDesktopApp-18.12.416.dmg, SHA256 e6bbc33815b9f20b0cf832d7401dd893fbc467c800728b5891336706da0dbcec\r\nAs has been discovered, the Windows installer deploys an ffmpeg.dll signed by 3CX Ltd with a valid digital signature.\r\nDllEntryPoint leads to the main malicious function, which reads the d3dcompiler_47.dll file that has to be located in the same directory as the executable. This file contains encrypted shellcode responsible for unpacking and executing the next stage, a downloader. Note that before extracting the shellcode, the infected DLL creates an event named AVMonitorRefreshEvent. 
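As an added example (not code from the Group-IB post), a small triage script for a suspected d3dcompiler_47.dll: it looks for the FEEDFACE marker bytes that precede the shellcode, measures the size and entropy of whatever follows the marker, and compares the file hash with the SHA1 values from the IoC section of this post. The sample file bytes are constructed inline; the byte order of the marker and the entropy and size thresholds are assumptions.

```python
# Added example (not from the Group-IB post): triage a suspected
# d3dcompiler_47.dll by looking for the FEEDFACE marker the post describes,
# measuring the data appended after it and comparing the file hash with the
# SHA1 values in the IoC section. Sample bytes are constructed inline.
import hashlib
import math
import random
from collections import Counter

# SHA1 hashes from the IoC section of the post.
KNOWN_BAD_SHA1 = {
    'f3487a1324f4c11b35504751a5527bc60eb95382',
    '188754814b37927badc988b45b7c7f7d6b4c8dd3',
    '19f4036f5cd91c5fc411afc4359e32f90caddaac',
    '3dc840d32ce86cebf657b17cef62814646ba8e98',
    'bfecb8ce89a312d2ef4afc64a63847ae11c6f69e',
    '5d833bcc679db38a45111269e727ec58b75c8d31',
    'b2a89eebb5be61939f5458a024c929b169b4dc85',
    '6285ffb5f98d35cd98e78d48b63a05af6e4e4dea',
    '8433a94aedb6380ac8d4610af643fb0e5220c5cb',
}

# The post says the shellcode follows the bytes FEEDFACE. Whether the loader
# matches them as the byte string FE ED FA CE or as a little-endian DWORD is
# an assumption here, so both spellings are checked.
MARKERS = (bytes.fromhex('feedface'), bytes.fromhex('cefaedfe'))


def shannon_entropy(data):
    # Bits per byte: 0.0 for empty input, close to 8.0 for encrypted data.
    if not data:
        return 0.0
    counts = Counter(data)
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def find_marker(data):
    # Returns (offset, marker) for the earliest hit, or (-1, None).
    best = (-1, None)
    for m in MARKERS:
        off = data.find(m)
        if off != -1 and (best[0] == -1 or off < best[0]):
            best = (off, m)
    return best


def triage(data):
    # Summarise one file: hash match, marker position, trailing blob stats.
    sha1 = hashlib.sha1(data).hexdigest()
    off, marker = find_marker(data)
    trailer = data[off + len(marker):] if off != -1 else b''
    entropy = shannon_entropy(trailer)
    # Thresholds are an assumption: a sizeable high-entropy blob behind the
    # marker is what the described d3dcompiler_47.dll looks like.
    suspicious = off != -1 and len(trailer) >= 1024 and entropy > 7.0
    return {
        'sha1': sha1,
        'known_bad_hash': sha1 in KNOWN_BAD_SHA1,
        'marker_offset': off,
        'trailer_len': len(trailer),
        'trailer_entropy': round(entropy, 3),
        'suspicious': suspicious or sha1 in KNOWN_BAD_SHA1,
    }


def build_sample():
    # Constructed stand-in for a tampered DLL: a PE-looking prefix, the
    # FEEDFACE marker, then 4096 pseudo-random bytes standing in for the
    # encrypted shellcode. Not real malware.
    rng = random.Random(2023)
    prefix = b'MZ' + bytes(510) + b'PE' + bytes(2044)
    blob = bytes(rng.randrange(256) for _ in range(4096))
    return prefix + MARKERS[0] + blob


def build_clean_sample():
    # Same size, no marker, low-entropy content.
    return b'MZ' + bytes(6656)


if __name__ == '__main__':
    for name, data in (('tampered', build_sample()), ('clean', build_clean_sample())):
        print(name, triage(data))
```

Run it against a real file with triage(open(path, 'rb').read()); a hash match is conclusive, while a marker followed by a large high-entropy trailer is a strong lead that still needs confirmation against the YARA rules referenced later in the post.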
The shellcode itself is located in the second DLL, after the FEEDFACE marker bytes.\r\n[Figure: the code that searches for the start of the shellcode]\r\nThe second analyzed sample is 3CXDesktopApp-18.12.416.msi, SHA256 59e1edf4d82fae4978e97512b0331b7eb21dd4b838b850ba46794d9c7a2c0983.\r\n[Figure: the encrypted version of the shellcode in d3dcompiler_47.dll]\r\nIt is worth noting that d3dcompiler_47.dll also carries a digital signature, but in this case it is not valid.\r\nThe shellcode decryption key is 3jB(2bsG#@c7. The goal of the shellcode is to load an embedded payload, which is a downloader. The first stage, ffmpeg.dll, also passes the following arguments to the next stage (the user-agent string is cut off here):\r\n1200 2400 \"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko\r\nThe downloader is also a DLL, with a single export, DllGetClassObject, that contains all the malicious functionality (DllEntryPoint does nothing). First, the downloader attempts to open a manifest file that holds 4 bytes representing the time, in seconds, at which the malicious activity should launch. This time is generated as follows:\r\nsleep_time = rand() % 1800000 + first_running_time + 604800;\r\nNote that rand() here returns values in the range [0; 32767], which is already below 1800000, so the modulo has no effect: the delay is the first-run time plus 604800 seconds (7 days) plus at most 32767 seconds (about 9.1 hours), i.e. a maximum of about 7.4 days. The manifest file is created during the first run of the application.\r\nThe C2 list is located in .ico files available at:\r\nhxxps://raw.githubusercontent[.]com/IconStorages/images/main/icon[1;15].ico. 
At the time of writing, this GitHub repository was unavailable; however, we found a VirusTotal archive of it and located the repository in the Wayback Machine.\r\nBecause of the logic implemented in the downloader, icon0.ico will never be used. It is possible that the threat actor used this .ico file during testing:\r\nfor ( i = rand() % 15 + 1; ; i = 0 )\r\nThe archive itself contains the following images:\r\n[Figure: the icon files in the archive]\r\nEach image contains a C2 address, base64-encoded and encrypted; the encoded data is preceded by the $ symbol. The Group-IB Threat Intelligence team managed to decrypt the .ico files:\r\nIcon name | SHA1 | C2 (truncated)\r\nicon1.ico | 96910a3dbc194a7bf9a452afe8a35eceb904b6e4 | hxxps://msstorageazure[.]com/wind\r\nicon2.ico | ffccc3a29d1582989430e9b6c6d2bff1e3a3bb14 | hxxps://officestoragebox[.]com/api/\r\nicon3.ico | 89827af650640c7042077be64dc643230d1f7482 | hxxps://visualstudiofactory[.]com/w\r\nicon4.ico | b5de30a83084d6f27d902b96dd12e15c77d1f90b | hxxps://azuredeploystore[.]com/clou\r\nicon5.ico | 3992dbe9e0b23e0d4ca487faffeb004bcfe9ecc8 | hxxps://msstorageboxes[.]com/offic\r\nicon6.ico | caa77bcd0a1a6629ba1f3ce8d1fc5451d83d0352 | hxxps://officeaddons[.]com/techno\r\nicon7.ico | 57a9f3d5d1592a0769886493f566930d8f32a0fc | hxxps://sourceslabs[.]com/downloa\r\nThe repository also contained a file named web.pack, but its purpose is unknown. 
We suppose that this file is encrypted and could be used later in the kill chain.\r\n[Figure: highlighted byte sequence in web.pack] The highlighted sequence of bytes appears frequently in the file, but the file had not been decrypted at the time of writing.\r\nOne notable feature of the downloader is how it fills the request headers:\r\naccept: */*\r\naccept-language: en-US,en;q=0.9\r\naccept-encoding: gzip, deflate, br\r\ncontent-type: text/plain\r\nIt can also optionally add a cookie header:\r\ncookie: %data%=%data%\r\nThe payload is executed in the context of the infected process.\r\nMalicious 3CX app for macOS\r\nCompared to the Windows version of the 3CX app, the macOS version has slightly different logic. The application contains libffmpeg.dylib, a fat binary with two slices, arm64 and x86_64. The malicious code is implemented in _run_avcodec(), which is found only in the x86_64 slice; the arm64 slice does not contain the malicious code.\r\n
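The x86_64 slice stores its next-stage URLs XORed with the single byte 0x7A. As an added example (not code from the Group-IB post), the scanner below recovers such strings from a binary blob without assuming the key: it tries every byte value, looks for the encoded form of https://, and decodes forward to the terminator. The sample slice is constructed inline from three of the C2 URLs listed in this post plus one invented plaintext URL; that the strings are NUL-terminated before the XOR is applied is an assumption.

```python
# Added example (not code from the Group-IB post): recover single-byte-XOR
# obfuscated URLs from a binary blob. The post states the macOS x86_64 slice
# of libffmpeg.dylib keeps its next-stage URLs XORed with 0x7A; this scanner
# does not assume the key, it tries every byte value and keeps hits that
# decode to a URL. The sample blob below is constructed, not a real slice.
PRINTABLE = set(range(0x20, 0x7F))  # printable ASCII
URL_PREFIX = b'https://'
MAX_URL = 256


def xor_bytes(data, key):
    return bytes(b ^ key for b in data)


def find_xor_urls(blob, keys=range(256)):
    # For each candidate key, look for the XOR-encoded form of https:// and
    # decode forward until the terminator (a byte that decodes to NUL) or a
    # non-printable byte. Returns (key, offset, url) tuples sorted by offset.
    hits = []
    for key in keys:
        needle = xor_bytes(URL_PREFIX, key)
        start = blob.find(needle)
        while start != -1:
            out = bytearray()
            for b in blob[start:start + MAX_URL]:
                c = b ^ key
                if c == 0 or c not in PRINTABLE:
                    break
                out.append(c)
            # Require something beyond the scheme and a dot in the host part.
            if len(out) > len(URL_PREFIX) and b'.' in out:
                hits.append((key, start, out.decode('ascii')))
            start = blob.find(needle, start + 1)
    return sorted(hits, key=lambda h: h[1])


def build_sample_slice():
    # Constructed stand-in for the x86_64 slice: padding, a plaintext URL a
    # benign library might carry (invented), then three of the C2 URLs from
    # the post stored as NUL-terminated strings XORed with 0x7A.
    # Assumption: the strings are NUL-terminated before the XOR is applied.
    c2 = [
        b'https://msstorageazure.com/analysis',
        b'https://officestoragebox.com/api/biosync',
        b'https://visualstudiofactory.com/groupcore',
    ]
    parts = [bytes(64), b'https://example.invalid/legit', bytes(1)]
    for url in c2:
        parts.append(xor_bytes(url + bytes(1), 0x7A))
        parts.append(bytes(16))
    return b''.join(parts)


if __name__ == '__main__':
    for key, off, url in find_xor_urls(build_sample_slice()):
        print(hex(key), off, url)
```

On a real sample, extract the x86_64 slice first (for example with lipo -thin x86_64) and feed its bytes to find_xor_urls; the plaintext hit with key 0x00 shows that the same pass also lists the unobfuscated URLs, so the key column separates legitimate strings from the hidden ones.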
URLs of the next stage are hardcoded into the library, XORed with 0x7A.\r\nThe following header content is used when sending requests to the C2:\r\nz3cx_auth_id=%s;3cx_auth_token_content=%s;__tutma=true\r\nC2s of the macOS version:\r\nmsstorageazure[.]com/analysis\r\nofficestoragebox[.]com/api/biosync\r\nvisualstudiofactory[.]com/groupcore\r\nazuredeploystore[.]com/cloud/images\r\nmsstorageboxes[.]com/xbox\r\nofficeaddons[.]com/quality\r\nsourceslabs[.]com/status\r\nzacharryblogs[.]com/xmlquery\r\npbxcloudeservices[.]com/network\r\npbxphonenetwork[.]com/phone\r\nakamaitechcloudservices[.]com/v2/fileapi\r\nmsedgepackageinfo[.]com/ms-webview\r\nglcloudservice[.]com/v1/status\r\npbxsources[.]com/queue\r\nRegistration data for the C2 domains:\r\nDomain | Registrar | Date\r\nmsstorageazure[.]com | NAMECHEAP | 2022-11-17\r\nofficestoragebox[.]com | NAMECHEAP | 2022-11-17\r\nvisualstudiofactory[.]com | NAMECHEAP | 2022-11-17\r\nazuredeploystore[.]com | NameSilo | 2022-12-07\r\nmsstorageboxes[.]com | NAMECHEAP | 2022-12-09\r\nofficeaddons[.]com | PublicDomainRegistry.com | 2022-12-09\r\nsourceslabs[.]com | ENOM | 2022-12-09\r\nzacharryblogs[.]com | NAMECHEAP | 2022-12-13\r\nCrowdStrike and other cybersecurity companies reported additional domain names, but we cannot confirm their usage.\r\nAt the time of writing, Group-IB has not found or retrieved the payload.\r\nAm I in danger? 
The to-do list\r\nAccording to the 3CX security alert, Electron Windows App versions 18.12.407 and 18.12.416 and Electron Mac App versions 18.11.1213, 18.12.402, 18.12.407 and 18.12.416 are malicious.\r\nMITRE has assigned the identifier CVE-2023-29059 to the supply chain attack and linked it to the CWE-506 weakness, ‘Embedded Malicious Code’.\r\nRecommendations for 3CX customers:\r\nIf your employees have used the desktop app, the best option is to uninstall the software (3CX has published a detailed guide). Incident response should be conducted to identify malicious activity, followed by proper remediation.\r\nYou can follow these steps to establish whether a compromised version of the 3CX application is or was present in your infrastructure and to identify malicious activity:\r\n1. Identify any employees using affected versions of the 3CX app, and ensure the latest update is installed: 3CX has released version 18.12.422 of the Windows desktop app and an updated Mac desktop app.\r\n2. Check for the presence of files that match the hashes provided in the IoC section.\r\n3. On macOS, check for the .session-locks, .main_storage and UpdateAgent files. The presence of such files in the 3CX application directory indicates with high probability that the second stage of the malware was executed. You can use the simple bash script suggested by anschluss:\r\nfor f in /Users/*; do\r\n  app=\"$f/Library/Application Support/3CX Desktop App\"\r\n  test -d \"$app\" \u0026\u0026 echo \"$f: 3CX Desktop App directory present\"\r\n  test -f \"$app/UpdateAgent\" \u0026\u0026 echo \"$f: UpdateAgent present (second stage likely executed)\"\r\n  test -f \"$app/.main_storage\" \u0026\u0026 echo \"$f: .main_storage present\"\r\n  test -f \"$app/.session-locks\" \u0026\u0026 echo \"$f: .session-locks present\"\r\ndone\r\n4. Use the YARA rules by Florian Roth to search for malicious signs.\r\n5. If you have an [EMX]DR solution, search for connections to the identified URLs and domain names. Sigma and YARA rules can also be used to search DNS events.\r\n6. If you do not have automated detections in place, use your EDR telemetry to hunt for the following traces:\r\n- DLL load events by 3CXDesktopApp (ffmpeg.dll and d3dcompiler_47.dll are known to be trojanized, but other, as yet unknown DLL names should be considered); test any files found against VirusTotal or the YARA rules mentioned above;\r\n- DNS events produced by 3CXDesktopApp; the payload is currently known to connect to github.com, but any other cloud-based service should be considered as potentially abused by the threat actor for the same goal;\r\n- hands-on attacker activity: expect basic reconnaissance commands executed by 3CXDesktopApp to appear in process creation telemetry, and files created by 3CXDesktopApp in file creation telemetry.\r\nAttribution\r\nThe HTTPS beacon structure and encryption key match those observed by CrowdStrike in a March 7, 2023 campaign attributed with high confidence to the DPRK-nexus threat actor LABYRINTH CHOLLIMA (aka Lazarus), CrowdStrike reports.\r\nAccording to Sophos researchers, they “cannot verify this attribution with a high degree of certainty.” 
Volexity has described the second stage of the payload; however, they note that they cannot currently map the disclosed activity to any threat actor, so it will be tracked as UTA0040.\r\nA Twitter thread also points to some similarities with the activity of North Korean threat actors, but the evidence is not yet strong enough to confirm the link.\r\nGroup-IB researchers also do not yet see obvious links with existing threat clusters. We will provide an update if more information becomes available.\r\nHow Group-IB technologies can help\r\nGroup-IB Managed Extended Detection and Response (MXDR) detects and automatically blocks malicious 3CX executables as of March 30, 2023. Below you can see how Group-IB’s Malware Detonation Platform (part of MXDR) detects this threat:\r\n[Figure: the alerts triggered during analysis in the Group-IB Malware Detonation Platform]\r\nThe Group-IB EDR solution provides comprehensive telemetry that can be used to search for trojanized DLL files.\r\nFor organisations with a mature cybersecurity program, we suggest taking a closer look at our Threat Intelligence solution.\r\n[Figure: threat description available to users of the Group-IB Threat Intelligence platform]\r\nIndicators of compromise\r\nBelow is a list of indicators of compromise linked to the 3CX supply chain incident, collected by the Group-IB Threat Intelligence unit and other industry researchers. 
This section will be updated as new data becomes available.\r\nFS objects\r\nevent “AVMonitorRefreshEvent”\r\n~/Library/Application Support/3CX Desktop App/UpdateAgent\r\n~/Library/Application Support/3CX Desktop App/.main_storage\r\n~/Library/Application Support/3CX Desktop App/.session-locks\r\nFile hashes\r\nMD5 | SHA1 | SHA256 (truncated)\r\nca8c0385ce2b8bdd19423c8b98a5924b | f3487a1324f4c11b35504751a5527bc60eb95382 | b\r\n27b134af30f4a86f177db2f2555fe01d | 188754814b37927badc988b45b7c7f7d6b4c8dd3 | c\r\n5729fb29e3a7a90d2528e3357bd15a4b | 19f4036f5cd91c5fc411afc4359e32f90caddaac | 5\r\nd5101c3b86d973a848ab7ed79cd11e5a | 3dc840d32ce86cebf657b17cef62814646ba8e98 | e\r\n0eeb1c0133eb4d571178b2d9d14ce3e9 | bfecb8ce89a312d2ef4afc64a63847ae11c6f69e | 5\r\n3703770e32820397c6e7e1e1221e6d0d | 5d833bcc679db38a45111269e727ec58b75c8d31 | 9\r\n2fdf61fdfd649f8bbf5730307a0ab5d1 | b2a89eebb5be61939f5458a024c929b169b4dc85 | f\r\nbb915073385dd16a846dfa318afa3c19 | 6285ffb5f98d35cd98e78d48b63a05af6e4e4dea | d\r\n9833a4779b69b38e3e51f04e395674c6 | 8433a94aedb6380ac8d4610af643fb0e5220c5cb | f\r\nBold hashes indicate files observed in our own analysis; the other files were taken from reports by Volexity, SentinelOne and @dodo_sec.\r\nNetwork indicators\r\nBold domains indicate indicators observed in our own analysis; the others were taken from reports by Volexity, SentinelOne and 
CrowdStrike.\r\nmsstorageazure[.]com/window\r\nofficestoragebox[.]com/api/session\r\nvisualstudiofactory[.]com/workload\r\nazuredeploystore[.]com/cloud/services\r\nmsstorageboxes[.]com/office\r\nofficeaddons[.]com/technologies\r\nsourceslabs[.]com/downloads\r\nzacharryblogs[.]com/feed\r\npbxcloudeservices[.]com/phonesystem\r\nakamaitechcloudservices[.]com/v2/storage\r\nazureonlinestorage[.]com/azure/storage\r\nmsedgepackageinfo[.]com/microsoft-edge\r\nglcloudservice[.]com/v1/console\r\npbxsources[.]com/exchange\r\nofficestoragebox[.]com/api/biosync\r\nvisualstudiofactory[.]com/groupcore\r\nazuredeploystore[.]com/cloud/images\r\nmsstorageboxes[.]com/xbox\r\nofficeaddons[.]com/quality\r\nsourceslabs[.]com/status\r\nzacharryblogs[.]com/xmlquery\r\npbxcloudeservices[.]com/network\r\npbxphonenetwork[.]com/phone\r\nakamaitechcloudservices[.]com/v2/fileapi\r\nazureonlinestorage[.]com/google/storage\r\nmsedgepackageinfo[.]com/ms-webview\r\nglcloudservice[.]com/v1/status\r\npbxsources[.]com/queue\r\nsbmsa[.]wiki/blog/_insert\r\nwww.journalide[.]org\r\ndunamistrd[.]com\r\nazureonlinecloud[.]com\r\nakamaicontainer[.]com\r\nqwepoi123098[.]com
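The to-do list and the indicators above, run as a hunt over EDR-style telemetry, as an added example that is not code from the Group-IB post. The domains, macOS artifact names, DLL names and affected version numbers come from this post; the flat event format is an assumption (map your own EDR export to these fields), the sample events are constructed, and 3cx.com as the vendor domain excluded from the DNS review is also an assumption.

```python
# Added example (not code from the Group-IB post): apply the hunting steps
# and IoCs from the post to EDR-style telemetry. Events are constructed
# inline in a simple dict form (an assumption; adapt to your EDR export).
from collections import Counter

# Domains from the network indicators section of the post.
IOC_DOMAINS = {
    'msstorageazure.com', 'officestoragebox.com', 'visualstudiofactory.com',
    'azuredeploystore.com', 'msstorageboxes.com', 'officeaddons.com',
    'sourceslabs.com', 'zacharryblogs.com', 'pbxcloudeservices.com',
    'pbxphonenetwork.com', 'akamaitechcloudservices.com',
    'azureonlinestorage.com', 'msedgepackageinfo.com', 'glcloudservice.com',
    'pbxsources.com', 'sbmsa.wiki', 'journalide.org', 'dunamistrd.com',
    'azureonlinecloud.com', 'akamaicontainer.com', 'qwepoi123098.com',
}
AFFECTED_VERSIONS = {
    'windows': {'18.12.407', '18.12.416'},
    'macos': {'18.11.1213', '18.12.402', '18.12.407', '18.12.416'},
}
TROJANIZED_DLLS = {'ffmpeg.dll', 'd3dcompiler_47.dll'}
MACOS_STAGE2_FILES = {'UpdateAgent', '.main_storage', '.session-locks'}
MACOS_APP_DIR = '/Library/Application Support/3CX Desktop App/'
VENDOR_DOMAIN = '3cx.com'  # assumption: lookups here are expected


def domain_matches(name, iocs=IOC_DOMAINS):
    # True for an exact IoC domain or any subdomain of one.
    name = name.lower().rstrip('.')
    return any(name == d or name.endswith('.' + d) for d in iocs)


def is_3cx(proc):
    # Matches 3CXDesktopApp.exe on Windows and 3CX Desktop App on macOS.
    return '3cxdesktopapp' in proc.lower().replace(' ', '')


def hunt(events):
    # Returns a list of (severity, host, reason) findings.
    findings = []
    for e in events:
        kind, host, proc = e['type'], e['host'], e.get('process', '')
        if kind == 'dns' and domain_matches(e['query']):
            findings.append(('high', host, 'DNS query for C2 domain ' + e['query'] + ' by ' + proc))
        elif kind == 'dns' and is_3cx(proc) and not e['query'].lower().endswith(VENDOR_DOMAIN):
            # The post: the payload reaches github.com and other cloud
            # services may be abused the same way, so queue such lookups.
            findings.append(('review', host, '3CX app resolved ' + e['query']))
        elif kind == 'image_load' and is_3cx(proc) and e['image'].lower() in TROJANIZED_DLLS:
            # Clean builds load ffmpeg.dll too: hash the file, do not alert on load alone.
            findings.append(('check-hash', host, proc + ' loaded ' + e['image']))
        elif kind == 'file' and MACOS_APP_DIR in e['path'] and e['path'].rsplit('/', 1)[-1] in MACOS_STAGE2_FILES:
            findings.append(('high', host, 'macOS second-stage artifact ' + e['path']))
        elif kind == 'inventory' and e['version'] in AFFECTED_VERSIONS.get(e['platform'], ()):
            findings.append(('patch', host, '3CX ' + e['platform'] + ' ' + e['version'] + ' installed'))
        elif kind == 'process' and is_3cx(e.get('parent', '')):
            findings.append(('review', host, '3CX app spawned ' + e['command']))
    return findings


def by_severity(findings):
    return dict(Counter(s for s, _, _ in findings))


SAMPLE_EVENTS = [  # constructed telemetry, not real data
    {'type': 'inventory', 'host': 'ws01', 'platform': 'windows', 'version': '18.12.416'},
    {'type': 'inventory', 'host': 'ws02', 'platform': 'windows', 'version': '18.12.422'},
    {'type': 'image_load', 'host': 'ws01', 'process': '3CXDesktopApp.exe', 'image': 'ffmpeg.dll'},
    {'type': 'image_load', 'host': 'ws01', 'process': '3CXDesktopApp.exe', 'image': 'd3dcompiler_47.dll'},
    {'type': 'dns', 'host': 'ws01', 'process': '3CXDesktopApp.exe', 'query': 'raw.githubusercontent.com'},
    {'type': 'dns', 'host': 'ws01', 'process': '3CXDesktopApp.exe', 'query': 'msstorageazure.com'},
    {'type': 'dns', 'host': 'ws03', 'process': 'chrome.exe', 'query': 'cdn.officeaddons.com'},
    {'type': 'dns', 'host': 'ws03', 'process': 'chrome.exe', 'query': 'officeaddons.com.example.org'},
    {'type': 'process', 'host': 'ws01', 'parent': '3CXDesktopApp.exe', 'command': 'whoami'},
    {'type': 'file', 'host': 'mac01', 'path': '/Users/jdoe' + MACOS_APP_DIR + 'UpdateAgent'},
    {'type': 'file', 'host': 'mac01', 'path': '/Users/jdoe' + MACOS_APP_DIR + 'config.json'},
]

if __name__ == '__main__':
    results = hunt(SAMPLE_EVENTS)
    for severity, host, reason in results:
        print(severity, host, reason)
    print(by_severity(results))
```

The subdomain check matters because the .ico files and beacons can use hosts under the listed domains, while a look-alike such as officeaddons.com.example.org must not match; a plain substring search would get both cases wrong.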
",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://www.group-ib.com/blog/3cx-supply-chain-attack/?utm_source=twitter\u0026utm_campaign=3cx-blog\u0026utm_medium=social"
	],
	"report_names": [
		"?utm_source=twitter\u0026utm_campaign=3cx-blog\u0026utm_medium=social"
	],
	"threat_actors": [
		{
			"id": "34eea331-d052-4096-ae03-a22f1d090bd4",
			"created_at": "2025-08-07T02:03:25.073494Z",
			"updated_at": "2026-04-10T02:00:03.709243Z",
			"deleted_at": null,
			"main_name": "NICKEL ACADEMY",
			"aliases": [
				"ATK3 ",
				"Black Artemis ",
				"COVELLITE ",
				"CTG-2460 ",
				"Citrine Sleet ",
				"Diamond Sleet ",
				"Guardians of Peace",
				"HIDDEN COBRA ",
				"High Anonymous",
				"Labyrinth Chollima ",
				"Lazarus Group ",
				"NNPT Group",
				"New Romanic Cyber Army Team",
				"Temp.Hermit ",
				"UNC577 ",
				"Who Am I?",
				"Whois Team",
				"ZINC "
			],
			"source_name": "Secureworks:NICKEL ACADEMY",
			"tools": [
				"Destover",
				"KorHigh",
				"Volgmer"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "a2b92056-9378-4749-926b-7e10c4500dac",
			"created_at": "2023-01-06T13:46:38.430595Z",
			"updated_at": "2026-04-10T02:00:02.971571Z",
			"deleted_at": null,
			"main_name": "Lazarus Group",
			"aliases": [
				"Operation DarkSeoul",
				"Bureau 121",
				"Group 77",
				"APT38",
				"NICKEL GLADSTONE",
				"G0082",
				"COPERNICIUM",
				"Moonstone Sleet",
				"Operation GhostSecret",
				"APT 38",
				"Appleworm",
				"Unit 121",
				"ATK3",
				"G0032",
				"ATK117",
				"NewRomanic Cyber Army Team",
				"Nickel Academy",
				"Sapphire Sleet",
				"Lazarus group",
				"Hastati Group",
				"Subgroup: Bluenoroff",
				"Operation Troy",
				"Black Artemis",
				"Dark Seoul",
				"Andariel",
				"Labyrinth Chollima",
				"Operation AppleJeus",
				"COVELLITE",
				"Citrine Sleet",
				"DEV-0139",
				"DEV-1222",
				"Hidden Cobra",
				"Bluenoroff",
				"Stardust Chollima",
				"Whois Hacking Team",
				"Diamond Sleet",
				"TA404",
				"BeagleBoyz",
				"APT-C-26"
			],
			"source_name": "MISPGALAXY:Lazarus Group",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "32a223a8-3c79-4146-87c5-8557d38662ae",
			"created_at": "2022-10-25T15:50:23.703698Z",
			"updated_at": "2026-04-10T02:00:05.261989Z",
			"deleted_at": null,
			"main_name": "Lazarus Group",
			"aliases": [
				"Lazarus Group",
				"Labyrinth Chollima",
				"HIDDEN COBRA",
				"Guardians of Peace",
				"NICKEL ACADEMY",
				"Diamond Sleet"
			],
			"source_name": "MITRE:Lazarus Group",
			"tools": [
				"RawDisk",
				"Proxysvc",
				"BADCALL",
				"FALLCHILL",
				"WannaCry",
				"MagicRAT",
				"HOPLIGHT",
				"TYPEFRAME",
				"Dtrack",
				"HotCroissant",
				"HARDRAIN",
				"Dacls",
				"KEYMARBLE",
				"TAINTEDSCRIBE",
				"AuditCred",
				"netsh",
				"ECCENTRICBANDWAGON",
				"AppleJeus",
				"BLINDINGCAN",
				"ThreatNeedle",
				"Volgmer",
				"Cryptoistic",
				"RATANKBA",
				"Bankshot"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "f32df445-9fb4-4234-99e0-3561f6498e4e",
			"created_at": "2022-10-25T16:07:23.756373Z",
			"updated_at": "2026-04-10T02:00:04.739611Z",
			"deleted_at": null,
			"main_name": "Lazarus Group",
			"aliases": [
				"APT-C-26",
				"ATK 3",
				"Appleworm",
				"Citrine Sleet",
				"DEV-0139",
				"Diamond Sleet",
				"G0032",
				"Gleaming Pisces",
				"Gods Apostles",
				"Gods Disciples",
				"Group 77",
				"Guardians of Peace",
				"Hastati Group",
				"Hidden Cobra",
				"ITG03",
				"Jade Sleet",
				"Labyrinth Chollima",
				"Lazarus Group",
				"NewRomanic Cyber Army Team",
				"Operation 99",
				"Operation AppleJeus",
				"Operation AppleJeus sequel",
				"Operation Blockbuster: Breach of Sony Pictures Entertainment",
				"Operation CryptoCore",
				"Operation Dream Job",
				"Operation Dream Magic",
				"Operation Flame",
				"Operation GhostSecret",
				"Operation In(ter)caption",
				"Operation LolZarus",
				"Operation Marstech Mayhem",
				"Operation No Pineapple!",
				"Operation North Star",
				"Operation Phantom Circuit",
				"Operation Sharpshooter",
				"Operation SyncHole",
				"Operation Ten Days of Rain / DarkSeoul",
				"Operation Troy",
				"SectorA01",
				"Slow Pisces",
				"TA404",
				"TraderTraitor",
				"UNC2970",
				"UNC4034",
				"UNC4736",
				"UNC4899",
				"UNC577",
				"Whois Hacking Team"
			],
			"source_name": "ETDA:Lazarus Group",
			"tools": [
				"3CX Backdoor",
				"3Rat Client",
				"3proxy",
				"AIRDRY",
				"ARTFULPIE",
				"ATMDtrack",
				"AlphaNC",
				"Alreay",
				"Andaratm",
				"AngryRebel",
				"AppleJeus",
				"Aryan",
				"AuditCred",
				"BADCALL",
				"BISTROMATH",
				"BLINDINGCAN",
				"BTC Changer",
				"BUFFETLINE",
				"BanSwift",
				"Bankshot",
				"Bitrep",
				"Bitsran",
				"BlindToad",
				"Bookcode",
				"BootWreck",
				"BottomLoader",
				"Brambul",
				"BravoNC",
				"Breut",
				"COLDCAT",
				"COPPERHEDGE",
				"CROWDEDFLOUNDER",
				"Castov",
				"CheeseTray",
				"CleanToad",
				"ClientTraficForwarder",
				"CollectionRAT",
				"Concealment Troy",
				"Contopee",
				"CookieTime",
				"Cyruslish",
				"DAVESHELL",
				"DBLL Dropper",
				"DLRAT",
				"DRATzarus",
				"DRATzarus RAT",
				"Dacls",
				"Dacls RAT",
				"DarkComet",
				"DarkKomet",
				"DeltaCharlie",
				"DeltaNC",
				"Dembr",
				"Destover",
				"DoublePulsar",
				"Dozer",
				"Dtrack",
				"Duuzer",
				"DyePack",
				"ECCENTRICBANDWAGON",
				"ELECTRICFISH",
				"Escad",
				"EternalBlue",
				"FALLCHILL",
				"FYNLOS",
				"FallChill RAT",
				"Farfli",
				"Fimlis",
				"FoggyBrass",
				"FudModule",
				"Fynloski",
				"Gh0st RAT",
				"Ghost RAT",
				"Gopuram",
				"HARDRAIN",
				"HIDDEN COBRA RAT/Worm",
				"HLOADER",
				"HOOKSHOT",
				"HOPLIGHT",
				"HOTCROISSANT",
				"HOTWAX",
				"HTTP Troy",
				"Hawup",
				"Hawup RAT",
				"Hermes",
				"HotCroissant",
				"HotelAlfa",
				"Hotwax",
				"HtDnDownLoader",
				"Http Dr0pper",
				"ICONICSTEALER",
				"Joanap",
				"Jokra",
				"KANDYKORN",
				"KEYMARBLE",
				"Kaos",
				"KillDisk",
				"KillMBR",
				"Koredos",
				"Krademok",
				"LIGHTSHIFT",
				"LIGHTSHOW",
				"LOLBAS",
				"LOLBins",
				"Lazarus",
				"LightlessCan",
				"Living off the Land",
				"MATA",
				"MBRkiller",
				"MagicRAT",
				"Manuscrypt",
				"Mimail",
				"Mimikatz",
				"Moudour",
				"Mydoom",
				"Mydoor",
				"Mytob",
				"NACHOCHEESE",
				"NachoCheese",
				"NestEgg",
				"NickelLoader",
				"NineRAT",
				"Novarg",
				"NukeSped",
				"OpBlockBuster",
				"PCRat",
				"PEBBLEDASH",
				"PLANKWALK",
				"POOLRAT",
				"PSLogger",
				"PhanDoor",
				"Plink",
				"PondRAT",
				"PowerBrace",
				"PowerRatankba",
				"PowerShell RAT",
				"PowerSpritz",
				"PowerTask",
				"Preft",
				"ProcDump",
				"Proxysvc",
				"PuTTY Link",
				"QUICKRIDE",
				"QUICKRIDE.POWER",
				"Quickcafe",
				"QuiteRAT",
				"R-C1",
				"ROptimizer",
				"Ratabanka",
				"RatabankaPOS",
				"Ratankba",
				"RatankbaPOS",
				"RawDisk",
				"RedShawl",
				"Rifdoor",
				"Rising Sun",
				"Romeo-CoreOne",
				"RomeoAlfa",
				"RomeoBravo",
				"RomeoCharlie",
				"RomeoCore",
				"RomeoDelta",
				"RomeoEcho",
				"RomeoFoxtrot",
				"RomeoGolf",
				"RomeoHotel",
				"RomeoMike",
				"RomeoNovember",
				"RomeoWhiskey",
				"Romeos",
				"RustBucket",
				"SHADYCAT",
				"SHARPKNOT",
				"SIGFLIP",
				"SIMPLESEA",
				"SLICKSHOES",
				"SORRYBRUTE",
				"SUDDENICON",
				"SUGARLOADER",
				"SheepRAT",
				"SierraAlfa",
				"SierraBravo",
				"SierraCharlie",
				"SierraJuliett-MikeOne",
				"SierraJuliett-MikeTwo",
				"SimpleTea",
				"SimplexTea",
				"SmallTiger",
				"Stunnel",
				"TAINTEDSCRIBE",
				"TAXHAUL",
				"TFlower",
				"TOUCHKEY",
				"TOUCHMOVE",
				"TOUCHSHIFT",
				"TOUCHSHOT",
				"TWOPENCE",
				"TYPEFRAME",
				"Tdrop",
				"Tdrop2",
				"ThreatNeedle",
				"Tiger RAT",
				"TigerRAT",
				"Trojan Manuscript",
				"Troy",
				"TroyRAT",
				"VEILEDSIGNAL",
				"VHD",
				"VHD Ransomware",
				"VIVACIOUSGIFT",
				"VSingle",
				"ValeforBeta",
				"Volgmer",
				"Vyveva",
				"W1_RAT",
				"Wana Decrypt0r",
				"WanaCry",
				"WanaCrypt",
				"WanaCrypt0r",
				"WannaCry",
				"WannaCrypt",
				"WannaCryptor",
				"WbBot",
				"Wcry",
				"Win32/KillDisk.NBB",
				"Win32/KillDisk.NBC",
				"Win32/KillDisk.NBD",
				"Win32/KillDisk.NBH",
				"Win32/KillDisk.NBI",
				"WinorDLL64",
				"Winsec",
				"WolfRAT",
				"Wormhole",
				"YamaBot",
				"Yort",
				"ZetaNile",
				"concealment_troy",
				"http_troy",
				"httpdr0pper",
				"httpdropper",
				"klovbot",
				"sRDI"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434184,
	"ts_updated_at": 1775792299,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/13b686f1453afa9a09c81cc8762396f3d42c45c9.pdf",
		"text": "https://archive.orkl.eu/13b686f1453afa9a09c81cc8762396f3d42c45c9.txt",
		"img": "https://archive.orkl.eu/13b686f1453afa9a09c81cc8762396f3d42c45c9.jpg"
	}
}