{
	"id": "aae3eaff-cd6a-4e46-a99e-11945fbc0c75",
	"created_at": "2026-04-06T00:11:13.647023Z",
	"updated_at": "2026-04-10T13:11:28.480426Z",
	"deleted_at": null,
	"sha1_hash": "16c40c38294e6214024cb00abbc841af3c7bf539",
	"title": "APT group planted backdoors targeting high profile networks in Central Asia",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1819147,
	"plain_text": "APT group planted backdoors targeting high profile networks in\r\nCentral Asia\r\nBy Threat Research Team\r\nArchived: 2026-04-05 16:05:13 UTC\r\nLast fall, APT malware intrusions targeting high-profile companies in Central Asia caught our attention. A few\r\nmonths later, we began working together with fellow malware analysts from ESET to analyze samples used by the\r\ngroup to spy on a telecommunications company, a gas company, and a governmental institution in Central Asia.\r\nAn APT group, which we believe could possibly be from China, planted backdoors to gain long-term access to\r\ncorporate networks. Based on our analysis, we suspect the group was also behind attacks active in Mongolia,\r\nRussia, and Belarus.\r\nThe group behind the attack frequently recompiled their custom tools to avoid AV detection, which, in addition to\r\nthe backdoors, included Mimikatz and Gh0st RAT. This has led to a large number of samples, with binaries often\r\nprotected by VMProtect, making analysis more difficult.\r\nThe backdoors gave the actors the ability to manipulate and delete files, take screenshots, manipulate processes,\r\nand services, as well as execute console commands, remove itself, and more. Further, some commands may have\r\ninstructed the backdoors to exfiltrate data to a C\u0026C server. Infected devices could also be commanded by a C\u0026C\r\nserver to act as a proxy or listen on a specific port on every network interface. 
The group also used tools such as\r\nGh0st RAT and Management Instrumentation to move laterally within infiltrated networks.\r\nTimeline\r\nFigure 1: Timeline of events related to the tracking of Microcin, and Avast notifying the targeted company\r\nAvast’s and Eset’s antivirus engines blocked the samples used by the APT group prior to it attracting our attention,\r\nas our antivirus engines’ detections are automated.\r\nAttribution \u0026 Clusterization\r\nhttps://decoded.avast.io/luigicamastra/apt-group-planted-backdoors-targeting-high-profile-networks-in-central-asia/\r\nPage 1 of 7\n\nThe samples we analyzed contain links to malware samples and campaigns, such as Microcin, BYEBY, and\r\nVicious Panda, previously described by Kaspersky, Palo Alto Networks, and Check Point, respectively. The\r\nbackdoors we found are custom tools that have not previously been analyzed, as far as we know. The majority of\r\nthe C\u0026C servers are registered to Choopa, LLC, a hosting platform that has been used by cybercriminals in the\r\npast. A GoDaddy registrar was also seen early in the campaign, these servers were removed early on.\r\nWe suspect the APT group behind these attacks is from China. Gh0st RAT, one of the tools used, has been known\r\nto be used by Chinese APT groups in the past. Similarities in the code used in the Vicious Panda campaign,\r\n(TTPS, especially the use of the RTF Weaponizer in the infection vector), which is also thought to have come\r\nfrom China, and the code we analyzed, also lead us to believe the group might be from China. The targeted\r\ncompanies and institutions, as well as the professional coding point to an APT group.  \r\nBackdoors\r\nThroughout our analysis, we stumbled upon the following backdoors. 
Details on these backdoors are provided\r\nbelow the complete list of backdoors.\r\nsqllauncher.dll (VMProtected backdoor)\r\nbbc5a9a49757abdbfcaca22f3b2a8b7e79f61c30d31812a0ccc316536eb58ca3\r\nC\u0026C server 45.76.132[.]207\r\nlogon.dll (VMProtected backdoor)\r\n61e4c91803d0d495681400fb9053b434f4852fdad1a305bbcec45ee0b2926d6a\r\nC\u0026C server 45.76.132[.]207\r\nlogsupport.dll (VMProtected backdoor)\r\nd5c1e947d84791ac8e6218652372905ddb7d3bc84ff04e709d635f60e7224688\r\nC\u0026C server 104.194.215[.]194\r\npcaudit.bat\r\n1395B863AE5697EA5096F4E2EBEF54FC20D5380B6921F8835D1F030F2BA16A40\r\nTechnical details (pcaudit.bat)\r\npcaudit.bat is a batch file that is used to invoke the svchost.exe in order to load the DLL file for a given service\r\nspecified in the registry. This batch file is responsible for the backdoor’s persistence. The contents of the\r\npcaudit.bat script can be found below:\r\nFigure 2: The batch file that is responsible for the backdoor’s persistence\r\nTechnical details (sqllauncher.dll, logon.dll) \r\nBoth DLLs, sqllauncher.dll and logon.dll, are primarily used as backdoors. These are installed as services by the\r\naforementioned batch file. They both create a log file under the path:\r\n%COMMON_DOCUMENT%\\WZ9JuN00.tmp aggregating errors during the backdoor’s runtime. Each entry\r\ncontains an error code, an error message, and a timestamp formatted as “[yyyy-mm-dd hh-mm-ss] %error code%\r\n%message%”.\r\nIf the infected device can’t connect to the C\u0026C server, the malware attempts to determine whether the traffic is\r\nrouted through a proxy. This information may be retrieved either from %WINDOWS%\\debug\\netlogon.cfg or from\r\nthe TCP table. 
After successfully connecting to the C\u0026C server, a secure communication channel (Schannel) is\r\nestablished and telemetry (OS version, username) is sent to the C\u0026C server. The following commands are issued\r\nby the C\u0026C server:\r\nTechnical details (logsupport.dll)\r\nSimilarly to the previous DLLs, the logsupport.dll is primarily used as a backdoor, but uses a different C\u0026C\r\nserver than the other backdoors. Its corresponding log file is located at %TEMP%\\rar%[A-Z0-9]{4}%.tmp. The\r\nstructure of the log file is also the same. The main difference is that the log file is encrypted by a XOR cipher with\r\na hardcoded key.\r\nFigure 3: Log file is decrypted by a XOR cipher with a hardcoded key\r\nThis backdoor checks whether the malware is running in a virtualized environment. Additionally, the DLL\r\nfingerprints the infected device (NETBIOS name, IP address, username, OS version, MAC address and RAM\r\nusage, OEM code page, token information, number of CPU cores, is64bit), and sends this information to the C\u0026C\r\nserver.\r\nThe communication with the C\u0026C server is encrypted by a simple stream cipher. If the malware fails to establish\r\nan encrypted channel, it checks whether a proxy is being used, using different methods than the previous two\r\nDLLs. It tries to connect to http://www.google.com/index.asp and retrieve information about a possible proxy from\r\nthe connection, and it also checks the value of ProxyServer in the Windows registry key:\r\nHKLM\\Software\\Microsft\\Windows\\CurrentVersion\\Internet Settings.\r\nBased on what we saw in the code, the backdoor is also capable of accepting various commands from the C\u0026C\r\nserver. 
These commands allow the backdoor to manipulate files (move, read, delete, check existence), manipulate\r\nprocesses (create, terminate, retrieve parent, and process ID) and Windows services (start, stop, check), execute\r\nconsole commands, remove itself, and more. Some of these commands (read/check file, check services, check\r\nprocesses) also send data back to C\u0026C. The infected device can also be commanded by C\u0026C to act as a proxy or\r\nlisten on a specific port on every network interface.\r\nInterestingly, the backdoor has a set of commands specifically targeting files with .tu and .tut file extension. These\r\ncommands may similarly check for their existence, send their content back to the C\u0026C, and modify their content\r\n(append or rewrite by data given by the C\u0026C server).\r\nLateral Movement via Mimikatz\r\n \r\nfc66353fb26fd82227700beb47c4fa90118cea151eb1689fd8bf48e93fda71d0\r\nMimikatz is an open source project by a French security researcher named Benjamin Delpy which started in 2007.\r\nIt is a robust tool that exploits various Windows authentication schemes and dumps credential-related data from a\r\nWindows Local Security Account database. For these reasons it is often misused by a wide spectrum of APT\r\nactors such as the Lazarus Group or Telebots.\r\nThe Mimikatz version used in this campaign has a two-stage installation mechanism (installer.exe installing\r\nYokel64.exe and mktz64.dll), and contains a PDB string “E:\\2018_\\MimHash\\mimikatz\\Bin\\mktzx64.pdb”. Calling\r\na mktz64.dll exported function MktzDumpbyInjection inside our testing virtual machine yields the following\r\noutput:\r\nLateral Movement via WMI\r\n2615e5585a5db77b973c74e0a87551978a9322c820362a148a995e571923b59c\r\nThe lateral movement via WMI is done with a file that parses its own filename, which we suspect uses the\r\nfollowing format: “@@\u003cComputerName\u003e,\u003cUserName\u003e,\u003cPassword\u003e,.exe”. 
Afterwards, the data described in\r\nthe filename is extracted and used to establish a remote console to a computer identified by the retrieved name.\r\nAfterwards, Windows Management Instrumentation (WMI) is leveraged to set a strict proxy security, leading to\r\nthe encryption of arguments of each remote procedure call, and allowing the server to access local resources. Then\r\nWMI is used again to retrieve the Win32_Process class which in turn is used to create a process with given\r\nparameters. At the end, it terminates itself.\r\nGh0st RAT\r\n3a3b05a08180013a37fbdbe65e3fe017440c1cb34289647ef1f60316964ef6a9\r\nGh0st RAT is an old well-known backdoor, predominantly associated with East-Asian attackers. It is commonly\r\nassumed that its source code is widely available. Its presence is often indicated by a file named rastls.dll, using an\r\nexport DLL name svchost.dll and containing a string Gh0st. A string uwqixgze} is used as a placeholder for the\r\nC\u0026C domain.\r\nThe version we’ve seen in this campaign tries to connect to https://yuemt.zzux[.]com.\r\nFigure 4: Gh0st RAT malware\r\nCode Similarities\r\nWhile analyzing one of the files, we noticed that it has several correlations to the Microcin sample from 2017, the\r\nBYEBY sample from 2017, and Vicious Panda: The COVID campaign from 2020. Figure 5 below provides a\r\ncomparison of the decryption loop used to decrypt the main configuration data of the first backdoor.\r\nFigure 5: Part of code used to decipher the main configuration data\r\nConclusion\r\nAvast reported its findings to the local CERT team and reached out to the telecommunications company. 
We have\r\nnot heard back from either organization.\r\nAvast has recently protected users in Central Asia from further attacks using the samples we analyzed. This, along\r\nwith tying elements of the samples we discovered back to attacks carried out on other countries, makes me assume\r\nthe group is still active. \r\nI would like to thank Peter Kalnai from ESET for working with me on the analysis, Lukáš Obrdlík, and Adolf\r\nStředa from Avast for helping me with this research, as well as Alexey Shulmin from Kaspersky for his support.\r\nIndicators of Compromise (IoC)\r\nRepository: https://github.com/avast/ioc/tree/master/Microcin\r\nList of SHA-256: https://github.com/avast/ioc/blob/master/Microcin/samples.sha256\r\nSources\r\nVasily Berdnikov, Dmitry Karasovsky, Alexey Shulmin: “Microcin malware”, Kaspersky Labs 2017-9-25\r\nhttps://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2018/03/07170759/Microcin_Technical_4PDF_eng_final_s.pdf\r\nJosh Grunzweig, Robert Falcone: “Threat Actors Target Government of Belarus Using CMSTAR Trojan”, Palo\r\nAlto Networks, September 2017, https://unit42.paloaltonetworks.com/unit42-threat-actors-target-government-belarus-using-cmstar-trojan/\r\nCheckpoint Research: “Vicious Panda: The COVID Campaign”, 2020-03-12\r\nhttps://research.checkpoint.com/2020/vicious-panda-the-covid-campaign/\r\nAvast Threat Intelligence https://github.com/avast/ioc\r\nESET Threat Intelligence https://github.com/eset/malware-ioc\r\nDhia Mahjoub, Jeremiah O’Connor, Thibault Reuille, Thomas Mathew: “Phishing, Spiking, and Bad Hosting”,\r\nCisco Umbrella Blog, 2015-09-14\r\nhttps://umbrella.cisco.com/blog/2015/09/14/phishing-spiking-and-bad-hosting/\r\nhttps://github.com/gentilkiwi/mimikatz\r\nSource: 
https://decoded.avast.io/luigicamastra/apt-group-planted-backdoors-targeting-high-profile-networks-in-central-asia/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA",
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://decoded.avast.io/luigicamastra/apt-group-planted-backdoors-targeting-high-profile-networks-in-central-asia/"
	],
	"report_names": [
		"apt-group-planted-backdoors-targeting-high-profile-networks-in-central-asia"
	],
	"threat_actors": [
		{
			"id": "d90307b6-14a9-4d0b-9156-89e453d6eb13",
			"created_at": "2022-10-25T16:07:23.773944Z",
			"updated_at": "2026-04-10T02:00:04.746188Z",
			"deleted_at": null,
			"main_name": "Lead",
			"aliases": [
				"Casper",
				"TG-3279"
			],
			"source_name": "ETDA:Lead",
			"tools": [
				"Agentemis",
				"BleDoor",
				"Cobalt Strike",
				"CobaltStrike",
				"RbDoor",
				"RibDoor",
				"Winnti",
				"cobeacon"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "34eea331-d052-4096-ae03-a22f1d090bd4",
			"created_at": "2025-08-07T02:03:25.073494Z",
			"updated_at": "2026-04-10T02:00:03.709243Z",
			"deleted_at": null,
			"main_name": "NICKEL ACADEMY",
			"aliases": [
				"ATK3 ",
				"Black Artemis ",
				"COVELLITE ",
				"CTG-2460 ",
				"Citrine Sleet ",
				"Diamond Sleet ",
				"Guardians of Peace",
				"HIDDEN COBRA ",
				"High Anonymous",
				"Labyrinth Chollima ",
				"Lazarus Group ",
				"NNPT Group",
				"New Romanic Cyber Army Team",
				"Temp.Hermit ",
				"UNC577 ",
				"Who Am I?",
				"Whois Team",
				"ZINC "
			],
			"source_name": "Secureworks:NICKEL ACADEMY",
			"tools": [
				"Destover",
				"KorHigh",
				"Volgmer"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "f5c5d5d4-3969-4e34-9982-55144c3908eb",
			"created_at": "2022-10-25T16:07:24.37846Z",
			"updated_at": "2026-04-10T02:00:04.965506Z",
			"deleted_at": null,
			"main_name": "Vicious Panda",
			"aliases": [
				"Bronze Dudley"
			],
			"source_name": "ETDA:Vicious Panda",
			"tools": [
				"8.t Dropper",
				"8.t RTF exploit builder",
				"8t_dropper",
				"BBSRAT",
				"Byeby",
				"Cmstar",
				"Enfal",
				"Lurid",
				"Pylot",
				"RoyalRoad",
				"Travle",
				"meciv"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "39842197-944a-49fd-9bec-eafa1807e0ea",
			"created_at": "2022-10-25T16:07:24.310589Z",
			"updated_at": "2026-04-10T02:00:04.931264Z",
			"deleted_at": null,
			"main_name": "TeleBots",
			"aliases": [],
			"source_name": "ETDA:TeleBots",
			"tools": [
				"BadRabbit",
				"Black Energy",
				"BlackEnergy",
				"CredRaptor",
				"Diskcoder.C",
				"EternalPetya",
				"ExPetr",
				"Exaramel",
				"FakeTC",
				"Felixroot",
				"GreyEnergy",
				"GreyEnergy mini",
				"KillDisk",
				"LOLBAS",
				"LOLBins",
				"Living off the Land",
				"NonPetya",
				"NotPetya",
				"Nyetya",
				"Petna",
				"Petrwrap",
				"Pnyetya",
				"TeleBot",
				"TeleDoor",
				"Win32/KillDisk.NBB",
				"Win32/KillDisk.NBC",
				"Win32/KillDisk.NBD",
				"Win32/KillDisk.NBH",
				"Win32/KillDisk.NBI",
				"nPetya"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "8941e146-3e7f-4b4e-9b66-c2da052ee6df",
			"created_at": "2023-01-06T13:46:38.402513Z",
			"updated_at": "2026-04-10T02:00:02.959797Z",
			"deleted_at": null,
			"main_name": "Sandworm",
			"aliases": [
				"IRIDIUM",
				"Blue Echidna",
				"VOODOO BEAR",
				"FROZENBARENTS",
				"UAC-0113",
				"Seashell Blizzard",
				"UAC-0082",
				"APT44",
				"Quedagh",
				"TEMP.Noble",
				"IRON VIKING",
				"G0034",
				"ELECTRUM",
				"TeleBots"
			],
			"source_name": "MISPGALAXY:Sandworm",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "6e79c98d-c678-4f28-b869-5723a78e71f4",
			"created_at": "2023-01-06T13:46:39.422441Z",
			"updated_at": "2026-04-10T02:00:03.322083Z",
			"deleted_at": null,
			"main_name": "Vicious Panda",
			"aliases": [
				"SixLittleMonkeys"
			],
			"source_name": "MISPGALAXY:Vicious Panda",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "732597b1-40a8-474c-88cc-eb8a421c29f1",
			"created_at": "2025-08-07T02:03:25.087732Z",
			"updated_at": "2026-04-10T02:00:03.776007Z",
			"deleted_at": null,
			"main_name": "NICKEL GLADSTONE",
			"aliases": [
				"APT38 ",
				"ATK 117 ",
				"Alluring Pisces ",
				"Black Alicanto ",
				"Bluenoroff ",
				"CTG-6459 ",
				"Citrine Sleet ",
				"HIDDEN COBRA ",
				"Lazarus Group",
				"Sapphire Sleet ",
				"Selective Pisces ",
				"Stardust Chollima ",
				"T-APT-15 ",
				"TA444 ",
				"TAG-71 "
			],
			"source_name": "Secureworks:NICKEL GLADSTONE",
			"tools": [
				"AlphaNC",
				"Bankshot",
				"CCGC_Proxy",
				"Ratankba",
				"RustBucket",
				"SUGARLOADER",
				"SwiftLoader",
				"Wcry"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "a66438a8-ebf6-4397-9ad5-ed07f93330aa",
			"created_at": "2022-10-25T16:47:55.919702Z",
			"updated_at": "2026-04-10T02:00:03.618194Z",
			"deleted_at": null,
			"main_name": "IRON VIKING",
			"aliases": [
				"APT44 ",
				"ATK14 ",
				"BlackEnergy Group",
				"Blue Echidna ",
				"CTG-7263 ",
				"ELECTRUM ",
				"FROZENBARENTS ",
				"Hades/OlympicDestroyer ",
				"IRIDIUM ",
				"Qudedagh ",
				"Sandworm Team ",
				"Seashell Blizzard ",
				"TEMP.Noble ",
				"Telebots ",
				"Voodoo Bear "
			],
			"source_name": "Secureworks:IRON VIKING",
			"tools": [
				"BadRabbit",
				"BlackEnergy",
				"GCat",
				"NotPetya",
				"PSCrypt",
				"TeleBot",
				"TeleDoor",
				"xData"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "20b5fa2f-2ef1-4e69-8275-25927a762f72",
			"created_at": "2025-08-07T02:03:24.573647Z",
			"updated_at": "2026-04-10T02:00:03.765721Z",
			"deleted_at": null,
			"main_name": "BRONZE DUDLEY",
			"aliases": [
				"TA428 ",
				"Temp.Hex ",
				"Vicious Panda "
			],
			"source_name": "Secureworks:BRONZE DUDLEY",
			"tools": [
				"NCCTrojan",
				"PhantomNet",
				"PoisonIvy",
				"Royal Road"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "a2b92056-9378-4749-926b-7e10c4500dac",
			"created_at": "2023-01-06T13:46:38.430595Z",
			"updated_at": "2026-04-10T02:00:02.971571Z",
			"deleted_at": null,
			"main_name": "Lazarus Group",
			"aliases": [
				"Operation DarkSeoul",
				"Bureau 121",
				"Group 77",
				"APT38",
				"NICKEL GLADSTONE",
				"G0082",
				"COPERNICIUM",
				"Moonstone Sleet",
				"Operation GhostSecret",
				"APT 38",
				"Appleworm",
				"Unit 121",
				"ATK3",
				"G0032",
				"ATK117",
				"NewRomanic Cyber Army Team",
				"Nickel Academy",
				"Sapphire Sleet",
				"Lazarus group",
				"Hastati Group",
				"Subgroup: Bluenoroff",
				"Operation Troy",
				"Black Artemis",
				"Dark Seoul",
				"Andariel",
				"Labyrinth Chollima",
				"Operation AppleJeus",
				"COVELLITE",
				"Citrine Sleet",
				"DEV-0139",
				"DEV-1222",
				"Hidden Cobra",
				"Bluenoroff",
				"Stardust Chollima",
				"Whois Hacking Team",
				"Diamond Sleet",
				"TA404",
				"BeagleBoyz",
				"APT-C-26"
			],
			"source_name": "MISPGALAXY:Lazarus Group",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "32a223a8-3c79-4146-87c5-8557d38662ae",
			"created_at": "2022-10-25T15:50:23.703698Z",
			"updated_at": "2026-04-10T02:00:05.261989Z",
			"deleted_at": null,
			"main_name": "Lazarus Group",
			"aliases": [
				"Lazarus Group",
				"Labyrinth Chollima",
				"HIDDEN COBRA",
				"Guardians of Peace",
				"NICKEL ACADEMY",
				"Diamond Sleet"
			],
			"source_name": "MITRE:Lazarus Group",
			"tools": [
				"RawDisk",
				"Proxysvc",
				"BADCALL",
				"FALLCHILL",
				"WannaCry",
				"MagicRAT",
				"HOPLIGHT",
				"TYPEFRAME",
				"Dtrack",
				"HotCroissant",
				"HARDRAIN",
				"Dacls",
				"KEYMARBLE",
				"TAINTEDSCRIBE",
				"AuditCred",
				"netsh",
				"ECCENTRICBANDWAGON",
				"AppleJeus",
				"BLINDINGCAN",
				"ThreatNeedle",
				"Volgmer",
				"Cryptoistic",
				"RATANKBA",
				"Bankshot"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "b3e954e8-8bbb-46f3-84de-d6f12dc7e1a6",
			"created_at": "2022-10-25T15:50:23.339976Z",
			"updated_at": "2026-04-10T02:00:05.27483Z",
			"deleted_at": null,
			"main_name": "Sandworm Team",
			"aliases": [
				"Sandworm Team",
				"ELECTRUM",
				"Telebots",
				"IRON VIKING",
				"BlackEnergy (Group)",
				"Quedagh",
				"Voodoo Bear",
				"IRIDIUM",
				"Seashell Blizzard",
				"FROZENBARENTS",
				"APT44"
			],
			"source_name": "MITRE:Sandworm Team",
			"tools": [
				"Bad Rabbit",
				"Mimikatz",
				"Exaramel for Linux",
				"Exaramel for Windows",
				"GreyEnergy",
				"PsExec",
				"Prestige",
				"P.A.S. Webshell",
				"AcidPour",
				"VPNFilter",
				"Neo-reGeorg",
				"Cyclops Blink",
				"SDelete",
				"Kapeka",
				"AcidRain",
				"Industroyer",
				"Industroyer2",
				"BlackEnergy",
				"Cobalt Strike",
				"NotPetya",
				"KillDisk",
				"PoshC2",
				"Impacket",
				"Invoke-PSImage",
				"Olympic Destroyer"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "f32df445-9fb4-4234-99e0-3561f6498e4e",
			"created_at": "2022-10-25T16:07:23.756373Z",
			"updated_at": "2026-04-10T02:00:04.739611Z",
			"deleted_at": null,
			"main_name": "Lazarus Group",
			"aliases": [
				"APT-C-26",
				"ATK 3",
				"Appleworm",
				"Citrine Sleet",
				"DEV-0139",
				"Diamond Sleet",
				"G0032",
				"Gleaming Pisces",
				"Gods Apostles",
				"Gods Disciples",
				"Group 77",
				"Guardians of Peace",
				"Hastati Group",
				"Hidden Cobra",
				"ITG03",
				"Jade Sleet",
				"Labyrinth Chollima",
				"Lazarus Group",
				"NewRomanic Cyber Army Team",
				"Operation 99",
				"Operation AppleJeus",
				"Operation AppleJeus sequel",
				"Operation Blockbuster: Breach of Sony Pictures Entertainment",
				"Operation CryptoCore",
				"Operation Dream Job",
				"Operation Dream Magic",
				"Operation Flame",
				"Operation GhostSecret",
				"Operation In(ter)caption",
				"Operation LolZarus",
				"Operation Marstech Mayhem",
				"Operation No Pineapple!",
				"Operation North Star",
				"Operation Phantom Circuit",
				"Operation Sharpshooter",
				"Operation SyncHole",
				"Operation Ten Days of Rain / DarkSeoul",
				"Operation Troy",
				"SectorA01",
				"Slow Pisces",
				"TA404",
				"TraderTraitor",
				"UNC2970",
				"UNC4034",
				"UNC4736",
				"UNC4899",
				"UNC577",
				"Whois Hacking Team"
			],
			"source_name": "ETDA:Lazarus Group",
			"tools": [
				"3CX Backdoor",
				"3Rat Client",
				"3proxy",
				"AIRDRY",
				"ARTFULPIE",
				"ATMDtrack",
				"AlphaNC",
				"Alreay",
				"Andaratm",
				"AngryRebel",
				"AppleJeus",
				"Aryan",
				"AuditCred",
				"BADCALL",
				"BISTROMATH",
				"BLINDINGCAN",
				"BTC Changer",
				"BUFFETLINE",
				"BanSwift",
				"Bankshot",
				"Bitrep",
				"Bitsran",
				"BlindToad",
				"Bookcode",
				"BootWreck",
				"BottomLoader",
				"Brambul",
				"BravoNC",
				"Breut",
				"COLDCAT",
				"COPPERHEDGE",
				"CROWDEDFLOUNDER",
				"Castov",
				"CheeseTray",
				"CleanToad",
				"ClientTraficForwarder",
				"CollectionRAT",
				"Concealment Troy",
				"Contopee",
				"CookieTime",
				"Cyruslish",
				"DAVESHELL",
				"DBLL Dropper",
				"DLRAT",
				"DRATzarus",
				"DRATzarus RAT",
				"Dacls",
				"Dacls RAT",
				"DarkComet",
				"DarkKomet",
				"DeltaCharlie",
				"DeltaNC",
				"Dembr",
				"Destover",
				"DoublePulsar",
				"Dozer",
				"Dtrack",
				"Duuzer",
				"DyePack",
				"ECCENTRICBANDWAGON",
				"ELECTRICFISH",
				"Escad",
				"EternalBlue",
				"FALLCHILL",
				"FYNLOS",
				"FallChill RAT",
				"Farfli",
				"Fimlis",
				"FoggyBrass",
				"FudModule",
				"Fynloski",
				"Gh0st RAT",
				"Ghost RAT",
				"Gopuram",
				"HARDRAIN",
				"HIDDEN COBRA RAT/Worm",
				"HLOADER",
				"HOOKSHOT",
				"HOPLIGHT",
				"HOTCROISSANT",
				"HOTWAX",
				"HTTP Troy",
				"Hawup",
				"Hawup RAT",
				"Hermes",
				"HotCroissant",
				"HotelAlfa",
				"Hotwax",
				"HtDnDownLoader",
				"Http Dr0pper",
				"ICONICSTEALER",
				"Joanap",
				"Jokra",
				"KANDYKORN",
				"KEYMARBLE",
				"Kaos",
				"KillDisk",
				"KillMBR",
				"Koredos",
				"Krademok",
				"LIGHTSHIFT",
				"LIGHTSHOW",
				"LOLBAS",
				"LOLBins",
				"Lazarus",
				"LightlessCan",
				"Living off the Land",
				"MATA",
				"MBRkiller",
				"MagicRAT",
				"Manuscrypt",
				"Mimail",
				"Mimikatz",
				"Moudour",
				"Mydoom",
				"Mydoor",
				"Mytob",
				"NACHOCHEESE",
				"NachoCheese",
				"NestEgg",
				"NickelLoader",
				"NineRAT",
				"Novarg",
				"NukeSped",
				"OpBlockBuster",
				"PCRat",
				"PEBBLEDASH",
				"PLANKWALK",
				"POOLRAT",
				"PSLogger",
				"PhanDoor",
				"Plink",
				"PondRAT",
				"PowerBrace",
				"PowerRatankba",
				"PowerShell RAT",
				"PowerSpritz",
				"PowerTask",
				"Preft",
				"ProcDump",
				"Proxysvc",
				"PuTTY Link",
				"QUICKRIDE",
				"QUICKRIDE.POWER",
				"Quickcafe",
				"QuiteRAT",
				"R-C1",
				"ROptimizer",
				"Ratabanka",
				"RatabankaPOS",
				"Ratankba",
				"RatankbaPOS",
				"RawDisk",
				"RedShawl",
				"Rifdoor",
				"Rising Sun",
				"Romeo-CoreOne",
				"RomeoAlfa",
				"RomeoBravo",
				"RomeoCharlie",
				"RomeoCore",
				"RomeoDelta",
				"RomeoEcho",
				"RomeoFoxtrot",
				"RomeoGolf",
				"RomeoHotel",
				"RomeoMike",
				"RomeoNovember",
				"RomeoWhiskey",
				"Romeos",
				"RustBucket",
				"SHADYCAT",
				"SHARPKNOT",
				"SIGFLIP",
				"SIMPLESEA",
				"SLICKSHOES",
				"SORRYBRUTE",
				"SUDDENICON",
				"SUGARLOADER",
				"SheepRAT",
				"SierraAlfa",
				"SierraBravo",
				"SierraCharlie",
				"SierraJuliett-MikeOne",
				"SierraJuliett-MikeTwo",
				"SimpleTea",
				"SimplexTea",
				"SmallTiger",
				"Stunnel",
				"TAINTEDSCRIBE",
				"TAXHAUL",
				"TFlower",
				"TOUCHKEY",
				"TOUCHMOVE",
				"TOUCHSHIFT",
				"TOUCHSHOT",
				"TWOPENCE",
				"TYPEFRAME",
				"Tdrop",
				"Tdrop2",
				"ThreatNeedle",
				"Tiger RAT",
				"TigerRAT",
				"Trojan Manuscript",
				"Troy",
				"TroyRAT",
				"VEILEDSIGNAL",
				"VHD",
				"VHD Ransomware",
				"VIVACIOUSGIFT",
				"VSingle",
				"ValeforBeta",
				"Volgmer",
				"Vyveva",
				"W1_RAT",
				"Wana Decrypt0r",
				"WanaCry",
				"WanaCrypt",
				"WanaCrypt0r",
				"WannaCry",
				"WannaCrypt",
				"WannaCryptor",
				"WbBot",
				"Wcry",
				"Win32/KillDisk.NBB",
				"Win32/KillDisk.NBC",
				"Win32/KillDisk.NBD",
				"Win32/KillDisk.NBH",
				"Win32/KillDisk.NBI",
				"WinorDLL64",
				"Winsec",
				"WolfRAT",
				"Wormhole",
				"YamaBot",
				"Yort",
				"ZetaNile",
				"concealment_troy",
				"http_troy",
				"httpdr0pper",
				"httpdropper",
				"klovbot",
				"sRDI"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434273,
	"ts_updated_at": 1775826688,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/16c40c38294e6214024cb00abbc841af3c7bf539.pdf",
		"text": "https://archive.orkl.eu/16c40c38294e6214024cb00abbc841af3c7bf539.txt",
		"img": "https://archive.orkl.eu/16c40c38294e6214024cb00abbc841af3c7bf539.jpg"
	}
}