{ "id": "f760140a-1dea-474b-acdd-5796871cd1d8", "created_at": "2026-04-06T00:10:24.273544Z", "updated_at": "2026-04-10T03:38:19.104389Z", "deleted_at": null, "sha1_hash": "1f937db0e5505ee76978394e69b5f287352fd8ab", "title": "Commonly Known Tools Used by Lazarus - JPCERT/CC Eyes", "llm_title": "", "authors": "", "file_creation_date": "0001-01-01T00:00:00Z", "file_modification_date": "0001-01-01T00:00:00Z", "file_size": 440526, "plain_text": "Commonly Known Tools Used by Lazarus - JPCERT/CC Eyes\r\nBy 朝長 秀誠 (Shusei Tomonaga)\r\nPublished: 2021-01-19 · Archived: 2026-04-05 17:37:56 UTC\r\nLazarus\r\nIt is widely known that attackers use Windows commands and tools that are commonly known and used after\r\nintruding their target network. Lazarus attack group, a.k.a. Hidden Cobra, also uses such tools to collect\r\ninformation and spread the infection. This blog post describes the tools they use.\r\nLateral movement\r\nThese three tools are used for lateral movement. AdFind collects the information of clients and users from Active\r\nDirectory. It has been observed that other attack groups also used the tool [1]. SMBMap is used to have their\r\nmalware infect other hosts. (Also check out our previous blog post on Lazarus.) It has also been observed that\r\nResponder-Windows was used to collect information in the network.\r\nName Description Reference\r\nAdFind\r\nCommand line tool to collect\r\ninformation from Active Directory\r\nhttp://www.joeware.net/freetools/tools/adfind/\r\nSMBMap\r\nTool to list accessible shared SMB\r\nresources and access those files\r\nhttps://github.com/ShawnDEvans/smbmap\r\nResponder-WindowsTool to lead clients with spoof\r\nLLMNR, NBT-NS, and WPAD\r\nhttps://github.com/lgandx/Responder-Windows\r\nStealing sensitive data\r\nThese three tools are used for information theft. Tools for such a purpose are used only in certain cases because\r\nmalware itself usually has similar functions. Tools for collecting account information from browsers and email\r\nclients are particularly used. Attackers often archives collected files in RAR before exfiltration, and so does\r\nLazarus attack group using WinRAR. As we mentioned in our previous blog post, the malware can archive files in\r\nzlib and send them. It means that files are not always sent in RAR.\r\nName Description Reference\r\nXenArmor Email\r\nPassword Recovery Pro\r\nTool to extract credentials from\r\nemail clients and services\r\nhttps://xenarmor.com/email-password-recovery-pro-software/\r\nhttps://blogs.jpcert.or.jp/en/2021/01/Lazarus_tools.html\r\nPage 1 of 6\n\nXenArmor Browser\r\nPassword Recovery Pro\r\nTool to extract credentials from\r\nweb browsers\r\nhttps://xenarmor.com/browser-password-recovery-pro-software/\r\nWinRAR RAR archiver https://www.rarlab.com/\r\nOther tools\r\nThese following tools are used for other purposes. Attackers sometimes create backdoors in the infected network\r\nusing RDP, TeamViewer, VNC, and other applications. It is confirmed that Lazarus has used VNC and a common\r\nMicrosoft tool ProcDump before. ProcDump is sometimes used when attackers attempt to extract user credentials\r\nfrom the LSASS process dump. Windows' counterpart of common Linux tools such as tcpdump and wget are also\r\nused.\r\nName Description Reference\r\nTightVNC\r\nViewer\r\nVNC client https://www.tightvnc.com/download.php\r\nProcDump\r\nCommon Microsoft's tool to get\r\nprocess memory dump\r\nhttps://docs.microsoft.com/en-us/sysinternals/downloads/procdump\r\ntcpdump Packet capturing tool https://www.tcpdump.org/\r\nwget Downloader\r\nIn closing\r\nThis blog post described tools used by Lazarus group. Although their malware contains many functions as we\r\nalready covered in other blog posts, they still supplement it with tools which are widely available and commonly\r\nknown. It should be noted that anti-virus software may not detect such tools.\r\nThe hash values of the tools covered in this blog post are listed in Appendix A.\r\nShusei Tomonaga\r\n(Translated by Takumi Nakano)\r\nReference\r\n[1] Cybereason: Dropping Anchor: From a TrickBot Infection to the Discovery of the Anchor Malware\r\nhttps://www.cybereason.com/blog/dropping-anchor-from-a-trickbot-infection-to-the-discovery-of-the-anchor-malware\r\nAppendix A: Hash value\r\nBe careful when using these hash values as IoC. The list contains tools that are commonly used for non-malicious\r\npurposes.\r\nhttps://blogs.jpcert.or.jp/en/2021/01/Lazarus_tools.html\r\nPage 2 of 6\n\nAdFind\r\nCFD201EDE3EBC0DEB0031983B2BDA9FC54E24D244063ED323B0E421A535CFF92\r\nB1102ED4BCA6DAE6F2F498ADE2F73F76AF527FA803F0E0B46E100D4CF5150682\r\nCFD201EDE3EBC0DEB0031983B2BDA9FC54E24D244063ED323B0E421A535CFF92\r\nSMBMap\r\n65DDF061178AD68E85A2426CAF9CB85DC9ACC2E00564B8BCB645C8B515200B67\r\nda4ad44e8185e561354d29c153c0804c11798f26915274f678db0a51c42fe656\r\nResponder-Windows\r\n7DCCC776C464A593036C597706016B2C8355D09F9539B28E13A3C4FFCDA13DE3\r\n47D121087C05568FE90A25EF921F9E35D40BC6BEC969E33E75337FC9B580F0E8\r\nXenArmor Email Password Recovery Pro\r\n85703EFD4BA5B691D6B052402C2E5DEC95F4CEC5E8EA31351AF8523864FFC096\r\nXenArmor Browser Password Recovery Pro\r\n4B7DE800CCAEDEE8A0EDD63D4273A20844B20A35969C32AD1AC645E7B0398220\r\nWinrar\r\nCF0121CD61990FD3F436BDA2B2AFF035A2621797D12FD02190EE0F9B2B52A75D\r\nEA139458B4E88736A3D48E81569178FD5C11156990B6A90E2D35F41B1AD9BAC1\r\nTightVNC Viewer\r\nA7AD23EE318852F76884B1B1F332AD5A8B592D0F55310C8F2CE1A97AD7C9DB15\r\n30B234E74F9ABE72EEFDE585C39300C3FC745B7E6D0410B0B068C270C16C5C39\r\nTcpdump\r\n2CD844C7A4F3C51CB7216E9AD31D82569212F7EB3E077C9A448C1A0C28BE971B\r\n1E0480E0E81D5AF360518DFF65923B31EA21621F5DA0ED82A7D80F50798B6059\r\nProcdump\r\n5D1660A53AAF824739D82F703ED580004980D377BDC2834F1041D512E4305D07\r\nF4C8369E4DE1F12CC5A71EB5586B38FC78A9D8DB2B189B8C25EF17A572D4D6B7\r\nWget\r\nhttps://blogs.jpcert.or.jp/en/2021/01/Lazarus_tools.html\r\nPage 3 of 6\n\nC0E27B7F6698327FF63B03FCCC0E45EFF1DC69A571C1C3F6C934EF7273B1562F\r\nCF02B7614FEA863672CCBED7701E5B5A8FAD8ED1D0FAA2F9EA03B9CC9BA2A3BA\r\n朝長 秀誠 (Shusei Tomonaga)\r\nSince December 2012, he has been engaged in malware analysis and forensics investigation, and is especially\r\ninvolved in analyzing incidents of targeted attacks. Prior to joining JPCERT/CC, he was engaged in security\r\nmonitoring and analysis operations at a foreign-affiliated IT vendor. He presented at CODE BLUE, BsidesLV,\r\nBlackHat USA Arsenal, Botconf, PacSec and FIRST Conference. JSAC organizer.\r\nRelated articles\r\nMultiple Threat Actors Rapidly Exploit React2Shell: A Case Study of Active Compromise\r\nUpdate on Attacks by Threat Group APT-C-60\r\nhttps://blogs.jpcert.or.jp/en/2021/01/Lazarus_tools.html\r\nPage 4 of 6\n\nCrossC2 Expanding Cobalt Strike Beacon to Cross-Platform Attacks\r\nMalware Identified in Attacks Exploiting Ivanti Connect Secure Vulnerabilities\r\nTempted to Classifying APT Actors: Practical Challenges of Attribution in the Case of Lazarus’s Subgroup\r\nhttps://blogs.jpcert.or.jp/en/2021/01/Lazarus_tools.html\r\nPage 5 of 6\n\nSource: https://blogs.jpcert.or.jp/en/2021/01/Lazarus_tools.html\r\nhttps://blogs.jpcert.or.jp/en/2021/01/Lazarus_tools.html\r\nPage 6 of 6", "extraction_quality": 1, "language": "EN", "sources": [ "MISPGALAXY", "Malpedia", "ETDA" ], "references": [ "https://blogs.jpcert.or.jp/en/2021/01/Lazarus_tools.html" ], "report_names": [ "Lazarus_tools.html" ], "threat_actors": [ { "id": "d90307b6-14a9-4d0b-9156-89e453d6eb13", "created_at": "2022-10-25T16:07:23.773944Z", "updated_at": "2026-04-10T02:00:04.746188Z", "deleted_at": null, "main_name": "Lead", "aliases": [ "Casper", "TG-3279" ], "source_name": "ETDA:Lead", "tools": [ "Agentemis", "BleDoor", "Cobalt Strike", "CobaltStrike", "RbDoor", "RibDoor", "Winnti", "cobeacon" ], "source_id": "ETDA", "reports": null }, { "id": "34eea331-d052-4096-ae03-a22f1d090bd4", "created_at": "2025-08-07T02:03:25.073494Z", "updated_at": "2026-04-10T02:00:03.709243Z", "deleted_at": null, "main_name": "NICKEL ACADEMY", "aliases": [ "ATK3 ", "Black Artemis ", "COVELLITE ", "CTG-2460 ", "Citrine Sleet ", "Diamond Sleet ", "Guardians of Peace", "HIDDEN COBRA ", "High Anonymous", "Labyrinth Chollima ", "Lazarus Group ", "NNPT Group", "New Romanic Cyber Army Team", "Temp.Hermit ", "UNC577 ", "Who Am I?", "Whois Team", "ZINC " ], "source_name": "Secureworks:NICKEL ACADEMY", "tools": [ "Destover", "KorHigh", "Volgmer" ], "source_id": "Secureworks", "reports": null }, { "id": "15b8d5d8-32cf-408b-91b1-5d6ac1de9805", "created_at": "2023-07-20T02:00:08.724751Z", "updated_at": "2026-04-10T02:00:03.341845Z", "deleted_at": null, "main_name": "APT-C-60", "aliases": [ "APT-Q-12" ], "source_name": "MISPGALAXY:APT-C-60", "tools": [], "source_id": "MISPGALAXY", "reports": null }, { "id": "ab47428c-7a8e-4ee8-9c8e-4e55c94d2854", "created_at": "2024-12-28T02:01:54.668462Z", "updated_at": "2026-04-10T02:00:04.564201Z", "deleted_at": null, "main_name": "APT-C-60", "aliases": [ "APT-Q-12" ], "source_name": "ETDA:APT-C-60", "tools": [ "SpyGlace" ], "source_id": "ETDA", "reports": null }, { "id": "732597b1-40a8-474c-88cc-eb8a421c29f1", "created_at": "2025-08-07T02:03:25.087732Z", "updated_at": "2026-04-10T02:00:03.776007Z", "deleted_at": null, "main_name": "NICKEL GLADSTONE", "aliases": [ "APT38 ", "ATK 117 ", "Alluring Pisces ", "Black Alicanto ", "Bluenoroff ", "CTG-6459 ", "Citrine Sleet ", "HIDDEN COBRA ", "Lazarus Group", "Sapphire Sleet ", "Selective Pisces ", "Stardust Chollima ", "T-APT-15 ", "TA444 ", "TAG-71 " ], "source_name": "Secureworks:NICKEL GLADSTONE", "tools": [ "AlphaNC", "Bankshot", "CCGC_Proxy", "Ratankba", "RustBucket", "SUGARLOADER", "SwiftLoader", "Wcry" ], "source_id": "Secureworks", "reports": null }, { "id": "a2b92056-9378-4749-926b-7e10c4500dac", "created_at": "2023-01-06T13:46:38.430595Z", "updated_at": "2026-04-10T02:00:02.971571Z", "deleted_at": null, "main_name": "Lazarus Group", "aliases": [ "Operation DarkSeoul", "Bureau 121", "Group 77", "APT38", "NICKEL GLADSTONE", "G0082", "COPERNICIUM", "Moonstone Sleet", "Operation GhostSecret", "APT 38", "Appleworm", "Unit 121", "ATK3", "G0032", "ATK117", "NewRomanic Cyber Army Team", "Nickel Academy", "Sapphire Sleet", "Lazarus group", "Hastati Group", "Subgroup: Bluenoroff", "Operation Troy", "Black Artemis", "Dark Seoul", "Andariel", "Labyrinth Chollima", "Operation AppleJeus", "COVELLITE", "Citrine Sleet", "DEV-0139", "DEV-1222", "Hidden Cobra", "Bluenoroff", "Stardust Chollima", "Whois Hacking Team", "Diamond Sleet", "TA404", "BeagleBoyz", "APT-C-26" ], "source_name": "MISPGALAXY:Lazarus Group", "tools": [], "source_id": "MISPGALAXY", "reports": null }, { "id": "32a223a8-3c79-4146-87c5-8557d38662ae", "created_at": "2022-10-25T15:50:23.703698Z", "updated_at": "2026-04-10T02:00:05.261989Z", "deleted_at": null, "main_name": "Lazarus Group", "aliases": [ "Lazarus Group", "Labyrinth Chollima", "HIDDEN COBRA", "Guardians of Peace", "NICKEL ACADEMY", "Diamond Sleet" ], "source_name": "MITRE:Lazarus Group", "tools": [ "RawDisk", "Proxysvc", "BADCALL", "FALLCHILL", "WannaCry", "MagicRAT", "HOPLIGHT", "TYPEFRAME", "Dtrack", "HotCroissant", "HARDRAIN", "Dacls", "KEYMARBLE", "TAINTEDSCRIBE", "AuditCred", "netsh", "ECCENTRICBANDWAGON", "AppleJeus", "BLINDINGCAN", "ThreatNeedle", "Volgmer", "Cryptoistic", "RATANKBA", "Bankshot" ], "source_id": "MITRE", "reports": null }, { "id": "f32df445-9fb4-4234-99e0-3561f6498e4e", "created_at": "2022-10-25T16:07:23.756373Z", "updated_at": "2026-04-10T02:00:04.739611Z", "deleted_at": null, "main_name": "Lazarus Group", "aliases": [ "APT-C-26", "ATK 3", "Appleworm", "Citrine Sleet", "DEV-0139", "Diamond Sleet", "G0032", "Gleaming Pisces", "Gods Apostles", "Gods Disciples", "Group 77", "Guardians of Peace", "Hastati Group", "Hidden Cobra", "ITG03", "Jade Sleet", "Labyrinth Chollima", "Lazarus Group", "NewRomanic Cyber Army Team", "Operation 99", "Operation AppleJeus", "Operation AppleJeus sequel", "Operation Blockbuster: Breach of Sony Pictures Entertainment", "Operation CryptoCore", "Operation Dream Job", "Operation Dream Magic", "Operation Flame", "Operation GhostSecret", "Operation In(ter)caption", "Operation LolZarus", "Operation Marstech Mayhem", "Operation No Pineapple!", "Operation North Star", "Operation Phantom Circuit", "Operation Sharpshooter", "Operation SyncHole", "Operation Ten Days of Rain / DarkSeoul", "Operation Troy", "SectorA01", "Slow Pisces", "TA404", "TraderTraitor", "UNC2970", "UNC4034", "UNC4736", "UNC4899", "UNC577", "Whois Hacking Team" ], "source_name": "ETDA:Lazarus Group", "tools": [ "3CX Backdoor", "3Rat Client", "3proxy", "AIRDRY", "ARTFULPIE", "ATMDtrack", "AlphaNC", "Alreay", "Andaratm", "AngryRebel", "AppleJeus", "Aryan", "AuditCred", "BADCALL", "BISTROMATH", "BLINDINGCAN", "BTC Changer", "BUFFETLINE", "BanSwift", "Bankshot", "Bitrep", "Bitsran", "BlindToad", "Bookcode", "BootWreck", "BottomLoader", "Brambul", "BravoNC", "Breut", "COLDCAT", "COPPERHEDGE", "CROWDEDFLOUNDER", "Castov", "CheeseTray", "CleanToad", "ClientTraficForwarder", "CollectionRAT", "Concealment Troy", "Contopee", "CookieTime", "Cyruslish", "DAVESHELL", "DBLL Dropper", "DLRAT", "DRATzarus", "DRATzarus RAT", "Dacls", "Dacls RAT", "DarkComet", "DarkKomet", "DeltaCharlie", "DeltaNC", "Dembr", "Destover", "DoublePulsar", "Dozer", "Dtrack", "Duuzer", "DyePack", "ECCENTRICBANDWAGON", "ELECTRICFISH", "Escad", "EternalBlue", "FALLCHILL", "FYNLOS", "FallChill RAT", "Farfli", "Fimlis", "FoggyBrass", "FudModule", "Fynloski", "Gh0st RAT", "Ghost RAT", "Gopuram", "HARDRAIN", "HIDDEN COBRA RAT/Worm", "HLOADER", "HOOKSHOT", "HOPLIGHT", "HOTCROISSANT", "HOTWAX", "HTTP Troy", "Hawup", "Hawup RAT", "Hermes", "HotCroissant", "HotelAlfa", "Hotwax", "HtDnDownLoader", "Http Dr0pper", "ICONICSTEALER", "Joanap", "Jokra", "KANDYKORN", "KEYMARBLE", "Kaos", "KillDisk", "KillMBR", "Koredos", "Krademok", "LIGHTSHIFT", "LIGHTSHOW", "LOLBAS", "LOLBins", "Lazarus", "LightlessCan", "Living off the Land", "MATA", "MBRkiller", "MagicRAT", "Manuscrypt", "Mimail", "Mimikatz", "Moudour", "Mydoom", "Mydoor", "Mytob", "NACHOCHEESE", "NachoCheese", "NestEgg", "NickelLoader", "NineRAT", "Novarg", "NukeSped", "OpBlockBuster", "PCRat", "PEBBLEDASH", "PLANKWALK", "POOLRAT", "PSLogger", "PhanDoor", "Plink", "PondRAT", "PowerBrace", "PowerRatankba", "PowerShell RAT", "PowerSpritz", "PowerTask", "Preft", "ProcDump", "Proxysvc", "PuTTY Link", "QUICKRIDE", "QUICKRIDE.POWER", "Quickcafe", "QuiteRAT", "R-C1", "ROptimizer", "Ratabanka", "RatabankaPOS", "Ratankba", "RatankbaPOS", "RawDisk", "RedShawl", "Rifdoor", "Rising Sun", "Romeo-CoreOne", "RomeoAlfa", "RomeoBravo", "RomeoCharlie", "RomeoCore", "RomeoDelta", "RomeoEcho", "RomeoFoxtrot", "RomeoGolf", "RomeoHotel", "RomeoMike", "RomeoNovember", "RomeoWhiskey", "Romeos", "RustBucket", "SHADYCAT", "SHARPKNOT", "SIGFLIP", "SIMPLESEA", "SLICKSHOES", "SORRYBRUTE", "SUDDENICON", "SUGARLOADER", "SheepRAT", "SierraAlfa", "SierraBravo", "SierraCharlie", "SierraJuliett-MikeOne", "SierraJuliett-MikeTwo", "SimpleTea", "SimplexTea", "SmallTiger", "Stunnel", "TAINTEDSCRIBE", "TAXHAUL", "TFlower", "TOUCHKEY", "TOUCHMOVE", "TOUCHSHIFT", "TOUCHSHOT", "TWOPENCE", "TYPEFRAME", "Tdrop", "Tdrop2", "ThreatNeedle", "Tiger RAT", "TigerRAT", "Trojan Manuscript", "Troy", "TroyRAT", "VEILEDSIGNAL", "VHD", "VHD Ransomware", "VIVACIOUSGIFT", "VSingle", "ValeforBeta", "Volgmer", "Vyveva", "W1_RAT", "Wana Decrypt0r", "WanaCry", "WanaCrypt", "WanaCrypt0r", "WannaCry", "WannaCrypt", "WannaCryptor", "WbBot", "Wcry", "Win32/KillDisk.NBB", "Win32/KillDisk.NBC", "Win32/KillDisk.NBD", "Win32/KillDisk.NBH", "Win32/KillDisk.NBI", "WinorDLL64", "Winsec", "WolfRAT", "Wormhole", "YamaBot", "Yort", "ZetaNile", "concealment_troy", "http_troy", "httpdr0pper", "httpdropper", "klovbot", "sRDI" ], "source_id": "ETDA", "reports": null } ], "ts_created_at": 1775434224, "ts_updated_at": 1775792299, "ts_creation_date": 0, "ts_modification_date": 0, "files": { "pdf": "https://archive.orkl.eu/1f937db0e5505ee76978394e69b5f287352fd8ab.pdf", "text": "https://archive.orkl.eu/1f937db0e5505ee76978394e69b5f287352fd8ab.txt", "img": "https://archive.orkl.eu/1f937db0e5505ee76978394e69b5f287352fd8ab.jpg" } }