{
	"id": "3bf5ed0c-0ea1-4646-b127-4c09bede502b",
	"created_at": "2026-04-06T00:10:38.012809Z",
	"updated_at": "2026-04-10T03:38:20.481412Z",
	"deleted_at": null,
	"sha1_hash": "25ce33286df842a60957102f119a995df6b1eca6",
	"title": "MAR-10301706-2.v1 - North Korean Remote Access Tool: VIVACIOUSGIFT | CISA",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 96466,
	"plain_text": "MAR-10301706-2.v1 - North Korean Remote Access Tool:\r\nVIVACIOUSGIFT | CISA\r\nPublished: 2020-08-26 · Archived: 2026-04-05 15:51:15 UTC\r\nNotification\r\nThis report is provided \"as is\" for informational purposes only. The Department of Homeland Security (DHS) does not\r\nprovide any warranties of any kind regarding any information contained herein. The DHS does not endorse any commercial\r\nproduct or service referenced in this bulletin or otherwise.\r\nThis document is marked TLP:WHITE--Disclosure is not limited. Sources may use TLP:WHITE when information carries\r\nminimal or no foreseeable risk of misuse, in accordance with applicable rules and procedures for public release. Subject to\r\nstandard copyright rules, TLP:WHITE information may be distributed without restriction. For more information on the\r\nTraffic Light Protocol (TLP), see http://www.us-cert.gov/tlp.\r\nSummary\r\nDescription\r\nThis Malware Analysis Report (MAR) is the result of analytic efforts between the Department of Homeland Security (DHS),\r\nthe Federal Bureau of Investigation (FBI), and the Department of Defense (DoD). Working with U.S. Government partners,\r\nDHS, FBI, and DoD identified Remote Access Tool (RAT) malware variants used by the North Korean government. This\r\nmalware variant has been identified as VIVACIOUSGIFT. The U.S. Government refers to malicious cyber activity by the\r\nNorth Korean government as HIDDEN COBRA. For more information on HIDDEN COBRA activity, visit\r\nhttps[:]//www[.]us-cert.gov/hiddencobra.\r\nFBI has high confidence that HIDDEN COBRA actors are using malware variants in conjunction with proxy servers to\r\nmaintain a presence on victim networks and to further network exploitation. 
DHS, FBI, and DoD are distributing this MAR\r\nto enable network defense and reduce exposure to North Korean government malicious cyber activity.\r\nThis MAR includes malware descriptions related to HIDDEN COBRA, suggested response actions and recommended\r\nmitigation techniques. Users or administrators should flag activity associated with the malware and report the activity to the\r\nCybersecurity and Infrastructure Security Agency (CISA) or the FBI Cyber Watch (CyWatch), and give the activity the\r\nhighest priority for enhanced mitigation.\r\nThis report looks at the malware samples known as VIVACIOUSGIFT that are used by advanced persistent threat (APT)\r\ncyber actors as a network proxy tool. The proxy requires an encrypted command line argument for its source and destination\r\nInternet Protocol (IP) addresses and has command and control (C2) functionality to retrieve and set the destination IP. The\r\ncommand line argument can also contain a source proxy IP, port, and password. The source proxy is used as an additional\r\nproxy when communicating with the source IP. 
The library libcurl version 7.49.1 is used when communicating with the\r\nsource proxy.\r\nFor a downloadable copy of IOCs, see MAR-10301706-2.v1.stix.\r\nSubmitted Files (6)\r\n70b494b0a8fdf054926829dcb3235fc7bd0346b6a19faf2a57891c71043b3b38 (70b494b0a8fdf054926829dcb3235f...)\r\n8cad61422d032119219f465331308c5a61e21c9a3a431b88e1f8b25129b7e2a1 (8cad61422d032119219f465331308c...)\r\n9a776b895e93926e2a758c09e341accb9333edc1243d216a5e53f47c6043c852 (9a776b895e93926e2a758c09e341ac...)\r\na917c1cc198cf36c0f2f6c24652e5c2e94e28d963b128d54f00144d216b2d118 (a917c1cc198cf36c0f2f6c24652e5c...)\r\naca598e2c619424077ef8043cb4284729045d296ce95414c83ed70985c892c83 (aca598e2c619424077ef8043cb4284...)\r\nf3ca8f15ca582dd486bd78fd57c2f4d7b958163542561606bebd250c827022de (f3ca8f15ca582dd486bd78fd57c2f4...)\r\nFindings\r\na917c1cc198cf36c0f2f6c24652e5c2e94e28d963b128d54f00144d216b2d118\r\nTags\r\nhttps://us-cert.cisa.gov/ncas/analysis-reports/ar20-239b\r\nPage 1 of 15\n\nHIDDEN-COBRAproxytrojan\r\nDetails\r\nName a917c1cc198cf36c0f2f6c24652e5c2e94e28d963b128d54f00144d216b2d118\r\nSize 408576 bytes\r\nType PE32 executable (GUI) Intel 80386, for MS Windows\r\nMD5 40e698f961eb796728a57ddf81f52b9a\r\nSHA1 50b4f9a8fa6803f0aabb6fd9374244af40c2ba4c\r\nSHA256 a917c1cc198cf36c0f2f6c24652e5c2e94e28d963b128d54f00144d216b2d118\r\nSHA512 2ee35d902f2a4022488bdc75cf7531f75de7e8bb4ca8645a9448f33051e835f0cea62e0157ac292187cd9406901f80570b8e17be52fee4a23f\r\nssdeep 12288:E30MB7N+man4IrT0qhPyRg8o//ND6lAMYqcl:i0YNwrT0qhPFtHN2lLYq\r\nEntropy 6.651902\r\nAntivirus\r\nAhnlab Trojan/Win32.Banker\r\nAntiy Trojan[Banker]/Win32.Agent\r\nAvira TR/SpyBanker.Agent.AM\r\nBitDefender Trojan.GenericKD.4446633\r\nClamAV Win.Trojan.Agent-6971031-0\r\nComodo TrojWare.Win32.Ransom.Teerac.C\r\nCyren W32/Banker.FTBC-3937\r\nESET Win32/Spy.Banker.ADRO trojan\r\nEmsisoft Trojan.GenericKD.4446633 (B)\r\nIkarus Trojan-Spy.Banker\r\nK7 Riskware ( 0040eff71 )\r\nLavasoft Trojan.GenericKD.4446633\r\nMcAfee 
Generic.abb\r\nMicrosoft Security Essentials TrojanSpy:Win32/Banker\r\nNANOAV Trojan.Win32.Agent.enikaf\r\nQuick Heal TrojanSpy.Banker\r\nSophos Mal/Generic-L\r\nSymantec Trojan Horse\r\nTrendMicro BKDR_KL.89AB2FB2\r\nTrendMicro House Call BKDR_KL.89AB2FB2\r\nVir.IT eXplorer Trojan.Win32.Banker.FUW\r\nVirusBlokAda TrojanBanker.Agent\r\nZillya! Trojan.Agent.Win32.763316\r\nYARA Rules\r\nrule CISA_3P_10301706_02 : HiddenCobra TWOPENCE backdoor dropper proxy spyware trojan\r\n{\r\n   meta:\r\n       Author = \"CISA Trusted Third Party\"\r\n       Incident = \"10301706.r2.v1\"\r\n       Date = \"2020-08-11\"\r\n       Actor = \"Hidden Cobra\"\r\n       Category = \"Backdoor Dropper Proxy Spyware Trojan\"\r\n       Family = \"TWOPENCE\"\r\n       Description = \"Detects strings in TWOPENCE proxy tool\"\r\n       MD5_1 = \"40e698f961eb796728a57ddf81f52b9a\"\r\n       SHA256_1 = \"a917c1cc198cf36c0f2f6c24652e5c2e94e28d963b128d54f00144d216b2d118\"\r\n       MD5_2 = \"dfd09e91b7f86a984f8687ed6033af9d\"\r\n       SHA256_2 = \"aca598e2c619424077ef8043cb4284729045d296ce95414c83ed70985c892c83\"\r\n       MD5_3 = \"bda82f0d9e2cb7996d2eefdd1e5b41c4\"\r\n       SHA256_3 = \"f3ca8f15ca582dd486bd78fd57c2f4d7b958163542561606bebd250c827022de\"\r\n       MD5_4 = \"97aaf130cfa251e5207ea74b2558293d\"\r\n       SHA256_4 = \"9a776b895e93926e2a758c09e341accb9333edc1243d216a5e53f47c6043c852\"\r\n       MD5_5 = \"889e320cf66520485e1a0475107d7419\"\r\n       SHA256_5 = \"8cad61422d032119219f465331308c5a61e21c9a3a431b88e1f8b25129b7e2a1\"\r\n   strings:\r\n       $cmd1 = \"ssylka\"\r\n       $cmd2 = \"ustanavlivat\"\r\n       $cmd3 = \"poluchit\"\r\n       $cmd4 = \"pereslat\"\r\n       $cmd5 = \"derzhat\"\r\n       $cmd6 = \"vykhodit\"\r\n       $cmd7 = \"Nachalo\"\r\n       $cmd8 = \"kliyent2podklyuchit\"\r\n       $frmt1 = \"Host: %s%s%s:%hu\"\r\n       $frmt2 = \"%s%s%s%s%s%s%s%s%s%s\"\r\n   condition:\r\n       (4 of 
($cmd*)) and (1 of ($frmt*))\r\n}\r\nssdeep Matches\r\nNo matches found.\r\nPE Metadata\r\nCompile Date 2016-07-08 19:11:36-04:00\r\nImport Hash 3415ed7e09a44243bcabe4422aeef7dc\r\nPE Sections\r\nMD5 Name Raw Size Entropy\r\n0e135280ecde05507a86c5681ee38986 header 1024 2.480337\r\ndfcc176fede07939cc4deb950858b6ce .text 333824 6.579572\r\nd72f6b9398a7f267dfe5f1bd44778d62 .rdata 51712 6.391152\r\n1e41f003bafe97cb5bfb59b3ad7d7531 .data 6656 3.459925\r\na8d51b81460671e8fb3df438f0f7fc28 .reloc 15360 5.531184\r\nPackers/Compilers/Cryptors\r\nDescription\r\nThis file is a 32-bit Windows executable. The proxy requires a single command line argument. The argument can consist of\r\na maximum of four encrypted strings delimited by the pipe character (\"|\"). When the four strings are parsed and\r\ndecrypted, the strings represent the following: source IP and port, destination IP and port, source proxy IP and port, and\r\nsource proxy password. The IP and port strings have the following format: \u003cIP:port\u003e. If the destination IP is missing from\r\nthe command line argument, the proxy will wait to get the destination IP from the actor. The source proxy IP and port, as\r\nwell as the source proxy password, are used as an additional proxy when communicating with the source IP. 
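\r\nThe argument layout just described, and the command strings whose encoded forms appear in the Snort rules under Mitigation, modelled in Python as an added example (this is not code from the report, from CISA, or from the malware). parse_endpoint, parse_decrypted_argument, handle_command, recover_substitution, scan_payload and the RFC 5737 test addresses are this example's own; treating the source field as mandatory is an assumption, and the observation that the three Snort byte patterns line up as a fixed one-byte-per-character substitution (for instance t is always 0xac) is inferred from the report's own bytes and should be confirmed against a sample before the table is trusted for strings the report does not give:

```python
# Added example, not from the CISA report or the malware: models the
# VIVACIOUSGIFT command-line layout and recovers the byte substitution
# implied by the Snort content patterns in the Mitigation section.
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

Endpoint = Tuple[str, int]

@dataclass
class ProxyConfig:
    source: Endpoint                    # the proxy connects here first
    destination: Optional[Endpoint]     # None until the C2 sends ustanavlivat
    source_proxy: Optional[Endpoint]    # optional HTTP proxy in front of source
    source_proxy_password: Optional[str]

def parse_endpoint(field: str) -> Optional[Endpoint]:
    # Field format per the report is IP:port; a blank field (the report's
    # example uses a lone space) means the value is absent.
    field = field.strip()
    if not field:
        return None
    host, sep, port = field.rpartition(':')
    if not sep:
        raise ValueError(f'expected IP:port, got {field!r}')
    ipaddress.ip_address(host)          # rejects anything that is not an IP
    port_num = int(port)
    if not 0 < port_num < 65536:
        raise ValueError(f'port out of range: {port_num}')
    return host, port_num

def parse_decrypted_argument(arg: str) -> ProxyConfig:
    # Up to four pipe-delimited fields: source, destination, source proxy,
    # source proxy password. A mandatory source is this example's assumption;
    # the report only says the destination may be missing.
    fields = arg.split('|')
    if not 1 <= len(fields) <= 4:
        raise ValueError('argument must hold one to four fields')
    fields += [''] * (4 - len(fields))
    source = parse_endpoint(fields[0])
    if source is None:
        raise ValueError('source IP:port is required')
    return ProxyConfig(source, parse_endpoint(fields[1]),
                       parse_endpoint(fields[2]), fields[3].strip() or None)

def handle_command(cfg: ProxyConfig, command: str, data: str = '') -> str:
    # Only the two commands whose effect the report spells out are modelled.
    if command == 'ustanavlivat':        # set the destination
        cfg.destination = parse_endpoint(data)
        return 'destination set'
    if command == 'pereslat':            # start relaying
        if cfg.destination is None:
            raise RuntimeError('pereslat before any destination is known')
        return f'relaying {cfg.source} to {cfg.destination}'
    raise ValueError(f'command not modelled: {command!r}')

# Plaintext command strings and the bytes the Snort rules match for them.
KNOWN_PAIRS: Dict[bytes, bytes] = {
    b'kliyent2podklyuchit': bytes.fromhex('d11423b3c7b2acfe700d1cd114b3d7f93823ac'),
    b'poluchit': bytes.fromhex('700d14d7f93823ac'),
    b'pereslat': bytes.fromhex('70c7bec7c914abac'),
}

def recover_substitution(pairs: Dict[bytes, bytes]) -> Dict[int, int]:
    # Maps plaintext byte to cipher byte and refuses inconsistent input, so
    # building the table also tests the fixed-substitution hypothesis.
    table: Dict[int, int] = {}
    for plain, enc in pairs.items():
        if len(plain) != len(enc):
            raise ValueError(f'{plain!r}: not one byte per character')
        for p, c in zip(plain, enc):
            if table.setdefault(p, c) != c:
                raise ValueError(f'conflicting mapping for {chr(p)!r}')
    if len(set(table.values())) != len(table):
        raise ValueError('mapping is not invertible')
    return table

def encode_known(table: Dict[int, int], plain: bytes) -> bytes:
    # Encodes only strings whose characters all occur in the recovered
    # table; an unseen character raises KeyError instead of guessing.
    return bytes(table[b] for b in plain)

def partial_decode(table: Dict[int, int], blob: bytes) -> str:
    # Decodes captured bytes, leaving ? where the table has no entry.
    inverse = {c: p for p, c in table.items()}
    return ''.join(chr(inverse[b]) if b in inverse else '?' for b in blob)

def scan_payload(payload: bytes, pairs: Dict[bytes, bytes]) -> List[Tuple[int, str]]:
    # Same check the Snort content rules make: find the encoded command
    # strings at any offset of a TCP payload.
    hits = []
    for plain, enc in pairs.items():
        start = payload.find(enc)
        while start != -1:
            hits.append((start, plain.decode()))
            start = payload.find(enc, start + 1)
    return sorted(hits)

# Constructed sample payload: filler around two encoded commands. The 4-byte
# length prefixes the report mentions are left out because their encoding
# and byte order are not given.
SAMPLE_PAYLOAD = (b'xx' + KNOWN_PAIRS[b'kliyent2podklyuchit']
                  + b'yy' + KNOWN_PAIRS[b'pereslat'])
```

recover_substitution(KNOWN_PAIRS) raises if the three rule patterns ever disagree, so the function that builds the decoder is also the test of the substitution hypothesis; scan_payload applies the patterns to a captured TCP payload the way the content matches in the Snort rules do, and partial_decode renders other captured bytes with ? wherever the 17-entry table has no value, which is the honest limit of what the report's bytes support.\r\n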
When\r\ncommunicating with the source proxy, the proxy will use libcurl with the options CURLOPT_HTTPPROXYTUNNEL and\r\nCURLOPT_NOBODY, i.e., libcurl opens the connection through the source proxy with an HTTP CONNECT tunnel, so the source proxy sees only the source IP and port and not the custom protocol carried inside.\r\nThe following is an example of an encrypted command line argument that is missing the destination IP:\r\n--Begin encrypted command line argument--\r\n\u003cencrypted_string\u003e| |\u003cencrypted_string\u003e|\u003cencrypted_string\u003e\r\n--End encrypted command line argument--\r\n--Begin decrypted command line argument--\r\n\u003cIP\u003e:\u003cport\u003e| |\u003cIP\u003e:\u003cport\u003e|\u003cpassword\u003e\r\n--End decrypted command line argument--\r\nThe encrypted strings inside the command line argument can be individually decrypted with the Python script provided in\r\nFigure 1.\r\nBelow is the flow of events that happen when the proxy starts and is issued the commands \"ustanavlivat\" and \"pereslat\". In\r\nthe following example, the command line argument does not contain a source proxy. The command line argument can\r\ncontain a source proxy IP, port, and password. If they exist, the proxy will route all traffic to the source IP through the source\r\nproxy. When communicating with the source proxy, the proxy uses the library libcurl with options\r\nCURLOPT_HTTPPROXYTUNNEL and CURLOPT_NOBODY. The data that is sent and received is encrypted using a\r\ncustom encryption routine.\r\nFirst, it connects to the source IP and sends the initialization message \"Nachalo\". It sends a custom hash of\r\n\"Dazdrav$958478Zohsf9q@%5555ahshdnZXniohs\". In return it receives two bytes of data. It sends the length (4 bytes) of\r\nstring \"kliyent2podklyuchit\" and then sends the string \"kliyent2podklyuchit\". It sends the length (4 bytes) of string\r\n\"Nachalo\" and then sends the string \"Nachalo\".\r\nNext, it receives C2 command \"ustanavlivat\" to set the destination IP address. 
It receives and decrypts the length of the\r\nstring \"ustanavlivat\" and then receives and decrypts the string \"ustanavlivat\".\r\nThen, it receives C2 command \"pereslat\" to start the proxy functionality. It receives and decrypts the length of the string\r\n\"pereslat\" and then receives and decrypts the string \"pereslat\".\r\nNext, it connects to the source IP and sends the start-proxy message \"ssylka\". It sends a custom hash of\r\n\"Dazdrav$958478Zohsf9q@%5555ahshdnZXniohs\". In response it receives data. Then it sends the length (4 bytes) of string\r\n\"kliyent2podklyuchit\" and then sends the string \"kliyent2podklyuchit\". Then it sends the length (4 bytes) of string \"ssylka\"\r\nand then sends the string \"ssylka\".\r\nFinally, it connects to the destination IP and starts relaying traffic between the source and destination IP.\r\nThe proxy uses a custom encryption routine to encode the data sent. The Python script provided in Figure 2 can decode the\r\ndata.\r\nScreenshots\r\nFigure 1 - The Python script to individually decrypt the encrypted strings inside the command line argument.\r\nFigure 2 - The Python script to decode the encoded data sent by the proxy custom encryption routine.\r\naca598e2c619424077ef8043cb4284729045d296ce95414c83ed70985c892c83\r\nTags\r\nHIDDEN-COBRAdropperproxyspywaretrojan\r\nDetails\r\nName aca598e2c619424077ef8043cb4284729045d296ce95414c83ed70985c892c83\r\nSize 232960 bytes\r\nType PE32 executable (GUI) Intel 80386, for MS Windows\r\nMD5 dfd09e91b7f86a984f8687ed6033af9d\r\nSHA1 b8fe7884d2dc4983fb0fbca192694ce2f4685e23\r\nSHA256 aca598e2c619424077ef8043cb4284729045d296ce95414c83ed70985c892c83\r\nSHA512 641dd95c101ae7566defb1a24279badb8c7aa94331442e0f470866b6a1e44c8790a71e83cc1cb188d7530c08bf0e5d227d35caa9a2cf7e54d\r\nssdeep 3072:XU5r72JE+FYWR0jZLShk4cPT/QzSaQ0sCFneZTznIhZJJcrJ1GHeV9:XU5uJpYnZL05STQNddFnAnGZIrV\r\nEntropy 
6.524225\r\nAntivirus\r\nAhnlab Trojan/Win32.Alreay\r\nAntiy Trojan[Banker]/Win32.Alreay\r\nClamAV Win.Trojan.Agent-6971031-0\r\nComodo TrojWare.Win32.TrojanDropper.Agent.PRQ\r\nCyren W32/Alreay.SQQX-6406\r\nESET a variant of Win32/Spy.Banker.ADRO trojan\r\nK7 Spyware ( 005198041 )\r\nMcAfee GenericRXFQ-MX!DFD09E91B7F8\r\nMicrosoft Security Essentials TrojanSpy:Win32/Banker!dha\r\nSymantec Trojan Horse\r\nTrendMicro TSPY_BA.C25E7684\r\nTrendMicro House Call TSPY_BA.C25E7684\r\nZillya! Trojan.Alreay.Win32.42\r\nYARA Rules\r\nrule CISA_3P_10301706_02 : HiddenCobra TWOPENCE backdoor dropper proxy spyware trojan\r\n{\r\n   meta:\r\n       Author = \"CISA Trusted Third Party\"\r\n       Incident = \"10301706.r2.v1\"\r\n       Date = \"2020-08-11\"\r\n       Actor = \"Hidden Cobra\"\r\n       Category = \"Backdoor Dropper Proxy Spyware Trojan\"\r\n       Family = \"TWOPENCE\"\r\n       Description = \"Detects strings in TWOPENCE proxy tool\"\r\n       MD5_1 = \"40e698f961eb796728a57ddf81f52b9a\"\r\n       SHA256_1 = \"a917c1cc198cf36c0f2f6c24652e5c2e94e28d963b128d54f00144d216b2d118\"\r\n       MD5_2 = \"dfd09e91b7f86a984f8687ed6033af9d\"\r\n       SHA256_2 = \"aca598e2c619424077ef8043cb4284729045d296ce95414c83ed70985c892c83\"\r\n       MD5_3 = \"bda82f0d9e2cb7996d2eefdd1e5b41c4\"\r\n       SHA256_3 = \"f3ca8f15ca582dd486bd78fd57c2f4d7b958163542561606bebd250c827022de\"\r\n       MD5_4 = \"97aaf130cfa251e5207ea74b2558293d\"\r\n       SHA256_4 = \"9a776b895e93926e2a758c09e341accb9333edc1243d216a5e53f47c6043c852\"\r\n       MD5_5 = \"889e320cf66520485e1a0475107d7419\"\r\n       SHA256_5 = \"8cad61422d032119219f465331308c5a61e21c9a3a431b88e1f8b25129b7e2a1\"\r\n   strings:\r\n       $cmd1 = \"ssylka\"\r\n       $cmd2 = \"ustanavlivat\"\r\n       $cmd3 = \"poluchit\"\r\n       $cmd4 = \"pereslat\"\r\n       $cmd5 = \"derzhat\"\r\n       $cmd6 = \"vykhodit\"\r\n       $cmd7 = \"Nachalo\"\r\n       $cmd8 = 
\"kliyent2podklyuchit\"\r\n       $frmt1 = \"Host: %s%s%s:%hu\"\r\n       $frmt2 = \"%s%s%s%s%s%s%s%s%s%s\"\r\n   condition:\r\n       (4 of ($cmd*)) and (1 of ($frmt*))\r\n}\r\nssdeep Matches\r\n99 9a776b895e93926e2a758c09e341accb9333edc1243d216a5e53f47c6043c852\r\nPE Metadata\r\nCompile Date 2016-09-18 23:24:39-04:00\r\nImport Hash 6b8fa355d78d649f199232a25e22d630\r\nPE Sections\r\nMD5 Name Raw Size Entropy\r\n41a5273e6d92dfe9de72f76c18f6475f header 1024 2.398805\r\ne6412e7fb561ead2b3eddef9bafd3518 .text 198656 6.554337\r\na9890fd54b24cf53425649a92fe290ad .rdata 18432 5.115959\r\n884e0d48d1830995eeade874d295ced0 .data 5632 3.201975\r\n0e79f25ba5ec9ae1502fe80ec7b08f79 .reloc 9216 5.674607\r\nPackers/Compilers/Cryptors\r\nDescription\r\nThis file is a 32-bit Windows executable. It has similar functionality as\r\na917c1cc198cf36c0f2f6c24652e5c2e94e28d963b128d54f00144d216b2d118.\r\nf3ca8f15ca582dd486bd78fd57c2f4d7b958163542561606bebd250c827022de\r\nTags\r\nHIDDEN-COBRAproxytrojan\r\nDetails\r\nName f3ca8f15ca582dd486bd78fd57c2f4d7b958163542561606bebd250c827022de\r\nSize 265216 bytes\r\nType PE32+ executable (GUI) x86-64, for MS Windows\r\nMD5 bda82f0d9e2cb7996d2eefdd1e5b41c4\r\nSHA1 9ff715209d99d2e74e64f9db894c114a8d13229a\r\nSHA256 f3ca8f15ca582dd486bd78fd57c2f4d7b958163542561606bebd250c827022de\r\nSHA512 6774cc49f5200d1a427b5a2af77d27eaac671f405e01f3ded2d152e5e08d1217d2b3b9d8508d2924aee5f0925abc32f83645756cf24822219\r\nssdeep 6144:+TW3SZ4GvcPPWi9JhJTxPm26ebMk5Q35m8LERov:invQThJsexib\r\nEntropy 6.304640\r\nAntivirus\r\nAhnlab Trojan/Win32.Alreay\r\nAntiy Trojan[Banker]/Win32.Alreay\r\nAvira TR/AD.APTLazerus.dsenf\r\nBitDefender Gen:Variant.Razy.368693\r\nClamAV Win.Trojan.Agent-6971031-0\r\nComodo Malware\r\nCyren W64/Alreay.C\r\nESET a variant of Win64/NukeSped.BB trojan\r\nEmsisoft Gen:Variant.Razy.368693 (B)\r\nIkarus Trojan.Win64.Nukesped\r\nK7 Trojan ( 00538e2b1 )\r\nLavasoft 
Gen:Variant.Razy.368693\r\nMcAfee PWS-Banker.gen.gj\r\nSymantec Trojan.Gen.6\r\nSystweak trojan.banker\r\nTrendMicro BKDR64_.8979788A\r\nTrendMicro House Call BKDR64_.8979788A\r\nVirusBlokAda TrojanBanker.Alreay\r\nZillya! Trojan.GenericKD.Win32.133035\r\nYARA Rules\r\nrule CISA_3P_10301706_02 : HiddenCobra TWOPENCE backdoor dropper proxy spyware trojan\r\n{\r\n   meta:\r\n       Author = \"CISA Trusted Third Party\"\r\n       Incident = \"10301706.r2.v1\"\r\n       Date = \"2020-08-11\"\r\n       Actor = \"Hidden Cobra\"\r\n       Category = \"Backdoor Dropper Proxy Spyware Trojan\"\r\n       Family = \"TWOPENCE\"\r\n       Description = \"Detects strings in TWOPENCE proxy tool\"\r\n       MD5_1 = \"40e698f961eb796728a57ddf81f52b9a\"\r\n       SHA256_1 = \"a917c1cc198cf36c0f2f6c24652e5c2e94e28d963b128d54f00144d216b2d118\"\r\n       MD5_2 = \"dfd09e91b7f86a984f8687ed6033af9d\"\r\n       SHA256_2 = \"aca598e2c619424077ef8043cb4284729045d296ce95414c83ed70985c892c83\"\r\n       MD5_3 = \"bda82f0d9e2cb7996d2eefdd1e5b41c4\"\r\n       SHA256_3 = \"f3ca8f15ca582dd486bd78fd57c2f4d7b958163542561606bebd250c827022de\"\r\n       MD5_4 = \"97aaf130cfa251e5207ea74b2558293d\"\r\n       SHA256_4 = \"9a776b895e93926e2a758c09e341accb9333edc1243d216a5e53f47c6043c852\"\r\n       MD5_5 = \"889e320cf66520485e1a0475107d7419\"\r\n       SHA256_5 = \"8cad61422d032119219f465331308c5a61e21c9a3a431b88e1f8b25129b7e2a1\"\r\n   strings:\r\n       $cmd1 = \"ssylka\"\r\n       $cmd2 = \"ustanavlivat\"\r\n       $cmd3 = \"poluchit\"\r\n       $cmd4 = \"pereslat\"\r\n       $cmd5 = \"derzhat\"\r\n       $cmd6 = \"vykhodit\"\r\n       $cmd7 = \"Nachalo\"\r\n       $cmd8 = \"kliyent2podklyuchit\"\r\n       $frmt1 = \"Host: %s%s%s:%hu\"\r\n       $frmt2 = \"%s%s%s%s%s%s%s%s%s%s\"\r\n   condition:\r\n       (4 of ($cmd*)) and (1 of ($frmt*))\r\n}\r\nssdeep Matches\r\nNo matches found.\r\nPE Metadata\r\nCompile Date 2016-05-01 
23:24:39-04:00\r\nImport Hash b2b084698f33fd93bc9e72f0c2af26b5\r\nPE Sections\r\nMD5 Name Raw Size Entropy\r\n379ffb6e4aeb96c753dbe1f16dae01db header 1024 2.516799\r\n33c1647f8f3a870e4c8f9b48b5ec2c82 .text 212480 6.373885\r\n5bb6bf3a50e4982066d5746d99945853 .rdata 31232 5.302106\r\na62c434f5beb6282b437c5e0dc40c616 .data 7168 2.877953\r\n6ba7963edd09a132976d6830462fc17f .pdata 11776 5.348074\r\n06ce263d0dc81197b88ff3f576787648 .reloc 1536 2.915027\r\nPackers/Compilers/Cryptors\r\nMicrosoft Visual C++ 8.0 (DLL)\r\nDescription\r\nThis file is a 64-bit Windows executable. It has similar functionality as\r\na917c1cc198cf36c0f2f6c24652e5c2e94e28d963b128d54f00144d216b2d118.\r\n9a776b895e93926e2a758c09e341accb9333edc1243d216a5e53f47c6043c852\r\nTags\r\nHIDDEN-COBRAproxyspywaretrojan\r\nDetails\r\nName 9a776b895e93926e2a758c09e341accb9333edc1243d216a5e53f47c6043c852\r\nSize 232960 bytes\r\nType PE32 executable (GUI) Intel 80386, for MS Windows\r\nMD5 97aaf130cfa251e5207ea74b2558293d\r\nSHA1 c7e7dd96fefca77bb1097aeeefef126d597126bd\r\nSHA256 9a776b895e93926e2a758c09e341accb9333edc1243d216a5e53f47c6043c852\r\nSHA512 d8b750263ac8b295a934ef60a694108257c489055c6aee24bae000d70d0bdde70934e8c2a157d38c15469bc5fb2a6cfcb733ddd4729ba052\r\nssdeep 3072:6U5r72JE+FYWR0jZLShk4cPT/QzSaQ0sCFneZTznIhZJJcrJ1GHeV9:6U5uJpYnZL05STQNddFnAnGZIrV\r\nEntropy 6.524151\r\nAntivirus\r\nAhnlab Trojan/Win32.Alreay\r\nAntiy Trojan[Banker]/Win32.Alreay\r\nBitDefender Trojan.Generic.22528938\r\nClamAV Win.Trojan.Agent-6971031-0\r\nComodo Malware\r\nCyren W32/Alreay.SQQX-6406\r\nESET a variant of Win32/Spy.Banker.ADRO trojan\r\nEmsisoft Trojan.Generic.22528938 (B)\r\nIkarus Trojan-Spy.Agent\r\nK7 Spyware ( 005198041 )\r\nLavasoft Trojan.Generic.22528938\r\nMcAfee GenericRXFQ-MX!97AAF130CFA2\r\nMicrosoft Security Essentials Trojan:Win32/Alreay\r\nNANOAV Trojan.Win32.Alreay.ettzed\r\nNetGate Trojan.Win32.Malware\r\nSophos 
Troj/Banker-GUU\r\nSymantec Trojan.Gen.2\r\nTrendMicro Trojan.79245AFC\r\nTrendMicro House Call Trojan.79245AFC\r\nVirusBlokAda TrojanBanker.Alreay\r\nZillya! Trojan.Alreay.Win32.42\r\nYARA Rules\r\nrule CISA_3P_10301706_02 : HiddenCobra TWOPENCE backdoor dropper proxy spyware trojan\r\n{\r\n   meta:\r\n       Author = \"CISA Trusted Third Party\"\r\n       Incident = \"10301706.r2.v1\"\r\n       Date = \"2020-08-11\"\r\n       Actor = \"Hidden Cobra\"\r\n       Category = \"Backdoor Dropper Proxy Spyware Trojan\"\r\n       Family = \"TWOPENCE\"\r\n       Description = \"Detects strings in TWOPENCE proxy tool\"\r\n       MD5_1 = \"40e698f961eb796728a57ddf81f52b9a\"\r\n       SHA256_1 = \"a917c1cc198cf36c0f2f6c24652e5c2e94e28d963b128d54f00144d216b2d118\"\r\n       MD5_2 = \"dfd09e91b7f86a984f8687ed6033af9d\"\r\n       SHA256_2 = \"aca598e2c619424077ef8043cb4284729045d296ce95414c83ed70985c892c83\"\r\n       MD5_3 = \"bda82f0d9e2cb7996d2eefdd1e5b41c4\"\r\n       SHA256_3 = \"f3ca8f15ca582dd486bd78fd57c2f4d7b958163542561606bebd250c827022de\"\r\n       MD5_4 = \"97aaf130cfa251e5207ea74b2558293d\"\r\n       SHA256_4 = \"9a776b895e93926e2a758c09e341accb9333edc1243d216a5e53f47c6043c852\"\r\n       MD5_5 = \"889e320cf66520485e1a0475107d7419\"\r\n       SHA256_5 = \"8cad61422d032119219f465331308c5a61e21c9a3a431b88e1f8b25129b7e2a1\"\r\n   strings:\r\n       $cmd1 = \"ssylka\"\r\n       $cmd2 = \"ustanavlivat\"\r\n       $cmd3 = \"poluchit\"\r\n       $cmd4 = \"pereslat\"\r\n       $cmd5 = \"derzhat\"\r\n       $cmd6 = \"vykhodit\"\r\n       $cmd7 = \"Nachalo\"\r\n       $cmd8 = \"kliyent2podklyuchit\"\r\n       $frmt1 = \"Host: %s%s%s:%hu\"\r\n       $frmt2 = \"%s%s%s%s%s%s%s%s%s%s\"\r\n   condition:\r\n       (4 of ($cmd*)) and (1 of ($frmt*))\r\n}\r\nssdeep Matches\r\n99 aca598e2c619424077ef8043cb4284729045d296ce95414c83ed70985c892c83\r\nPE Metadata\r\nCompile Date 2017-02-20 06:09:30-05:00\r\nImport Hash 
6b8fa355d78d649f199232a25e22d630\r\nPE Sections\r\nMD5 Name Raw Size Entropy\r\nbb573973d723ebac15a2dd783a56921f header 1024 2.372576\r\ne6412e7fb561ead2b3eddef9bafd3518 .text 198656 6.554337\r\na9890fd54b24cf53425649a92fe290ad .rdata 18432 5.115959\r\n884e0d48d1830995eeade874d295ced0 .data 5632 3.201975\r\n0e79f25ba5ec9ae1502fe80ec7b08f79 .reloc 9216 5.674607\r\nPackers/Compilers/Cryptors\r\nDescription\r\nThis file is a 32-bit Windows executable. It has similar functionality as\r\na917c1cc198cf36c0f2f6c24652e5c2e94e28d963b128d54f00144d216b2d118.\r\n70b494b0a8fdf054926829dcb3235fc7bd0346b6a19faf2a57891c71043b3b38\r\nTags\r\nHIDDEN-COBRAbackdoorproxytrojan\r\nDetails\r\nName 70b494b0a8fdf054926829dcb3235fc7bd0346b6a19faf2a57891c71043b3b38\r\nSize 1637888 bytes\r\nType PE32 executable (GUI) Intel 80386, for MS Windows\r\nMD5 3c9e71400b72cc0213c9c3e4ab4df9df\r\nSHA1 bdb632b27ddb200693c1b0b80819a7463d4e7a98\r\nSHA256 70b494b0a8fdf054926829dcb3235fc7bd0346b6a19faf2a57891c71043b3b38\r\nSHA512 c7a02fadb9fbbe0cf05dddd6a78cbf48b9030638420b421b4ff83816ae1cabbe54656b4e1c8e4020cacab93388934b6c79d3d21fe560ed4c71\r\nssdeep 24576:5gDgaE2r55ENJSOZ8jsAMZMF2kPupVevS6ieT17cZ/hJMIYO0:+D9vrrs8OZxZI+wvTTahqO\r\nEntropy 7.956784\r\nAntivirus\r\nAhnlab Trojan/Win32.Agent\r\nAntiy Trojan/Win32.AGeneric\r\nAvira TR/Crypt.TPM.Gen\r\nBitDefender Gen:Vari#ant.Symmi.79278\r\nComodo Malware\r\nESET Win32/Spy.Banker.AECT trojan\r\nEmsisoft Gen:Variant.Symmi.79278 (B)\r\nK7 Trojan ( 0040f4ef1 )\r\nLavasoft Gen:Variant.Symmi.79278\r\nMcAfee Generic Trojan.ej\r\nMicrosoft Security Essentials TrojanSpy:Win32/Banker\r\nNANOAV Trojan.Win32.TPM.etiucd\r\nQuick Heal Trojan.Generic\r\nSophos Troj/Agent-AXNK\r\nSymantec Trojan.Gen.2\r\nTrendMicro BKDR_KL.22A80489\r\nTrendMicro House Call BKDR_KL.22A80489\r\nVirusBlokAda Backdoor.Agent\r\nZillya! 
Backdoor.Agent.Win32.64626\r\nYARA Rules\r\nNo matches found.\r\nssdeep Matches\r\nNo matches found.\r\nPE Metadata\r\nCompile Date 2017-02-20 06:09:30-05:00\r\nImport Hash baa93d47220682c04d92f7797d9224ce\r\nPE Sections\r\nMD5 Name Raw Size Entropy\r\na32e7b28831808e208355ae637e006f0 header 4096 0.814733\r\nca42a315c5287101ffdf2d7843b74d34   119296 7.972251\r\nd41d8cd98f00b204e9800998ecf8427e .rsrc 0 0.000000\r\n9e66a842d63673e7febfc6646ea43c43 .idata 512 1.308723\r\n5668c4714f706c7f669afb1e7f9c6ba7   512 0.260771\r\nde90eb0d146d89f2c2dd76ecf17ea09e dworqjxn 1512960 7.955321\r\n4857cc05e1ea968cfc978d53f2f34126 omrcmqfn 512 3.378388\r\nDescription\r\nThis file is a 32-bit Windows executable. Its section table (unnamed and randomly named sections with entropy above 7.9, overall file entropy 7.956784) is consistent with a packed binary, which would explain why the string-based YARA rule above does not match it. It has similar functionality as\r\na917c1cc198cf36c0f2f6c24652e5c2e94e28d963b128d54f00144d216b2d118.\r\n8cad61422d032119219f465331308c5a61e21c9a3a431b88e1f8b25129b7e2a1\r\nTags\r\nHIDDEN-COBRAproxyspywaretrojan\r\nDetails\r\nName 8cad61422d032119219f465331308c5a61e21c9a3a431b88e1f8b25129b7e2a1\r\nSize 480768 bytes\r\nType PE32+ executable (DLL) (GUI) x86-64, for MS Windows\r\nMD5 889e320cf66520485e1a0475107d7419\r\nSHA1 f5fc9d893ae99f97e43adcef49801782daced2d7\r\nSHA256 8cad61422d032119219f465331308c5a61e21c9a3a431b88e1f8b25129b7e2a1\r\nSHA512 8da0ab0b3072b3966c5e32c22e7ac5654ff3923b3cf28cc895ae10d520a27bb70360e4d94e54422033aa7c7527d10774ab6d8b8569bab8b6\r\nssdeep 6144:sdqAqUok+00rm9TOi9Vc7/VtXvWLnJlh+efvoRKmjbL/xY4fTKKWSFle3IDgDi2C:xABogwttXuLnJlkkiKU/xtKYydF9iIU\r\nEntropy 6.465490\r\nAntivirus\r\nAhnlab Trojan/Win32.Alreay\r\nAntiy Trojan/Win32.BTSGeneric\r\nAvira TR/Spy.Banker.xbkax\r\nBitDefender Trojan.Generic.20466258\r\nClamAV Win.Trojan.Agent-6971031-0\r\nComodo Malware\r\nESET a variant of Win64/Spy.Banker.AX trojan\r\nEmsisoft Trojan.Generic.20466258 (B)\r\nIkarus Trojan-Spy.Win64.Agent\r\nK7 Spyware ( 00504e561 )\r\nLavasoft Trojan.Generic.20466258\r\nMcAfee 
Trojan-FLEP!889E320CF665\r\nMicrosoft Security Essentials TrojanSpy:Win64/Cyruslish.A\r\nNANOAV Trojan.Win64.Alreay.elwnmb\r\nSophos Troj/Banker-GSY\r\nSymantec Trojan.Gen.2\r\nTrendMicro BKDR64_.D1FB2862\r\nTrendMicro House Call BKDR64_.D1FB2862\r\nVirusBlokAda TrojanBanker.Alreay\r\nZillya! Trojan.Banker.Win64.148\r\nYARA Rules\r\nrule CISA_3P_10301706_02 : HiddenCobra TWOPENCE backdoor dropper proxy spyware trojan\r\n{\r\n   meta:\r\n       Author = \"CISA Trusted Third Party\"\r\n       Incident = \"10301706.r2.v1\"\r\n       Date = \"2020-08-11\"\r\n       Actor = \"Hidden Cobra\"\r\n       Category = \"Backdoor Dropper Proxy Spyware Trojan\"\r\n       Family = \"TWOPENCE\"\r\n       Description = \"Detects strings in TWOPENCE proxy tool\"\r\n       MD5_1 = \"40e698f961eb796728a57ddf81f52b9a\"\r\n       SHA256_1 = \"a917c1cc198cf36c0f2f6c24652e5c2e94e28d963b128d54f00144d216b2d118\"\r\n       MD5_2 = \"dfd09e91b7f86a984f8687ed6033af9d\"\r\n       SHA256_2 = \"aca598e2c619424077ef8043cb4284729045d296ce95414c83ed70985c892c83\"\r\n       MD5_3 = \"bda82f0d9e2cb7996d2eefdd1e5b41c4\"\r\n       SHA256_3 = \"f3ca8f15ca582dd486bd78fd57c2f4d7b958163542561606bebd250c827022de\"\r\n       MD5_4 = \"97aaf130cfa251e5207ea74b2558293d\"\r\n       SHA256_4 = \"9a776b895e93926e2a758c09e341accb9333edc1243d216a5e53f47c6043c852\"\r\n       MD5_5 = \"889e320cf66520485e1a0475107d7419\"\r\n       SHA256_5 = \"8cad61422d032119219f465331308c5a61e21c9a3a431b88e1f8b25129b7e2a1\"\r\n   strings:\r\n       $cmd1 = \"ssylka\"\r\n       $cmd2 = \"ustanavlivat\"\r\n       $cmd3 = \"poluchit\"\r\n       $cmd4 = \"pereslat\"\r\n       $cmd5 = \"derzhat\"\r\n       $cmd6 = \"vykhodit\"\r\n       $cmd7 = \"Nachalo\"\r\n       $cmd8 = \"kliyent2podklyuchit\"\r\n       $frmt1 = \"Host: %s%s%s:%hu\"\r\n       $frmt2 = \"%s%s%s%s%s%s%s%s%s%s\"\r\n   condition:\r\n       (4 of ($cmd*)) and (1 of ($frmt*))\r\n}\r\nssdeep 
Matches\r\nNo matches found.\r\nPE Metadata\r\nCompile Date 2016-08-26 00:11:49-04:00\r\nImport Hash 1cd9192feb9402723bdada868b8c98de\r\nPE Sections\r\nMD5 Name Raw Size Entropy\r\n2fb3e4c0734998f9629ba86c4e7c6e99 header 1024 2.603055\r\n9319545c7ac53b81b3d56a722dad8ef1 .text 364032 6.423307\r\ne406c9d4f3bdbdbab8191bb701e4ff57 .rdata 81920 6.056842\r\n6198d24ba115f17c5597e2773cb51a75 .data 8704 3.090138\r\nf7b6096db3b9ad55c3bad4c47de6d5b4 .pdata 22016 5.758547\r\nddf5f86578d6de91c211211bdd72f63f .reloc 3072 3.181451\r\nDescription\r\nThis file is a 64-bit Windows DLL (PE32+, x86-64, as the Details above show). It has similar functionality as\r\na917c1cc198cf36c0f2f6c24652e5c2e94e28d963b128d54f00144d216b2d118.\r\nMitigation\r\nThe following Snort rules were provided by a CISA trusted third party. Note that the comment lines use // and that every rule carries sid:1; before loading them, change the comment marker to # and give each rule a unique sid (local rules conventionally use sids of 1000000 and above), since Snort identifies rules by sid and will not load four different rules under the same one.\r\n// The following Snort rule can be used to detect proxy handshake\r\nalert tcp any any -\u003e any any (msg:\"Proxy handshake detected\"; content:\"|a7 00 a7 00 fb 00 b0 00 8e 00 c5 00 b0 00 48 00 17 00 c5 00 8b 00 6a 00 8e 00 ec 00 f3 00 fe 00 d9 00 f3 00 a7 00 6a 00 ec 00 a7 00 b0 00 17 00 fc 00 48 00 48 00 09 00 09 00 09 00 48 00 8e 00 ce|\"; rev:1; sid:1;)\r\n// The following Snort rule can be used to detect encrypted proxy string kliyent2podklyuchit\r\nalert tcp any any -\u003e any any (msg:\"Proxy string detected\"; content:\"|d1 14 23 b3 c7 b2 ac fe 70 0d 1c d1 14 b3 d7 f9 38 23 ac|\"; rev:1; sid:1;)\r\n// The following Snort rule can be used to detect encrypted proxy string poluchit\r\nalert tcp any any -\u003e any any (msg:\"Proxy string detected\"; content:\"|70 0d 14 d7 f9 38 23 ac|\"; rev:1; sid:1;)\r\n// The following Snort rule can be used to detect encrypted proxy string pereslat\r\nalert tcp any any -\u003e any any (msg:\"Proxy string detected\"; content:\"|70 c7 be c7 c9 14 ab ac|\"; rev:1; sid:1;)\r\nRecommendations\r\nCISA recommends that users and administrators consider using the following best 
practices to strengthen the security\r\nposture of their organization's systems. Any configuration changes should be reviewed by system owners and administrators\r\nprior to implementation to avoid unwanted impacts.\r\nMaintain up-to-date antivirus signatures and engines.\r\nKeep operating system patches up-to-date.\r\nDisable File and Printer sharing services. If these services are required, use strong passwords or Active Directory\r\nauthentication.\r\nRestrict users' ability (permissions) to install and run unwanted software applications. Do not add users to the local\r\nadministrators group unless required.\r\nEnforce a strong password policy and implement regular password changes.\r\nExercise caution when opening e-mail attachments even if the attachment is expected and the sender appears to be\r\nknown.\r\nEnable a personal firewall on agency workstations, configured to deny unsolicited connection requests.\r\nDisable unnecessary services on agency workstations and servers.\r\nScan for and remove suspicious e-mail attachments; ensure the scanned attachment is its \"true file type\" (i.e., the\r\nextension matches the file header).\r\nMonitor users' web browsing habits; restrict access to sites with unfavorable content.\r\nExercise caution when using removable media (e.g., USB thumb drives, external drives, CDs, etc.).\r\nScan all software downloaded from the Internet prior to executing.\r\nMaintain situational awareness of the latest threats and implement appropriate Access Control Lists (ACLs).\r\nAdditional information on malware incident prevention and handling can be found in National Institute of Standards and\r\nTechnology (NIST) Special Publication 800-83, \"Guide to Malware Incident Prevention \u0026 Handling for Desktops and\r\nLaptops\".\r\nContact Information\r\nDocument FAQ\r\nWhat is a MIFR? A Malware Initial Findings Report (MIFR) is intended to provide organizations with malware analysis in\r\na timely manner. 
In most instances this report will provide initial indicators for computer and network defense. To request\r\nadditional analysis, please contact CISA and provide information regarding the level of desired analysis.\r\nWhat is a MAR? A Malware Analysis Report (MAR) is intended to provide organizations with more detailed malware\r\nanalysis acquired via manual reverse engineering. To request additional analysis, please contact CISA and provide\r\ninformation regarding the level of desired analysis.\r\nCan I edit this document? This document is not to be edited in any way by recipients. All comments or questions related to\r\nthis document should be directed to the CISA at 1-844-Say-CISA or CISA Central.\r\nCan I submit malware to CISA? Malware samples can be submitted via three methods:\r\nWeb: https://malware.us-cert.gov\r\nE-Mail: submit@malware.us-cert.gov\r\nFTP: ftp.malware.us-cert.gov (anonymous)\r\nCISA encourages you to report any suspicious activity, including cybersecurity incidents, possible malicious code, software\r\nvulnerabilities, and phishing-related scams. Reporting forms can be found on CISA's homepage at www.cisa.gov.\r\nRevisions\r\nAugust 26, 2020: Initial Version\r\nSource: https://us-cert.cisa.gov/ncas/analysis-reports/ar20-239b",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia",
		"ETDA"
	],
	"references": [
		"https://us-cert.cisa.gov/ncas/analysis-reports/ar20-239b"
	],
	"report_names": [
		"ar20-239b"
	],
	"threat_actors": [
		{
			"id": "34eea331-d052-4096-ae03-a22f1d090bd4",
			"created_at": "2025-08-07T02:03:25.073494Z",
			"updated_at": "2026-04-10T02:00:03.709243Z",
			"deleted_at": null,
			"main_name": "NICKEL ACADEMY",
			"aliases": [
				"ATK3 ",
				"Black Artemis ",
				"COVELLITE ",
				"CTG-2460 ",
				"Citrine Sleet ",
				"Diamond Sleet ",
				"Guardians of Peace",
				"HIDDEN COBRA ",
				"High Anonymous",
				"Labyrinth Chollima ",
				"Lazarus Group ",
				"NNPT Group",
				"New Romanic Cyber Army Team",
				"Temp.Hermit ",
				"UNC577 ",
				"Who Am I?",
				"Whois Team",
				"ZINC "
			],
			"source_name": "Secureworks:NICKEL ACADEMY",
			"tools": [
				"Destover",
				"KorHigh",
				"Volgmer"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "732597b1-40a8-474c-88cc-eb8a421c29f1",
			"created_at": "2025-08-07T02:03:25.087732Z",
			"updated_at": "2026-04-10T02:00:03.776007Z",
			"deleted_at": null,
			"main_name": "NICKEL GLADSTONE",
			"aliases": [
				"APT38 ",
				"ATK 117 ",
				"Alluring Pisces ",
				"Black Alicanto ",
				"Bluenoroff ",
				"CTG-6459 ",
				"Citrine Sleet ",
				"HIDDEN COBRA ",
				"Lazarus Group",
				"Sapphire Sleet ",
				"Selective Pisces ",
				"Stardust Chollima ",
				"T-APT-15 ",
				"TA444 ",
				"TAG-71 "
			],
			"source_name": "Secureworks:NICKEL GLADSTONE",
			"tools": [
				"AlphaNC",
				"Bankshot",
				"CCGC_Proxy",
				"Ratankba",
				"RustBucket",
				"SUGARLOADER",
				"SwiftLoader",
				"Wcry"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "a2b92056-9378-4749-926b-7e10c4500dac",
			"created_at": "2023-01-06T13:46:38.430595Z",
			"updated_at": "2026-04-10T02:00:02.971571Z",
			"deleted_at": null,
			"main_name": "Lazarus Group",
			"aliases": [
				"Operation DarkSeoul",
				"Bureau 121",
				"Group 77",
				"APT38",
				"NICKEL GLADSTONE",
				"G0082",
				"COPERNICIUM",
				"Moonstone Sleet",
				"Operation GhostSecret",
				"APT 38",
				"Appleworm",
				"Unit 121",
				"ATK3",
				"G0032",
				"ATK117",
				"NewRomanic Cyber Army Team",
				"Nickel Academy",
				"Sapphire Sleet",
				"Lazarus group",
				"Hastati Group",
				"Subgroup: Bluenoroff",
				"Operation Troy",
				"Black Artemis",
				"Dark Seoul",
				"Andariel",
				"Labyrinth Chollima",
				"Operation AppleJeus",
				"COVELLITE",
				"Citrine Sleet",
				"DEV-0139",
				"DEV-1222",
				"Hidden Cobra",
				"Bluenoroff",
				"Stardust Chollima",
				"Whois Hacking Team",
				"Diamond Sleet",
				"TA404",
				"BeagleBoyz",
				"APT-C-26"
			],
			"source_name": "MISPGALAXY:Lazarus Group",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "32a223a8-3c79-4146-87c5-8557d38662ae",
			"created_at": "2022-10-25T15:50:23.703698Z",
			"updated_at": "2026-04-10T02:00:05.261989Z",
			"deleted_at": null,
			"main_name": "Lazarus Group",
			"aliases": [
				"Lazarus Group",
				"Labyrinth Chollima",
				"HIDDEN COBRA",
				"Guardians of Peace",
				"NICKEL ACADEMY",
				"Diamond Sleet"
			],
			"source_name": "MITRE:Lazarus Group",
			"tools": [
				"RawDisk",
				"Proxysvc",
				"BADCALL",
				"FALLCHILL",
				"WannaCry",
				"MagicRAT",
				"HOPLIGHT",
				"TYPEFRAME",
				"Dtrack",
				"HotCroissant",
				"HARDRAIN",
				"Dacls",
				"KEYMARBLE",
				"TAINTEDSCRIBE",
				"AuditCred",
				"netsh",
				"ECCENTRICBANDWAGON",
				"AppleJeus",
				"BLINDINGCAN",
				"ThreatNeedle",
				"Volgmer",
				"Cryptoistic",
				"RATANKBA",
				"Bankshot"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "f32df445-9fb4-4234-99e0-3561f6498e4e",
			"created_at": "2022-10-25T16:07:23.756373Z",
			"updated_at": "2026-04-10T02:00:04.739611Z",
			"deleted_at": null,
			"main_name": "Lazarus Group",
			"aliases": [
				"APT-C-26",
				"ATK 3",
				"Appleworm",
				"Citrine Sleet",
				"DEV-0139",
				"Diamond Sleet",
				"G0032",
				"Gleaming Pisces",
				"Gods Apostles",
				"Gods Disciples",
				"Group 77",
				"Guardians of Peace",
				"Hastati Group",
				"Hidden Cobra",
				"ITG03",
				"Jade Sleet",
				"Labyrinth Chollima",
				"Lazarus Group",
				"NewRomanic Cyber Army Team",
				"Operation 99",
				"Operation AppleJeus",
				"Operation AppleJeus sequel",
				"Operation Blockbuster: Breach of Sony Pictures Entertainment",
				"Operation CryptoCore",
				"Operation Dream Job",
				"Operation Dream Magic",
				"Operation Flame",
				"Operation GhostSecret",
				"Operation In(ter)caption",
				"Operation LolZarus",
				"Operation Marstech Mayhem",
				"Operation No Pineapple!",
				"Operation North Star",
				"Operation Phantom Circuit",
				"Operation Sharpshooter",
				"Operation SyncHole",
				"Operation Ten Days of Rain / DarkSeoul",
				"Operation Troy",
				"SectorA01",
				"Slow Pisces",
				"TA404",
				"TraderTraitor",
				"UNC2970",
				"UNC4034",
				"UNC4736",
				"UNC4899",
				"UNC577",
				"Whois Hacking Team"
			],
			"source_name": "ETDA:Lazarus Group",
			"tools": [
				"3CX Backdoor",
				"3Rat Client",
				"3proxy",
				"AIRDRY",
				"ARTFULPIE",
				"ATMDtrack",
				"AlphaNC",
				"Alreay",
				"Andaratm",
				"AngryRebel",
				"AppleJeus",
				"Aryan",
				"AuditCred",
				"BADCALL",
				"BISTROMATH",
				"BLINDINGCAN",
				"BTC Changer",
				"BUFFETLINE",
				"BanSwift",
				"Bankshot",
				"Bitrep",
				"Bitsran",
				"BlindToad",
				"Bookcode",
				"BootWreck",
				"BottomLoader",
				"Brambul",
				"BravoNC",
				"Breut",
				"COLDCAT",
				"COPPERHEDGE",
				"CROWDEDFLOUNDER",
				"Castov",
				"CheeseTray",
				"CleanToad",
				"ClientTraficForwarder",
				"CollectionRAT",
				"Concealment Troy",
				"Contopee",
				"CookieTime",
				"Cyruslish",
				"DAVESHELL",
				"DBLL Dropper",
				"DLRAT",
				"DRATzarus",
				"DRATzarus RAT",
				"Dacls",
				"Dacls RAT",
				"DarkComet",
				"DarkKomet",
				"DeltaCharlie",
				"DeltaNC",
				"Dembr",
				"Destover",
				"DoublePulsar",
				"Dozer",
				"Dtrack",
				"Duuzer",
				"DyePack",
				"ECCENTRICBANDWAGON",
				"ELECTRICFISH",
				"Escad",
				"EternalBlue",
				"FALLCHILL",
				"FYNLOS",
				"FallChill RAT",
				"Farfli",
				"Fimlis",
				"FoggyBrass",
				"FudModule",
				"Fynloski",
				"Gh0st RAT",
				"Ghost RAT",
				"Gopuram",
				"HARDRAIN",
				"HIDDEN COBRA RAT/Worm",
				"HLOADER",
				"HOOKSHOT",
				"HOPLIGHT",
				"HOTCROISSANT",
				"HOTWAX",
				"HTTP Troy",
				"Hawup",
				"Hawup RAT",
				"Hermes",
				"HotCroissant",
				"HotelAlfa",
				"Hotwax",
				"HtDnDownLoader",
				"Http Dr0pper",
				"ICONICSTEALER",
				"Joanap",
				"Jokra",
				"KANDYKORN",
				"KEYMARBLE",
				"Kaos",
				"KillDisk",
				"KillMBR",
				"Koredos",
				"Krademok",
				"LIGHTSHIFT",
				"LIGHTSHOW",
				"LOLBAS",
				"LOLBins",
				"Lazarus",
				"LightlessCan",
				"Living off the Land",
				"MATA",
				"MBRkiller",
				"MagicRAT",
				"Manuscrypt",
				"Mimail",
				"Mimikatz",
				"Moudour",
				"Mydoom",
				"Mydoor",
				"Mytob",
				"NACHOCHEESE",
				"NachoCheese",
				"NestEgg",
				"NickelLoader",
				"NineRAT",
				"Novarg",
				"NukeSped",
				"OpBlockBuster",
				"PCRat",
				"PEBBLEDASH",
				"PLANKWALK",
				"POOLRAT",
				"PSLogger",
				"PhanDoor",
				"Plink",
				"PondRAT",
				"PowerBrace",
				"PowerRatankba",
				"PowerShell RAT",
				"PowerSpritz",
				"PowerTask",
				"Preft",
				"ProcDump",
				"Proxysvc",
				"PuTTY Link",
				"QUICKRIDE",
				"QUICKRIDE.POWER",
				"Quickcafe",
				"QuiteRAT",
				"R-C1",
				"ROptimizer",
				"Ratabanka",
				"RatabankaPOS",
				"Ratankba",
				"RatankbaPOS",
				"RawDisk",
				"RedShawl",
				"Rifdoor",
				"Rising Sun",
				"Romeo-CoreOne",
				"RomeoAlfa",
				"RomeoBravo",
				"RomeoCharlie",
				"RomeoCore",
				"RomeoDelta",
				"RomeoEcho",
				"RomeoFoxtrot",
				"RomeoGolf",
				"RomeoHotel",
				"RomeoMike",
				"RomeoNovember",
				"RomeoWhiskey",
				"Romeos",
				"RustBucket",
				"SHADYCAT",
				"SHARPKNOT",
				"SIGFLIP",
				"SIMPLESEA",
				"SLICKSHOES",
				"SORRYBRUTE",
				"SUDDENICON",
				"SUGARLOADER",
				"SheepRAT",
				"SierraAlfa",
				"SierraBravo",
				"SierraCharlie",
				"SierraJuliett-MikeOne",
				"SierraJuliett-MikeTwo",
				"SimpleTea",
				"SimplexTea",
				"SmallTiger",
				"Stunnel",
				"TAINTEDSCRIBE",
				"TAXHAUL",
				"TFlower",
				"TOUCHKEY",
				"TOUCHMOVE",
				"TOUCHSHIFT",
				"TOUCHSHOT",
				"TWOPENCE",
				"TYPEFRAME",
				"Tdrop",
				"Tdrop2",
				"ThreatNeedle",
				"Tiger RAT",
				"TigerRAT",
				"Trojan Manuscript",
				"Troy",
				"TroyRAT",
				"VEILEDSIGNAL",
				"VHD",
				"VHD Ransomware",
				"VIVACIOUSGIFT",
				"VSingle",
				"ValeforBeta",
				"Volgmer",
				"Vyveva",
				"W1_RAT",
				"Wana Decrypt0r",
				"WanaCry",
				"WanaCrypt",
				"WanaCrypt0r",
				"WannaCry",
				"WannaCrypt",
				"WannaCryptor",
				"WbBot",
				"Wcry",
				"Win32/KillDisk.NBB",
				"Win32/KillDisk.NBC",
				"Win32/KillDisk.NBD",
				"Win32/KillDisk.NBH",
				"Win32/KillDisk.NBI",
				"WinorDLL64",
				"Winsec",
				"WolfRAT",
				"Wormhole",
				"YamaBot",
				"Yort",
				"ZetaNile",
				"concealment_troy",
				"http_troy",
				"httpdr0pper",
				"httpdropper",
				"klovbot",
				"sRDI"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434238,
	"ts_updated_at": 1775792300,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/25ce33286df842a60957102f119a995df6b1eca6.pdf",
		"text": "https://archive.orkl.eu/25ce33286df842a60957102f119a995df6b1eca6.txt",
		"img": "https://archive.orkl.eu/25ce33286df842a60957102f119a995df6b1eca6.jpg"
	}
}