{ "id": "038553cd-1ff5-4a7e-97c2-43c9edbb289c", "created_at": "2026-04-06T01:30:10.60827Z", "updated_at": "2026-04-10T03:38:19.225786Z", "deleted_at": null, "sha1_hash": "30eb047ce9c5f2394ceef0897ad5b363c4014f3c", "title": "North Korea Bitten by Bitcoin Bug: Financially motivated campaigns reveal new dimension of the Lazarus Group | Proofpoint US", "llm_title": "", "authors": "", "file_creation_date": "0001-01-01T00:00:00Z", "file_modification_date": "0001-01-01T00:00:00Z", "file_size": 323721, "plain_text": "North Korea Bitten by Bitcoin Bug: Financially motivated\r\ncampaigns reveal new dimension of the Lazarus Group |\r\nProofpoint US\r\nBy December 19, 2017 Darien Huss\r\nPublished: 2017-12-20 · Archived: 2026-04-06 00:34:33 UTC\r\nShare with your network!\r\n Download full report (PDF)\r\nOverview\r\nProofpoint researchers have uncovered a number of multistage attacks that use cryptocurrency-related lures to\r\ninfect victims with sophisticated backdoors and reconnaissance malware that we attribute to the Lazarus Group.\r\nVictims of interest are then infected with additional malware including Gh0st RAT to steal credentials for\r\ncryptocurrency wallets and exchanges, enabling the Lazarus Group to conduct lucrative operations stealing\r\nBitcoin and other cryptocurrencies. We also discovered what appears to be the first publicly documented instance\r\nof a nation-state targeting a point-of-sale related framework for the theft of credit card data in a related set of\r\nattacks. Moreover, the timing of the point-of-sale related attacks near the holiday shopping season makes the\r\npotential financial losses considerable.\r\nWith activity dating at least to 2009, the Lazarus Group has consistently ranked among the most disruptive,\r\nsuccessful, and far-reaching nation-state sponsored actors. The March 20, 2013 attack in South Korea, the Sony\r\nPictures hack in 2014, the successful theft of $81 million from the Bangladesh Bank in 2014, and perhaps most\r\nfamously this year’s WannaCry ransomware attack and its global impact have all been attributed to the group. The\r\nLazarus Group is widely accepted as being a North Korean state-sponsored threat actor by numerous\r\norganizations in the information security industry, law enforcement agencies, and intelligence agencies around the\r\nworld.\r\nThe group has increasingly focused on financially motivated attacks and appears to be capitalizing on both the\r\nincreasing interest and skyrocketing prices for cryptocurrencies. The Lazarus Group’s arsenal of tools, implants,\r\nand exploits is extensive and under constant development. Previously, they have employed DDoS botnets, wiper\r\nmalware to temporarily incapacitate a company, and a sophisticated set of malware targeting the SWIFT banking\r\nsystem to steal millions of dollars.\r\nIn this research we detail a new implant dubbed PowerRatankba, a PowerShell-based malware variant that closely\r\nresembles the original Ratankba implant. We believe that PowerRatankba was likely developed as a replacement\r\nin Lazarus Group’s strictly financially motivated team’s arsenal to fill the hole left by Ratankba’s discovery and\r\nvery public documentation earlier this year.\r\nhttps://www.proofpoint.com/us/threat-insight/post/north-korea-bitten-bitcoin-bug-financially-motivated-campaigns-reveal-new\r\nPage 1 of 3\n\nWe also provide a brief timeline of events related to the malicious activity and describe the various delivery\r\nmethods that Lazarus Group utilized to infect victims with PowerRatankba (Fig. 1). We then detail the inner\r\nworkings of PowerRatankba and how it is utilized to deliver a more fully capable backdoor to interesting victims\r\n(Fig. 1). Following that, we share details on a new and emerging threat targeting the point-of-sale industry that we\r\nhave dubbed RatankbaPOS (Fig. 1). Finally, we explain our high-confidence attribution to Lazarus Group.\r\nFigure 1: Flow of PowerRatankba activity from victims to the Lazarus Group operators\r\nWhile this report has introduced several new additions to Lazarus Group’s ever-growing arsenal, including a\r\nvariety of different attack vectors, a new PowerShell implant and Gh0st RAT variant, as well as an emerging\r\npoint-of-sale threat targeting South Korean devices, there are two key takeaways from this research:\r\nAnalyzing a financially motivated arm of a state actor highlights an often overlooked or underestimated\r\naspect of state-sponsored attacks; in this case, we were able to differentiate the actions of the financially\r\nmotivated team within Lazarus from those of their espionage and disruption teams that have recently\r\ngrabbed headlines.\r\nThis group is now appears to be targeting individuals rather than just organizations:; individuals are softer\r\ntargets, often lacking resources and knowledge to defend themselves and providing new avenues of\r\nmonetization for a state-sponsored threat actor’s toolkit.\r\nMoreover, both the explosive growth in cryptocurrency values and the emergence of new point-of-sale malware\r\nnear the peak holiday shopping season provide an interesting example of how one state-sponsored actor is\r\nfollowing the money, adding direct theft from individuals and organizations to the more “traditional” approach of\r\ntargeting financial institutions for espionage that we often observe with other APT actors.\r\nhttps://www.proofpoint.com/us/threat-insight/post/north-korea-bitten-bitcoin-bug-financially-motivated-campaigns-reveal-new\r\nPage 2 of 3\n\nTo read more, download the full report.\r\nSubscribe to the Proofpoint Blog\r\nSource: https://www.proofpoint.com/us/threat-insight/post/north-korea-bitten-bitcoin-bug-financially-motivated-campaigns-reveal-new\r\nhttps://www.proofpoint.com/us/threat-insight/post/north-korea-bitten-bitcoin-bug-financially-motivated-campaigns-reveal-new\r\nPage 3 of 3", "extraction_quality": 1, "language": "EN", "sources": [ "Malpedia", "ETDA" ], "references": [ "https://www.proofpoint.com/us/threat-insight/post/north-korea-bitten-bitcoin-bug-financially-motivated-campaigns-reveal-new" ], "report_names": [ "north-korea-bitten-bitcoin-bug-financially-motivated-campaigns-reveal-new" ], "threat_actors": [ { "id": "34eea331-d052-4096-ae03-a22f1d090bd4", "created_at": "2025-08-07T02:03:25.073494Z", "updated_at": "2026-04-10T02:00:03.709243Z", "deleted_at": null, "main_name": "NICKEL ACADEMY", "aliases": [ "ATK3 ", "Black Artemis ", "COVELLITE ", "CTG-2460 ", "Citrine Sleet ", "Diamond Sleet ", "Guardians of Peace", "HIDDEN COBRA ", "High Anonymous", "Labyrinth Chollima ", "Lazarus Group ", "NNPT Group", "New Romanic Cyber Army Team", "Temp.Hermit ", "UNC577 ", "Who Am I?", "Whois Team", "ZINC " ], "source_name": "Secureworks:NICKEL ACADEMY", "tools": [ "Destover", "KorHigh", "Volgmer" ], "source_id": "Secureworks", "reports": null }, { "id": "732597b1-40a8-474c-88cc-eb8a421c29f1", "created_at": "2025-08-07T02:03:25.087732Z", "updated_at": "2026-04-10T02:00:03.776007Z", "deleted_at": null, "main_name": "NICKEL GLADSTONE", "aliases": [ "APT38 ", "ATK 117 ", "Alluring Pisces ", "Black Alicanto ", "Bluenoroff ", "CTG-6459 ", "Citrine Sleet ", "HIDDEN COBRA ", "Lazarus Group", "Sapphire Sleet ", "Selective Pisces ", "Stardust Chollima ", "T-APT-15 ", "TA444 ", "TAG-71 " ], "source_name": "Secureworks:NICKEL GLADSTONE", "tools": [ "AlphaNC", "Bankshot", "CCGC_Proxy", "Ratankba", "RustBucket", "SUGARLOADER", "SwiftLoader", "Wcry" ], "source_id": "Secureworks", "reports": null }, { "id": "a2b92056-9378-4749-926b-7e10c4500dac", "created_at": "2023-01-06T13:46:38.430595Z", "updated_at": "2026-04-10T02:00:02.971571Z", "deleted_at": null, "main_name": "Lazarus Group", "aliases": [ "Operation DarkSeoul", "Bureau 121", "Group 77", "APT38", "NICKEL GLADSTONE", "G0082", "COPERNICIUM", "Moonstone Sleet", "Operation GhostSecret", "APT 38", "Appleworm", "Unit 121", "ATK3", "G0032", "ATK117", "NewRomanic Cyber Army Team", "Nickel Academy", "Sapphire Sleet", "Lazarus group", "Hastati Group", "Subgroup: Bluenoroff", "Operation Troy", "Black Artemis", "Dark Seoul", "Andariel", "Labyrinth Chollima", "Operation AppleJeus", "COVELLITE", "Citrine Sleet", "DEV-0139", "DEV-1222", "Hidden Cobra", "Bluenoroff", "Stardust Chollima", "Whois Hacking Team", "Diamond Sleet", "TA404", "BeagleBoyz", "APT-C-26" ], "source_name": "MISPGALAXY:Lazarus Group", "tools": [], "source_id": "MISPGALAXY", "reports": null }, { "id": "32a223a8-3c79-4146-87c5-8557d38662ae", "created_at": "2022-10-25T15:50:23.703698Z", "updated_at": "2026-04-10T02:00:05.261989Z", "deleted_at": null, "main_name": "Lazarus Group", "aliases": [ "Lazarus Group", "Labyrinth Chollima", "HIDDEN COBRA", "Guardians of Peace", "NICKEL ACADEMY", "Diamond Sleet" ], "source_name": "MITRE:Lazarus Group", "tools": [ "RawDisk", "Proxysvc", "BADCALL", "FALLCHILL", "WannaCry", "MagicRAT", "HOPLIGHT", "TYPEFRAME", "Dtrack", "HotCroissant", "HARDRAIN", "Dacls", "KEYMARBLE", "TAINTEDSCRIBE", "AuditCred", "netsh", "ECCENTRICBANDWAGON", "AppleJeus", "BLINDINGCAN", "ThreatNeedle", "Volgmer", "Cryptoistic", "RATANKBA", "Bankshot" ], "source_id": "MITRE", "reports": null }, { "id": "f32df445-9fb4-4234-99e0-3561f6498e4e", "created_at": "2022-10-25T16:07:23.756373Z", "updated_at": "2026-04-10T02:00:04.739611Z", "deleted_at": null, "main_name": "Lazarus Group", "aliases": [ "APT-C-26", "ATK 3", "Appleworm", "Citrine Sleet", "DEV-0139", "Diamond Sleet", "G0032", "Gleaming Pisces", "Gods Apostles", "Gods Disciples", "Group 77", "Guardians of Peace", "Hastati Group", "Hidden Cobra", "ITG03", "Jade Sleet", "Labyrinth Chollima", "Lazarus Group", "NewRomanic Cyber Army Team", "Operation 99", "Operation AppleJeus", "Operation AppleJeus sequel", "Operation Blockbuster: Breach of Sony Pictures Entertainment", "Operation CryptoCore", "Operation Dream Job", "Operation Dream Magic", "Operation Flame", "Operation GhostSecret", "Operation In(ter)caption", "Operation LolZarus", "Operation Marstech Mayhem", "Operation No Pineapple!", "Operation North Star", "Operation Phantom Circuit", "Operation Sharpshooter", "Operation SyncHole", "Operation Ten Days of Rain / DarkSeoul", "Operation Troy", "SectorA01", "Slow Pisces", "TA404", "TraderTraitor", "UNC2970", "UNC4034", "UNC4736", "UNC4899", "UNC577", "Whois Hacking Team" ], "source_name": "ETDA:Lazarus Group", "tools": [ "3CX Backdoor", "3Rat Client", "3proxy", "AIRDRY", "ARTFULPIE", "ATMDtrack", "AlphaNC", "Alreay", "Andaratm", "AngryRebel", "AppleJeus", "Aryan", "AuditCred", "BADCALL", "BISTROMATH", "BLINDINGCAN", "BTC Changer", "BUFFETLINE", "BanSwift", "Bankshot", "Bitrep", "Bitsran", "BlindToad", "Bookcode", "BootWreck", "BottomLoader", "Brambul", "BravoNC", "Breut", "COLDCAT", "COPPERHEDGE", "CROWDEDFLOUNDER", "Castov", "CheeseTray", "CleanToad", "ClientTraficForwarder", "CollectionRAT", "Concealment Troy", "Contopee", "CookieTime", "Cyruslish", "DAVESHELL", "DBLL Dropper", "DLRAT", "DRATzarus", "DRATzarus RAT", "Dacls", "Dacls RAT", "DarkComet", "DarkKomet", "DeltaCharlie", "DeltaNC", "Dembr", "Destover", "DoublePulsar", "Dozer", "Dtrack", "Duuzer", "DyePack", "ECCENTRICBANDWAGON", "ELECTRICFISH", "Escad", "EternalBlue", "FALLCHILL", "FYNLOS", "FallChill RAT", "Farfli", "Fimlis", "FoggyBrass", "FudModule", "Fynloski", "Gh0st RAT", "Ghost RAT", "Gopuram", "HARDRAIN", "HIDDEN COBRA RAT/Worm", "HLOADER", "HOOKSHOT", "HOPLIGHT", "HOTCROISSANT", "HOTWAX", "HTTP Troy", "Hawup", "Hawup RAT", "Hermes", "HotCroissant", "HotelAlfa", "Hotwax", "HtDnDownLoader", "Http Dr0pper", "ICONICSTEALER", "Joanap", "Jokra", "KANDYKORN", "KEYMARBLE", "Kaos", "KillDisk", "KillMBR", "Koredos", "Krademok", "LIGHTSHIFT", "LIGHTSHOW", "LOLBAS", "LOLBins", "Lazarus", "LightlessCan", "Living off the Land", "MATA", "MBRkiller", "MagicRAT", "Manuscrypt", "Mimail", "Mimikatz", "Moudour", "Mydoom", "Mydoor", "Mytob", "NACHOCHEESE", "NachoCheese", "NestEgg", "NickelLoader", "NineRAT", "Novarg", "NukeSped", "OpBlockBuster", "PCRat", "PEBBLEDASH", "PLANKWALK", "POOLRAT", "PSLogger", "PhanDoor", "Plink", "PondRAT", "PowerBrace", "PowerRatankba", "PowerShell RAT", "PowerSpritz", "PowerTask", "Preft", "ProcDump", "Proxysvc", "PuTTY Link", "QUICKRIDE", "QUICKRIDE.POWER", "Quickcafe", "QuiteRAT", "R-C1", "ROptimizer", "Ratabanka", "RatabankaPOS", "Ratankba", "RatankbaPOS", "RawDisk", "RedShawl", "Rifdoor", "Rising Sun", "Romeo-CoreOne", "RomeoAlfa", "RomeoBravo", "RomeoCharlie", "RomeoCore", "RomeoDelta", "RomeoEcho", "RomeoFoxtrot", "RomeoGolf", "RomeoHotel", "RomeoMike", "RomeoNovember", "RomeoWhiskey", "Romeos", "RustBucket", "SHADYCAT", "SHARPKNOT", "SIGFLIP", "SIMPLESEA", "SLICKSHOES", "SORRYBRUTE", "SUDDENICON", "SUGARLOADER", "SheepRAT", "SierraAlfa", "SierraBravo", "SierraCharlie", "SierraJuliett-MikeOne", "SierraJuliett-MikeTwo", "SimpleTea", "SimplexTea", "SmallTiger", "Stunnel", "TAINTEDSCRIBE", "TAXHAUL", "TFlower", "TOUCHKEY", "TOUCHMOVE", "TOUCHSHIFT", "TOUCHSHOT", "TWOPENCE", "TYPEFRAME", "Tdrop", "Tdrop2", "ThreatNeedle", "Tiger RAT", "TigerRAT", "Trojan Manuscript", "Troy", "TroyRAT", "VEILEDSIGNAL", "VHD", "VHD Ransomware", "VIVACIOUSGIFT", "VSingle", "ValeforBeta", "Volgmer", "Vyveva", "W1_RAT", "Wana Decrypt0r", "WanaCry", "WanaCrypt", "WanaCrypt0r", "WannaCry", "WannaCrypt", "WannaCryptor", "WbBot", "Wcry", "Win32/KillDisk.NBB", "Win32/KillDisk.NBC", "Win32/KillDisk.NBD", "Win32/KillDisk.NBH", "Win32/KillDisk.NBI", "WinorDLL64", "Winsec", "WolfRAT", "Wormhole", "YamaBot", "Yort", "ZetaNile", "concealment_troy", "http_troy", "httpdr0pper", "httpdropper", "klovbot", "sRDI" ], "source_id": "ETDA", "reports": null } ], "ts_created_at": 1775439010, "ts_updated_at": 1775792299, "ts_creation_date": 0, "ts_modification_date": 0, "files": { "pdf": "https://archive.orkl.eu/30eb047ce9c5f2394ceef0897ad5b363c4014f3c.pdf", "text": "https://archive.orkl.eu/30eb047ce9c5f2394ceef0897ad5b363c4014f3c.txt", "img": "https://archive.orkl.eu/30eb047ce9c5f2394ceef0897ad5b363c4014f3c.jpg" } }