{
	"id": "46af85fd-b874-4b37-81af-d61ddae8f01c",
	"created_at": "2026-04-06T00:11:14.728506Z",
	"updated_at": "2026-04-10T03:38:19.073715Z",
	"deleted_at": null,
	"sha1_hash": "325b611e44de4400ebcef6e60c89f48b0ed957b6",
	"title": "Chasing Lazarus: A Hunt for the Infamous Hackers to Prevent Large Bank Robberies",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 57451,
	"plain_text": "Chasing Lazarus: A Hunt for the Infamous Hackers to Prevent Large Bank Robberies\r\nBy Kaspersky\r\nPublished: 2017-04-05 · Archived: 2026-04-02 12:02:26 UTC\r\nKaspersky Lab has published the results of its more-than-a-year-long investigation into the activity of Lazarus – a notorious hacking group allegedly responsible for the theft of 81 million dollars from the Central Bank of Bangladesh in 2016.\r\nDuring the forensic analysis of artefacts left by the group in South-East Asian and European banks, Kaspersky Lab has reached a deep understanding of what malicious tools the group uses and how it operates while attacking financial institutions, casinos, software developers for investment companies and crypto-currency businesses around the world. This knowledge has helped to interrupt at least two other operations which had one goal: to steal a large amount of money from financial institutions.\r\nIn February 2016, a group of hackers (unidentified at that time) attempted to steal $851 million USD, and managed to transfer 81 million USD from the Central Bank of Bangladesh. This is considered to be one of the largest, most successful cyber heists ever. Further investigation conducted by researchers from different IT security companies, including Kaspersky Lab, revealed a high chance that the attacks were conducted by Lazarus – a notorious cyber espionage and sabotage group responsible for a series of regular and devastating attacks, and known for attacking manufacturing companies, media and financial institutions in at least 18 countries around the world since 2009.\r\nAlthough several months of silence followed the Bangladesh attack, the Lazarus group was still active. 
They had been preparing for a new operation to steal money from other banks and, by the time they were ready, they already had their foot in a financial institution in South-East Asia. After being interrupted by Kaspersky Lab products and the investigation that followed, they were set back for another few months, and later decided to change their operation by moving to Europe. But here too, their attempts were interrupted by Kaspersky Lab’s security software detections, as well as the quick incident response, forensic analysis, and reverse engineering with support from the company’s top researchers.\r\nLazarus Formula\r\nBased on the results of the forensic analysis of these attacks, Kaspersky Lab researchers were able to reconstruct the modus operandi of the group.\r\nInitial compromise: A single system inside a bank is breached either through remotely accessible vulnerable code (e.g. on a webserver) or through a watering hole attack using an exploit planted on a benign website.\r\nhttps://www.kaspersky.com/about/press-releases/2017_chasing-lazarus-a-hunt-for-the-infamous-hackers-to-prevent-large-bank-robberies\r\nPage 1 of 3\n\nOnce such a site is visited, the victim’s (bank employee’s) computer gets malware, which brings in additional components.\r\nFoothold established: Then the group migrates to other bank hosts and deploys persistent backdoors – the malware allows them to come and go whenever they want.\r\nInternal reconnaissance: Subsequently the group spends days and weeks learning the network and identifying valuable resources. 
One such resource may be a backup server where authentication information is stored, a mail server, or the whole domain controller with keys to every “door” in the company, as well as servers storing or processing records of financial transactions.\r\nDeliver and steal: Finally, they deploy special malware capable of bypassing the internal security features of financial software and issuing rogue transactions on behalf of the bank.\r\nGeography and Attribution\r\nThe attacks investigated by Kaspersky Lab researchers lasted for weeks. However, the attackers could operate under the radar for months. For example, during the analysis of the incident in South-East Asia, experts discovered that the hackers had been able to compromise the bank network no less than seven months prior to the day when the bank’s security team requested incident response. In fact, the group had access to the network of that bank even before the day of the Bangladesh incident.\r\nAccording to Kaspersky Lab records, from December 2015, malware samples relating to Lazarus group activity appeared in financial institutions, casinos, software developers for investment companies and crypto-currency businesses in Korea, Bangladesh, India, Vietnam, Indonesia, Costa Rica, Malaysia, Poland, Iraq, Ethiopia, Kenya, Nigeria, Uruguay, Gabon, Thailand and several other countries. The latest samples known to Kaspersky Lab were detected in March 2017, showing that the attackers have no intention of stopping.\r\nEven though the attackers were careful enough to wipe their traces, at least one server they breached for another campaign revealed a serious mistake: an important artefact had been left behind. In preparation for the operation, the server was configured as the command \u0026 control center for the malware. 
The first connections made on the day of configuration came from a few VPN/proxy servers, indicating a testing period for the C\u0026C server. However, there was also one short connection on that day from a very rare IP address range in North Korea.\r\nAccording to researchers, that could mean several things:\r\nThe attackers connected from that IP address in North Korea\r\nIt was someone else’s carefully planned false flag operation\r\nSomeone in North Korea accidentally visited the command and control URL\r\nThe Lazarus group heavily invests in new variants of its malware. For months they were trying to create a malicious toolset which would be invisible to security solutions, but every time they did this, Kaspersky Lab’s specialists managed to identify unique features in how they create their code, allowing Kaspersky Lab to keep tracking the new samples. Now, the attackers have gone relatively quiet, which probably means that they have paused to rework their arsenal.\r\n“We’re sure they’ll come back soon. In all, attacks like the ones conducted by Lazarus group show that a minor misconfiguration may result in a major security breach, which can potentially cost a targeted business hundreds of millions of dollars in loss. 
We hope that chief executives from banks, casinos and investment companies around the world will become wary of the name Lazarus,” said Vitaly Kamluk, Head of Global Research and Analysis Team APAC at Kaspersky Lab.\r\nKaspersky Lab products successfully detect and block the malware used by the Lazarus threat actor with the following specific detection names:\r\nHEUR:Trojan-Banker.Win32.Alreay*\r\nTrojan-Banker.Win32.Agent*\r\nThe company is also releasing crucial Indicators of Compromise (IOC) and other data to help organizations search for traces of these attack groups in their corporate networks. For more information go to Securelist.com.\r\nWe urge all organizations to carefully scan their networks for the presence of Lazarus malware samples and, if detected, to disinfect their systems and report the intrusion to law enforcement and incident response teams.\r\nTo learn more about financial attacks by Lazarus group, read the blog post available at Securelist.com or watch the video.\r\nSource: https://www.kaspersky.com/about/press-releases/2017_chasing-lazarus-a-hunt-for-the-infamous-hackers-to-prevent-large-bank-robberies",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MISPGALAXY",
		"ETDA",
		"Malpedia"
	],
	"references": [
		"https://www.kaspersky.com/about/press-releases/2017_chasing-lazarus-a-hunt-for-the-infamous-hackers-to-prevent-large-bank-robberies"
	],
	"report_names": [
		"2017_chasing-lazarus-a-hunt-for-the-infamous-hackers-to-prevent-large-bank-robberies"
	],
	"threat_actors": [
		{
			"id": "42a6a29d-6b98-4fd6-a742-a45a0306c7b0",
			"created_at": "2022-10-25T15:50:23.710403Z",
			"updated_at": "2026-04-10T02:00:05.281246Z",
			"deleted_at": null,
			"main_name": "Silence",
			"aliases": [
				"Whisper Spider"
			],
			"source_name": "MITRE:Silence",
			"tools": [
				"Winexe",
				"SDelete"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "34eea331-d052-4096-ae03-a22f1d090bd4",
			"created_at": "2025-08-07T02:03:25.073494Z",
			"updated_at": "2026-04-10T02:00:03.709243Z",
			"deleted_at": null,
			"main_name": "NICKEL ACADEMY",
			"aliases": [
				"ATK3 ",
				"Black Artemis ",
				"COVELLITE ",
				"CTG-2460 ",
				"Citrine Sleet ",
				"Diamond Sleet ",
				"Guardians of Peace",
				"HIDDEN COBRA ",
				"High Anonymous",
				"Labyrinth Chollima ",
				"Lazarus Group ",
				"NNPT Group",
				"New Romanic Cyber Army Team",
				"Temp.Hermit ",
				"UNC577 ",
				"Who Am I?",
				"Whois Team",
				"ZINC "
			],
			"source_name": "Secureworks:NICKEL ACADEMY",
			"tools": [
				"Destover",
				"KorHigh",
				"Volgmer"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "732597b1-40a8-474c-88cc-eb8a421c29f1",
			"created_at": "2025-08-07T02:03:25.087732Z",
			"updated_at": "2026-04-10T02:00:03.776007Z",
			"deleted_at": null,
			"main_name": "NICKEL GLADSTONE",
			"aliases": [
				"APT38 ",
				"ATK 117 ",
				"Alluring Pisces ",
				"Black Alicanto ",
				"Bluenoroff ",
				"CTG-6459 ",
				"Citrine Sleet ",
				"HIDDEN COBRA ",
				"Lazarus Group",
				"Sapphire Sleet ",
				"Selective Pisces ",
				"Stardust Chollima ",
				"T-APT-15 ",
				"TA444 ",
				"TAG-71 "
			],
			"source_name": "Secureworks:NICKEL GLADSTONE",
			"tools": [
				"AlphaNC",
				"Bankshot",
				"CCGC_Proxy",
				"Ratankba",
				"RustBucket",
				"SUGARLOADER",
				"SwiftLoader",
				"Wcry"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "eb5915d6-49a0-464d-9e4e-e1e2d3d31bc7",
			"created_at": "2025-03-29T02:05:20.764715Z",
			"updated_at": "2026-04-10T02:00:03.851829Z",
			"deleted_at": null,
			"main_name": "GOLD WYMAN",
			"aliases": [
				"Silence "
			],
			"source_name": "Secureworks:GOLD WYMAN",
			"tools": [
				"Silence"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "a2b92056-9378-4749-926b-7e10c4500dac",
			"created_at": "2023-01-06T13:46:38.430595Z",
			"updated_at": "2026-04-10T02:00:02.971571Z",
			"deleted_at": null,
			"main_name": "Lazarus Group",
			"aliases": [
				"Operation DarkSeoul",
				"Bureau 121",
				"Group 77",
				"APT38",
				"NICKEL GLADSTONE",
				"G0082",
				"COPERNICIUM",
				"Moonstone Sleet",
				"Operation GhostSecret",
				"APT 38",
				"Appleworm",
				"Unit 121",
				"ATK3",
				"G0032",
				"ATK117",
				"NewRomanic Cyber Army Team",
				"Nickel Academy",
				"Sapphire Sleet",
				"Lazarus group",
				"Hastati Group",
				"Subgroup: Bluenoroff",
				"Operation Troy",
				"Black Artemis",
				"Dark Seoul",
				"Andariel",
				"Labyrinth Chollima",
				"Operation AppleJeus",
				"COVELLITE",
				"Citrine Sleet",
				"DEV-0139",
				"DEV-1222",
				"Hidden Cobra",
				"Bluenoroff",
				"Stardust Chollima",
				"Whois Hacking Team",
				"Diamond Sleet",
				"TA404",
				"BeagleBoyz",
				"APT-C-26"
			],
			"source_name": "MISPGALAXY:Lazarus Group",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "32a223a8-3c79-4146-87c5-8557d38662ae",
			"created_at": "2022-10-25T15:50:23.703698Z",
			"updated_at": "2026-04-10T02:00:05.261989Z",
			"deleted_at": null,
			"main_name": "Lazarus Group",
			"aliases": [
				"Lazarus Group",
				"Labyrinth Chollima",
				"HIDDEN COBRA",
				"Guardians of Peace",
				"NICKEL ACADEMY",
				"Diamond Sleet"
			],
			"source_name": "MITRE:Lazarus Group",
			"tools": [
				"RawDisk",
				"Proxysvc",
				"BADCALL",
				"FALLCHILL",
				"WannaCry",
				"MagicRAT",
				"HOPLIGHT",
				"TYPEFRAME",
				"Dtrack",
				"HotCroissant",
				"HARDRAIN",
				"Dacls",
				"KEYMARBLE",
				"TAINTEDSCRIBE",
				"AuditCred",
				"netsh",
				"ECCENTRICBANDWAGON",
				"AppleJeus",
				"BLINDINGCAN",
				"ThreatNeedle",
				"Volgmer",
				"Cryptoistic",
				"RATANKBA",
				"Bankshot"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "88e53203-891a-46f8-9ced-81d874a271c4",
			"created_at": "2022-10-25T16:07:24.191982Z",
			"updated_at": "2026-04-10T02:00:04.895327Z",
			"deleted_at": null,
			"main_name": "Silence",
			"aliases": [
				"ATK 86",
				"Contract Crew",
				"G0091",
				"TAG-CR8",
				"TEMP.TruthTeller",
				"Whisper Spider"
			],
			"source_name": "ETDA:Silence",
			"tools": [
				"EDA",
				"EmpireDNSAgent",
				"Farse",
				"Ivoke",
				"Kikothac",
				"LOLBAS",
				"LOLBins",
				"Living off the Land",
				"Meterpreter",
				"ProxyBot",
				"ReconModule",
				"Silence.Downloader",
				"TiniMet",
				"TinyMet",
				"TrueBot",
				"xfs-disp.exe"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "f32df445-9fb4-4234-99e0-3561f6498e4e",
			"created_at": "2022-10-25T16:07:23.756373Z",
			"updated_at": "2026-04-10T02:00:04.739611Z",
			"deleted_at": null,
			"main_name": "Lazarus Group",
			"aliases": [
				"APT-C-26",
				"ATK 3",
				"Appleworm",
				"Citrine Sleet",
				"DEV-0139",
				"Diamond Sleet",
				"G0032",
				"Gleaming Pisces",
				"Gods Apostles",
				"Gods Disciples",
				"Group 77",
				"Guardians of Peace",
				"Hastati Group",
				"Hidden Cobra",
				"ITG03",
				"Jade Sleet",
				"Labyrinth Chollima",
				"Lazarus Group",
				"NewRomanic Cyber Army Team",
				"Operation 99",
				"Operation AppleJeus",
				"Operation AppleJeus sequel",
				"Operation Blockbuster: Breach of Sony Pictures Entertainment",
				"Operation CryptoCore",
				"Operation Dream Job",
				"Operation Dream Magic",
				"Operation Flame",
				"Operation GhostSecret",
				"Operation In(ter)caption",
				"Operation LolZarus",
				"Operation Marstech Mayhem",
				"Operation No Pineapple!",
				"Operation North Star",
				"Operation Phantom Circuit",
				"Operation Sharpshooter",
				"Operation SyncHole",
				"Operation Ten Days of Rain / DarkSeoul",
				"Operation Troy",
				"SectorA01",
				"Slow Pisces",
				"TA404",
				"TraderTraitor",
				"UNC2970",
				"UNC4034",
				"UNC4736",
				"UNC4899",
				"UNC577",
				"Whois Hacking Team"
			],
			"source_name": "ETDA:Lazarus Group",
			"tools": [
				"3CX Backdoor",
				"3Rat Client",
				"3proxy",
				"AIRDRY",
				"ARTFULPIE",
				"ATMDtrack",
				"AlphaNC",
				"Alreay",
				"Andaratm",
				"AngryRebel",
				"AppleJeus",
				"Aryan",
				"AuditCred",
				"BADCALL",
				"BISTROMATH",
				"BLINDINGCAN",
				"BTC Changer",
				"BUFFETLINE",
				"BanSwift",
				"Bankshot",
				"Bitrep",
				"Bitsran",
				"BlindToad",
				"Bookcode",
				"BootWreck",
				"BottomLoader",
				"Brambul",
				"BravoNC",
				"Breut",
				"COLDCAT",
				"COPPERHEDGE",
				"CROWDEDFLOUNDER",
				"Castov",
				"CheeseTray",
				"CleanToad",
				"ClientTraficForwarder",
				"CollectionRAT",
				"Concealment Troy",
				"Contopee",
				"CookieTime",
				"Cyruslish",
				"DAVESHELL",
				"DBLL Dropper",
				"DLRAT",
				"DRATzarus",
				"DRATzarus RAT",
				"Dacls",
				"Dacls RAT",
				"DarkComet",
				"DarkKomet",
				"DeltaCharlie",
				"DeltaNC",
				"Dembr",
				"Destover",
				"DoublePulsar",
				"Dozer",
				"Dtrack",
				"Duuzer",
				"DyePack",
				"ECCENTRICBANDWAGON",
				"ELECTRICFISH",
				"Escad",
				"EternalBlue",
				"FALLCHILL",
				"FYNLOS",
				"FallChill RAT",
				"Farfli",
				"Fimlis",
				"FoggyBrass",
				"FudModule",
				"Fynloski",
				"Gh0st RAT",
				"Ghost RAT",
				"Gopuram",
				"HARDRAIN",
				"HIDDEN COBRA RAT/Worm",
				"HLOADER",
				"HOOKSHOT",
				"HOPLIGHT",
				"HOTCROISSANT",
				"HOTWAX",
				"HTTP Troy",
				"Hawup",
				"Hawup RAT",
				"Hermes",
				"HotCroissant",
				"HotelAlfa",
				"Hotwax",
				"HtDnDownLoader",
				"Http Dr0pper",
				"ICONICSTEALER",
				"Joanap",
				"Jokra",
				"KANDYKORN",
				"KEYMARBLE",
				"Kaos",
				"KillDisk",
				"KillMBR",
				"Koredos",
				"Krademok",
				"LIGHTSHIFT",
				"LIGHTSHOW",
				"LOLBAS",
				"LOLBins",
				"Lazarus",
				"LightlessCan",
				"Living off the Land",
				"MATA",
				"MBRkiller",
				"MagicRAT",
				"Manuscrypt",
				"Mimail",
				"Mimikatz",
				"Moudour",
				"Mydoom",
				"Mydoor",
				"Mytob",
				"NACHOCHEESE",
				"NachoCheese",
				"NestEgg",
				"NickelLoader",
				"NineRAT",
				"Novarg",
				"NukeSped",
				"OpBlockBuster",
				"PCRat",
				"PEBBLEDASH",
				"PLANKWALK",
				"POOLRAT",
				"PSLogger",
				"PhanDoor",
				"Plink",
				"PondRAT",
				"PowerBrace",
				"PowerRatankba",
				"PowerShell RAT",
				"PowerSpritz",
				"PowerTask",
				"Preft",
				"ProcDump",
				"Proxysvc",
				"PuTTY Link",
				"QUICKRIDE",
				"QUICKRIDE.POWER",
				"Quickcafe",
				"QuiteRAT",
				"R-C1",
				"ROptimizer",
				"Ratabanka",
				"RatabankaPOS",
				"Ratankba",
				"RatankbaPOS",
				"RawDisk",
				"RedShawl",
				"Rifdoor",
				"Rising Sun",
				"Romeo-CoreOne",
				"RomeoAlfa",
				"RomeoBravo",
				"RomeoCharlie",
				"RomeoCore",
				"RomeoDelta",
				"RomeoEcho",
				"RomeoFoxtrot",
				"RomeoGolf",
				"RomeoHotel",
				"RomeoMike",
				"RomeoNovember",
				"RomeoWhiskey",
				"Romeos",
				"RustBucket",
				"SHADYCAT",
				"SHARPKNOT",
				"SIGFLIP",
				"SIMPLESEA",
				"SLICKSHOES",
				"SORRYBRUTE",
				"SUDDENICON",
				"SUGARLOADER",
				"SheepRAT",
				"SierraAlfa",
				"SierraBravo",
				"SierraCharlie",
				"SierraJuliett-MikeOne",
				"SierraJuliett-MikeTwo",
				"SimpleTea",
				"SimplexTea",
				"SmallTiger",
				"Stunnel",
				"TAINTEDSCRIBE",
				"TAXHAUL",
				"TFlower",
				"TOUCHKEY",
				"TOUCHMOVE",
				"TOUCHSHIFT",
				"TOUCHSHOT",
				"TWOPENCE",
				"TYPEFRAME",
				"Tdrop",
				"Tdrop2",
				"ThreatNeedle",
				"Tiger RAT",
				"TigerRAT",
				"Trojan Manuscript",
				"Troy",
				"TroyRAT",
				"VEILEDSIGNAL",
				"VHD",
				"VHD Ransomware",
				"VIVACIOUSGIFT",
				"VSingle",
				"ValeforBeta",
				"Volgmer",
				"Vyveva",
				"W1_RAT",
				"Wana Decrypt0r",
				"WanaCry",
				"WanaCrypt",
				"WanaCrypt0r",
				"WannaCry",
				"WannaCrypt",
				"WannaCryptor",
				"WbBot",
				"Wcry",
				"Win32/KillDisk.NBB",
				"Win32/KillDisk.NBC",
				"Win32/KillDisk.NBD",
				"Win32/KillDisk.NBH",
				"Win32/KillDisk.NBI",
				"WinorDLL64",
				"Winsec",
				"WolfRAT",
				"Wormhole",
				"YamaBot",
				"Yort",
				"ZetaNile",
				"concealment_troy",
				"http_troy",
				"httpdr0pper",
				"httpdropper",
				"klovbot",
				"sRDI"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434274,
	"ts_updated_at": 1775792299,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/325b611e44de4400ebcef6e60c89f48b0ed957b6.pdf",
		"text": "https://archive.orkl.eu/325b611e44de4400ebcef6e60c89f48b0ed957b6.txt",
		"img": "https://archive.orkl.eu/325b611e44de4400ebcef6e60c89f48b0ed957b6.jpg"
	}
}