{
	"id": "4df50f2d-ad5a-462e-89e3-6160e42b05d6",
	"created_at": "2026-04-06T00:10:21.128766Z",
	"updated_at": "2026-04-10T13:13:06.245744Z",
	"deleted_at": null,
	"sha1_hash": "3348044f4d95fc10b3a2c555ad6129b69a3b2259",
	"title": "Cryptocurrency businesses still being targeted by Lazarus",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 311501,
	"plain_text": "Cryptocurrency businesses still being targeted by Lazarus\r\nBy GReAT\r\nPublished: 2019-03-26 · Archived: 2026-04-05 14:58:56 UTC\r\nIt’s hardly news to anyone who follows cyberthreat intelligence that the Lazarus APT group targets financial\r\nentities, especially cryptocurrency exchanges. Financial gain remains one of the main goals for Lazarus, with its\r\ntactics, techniques, and procedures constantly evolving to avoid detection.\r\nIn the middle of 2018, we published our Operation Applejeus research, which highlighted Lazarus’s focus on\r\ncryptocurrency exchanges utilizing a fake company with a backdoored product aimed at cryptocurrency\r\nbusinesses. One of the key findings was the group’s new ability to target macOS. Since then Lazarus has been\r\nbusy expanding its operations for the platform.\r\nFurther tracking of their activities targeting the financial sector enabled us to discover a new operation, active\r\nsince at least November 2018, which utilizes PowerShell to control Windows systems and macOS malware for\r\nApple users.\r\nInfection procedure\r\nLazarus is a well-organized group, something that can be seen from their malware population: not only have we\r\nseen them build redundancy to reserve some malware in case of in-operation hot spare replacement of ‘burnt’\r\n(detected) samples but they also conform to specific internal standards and protocols when developing backdoors.\r\nThis case is no different. They have developed custom PowerShell scripts that communicate with malicious C2\r\nservers and execute commands from the operator. The C2 server script names are disguised as WordPress (popular\r\nblog engine) files as well as those of other popular open source projects. 
After establishing the malware control\r\nsession with the server, the functionality provided by the malware includes:\r\nSet sleep time (delay between C2 interactions)\r\nExit malware\r\nhttps://securelist.com/cryptocurrency-businesses-still-being-targeted-by-lazarus/90019/\r\nPage 1 of 8\n\nCollect basic host information\r\nCheck malware status\r\nShow current malware configuration\r\nUpdate malware configuration\r\nExecute system shell command\r\nDownload \u0026 Upload files\r\nLazarus uses different tactics to run its C2 servers: from purchasing servers to using hacked ones. We have seen\r\nsome legitimate-looking servers that are most likely compromised and used in malicious campaigns. According to\r\nserver response headers, they are most likely running an old vulnerable instance of Internet Information Services\r\n(IIS) 6.0 on Microsoft Windows Server 2003. Another C2 server was probably purchased by Lazarus from a\r\nhosting company and used to host macOS and Windows payloads. The geography of the servers varies, from\r\nChina to the European Union. But why use two different types of servers? The group seems to have a rule (at least\r\nin this campaign) to only host malware on rented servers, while hosting C2 scripts for malware communication on\r\ncompromised servers.\r\nInfrastructure segregation by purpose\r\nThe malware was distributed via documents carefully prepared to attract the attention of cryptocurrency\r\nprofessionals. Seeing as how some of the documents were prepared in Korean, we believe that South Korean\r\nbusinesses are a high priority for Lazarus. 
One document entitled ‘Sample document for business plan evaluation\r\nof venture company’ (translated from Korean) looks like this:\r\nContent of weaponized document from Lazarus (4cbd45fe6d65f513447beb4509a9ae3d)\r\nAnother macro-weaponized document (e9a6a945803722be1556fd120ee81199) contains a business overview of\r\nwhat seems to be a Chinese technology consulting group named LAFIZ. We couldn’t confirm if it’s a legitimate\r\nbusiness or another fake company made up by Lazarus. Their website lafiz[.]link has been parked since 2017.\r\nContents of another weaponized document (e9a6a945803722be1556fd120ee81199)\r\nBased on our telemetry, we found a cryptocurrency exchange company attacked with a malicious document\r\ncontaining the same macro. The document’s content provided information for coin listings with a translation in\r\nKorean:\r\nContent of another weaponized document (6a0f3abd05bc75edbfb862739865a4cc)\r\nThe payloads show that Lazarus keeps exploring more ways to evade detection to stay under the radar longer. The\r\ngroup builds malware for 32-bit and 64-bit Windows separately to support both platforms and have more variety\r\nin terms of compiled code. The Windows payloads distributed from the server (nzssdm[.]com) hosting the Mac\r\nmalware have a CheckSelf export function, and one of them (668d5b5761755c9d061da74cb21a8b75) has the\r\ninternal name ‘battle64.dll’. 
From that point we managed to find additional Windows malware samples containing\r\nthe CheckSelf export function and an internal name containing the word ‘battle’.\r\nThese Windows malware samples were delivered using malicious HWP (Korean Hangul Word Processor format)\r\ndocuments exploiting a known PostScript vulnerability. It should be noted that HWP documents are only popular\r\namong Korean users (Hangul Word Processor was developed in South Korea) and we have witnessed several\r\nattacks using the same method.\r\nConnection with previous HWP attacks\r\nIt’s no secret that Apple products are now very popular among successful internet startups and fintech companies,\r\nand this is why the malicious actor built and used macOS malware. While investigating earlier Lazarus incidents,\r\nwe anticipated this actor would eventually expand its attacks to macOS.\r\nIt appears that Lazarus is using the same developers to expand to other platforms, because some of the features\r\nhave remained consistent as its malware evolves.\r\nOverlap of current campaign and previous hwp-based attack cases\r\nWe’d therefore like to ask Windows and macOS users to be more cautious and not fall victim to Lazarus. If you’re\r\npart of the booming cryptocurrency or technological startup industry, exercise extra caution when dealing with\r\nnew third parties or installing software on your systems. It’s best to check new software with an antivirus or at\r\nleast use popular free virus-scanning services such as VirusTotal. And never ‘Enable Content’ (macro scripting) in\r\nMicrosoft Office documents received from new or untrusted sources. Avoid being infected by fake or backdoored\r\nsoftware from Lazarus – if you need to try out new applications, it’s better to do so offline or on an isolated network\r\nvirtual machine which you can erase with a few clicks. 
We’ll continue posting on Lazarus’s latest tactics and tricks\r\nin our blog. In the meantime, stay safe!\r\nFor more details on this and other research, please contact intelreports@kaspersky.com.\r\nSource: https://securelist.com/cryptocurrency-businesses-still-being-targeted-by-lazarus/90019/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia",
		"ETDA",
		"MISPGALAXY"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://securelist.com/cryptocurrency-businesses-still-being-targeted-by-lazarus/90019/"
	],
	"report_names": [
		"90019"
	],
	"threat_actors": [
		{
			"id": "aa73cd6a-868c-4ae4-a5b2-7cb2c5ad1e9d",
			"created_at": "2022-10-25T16:07:24.139848Z",
			"updated_at": "2026-04-10T02:00:04.878798Z",
			"deleted_at": null,
			"main_name": "Safe",
			"aliases": [],
			"source_name": "ETDA:Safe",
			"tools": [
				"DebugView",
				"LZ77",
				"OpenDoc",
				"SafeDisk",
				"TypeConfig",
				"UPXShell",
				"UsbDoc",
				"UsbExe"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "544ecd2c-82c9-417c-9d98-d1ae395df964",
			"created_at": "2025-10-29T02:00:52.035025Z",
			"updated_at": "2026-04-10T02:00:05.408558Z",
			"deleted_at": null,
			"main_name": "AppleJeus",
			"aliases": [
				"AppleJeus",
				"Gleaming Pisces",
				"Citrine Sleet",
				"UNC1720",
				"UNC4736"
			],
			"source_name": "MITRE:AppleJeus",
			"tools": null,
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "a2b92056-9378-4749-926b-7e10c4500dac",
			"created_at": "2023-01-06T13:46:38.430595Z",
			"updated_at": "2026-04-10T02:00:02.971571Z",
			"deleted_at": null,
			"main_name": "Lazarus Group",
			"aliases": [
				"Operation DarkSeoul",
				"Bureau 121",
				"Group 77",
				"APT38",
				"NICKEL GLADSTONE",
				"G0082",
				"COPERNICIUM",
				"Moonstone Sleet",
				"Operation GhostSecret",
				"APT 38",
				"Appleworm",
				"Unit 121",
				"ATK3",
				"G0032",
				"ATK117",
				"NewRomanic Cyber Army Team",
				"Nickel Academy",
				"Sapphire Sleet",
				"Lazarus group",
				"Hastati Group",
				"Subgroup: Bluenoroff",
				"Operation Troy",
				"Black Artemis",
				"Dark Seoul",
				"Andariel",
				"Labyrinth Chollima",
				"Operation AppleJeus",
				"COVELLITE",
				"Citrine Sleet",
				"DEV-0139",
				"DEV-1222",
				"Hidden Cobra",
				"Bluenoroff",
				"Stardust Chollima",
				"Whois Hacking Team",
				"Diamond Sleet",
				"TA404",
				"BeagleBoyz",
				"APT-C-26"
			],
			"source_name": "MISPGALAXY:Lazarus Group",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "f32df445-9fb4-4234-99e0-3561f6498e4e",
			"created_at": "2022-10-25T16:07:23.756373Z",
			"updated_at": "2026-04-10T02:00:04.739611Z",
			"deleted_at": null,
			"main_name": "Lazarus Group",
			"aliases": [
				"APT-C-26",
				"ATK 3",
				"Appleworm",
				"Citrine Sleet",
				"DEV-0139",
				"Diamond Sleet",
				"G0032",
				"Gleaming Pisces",
				"Gods Apostles",
				"Gods Disciples",
				"Group 77",
				"Guardians of Peace",
				"Hastati Group",
				"Hidden Cobra",
				"ITG03",
				"Jade Sleet",
				"Labyrinth Chollima",
				"Lazarus Group",
				"NewRomanic Cyber Army Team",
				"Operation 99",
				"Operation AppleJeus",
				"Operation AppleJeus sequel",
				"Operation Blockbuster: Breach of Sony Pictures Entertainment",
				"Operation CryptoCore",
				"Operation Dream Job",
				"Operation Dream Magic",
				"Operation Flame",
				"Operation GhostSecret",
				"Operation In(ter)caption",
				"Operation LolZarus",
				"Operation Marstech Mayhem",
				"Operation No Pineapple!",
				"Operation North Star",
				"Operation Phantom Circuit",
				"Operation Sharpshooter",
				"Operation SyncHole",
				"Operation Ten Days of Rain / DarkSeoul",
				"Operation Troy",
				"SectorA01",
				"Slow Pisces",
				"TA404",
				"TraderTraitor",
				"UNC2970",
				"UNC4034",
				"UNC4736",
				"UNC4899",
				"UNC577",
				"Whois Hacking Team"
			],
			"source_name": "ETDA:Lazarus Group",
			"tools": [
				"3CX Backdoor",
				"3Rat Client",
				"3proxy",
				"AIRDRY",
				"ARTFULPIE",
				"ATMDtrack",
				"AlphaNC",
				"Alreay",
				"Andaratm",
				"AngryRebel",
				"AppleJeus",
				"Aryan",
				"AuditCred",
				"BADCALL",
				"BISTROMATH",
				"BLINDINGCAN",
				"BTC Changer",
				"BUFFETLINE",
				"BanSwift",
				"Bankshot",
				"Bitrep",
				"Bitsran",
				"BlindToad",
				"Bookcode",
				"BootWreck",
				"BottomLoader",
				"Brambul",
				"BravoNC",
				"Breut",
				"COLDCAT",
				"COPPERHEDGE",
				"CROWDEDFLOUNDER",
				"Castov",
				"CheeseTray",
				"CleanToad",
				"ClientTraficForwarder",
				"CollectionRAT",
				"Concealment Troy",
				"Contopee",
				"CookieTime",
				"Cyruslish",
				"DAVESHELL",
				"DBLL Dropper",
				"DLRAT",
				"DRATzarus",
				"DRATzarus RAT",
				"Dacls",
				"Dacls RAT",
				"DarkComet",
				"DarkKomet",
				"DeltaCharlie",
				"DeltaNC",
				"Dembr",
				"Destover",
				"DoublePulsar",
				"Dozer",
				"Dtrack",
				"Duuzer",
				"DyePack",
				"ECCENTRICBANDWAGON",
				"ELECTRICFISH",
				"Escad",
				"EternalBlue",
				"FALLCHILL",
				"FYNLOS",
				"FallChill RAT",
				"Farfli",
				"Fimlis",
				"FoggyBrass",
				"FudModule",
				"Fynloski",
				"Gh0st RAT",
				"Ghost RAT",
				"Gopuram",
				"HARDRAIN",
				"HIDDEN COBRA RAT/Worm",
				"HLOADER",
				"HOOKSHOT",
				"HOPLIGHT",
				"HOTCROISSANT",
				"HOTWAX",
				"HTTP Troy",
				"Hawup",
				"Hawup RAT",
				"Hermes",
				"HotCroissant",
				"HotelAlfa",
				"Hotwax",
				"HtDnDownLoader",
				"Http Dr0pper",
				"ICONICSTEALER",
				"Joanap",
				"Jokra",
				"KANDYKORN",
				"KEYMARBLE",
				"Kaos",
				"KillDisk",
				"KillMBR",
				"Koredos",
				"Krademok",
				"LIGHTSHIFT",
				"LIGHTSHOW",
				"LOLBAS",
				"LOLBins",
				"Lazarus",
				"LightlessCan",
				"Living off the Land",
				"MATA",
				"MBRkiller",
				"MagicRAT",
				"Manuscrypt",
				"Mimail",
				"Mimikatz",
				"Moudour",
				"Mydoom",
				"Mydoor",
				"Mytob",
				"NACHOCHEESE",
				"NachoCheese",
				"NestEgg",
				"NickelLoader",
				"NineRAT",
				"Novarg",
				"NukeSped",
				"OpBlockBuster",
				"PCRat",
				"PEBBLEDASH",
				"PLANKWALK",
				"POOLRAT",
				"PSLogger",
				"PhanDoor",
				"Plink",
				"PondRAT",
				"PowerBrace",
				"PowerRatankba",
				"PowerShell RAT",
				"PowerSpritz",
				"PowerTask",
				"Preft",
				"ProcDump",
				"Proxysvc",
				"PuTTY Link",
				"QUICKRIDE",
				"QUICKRIDE.POWER",
				"Quickcafe",
				"QuiteRAT",
				"R-C1",
				"ROptimizer",
				"Ratabanka",
				"RatabankaPOS",
				"Ratankba",
				"RatankbaPOS",
				"RawDisk",
				"RedShawl",
				"Rifdoor",
				"Rising Sun",
				"Romeo-CoreOne",
				"RomeoAlfa",
				"RomeoBravo",
				"RomeoCharlie",
				"RomeoCore",
				"RomeoDelta",
				"RomeoEcho",
				"RomeoFoxtrot",
				"RomeoGolf",
				"RomeoHotel",
				"RomeoMike",
				"RomeoNovember",
				"RomeoWhiskey",
				"Romeos",
				"RustBucket",
				"SHADYCAT",
				"SHARPKNOT",
				"SIGFLIP",
				"SIMPLESEA",
				"SLICKSHOES",
				"SORRYBRUTE",
				"SUDDENICON",
				"SUGARLOADER",
				"SheepRAT",
				"SierraAlfa",
				"SierraBravo",
				"SierraCharlie",
				"SierraJuliett-MikeOne",
				"SierraJuliett-MikeTwo",
				"SimpleTea",
				"SimplexTea",
				"SmallTiger",
				"Stunnel",
				"TAINTEDSCRIBE",
				"TAXHAUL",
				"TFlower",
				"TOUCHKEY",
				"TOUCHMOVE",
				"TOUCHSHIFT",
				"TOUCHSHOT",
				"TWOPENCE",
				"TYPEFRAME",
				"Tdrop",
				"Tdrop2",
				"ThreatNeedle",
				"Tiger RAT",
				"TigerRAT",
				"Trojan Manuscript",
				"Troy",
				"TroyRAT",
				"VEILEDSIGNAL",
				"VHD",
				"VHD Ransomware",
				"VIVACIOUSGIFT",
				"VSingle",
				"ValeforBeta",
				"Volgmer",
				"Vyveva",
				"W1_RAT",
				"Wana Decrypt0r",
				"WanaCry",
				"WanaCrypt",
				"WanaCrypt0r",
				"WannaCry",
				"WannaCrypt",
				"WannaCryptor",
				"WbBot",
				"Wcry",
				"Win32/KillDisk.NBB",
				"Win32/KillDisk.NBC",
				"Win32/KillDisk.NBD",
				"Win32/KillDisk.NBH",
				"Win32/KillDisk.NBI",
				"WinorDLL64",
				"Winsec",
				"WolfRAT",
				"Wormhole",
				"YamaBot",
				"Yort",
				"ZetaNile",
				"concealment_troy",
				"http_troy",
				"httpdr0pper",
				"httpdropper",
				"klovbot",
				"sRDI"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434221,
	"ts_updated_at": 1775826786,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/3348044f4d95fc10b3a2c555ad6129b69a3b2259.pdf",
		"text": "https://archive.orkl.eu/3348044f4d95fc10b3a2c555ad6129b69a3b2259.txt",
		"img": "https://archive.orkl.eu/3348044f4d95fc10b3a2c555ad6129b69a3b2259.jpg"
	}
}