{
	"id": "164c29f9-5acc-47d0-9b0f-9676a21cfff2",
	"created_at": "2026-04-06T00:14:18.541618Z",
	"updated_at": "2026-04-10T03:38:20.199919Z",
	"deleted_at": null,
	"sha1_hash": "346b5c9da05e034d9ad4718a74fc5aa1cab86a79",
	"title": "Lazarus Group使用Dacls RAT攻击Linux平台",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 3222395,
	"plain_text": "Lazarus Group Uses Dacls RAT to Attack the Linux Platform\r\nBy jinye\r\nPublished: 2019-12-17 · Archived: 2026-04-05 17:32:28 UTC\r\nBackground\r\nOn October 25, 2019, the 360Netlab unknown-threat detection system discovered a suspicious ELF file (80c0efb9e129f7f9b05a783df6959812). At first we thought it was a fairly ordinary member of the unknown botnets we had discovered, and at that time 2 antivirus engines on VirusTotal detected it. When we correlated its sample characteristics and IoCs, we found that this case was related to Lazarus Group and decided to analyze it in depth.\r\nSo far, the industry has not published any attack samples or cases of Lazarus Group targeting the Linux platform. Through detailed analysis, we determined that this is a fully featured, stealthy RAT that runs on both Windows and Linux, and that the attacker behind it is suspected to be Lazarus Group.\r\nIn fact, samples of this remote-control software appeared as early as May 2019, and VirusTotal currently shows 26 antivirus vendors detecting it as generic malware, but it remains little known and we found no analysis report on it. We therefore disclose some of its technical characteristics in detail and, based on its file names and hard-coded strings, name it Dacls.\r\nDacls Overview\r\nDacls is a new RAT with Windows and Linux versions that share the same C2 protocol; we name them Win32.Dacls and Linux.Dacls respectively. Its functionality is modular, the C2 protocol uses two layers of encryption (TLS and RC4), the configuration file is AES-encrypted, and C2 commands can update it dynamically. Win32.Dacls loads its plugin modules dynamically from remote URLs, whereas the Linux version compiles its plugins directly into the Bot binary. We have confirmed that Linux.Dacls contains 6 plugin modules: command execution, file management, process management, network-access testing, C2 connection proxy, and network scanning.\r\nHow it is linked to Lazarus Group\r\nFirst, using the hard-coded strings c_2910.cls and k_3872.cls in sample 80c0efb9e129f7f9b05a783df6959812, we found 5 samples on VirusTotal. From the code of these samples and their identical C2 command codes we can confirm that they belong to the same RAT family, built for Windows and Linux respectively.\r\nOne of the Win32.Dacls samples, 6de65fc57a4428ad7e262e980a7f6cc7, was downloaded from https://thevagabondsatchel.com/wp-content/uploads/2019/03/wm64.avi. In a VirusTotal community comment, user @raeezabdulla tagged it as Lazarus Group and cited the report \"CES Themed Targeting from Lazarus\". Through this download address we then linked it to another NukeSped sample, b578ccf307d55d3267f98349e20ecff1, downloaded from http://thevagabondsatchel.com/wp-content/uploads/2019/09/public.avi. In October 2019, this NukeSped sample b578ccf307d55d3267f98349e20ecff1 was tagged as Lazarus Group by Twitter user @cyberwar_15.\r\nhttps://blog.netlab.360.com/dacls-the-dual-platform-rat/\r\nPage 1 of 23\n\nIn addition, a Google search turned up many Lazarus Group analysis reports and some open-source threat intelligence data indicating that thevagabondsatchel.com has been used by Lazarus Group to host samples.\r\nWe therefore assess that the attacker behind the Dacls RAT is Lazarus Group.\r\nDownloader Server\r\nOn the suspected compromised download server http://www.areac-agr.com/cms/wp-content/uploads/2015/12/ we found a series of samples, including Win32.Dacls and Linux.Dacls, the open-source program Socat, and a Confluence CVE-2019-3396 payload. We therefore assess that Lazarus Group has used the CVE-2019-3396 N-day vulnerability to spread the Dacls Bot.\r\nMD5 (check.vm) = a99b7ef095f44cf35453465c64f0c70c //Confluence CVE-2019-3396 Payload\r\nMD5 (hdata.dat) = 982bf527b9fe16205fea606d1beed7fa //Log Collector\r\nMD5 (ldata.dat) = 80c0efb9e129f7f9b05a783df6959812 //Linux Dacls Bot\r\nMD5 (mdata.dat) = 80c0efb9e129f7f9b05a783df6959812 //Linux Dacls Bot\r\nMD5 (r.vm) = a99b7ef095f44cf35453465c64f0c70c //Confluence CVE-2019-3396 Payload\r\nMD5 (rdata.dat) = bea49839390e4f1eb3cb38d0fcaf897e //Windows Dacls Bot\r\nMD5 (sdata.dat) = e883bf5fd22eb6237eb84d80bbcf2ac9 //Open-Source Socat\r\nReverse Engineering\r\nLog Collector sample analysis\r\nMD5: 982bf527b9fe16205fea606d1beed7fa\r\nELF 64-bit LSB executable, x86-64, version 1 (GNU/Linux), statically linked, no section header\r\nThis sample is simple: a command-line argument specifies the log-collection endpoint, and the sample then collects information about the target host. It skips a set of specified root-level and second-level directories and writes the file paths it finds to /tmp/hdv.log.\r\nAvoid Scanning Root Directory\r\n/bin\r\n/boot\r\n/dev\r\n/etc\r\n/lib\r\n/lib32\r\n/lib64\r\n/lost+found\r\n/sbin\r\n/sys\r\n/tmp\r\n/proc\r\n/run\r\nAvoid Scanning Secondary Directory\r\n/usr/bin\r\n/usr/etc\r\n/usr/games\r\n/usr/include\r\n/usr/lib\r\n/usr/lib32\r\n/usr/lib64\r\n/usr/libexec\r\n/usr/sbin\r\n/usr/share\r\n/usr/src\r\n/usr/tmp\r\n/var/adm\r\n/var/cache\r\n/var/crash\r\n/var/db\r\n/var/empty\r\n/var/games\r\n/var/gopher\r\n/var/kerberos\r\n/var/lock\r\n/var/nis\r\n/var/preserve\r\n/var/run\r\n/var/yp\r\nExample log format\r\ndeep name type size last date\r\n0 / D 0 000000000000\r\n1 bin D 0 201911290628\r\n2 bash F 1037528 201907121226\r\n2 bunzip2 F 31352 201907040536\r\n2 busybox F 1984584 201903070712\r\n2 bzcat F 31352 201907040536\r\n2 bzcmp F 2140 201907040536\r\n....\r\nFinally it compresses the log file with the system tar command, tar -cvzf /tmp/hdv.rm /tmp/hdv.log, and uploads it to the specified log-collection endpoint.\r\nLinux.Dacls sample analysis\r\nMD5: 80c0efb9e129f7f9b05a783df6959812\r\nELF 64-bit LSB executable, x86-64, version 1 (GNU/Linux), statically linked, for GNU/Linux 3.2.0,\r\nBuildID[sha1]=e14724498374cb9b80a77b7bfeb1d1bd342ee139, stripped\r\nThe main functions of the Linux.Dacls Bot are: command execution, file management, process management, network-access testing, C2 connection proxy, and network scanning modules.\r\nInitialization behavior\r\nAfter starting, the Linux.Dacls Bot runs in the background as a daemon. It distinguishes between different runtime environments using the start-up argument /pro, the Bot PID file /var/run/init.pid, and the Bot process name in /proc/\u003cpid\u003e/cmdline; we guess this may be used for Bot upgrades.\r\nConfiguration file .memcache\r\nThe Linux.Dacls Bot configuration file is stored at a fixed location, $HOME/.memcache, and its content is a fixed 0x8E20+4 bytes. If the Bot cannot find the configuration file after start-up, it generates a default one from the hard-coded information in the sample, encrypted with AES; after the Bot has communicated with the C2, it keeps updating the configuration file.\r\nData structure\r\nWe define the configuration file's data structure as struct_global_cfg; it holds the Bot's runtime parameters, C2 information, plugin information and so on.\r\nstruct struct_plugin_cfg_data\r\n{\r\n int plugin_id;\r\n int plugin_type;\r\n int unk3;\r\n char name[1040];\r\n};\r\nstruct struct_c2_content\r\n{\r\n char content[2048];\r\n};\r\nstruct struct_global_cfg\r\n{\r\n int session_id;\r\n int unk_const1;\r\n int sus_version_20190417;\r\n int connect_retry_sleep_time;\r\n char unk_array1[88];\r\n int c2_num;\r\n struct_c2_content c2_list[3];\r\n char unknown_filed_186C[14340];\r\n struct_plugin_cfg_data plug_cfg_data_list[15];\r\n};\r\nAES encryption algorithm\r\nAES, CBC mode\r\nKey: A0 D2 89 29 27 78 75 F6 AA 78 C7 98 39 A0 05 ED\r\nIV: 39 18 82 62 33 EA 18 BB 18 30 78 97 A9 E1 8A 92\r\nDecrypting the configuration file\r\nAfter decrypting the configuration file we can see some plaintext information, for example the session ID, version information, C2 reconnect interval, and C2 information. Once the C2 connection succeeds, the configuration file is updated according to C2 commands, for example by adding information about the plugins the Bot supports or updating the C2 information.\r\nC2 Protocol\r\nCommunication between the Linux.Dacls Bot and the C2 is divided into 3 stages and uses two layers of encryption, TLS and RC4, to protect the traffic. Stage 1 establishes the TLS connection, stage 2 is the mutual protocol authentication (malware beaconing), and stage 3 is the Bot sending RC4-encrypted data.\r\nSSL connection\r\nProtocol authentication\r\nAfter the SSL connection is established, several Beacon messages are exchanged so that the Bot and the C2 confirm each other's identity.\r\nCmd Direction Encrypted Description\r\n0x20000 send no Beacon\r\n0x20100 recv no Beacon\r\n0x20200 send no Beacon\r\nRC4 encryption and decryption flow\r\nRC4 key generation: the key is generated entirely by a random function; the key length is greater than 0 and less than 50.\r\nPermutation table generation: the RC4 permutation table used for encryption is generated from the RC4 key.\r\nEncryption/decryption: performed using the generated permutation table; since RC4 is a symmetric cipher, the encryption and decryption routines are identical.\r\nRC4 decryption example\r\nAfter completing protocol authentication, the Bot sends the RC4 key length (the first 4 bytes) and the RC4 key data to the C2.\r\nAfter receiving the key, the C2 sends ciphertext to the Bot, which decrypts to the 0x00000700 command; the Bot then uploads hostname-related information to the C2.\r\nKey:\r\na3 2f c2 10 f3 92 79 c3 0e f6 e4 e5 2e 69 29 86\r\n0d 3a 92 f5 b7 23 fc 91 d9 46 91 55 a3 86 5a 47\r\n36 1d 58 2a af d1 6d 3d 49 52 23 77 bc 4d fd 49\r\n87\r\nCiphertext:\r\nfe 3c 2c d7 bf 08 e3 91 d7 00 1f d0\r\nPlaintext:\r\n00 07 00 00 00 00 00 00 00 00 00 00\r\nC2 command code table\r\nCommands received by the Linux.Dacls Bot are actually 12 bytes long, but only 4 bytes are meaningful, and they are divided into two control modes.\r\nMode one: when the 3rd byte is 0, the command controls the Bot's main logic.\r\nBelow is an example of the network-order packet for command 0x00000700: the mode is 0x00 and command 2 is 0x07, instructing the Bot to upload hostname information\r\nCommand 1 Command 2 Mode Unknown\r\n00 07 00 00\r\nMode two: when the 3rd byte is 1, the command controls plugin loading.\r\nBelow is an example of the network-order packet for command 0x00010101: the mode is 0x01 and command 1 is 0x01, instructing the Bot to load plugin number 1\r\nCommand 1 Command 2 Mode Unknown\r\n01 01 01 00\r\nAfter receiving a command, the Bot returns 0x20500 on success and 0x20600 on failure.\r\nC2 command table, Bot main logic\r\nModule Cmd Encrypt Description\r\nCore 0x00000601 Yes Upload C2 configuration information\r\nCore 0x00000602 Yes Download configuration information and save it to $HOME/.memcache\r\nCore 0x00000700 Yes Request the Bot to upload host information\r\nCore 0x00000900 Yes Request the Bot to send a heartbeat\r\nC2 command table, Bot plugins\r\nModule Cmd Encrypt Description\r\n/bin/bash 0x00010000 Yes Execute a bash command issued by the C2\r\n/bin/bash 0x00010002 Yes Connect to the specified C2 and execute the system commands it issues\r\nplugin_file 0x00010100 Yes Write file\r\nplugin_file 0x00010101 Yes Read file\r\nplugin_file 0x00010103 Yes Delete file\r\nplugin_file 0x00010104 Yes Scan directory structure\r\nplugin_file 0x00010110 Yes Download a file from the specified URL\r\nplugin_process 0x00010200 Yes Scan and upload host process information\r\nplugin_process 0x00010201 Yes Kill the specified process\r\nplugin_process 0x00010202 Yes Create a daemon process\r\nplugin_process 0x00010204 Yes Obtain and report the process PID and PPID\r\nplugin_test 0x00010300 Yes Test whether the specified IP is reachable\r\nplugin_reverse_p2p 0x00010400 Yes C2 connection proxy\r\nlogsend 0x00011100 Yes Test whether the Log server is reachable\r\nlogsend 0x00011101 Yes Upload public-network port-scan results and command execution output\r\nlogsend 0x00011102 Yes No operation\r\nC2 communication flow chart\r\nPlugin modules\r\nThe Linux.Dacls Bot is statically compiled, with the plugins and the Bot core built into a single binary; different plugins are invoked by sending different commands to accomplish a variety of tasks. The sample we analyzed contains 6 plugins in total; since the plugin configuration is a contiguous array of structures (0x00~0x0e), we guess the Bot may have more plugins.\r\nEach plugin has corresponding configuration information, saved in the Bot configuration file $HOME/.memcache and loaded when the plugin is initialized.\r\nBash plugin\r\nThe Bash plugin is plugin number 0 and mainly supports two functions: receiving system commands issued by the C2 server and executing them; and, when the C2 issues a temporary C2 via a command, connecting to that temporary C2 and executing the system commands it issues.\r\nFile plugin\r\nThe File plugin's main function is file management: in addition to reading, writing, deleting and searching files, it can download files from a specified download server.\r\nProcess plugin\r\nThe Process plugin's main function is process management, including killing a specified process, creating a daemon process, obtaining the current process's PID and PPID, and obtaining the process list.\r\nIf the /proc/\u003cpid\u003e/task directory corresponding to a PID exists, the Bot sample collects the following process information:\r\nRead the full command line from /proc/\u003cpid\u003e/cmdline\r\nRead from /proc/\u003cpid\u003e/status:\r\nName //process name\r\nUid //user ID\r\nGid //group ID\r\nPPid //parent process ID\r\nTest plugin\r\nThe Test plugin's main function is to test network connectivity by connecting to the IP address and port specified by the C2.\r\nReverse P2P plugin\r\nThe Reverse P2P plugin is effectively a C2 connection proxy: driven by control commands, it forwards the specified C2 data in full to a specified IP and port. This is a common technique within Lazarus Group for reducing the risk of detection: it reduces the number of connections from the target host and hides the communication between the target host and the real C2, and in some situations an infected intranet host can be used to pivot further into isolated network segments.\r\nreverse_p2p plugin initialization\r\nAfter receiving the command, the Bot first tries to connect to the specified C2 port and sends command 0x21000; if the C2 returns 0x21300, the C2 connection succeeded. The Bot then connects to the target host port specified in the command; if that connection succeeds it returns 0x21100 to the C2, indicating that the forwarding connection is established and data can be forwarded. From then on the Bot forwards all data from the C2 to the target host and returns all data from the target host to the C2, until either side closes the connection.\r\nBelow is the Reverse P2P plugin workflow chart:\r\nLogSend plugin\r\nThe LogSend plugin has 3 main functions: testing the connection to the Log server, randomly scanning the whole Internet for port 8291 and reporting the results to the Log server, and executing long-running system commands and reporting their console output to the Log server in real time.\r\nLogSend plugin initialization\r\nLogSend operation callback functions\r\nTesting the connection to the Log server\r\nAfter receiving the command, the Bot sends a test request to the Log server. If the Log server returns {\"result\":\"ok\"}, the test succeeded and the C2 can then issue further LogSend commands.\r\nA POST request is sent to the HTTP endpoint address specified by the C2, using a built-in User-Agent\r\nPOST /%s HTTP/1.0\r\nHost: %s\r\nContent-Length: 9\r\nContent-Type: application/x-www-form-urlencoded\r\nUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/65.0.3325.18\r\nAccept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8\r\nAccept-Language: en-us,en;q=0.5\r\nAccept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7\r\nCache-Control: no-cache\r\nConnection: close\r\nlog=check\r\nRandomly scan the whole Internet for port 8291 and report to the Log server.\r\nAfter receiving this command, the Bot randomly generates public IP addresses according to 3 rules and tries to connect to port 8291; if the connection succeeds, it sends the scan result back to the log server.\r\nIP generation rules:\r\nip = \u003cpart1\u003e.\u003cpart2\u003e.\u003cpart3\u003e.\u003cpart4\u003e\r\nrule1: part1 != 127\r\nrule2: part1 == 172 and (part2 \u003c= 15 or part2 \u003e 31)\r\nrule3: part1 != 192 and part2 != 168\r\nrule4: part1 != 10\r\nThe random IP generation algorithm is as follows\r\nWe can see that the Bot hard-codes TCP port 8291 and calls the system connect function to perform the port scan; it only checks whether the port is open and sends no payload data. We know that the Winbox protocol of MikroTik router devices runs on TCP/8291 and is exposed on the Internet; we have previously published 2 articles about threat events on TCP/8291 [1][2].\r\nExecute long-running bash commands and report the console output to the Log server in real time.\r\nExecute a bash command and forward its output to the Log server\r\nAll reported log data is submitted via HTTP POST. The payload format is as follows:\r\nlog=save\u0026session_id=\u003csession id\u003e\u0026value=\u003clog content\u003e\r\nMitigation recommendations\r\nWe recommend that Confluence users apply patches promptly, check for infection based on the processes, file names and TCP network connection characteristics created by the Dacls RAT, and then clean up its related processes and files.\r\nWe recommend that readers monitor and block the IPs, URLs and domains related to the Dacls RAT.\r\nRelevant security and law-enforcement organizations can contact netlab[at]360.cn by email for more information.\r\nContact us\r\nInterested readers can reach us on twitter or on the 360Netlab WeChat public account.\r\nIoC list\r\nSample MD5\r\n6de65fc57a4428ad7e262e980a7f6cc7\r\n80c0efb9e129f7f9b05a783df6959812\r\n982bf527b9fe16205fea606d1beed7fa\r\n8910bdaaa6d3d40e9f60523d3a34f914\r\na99b7ef095f44cf35453465c64f0c70c\r\nbea49839390e4f1eb3cb38d0fcaf897e\r\ncef99063e85af8b065de0ffa9d26cb03\r\ne883bf5fd22eb6237eb84d80bbcf2ac9\r\nHard-coded C2 IPs:\r\n23.81.246.179 United States ASN19148 Leaseweb USA, Inc.\r\n23.254.119.12 Canada ASN55286 B2 Net Solutions Inc.\r\n23.227.196.116 United States ASN35017 Swiftway Sp. z o.o.\r\n37.72.175.179 United States ASN29802 HIVELOCITY, Inc.\r\n23.227.199.53 United States ASN35017 Swiftway Sp. z o.o.\r\n107.172.197.175 United States ASN36352 ColoCrossing\r\n172.93.201.219 United States ASN20278 Nexeon Technologies, Inc.\r\n64.188.19.117 United States ASN8100 QuadraNet Enterprises LLC\r\n74.121.190.121 United States ASN23033 Wowrack.com\r\n192.210.213.178 United States ASN36352 ColoCrossing\r\n209.90.234.34 United States ASN23033 Wowrack.com\r\n198.180.198.6 United States ASN26658 HT\r\nURL\r\nhttp://www.areac-agr.com/cms/wp-content/uploads/2015/12/check.vm\r\nhttp://www.areac-agr.com/cms/wp-content/uploads/2015/12/hdata.dat\r\nhttp://www.areac-agr.com/cms/wp-content/uploads/2015/12/ldata.dat\r\nhttp://www.areac-agr.com/cms/wp-content/uploads/2015/12/mdata.dat\r\nhttp://www.areac-agr.com/cms/wp-content/uploads/2015/12/r.vm\r\nhttp://www.areac-agr.com/cms/wp-content/uploads/2015/12/rdata.dat\r\nhttp://www.areac-agr.com/cms/wp-content/uploads/2015/12/sdata.dat\r\nSource: https://blog.netlab.360.com/dacls-the-dual-platform-rat/",
	"extraction_quality": 1,
	"language": "ZH",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://blog.netlab.360.com/dacls-the-dual-platform-rat/"
	],
	"report_names": [
		"dacls-the-dual-platform-rat"
	],
	"threat_actors": [
		{
			"id": "34eea331-d052-4096-ae03-a22f1d090bd4",
			"created_at": "2025-08-07T02:03:25.073494Z",
			"updated_at": "2026-04-10T02:00:03.709243Z",
			"deleted_at": null,
			"main_name": "NICKEL ACADEMY",
			"aliases": [
				"ATK3 ",
				"Black Artemis ",
				"COVELLITE ",
				"CTG-2460 ",
				"Citrine Sleet ",
				"Diamond Sleet ",
				"Guardians of Peace",
				"HIDDEN COBRA ",
				"High Anonymous",
				"Labyrinth Chollima ",
				"Lazarus Group ",
				"NNPT Group",
				"New Romanic Cyber Army Team",
				"Temp.Hermit ",
				"UNC577 ",
				"Who Am I?",
				"Whois Team",
				"ZINC "
			],
			"source_name": "Secureworks:NICKEL ACADEMY",
			"tools": [
				"Destover",
				"KorHigh",
				"Volgmer"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "732597b1-40a8-474c-88cc-eb8a421c29f1",
			"created_at": "2025-08-07T02:03:25.087732Z",
			"updated_at": "2026-04-10T02:00:03.776007Z",
			"deleted_at": null,
			"main_name": "NICKEL GLADSTONE",
			"aliases": [
				"APT38 ",
				"ATK 117 ",
				"Alluring Pisces ",
				"Black Alicanto ",
				"Bluenoroff ",
				"CTG-6459 ",
				"Citrine Sleet ",
				"HIDDEN COBRA ",
				"Lazarus Group",
				"Sapphire Sleet ",
				"Selective Pisces ",
				"Stardust Chollima ",
				"T-APT-15 ",
				"TA444 ",
				"TAG-71 "
			],
			"source_name": "Secureworks:NICKEL GLADSTONE",
			"tools": [
				"AlphaNC",
				"Bankshot",
				"CCGC_Proxy",
				"Ratankba",
				"RustBucket",
				"SUGARLOADER",
				"SwiftLoader",
				"Wcry"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "a2b92056-9378-4749-926b-7e10c4500dac",
			"created_at": "2023-01-06T13:46:38.430595Z",
			"updated_at": "2026-04-10T02:00:02.971571Z",
			"deleted_at": null,
			"main_name": "Lazarus Group",
			"aliases": [
				"Operation DarkSeoul",
				"Bureau 121",
				"Group 77",
				"APT38",
				"NICKEL GLADSTONE",
				"G0082",
				"COPERNICIUM",
				"Moonstone Sleet",
				"Operation GhostSecret",
				"APT 38",
				"Appleworm",
				"Unit 121",
				"ATK3",
				"G0032",
				"ATK117",
				"NewRomanic Cyber Army Team",
				"Nickel Academy",
				"Sapphire Sleet",
				"Lazarus group",
				"Hastati Group",
				"Subgroup: Bluenoroff",
				"Operation Troy",
				"Black Artemis",
				"Dark Seoul",
				"Andariel",
				"Labyrinth Chollima",
				"Operation AppleJeus",
				"COVELLITE",
				"Citrine Sleet",
				"DEV-0139",
				"DEV-1222",
				"Hidden Cobra",
				"Bluenoroff",
				"Stardust Chollima",
				"Whois Hacking Team",
				"Diamond Sleet",
				"TA404",
				"BeagleBoyz",
				"APT-C-26"
			],
			"source_name": "MISPGALAXY:Lazarus Group",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "32a223a8-3c79-4146-87c5-8557d38662ae",
			"created_at": "2022-10-25T15:50:23.703698Z",
			"updated_at": "2026-04-10T02:00:05.261989Z",
			"deleted_at": null,
			"main_name": "Lazarus Group",
			"aliases": [
				"Lazarus Group",
				"Labyrinth Chollima",
				"HIDDEN COBRA",
				"Guardians of Peace",
				"NICKEL ACADEMY",
				"Diamond Sleet"
			],
			"source_name": "MITRE:Lazarus Group",
			"tools": [
				"RawDisk",
				"Proxysvc",
				"BADCALL",
				"FALLCHILL",
				"WannaCry",
				"MagicRAT",
				"HOPLIGHT",
				"TYPEFRAME",
				"Dtrack",
				"HotCroissant",
				"HARDRAIN",
				"Dacls",
				"KEYMARBLE",
				"TAINTEDSCRIBE",
				"AuditCred",
				"netsh",
				"ECCENTRICBANDWAGON",
				"AppleJeus",
				"BLINDINGCAN",
				"ThreatNeedle",
				"Volgmer",
				"Cryptoistic",
				"RATANKBA",
				"Bankshot"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "f32df445-9fb4-4234-99e0-3561f6498e4e",
			"created_at": "2022-10-25T16:07:23.756373Z",
			"updated_at": "2026-04-10T02:00:04.739611Z",
			"deleted_at": null,
			"main_name": "Lazarus Group",
			"aliases": [
				"APT-C-26",
				"ATK 3",
				"Appleworm",
				"Citrine Sleet",
				"DEV-0139",
				"Diamond Sleet",
				"G0032",
				"Gleaming Pisces",
				"Gods Apostles",
				"Gods Disciples",
				"Group 77",
				"Guardians of Peace",
				"Hastati Group",
				"Hidden Cobra",
				"ITG03",
				"Jade Sleet",
				"Labyrinth Chollima",
				"Lazarus Group",
				"NewRomanic Cyber Army Team",
				"Operation 99",
				"Operation AppleJeus",
				"Operation AppleJeus sequel",
				"Operation Blockbuster: Breach of Sony Pictures Entertainment",
				"Operation CryptoCore",
				"Operation Dream Job",
				"Operation Dream Magic",
				"Operation Flame",
				"Operation GhostSecret",
				"Operation In(ter)caption",
				"Operation LolZarus",
				"Operation Marstech Mayhem",
				"Operation No Pineapple!",
				"Operation North Star",
				"Operation Phantom Circuit",
				"Operation Sharpshooter",
				"Operation SyncHole",
				"Operation Ten Days of Rain / DarkSeoul",
				"Operation Troy",
				"SectorA01",
				"Slow Pisces",
				"TA404",
				"TraderTraitor",
				"UNC2970",
				"UNC4034",
				"UNC4736",
				"UNC4899",
				"UNC577",
				"Whois Hacking Team"
			],
			"source_name": "ETDA:Lazarus Group",
			"tools": [
				"3CX Backdoor",
				"3Rat Client",
				"3proxy",
				"AIRDRY",
				"ARTFULPIE",
				"ATMDtrack",
				"AlphaNC",
				"Alreay",
				"Andaratm",
				"AngryRebel",
				"AppleJeus",
				"Aryan",
				"AuditCred",
				"BADCALL",
				"BISTROMATH",
				"BLINDINGCAN",
				"BTC Changer",
				"BUFFETLINE",
				"BanSwift",
				"Bankshot",
				"Bitrep",
				"Bitsran",
				"BlindToad",
				"Bookcode",
				"BootWreck",
				"BottomLoader",
				"Brambul",
				"BravoNC",
				"Breut",
				"COLDCAT",
				"COPPERHEDGE",
				"CROWDEDFLOUNDER",
				"Castov",
				"CheeseTray",
				"CleanToad",
				"ClientTraficForwarder",
				"CollectionRAT",
				"Concealment Troy",
				"Contopee",
				"CookieTime",
				"Cyruslish",
				"DAVESHELL",
				"DBLL Dropper",
				"DLRAT",
				"DRATzarus",
				"DRATzarus RAT",
				"Dacls",
				"Dacls RAT",
				"DarkComet",
				"DarkKomet",
				"DeltaCharlie",
				"DeltaNC",
				"Dembr",
				"Destover",
				"DoublePulsar",
				"Dozer",
				"Dtrack",
				"Duuzer",
				"DyePack",
				"ECCENTRICBANDWAGON",
				"ELECTRICFISH",
				"Escad",
				"EternalBlue",
				"FALLCHILL",
				"FYNLOS",
				"FallChill RAT",
				"Farfli",
				"Fimlis",
				"FoggyBrass",
				"FudModule",
				"Fynloski",
				"Gh0st RAT",
				"Ghost RAT",
				"Gopuram",
				"HARDRAIN",
				"HIDDEN COBRA RAT/Worm",
				"HLOADER",
				"HOOKSHOT",
				"HOPLIGHT",
				"HOTCROISSANT",
				"HOTWAX",
				"HTTP Troy",
				"Hawup",
				"Hawup RAT",
				"Hermes",
				"HotCroissant",
				"HotelAlfa",
				"Hotwax",
				"HtDnDownLoader",
				"Http Dr0pper",
				"ICONICSTEALER",
				"Joanap",
				"Jokra",
				"KANDYKORN",
				"KEYMARBLE",
				"Kaos",
				"KillDisk",
				"KillMBR",
				"Koredos",
				"Krademok",
				"LIGHTSHIFT",
				"LIGHTSHOW",
				"LOLBAS",
				"LOLBins",
				"Lazarus",
				"LightlessCan",
				"Living off the Land",
				"MATA",
				"MBRkiller",
				"MagicRAT",
				"Manuscrypt",
				"Mimail",
				"Mimikatz",
				"Moudour",
				"Mydoom",
				"Mydoor",
				"Mytob",
				"NACHOCHEESE",
				"NachoCheese",
				"NestEgg",
				"NickelLoader",
				"NineRAT",
				"Novarg",
				"NukeSped",
				"OpBlockBuster",
				"PCRat",
				"PEBBLEDASH",
				"PLANKWALK",
				"POOLRAT",
				"PSLogger",
				"PhanDoor",
				"Plink",
				"PondRAT",
				"PowerBrace",
				"PowerRatankba",
				"PowerShell RAT",
				"PowerSpritz",
				"PowerTask",
				"Preft",
				"ProcDump",
				"Proxysvc",
				"PuTTY Link",
				"QUICKRIDE",
				"QUICKRIDE.POWER",
				"Quickcafe",
				"QuiteRAT",
				"R-C1",
				"ROptimizer",
				"Ratabanka",
				"RatabankaPOS",
				"Ratankba",
				"RatankbaPOS",
				"RawDisk",
				"RedShawl",
				"Rifdoor",
				"Rising Sun",
				"Romeo-CoreOne",
				"RomeoAlfa",
				"RomeoBravo",
				"RomeoCharlie",
				"RomeoCore",
				"RomeoDelta",
				"RomeoEcho",
				"RomeoFoxtrot",
				"RomeoGolf",
				"RomeoHotel",
				"RomeoMike",
				"RomeoNovember",
				"RomeoWhiskey",
				"Romeos",
				"RustBucket",
				"SHADYCAT",
				"SHARPKNOT",
				"SIGFLIP",
				"SIMPLESEA",
				"SLICKSHOES",
				"SORRYBRUTE",
				"SUDDENICON",
				"SUGARLOADER",
				"SheepRAT",
				"SierraAlfa",
				"SierraBravo",
				"SierraCharlie",
				"SierraJuliett-MikeOne",
				"SierraJuliett-MikeTwo",
				"SimpleTea",
				"SimplexTea",
				"SmallTiger",
				"Stunnel",
				"TAINTEDSCRIBE",
				"TAXHAUL",
				"TFlower",
				"TOUCHKEY",
				"TOUCHMOVE",
				"TOUCHSHIFT",
				"TOUCHSHOT",
				"TWOPENCE",
				"TYPEFRAME",
				"Tdrop",
				"Tdrop2",
				"ThreatNeedle",
				"Tiger RAT",
				"TigerRAT",
				"Trojan Manuscript",
				"Troy",
				"TroyRAT",
				"VEILEDSIGNAL",
				"VHD",
				"VHD Ransomware",
				"VIVACIOUSGIFT",
				"VSingle",
				"ValeforBeta",
				"Volgmer",
				"Vyveva",
				"W1_RAT",
				"Wana Decrypt0r",
				"WanaCry",
				"WanaCrypt",
				"WanaCrypt0r",
				"WannaCry",
				"WannaCrypt",
				"WannaCryptor",
				"WbBot",
				"Wcry",
				"Win32/KillDisk.NBB",
				"Win32/KillDisk.NBC",
				"Win32/KillDisk.NBD",
				"Win32/KillDisk.NBH",
				"Win32/KillDisk.NBI",
				"WinorDLL64",
				"Winsec",
				"WolfRAT",
				"Wormhole",
				"YamaBot",
				"Yort",
				"ZetaNile",
				"concealment_troy",
				"http_troy",
				"httpdr0pper",
				"httpdropper",
				"klovbot",
				"sRDI"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434458,
	"ts_updated_at": 1775792300,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/346b5c9da05e034d9ad4718a74fc5aa1cab86a79.pdf",
		"text": "https://archive.orkl.eu/346b5c9da05e034d9ad4718a74fc5aa1cab86a79.txt",
		"img": "https://archive.orkl.eu/346b5c9da05e034d9ad4718a74fc5aa1cab86a79.jpg"
	}
}