{
	"id": "5919f224-4d95-472b-bb37-60ce597dd8ee",
	"created_at": "2026-04-06T00:17:08.027602Z",
	"updated_at": "2026-04-10T13:11:33.049919Z",
	"deleted_at": null,
	"sha1_hash": "3896f2a0847b9912621c509fee0dfc7758575cd7",
	"title": "Lazarus Threat Group Attacking Windows Servers to Use as Malware Distribution Points - ASEC",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1054138,
	"plain_text": "Lazarus Threat Group Attacking Windows Servers to Use as Malware Distribution Points - ASEC\r\nBy ATCP\r\nPublished: 2023-07-13 · Archived: 2026-04-05 17:34:27 UTC\r\nAhnLab Security Emergency response Center (ASEC) has discovered that Lazarus, a threat group deemed to be nationally funded, is attacking Windows Internet Information Service (IIS) web servers and using them as distribution points for their malware.\r\nThe group is known to use the watering hole technique for initial access. [1] The group first hacks Korean websites and modifies the content provided from the site. When a system using a vulnerable version of INISAFE CrossWeb EX V6 visits this website via a web browser, the Lazarus malware (SCSKAppLink.dll) is installed from the distribution site through the INISAFECrossWebEXSvc.exe vulnerability.\r\nWhile the INITECH vulnerability has already been patched, vulnerability attacks against systems that have not yet been patched still continue to this day. After the Lazarus group attacks an IIS web server and obtains control, it will use the server to distribute malware used for INITECH vulnerability attacks. If a system has a vulnerable version of INISAFE CrossWeb EX V3 installed on it, it must be uninstalled and updated to the latest version following the security update recommendation below.\r\nInitech Product (INISAFE CrossWEB) Security Update Recommendation\r\n1. Attacks Against Windows IIS Web Servers\r\nCases of the Lazarus threat group targeting IIS servers had also been covered in the past blog post (May 2023), “Lazarus Group Targeting Windows IIS Web Servers”[2]. It was identified in the attack case at the time that the threat actor used poorly managed or vulnerable web servers as the initial access point. There were also circumstances of RDP being used for lateral movement after the internal reconnaissance process.\r\nOrdinarily, when attackers find a web server with a vulnerable version from scanning, they use the vulnerability suitable for the version to install a WebShell or execute malicious commands. When the threat actor exploits the vulnerability to execute malicious commands or uses a WebShell to download/upload files and execute remote commands, the malicious behaviors are performed by w3wp.exe, which is the IIS web server process.\r\nThe recently identified attack showed that the Lazarus threat group’s malware strains were generated by w3wp.exe (IIS web server process), similar to past cases.\r\nhttps://asec.ahnlab.com/en/55369/\r\nPage 1 of 7\r\n2. Privilege Escalation Malware JuicyPotato (usopriv.exe)\r\nThe malware generated by the w3wp.exe process, usopriv.exe, is the JuicyPotato malware packed with Themida. The Potato malware strains are responsible for privilege escalation. There are many types such as JuicyPotato, RottenPotato, and SweetPotato according to the privilege escalation method.\r\nWhile threat actors can control the processes through WebShells or dictionary attacks, they cannot perform the intended malicious behaviors because the w3wp.exe process does not have the appropriate privilege. The case is the same for the sqlservr.exe process in MS-SQL servers. To resolve this problem, threat actors often simultaneously use privilege escalation tools in their attacks.\r\nParticularly, the Potato strains of malware for privilege escalation are mainly used in attacks against IIS web servers and MS-SQL database servers. Potato types escalate privilege by abusing some processes with certain privileges activated. Afterward, the threat actor is able to perform malicious behaviors using the elevated privilege.\r\nThe following is a list of commands executed by the threat actor using JuicyPotato installed in infected systems. The whoami command was used to check if privilege escalation had occurred correctly. A log was also found showing that a loader malware, which is responsible for the actual malicious behavior, had been executed.\r\nTime | Location | Command\r\n2023-6-28 11:35 AM | %ALLUSERSPROFILE%\\usopriv.exe | %SystemRoot%\\system32\\cmd.exe /c whoami \u003e c:\\programdata\r\n2023-6-29 7:48 AM | %ALLUSERSPROFILE%\\usopriv.exe | %SystemRoot%\\system32\\cmd.exe /c whoami \u003e c:\\programdata\r\n2023-6-29 7:51 AM | %ALLUSERSPROFILE%\\usopriv.exe | %SystemRoot%\\system32\\cmd.exe /c whoami \u003e c:\\programdata\\nueio.txt\r\n2023-6-29 8:27 AM | %ALLUSERSPROFILE%\\usopriv.exe | %SystemRoot%\\system32\\cmd.exe /c rundll32 c:\\programdata\\usoshared.dat ,usoprivfunc 4729858204985024133\r\n2023-6-29 8:40 AM | %ALLUSERSPROFILE%\\usopriv.exe | %SystemRoot%\\system32\\cmd.exe /c del c:\\programdata\\nueio.txt\r\n2023-6-29 3:08 PM | %USERPROFILE%\\desktop\\ngc\\usopriv.exe | %SystemRoot%\\system32\\cmd.exe /c whoami \u003e c:\\users\\%ASD%\\desktop\\ngc\\test.txt\r\nTable 1. List of commands executed through the privilege escalation malware\r\n3. Loader Malware (usoshared.dat)\r\nThe threat actor used JuicyPotato to execute a loader. The loader is in DLL format, so rundll32 was used to execute it. A random string was given as the argument.\r\n\u003e rundll32 c:\\programdata\\usoshared.dat ,usoprivfunc 4729858204985024133\r\nFirst, the loader decrypts the file name of the data to be used and obtains the string “{20D1BF68-64EE-489D-9229-95FEFE5F12A4}”. This string is the name of the data file. Files with this name are searched for in a total of three paths. While the files in these paths have not been procured as of yet, it could be identified through the loader malware routine that this malware type is a loader that decrypts encrypted data files and executes them in the memory area.\r\n– A folder containing rundll32.exe\r\n– A folder containing usoshared.dat\r\n– C:\\Windows\\Installer\\\r\nIf the file {20D1BF68-64EE-489D-9229-95FEFE5F12A4} exists in one of the above paths, the first 3 bytes are read to determine if it is the string “GIF”. It appears that the threat actor disguised the data file as a GIF image file. If the conditions match, the next 4 bytes are read. This contains the size of the data that will be read.\r\nBecause the remaining data is executed in the memory area through the following decryption routine, it is deemed to be the actual encrypted PE. The first obtained data (starting with 0xC00) is given as an argument when executing the PE in the memory area, and so is deemed to be the configuration data to be used by the decrypted malware.\r\nOffset | Size | Data\r\n0x0000 | 0x0003 | Signature (GIF)\r\n0x0003 | 0x0004 | The size of the configuration data\r\n0x0007 | SizeOfConfig | Encrypted configuration data\r\n0x0007 + SizeOfConfig | Remainder | The size of the encrypted PE (0x04) and the encrypted PE itself\r\nTable 2. Structure of the encrypted data file\r\nGenerally, the Lazarus group uses a loader malware and an encrypted data file together. As shown above, the process involves a loader in the PE format finding a data file in a certain path. The file will be run after it is decrypted in the memory area. While the data file has not been identified yet, examining past cases reveals that the ultimately executed malware strains are mostly downloaders that download additional malware types or backdoors that can receive commands from the threat actor to perform malicious behaviors.\r\n4. INISAFE Vulnerability Exploitation\r\nAccording to AhnLab Smart Defense (ASD) logs, INISAFE vulnerability attacks against systems using unpatched past versions of INISAFECrossWebEX are continuously ongoing.\r\nAfter these attacks, the threat actor attempted to install an additional malware “SCSKAppLink.dll” in the infected system through INISAFE vulnerability attacks. The download URL for “SCSKAppLink.dll” was identified as being the aforementioned IIS web server. This signifies that the threat actor attacked and gained control over IIS web servers before using these as servers for distributing malware.\r\nThe malware installed through exploiting this vulnerability (“SCSKAppLink.dll”) has not been identified, but it is probably similar to that covered in a previous ASEC Blog post, “New Malware of Lazarus Threat Actor Group Exploiting INITECH Process”[3]. “SCSKAppLink.dll” was identified in the past as being a downloader malware that downloads and executes additional malware strains from an external source. It can install malware types designated by the attacker in the system to gain control.\r\n5. Conclusion\r\nThe Lazarus group used various attack vectors for initial access such as joint certificate vulnerabilities and 3CX supply chain attacks. It is one of the most dangerous threat groups highly active worldwide. Thus, corporate security managers must practice strict management by employing attack surface management to identify assets that may be exposed to threat actors and continuously applying the latest security patches.\r\nThe threat actor is continuously using vulnerability attacks for initial access to unpatched systems. If a system does not have the latest version of INITECH products installed, the latest update must be applied following the security update recommendation below.\r\nInitech Product (INISAFE CrossWEB) Security Update Recommendation\r\nAlso, V3 should be updated to the latest version so that malware infection can be prevented.\r\nFile Detection\r\n– Exploit/Win.JuicyPotato.C5452409 (2023.07.12.03)\r\n– Trojan/Win.Loader.C5452411 (2023.07.12.03)\r\nBehavior Detection\r\n– InitialAccess/MDP.Event.M4242\r\nMD5\r\n280152dfeb6d3123789138c0a396f30d\r\nd0572a2dd4da042f1c64b542e24549d9\r\nAdditional IOCs are available on AhnLab TIP.\r\nGain access to related IOCs and detailed analysis by subscribing to AhnLab TIP.\r\nSource: https://asec.ahnlab.com/en/55369/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://asec.ahnlab.com/en/55369/"
	],
	"report_names": [
		"55369"
	],
	"threat_actors": [
		{
			"id": "34eea331-d052-4096-ae03-a22f1d090bd4",
			"created_at": "2025-08-07T02:03:25.073494Z",
			"updated_at": "2026-04-10T02:00:03.709243Z",
			"deleted_at": null,
			"main_name": "NICKEL ACADEMY",
			"aliases": [
				"ATK3 ",
				"Black Artemis ",
				"COVELLITE ",
				"CTG-2460 ",
				"Citrine Sleet ",
				"Diamond Sleet ",
				"Guardians of Peace",
				"HIDDEN COBRA ",
				"High Anonymous",
				"Labyrinth Chollima ",
				"Lazarus Group ",
				"NNPT Group",
				"New Romanic Cyber Army Team",
				"Temp.Hermit ",
				"UNC577 ",
				"Who Am I?",
				"Whois Team",
				"ZINC "
			],
			"source_name": "Secureworks:NICKEL ACADEMY",
			"tools": [
				"Destover",
				"KorHigh",
				"Volgmer"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "732597b1-40a8-474c-88cc-eb8a421c29f1",
			"created_at": "2025-08-07T02:03:25.087732Z",
			"updated_at": "2026-04-10T02:00:03.776007Z",
			"deleted_at": null,
			"main_name": "NICKEL GLADSTONE",
			"aliases": [
				"APT38 ",
				"ATK 117 ",
				"Alluring Pisces ",
				"Black Alicanto ",
				"Bluenoroff ",
				"CTG-6459 ",
				"Citrine Sleet ",
				"HIDDEN COBRA ",
				"Lazarus Group",
				"Sapphire Sleet ",
				"Selective Pisces ",
				"Stardust Chollima ",
				"T-APT-15 ",
				"TA444 ",
				"TAG-71 "
			],
			"source_name": "Secureworks:NICKEL GLADSTONE",
			"tools": [
				"AlphaNC",
				"Bankshot",
				"CCGC_Proxy",
				"Ratankba",
				"RustBucket",
				"SUGARLOADER",
				"SwiftLoader",
				"Wcry"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "a2b92056-9378-4749-926b-7e10c4500dac",
			"created_at": "2023-01-06T13:46:38.430595Z",
			"updated_at": "2026-04-10T02:00:02.971571Z",
			"deleted_at": null,
			"main_name": "Lazarus Group",
			"aliases": [
				"Operation DarkSeoul",
				"Bureau 121",
				"Group 77",
				"APT38",
				"NICKEL GLADSTONE",
				"G0082",
				"COPERNICIUM",
				"Moonstone Sleet",
				"Operation GhostSecret",
				"APT 38",
				"Appleworm",
				"Unit 121",
				"ATK3",
				"G0032",
				"ATK117",
				"NewRomanic Cyber Army Team",
				"Nickel Academy",
				"Sapphire Sleet",
				"Lazarus group",
				"Hastati Group",
				"Subgroup: Bluenoroff",
				"Operation Troy",
				"Black Artemis",
				"Dark Seoul",
				"Andariel",
				"Labyrinth Chollima",
				"Operation AppleJeus",
				"COVELLITE",
				"Citrine Sleet",
				"DEV-0139",
				"DEV-1222",
				"Hidden Cobra",
				"Bluenoroff",
				"Stardust Chollima",
				"Whois Hacking Team",
				"Diamond Sleet",
				"TA404",
				"BeagleBoyz",
				"APT-C-26"
			],
			"source_name": "MISPGALAXY:Lazarus Group",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "32a223a8-3c79-4146-87c5-8557d38662ae",
			"created_at": "2022-10-25T15:50:23.703698Z",
			"updated_at": "2026-04-10T02:00:05.261989Z",
			"deleted_at": null,
			"main_name": "Lazarus Group",
			"aliases": [
				"Lazarus Group",
				"Labyrinth Chollima",
				"HIDDEN COBRA",
				"Guardians of Peace",
				"NICKEL ACADEMY",
				"Diamond Sleet"
			],
			"source_name": "MITRE:Lazarus Group",
			"tools": [
				"RawDisk",
				"Proxysvc",
				"BADCALL",
				"FALLCHILL",
				"WannaCry",
				"MagicRAT",
				"HOPLIGHT",
				"TYPEFRAME",
				"Dtrack",
				"HotCroissant",
				"HARDRAIN",
				"Dacls",
				"KEYMARBLE",
				"TAINTEDSCRIBE",
				"AuditCred",
				"netsh",
				"ECCENTRICBANDWAGON",
				"AppleJeus",
				"BLINDINGCAN",
				"ThreatNeedle",
				"Volgmer",
				"Cryptoistic",
				"RATANKBA",
				"Bankshot"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "f32df445-9fb4-4234-99e0-3561f6498e4e",
			"created_at": "2022-10-25T16:07:23.756373Z",
			"updated_at": "2026-04-10T02:00:04.739611Z",
			"deleted_at": null,
			"main_name": "Lazarus Group",
			"aliases": [
				"APT-C-26",
				"ATK 3",
				"Appleworm",
				"Citrine Sleet",
				"DEV-0139",
				"Diamond Sleet",
				"G0032",
				"Gleaming Pisces",
				"Gods Apostles",
				"Gods Disciples",
				"Group 77",
				"Guardians of Peace",
				"Hastati Group",
				"Hidden Cobra",
				"ITG03",
				"Jade Sleet",
				"Labyrinth Chollima",
				"Lazarus Group",
				"NewRomanic Cyber Army Team",
				"Operation 99",
				"Operation AppleJeus",
				"Operation AppleJeus sequel",
				"Operation Blockbuster: Breach of Sony Pictures Entertainment",
				"Operation CryptoCore",
				"Operation Dream Job",
				"Operation Dream Magic",
				"Operation Flame",
				"Operation GhostSecret",
				"Operation In(ter)caption",
				"Operation LolZarus",
				"Operation Marstech Mayhem",
				"Operation No Pineapple!",
				"Operation North Star",
				"Operation Phantom Circuit",
				"Operation Sharpshooter",
				"Operation SyncHole",
				"Operation Ten Days of Rain / DarkSeoul",
				"Operation Troy",
				"SectorA01",
				"Slow Pisces",
				"TA404",
				"TraderTraitor",
				"UNC2970",
				"UNC4034",
				"UNC4736",
				"UNC4899",
				"UNC577",
				"Whois Hacking Team"
			],
			"source_name": "ETDA:Lazarus Group",
			"tools": [
				"3CX Backdoor",
				"3Rat Client",
				"3proxy",
				"AIRDRY",
				"ARTFULPIE",
				"ATMDtrack",
				"AlphaNC",
				"Alreay",
				"Andaratm",
				"AngryRebel",
				"AppleJeus",
				"Aryan",
				"AuditCred",
				"BADCALL",
				"BISTROMATH",
				"BLINDINGCAN",
				"BTC Changer",
				"BUFFETLINE",
				"BanSwift",
				"Bankshot",
				"Bitrep",
				"Bitsran",
				"BlindToad",
				"Bookcode",
				"BootWreck",
				"BottomLoader",
				"Brambul",
				"BravoNC",
				"Breut",
				"COLDCAT",
				"COPPERHEDGE",
				"CROWDEDFLOUNDER",
				"Castov",
				"CheeseTray",
				"CleanToad",
				"ClientTraficForwarder",
				"CollectionRAT",
				"Concealment Troy",
				"Contopee",
				"CookieTime",
				"Cyruslish",
				"DAVESHELL",
				"DBLL Dropper",
				"DLRAT",
				"DRATzarus",
				"DRATzarus RAT",
				"Dacls",
				"Dacls RAT",
				"DarkComet",
				"DarkKomet",
				"DeltaCharlie",
				"DeltaNC",
				"Dembr",
				"Destover",
				"DoublePulsar",
				"Dozer",
				"Dtrack",
				"Duuzer",
				"DyePack",
				"ECCENTRICBANDWAGON",
				"ELECTRICFISH",
				"Escad",
				"EternalBlue",
				"FALLCHILL",
				"FYNLOS",
				"FallChill RAT",
				"Farfli",
				"Fimlis",
				"FoggyBrass",
				"FudModule",
				"Fynloski",
				"Gh0st RAT",
				"Ghost RAT",
				"Gopuram",
				"HARDRAIN",
				"HIDDEN COBRA RAT/Worm",
				"HLOADER",
				"HOOKSHOT",
				"HOPLIGHT",
				"HOTCROISSANT",
				"HOTWAX",
				"HTTP Troy",
				"Hawup",
				"Hawup RAT",
				"Hermes",
				"HotCroissant",
				"HotelAlfa",
				"Hotwax",
				"HtDnDownLoader",
				"Http Dr0pper",
				"ICONICSTEALER",
				"Joanap",
				"Jokra",
				"KANDYKORN",
				"KEYMARBLE",
				"Kaos",
				"KillDisk",
				"KillMBR",
				"Koredos",
				"Krademok",
				"LIGHTSHIFT",
				"LIGHTSHOW",
				"LOLBAS",
				"LOLBins",
				"Lazarus",
				"LightlessCan",
				"Living off the Land",
				"MATA",
				"MBRkiller",
				"MagicRAT",
				"Manuscrypt",
				"Mimail",
				"Mimikatz",
				"Moudour",
				"Mydoom",
				"Mydoor",
				"Mytob",
				"NACHOCHEESE",
				"NachoCheese",
				"NestEgg",
				"NickelLoader",
				"NineRAT",
				"Novarg",
				"NukeSped",
				"OpBlockBuster",
				"PCRat",
				"PEBBLEDASH",
				"PLANKWALK",
				"POOLRAT",
				"PSLogger",
				"PhanDoor",
				"Plink",
				"PondRAT",
				"PowerBrace",
				"PowerRatankba",
				"PowerShell RAT",
				"PowerSpritz",
				"PowerTask",
				"Preft",
				"ProcDump",
				"Proxysvc",
				"PuTTY Link",
				"QUICKRIDE",
				"QUICKRIDE.POWER",
				"Quickcafe",
				"QuiteRAT",
				"R-C1",
				"ROptimizer",
				"Ratabanka",
				"RatabankaPOS",
				"Ratankba",
				"RatankbaPOS",
				"RawDisk",
				"RedShawl",
				"Rifdoor",
				"Rising Sun",
				"Romeo-CoreOne",
				"RomeoAlfa",
				"RomeoBravo",
				"RomeoCharlie",
				"RomeoCore",
				"RomeoDelta",
				"RomeoEcho",
				"RomeoFoxtrot",
				"RomeoGolf",
				"RomeoHotel",
				"RomeoMike",
				"RomeoNovember",
				"RomeoWhiskey",
				"Romeos",
				"RustBucket",
				"SHADYCAT",
				"SHARPKNOT",
				"SIGFLIP",
				"SIMPLESEA",
				"SLICKSHOES",
				"SORRYBRUTE",
				"SUDDENICON",
				"SUGARLOADER",
				"SheepRAT",
				"SierraAlfa",
				"SierraBravo",
				"SierraCharlie",
				"SierraJuliett-MikeOne",
				"SierraJuliett-MikeTwo",
				"SimpleTea",
				"SimplexTea",
				"SmallTiger",
				"Stunnel",
				"TAINTEDSCRIBE",
				"TAXHAUL",
				"TFlower",
				"TOUCHKEY",
				"TOUCHMOVE",
				"TOUCHSHIFT",
				"TOUCHSHOT",
				"TWOPENCE",
				"TYPEFRAME",
				"Tdrop",
				"Tdrop2",
				"ThreatNeedle",
				"Tiger RAT",
				"TigerRAT",
				"Trojan Manuscript",
				"Troy",
				"TroyRAT",
				"VEILEDSIGNAL",
				"VHD",
				"VHD Ransomware",
				"VIVACIOUSGIFT",
				"VSingle",
				"ValeforBeta",
				"Volgmer",
				"Vyveva",
				"W1_RAT",
				"Wana Decrypt0r",
				"WanaCry",
				"WanaCrypt",
				"WanaCrypt0r",
				"WannaCry",
				"WannaCrypt",
				"WannaCryptor",
				"WbBot",
				"Wcry",
				"Win32/KillDisk.NBB",
				"Win32/KillDisk.NBC",
				"Win32/KillDisk.NBD",
				"Win32/KillDisk.NBH",
				"Win32/KillDisk.NBI",
				"WinorDLL64",
				"Winsec",
				"WolfRAT",
				"Wormhole",
				"YamaBot",
				"Yort",
				"ZetaNile",
				"concealment_troy",
				"http_troy",
				"httpdr0pper",
				"httpdropper",
				"klovbot",
				"sRDI"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434628,
	"ts_updated_at": 1775826693,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/3896f2a0847b9912621c509fee0dfc7758575cd7.pdf",
		"text": "https://archive.orkl.eu/3896f2a0847b9912621c509fee0dfc7758575cd7.txt",
		"img": "https://archive.orkl.eu/3896f2a0847b9912621c509fee0dfc7758575cd7.jpg"
	}
}