{
	"id": "31389c3f-8807-4498-b7e0-9a26224c6422",
	"created_at": "2026-04-06T00:10:03.112864Z",
	"updated_at": "2026-04-10T03:38:19.068701Z",
	"deleted_at": null,
	"sha1_hash": "451eaae10f18b5a816b3d6e8b9aedf45c58d8689",
	"title": "Analysis Report on Lazarus Threat Group’s Volgmer and Scout Malwares",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 2108119,
	"plain_text": "Analysis Report on Lazarus Threat Group’s Volgmer and Scout Malwares\r\nBy ATCP\r\nPublished: 2023-10-03 · Archived: 2026-04-05 21:29:24 UTC\r\nTable of Contents\r\nOverview\r\n1. Analysis of Volgmer Backdoor\r\n    1.1. Initial Version of Volgmer\r\n        1.1.1. Analysis of Volgmer Dropper\r\n        1.1.2. Analysis of Volgmer Backdoor\r\n    1.2. Later Version of Volgmer\r\n        1.2.1. Analysis of Volgmer Backdoor\r\n2. Analysis of Scout Downloader\r\n    2.1. Droppers (Volgmer, Scout)\r\n    2.2. Analysis of Scout Downloader\r\n        2.2.1. Scout Downloader v1\r\n        2.2.2. Scout Downloader v2\r\n3. Conclusion\r\nThe seemingly state-sponsored Lazarus threat group has records of activity that date back to 2009. In the early\r\ndays, their activities were mostly focused on Korea, but since 2016, the group has been attacking the defense,\r\nadvanced technology, and finance sectors worldwide. The Lazarus group usually employed spear phishing and\r\nsupply chain attacks, typically disguising the malware as legitimate programs in their attack process. [1]\r\nFor the last few years, the group launched watering hole attacks to attack multiple Korean enterprises and\r\norganizations in the fields of defense, satellite, software, and media. Their method for initial access involved the\r\nexploitation of a security vulnerability of a Korean financial security certification software. [2] Even after initial\r\naccess, the threat actor exploited vulnerabilities in web security software or enterprise asset management programs\r\nduring lateral movement. [3] The Lazarus group attacks not only ordinary PCs but also server systems for the\r\npurpose of using them as malware distribution or C\u0026C servers. [4] [5]\r\nBecause the Lazarus threat group has been active for a long time, there are many attack cases, and various\r\nmalware strains are used in each case. 
In particular, there is also a wide variety of backdoors used for controlling\r\nthe infected system after initial access. AhnLab Security Emergency response Center (ASEC) is continuously\r\ntracking and analyzing attacks by the Lazarus group, and in this post, we will analyze Volgmer and Scout, the two\r\nmajor malware strains used in their attacks.\r\nVolgmer is a backdoor that has been used by the Lazarus threat group since 2014. Volgmer, which usually runs by\r\nbeing registered as a service, is installed with a name that disguises it as a legitimate file. It differs from other\r\nhttps://asec.ahnlab.com/en/57685/\r\nPage 1 of 22\n\nmalware in the fact that it encrypts and saves the configuration data in the registry key\r\n“HKLM\\SYSTEM\\CurrentControlSet\\Control\\WMI\\Security”. ASEC identified that since 2014, Volgmer\r\nunderwent many changes and has been used in attacks until about 2021. We also confirmed that since 2022, a\r\ndownloader named Scout has been used in attacks instead of Volgmer. The basic operating mechanism of Scout is\r\nsimilar to the previous one, with the only difference in the actual features. The payload it downloads is presumed\r\nto be a backdoor for controlling the infected system.\r\nScout has been in use for attacks since around 2022. While there are many instances where the specific attack\r\ncases could not be confirmed, there are cases where the initial access process was identified. For example, it was\r\nfound alongside other pieces of malware in the attack case mentioned above, where a security vulnerability of a\r\nKorean financial security certification software was exploited. Much like the Lazarus group’s ordinary activities,\r\nits targets include multiple Korean enterprises and organizations in the defense, manufacturing, ICT, and financial\r\nsectors. The threat actor used this malware to control the infected systems. 
There has also been a case of BYOVD\r\n(Bring Your Own Vulnerable Driver), where the threat actor leveraged a vulnerable driver module of a hardware\r\nsupplier to disable security products. [6] [7]\r\nThis blog post will analyze the initial version of Volgmer backdoor that was identified first and the later version\r\nthat began to be used in attacks in around 2017. Afterward, we will analyze the Scout downloader and also cover\r\nthe dropper that was used to install Scout.\r\n1. Analysis of Volgmer Backdoor\r\nThe oldest record regarding Volgmer is presumed to be the “Trojan.Volgmer” malware analysis page published by\r\nSymantec in 2014. [8] (link currently unavailable) Volgmer continued to be used in later attacks, and in 2017,\r\nCISA (Cybersecurity and Infrastructure Security Agency) of the U.S. also mentioned Volgmer when they\r\ndisclosed the malware used by the Lazarus group. [9] (link currently unavailable) According to AhnLab’s ASD\r\nlogs, the Volgmer malware type disclosed by Symantec was detected from at least 2014 to 2015, and there are\r\nrecords of a similar variant being used in attacks until 2016.\r\nAn updated version of Volgmer was found to have been used since 2017, and there were records of its use until\r\naround 2021. As determined by the comparison of the C\u0026C command routines despite a few differences, this type\r\ncan be considered as the same type as the backdoor used in the attack case shared by Kaspersky in 2021 where the\r\nbackdoor was disguised as a DeFi application. [10] There were no other cases of Volgmer being used in attacks\r\nafter the emergence of the Scout downloader around 2022.\r\nHere we will analyze the initial version of Volgmer in the past before analyzing the later version of Volgmer used\r\nbetween 2017 and 2020. The initial version of Volgmer will be briefly analyzed even if it is an old malware strain,\r\nsince there are many functional similarities with other malware that came after it. 
Subsequently, the later version\r\nof Volgmer will be analyzed; while this type has a different C\u0026C command routine, its flow of operation is\r\nnotably almost identical to the past version of Volgmer.\r\n1.1. Initial Version of Volgmer\r\n1.1.1. Analysis of Volgmer Dropper\r\nBecause Volgmer is a DLL-type backdoor, it needs malware that installs it. A dropper was identified alongside the\r\ninitial version of Volgmer; this dropper installs Volgmer by extracting it from a password-protected archive stored\r\nin its resource area and then registering it as a service. The dropper also checks the number of arguments,\r\nrecognizes Korean operating environments, and even checks the version of Windows operating environments, and\r\nif these do not match pre-configured conditions, it either displays a message box or deletes itself. A batch file is\r\nused for self-deletion, and the use of the file name “pdm.bat” is notable.\r\nThe encrypted configuration data is decrypted during execution. This contains the registry key which will hold\r\nthe configuration data with the C\u0026C server addresses, the string used to register the malware as a service, and the\r\nfile name “pdm.bat” to be used for self-deletion. The 0x10-byte key used for decryption is still used by the\r\nmalware from the Andariel group, a subsidiary group of Lazarus. [11]\r\nKey: 74 61 51 04 77 32 54 45 89 95 12 52 12 02 32 73\r\nOne of the characteristics of Volgmer is that it follows a certain logic to randomly generate strings for the name of\r\nthe Volgmer DLL file to be created, as well as the name and description of the service to be registered. 
These\r\nstrings are created by combining the following strings contained in the decrypted configuration data.\r\nString A: svc, mgmt, mgr, enum, app, bg, c, d, ex, f, g, h, i, k, l, m, net, o, p, q, rm, sec, ti, up, vol, win, dc,\r\nud\r\nString B: Service, Management, Manager, Enumerator, Application, Background, Control, Desktop,\r\nExtension, Function, Group, Host, Intelligent, Key, Layer, Multimedia, Network, Operation, Portable,\r\nQuality, Remote, Security, TCP/IP, User Profile, Volume, Windows, Device, Update\r\nFor example, the file name is a combination of four selections from the “String A” list, resulting in names such as\r\n“hlrmenum.dll”. Likewise, service-related items are created by combining four selections from the “String B” list,\r\nas follows.\r\nService name: “[Host Layer Remote Enumerator]”\r\nService description: “The [Host Layer Remote Enumerator] is an essential service for management of\r\nWindows System. If the service is stopped or disabled, Windows will be able to damaged seriously.”\r\nService DLL path: “C:\\Windows\\system32\\{hlrmenum}.dll”\r\nThe Volgmer dropper decompresses “MYRES” in the resource area to obtain the Volgmer DLL and configuration\r\nfiles. These files are compressed with the ZIP compression algorithm and password-protected with the following\r\npassword.\r\nPassword for the compressed file: “!1234567890 dghtdhtrhgfjnui$%^^\u0026fdt”\r\nAfter creating the Volgmer DLL in the path %SystemDirectory%, the dropper sets the file’s timestamps to match\r\nthose of the Notepad (notepad.exe) file. This timestomping is one of the major anti-forensic\r\ntechniques employed for the purpose of evading timeline analysis. Besides the timestomping technique, the\r\nLazarus group uses a variety of anti-forensic techniques such as file deletion and data concealment in their attack\r\nprocess, and this trend continues to this day. 
[12]\r\nBefore being written into the registry key, the decompressed configuration file is encrypted with the same method\r\nas the algorithm used for decrypting the configuration data. This data includes C\u0026C server addresses and is later\r\nread, decrypted, and used by Volgmer. After these processes are complete, it uses the generated service\r\nconfiguration data to register Volgmer as a service and executes it.\r\nRegistry Key – 1: HKLM\\SYSTEM\\CurrentControlSet\\Control\\WMI\\Security / 125463f3-2a9c-bdf0-d890-5a98b08d8898\r\nRegistry Key – 2: HKLM\\SYSTEM\\CurrentControlSet\\Control\\WMI\\Security / f0012345-2a9c-bdf8-345d-345d67b542a1\r\n1.1.2. Analysis of Volgmer Backdoor\r\nVolgmer, running as a service, decrypts the registry value above to obtain the configuration data. As shown below,\r\nthe configuration data consists of the signature string “cgi_config”, the ID, and C\u0026C server addresses.\r\nAdditionally, the ID value is NULL when the dropper is generated, but afterward, Volgmer uses the infected\r\nsystem’s hardware information to create an ID value.\r\nOffset | Size | Data\r\n0x00 | 0x0A | “cgi_config”\r\n0x0A | 0x08 | Victim ID\r\n0x12 | 0x04 | The first C\u0026C server’s IP address\r\n0x16 | 0x04 | The first C\u0026C server’s port number\r\n0x1A | 0x04 | The second C\u0026C server’s IP address\r\n0x1E | 0x04 | The second C\u0026C server’s port number\r\n… | … | …\r\nTable 1. Configuration data\r\nVolgmer obtains one of the C\u0026C servers from the list in the configuration data and connects to it. It then transmits\r\nan HTTP packet, which is created using a random combination of strings, similar to when the service and file\r\nname were created. One HTTP request method is selected among “GET”, “POST”, or “HEAD”, and one of the\r\neight User Agent strings is selected. A characteristic of Volgmer is that the User Agent strings contain a typo,\r\nwhere it reads “Mozillar” instead of “Mozilla”. 
After these processes, it transmits an arbitrarily selected HTTP\r\npacket, and then uses the RIPEMD-160 hash to perform the verification process with the C\u0026C server.\r\nAfter the verification process with the C\u0026C server is complete, information on the infected system is transmitted\r\nover two batches. The first includes information such as whether or not the currently running system is a virtual\r\nmachine, currently running security programs, and installed software.\r\nOffset | Size | Data\r\n0x00 | 0x08 | ID\r\n0x08 | 0x08 | NULL\r\n0x10 | 0x04 | Execution Flag\r\n0x14 | 0x04 | Time\r\n0x18 | 0x04 | Scan for virtual machine environments\r\n0x1C | 0x04 | Scan for installed software\r\n0x20 | 0x04 | Scan for security programs\r\n0x24 | 0x04 | Scan for debugging\r\n0x28 | 0x04 | Scan to check if it is running in the svchost.exe process\r\nTable 2. Data transmitted to the C\u0026C server – 1\r\nNext, it collects a variety of information such as the computer name, network information, hardware information,\r\nlanguage, installed antivirus software, and running services, before sending them to the C\u0026C server. Additionally,\r\nrunning services are identified by checking which ports are currently being listened on; targets include FTP, SSH, DNS,\r\nHTTP, SMB, RDP, MS-SQL, and VNC.\r\nOffset | Data\r\n0x0000 | IP address\r\n0x0004 | Computer name\r\n0x0084 | CPU information\r\n0x0184 | Number of processors\r\n0x0188 | Windows version\r\n0x02D0 | MAC address\r\n0x02D6 | Malware name\r\n0x0316 | Malware file name\r\n0x0358 | Sleep time\r\n0x035C | Installed antivirus software\r\n0x0360 | Locale information\r\n0x03E0 | List of services in use\r\n0x03E8 | “DING”\r\n0x03EC | “PADD”\r\n0x03F0 | “INGX”\r\n0x03F4 | “XPAD”\r\nTable 3. 
Data transmitted to the C\u0026C server – 2\r\nAfterward, Volgmer can receive commands from the C\u0026C server to run features such as file-related tasks,\r\ncommand execution, reverse shell, etc.\r\nCommand | Feature\r\n0x1000 | Transmit system information\r\n0x1009 | Modify C\u0026C address list (registry key)\r\n0x100A | Transmit C\u0026C address list\r\n0x100B | Download file\r\n0x100C | Upload and delete file\r\n0x100D | Upload file\r\n0x100E | Execute file\r\n0x100F | Download and execute file\r\n0x1010 | Delete file\r\n0x1011 | Set sleep time\r\n0x1012 | Reverse shell\r\nTable 4. C\u0026C commands\r\nThere is also a variant of the initial version of Volgmer. While it has the same C\u0026C command routines, the major\r\ndifferences include the fact that the signature string used in the configuration data was “config_reg” instead of\r\n“cgi_config” and that the registry key where the configuration data is saved was changed to the following.\r\nRegistry Key – 1: HKLM\\SYSTEM\\CurrentControlSet\\Control\\WMI\\Security / 2d54931A-47A9-b749-8e23-311921741dcd\r\nRegistry Key – 2: HKLM\\SYSTEM\\CurrentControlSet\\Control\\WMI\\Security / c72a93f5-47e6-4a2a-b13e-6AFE0479cb01\r\n1.2. Later Version of Volgmer\r\nA new version of Volgmer started being used in 2017. While there are differences in the C\u0026C command routine\r\nbetween this and the initial version, there are various similarities including the major characteristic that the\r\nconfiguration data is encrypted and saved in the registry key\r\n“HKLM\\SYSTEM\\CurrentControlSet\\Control\\WMI\\Security” for use. 
Other similarities can be seen in the fact\r\nthat the dropper runs after being registered as a service because it is in a service DLL format and that Volgmer\r\nDLL’s file name or the strings used when registering it as a service are created by randomly combining certain\r\nstrings.\r\nThe later version of Volgmer covered in this section has the same C\u0026C command routine as the backdoor in the\r\nreport released by Kaspersky in 2021. [13] Because the Lazarus group is known for using a variety of backdoors,\r\nit is presumed that the backdoors that were often used in attacks in Korea were altered and used in other attacks as\r\nwell. Here we will analyze the later version of Volgmer backdoor DLL, and the malware thought to be the dropper\r\nthat installs this will be covered alongside the analysis of Scout later on.\r\n1.2.1. Analysis of Volgmer Backdoor\r\nThe later version of Volgmer decrypts the configuration data saved in a certain registry key to obtain the C\u0026C\r\naddresses. When creating the Volgmer backdoor, the dropper creates a file name by randomly combining certain\r\nstrings and uses the hex value of the first four letters of this file name as the registry value where the\r\nconfiguration data will be stored. This will be covered in more detail later on. Accordingly, Volgmer references the\r\nfirst four letters of its own file name and reads the following registry value while running.\r\nRegistry Key: HKLM\\SYSTEM\\CurrentControlSet\\Control\\WMI\\Security / [First four letters of the file name]-5903-ed41-902f-e93a29dafef5\r\nThe read data is decrypted using the RC4 algorithm. While later versions of Volgmer all use the RC4 algorithm,\r\nthey are largely divided into two types depending on the decryption method. The first is a type that uses a\r\nmanually implemented RC4 algorithm, and the other type uses Crypto API to obtain the SHA-1 hash and uses the\r\nresulting value to perform RC4 decryption. 
The method of manually-implemented RC4 algorithm uses a 4-byte\r\nkey for decryption, and the routine that uses Crypto API uses a 4-byte key to obtain the SHA-1 hash before using\r\nthis as the RC4 key. Additionally, the first 0x10 bytes of the SHA-1 value are used as the RC4 algorithm key. For\r\nexample, the SHA-1 hash of the value “DE A7 00 00” is “8f919e6d8970faede0b10cfd5f82da53a83ca34d”, but the\r\nvalue “8766fe8380b144907efa286a814c2241” is used as the RC4 key.\r\nRC4 Key (manually implemented): E2 28 00 00\r\nRC4 Key (Crypto API): DE A7 00 00\r\nVolgmer selects one of the C\u0026C server addresses from the configuration data and connects to it. The later version\r\nof Volgmer and the Scout downloader to be covered later use the HTTP protocol to communicate with the C\u0026C\r\nserver. All identified C\u0026C addresses used https. The POST method is used for initial connection to the C\u0026C\r\nserver or when receiving commands from it; different parameters have been used depending on the point in time.\r\nThe most recent version of Volgmer which appeared after 2020 uses a similar parameter as that mentioned in\r\nKaspersky’s report of 2021. Additionally, the period and types mentioned in this blog post only refer to instances\r\nwhere cases of attacks have been identified and may differ depending on the cases that have not actually been\r\nconfirmed.\r\nPeriod | Parameter Format\r\n2017 – 2019 | secgb=[param1]\u0026secdata=[param2]\r\n2019 | sessions=[param1]\u0026secinfo=[param2]\r\n2020 | jsessid=[param1]\u0026cookie=[param2]\r\nTable 5. 
Format of the HTTP request to the C\u0026C server\r\nPeriod | Request Type | Parameter #1 | Parameter #1 Structure | Parameter #2 | Parameter #2 Structure\r\n2017 – 2019 | Initial access | secgb | Random (0x9) | secdata | message ID – “60D49D98” (0x08), victim ID (0x08), Random (0x8) + C\u0026C address (Base64)\r\n2017 – 2019 | C\u0026C communication | secgb | Random (0x9) | secdata | message ID – “60D49D99” (0x08), victim ID (0x08), Random (0x8) + 0x60D49D94 (RC4)\r\n2017 – 2019 | Send results | secgb | Random (0x9) | secdata | message ID – “60D49D99”, etc. (0x08), victim ID (0x08), Random (0x8) + Data (RC4)\r\n2019 | Initial access | sessions | Random (0x6) | secinfo | message ID – “60D49D98” (0x08), victim ID (0x08), Random (0x8) + C\u0026C address (Base64)\r\n2019 | C\u0026C communication | sessions | Random (0x6) | secinfo | message ID – “60D49D99” (0x08), victim ID (0x08), Random (0x8) + 0x60D49D94 (RC4)\r\n2019 | Send results | sessions | Random (0x6) | secinfo | message ID – “60D49D99” (0x08), victim ID (0x08), Random (0x8) + Data (RC4)\r\nFrom 2020 onwards | Initial access | cookie | Random (0x10) + 0x60D49D94 (Base64) + Random (0x10) | jsessid | message ID – “60D49D99” (0x08), victim ID (0x08), Random (0x8)\r\nFrom 2020 onwards | C\u0026C communication | cookie | Random (0x10) + 0x60D49D94 (RC4) + Random (0x10) | jsessid | message ID – “60D49D99” (0x08), victim ID (0x08), Random (0x8)\r\nFrom 2020 onwards | Send results | cookie | Random (0x10) + Data (RC4) + Random (0x10) | jsessid | message ID – “60D49D99” (0x08), victim ID (0x08), Random (0x8)\r\nTable 6. 
Argument parameters\r\nThe message ID “60D49D98” is used for initial communication with the C\u0026C server. For the data, the C\u0026C\r\nserver address is encoded in Base64 and transmitted. Afterward, the 0x60D49D94 value is transmitted with the\r\nmessage ID “60D49D99” to receive commands. The value 0x60D49D94 is not only used for requests but also for\r\nresponding. This is because Volgmer verifies communications with the C\u0026C server by checking whether the\r\ndecrypted response value is 0x60D49D94.\r\nmessage ID | Feature\r\n60D49D98 | Establish connection\r\n60D49D99 | Request command\r\n60D49DB6 | Transmit system information\r\nTable 7. Types of msg IDs\r\nBase64 encoding is used for the data upon initial authentication. Afterward, the RC4 algorithm is\r\nused for encryption and decryption. There are types of Volgmer that also manually implement the RC4 algorithm\r\nor use the Crypto API, and Volgmer is particular for using a different RC4 key for each type.\r\nRC4 Key (manually implemented): 8D 52 00 00\r\nRC4 Key (Crypto API): A3 D5 00 00\r\nVolgmer provides features to control the infected system, much like a typical backdoor. The following is a list of\r\ncommands for a certain version of Volgmer backdoor. 
Volgmer types categorized as the later version mostly\r\nsupport the same commands.\r\nCommand | Feature\r\n0x60D49D94 | Default response\r\n0x60D49D95 | Default\r\n0x60D49D97 | Set the wait time using the default value\r\n0x60D49D9F | Set the wait time using the received value\r\n0x60D49DA0 | Transmit system information (computer name, Windows version, architecture, IP information, etc.)\r\n0x60D49DA1 | Look up drive information\r\n0x60D49DA2 | Look up list of files\r\n0x60D49DA3 | Look up list of processes\r\n0x60D49DA4 | Terminate process\r\n0x60D49DA5 | Set the current task path\r\n0x60D49DA6 | Scan (connect to the received address)\r\n0x60D49DA7 | Timestomping\r\n0x60D49DA8 | Reverse shell\r\n0x60D49DA9 | Delete file\r\n0x60D49DAA | Execute program\r\n0x60D49DAB | Execute program (with certain privileges)\r\n0x60D49DAC | Execute program (as an administrator)\r\n0x60D49DAD | Download files\r\n0x60D49DAE | Transfer file contents\r\n0x60D49DAF | Transfer file (compressed in cab format)\r\n0x60D49DB0 | Look up directory\r\n0x60D49DB1 | Send configuration data\r\n0x60D49DB2 | Download and apply configuration data\r\n0x60D49DB3 | Apply the current time to the configuration data\r\n0x60D49DB4 | Sleep\r\n0x60D49DB5 | Transmit information (module name, etc.)\r\n0x60D49DB7 | Delete and terminate the “CMb*.a-p” file\r\nTable 8. List of commands\r\nA notable point is that the aforementioned timestomping and file deletion techniques often employed by the\r\nLazarus group are supported as commands. The timestomping command changes the timestamp of the file at a\r\npath received from the C\u0026C server to the timestamp of another file in another path received alongside the first\r\npiece of information. 
Instead of simply deleting the file, the file deletion command overwrites it with the value\r\n“0x5F 00 00 00 00 …” before deletion to prevent recovery.\r\nAlthough there are records of PebbleDash being recently used by another threat group, it is originally a backdoor\r\nknown to have been used by the Lazarus group. When a new drive or session is created, PebbleDash supports the\r\nfeature of terminating the wait routine and initializing communication with the C\u0026C server (i.e., being\r\nactivated). [14] This is because PebbleDash has a long wait time in the process of communicating with the C\u0026C\r\nserver and it is difficult for it to respond to changes in the infected system in real-time. These features are also\r\nfound in other backdoors of the Lazarus group, with the major one being Volgmer. Aside from Volgmer, there was\r\na case where this feature was supported by the OpenCarrot backdoor mentioned in a report from SentinelOne. [15]\r\nAdditionally, among the files that Volgmer deletes periodically, the file “BIT*.tmp” is presumed to be for deleting\r\nthe CAB file which is created while executing the 0x60D49DAF command responsible for the file transfer\r\nfeature. However, the file named “CMb*.a-p” deleted by the 0x60D49DB7 command is not observed with the\r\ncurrent analysis target, Volgmer, alone.\r\n2. Analysis of Scout Downloader\r\nFollowing its first use in 2014, Volgmer was used until around 2021. In 2022, a downloader began being detected.\r\nThis is similar to Volgmer, but instead of having backdoor features, it is a downloader that downloads another\r\nmalware from an external source and executes it in the memory area. While the downloaded payload could not be\r\nprocured, there are three notable points about it. First is that it is being detected after the end of Volgmer’s active\r\nperiod. 
The second is that its communication method with the C\u0026C server and loading of the configuration data\r\nare the same as Volgmer. Lastly, it also has records of being created by a similar dropper.\r\nThis malware is largely categorized into two types depending on the routine. One was mainly observed in the first\r\nhalf of 2022 and the other was distributed from late 2022 to 2023. The second type has a few more routines added\r\nin comparison to the first, and as shown by the PDB information (see section 2.2.2), the presence of the keyword “Scout”\r\nand the version v2.x allow us to assume that this is an improved version of Scout that was distributed in the first\r\nhalf of 2022. Accordingly, we will classify the type distributed in the first half of 2022 as Scout v1 and the type\r\nbeing identified from late 2022 to 2023 as Scout v2. Additionally, the period and types mentioned in this blog post\r\nonly refer to instances where cases of attacks have been identified and may differ depending on the cases that have\r\nnot actually been confirmed.\r\nMost Windows malware is built as a console (character user interface, CUI) program so that it runs in the background\r\nwithout the user being aware. The Scout downloader characteristically creates a window when running, like\r\nGraphical User Interface (GUI) programs. Of course, the window size is set to 0 and is not actually noticeable to\r\nthe user, and this is likely to disguise the malware as a legitimate program.\r\nUnlike the Volgmer backdoor that saved the configuration data in the registry key, there is a type of Scout\r\ndownloader where the configuration data is in the Overlay area at the end of the file. 
In this case, Scout uses the\r\nstring transmitted as an argument for the decryption key.\r\nIn this section, we will analyze the Scout downloader; for this, we will first cover the dropper that installs Scout.\r\nThis dropper contains the actual malware and registry value in the Overlay area at the end of the file, and as these\r\nare encrypted with the RC4 algorithm, the string given as an argument is used as the RC4 key for decryption.\r\nWhile the argument has not been identified, there are AhnLab ASD logs that show Scout having been created.\r\nIn addition, an examination of the same type of dropper observed in around 2021 reveals a routine that configures\r\nthe registry key used by the Volgmer backdoor, and it also uses the same RC4 key for encrypting the registry\r\nvalue. This shows that the threat actor installed the Volgmer backdoor until 2021 and from 2022 used the same\r\ndropper to install the Scout downloader.\r\n2.1. Dropper (Volgmer, Scout)\r\nThe dropper is classified as either the Volgmer dropper or Scout dropper depending on the malware it creates. The\r\ndifferences are in the registry key for writing configuration data to and the RC4 key for encrypting the\r\nconfiguration data. Other than those, the actual routines are identical. However, it is divided into the injector type\r\nand the service registration type according to the way it installs the malware.\r\nLike the initial version of the Volgmer dropper, the injector-type dropper creates the file name randomly; a random\r\n2-5 character string is randomly generated, then one of the “svc”, “mgr”, or “mgmt” strings is selected randomly\r\nand added. If the generated file name is “bnsvc.dll”, the hex value of the first four letters is set as the registry\r\nvalue where the configuration data will be saved. For example, the hex value of “bnsv” is “62 6E 73 76”. 
In this\r\ncase, the registry value where Volgmer and Scout’s configuration data is to be stored is as follows.\r\nVolgmer: HKLM\\SYSTEM\\CurrentControlSet\\Control\\WMI\\Security / “626e7376-5903-ed41-902f-e93a29dafef5”\r\nScout: HKLM\\SYSTEM\\CurrentControlSet\\Control\\WMI\\Security / “626e7376-2790-10f2-dd2a-d92f482d094f”\r\nAfterward, it uses the string given as an argument for the RC4 key, decrypts the encrypted DLL (i.e., Volgmer or\r\nScout) added to the overlay area at the end of the file, and creates it under the name generated above in the\r\n%SystemDirectory% directory. The configuration data that contains the C\u0026C addresses is also decrypted and\r\nsaved in the registry value created in the stage above. Because the malware created in the %SystemDirectory%\r\ndirectory has its timestamp set to the current time, this is changed to the timestamp information of the calculator (i.e.,\r\ncalc.exe).\r\nIt is unclear whether the malware runs as intended after all the procedures up to this point, but the DLL is\r\nregistered as a security package in the LSA registry settings, and then the created DLL is injected into the lsass.exe\r\nprocess.\r\nSecurity Package Registry Key: HKLM\\SYSTEM\\CurrentControlSet\\Control\\Lsa / Security Packages\r\nThe service registration type is different starting in the name generation routine. First, it obtains the netsvcs\r\nservice group from the following registry key, then searches for each service in the\r\n“HKLM\\SYSTEM\\CurrentControlSet\\Services\\” entry and selects a service that is not currently registered.\r\nHKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Svchost / netsvcs\r\nIf the selected service is “LogonHours”, it is registered to the netsvcs service, and the service DLL is created in\r\nthe %SystemDirectory% directory under the name “LogonHourss.dll” with an extra “s”.\r\n2.2. Analysis of Scout Downloader\r\n2.2.1. 
Scout Downloader v1\r\nLike Volgmer, Scout performs a file name-based lookup of the registry value where the encrypted configuration\r\ndata is saved. RC4 is used for the encryption algorithm, and identified instances of Scout all use Crypto API to\r\ndecrypt the configuration data.\r\nRegistry Key: HKLM\\SYSTEM\\CurrentControlSet\\Control\\WMI\\Security / [First four letters of the file name]-2790-10f2-dd2a-d92f482d094f\r\nRC4 Key (Crypto API): F9 A3 DE 48\r\nAfter decrypting the configuration data, it creates a window titled “Windows” as mentioned above. Its actual\r\nroutine is implemented in the registered window procedure. Scout characteristically has each feature implemented based\r\non Windows messages. For example, first, it uses the SendMessageW() API to send a 0x5450 message which\r\nbranches out into the 0x5451 message. The 0x5451 message connects to the C\u0026C server and branches out into\r\ndifferent routes depending on whether the authentication was successful or not.\r\nMessage Number | Feature\r\n0x5450 | Starting routine\r\n0x5451 | Connect to the C\u0026C server and authenticate\r\n0x5452 | Download additional payload and execute it in the memory area (PE)\r\n0x5453 | Reset the C\u0026C server address and reattempt to connect to the server\r\n0x546D | Reattempt to connect to the C\u0026C server\r\nTable 9. Features of each message – Scout v1\r\nUnlike Volgmer, the initial version of Scout had a single parameter and the string “param” was used. As it is a\r\ndownloader, it has a simple structure with only two message IDs used: “184D0382” and “0E8AFD28”. 
The string\r\n“cqce” is encrypted and transmitted during the initial authentication process, and in order for the C\u0026C server\r\nauthentication process to be successful, the transmitted data string must be “1111”.\r\nhttps://asec.ahnlab.com/en/57685/\r\nPage 17 of 22\n\nRequest\r\nType\r\nParameter Parameter Structure Data Structure\r\nInitial access param\r\nRandom (0x8),\r\nvictim ID (0x08),\r\nmessage ID – “184D0382”\r\n(0x08),\r\nData (Base64)\r\nRandom (0x4), “cqce”, C\u0026C\r\nURL\r\nDownload param\r\nRandom (0x8),\r\nvictim ID (0x08),\r\nmessage ID – “0E8AFD28”\r\n(0x08),\r\nData (RC4)\r\nRandom (0x4), configuration\r\ndata\r\nTable 10. Format of the HTTP request to the C\u0026C server\r\nThe RC4 key used in communication with the C\u0026C server is a 0x20 byte-sized key instead of the 4-byte key used\r\nfor decrypting the configuration data. The download process involves first receiving the size of the payload to be\r\ndownloaded. At this stage, the 0x20 byte-sized RC4 key is used, and when the encrypted payload with the defined\r\nsize is downloaded, a 0x20 byte NULL data value is used as the RC4 key.\r\nRC4 Key (Crypto API): 54 A6 BA C3 13 98 DB 1A 62 45 23 12 A8 83 71 82 4E 74 D2 38 00 00 00 00 00\r\n00 00 00 00 00 00 00\r\nThe payload downloaded and decrypted with the RC4 key scans the “MZ” signature, then executes it in the\r\nmemory area.\r\n2.2.2. Scout Downloader V2\r\nSince the second half of 2022, types with a few more routines added have been observed, but the actual features\r\nare the same. 
Among these types, there are multiple pieces of malware for which the PDB information still exists;\r\nthis shows that the threat actor named the malware “Scout”.\r\nY:\\Development\\RT\\Windows\\Scout\\Scout v2.1\\Engine\\Engine\\x64\\Penetrator\\Engine.pdb\r\nY:\\Development\\RT\\Windows\\Scout\\Scout v2.1\\Engine\\Engine\\x64\\Lsass\\Engine.pdb\r\nY:\\Development\\RT\\Windows\\Scout\\Scout v2.1\\Engine\\Engine\\x64\\Netsvc\\Engine.pdb\r\nZ:\\Development\\RT\\Windows\\Scout\\Scout v2.2\\Engine\\Engine\\x64\\Netsvc\\Engine.pdb\r\nZ:\\Development\\RT\\Windows\\Scout\\Scout v2.3\\Engine\\Engine\\x64\\Lsass\\Engine.pdb\r\nScout versions v2.x support more commands (i.e., messages) in comparison to the past versions of Scout. While\r\nthe Windows messages of the past versions have a simple flow, in versions v2.x, it downloads messages from the\r\nhttps://asec.ahnlab.com/en/57685/\r\nPage 18 of 22\n\nC\u0026C server and uses them as commands. Accordingly, it can also execute commands for changing the\r\nconfiguration data aside from downloading additional payloads, Also, past versions encrypted the string “cqce”\r\nand transmitted it to the C\u0026C server. In versions v2.x, the first string “bqce” is transmitted, but depending on the\r\nmessage command received from the C\u0026C server, the values “fqce”, “eqce”, “dqce”, or “cqce” can be transmitted.\r\nMessage\r\nNumber\r\nFeature\r\n0x5450\r\nStarting routine. Connect to the C\u0026C server and authenticate. (Flag :\r\n“bqce”)\r\n0x5451 Download message.\r\n0x5452\r\nDownload additional payload and execute it in the memory area\r\n(Shellcode). Download message.\r\n0x5453 Download configuration data.\r\n0x5454 Change settings data.\r\n0x5455 Download additional payload and execute it in the memory area (PE).\r\n0x5456 Download additional payload and inject (PE).\r\n0x5457 Reattempt to connect to the C\u0026C server. (Flag : “eqce”)\r\n0x5458 Reattempt to connect to the C\u0026C server. 
(Flag : “fqce”)\r\n0x5459 Self-delete.\r\n0x545A Reattempt to connect to the C\u0026C server. (Flag : “cqce”)\r\n0x545B Reattempt to connect to the C\u0026C server. (Flag : “dqce”)\r\nTable 11. Features of each message – Scout v2\r\nIn comparison to the past versions, the method of communication with the C\u0026C server for versions up to v2.2\r\nused the “param” parameter, like the past versions. From v2.3, “jsessionid” is used as the parameter, and the RC4\r\nkey value is also different.\r\nhttps://asec.ahnlab.com/en/57685/\r\nPage 19 of 22\n\nRequest Type Parameter Parameter Structure Data Structure\r\nInitial access jsessionid\r\nRandom (0x5),\r\nvictim ID (0x08),\r\nmessage ID – “184D0382”\r\n(0x08)\r\n+ Data (Base64)\r\nFlag, C\u0026C\r\naddresses\r\nDownloading\r\ncommands\r\njsessionid\r\nRandom (0x5),\r\nvictim ID (0x08),\r\nmessage ID – “0E8AFD28”\r\n(0x08)\r\n \r\nDownload settings jsessionid\r\nRandom (0x5),\r\nvictim ID (0x08),\r\nmessage ID – “0E8AFD28”\r\n(0x08)\r\n+ Data (RC4)\r\nConfiguration data\r\nTable 12. Format of the HTTP request to the C\u0026C server\r\nRC4 Key (param): 54 A8 BA C3 E3 98 DB 1A 6D 45 23 12 A8 83 71 82 4E 74 D2 38 00 00 00 00 00 00\r\n00 00 00 00 00 00\r\nRC4 Key (jsessionid): 73 D3 FE CC 23 AA 74 BA 53 47 88 32 73 11 19 AC FF D3 14 08 00 00 00 00 00\r\n00 00 00 00 00 00 00\r\n3. Conclusion\r\nThe Lazarus group is one of the very dangerous groups that are highly active worldwide, using various attack\r\nvectors such as spear phishing and supply chain attacks. Recently, the group exploited a security vulnerability in a\r\nKorean financial security authentication software in their initial access process and also exploited vulnerabilities\r\nin web security software or enterprise asset management programs in the lateral movement process.\r\nSecurity managers of enterprises must identify assets that may be exposed to threat actors through attack surface\r\nmanagement and always apply the latest security patches. 
Users must be particularly cautious of attachments to\r\nemails from unknown sources or executable files downloaded from web pages. Users should also apply the latest\r\npatch for OS and programs such as Internet browsers, and update V3 to the latest version to prevent such malware\r\ninfection in advance.\r\nFile Detection\r\n– Backdoor/Win.Lazardoor.C5233133 (2022.09.07.00)\r\n– Backdoor/Win32.Agent.C3351518 (2019.07.25.00)\r\n– Backdoor/Win32.Agent.R283184 (2019.07.25.00)\r\n– Backdoor/Win64.Agent.C3371791 (2019.08.08.03)\r\n– Data/BIN.Encoded (2022.10.05.00)\r\nhttps://asec.ahnlab.com/en/57685/\r\nPage 20 of 22\n\n– Data/BIN.Encoded (2023.03.08.00)\r\n– Data/BIN.EncPe (2022.09.07.00)\r\n– Dropper/Win.Agent.C5499468 (2023.10.02.00)\r\n– Dropper/Win32.Agent.C3371843 (2019.08.08.03)\r\n– Dropper/Win64.Agent.C3371802 (2019.08.08.03)\r\n– Malware/Win64.Generic.C4065063 (2020.04.16.07)\r\n– Trojan/Win.Lazardoor.C4979367 (2022.02.24.02)\r\n– Trojan/Win.Lazardoor.C4979368 (2022.02.24.03)\r\n– Trojan/Win.Lazardoor.C5037872 (2022.03.31.00)\r\n– Trojan/Win.Lazardoor.R474265 (2022.02.24.03)\r\n– Trojan/Win.Lazardoor.R482731 (2022.04.07.01)\r\n– Trojan/Win.Lazardoor.R495643 (2022.06.04.00)\r\n– Trojan/Win.Lazardoor.R500179 (2022.06.24.00)\r\n– Trojan/Win.LazarLoader.C5194304 (2022.07.06.01)\r\n– Trojan/Win.LazarLoader.C5196326 (2022.07.06.03)\r\n– Trojan/Win.LazarLoader.C5196363 (2022.07.06.04)\r\n– Trojan/Win.LazarLoader.C5196414 (2022.07.07.00)\r\n– Trojan/Win.LazarLoader.C5201772 (2022.07.11.03)\r\n– Trojan/Win.LazarLoader.C5210732 (2022.07.19.00)\r\n– Trojan/Win.LazarLoader.C5211408 (2022.07.20.01)\r\n– Trojan/Win.LazarLoader.C5233120 (2022.09.07.00)\r\n– Trojan/Win.LazarLoader.R480766 (2022.03.31.00)\r\n– Trojan/Win.LazarLoader.R491208 (2022.05.10.02)\r\n– Trojan/Win.LazarLoader.R500065 (2022.06.22.03)\r\n– Trojan/Win.LazarLoader.R501218 (2022.06.28.03)\r\n– Trojan/Win.Scout.R536659 (2022.11.30.00)\r\n– Trojan/Win32.Agent.C876729 (2015.06.03.00)\r\n– 
Trojan/Win32.Agent.R128643 (2014.12.17.00)\r\n– Trojan/Win32.Akdoor.C3450548 (2019.08.29.04)\r\n– Trojan/Win32.Backdoor.R174379 (2016.02.16.05)\r\n– Trojan/Win32.Dllbot.C715400 (2015.02.12.04)\r\n– Trojan/Win32.Ghost.C695717 (2015.01.27.05)\r\n– Trojan/Win64.Agent.R274329 (2019.06.04.03)\r\n– Trojan/Win64.Akdoor.R289258 (2019.08.29.00)\r\nBehavior Detection\r\n– Execution/MDP.Behavior.M10661\r\nMD5\r\n0171c4a0a53188fe6f9c3dfcc5722be6\r\n05bb1d8b7e62f4305d97042f07c64679\r\nhttps://asec.ahnlab.com/en/57685/\r\nPage 21 of 22\n\n0b746394c9d23654577f4c0f2a39a543\r\n0b78347acf76d4bb66212bf9a41b9fb9\r\n0ed86587124f08325cd8f3d3d2556292\r\nAdditional IOCs are available on AhnLab TIP.\r\nURL\r\nhttps[:]//buygermany[.]co[.]kr/custom/qna_list[.]asp\r\nhttps[:]//eng[.]pac[.]or[.]kr/eng/include/mobile_header[.]asp\r\nhttps[:]//file4[.]photomon[.]com/order/UpLoader_html_delete_order[.]asp\r\nhttps[:]//jjmhome[.]co[.]kr/data/base/board/community/community[.]asp\r\nhttps[:]//lightingmart[.]co[.]kr/admin/goods/pop_categoryExcel[.]asp\r\nAdditional IOCs are available on AhnLab TIP.\r\nGain access to related IOCs and detailed analysis by subscribing to AhnLab TIP. For subscription details, click\r\nthe banner below.\r\nSource: https://asec.ahnlab.com/en/57685/\r\nhttps://asec.ahnlab.com/en/57685/\r\nPage 22 of 22",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia",
		"ETDA"
	],
	"references": [
		"https://asec.ahnlab.com/en/57685/"
	],
	"report_names": [
		"57685"
	],
	"threat_actors": [
		{
			"id": "838f6ced-12a4-4893-991a-36d231d96efd",
			"created_at": "2022-10-25T15:50:23.347455Z",
			"updated_at": "2026-04-10T02:00:05.295717Z",
			"deleted_at": null,
			"main_name": "Andariel",
			"aliases": [
				"Andariel",
				"Silent Chollima",
				"PLUTONIUM",
				"Onyx Sleet"
			],
			"source_name": "MITRE:Andariel",
			"tools": [
				"Rifdoor",
				"gh0st RAT"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "34eea331-d052-4096-ae03-a22f1d090bd4",
			"created_at": "2025-08-07T02:03:25.073494Z",
			"updated_at": "2026-04-10T02:00:03.709243Z",
			"deleted_at": null,
			"main_name": "NICKEL ACADEMY",
			"aliases": [
				"ATK3 ",
				"Black Artemis ",
				"COVELLITE ",
				"CTG-2460 ",
				"Citrine Sleet ",
				"Diamond Sleet ",
				"Guardians of Peace",
				"HIDDEN COBRA ",
				"High Anonymous",
				"Labyrinth Chollima ",
				"Lazarus Group ",
				"NNPT Group",
				"New Romanic Cyber Army Team",
				"Temp.Hermit ",
				"UNC577 ",
				"Who Am I?",
				"Whois Team",
				"ZINC "
			],
			"source_name": "Secureworks:NICKEL ACADEMY",
			"tools": [
				"Destover",
				"KorHigh",
				"Volgmer"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "110e7160-a8cc-4a66-8550-f19f7d418117",
			"created_at": "2023-01-06T13:46:38.427592Z",
			"updated_at": "2026-04-10T02:00:02.969896Z",
			"deleted_at": null,
			"main_name": "Silent Chollima",
			"aliases": [
				"Onyx Sleet",
				"PLUTONIUM",
				"OperationTroy",
				"Guardian of Peace",
				"GOP",
				"WHOis Team",
				"Andariel",
				"Subgroup: Andariel"
			],
			"source_name": "MISPGALAXY:Silent Chollima",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "bc6e3644-3249-44f3-a277-354b7966dd1b",
			"created_at": "2022-10-25T16:07:23.760559Z",
			"updated_at": "2026-04-10T02:00:04.741239Z",
			"deleted_at": null,
			"main_name": "Andariel",
			"aliases": [
				"APT 45",
				"Andariel",
				"G0138",
				"Jumpy Pisces",
				"Onyx Sleet",
				"Operation BLACKMINE",
				"Operation BLACKSHEEP/Phase 3.",
				"Operation Blacksmith",
				"Operation DESERTWOLF/Phase 3",
				"Operation GHOSTRAT",
				"Operation GoldenAxe",
				"Operation INITROY/Phase 1",
				"Operation INITROY/Phase 2",
				"Operation Mayday",
				"Operation VANXATM",
				"Operation XEDA",
				"Plutonium",
				"Silent Chollima",
				"Stonefly"
			],
			"source_name": "ETDA:Andariel",
			"tools": [],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "732597b1-40a8-474c-88cc-eb8a421c29f1",
			"created_at": "2025-08-07T02:03:25.087732Z",
			"updated_at": "2026-04-10T02:00:03.776007Z",
			"deleted_at": null,
			"main_name": "NICKEL GLADSTONE",
			"aliases": [
				"APT38 ",
				"ATK 117 ",
				"Alluring Pisces ",
				"Black Alicanto ",
				"Bluenoroff ",
				"CTG-6459 ",
				"Citrine Sleet ",
				"HIDDEN COBRA ",
				"Lazarus Group",
				"Sapphire Sleet ",
				"Selective Pisces ",
				"Stardust Chollima ",
				"T-APT-15 ",
				"TA444 ",
				"TAG-71 "
			],
			"source_name": "Secureworks:NICKEL GLADSTONE",
			"tools": [
				"AlphaNC",
				"Bankshot",
				"CCGC_Proxy",
				"Ratankba",
				"RustBucket",
				"SUGARLOADER",
				"SwiftLoader",
				"Wcry"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "a2b92056-9378-4749-926b-7e10c4500dac",
			"created_at": "2023-01-06T13:46:38.430595Z",
			"updated_at": "2026-04-10T02:00:02.971571Z",
			"deleted_at": null,
			"main_name": "Lazarus Group",
			"aliases": [
				"Operation DarkSeoul",
				"Bureau 121",
				"Group 77",
				"APT38",
				"NICKEL GLADSTONE",
				"G0082",
				"COPERNICIUM",
				"Moonstone Sleet",
				"Operation GhostSecret",
				"APT 38",
				"Appleworm",
				"Unit 121",
				"ATK3",
				"G0032",
				"ATK117",
				"NewRomanic Cyber Army Team",
				"Nickel Academy",
				"Sapphire Sleet",
				"Lazarus group",
				"Hastati Group",
				"Subgroup: Bluenoroff",
				"Operation Troy",
				"Black Artemis",
				"Dark Seoul",
				"Andariel",
				"Labyrinth Chollima",
				"Operation AppleJeus",
				"COVELLITE",
				"Citrine Sleet",
				"DEV-0139",
				"DEV-1222",
				"Hidden Cobra",
				"Bluenoroff",
				"Stardust Chollima",
				"Whois Hacking Team",
				"Diamond Sleet",
				"TA404",
				"BeagleBoyz",
				"APT-C-26"
			],
			"source_name": "MISPGALAXY:Lazarus Group",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "771d9263-076e-4b6e-bd58-92b6555eb739",
			"created_at": "2025-08-07T02:03:25.092436Z",
			"updated_at": "2026-04-10T02:00:03.758541Z",
			"deleted_at": null,
			"main_name": "NICKEL HYATT",
			"aliases": [
				"APT45 ",
				"Andariel",
				"Dark Seoul",
				"Jumpy Pisces ",
				"Onyx Sleet ",
				"RIFLE Campaign",
				"Silent Chollima ",
				"Stonefly ",
				"UN614 "
			],
			"source_name": "Secureworks:NICKEL HYATT",
			"tools": [
				"ActiveX 0-day",
				"DTrack",
				"HazyLoad",
				"HotCriossant",
				"Rifle",
				"UnitBot",
				"Valefor"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "32a223a8-3c79-4146-87c5-8557d38662ae",
			"created_at": "2022-10-25T15:50:23.703698Z",
			"updated_at": "2026-04-10T02:00:05.261989Z",
			"deleted_at": null,
			"main_name": "Lazarus Group",
			"aliases": [
				"Lazarus Group",
				"Labyrinth Chollima",
				"HIDDEN COBRA",
				"Guardians of Peace",
				"NICKEL ACADEMY",
				"Diamond Sleet"
			],
			"source_name": "MITRE:Lazarus Group",
			"tools": [
				"RawDisk",
				"Proxysvc",
				"BADCALL",
				"FALLCHILL",
				"WannaCry",
				"MagicRAT",
				"HOPLIGHT",
				"TYPEFRAME",
				"Dtrack",
				"HotCroissant",
				"HARDRAIN",
				"Dacls",
				"KEYMARBLE",
				"TAINTEDSCRIBE",
				"AuditCred",
				"netsh",
				"ECCENTRICBANDWAGON",
				"AppleJeus",
				"BLINDINGCAN",
				"ThreatNeedle",
				"Volgmer",
				"Cryptoistic",
				"RATANKBA",
				"Bankshot"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "f32df445-9fb4-4234-99e0-3561f6498e4e",
			"created_at": "2022-10-25T16:07:23.756373Z",
			"updated_at": "2026-04-10T02:00:04.739611Z",
			"deleted_at": null,
			"main_name": "Lazarus Group",
			"aliases": [
				"APT-C-26",
				"ATK 3",
				"Appleworm",
				"Citrine Sleet",
				"DEV-0139",
				"Diamond Sleet",
				"G0032",
				"Gleaming Pisces",
				"Gods Apostles",
				"Gods Disciples",
				"Group 77",
				"Guardians of Peace",
				"Hastati Group",
				"Hidden Cobra",
				"ITG03",
				"Jade Sleet",
				"Labyrinth Chollima",
				"Lazarus Group",
				"NewRomanic Cyber Army Team",
				"Operation 99",
				"Operation AppleJeus",
				"Operation AppleJeus sequel",
				"Operation Blockbuster: Breach of Sony Pictures Entertainment",
				"Operation CryptoCore",
				"Operation Dream Job",
				"Operation Dream Magic",
				"Operation Flame",
				"Operation GhostSecret",
				"Operation In(ter)caption",
				"Operation LolZarus",
				"Operation Marstech Mayhem",
				"Operation No Pineapple!",
				"Operation North Star",
				"Operation Phantom Circuit",
				"Operation Sharpshooter",
				"Operation SyncHole",
				"Operation Ten Days of Rain / DarkSeoul",
				"Operation Troy",
				"SectorA01",
				"Slow Pisces",
				"TA404",
				"TraderTraitor",
				"UNC2970",
				"UNC4034",
				"UNC4736",
				"UNC4899",
				"UNC577",
				"Whois Hacking Team"
			],
			"source_name": "ETDA:Lazarus Group",
			"tools": [
				"3CX Backdoor",
				"3Rat Client",
				"3proxy",
				"AIRDRY",
				"ARTFULPIE",
				"ATMDtrack",
				"AlphaNC",
				"Alreay",
				"Andaratm",
				"AngryRebel",
				"AppleJeus",
				"Aryan",
				"AuditCred",
				"BADCALL",
				"BISTROMATH",
				"BLINDINGCAN",
				"BTC Changer",
				"BUFFETLINE",
				"BanSwift",
				"Bankshot",
				"Bitrep",
				"Bitsran",
				"BlindToad",
				"Bookcode",
				"BootWreck",
				"BottomLoader",
				"Brambul",
				"BravoNC",
				"Breut",
				"COLDCAT",
				"COPPERHEDGE",
				"CROWDEDFLOUNDER",
				"Castov",
				"CheeseTray",
				"CleanToad",
				"ClientTraficForwarder",
				"CollectionRAT",
				"Concealment Troy",
				"Contopee",
				"CookieTime",
				"Cyruslish",
				"DAVESHELL",
				"DBLL Dropper",
				"DLRAT",
				"DRATzarus",
				"DRATzarus RAT",
				"Dacls",
				"Dacls RAT",
				"DarkComet",
				"DarkKomet",
				"DeltaCharlie",
				"DeltaNC",
				"Dembr",
				"Destover",
				"DoublePulsar",
				"Dozer",
				"Dtrack",
				"Duuzer",
				"DyePack",
				"ECCENTRICBANDWAGON",
				"ELECTRICFISH",
				"Escad",
				"EternalBlue",
				"FALLCHILL",
				"FYNLOS",
				"FallChill RAT",
				"Farfli",
				"Fimlis",
				"FoggyBrass",
				"FudModule",
				"Fynloski",
				"Gh0st RAT",
				"Ghost RAT",
				"Gopuram",
				"HARDRAIN",
				"HIDDEN COBRA RAT/Worm",
				"HLOADER",
				"HOOKSHOT",
				"HOPLIGHT",
				"HOTCROISSANT",
				"HOTWAX",
				"HTTP Troy",
				"Hawup",
				"Hawup RAT",
				"Hermes",
				"HotCroissant",
				"HotelAlfa",
				"Hotwax",
				"HtDnDownLoader",
				"Http Dr0pper",
				"ICONICSTEALER",
				"Joanap",
				"Jokra",
				"KANDYKORN",
				"KEYMARBLE",
				"Kaos",
				"KillDisk",
				"KillMBR",
				"Koredos",
				"Krademok",
				"LIGHTSHIFT",
				"LIGHTSHOW",
				"LOLBAS",
				"LOLBins",
				"Lazarus",
				"LightlessCan",
				"Living off the Land",
				"MATA",
				"MBRkiller",
				"MagicRAT",
				"Manuscrypt",
				"Mimail",
				"Mimikatz",
				"Moudour",
				"Mydoom",
				"Mydoor",
				"Mytob",
				"NACHOCHEESE",
				"NachoCheese",
				"NestEgg",
				"NickelLoader",
				"NineRAT",
				"Novarg",
				"NukeSped",
				"OpBlockBuster",
				"PCRat",
				"PEBBLEDASH",
				"PLANKWALK",
				"POOLRAT",
				"PSLogger",
				"PhanDoor",
				"Plink",
				"PondRAT",
				"PowerBrace",
				"PowerRatankba",
				"PowerShell RAT",
				"PowerSpritz",
				"PowerTask",
				"Preft",
				"ProcDump",
				"Proxysvc",
				"PuTTY Link",
				"QUICKRIDE",
				"QUICKRIDE.POWER",
				"Quickcafe",
				"QuiteRAT",
				"R-C1",
				"ROptimizer",
				"Ratabanka",
				"RatabankaPOS",
				"Ratankba",
				"RatankbaPOS",
				"RawDisk",
				"RedShawl",
				"Rifdoor",
				"Rising Sun",
				"Romeo-CoreOne",
				"RomeoAlfa",
				"RomeoBravo",
				"RomeoCharlie",
				"RomeoCore",
				"RomeoDelta",
				"RomeoEcho",
				"RomeoFoxtrot",
				"RomeoGolf",
				"RomeoHotel",
				"RomeoMike",
				"RomeoNovember",
				"RomeoWhiskey",
				"Romeos",
				"RustBucket",
				"SHADYCAT",
				"SHARPKNOT",
				"SIGFLIP",
				"SIMPLESEA",
				"SLICKSHOES",
				"SORRYBRUTE",
				"SUDDENICON",
				"SUGARLOADER",
				"SheepRAT",
				"SierraAlfa",
				"SierraBravo",
				"SierraCharlie",
				"SierraJuliett-MikeOne",
				"SierraJuliett-MikeTwo",
				"SimpleTea",
				"SimplexTea",
				"SmallTiger",
				"Stunnel",
				"TAINTEDSCRIBE",
				"TAXHAUL",
				"TFlower",
				"TOUCHKEY",
				"TOUCHMOVE",
				"TOUCHSHIFT",
				"TOUCHSHOT",
				"TWOPENCE",
				"TYPEFRAME",
				"Tdrop",
				"Tdrop2",
				"ThreatNeedle",
				"Tiger RAT",
				"TigerRAT",
				"Trojan Manuscript",
				"Troy",
				"TroyRAT",
				"VEILEDSIGNAL",
				"VHD",
				"VHD Ransomware",
				"VIVACIOUSGIFT",
				"VSingle",
				"ValeforBeta",
				"Volgmer",
				"Vyveva",
				"W1_RAT",
				"Wana Decrypt0r",
				"WanaCry",
				"WanaCrypt",
				"WanaCrypt0r",
				"WannaCry",
				"WannaCrypt",
				"WannaCryptor",
				"WbBot",
				"Wcry",
				"Win32/KillDisk.NBB",
				"Win32/KillDisk.NBC",
				"Win32/KillDisk.NBD",
				"Win32/KillDisk.NBH",
				"Win32/KillDisk.NBI",
				"WinorDLL64",
				"Winsec",
				"WolfRAT",
				"Wormhole",
				"YamaBot",
				"Yort",
				"ZetaNile",
				"concealment_troy",
				"http_troy",
				"httpdr0pper",
				"httpdropper",
				"klovbot",
				"sRDI"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434203,
	"ts_updated_at": 1775792299,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/451eaae10f18b5a816b3d6e8b9aedf45c58d8689.pdf",
		"text": "https://archive.orkl.eu/451eaae10f18b5a816b3d6e8b9aedf45c58d8689.txt",
		"img": "https://archive.orkl.eu/451eaae10f18b5a816b3d6e8b9aedf45c58d8689.jpg"
	}
}