{
	"id": "1194c60e-7c53-44ee-bae5-0d0fb8ad17db",
	"created_at": "2026-04-06T01:31:46.971669Z",
	"updated_at": "2026-04-10T03:38:19.864562Z",
	"deleted_at": null,
	"sha1_hash": "47d67560b50561bc81db4567c3c3edd778bbbd58",
	"title": "Linux malware strengthens links between Lazarus and the 3CX supply-chain attack",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1343092,
	"plain_text": "Linux malware strengthens links between Lazarus and the 3CX supply-chain attack\r\nBy Peter Kálnai and Marc-Etienne M.Léveillé\r\nArchived: 2026-04-06 00:22:13 UTC\r\nESET researchers have discovered a new Lazarus Operation DreamJob campaign targeting Linux users. Operation DreamJob is the name for a series of campaigns in which the group uses social engineering techniques to compromise its targets, with fake job offers as the lure. In this case, we were able to reconstruct the full chain, from the ZIP file that delivers a fake HSBC job offer as a decoy, up until the final payload: the SimplexTea Linux backdoor distributed through an OpenDrive cloud storage account. To our knowledge, this is the first public mention of this major North Korea-aligned threat actor using Linux malware as part of this operation.\r\nAdditionally, this discovery helped us confirm with a high level of confidence that the recent 3CX supply-chain attack was in fact conducted by Lazarus – a link that was suspected from the very beginning and demonstrated by several security researchers since. In this blogpost, we corroborate these findings and provide additional evidence about the connection between Lazarus and the 3CX supply-chain attack.\r\nThe 3CX supply-chain attack\r\n3CX is an international VoIP software developer and distributor that provides phone system services to many organizations. According to its website, 3CX has more than 600,000 customers and 12,000,000 users in various sectors including aerospace, healthcare, and hospitality. It provides client software to use its systems via a web browser, mobile app, or a desktop application. Late in March 2023, it was discovered that the desktop application for both Windows and macOS contained malicious code that enabled a group of attackers to download and run arbitrary code on all machines where the application was installed.
Rapidly, it was determined that this malicious code was not something that 3CX had added itself, but that 3CX had been compromised and that its software was being used in a supply-chain attack driven by external threat actors to distribute additional malware to specific 3CX customers.\r\nThis cyber-incident has made headlines in recent days. It was initially reported on March 29th, 2023 in a Reddit thread by a CrowdStrike engineer, followed by an official report by CrowdStrike stating with high confidence that LABYRINTH CHOLLIMA, the company’s codename for Lazarus, was behind the attack (but omitting any evidence backing up the claim). Because of the seriousness of the incident, multiple security companies contributed their summaries of the events, including Sophos, Check Point, Broadcom, and Trend Micro. Further, the part of the attack affecting systems running macOS was covered in detail in a Twitter thread and a blogpost by Patrick Wardle.\r\nTimeline of events\r\nhttps://www.welivesecurity.com/2023/04/20/linux-malware-strengthens-links-lazarus-3cx-supply-chain-attack\r\nPage 1 of 15\n\nFigure 1. Timeline of events related to the preparation and distribution of 3CX trojanized applications\r\nThe timeline shows that the perpetrators had planned the attacks long before execution, as early as December 2022. This suggests they already had a foothold inside 3CX’s network late last year.\r\nWhile the trojanized 3CX macOS application shows it was signed in late January, we did not see the bad application in our telemetry until February 14th, 2023. It is unclear whether the malicious update for macOS was distributed prior to that date.\r\nAlthough ESET telemetry shows the existence of the macOS second-stage payload as early as February, we did not have the sample itself, nor metadata to tip us off about its maliciousness.
We include this information to help defenders determine how far back systems might have been compromised.\r\nSeveral days before the attack was publicly revealed, a mysterious Linux downloader was submitted to VirusTotal. It downloads a new malicious Lazarus payload for Linux; we explain its relationship to the attack later in the text.\r\nAttribution of the 3CX supply-chain attack to Lazarus\r\nWhat is already published\r\nThere is one domain that plays a significant role in our attribution reasoning: journalide[.]org. It is mentioned in some of the vendor reports linked above, but its presence is never explained. Interestingly, articles by SentinelOne and Objective-See do not mention this domain. Neither does a blogpost by Volexity, which even refrained from providing attribution, stating “Volexity cannot currently map the disclosed activity to any threat actor”. Its analysts were among the first to investigate the attack in depth, and they created a tool to extract the list of C\u0026C servers from the encrypted icon files hosted on GitHub. This tool is useful, as the attackers did not embed the C\u0026C servers directly in the intermediate stages, but rather used GitHub as a dead drop resolver. The intermediate stages are downloaders for Windows and macOS that we denote as IconicLoaders, and the payloads they get as IconicStealer and UpdateAgent, respectively.\r\nOn March 30th, Joe Desimone, a security researcher from Elastic Security, was among the first to provide, in a Twitter thread, substantial clues that the 3CX-driven compromises are probably linked to Lazarus.
He observed that a shellcode stub prepended to the payload from d3dcompiler_47.dll is similar to AppleJeus loader stubs attributed to Lazarus by CISA back in April 2021.\r\nOn March 31st it was reported that 3CX had retained Mandiant to provide incident response services relating to the supply-chain attack.\r\nOn April 3rd, Kaspersky, through its telemetry, showed a direct relationship between the 3CX supply-chain victims and the deployment of a backdoor dubbed Gopuram, both involving payloads with a common name, guard64.dll. Kaspersky data shows that Gopuram is connected to Lazarus because it coexisted on victim machines alongside AppleJeus, malware that was already attributed to Lazarus. Both Gopuram and AppleJeus were observed in attacks against a cryptocurrency company.\r\nThen, on April 11th, the CISO of 3CX summarized Mandiant’s interim findings in a blogpost. According to that report, two Windows malware samples, a shellcode loader called TAXHAUL and a complex downloader named COLDCAT, were involved in the compromise of 3CX. No hashes were provided, but Mandiant’s YARA rule, named TAXHAUL, also triggers on other samples already on VirusTotal:\r\nSHA-1: 2ACC6F1D4656978F4D503929B8C804530D7E7CF6 (ualapi.dll)\r\nSHA-1: DCEF83D8EE080B54DC54759C59F955E73D67AA65 (wlbsctrl.dll)\r\nThe filenames, but not the MD5s, of these samples coincide with those from Kaspersky’s blogpost. However, 3CX explicitly states that COLDCAT differs from Gopuram.\r\nThe next section contains a technical description of the new Lazarus malicious Linux payload we recently analyzed, as well as how it helped us strengthen the existing link between Lazarus and the 3CX compromise.\r\nOperation DreamJob with a Linux payload\r\nThe Lazarus group's Operation DreamJob involves approaching targets through LinkedIn and tempting them with job offers from industry leaders. The name was coined by ClearSky in a paper published in August 2020.
That paper describes a Lazarus cyberespionage campaign targeting defense and aerospace companies. The activity overlaps with what we call Operation In(ter)ception, a series of cyberespionage attacks that have been ongoing since at least September 2019. It targets aerospace, military, and defense companies and uses specific malicious, initially Windows-only, tools. During July and August 2022, we found two instances of Operation In(ter)ception targeting macOS. One malware sample was submitted to VirusTotal from Brazil, and another attack targeted an ESET user in Argentina. A few weeks ago, a native Linux payload was found on VirusTotal with an HSBC-themed PDF lure. This completes Lazarus’s ability to target all major desktop operating systems.\r\nOn March 20th, a user in the country of Georgia submitted to VirusTotal a ZIP archive called HSBC job offer.pdf.zip. Given other DreamJob campaigns by Lazarus, this payload was probably distributed through spearphishing or direct messages on LinkedIn. The archive contains a single file: a native 64-bit Intel Linux binary written in Go and named HSBC job offer․pdf.\r\nInterestingly, the file extension is not .pdf: the apparent dot character in the filename is a dot leader, the U+2024 Unicode character. This was probably an attempt to make the file manager treat the file as what it is, an executable, while the user sees what looks like a PDF. Because the name carries no real extension, a double-click runs the binary instead of opening it with a PDF viewer. On execution, a decoy PDF is displayed to the user using xdg-open, which opens the document with the user’s preferred PDF viewer (see Figure 3).
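The following triage helper is an added example, not code from ESET or from the samples analyzed here. It checks two things a defender would look for while reading this section: file names whose apparent extension is forged with a Unicode look-alike dot (U+2024 ONE DOT LEADER is the character used in the HSBC lure; the other look-alike characters in the table are an assumption of the example, not from the analysis), and shell-profile lines that launch a binary from a hidden directory under the home directory with stdout and stderr discarded, the shape of the line OdicLoader appends to ~/.bash_profile. The sample file names and the sample profile at the bottom are constructed for the example.

```python
# Added example (not ESET's code): host triage helpers for the Linux DreamJob
# chain described in this section. Sample inputs at the bottom are constructed.
import os

# Characters that render like an ASCII period in most file managers.
# U+2024 ONE DOT LEADER is the one used in the HSBC job offer lure; the other
# entries are an assumption of this example, not from the ESET analysis.
DOT_LOOKALIKES = {
    chr(0x2024): 'U+2024 ONE DOT LEADER',
    chr(0x2027): 'U+2027 HYPHENATION POINT',
    chr(0x00B7): 'U+00B7 MIDDLE DOT',
    chr(0xFF0E): 'U+FF0E FULLWIDTH FULL STOP',
    chr(0x3002): 'U+3002 IDEOGRAPHIC FULL STOP',
}

# Extensions a lure would imitate (assumption: a practical list).
DOCUMENT_EXTENSIONS = ('pdf', 'doc', 'docx', 'xls', 'xlsx', 'ppt', 'pptx', 'txt')


def forged_extension(name):
    '''Return a description when the file name only looks like a document,
    e.g. HSBC job offer<U+2024>pdf, or None when the name is harmless.
    A real extension must follow an ASCII period; a look-alike dot leaves
    the file extensionless, so the desktop treats it as a plain executable.'''
    base = os.path.basename(name)
    for ch, label in DOT_LOOKALIKES.items():
        if ch not in base:
            continue
        stem, _, fake_ext = base.rpartition(ch)
        if stem and fake_ext.lower() in DOCUMENT_EXTENSIONS:
            return 'apparent .' + fake_ext + ' is forged with ' + label
    return None


def hidden_muted_launches(profile_text):
    '''Return (line_number, line) pairs for shell profile lines that run a
    file from a dot-directory under the home directory with stdout and
    stderr discarded, the shape OdicLoader appends to ~/.bash_profile.'''
    hits = []
    for number, raw in enumerate(profile_text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith('#'):
            continue
        command = line.split()[0]
        from_hidden_home = command.startswith(('~/.', '$HOME/.'))
        muted = '/dev/null' in line and '2>&1' in line
        if from_hidden_home and muted:
            hits.append((number, line))
    return hits


def triage(file_names, profile_text):
    '''Combine both checks into one report for a host.'''
    return {
        'forged_names': [(n, forged_extension(n)) for n in file_names
                         if forged_extension(n)],
        'profile_launches': hidden_muted_launches(profile_text),
    }


# Constructed sample input: the lure name from the article, a genuine PDF
# name, a second look-alike, and a ~/.bash_profile as OdicLoader leaves it.
SAMPLE_NAMES = [
    'HSBC job offer' + chr(0x2024) + 'pdf',
    'HSBC job offer.pdf',
    'invoice' + chr(0xFF0E) + 'docx',
]
SAMPLE_PROFILE = chr(10).join([
    '# ~/.bash_profile (constructed sample)',
    'export PATH=$HOME/bin:$PATH',
    '~/.config/guiconfigd >/dev/null 2>&1',
    'umask 022',
])

if __name__ == '__main__':
    report = triage(SAMPLE_NAMES, SAMPLE_PROFILE)
    for name, why in report['forged_names']:
        print('suspicious name:', repr(name), '->', why)
    for number, line in report['profile_launches']:
        print('suspicious profile line', number, ':', line)
```

Saved to a file and run with python3, the block reports the two forged names and the muted guiconfigd launch from the constructed samples. On a real host, pass it the names from the user's download directory and the contents of ~/.bash_profile, ~/.bashrc and ~/.profile; a hit from either check is a reason to pull the file and compare its hash with the IoCs at the end of this article.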
We decided to call this ELF downloader OdicLoader, as it has a similar role to the IconicLoaders on other platforms and the payload is fetched from OpenDrive.\r\nOdicLoader drops a decoy PDF document, displays it using the system’s default PDF viewer, and then downloads a second-stage backdoor from the OpenDrive cloud service (the whole chain is illustrated in Figure 2). The downloaded file is stored in ~/.config/guiconfigd (SHA-1: 0CA1723AFE261CD85B05C9EF424FC50290DCE7DF). We call this second-stage backdoor SimplexTea.\r\nAs the last step of its execution, OdicLoader modifies ~/.bash_profile, so SimplexTea is launched whenever a Bash login shell starts, with its output muted (~/.config/guiconfigd \u003e/dev/null 2\u003e\u00261).\r\nFigure 2. Illustration of the probable chain of compromise\r\nFigure 3. An HSBC-themed lure in the Linux DreamJob campaign\r\nSimplexTea is a Linux backdoor written in C++. As highlighted in Table 1, its class names are very similar to function names found in a sample, with filename sysnetd, submitted to VirusTotal from Romania (SHA-1: F6760FB1F8B019AF2304EA6410001B63A1809F1D). Because of the similarities in class names and function names between SimplexTea and sysnetd, we believe SimplexTea is an updated version, rewritten from C to C++.\r\nTable 1.
Comparison of the original symbol names from two Linux backdoors submitted to VirusTotal\r\nguiconfigd (SimplexTea for Linux, from Georgia) | sysnetd (BADCALL for Linux, from Romania)\r\nCMsgCmd::Start(void) | MSG_Cmd\r\nCMsgSecureDel::Start(void) | MSG_Del\r\nCMsgDir::Start(void) | MSG_Dir\r\nCMsgDown::Start(void) | MSG_Down\r\nCMsgExit::Start(void) | MSG_Exit\r\nCMsgReadConfig::Start(void) | MSG_ReadConfig\r\nCMsgRun::Start(void) | MSG_Run\r\nCMsgSetPath::Start(void) | MSG_SetPath\r\nCMsgSleep::Start(void) | MSG_Sleep\r\nCMsgTest::Start(void) | MSG_Test\r\nCMsgUp::Start(void) | MSG_Up\r\nCMsgWriteConfig::Start(void) | MSG_WriteConfig\r\n | MSG_GetComInfo\r\nCMsgHibernate::Start(void) |\r\nCMsgKeepCon::Start(void) |\r\nCMsgZipDown::Start(void) |\r\nCMsgZip::StartZip(void *) |\r\nCMsgZip::Start(void) |\r\nCHttpWrapper::RecvData(uchar *\u0026,uint *,uint,signed char) | RecvMsg\r\nCHttpWrapper::SendMsg(_MSG_STRUCT *) | SendMsg\r\nCHttpWrapper::SendData(uchar *,uint,uint) |\r\nCHttpWrapper::SendMsg(uint,uint,uchar *,uint,uint) |\r\nCHttpWrapper::SendLoginData(uchar *,uint,uchar *\u0026,uint *) |\r\nHow is sysnetd related to Lazarus? The following section shows similarities with Lazarus’s Windows backdoor called BADCALL.\r\nBADCALL for Linux\r\nWe attribute sysnetd to Lazarus because of its similarities with the following two files (and we believe that sysnetd is a Linux variant of the group’s backdoor for Windows called BADCALL):\r\nP2P_DLL.dll (SHA-1: 65122E5129FC74D6B5EBAFCC3376ABAE0145BC14), which shows code similarities to sysnetd in the form of domains used as a front for a fake TLS connection (see Figure 4). It was attributed to Lazarus by CISA in December 2017.
From September 2019, CISA started to call newer versions of this malware BADCALL (SHA-1: D288766FA268BC2534F85FD06A5D52264E646C47).\r\nFigure 4. Similarities between a Windows and a Linux variant of BADCALL (a list of domains used as a front for a fake TLS connection)\r\nprtspool (SHA-1: 58B0516D28BD7218B1908FB266B8FE7582E22A5F), which shows code similarities to sysnetd (see Figure 5). It was attributed to Lazarus by CISA in February 2021. Note as well that SIMPLESEA, a macOS backdoor found during the 3CX incident response, implements the A5/1 stream cipher.\r\nFigure 5. Similarities between AppleJeus for macOS and the Linux variant of BADCALL (the key for the A5/1 stream cipher)\r\nThis Linux version of the BADCALL backdoor, sysnetd, loads its configuration from a file named /tmp/vgauthsvclog. Lazarus operators have previously disguised their payloads as legitimate components, and this name is the one used by the VMware Guest Authentication service, which suggests that the targeted system may be a Linux VMware virtual machine. Interestingly, the XOR key used to decode this configuration is the same as the one used in SIMPLESEA from the 3CX investigation.\r\nFigure 6. Loading a configuration file by BADCALL for Linux, cf. Figure 8\r\nTaking a look at the three 32-bit integers 0xC2B45678, 0x90ABCDEF, and 0xFE268455 from Figure 5, which represent a key for a custom implementation of the A5/1 cipher, we realized that the same algorithm and the identical keys were used in Windows malware that dates back to the end of 2014 and was involved in one of the most notorious Lazarus cases: the cybersabotage of Sony Pictures Entertainment (SHA-1: 1C66E67A8531E3FF1C64AE57E6EDFDE7BEF2352D).\r\nFigure 7.
The decryption routine shared between BADCALL for Linux and targeted destructive malware for Windows from 2014\r\nAdditional attribution data points\r\nTo recap what we’ve covered so far, we attribute the 3CX supply-chain attack to the Lazarus group with a high level of confidence. This is based on the following factors:\r\n1. Malware (the intrusion set):\r\n1.1. The IconicLoader (samcli.dll) uses the same type of strong encryption – AES-GCM – as SimplexTea (whose attribution to Lazarus was established via the similarity with BADCALL for Linux); only the keys and initialization vectors differ.\r\n1.2. Based on the PE Rich Headers, both IconicLoader (samcli.dll) and IconicStealer (sechost.dll) are projects of a similar size and compiled in the same Visual Studio environment as the executables iertutil.dll (SHA-1: 5B03294B72C0CAA5FB20E7817002C600645EB475) and iertutil.dll (SHA-1: 7491BD61ED15298CE5EE5FFD01C8C82A2CDB40EC) reported in the Lazarus cryptocurrency campaigns by Volexity and Microsoft. We include in the Appendix the YARA rule RichHeaders_Lazarus_NukeSped_IconicPayloads_3CX_Q12023, which flags all these samples, and no unrelated malicious or clean files, as tested on the current ESET databases and recent VirusTotal submissions.\r\n1.3. The SimplexTea payload loads its configuration in a very similar way to the SIMPLESEA malware from the 3CX official incident response. The XOR key differs (0x5E vs. 0x7E), but the configuration bears the same name: apdl.cf (see Figure 8).\r\nFigure 8. Loading a configuration file by SimplexTea for Linux, cf. Figure 6\r\n2. Infrastructure:\r\n2.1.
There is shared network infrastructure with SimplexTea, as it uses https://journalide[.]org/djour.php as its C\u0026C; this domain is reported in the official results of Mandiant’s incident response into the 3CX compromise.\r\nFigure 9. A hardcoded URL in SimplexTea for Linux\r\nConclusion\r\nThe 3CX compromise has gained a lot of attention from the security community since its disclosure on March 29th. Compromised software deployed across a wide range of IT infrastructures, which allows the download and execution of any kind of payload, can have devastating impacts. Unfortunately, no software publisher is immune to being compromised and inadvertently distributing trojanized versions of its applications.\r\nThe stealthiness of a supply-chain attack makes this method of distributing malware very appealing from an attacker’s perspective. Lazarus has already used this technique in the past, targeting South Korean users of WIZVERA VeraPort software in 2020. Similarities with existing malware from the Lazarus toolset and with the group’s typical techniques strongly suggest the recent 3CX compromise is the work of Lazarus as well.\r\nIt is also interesting to note that Lazarus can produce and use malware for all major desktop operating systems: Windows, macOS, and Linux. Both Windows and macOS systems were targeted during the 3CX incident, with 3CX’s VoIP software for both operating systems being trojanized to include malicious code to fetch arbitrary payloads. In the case of 3CX, both Windows and macOS second-stage malware versions exist. This article demonstrates the existence of a Linux backdoor that probably corresponds to the SIMPLESEA macOS malware seen in the 3CX incident.
We named this Linux component SimplexTea and showed that it is part of Operation DreamJob, Lazarus’s flagship campaign using job offers to lure and compromise unsuspecting victims.\r\nFor any inquiries about our research published on WeLiveSecurity, please contact us at threatintel@eset.com.\r\nESET Research offers private APT intelligence reports and data feeds. For any inquiries about this service, visit the ESET Threat Intelligence page.\r\nIoCs\r\nFiles\r\nSHA-1 | Filename | ESET detection name | Description\r\n0CA1723AFE261CD85B05C9EF424FC50290DCE7DF | guiconfigd | Linux/NukeSped.E | SimplexTea for Linux.\r\n3A63477A078CE10E53DFB5639E35D74F93CEFA81 | HSBC_job_offer․pdf | Linux/NukeSped.E | OdicLoader, a 64-bit downloader for Linux, written in Go.\r\n9D8BADE2030C93D0A010AA57B90915EB7D99EC82 | HSBC_job_offer.pdf.zip | Linux/NukeSped.E | A ZIP archive with a Linux payload, from VirusTotal.\r\nF6760FB1F8B019AF2304EA6410001B63A1809F1D | sysnetd | Linux/NukeSped.G | BADCALL for Linux.\r\nNetwork\r\nIP address | Domain | Hosting provider | First seen | Details\r\n23.254.211[.]230 | N/A | Hostwinds LLC. |
N/A | C\u0026C server for BADCALL for Linux\r\n38.108.185[.]79, 38.108.185[.]115 | od[.]lk | Cogent Communications | 2023-03-16 | Remote OpenDrive storage containing SimplexTea (/d/NTJfMzg4MDE1NzJf/vxmedia)\r\n172.93.201[.]88 | journalide[.]org | Nexeon Technologies, Inc. | 2023-03-29 | C\u0026C server for SimplexTea (/djour.php)\r\nMITRE ATT\u0026CK techniques\r\nTactic | ID | Name | Description\r\nReconnaissance | T1593.001 | Search Open Websites/Domains: Social Media | Lazarus attackers probably approached a target with a fake HSBC-themed job offer that would fit the target’s interest. This has been done mostly via LinkedIn in the past.\r\nResource Development | T1583.001 | Acquire Infrastructure: Domains | Unlike many previous cases of compromised C\u0026Cs used in Operation DreamJob, Lazarus operators registered their own domain for the Linux target.\r\nResource Development | T1587.001 | Develop Capabilities: Malware | Custom tools from the attack are very likely developed by the attackers.\r\nResource Development | T1585.003 | Establish Accounts: Cloud Accounts | The attackers hosted the final stage on the cloud service OpenDrive.\r\nResource Development | T1608.001 | Stage Capabilities: Upload Malware | The attackers hosted the final stage on the cloud service OpenDrive.\r\nExecution | T1204.002 | User Execution: Malicious File | OdicLoader masquerades as a PDF file in order to fool the target.\r\nInitial Access | T1566.002 | Phishing: Spearphishing Link | The target likely received a link to third-party remote storage with a malicious ZIP archive, which was later submitted to VirusTotal.\r\nPersistence | T1546.004 | Event Triggered Execution: Unix Shell Configuration Modification | OdicLoader modifies the victim’s Bash profile, so SimplexTea is launched each time Bash
is started and its output is muted.\r\nDefense Evasion | T1134.002 | Access Token Manipulation: Create Process with Token | SimplexTea can create a new process, if instructed by its C\u0026C server.\r\nDefense Evasion | T1140 | Deobfuscate/Decode Files or Information | SimplexTea stores its configuration in an encrypted file, apdl.cf.\r\nDefense Evasion | T1027.009 | Obfuscated Files or Information: Embedded Payloads | The droppers of all malicious chains contain an embedded data array with an additional stage.\r\nDefense Evasion | T1562.003 | Impair Defenses: Impair Command History Logging | OdicLoader modifies the victim’s Bash profile, so the output and error messages from SimplexTea are muted. SimplexTea executes new processes with the same technique.\r\nDefense Evasion | T1070.004 | Indicator Removal: File Deletion | SimplexTea has the ability to delete files securely.\r\nDefense Evasion | T1497.003 | Virtualization/Sandbox Evasion: Time Based Evasion | SimplexTea implements multiple custom sleep delays in its execution.\r\nDiscovery | T1083 | File and Directory Discovery | SimplexTea can list the content of a directory, with names, sizes, and timestamps (mimicking the ls -la command).\r\nCommand and Control | T1071.001 | Application Layer Protocol: Web Protocols | SimplexTea can use HTTP and HTTPS for communication with its C\u0026C server, using a statically linked Curl library.\r\nCommand and Control | T1573.001 | Encrypted Channel: Symmetric Cryptography | SimplexTea encrypts C\u0026C traffic using the AES-GCM algorithm.\r\nCommand and Control | T1132.001 | Data Encoding: Standard Encoding | SimplexTea encodes C\u0026C traffic using base64.\r\nCommand and Control | T1090 | Proxy | SimplexTea can utilize a proxy for communications.\r\nExfiltration | T1041 | Exfiltration Over C2 Channel | SimplexTea can exfiltrate data as ZIP archives to its C\u0026C
server.\r\nAppendix\r\nThis YARA rule flags the cluster containing both IconicLoader and IconicStealer, as well as the payloads deployed in the cryptocurrency campaigns from December 2022.\r\n/*\r\nThe following rule will only work with YARA version \u003e= 3.11.0\r\n*/\r\nimport \"pe\"\r\n\r\nrule RichHeaders_Lazarus_NukeSped_IconicPayloads_3CX_Q12023\r\n{\r\n    meta:\r\n        description = \"Rich Headers-based rule covering the IconicLoader and IconicStealer from the 3CX supply-chain attack\"\r\n        author = \"ESET Research\"\r\n        date = \"2023-03-31\"\r\n        hash = \"3B88CDA62CDD918B62EF5AA8C5A73A46F176D18B\"\r\n        hash = \"CAD1120D91B812ACAFEF7175F949DD1B09C6C21A\"\r\n        hash = \"5B03294B72C0CAA5FB20E7817002C600645EB475\"\r\n        hash = \"7491BD61ED15298CE5EE5FFD01C8C82A2CDB40EC\"\r\n    condition:\r\n        pe.rich_signature.toolid(259, 30818) == 9 and\r\n        pe.rich_signature.toolid(256, 31329) == 1 and\r\n        pe.rich_signature.toolid(261, 30818) \u003e= 30 and pe.rich_signature.toolid(261, 30818) \u003c= 38 and\r\n        pe.rich_signature.toolid(261, 29395) \u003e= 134 and pe.rich_signature.toolid(261, 29395) \u003c= 164 and\r\n        pe.rich_signature.toolid(257, 29395) \u003e= 6 and pe.rich_signature.toolid(257, 29395) \u003c= 14\r\n}\r\nSource: https://www.welivesecurity.com/2023/04/20/linux-malware-strengthens-links-lazarus-3cx-supply-chain-attack",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://www.welivesecurity.com/2023/04/20/linux-malware-strengthens-links-lazarus-3cx-supply-chain-attack"
	],
	"report_names": [
		"linux-malware-strengthens-links-lazarus-3cx-supply-chain-attack"
	],
	"threat_actors": [
		{
			"id": "34eea331-d052-4096-ae03-a22f1d090bd4",
			"created_at": "2025-08-07T02:03:25.073494Z",
			"updated_at": "2026-04-10T02:00:03.709243Z",
			"deleted_at": null,
			"main_name": "NICKEL ACADEMY",
			"aliases": [
				"ATK3 ",
				"Black Artemis ",
				"COVELLITE ",
				"CTG-2460 ",
				"Citrine Sleet ",
				"Diamond Sleet ",
				"Guardians of Peace",
				"HIDDEN COBRA ",
				"High Anonymous",
				"Labyrinth Chollima ",
				"Lazarus Group ",
				"NNPT Group",
				"New Romanic Cyber Army Team",
				"Temp.Hermit ",
				"UNC577 ",
				"Who Am I?",
				"Whois Team",
				"ZINC "
			],
			"source_name": "Secureworks:NICKEL ACADEMY",
			"tools": [
				"Destover",
				"KorHigh",
				"Volgmer"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "544ecd2c-82c9-417c-9d98-d1ae395df964",
			"created_at": "2025-10-29T02:00:52.035025Z",
			"updated_at": "2026-04-10T02:00:05.408558Z",
			"deleted_at": null,
			"main_name": "AppleJeus",
			"aliases": [
				"AppleJeus",
				"Gleaming Pisces",
				"Citrine Sleet",
				"UNC1720",
				"UNC4736"
			],
			"source_name": "MITRE:AppleJeus",
			"tools": null,
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "732597b1-40a8-474c-88cc-eb8a421c29f1",
			"created_at": "2025-08-07T02:03:25.087732Z",
			"updated_at": "2026-04-10T02:00:03.776007Z",
			"deleted_at": null,
			"main_name": "NICKEL GLADSTONE",
			"aliases": [
				"APT38 ",
				"ATK 117 ",
				"Alluring Pisces ",
				"Black Alicanto ",
				"Bluenoroff ",
				"CTG-6459 ",
				"Citrine Sleet ",
				"HIDDEN COBRA ",
				"Lazarus Group",
				"Sapphire Sleet ",
				"Selective Pisces ",
				"Stardust Chollima ",
				"T-APT-15 ",
				"TA444 ",
				"TAG-71 "
			],
			"source_name": "Secureworks:NICKEL GLADSTONE",
			"tools": [
				"AlphaNC",
				"Bankshot",
				"CCGC_Proxy",
				"Ratankba",
				"RustBucket",
				"SUGARLOADER",
				"SwiftLoader",
				"Wcry"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "a2b92056-9378-4749-926b-7e10c4500dac",
			"created_at": "2023-01-06T13:46:38.430595Z",
			"updated_at": "2026-04-10T02:00:02.971571Z",
			"deleted_at": null,
			"main_name": "Lazarus Group",
			"aliases": [
				"Operation DarkSeoul",
				"Bureau 121",
				"Group 77",
				"APT38",
				"NICKEL GLADSTONE",
				"G0082",
				"COPERNICIUM",
				"Moonstone Sleet",
				"Operation GhostSecret",
				"APT 38",
				"Appleworm",
				"Unit 121",
				"ATK3",
				"G0032",
				"ATK117",
				"NewRomanic Cyber Army Team",
				"Nickel Academy",
				"Sapphire Sleet",
				"Lazarus group",
				"Hastati Group",
				"Subgroup: Bluenoroff",
				"Operation Troy",
				"Black Artemis",
				"Dark Seoul",
				"Andariel",
				"Labyrinth Chollima",
				"Operation AppleJeus",
				"COVELLITE",
				"Citrine Sleet",
				"DEV-0139",
				"DEV-1222",
				"Hidden Cobra",
				"Bluenoroff",
				"Stardust Chollima",
				"Whois Hacking Team",
				"Diamond Sleet",
				"TA404",
				"BeagleBoyz",
				"APT-C-26"
			],
			"source_name": "MISPGALAXY:Lazarus Group",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "32a223a8-3c79-4146-87c5-8557d38662ae",
			"created_at": "2022-10-25T15:50:23.703698Z",
			"updated_at": "2026-04-10T02:00:05.261989Z",
			"deleted_at": null,
			"main_name": "Lazarus Group",
			"aliases": [
				"Lazarus Group",
				"Labyrinth Chollima",
				"HIDDEN COBRA",
				"Guardians of Peace",
				"NICKEL ACADEMY",
				"Diamond Sleet"
			],
			"source_name": "MITRE:Lazarus Group",
			"tools": [
				"RawDisk",
				"Proxysvc",
				"BADCALL",
				"FALLCHILL",
				"WannaCry",
				"MagicRAT",
				"HOPLIGHT",
				"TYPEFRAME",
				"Dtrack",
				"HotCroissant",
				"HARDRAIN",
				"Dacls",
				"KEYMARBLE",
				"TAINTEDSCRIBE",
				"AuditCred",
				"netsh",
				"ECCENTRICBANDWAGON",
				"AppleJeus",
				"BLINDINGCAN",
				"ThreatNeedle",
				"Volgmer",
				"Cryptoistic",
				"RATANKBA",
				"Bankshot"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "f32df445-9fb4-4234-99e0-3561f6498e4e",
			"created_at": "2022-10-25T16:07:23.756373Z",
			"updated_at": "2026-04-10T02:00:04.739611Z",
			"deleted_at": null,
			"main_name": "Lazarus Group",
			"aliases": [
				"APT-C-26",
				"ATK 3",
				"Appleworm",
				"Citrine Sleet",
				"DEV-0139",
				"Diamond Sleet",
				"G0032",
				"Gleaming Pisces",
				"Gods Apostles",
				"Gods Disciples",
				"Group 77",
				"Guardians of Peace",
				"Hastati Group",
				"Hidden Cobra",
				"ITG03",
				"Jade Sleet",
				"Labyrinth Chollima",
				"Lazarus Group",
				"NewRomanic Cyber Army Team",
				"Operation 99",
				"Operation AppleJeus",
				"Operation AppleJeus sequel",
				"Operation Blockbuster: Breach of Sony Pictures Entertainment",
				"Operation CryptoCore",
				"Operation Dream Job",
				"Operation Dream Magic",
				"Operation Flame",
				"Operation GhostSecret",
				"Operation In(ter)caption",
				"Operation LolZarus",
				"Operation Marstech Mayhem",
				"Operation No Pineapple!",
				"Operation North Star",
				"Operation Phantom Circuit",
				"Operation Sharpshooter",
				"Operation SyncHole",
				"Operation Ten Days of Rain / DarkSeoul",
				"Operation Troy",
				"SectorA01",
				"Slow Pisces",
				"TA404",
				"TraderTraitor",
				"UNC2970",
				"UNC4034",
				"UNC4736",
				"UNC4899",
				"UNC577",
				"Whois Hacking Team"
			],
			"source_name": "ETDA:Lazarus Group",
			"tools": [
				"3CX Backdoor",
				"3Rat Client",
				"3proxy",
				"AIRDRY",
				"ARTFULPIE",
				"ATMDtrack",
				"AlphaNC",
				"Alreay",
				"Andaratm",
				"AngryRebel",
				"AppleJeus",
				"Aryan",
				"AuditCred",
				"BADCALL",
				"BISTROMATH",
				"BLINDINGCAN",
				"BTC Changer",
				"BUFFETLINE",
				"BanSwift",
				"Bankshot",
				"Bitrep",
				"Bitsran",
				"BlindToad",
				"Bookcode",
				"BootWreck",
				"BottomLoader",
				"Brambul",
				"BravoNC",
				"Breut",
				"COLDCAT",
				"COPPERHEDGE",
				"CROWDEDFLOUNDER",
				"Castov",
				"CheeseTray",
				"CleanToad",
				"ClientTraficForwarder",
				"CollectionRAT",
				"Concealment Troy",
				"Contopee",
				"CookieTime",
				"Cyruslish",
				"DAVESHELL",
				"DBLL Dropper",
				"DLRAT",
				"DRATzarus",
				"DRATzarus RAT",
				"Dacls",
				"Dacls RAT",
				"DarkComet",
				"DarkKomet",
				"DeltaCharlie",
				"DeltaNC",
				"Dembr",
				"Destover",
				"DoublePulsar",
				"Dozer",
				"Dtrack",
				"Duuzer",
				"DyePack",
				"ECCENTRICBANDWAGON",
				"ELECTRICFISH",
				"Escad",
				"EternalBlue",
				"FALLCHILL",
				"FYNLOS",
				"FallChill RAT",
				"Farfli",
				"Fimlis",
				"FoggyBrass",
				"FudModule",
				"Fynloski",
				"Gh0st RAT",
				"Ghost RAT",
				"Gopuram",
				"HARDRAIN",
				"HIDDEN COBRA RAT/Worm",
				"HLOADER",
				"HOOKSHOT",
				"HOPLIGHT",
				"HOTCROISSANT",
				"HOTWAX",
				"HTTP Troy",
				"Hawup",
				"Hawup RAT",
				"Hermes",
				"HotCroissant",
				"HotelAlfa",
				"Hotwax",
				"HtDnDownLoader",
				"Http Dr0pper",
				"ICONICSTEALER",
				"Joanap",
				"Jokra",
				"KANDYKORN",
				"KEYMARBLE",
				"Kaos",
				"KillDisk",
				"KillMBR",
				"Koredos",
				"Krademok",
				"LIGHTSHIFT",
				"LIGHTSHOW",
				"LOLBAS",
				"LOLBins",
				"Lazarus",
				"LightlessCan",
				"Living off the Land",
				"MATA",
				"MBRkiller",
				"MagicRAT",
				"Manuscrypt",
				"Mimail",
				"Mimikatz",
				"Moudour",
				"Mydoom",
				"Mydoor",
				"Mytob",
				"NACHOCHEESE",
				"NachoCheese",
				"NestEgg",
				"NickelLoader",
				"NineRAT",
				"Novarg",
				"NukeSped",
				"OpBlockBuster",
				"PCRat",
				"PEBBLEDASH",
				"PLANKWALK",
				"POOLRAT",
				"PSLogger",
				"PhanDoor",
				"Plink",
				"PondRAT",
				"PowerBrace",
				"PowerRatankba",
				"PowerShell RAT",
				"PowerSpritz",
				"PowerTask",
				"Preft",
				"ProcDump",
				"Proxysvc",
				"PuTTY Link",
				"QUICKRIDE",
				"QUICKRIDE.POWER",
				"Quickcafe",
				"QuiteRAT",
				"R-C1",
				"ROptimizer",
				"Ratabanka",
				"RatabankaPOS",
				"Ratankba",
				"RatankbaPOS",
				"RawDisk",
				"RedShawl",
				"Rifdoor",
				"Rising Sun",
				"Romeo-CoreOne",
				"RomeoAlfa",
				"RomeoBravo",
				"RomeoCharlie",
				"RomeoCore",
				"RomeoDelta",
				"RomeoEcho",
				"RomeoFoxtrot",
				"RomeoGolf",
				"RomeoHotel",
				"RomeoMike",
				"RomeoNovember",
				"RomeoWhiskey",
				"Romeos",
				"RustBucket",
				"SHADYCAT",
				"SHARPKNOT",
				"SIGFLIP",
				"SIMPLESEA",
				"SLICKSHOES",
				"SORRYBRUTE",
				"SUDDENICON",
				"SUGARLOADER",
				"SheepRAT",
				"SierraAlfa",
				"SierraBravo",
				"SierraCharlie",
				"SierraJuliett-MikeOne",
				"SierraJuliett-MikeTwo",
				"SimpleTea",
				"SimplexTea",
				"SmallTiger",
				"Stunnel",
				"TAINTEDSCRIBE",
				"TAXHAUL",
				"TFlower",
				"TOUCHKEY",
				"TOUCHMOVE",
				"TOUCHSHIFT",
				"TOUCHSHOT",
				"TWOPENCE",
				"TYPEFRAME",
				"Tdrop",
				"Tdrop2",
				"ThreatNeedle",
				"Tiger RAT",
				"TigerRAT",
				"Trojan Manuscript",
				"Troy",
				"TroyRAT",
				"VEILEDSIGNAL",
				"VHD",
				"VHD Ransomware",
				"VIVACIOUSGIFT",
				"VSingle",
				"ValeforBeta",
				"Volgmer",
				"Vyveva",
				"W1_RAT",
				"Wana Decrypt0r",
				"WanaCry",
				"WanaCrypt",
				"WanaCrypt0r",
				"WannaCry",
				"WannaCrypt",
				"WannaCryptor",
				"WbBot",
				"Wcry",
				"Win32/KillDisk.NBB",
				"Win32/KillDisk.NBC",
				"Win32/KillDisk.NBD",
				"Win32/KillDisk.NBH",
				"Win32/KillDisk.NBI",
				"WinorDLL64",
				"Winsec",
				"WolfRAT",
				"Wormhole",
				"YamaBot",
				"Yort",
				"ZetaNile",
				"concealment_troy",
				"http_troy",
				"httpdr0pper",
				"httpdropper",
				"klovbot",
				"sRDI"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775439106,
	"ts_updated_at": 1775792299,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/47d67560b50561bc81db4567c3c3edd778bbbd58.pdf",
		"text": "https://archive.orkl.eu/47d67560b50561bc81db4567c3c3edd778bbbd58.txt",
		"img": "https://archive.orkl.eu/47d67560b50561bc81db4567c3c3edd778bbbd58.jpg"
	}
}