{
	"id": "c6bde81c-32c8-43c3-8f5f-90d8eab067c1",
	"created_at": "2026-04-06T00:11:34.753303Z",
	"updated_at": "2026-04-10T13:13:06.479382Z",
	"deleted_at": null,
	"sha1_hash": "4926ca2eabc38ec56ab8fda283c75777ccdc6f2d",
	"title": "The Blockbuster Sequel",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1879093,
	"plain_text": "The Blockbuster Sequel\r\nBy Anthony Kasza, Micah Yates\r\nPublished: 2017-04-07 · Archived: 2026-04-06 00:02:27 UTC\r\nUnit 42 has identified malware with recent compilation and distribution timestamps whose code, infrastructure, and themes overlap with threats described previously in the Operation Blockbuster report, written by researchers at Novetta. That report details the activities of a group they named Lazarus, their tools, and the techniques they use to infiltrate computer networks. The Lazarus group is tied to the 2014 attack on Sony Pictures Entertainment and the 2013 DarkSeoul attacks. This recently identified activity targets Korean-speaking individuals, while the threat actors behind the attack likely speak both Korean and English. This blog details the recently discovered samples, their functionality, and their ties to the threat group behind Operation Blockbuster.\r\nInitial Discovery and Delivery\r\nThis investigation began when we identified two malicious Word document files in the AutoFocus threat intelligence tool. While we cannot be certain how the documents were sent to the targets, phishing emails are highly likely. One of the malicious files was submitted to VirusTotal on 6 March 2017 with the file name \"한싹시스템.doc\". Once opened, both files display the same Korean-language decoy document, which appears to be the benign file located online at \"www.kuipernet.co.kr/sub/kuipernet-setup.docx\".\r\nhttp://researchcenter.paloaltonetworks.com/2017/04/unit42-the-blockbuster-sequel/\r\nPage 1 of 12\r\nFigure 1 Dropped decoy document\r\nThis file (Figure 1) appears to be a request form used by the organization. Decoy documents are used by attackers who want to trick victims into thinking a received file is legitimate. At the moment the malware infects the computer, it opens a non-malicious file that contains content the target expected to receive (Figure 2). 
This serves to fool the victim into thinking nothing suspicious has occurred.\r\nFigure 2 Spear phishing attack uses a decoy file to trick the target\r\nWhen a victim opens one of these malicious files, the malicious Visual Basic for Applications (VBA) macros within it write an executable to disk and run it. If macros are disabled in Microsoft Word, the user must click the “Enable Content” button for the malicious VBA script to execute. The macros in both documents use very similar logic and variable names. Specifically, both contain hex strings that, when reassembled and XOR-decoded, reveal a PE file. The PE file is written to disk with a filename that is encoded in the macro using character substitution. Figure 3 shows part of the macro logic, which is identical in both files.\r\nFigure 3 Malicious macro source code from the malicious document\r\nThe Embedded Payload\r\nThe executable dropped by both malicious documents is packed with UPX. Once unpacked, the payload (032ccd6ae0a6e49ac93b7bd10c7d249f853fff3f5771a1fe3797f733f09db5a0) can be statically examined. 
The compile timestamp of the sample is March 2nd, 2017, just a few days before one of the documents carrying the implant was submitted to VirusTotal.\r\nThe payload ensures a copy of itself is located on disk within the %TEMP% directory and creates the following registry entry to maintain persistence if the system is shut down:\r\nHKLM\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\Run\\JavaUpdate\r\nValue: %TEMP%\\java.exe /c /s\r\nIt then executes itself with the following command line:\r\n%TEMP%\\java.exe /c %TEMP%\\java.exe\r\nThe implant beacons to its command and control (C2) servers directly via the servers' IPv4 addresses, which are hard-coded in the binary; no domain name is used to locate the servers. The communications between the implant and the server closely resemble the \"fake TLS\" protocol associated with malware tools used by the Lazarus group and described in the Operation Blockbuster report. However, the possible values of the Server Name Indication (SNI) record within the ClientHello of the TLS handshake used by the implant differ from those described in the report. The names embedded in the new sample and chosen for communications include:\r\ntwitter.com\r\nwww.amazon.com\r\nwww.apple.com\r\nwww.bing.com\r\nwww.facebook.com\r\nwww.microsoft.com\r\nwww.yahoo.com\r\nwww.join.me\r\nThe C2 servers contacted by the implant mimic the expected TLS server responses for the domain name requested in the SNI field, including certificate fields such as the issuer and subject. However, the certificates' validity period, serial number, and fingerprint differ from those of the genuine certificates. 
Figure 4 shows a fake TLS session which includes the SNI record \"www.join.me\" destined for an IPv4 address which does not belong to Join.Me.\r\nFigure 4 The use of \"www.join.me\" as an SNI record of a TLS handshake to an IPv4 address which does not host that domain name\r\nExpanding the Analysis\r\nBecause the attackers reused similar logic and variable names in their macros, we were able to locate additional malicious document samples. Due to the heavy reuse of code in the macros, we also speculate that the documents are created using an automated process or script. Our analysis of the additional malicious documents showed some common traits across the documents used by the attackers:\r\n1. Many, but not all, of the documents have the same author\r\n2. Malicious documents support the ability to drop a payload as well as an optional decoy document\r\n3. XOR keys used to encode embedded files within the macros seem to be configurable\r\n4. All of the dropped payloads were compressed with a packer (the packer used varied)\r\nWe also identified multiple test documents that dropped and executed the Korean version of the Microsoft calc.exe executable but contained no malicious code. This mirrors a common practice in demonstrating exploits of vulnerabilities. Interestingly, all of the test documents identified were submitted to VirusTotal with English file names from submitters located in the United States (although not during US \"working hours\"). Despite the documents having Korean code pages, when executed they open decoy documents containing the English text \"testteststeawetwetwqetqwetqw\". 
These facts lead us to believe at least some of the developers or testers of the document weaponizing tool may be English speakers.\r\nWhile some of the documents identified carry benign payloads, most of the payloads were found to be malicious. A cluster of three malicious documents was identified that drop payloads related to one another via shared C2 domains. The payloads can be seen highlighted in Figure 5.\r\nFigure 5 Related executables, their C2 domain names, their dropper documents, and the shared batch file\r\nThe two malicious payloads circled in Figure 5 write a batch script to disk that deletes the sample and then itself, which is a common practice. The batch script dropped by the two payloads shares a file name, file path, and hash value with a script sample (77a32726af6205d27999b9a564dd7b020dc0a8f697a81a8f597b971140e28976). This sample is described in a 2016 research report by Blue Coat discussing connections between the DarkSeoul group and the Sony breach of 2014. The script's hash value (Figure 6) will vary depending on the name of the file it is to delete. It also includes an uncommon label, \"L21024\". The file the script deletes is the payload which wrote the script to disk; in the case of Figure 6, the payload was named \"thing.exe\".\r\nFigure 6 The contents of the shared batch script\r\nTies to Previous Attacks\r\nIn addition to the commonalities already identified in the communication protocols and the shared cleanup batch script used by the implants, the payloads also share code similarities with samples detailed in Operation Blockbuster. 
This is demonstrated by analyzing the following three samples, which behave in similar ways:\r\n032ccd6ae0a6e49ac93b7bd10c7d249f853fff3f5771a1fe3797f733f09db5a0\r\n79fe6576d0a26bd41f1f3a3a7bfeff6b5b7c867d624b004b21fadfdd49e6cb18\r\n520778a12e34808bd5cf7b3bdf7ce491781654b240d315a3a4d7eff50341fb18\r\nWe used these three samples to reach the conclusion that the samples investigated are tied to the Lazarus group.\r\nFirst, these three samples all use a unique method of executing a shell command on the system. An assembly function is passed four strings, some of which contain placeholders. The function interpolates the strings and builds a system command to be executed. The following four parameters are passed to the function:\r\n\"PM\",\r\n\"xe /\"\r\n\"md\"\r\n\"c%s.e%sc \\ \"%s \u003e %s 2\u003e\u00261\\\"\r\nThese are used not only in the implant we investigated, but also in the two other samples above. Additionally, many samples discussed in the Operation Blockbuster report also made use of this technique. Figure 7 shows the assembly from the unpacked implant (032ccd6ae0a6e49ac93b7bd10c7d249f853fff3f5771a1fe3797f733f09db5a0) delivered by our malicious document, with the string interpolation function being used.\r\nFigure 7 The string interpolation function assembly with library names from 032ccd6ae0a6e49ac93b7bd10c7d249f853fff3f5771a1fe3797f733f09db5a0\r\nFigure 8 shows the same string interpolation logic within a different sample (79fe6576d0a26bd41f1f3a3a7bfeff6b5b7c867d624b004b21fadfdd49e6cb18). 
The instructions are the same except where the system calls are replaced with DWORDs, which brings us to a second similarity.\r\nFigure 8 The string interpolation function assembly without library names from 79fe6576d0a26bd41f1f3a3a7bfeff6b5b7c867d624b004b21fadfdd49e6cb18\r\nThe second similarity ties this sample to a known Lazarus group sample (520778a12e34808bd5cf7b3bdf7ce491781654b240d315a3a4d7eff50341fb18). Upon execution, both samples set aside memory to be used as function pointers. These pointers are assigned values by a dedicated function in the binary. Other functions in the binary call the function pointers instead of calling the system libraries directly. The motivation for this indirection is unclear; however, it provides a distinctive feature that can be used for detection.\r\nThese two samples resolve system library functions in a similar yet slightly different manner. The sample known to belong to the Lazarus group uses this indirect library calling in addition to a function that further obfuscates the functions' names using a lookup table within a character substitution function. This character substitution aspect was removed in the newer samples. The purpose of removing this functionality between the original Operation Blockbuster report samples and these newer ones is unclear. 
Figure 9 displays how this character substitution function was called within the Lazarus group sample.\r\nFigure 9 The character substitution function from 520778a12e34808bd5cf7b3bdf7ce491781654b240d315a3a4d7eff50341fb18 being called\r\nSHA256 Hash | String Interpolation Function | System Library Obfuscation | Fake TLS Communications | Note\r\n032ccd6ae0a6e49ac93b7bd10c7d249f853fff3f5771a1fe3797f733f09db5a0 | Yes | No | Yes | Unpacked implant dropped by the initial malicious documents\r\n79fe6576d0a26bd41f1f3a3a7bfeff6b5b7c867d624b004b21fadfdd49e6cb18 | Yes | Yes | Yes | Related sample sharing the string interpolation logic with the initial payload and the Operation Blockbuster sample\r\n520778a12e34808bd5cf7b3bdf7ce491781654b240d315a3a4d7eff50341fb18 | Yes | Yes | Yes | Known Operation Blockbuster (Lazarus group) sample\r\nFigure 10: A comparison of features between samples\r\nFinal Thought\r\nOverlaps in network protocols, library name obfuscation, process creation string interpolation, and dropped batch file contents demonstrate a clear connection between the recent activity Unit 42 has identified and previously reported threat campaigns. As demonstrated by the malicious document contents, the targets of this new activity are likely Korean speakers, while the attackers are likely English and Korean speakers.\r\nIt is unlikely these threat actors will stop attacking their targets. 
Given the slight changes that have occurred within samples between reports, it is likely this group will continue to develop their tools and skillsets.\r\nCustomers using WildFire are protected from these threats and customers using AutoFocus can find samples from this campaign tagged as Blockbuster Sequel.\r\nIndicators of Compromise\r\nInitial Malicious Documents\r\ncec26d8629c5f223a120677a5c7fbd8d477f9a1b963f19d3f1195a7f94bc194b\r\nff58189452668d8c2829a0e9ba8a98a34482c4f2c5c363dc0671700ba58b7bee\r\nInitial Payload\r\n1322b5642e19586383e663613188b0cead91f30a0ab1004bf06f10d8b15daf65\r\n032ccd6ae0a6e49ac93b7bd10c7d249f853fff3f5771a1fe3797f733f09db5a0 (unpacked)\r\nTesting Malicious Documents\r\nAdditional Related 
Samples\r\nC2 Domains\r\ndaedong.or[.]kr\r\nkcnp.or[.]kr\r\nkosic.or[.]kr\r\nwstore[.]lt\r\nxkclub[.]hk\r\nC2 IPv4 
Addresses\r\nSource: http://researchcenter.paloaltonetworks.com/2017/04/unit42-the-blockbuster-sequel/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"http://researchcenter.paloaltonetworks.com/2017/04/unit42-the-blockbuster-sequel/"
	],
	"report_names": [
		"unit42-the-blockbuster-sequel"
	],
	"threat_actors": [
		{
			"id": "34eea331-d052-4096-ae03-a22f1d090bd4",
			"created_at": "2025-08-07T02:03:25.073494Z",
			"updated_at": "2026-04-10T02:00:03.709243Z",
			"deleted_at": null,
			"main_name": "NICKEL ACADEMY",
			"aliases": [
				"ATK3",
				"Black Artemis",
				"COVELLITE",
				"CTG-2460",
				"Citrine Sleet",
				"Diamond Sleet",
				"Guardians of Peace",
				"HIDDEN COBRA",
				"High Anonymous",
				"Labyrinth Chollima",
				"Lazarus Group",
				"NNPT Group",
				"New Romanic Cyber Army Team",
				"Temp.Hermit",
				"UNC577",
				"Who Am I?",
				"Whois Team",
				"ZINC"
			],
			"source_name": "Secureworks:NICKEL ACADEMY",
			"tools": [
				"Destover",
				"KorHigh",
				"Volgmer"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "68cc6e37-f16d-4995-a75b-5e8e2a6cbb3d",
			"created_at": "2024-05-01T02:03:07.943593Z",
			"updated_at": "2026-04-10T02:00:03.795229Z",
			"deleted_at": null,
			"main_name": "BRONZE EDISON",
			"aliases": [
				"APT4",
				"DarkSeoul",
				"Maverick Panda",
				"Salmon Typhoon",
				"Sodium",
				"Sykipot",
				"TG-0623",
				"getkys"
			],
			"source_name": "Secureworks:BRONZE EDISON",
			"tools": [
				"Gh0st RAT",
				"Wkysol",
				"ZxPortMap"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "732597b1-40a8-474c-88cc-eb8a421c29f1",
			"created_at": "2025-08-07T02:03:25.087732Z",
			"updated_at": "2026-04-10T02:00:03.776007Z",
			"deleted_at": null,
			"main_name": "NICKEL GLADSTONE",
			"aliases": [
				"APT38",
				"ATK 117",
				"Alluring Pisces",
				"Black Alicanto",
				"Bluenoroff",
				"CTG-6459",
				"Citrine Sleet",
				"HIDDEN COBRA",
				"Lazarus Group",
				"Sapphire Sleet",
				"Selective Pisces",
				"Stardust Chollima",
				"T-APT-15",
				"TA444",
				"TAG-71"
			],
			"source_name": "Secureworks:NICKEL GLADSTONE",
			"tools": [
				"AlphaNC",
				"Bankshot",
				"CCGC_Proxy",
				"Ratankba",
				"RustBucket",
				"SUGARLOADER",
				"SwiftLoader",
				"Wcry"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "a2b92056-9378-4749-926b-7e10c4500dac",
			"created_at": "2023-01-06T13:46:38.430595Z",
			"updated_at": "2026-04-10T02:00:02.971571Z",
			"deleted_at": null,
			"main_name": "Lazarus Group",
			"aliases": [
				"Operation DarkSeoul",
				"Bureau 121",
				"Group 77",
				"APT38",
				"NICKEL GLADSTONE",
				"G0082",
				"COPERNICIUM",
				"Moonstone Sleet",
				"Operation GhostSecret",
				"APT 38",
				"Appleworm",
				"Unit 121",
				"ATK3",
				"G0032",
				"ATK117",
				"NewRomanic Cyber Army Team",
				"Nickel Academy",
				"Sapphire Sleet",
				"Lazarus group",
				"Hastati Group",
				"Subgroup: Bluenoroff",
				"Operation Troy",
				"Black Artemis",
				"Dark Seoul",
				"Andariel",
				"Labyrinth Chollima",
				"Operation AppleJeus",
				"COVELLITE",
				"Citrine Sleet",
				"DEV-0139",
				"DEV-1222",
				"Hidden Cobra",
				"Bluenoroff",
				"Stardust Chollima",
				"Whois Hacking Team",
				"Diamond Sleet",
				"TA404",
				"BeagleBoyz",
				"APT-C-26"
			],
			"source_name": "MISPGALAXY:Lazarus Group",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "32a223a8-3c79-4146-87c5-8557d38662ae",
			"created_at": "2022-10-25T15:50:23.703698Z",
			"updated_at": "2026-04-10T02:00:05.261989Z",
			"deleted_at": null,
			"main_name": "Lazarus Group",
			"aliases": [
				"Lazarus Group",
				"Labyrinth Chollima",
				"HIDDEN COBRA",
				"Guardians of Peace",
				"NICKEL ACADEMY",
				"Diamond Sleet"
			],
			"source_name": "MITRE:Lazarus Group",
			"tools": [
				"RawDisk",
				"Proxysvc",
				"BADCALL",
				"FALLCHILL",
				"WannaCry",
				"MagicRAT",
				"HOPLIGHT",
				"TYPEFRAME",
				"Dtrack",
				"HotCroissant",
				"HARDRAIN",
				"Dacls",
				"KEYMARBLE",
				"TAINTEDSCRIBE",
				"AuditCred",
				"netsh",
				"ECCENTRICBANDWAGON",
				"AppleJeus",
				"BLINDINGCAN",
				"ThreatNeedle",
				"Volgmer",
				"Cryptoistic",
				"RATANKBA",
				"Bankshot"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "f32df445-9fb4-4234-99e0-3561f6498e4e",
			"created_at": "2022-10-25T16:07:23.756373Z",
			"updated_at": "2026-04-10T02:00:04.739611Z",
			"deleted_at": null,
			"main_name": "Lazarus Group",
			"aliases": [
				"APT-C-26",
				"ATK 3",
				"Appleworm",
				"Citrine Sleet",
				"DEV-0139",
				"Diamond Sleet",
				"G0032",
				"Gleaming Pisces",
				"Gods Apostles",
				"Gods Disciples",
				"Group 77",
				"Guardians of Peace",
				"Hastati Group",
				"Hidden Cobra",
				"ITG03",
				"Jade Sleet",
				"Labyrinth Chollima",
				"Lazarus Group",
				"NewRomanic Cyber Army Team",
				"Operation 99",
				"Operation AppleJeus",
				"Operation AppleJeus sequel",
				"Operation Blockbuster: Breach of Sony Pictures Entertainment",
				"Operation CryptoCore",
				"Operation Dream Job",
				"Operation Dream Magic",
				"Operation Flame",
				"Operation GhostSecret",
				"Operation In(ter)caption",
				"Operation LolZarus",
				"Operation Marstech Mayhem",
				"Operation No Pineapple!",
				"Operation North Star",
				"Operation Phantom Circuit",
				"Operation Sharpshooter",
				"Operation SyncHole",
				"Operation Ten Days of Rain / DarkSeoul",
				"Operation Troy",
				"SectorA01",
				"Slow Pisces",
				"TA404",
				"TraderTraitor",
				"UNC2970",
				"UNC4034",
				"UNC4736",
				"UNC4899",
				"UNC577",
				"Whois Hacking Team"
			],
			"source_name": "ETDA:Lazarus Group",
			"tools": [
				"3CX Backdoor",
				"3Rat Client",
				"3proxy",
				"AIRDRY",
				"ARTFULPIE",
				"ATMDtrack",
				"AlphaNC",
				"Alreay",
				"Andaratm",
				"AngryRebel",
				"AppleJeus",
				"Aryan",
				"AuditCred",
				"BADCALL",
				"BISTROMATH",
				"BLINDINGCAN",
				"BTC Changer",
				"BUFFETLINE",
				"BanSwift",
				"Bankshot",
				"Bitrep",
				"Bitsran",
				"BlindToad",
				"Bookcode",
				"BootWreck",
				"BottomLoader",
				"Brambul",
				"BravoNC",
				"Breut",
				"COLDCAT",
				"COPPERHEDGE",
				"CROWDEDFLOUNDER",
				"Castov",
				"CheeseTray",
				"CleanToad",
				"ClientTraficForwarder",
				"CollectionRAT",
				"Concealment Troy",
				"Contopee",
				"CookieTime",
				"Cyruslish",
				"DAVESHELL",
				"DBLL Dropper",
				"DLRAT",
				"DRATzarus",
				"DRATzarus RAT",
				"Dacls",
				"Dacls RAT",
				"DarkComet",
				"DarkKomet",
				"DeltaCharlie",
				"DeltaNC",
				"Dembr",
				"Destover",
				"DoublePulsar",
				"Dozer",
				"Dtrack",
				"Duuzer",
				"DyePack",
				"ECCENTRICBANDWAGON",
				"ELECTRICFISH",
				"Escad",
				"EternalBlue",
				"FALLCHILL",
				"FYNLOS",
				"FallChill RAT",
				"Farfli",
				"Fimlis",
				"FoggyBrass",
				"FudModule",
				"Fynloski",
				"Gh0st RAT",
				"Ghost RAT",
				"Gopuram",
				"HARDRAIN",
				"HIDDEN COBRA RAT/Worm",
				"HLOADER",
				"HOOKSHOT",
				"HOPLIGHT",
				"HOTCROISSANT",
				"HOTWAX",
				"HTTP Troy",
				"Hawup",
				"Hawup RAT",
				"Hermes",
				"HotCroissant",
				"HotelAlfa",
				"Hotwax",
				"HtDnDownLoader",
				"Http Dr0pper",
				"ICONICSTEALER",
				"Joanap",
				"Jokra",
				"KANDYKORN",
				"KEYMARBLE",
				"Kaos",
				"KillDisk",
				"KillMBR",
				"Koredos",
				"Krademok",
				"LIGHTSHIFT",
				"LIGHTSHOW",
				"LOLBAS",
				"LOLBins",
				"Lazarus",
				"LightlessCan",
				"Living off the Land",
				"MATA",
				"MBRkiller",
				"MagicRAT",
				"Manuscrypt",
				"Mimail",
				"Mimikatz",
				"Moudour",
				"Mydoom",
				"Mydoor",
				"Mytob",
				"NACHOCHEESE",
				"NachoCheese",
				"NestEgg",
				"NickelLoader",
				"NineRAT",
				"Novarg",
				"NukeSped",
				"OpBlockBuster",
				"PCRat",
				"PEBBLEDASH",
				"PLANKWALK",
				"POOLRAT",
				"PSLogger",
				"PhanDoor",
				"Plink",
				"PondRAT",
				"PowerBrace",
				"PowerRatankba",
				"PowerShell RAT",
				"PowerSpritz",
				"PowerTask",
				"Preft",
				"ProcDump",
				"Proxysvc",
				"PuTTY Link",
				"QUICKRIDE",
				"QUICKRIDE.POWER",
				"Quickcafe",
				"QuiteRAT",
				"R-C1",
				"ROptimizer",
				"Ratabanka",
				"RatabankaPOS",
				"Ratankba",
				"RatankbaPOS",
				"RawDisk",
				"RedShawl",
				"Rifdoor",
				"Rising Sun",
				"Romeo-CoreOne",
				"RomeoAlfa",
				"RomeoBravo",
				"RomeoCharlie",
				"RomeoCore",
				"RomeoDelta",
				"RomeoEcho",
				"RomeoFoxtrot",
				"RomeoGolf",
				"RomeoHotel",
				"RomeoMike",
				"RomeoNovember",
				"RomeoWhiskey",
				"Romeos",
				"RustBucket",
				"SHADYCAT",
				"SHARPKNOT",
				"SIGFLIP",
				"SIMPLESEA",
				"SLICKSHOES",
				"SORRYBRUTE",
				"SUDDENICON",
				"SUGARLOADER",
				"SheepRAT",
				"SierraAlfa",
				"SierraBravo",
				"SierraCharlie",
				"SierraJuliett-MikeOne",
				"SierraJuliett-MikeTwo",
				"SimpleTea",
				"SimplexTea",
				"SmallTiger",
				"Stunnel",
				"TAINTEDSCRIBE",
				"TAXHAUL",
				"TFlower",
				"TOUCHKEY",
				"TOUCHMOVE",
				"TOUCHSHIFT",
				"TOUCHSHOT",
				"TWOPENCE",
				"TYPEFRAME",
				"Tdrop",
				"Tdrop2",
				"ThreatNeedle",
				"Tiger RAT",
				"TigerRAT",
				"Trojan Manuscript",
				"Troy",
				"TroyRAT",
				"VEILEDSIGNAL",
				"VHD",
				"VHD Ransomware",
				"VIVACIOUSGIFT",
				"VSingle",
				"ValeforBeta",
				"Volgmer",
				"Vyveva",
				"W1_RAT",
				"Wana Decrypt0r",
				"WanaCry",
				"WanaCrypt",
				"WanaCrypt0r",
				"WannaCry",
				"WannaCrypt",
				"WannaCryptor",
				"WbBot",
				"Wcry",
				"Win32/KillDisk.NBB",
				"Win32/KillDisk.NBC",
				"Win32/KillDisk.NBD",
				"Win32/KillDisk.NBH",
				"Win32/KillDisk.NBI",
				"WinorDLL64",
				"Winsec",
				"WolfRAT",
				"Wormhole",
				"YamaBot",
				"Yort",
				"ZetaNile",
				"concealment_troy",
				"http_troy",
				"httpdr0pper",
				"httpdropper",
				"klovbot",
				"sRDI"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434294,
	"ts_updated_at": 1775826786,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/4926ca2eabc38ec56ab8fda283c75777ccdc6f2d.pdf",
		"text": "https://archive.orkl.eu/4926ca2eabc38ec56ab8fda283c75777ccdc6f2d.txt",
		"img": "https://archive.orkl.eu/4926ca2eabc38ec56ab8fda283c75777ccdc6f2d.jpg"
	}
}