{
	"id": "51403957-77ab-4df6-a4ce-c20a998e140d",
	"created_at": "2026-04-06T00:13:23.097207Z",
	"updated_at": "2026-04-10T13:11:49.097411Z",
	"deleted_at": null,
	"sha1_hash": "4bd0086572a16e8d607480221b5daa24dce24bc3",
	"title": "Red flags flew over software supply chain-compromised 3CX update | ReversingLabs",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 75926,
	"plain_text": "Red flags flew over software supply chain-compromised 3CX\r\nupdate | ReversingLabs\r\nBy Karlo Zanki, Reverse Engineer at ReversingLabsKarlo Zanki\r\nPublished: 2023-03-30 · Archived: 2026-04-05 12:46:21 UTC\r\nReversingLabs is analyzing a supply chain compromise of the firm 3CX Ltd., a maker of enterprise voice over IP\r\n(VOIP) solutions. Beginning on March 22nd, 2023, compromised versions of the 3CXDesktopApp, a desktop\r\nclient version of the company’s VoIP software, were found to contain malicious code.\r\nWhile more time and effort will be needed to fully reconstruct and study this incident, our analysis of the\r\nmalicious files used in the attack points strongly to a compromise of 3CX’s software build pipeline, resulting in\r\nmodifications that inserted malicious code to the 3CXDesktopApp software package.\r\nThere are many possible explanations for how such a thing could happen. However, our analysts focused on\r\ninvestigating the two most likely scenarios: a compromise of the 3CX development pipeline that resulted in\r\nmalicious code being added during the build, or the possibility of a malicious dependency being served by a\r\npackage repository. The former is represented by the SolarWinds incident while the latter theory is closer to the\r\nsupply chain attacks commonly found in open source repositories like npm and PyPI.\r\nReversingLabs analysis shows that attackers appended RC4 encrypted shellcode into the signature appendix of\r\nd3dcompiler.dll, a standard library used with OpenJS Electron applications such as 3CXDesktopApp. Another\r\nstandard Electron application module, ffmpeg was modified with code to extract and run the malicious content\r\nfrom the d3dcompiler file.\r\nEvidence of those changes are clearly visible when comparing images of “clean” versions of the 3CXDesktopApp\r\nwith subsequent, tampered versions. 
The ReversingLabs Software Supply Chain Security platform identified signatures in the appended code pointing to SigFlip, a tool for modifying Authenticode-signed Portable Executable (PE) files without breaking the existing signature. Subsequently, our threat research platform linked the malicious code added to the ffmpeg library to code found in SigLoader, another malicious tool used by an advanced persistent threat group in multiple campaigns.\r\nAs was the case with the compromise of SolarWinds’ Orion software, the manner in which the malicious code was added to the 3CXDesktopApp is of little value to 3CX customers who downloaded malicious code onto internal systems. However, it should be of intense interest to organizations engaged in software development, as it points to the need for increased scrutiny of compiled software images to detect malicious code, unexplained modifications or other discrepancies that may be a critical, early indicator of a supply chain compromise.\r\nhttps://www.reversinglabs.com/blog/red-flags-fly-over-supply-chain-compromised-3cx-update\r\nPage 1 of 7\n\nIntroduction\r\n3CX is a developer of VoIP IP PBX software. 
The 3CX Phone System is used by more than 600,000 companies worldwide and counts more than 12 million daily users, including firms in the automotive, manufacturing, healthcare, aviation and other industries.\r\nBeginning around March 22, 2023, customers of voice over IP (VoIP) vendor 3CX started peppering the company’s support groups with complaints about an update to the company’s 3CXDesktopApp client running afoul of endpoint detection and response products, which were flagging the update as malicious.\r\nThe troubles with the 3CXDesktopApp simmered quietly for days, with customers wondering about “false positives,” until, on Wednesday, reports from a string of endpoint security firms including CrowdStrike and SentinelOne confirmed what many suspected: the warnings from endpoint protection software were not in error, and the 3CXDesktopApp had been compromised. By Thursday morning, 3CX’s CEO, Nick Galea, made it official.\r\n“As many of you have noticed the 3CX DesktopApp has a malware (sp) in it,” Galea wrote in a post to a 3CX support page. “It affects the Windows Electron client for customers running update 7. It was reported to us yesterday night and we are working on an update to the DesktopApp which we will release in the coming hours.”\r\nGalea advised uninstalling the malicious app and promised more information on the incident.\r\nFor customers affected by the incident, the 3CX compromise is serious. CrowdStrike and others have attributed the incident to a threat actor dubbed “LABYRINTH CHOLLIMA,” believed to be associated with the government of North Korea and known for targeting military and political entities. Many of the customers that downloaded the malicious update did not see malicious code activated in their environment. 
However, CrowdStrike wrote that it has observed malicious activity, including hands-on-keyboard actions, in a number of 3CXDesktopApp customer environments.\r\nMuch will be written about the “what” and the “who” of the attack (which APT group is responsible). We would like to focus on the “how.” That is, how did malicious actors place information-stealing code within a signed 3CXDesktopApp software update?\r\nOur analysis of the malicious update points either to a compromise of the 3CX development pipeline that resulted in malicious code being added during the build, or to a malicious dependency being served by a package repository. The attack on 3CX, though sophisticated, had clear indicators that could have tipped off 3CX to the breach before customer systems were affected.\r\nDetecting the 3CX compromise with differential analysis\r\nThe ReversingLabs Software Supply Chain Security (SSCS) platform analyzes software packages prior to release or at any stage during development. Run as a final step in the build process, the platform sees the finished software artifact, which gives it the ability to detect the many forms a software supply chain attack can take. Scanning binaries, without presuming that the source is available, can surface software supply chain compromises within the developer’s source code, their build environment, or the dependencies used to assemble the final software package.\r\nA required capability for detecting supply chain compromises is the ability to track the evolution of software packages through differential analysis of their contents. This includes the raw metadata properties of each software component in the release, as well as their respective behaviors. 
Odd or inexplicable changes between builds should be treated as cause to investigate a possible compromise. This becomes even more important when software packages include components that are pre-compiled at offsite locations and, therefore, not subject to review prior to deployment.\r\nChanges introduced in 18.12 had red flags\r\nIn the case of the 3CXDesktopApp, 3CX distributed macOS DMG and Windows MSI installer packages containing the compromised update. ReversingLabs has also identified a NuGet package containing version 18.12.416 of the 3CXDesktopApp among the compromised artifacts we analyzed.\r\nWhen we look at the MSI packages distributed by 3CX through our solution and diff v18.11.1213 (the last known good version) against v18.12.407 (the first known compromised version), a number of red flags pop up that are cause for a deeper investigation.\r\nFor example, ReversingLabs Software Supply Chain Security policy SQ20116 detects that a Microsoft-signed binary has been modified post-signing without breaking the signature’s integrity. This is not something that would normally happen during the build process, and it is not something that could happen inadvertently. A developer would have to make a deliberate choice to alter a signed binary this way, and there is no legitimate reason to do so, least of all to a Microsoft component that 3CX does not own and cannot re-sign.\r\nThe signature survives such a modification because the Authenticode hash deliberately excludes the attribute certificate table (the PE security directory) that holds the signature itself, so bytes parked inside that table change nothing the signature covers. Windows can be configured to reject files whose certificate table carries such extra data (the opt-in EnableCertPaddingCheck registry setting shipped with the fix for CVE-2013-3900), but that stricter check is off by default, so most verifiers still report the file as validly signed.\r\nAppending to a signed binary is therefore a great technique for ferrying malicious code onto a system under the cover of a digitally signed (and therefore “legitimate”) binary. Freely available, off-the-shelf tools like SigFlip and SigLoader facilitate these kinds of operations. 
For that reason, the ReversingLabs supply chain security solution makes the following recommendation when it encounters a digitally signed binary that has been modified post-signing:\r\nInvestigate: Take a closer look at these kinds of files, because malware commonly tries to go unnoticed by hiding within these validation gaps.\r\nThis warning popped up in our analysis of 3CXDesktopApp in association with d3dcompiler_47, a standard library used with OpenJS Electron applications such as 3CXDesktopApp. Adding to the alarm was the behavior of another standard Electron file, ffmpeg, which we saw referencing the tampered d3dcompiler_47 file.\r\nOther indicators of malicious intent were hard to come by, as the malware hides itself as a statically linked function within the ffmpeg library. But even without observing the malware execute, there is enough suspicious activity in the diff between the two 3CXDesktopApp updates to warrant a deeper investigation.\r\nDigging into the suspicious changes\r\nThe choice of these two DLLs, ffmpeg and d3dcompiler_47, by the threat actors behind this attack was no accident. The target in question, 3CXDesktopApp, is built on the Electron open source framework. Both libraries usually ship with the Electron runtime and, therefore, are unlikely to raise suspicion within customer environments. Additionally, d3dcompiler_47, the tampered-with file, is signed with a certificate issued to Microsoft Corporation, and the Windows digital signature details report no issues with the signature. 
For endpoint protection applications, a signed binary using a legitimate certificate from a reputable firm like Microsoft is likely to get the “green light”.\r\nFigure 1: Windows digital signature details for d3dcompiler_47\r\nThe “smoking gun,” in this case, was the combination of RC4-encrypted shellcode in the signature appendix of d3dcompiler_47 and a new reference to that library added to the ffmpeg library.\r\nThere was no sensible explanation for these changes: d3dcompiler_47 had undergone no functional change that would warrant them. That pointed toward malicious functionality having been added to the ffmpeg library, and detailed analysis confirmed that malicious code was added to that DLL. It is invoked shortly after the call to its entry point to extract the RC4-encrypted content from the signature appendix of d3dcompiler_47.\r\nWhen we looked more closely, we saw that the beginning of the RC4-encrypted content was marked by a signature: 0xFE 0xED 0xFA 0xCE 0xFE 0xED 0xFA 0xCE. That specific sequence of bytes is what we term a “magic signature”, a value that the program seeks and interprets in a specific way. In this case, the sequence is known to be associated with the SigLoader tool.\r\nWhen SigLoader encounters this signature, it knows that a malicious shellcode payload follows immediately after the sequence, which it will extract and decrypt. 
And, indeed, the rest of the appended data after that initial signature contains the encrypted shellcode, which is decrypted using the RC4 key: 3jB(2bsG#@c7\r\nAppending data to a signed executable and using this specific magic byte signature are strong signs that the loader payloads were created using SigFlip, a tool designed “for patching authenticode signed PE files without invalidating or breaking the existing signature.” Finally, the code responsible for loading the encrypted data that was added to the ffmpeg library is identical to code found in the SigLoader tool. This is a known technique used by APT10 in multiple campaigns or intrusion sets.\r\nIn this incident, the decrypted payload is shellcode containing another embedded DLL file that downloads URLs pointing to C2 infrastructure from a GitHub repository hosting harmless icon files. The URLs pointing to C2 infrastructure are encrypted with AES, Base64 encoded and appended to the ends of the legitimate icon files.\r\nFigure 2: Showing the similarity of loader code found in ffmpeg (above) and the SigLoader tool (below).\r\nMetadata clues point to 3CX compromise\r\nThe exact circumstances and early stages of the 3CX breach aren’t known. However, our examination of the metadata from the compromised packages provides important insights into the incident and suggests that there were clues that 3CX could have picked up on that something was amiss with its latest desktop client update.\r\nBased on data from our threat research platform, we can say with confidence that most Electron applications found in the ReversingLabs Cloud have identical PE compilation timestamps for the files in the application. That is because the compile times are predetermined and set by the build system, resulting in compilation stamps that are identical. 
There is simply no other way to explain how so many files would be built in the exact same second.\r\nIn the case of the compromised 3CXDesktopApp Electron applications, however, these compilation timestamps differed. The first timestamp, found on the majority of the DLLs within the compromised installer package, is 2022-11-30T15:56:23Z. That correlates with the Electron build used by the 3CX development team, Electron v19.1.9.\r\nThe second timestamp we discovered applied only to the ffmpeg file. It was 2022-11-12T04:12:14Z and is associated with the Electron build used by the malware authors. Furthermore, two of the malicious ffmpeg variants were digitally signed with a legitimate certificate issued to the 3CX company.\r\nWhat can we conclude from this? Based on this information, we estimate that the supply chain incident was caused by the compromise of the repository from which the Electron application binaries were fetched during the build process. As part of the attack, legitimate versions of the ffmpeg and d3dcompiler libraries in the compromised repository were likely replaced with malicious versions compiled by the attackers after modifying publicly available ffmpeg source code.\r\nUnlike the legitimate ffmpeg files, the malicious files have their Program Database (PDB) debug information stripped, removing any data that could reveal the real build time or link them to the attackers’ development environment.\r\nOnce that substitution happened, the rest of the attack was smooth sailing. 3CX’s build process was likely designed to automatically sign the latest available components, third-party or otherwise, and include them in the software release package. 
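The two file-level checks described above, the SigFlip-style data parked behind an Authenticode signature and the PE compile timestamp that disagrees with the rest of the bundle, as an added example in Python. This is not ReversingLabs’ or 3CX’s code: it assumes a constructed, unsigned PE32+ image whose certificate table holds a placeholder DER SEQUENCE in place of a real PKCS#7 signature, and the module names in the sample bundle are stand-ins chosen to mirror the article. The SigLoader magic bytes, the RC4 key and the two timestamps are the values reported above.

```python
# Added example, not code from ReversingLabs or 3CX. Walks a PE image to the
# Authenticode certificate table, looks for data beyond the PKCS#7 signature,
# and decrypts a SigLoader-style payload found there; it also flags modules
# whose PE compile timestamp disagrees with the rest of the bundle.
import datetime
import struct
from collections import Counter

SIGLOADER_MAGIC = bytes.fromhex('feedfacefeedface')  # magic reported in the article
RC4_KEY = b'3jB(2bsG#@c7'                            # RC4 key reported in the article
PE_SIGNATURE = bytes.fromhex('50450000')             # 'PE' followed by two NUL bytes
T_3CX_BUILD = 1669823783       # 2022-11-30T15:56:23Z, the stamp on most DLLs in the package
T_ATTACKER_BUILD = 1668226334  # 2022-11-12T04:12:14Z, the stamp found only on ffmpeg.dll

def rc4(key, data):
    # Plain RC4 (key scheduling + keystream); symmetric, so it also decrypts.
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xff
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for c in data:
        i = (i + 1) & 0xff
        j = (j + s[i]) & 0xff
        s[i], s[j] = s[j], s[i]
        out.append(c ^ s[(s[i] + s[j]) & 0xff])
    return bytes(out)

def parse_pe(data):
    # Header walk: compile timestamp from IMAGE_FILE_HEADER and the security
    # data directory (index 4). Its VirtualAddress is a file offset, not an RVA.
    e_lfanew = struct.unpack_from('<I', data, 0x3c)[0]
    if data[e_lfanew:e_lfanew + 4] != PE_SIGNATURE:
        raise ValueError('not a PE image')
    _, _, timestamp, _, _, _, _ = struct.unpack_from('<HHIIIHH', data, e_lfanew + 4)
    opt = e_lfanew + 24
    magic = struct.unpack_from('<H', data, opt)[0]
    dirs = opt + (112 if magic == 0x20b else 96)      # PE32+ vs PE32 layout
    sec_off, sec_size = struct.unpack_from('<II', data, dirs + 4 * 8)
    return {'timestamp': timestamp, 'sec_off': sec_off, 'sec_size': sec_size}

def der_total_length(buf):
    # Total length (header included) of the outer DER SEQUENCE, i.e. the
    # PKCS#7 SignedData that Authenticode stores in the certificate table.
    if buf[0] != 0x30:
        raise ValueError('certificate blob does not start with a DER SEQUENCE')
    first = buf[1]
    if first < 0x80:
        return 2 + first
    n = first & 0x7f
    return 2 + n + int.from_bytes(buf[2:2 + n], 'big')

def signature_appendix(data):
    # Bytes inside WIN_CERTIFICATE that lie past the end of the PKCS#7 blob.
    # The Authenticode hash skips this whole table, so the signature stays valid
    # no matter what is parked here. Up to 7 bytes is 8-byte alignment padding.
    hdr = parse_pe(data)
    if hdr['sec_size'] == 0:
        return b''
    blob = data[hdr['sec_off']:hdr['sec_off'] + hdr['sec_size']]
    dw_length = struct.unpack_from('<IHH', blob, 0)[0]   # dwLength, wRevision, wCertificateType
    pkcs7 = blob[8:dw_length]
    tail = pkcs7[der_total_length(pkcs7):]
    return tail if len(tail) >= 8 else b''

def extract_sigloader_payload(data, key=RC4_KEY):
    # Decrypted payload that follows the SigLoader magic, or None if absent.
    tail = signature_appendix(data)
    idx = tail.find(SIGLOADER_MAGIC)
    if idx < 0:
        return None
    return rc4(key, tail[idx + len(SIGLOADER_MAGIC):])

def timestamp_outliers(modules):
    # modules: {filename: pe_bytes}. A build system stamps every module of an
    # Electron bundle with the same TimeDateStamp; report the ones that differ.
    stamps = {name: parse_pe(b)['timestamp'] for name, b in modules.items()}
    majority = Counter(stamps.values()).most_common(1)[0][0]
    return sorted(name for name, ts in stamps.items() if ts != majority)

def iso_timestamp(ts):
    return datetime.datetime.fromtimestamp(ts, datetime.timezone.utc).strftime('%Y-%m-%dT%H:%M:%SZ')

def build_sample_pe(timestamp, appendix=b''):
    # Constructed test image (assumption): headers only, no sections, and a
    # placeholder DER SEQUENCE standing in for a real PKCS#7 signature.
    placeholder_pkcs7 = bytes.fromhex('300404024141')   # SEQUENCE { OCTET STRING 'AA' }
    body = placeholder_pkcs7 + appendix
    body += bytes((8 - len(body) % 8) % 8)             # quadword alignment, as Authenticode does
    win_cert = struct.pack('<IHH', 8 + len(body), 0x0200, 0x0002) + body
    e_lfanew = 0x40
    dos = bytearray(e_lfanew)
    dos[0:2] = b'MZ'
    struct.pack_into('<I', dos, 0x3c, e_lfanew)
    opt_size = 112 + 16 * 8                            # PE32+ fixed part + 16 data directories
    file_hdr = struct.pack('<HHIIIHH', 0x8664, 0, timestamp, 0, 0, opt_size, 0x2022)
    opt = bytearray(opt_size)
    struct.pack_into('<H', opt, 0, 0x20b)
    struct.pack_into('<I', opt, 108, 16)
    cert_offset = e_lfanew + 4 + 20 + opt_size
    struct.pack_into('<II', opt, 112 + 4 * 8, cert_offset, len(win_cert))
    return bytes(dos) + PE_SIGNATURE + file_hdr + bytes(opt) + win_cert

def demo():
    # Constructed bundle mirroring the article: ffmpeg.dll carries the odd
    # timestamp and d3dcompiler_47.dll carries an encrypted blob behind its signature.
    shellcode = b'constructed shellcode placeholder!'
    appendix = SIGLOADER_MAGIC + rc4(RC4_KEY, shellcode)
    bundle = {
        'electron.exe': build_sample_pe(T_3CX_BUILD),
        'libEGL.dll': build_sample_pe(T_3CX_BUILD),
        'ffmpeg.dll': build_sample_pe(T_ATTACKER_BUILD),
        'd3dcompiler_47.dll': build_sample_pe(T_3CX_BUILD, appendix),
    }
    return timestamp_outliers(bundle), extract_sigloader_payload(bundle['d3dcompiler_47.dll'])
```

Against a real installer the same functions would run over every signed module extracted from the package; anything signature_appendix returns beyond alignment padding is the condition policy SQ20116 flags, and the decrypted bytes would be handed on for analysis rather than assumed to be anything in particular. The demo returns (['ffmpeg.dll'], b'constructed shellcode placeholder!').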
\r\nThe practical consequence is that the malicious ffmpeg library, once fetched from the (compromised) repository, was signed with 3CX’s own certificate, so the attackers had no need to steal the company’s signing keys.\r\nThere is no data to indicate whether the compromised repository was deployed locally at 3CX or hosted elsewhere. Based on public statements from the company, we can infer that the malicious ffmpeg and d3dcompiler were hosted somewhere on GitHub. ReversingLabs has, so far, been unable to confirm this with the telemetry data currently available to us. From what we have seen, there is no evidence that a malicious repository is, or was, hosted on GitHub, and no evidence that other developers may be at risk from having consumed the same malicious code as 3CX did.\r\nConclusion\r\nAs the saying goes, “It is not ‘if’ you will be hacked, but ‘when.’” That is true even for sophisticated operations like software supply chain attacks. Recent history has shown that malicious actors are growing more and more interested in the access provided by development pipelines, open source and third-party code, and more.\r\nDevelopment organizations cannot keep from being targeted. However, there are ways they can reduce the impact of any malicious campaign against them. Doing that requires them to be attuned to the techniques and methods that malicious actors use.\r\nIn the case of the compromise of the VoIP vendor 3CX, there is a lot that is still unknown about how the attack was carried out, or who its intended targets were. However, ReversingLabs analysis of the modifications made to the company’s 3CXDesktopApp suggests that there were telltale signs of tampering with the company’s desktop client software prior to its release. 
Had these signs been noticed during development, they should have triggered a closer analysis of the software release and, possibly, discovery of the breach and the malicious code additions.\r\nAs we have shown, evidence of changes to the 3CXDesktopApp is clearly visible in a comparison of “clean” and tampered versions of the client software, changes that point to the use of SigFlip and SigLoader, known suspicious/malicious off-the-shelf tools in the tool belt of advanced persistent threat (APT) actors.\r\nAs with the compromise of the SolarWinds Orion codebase, this incident underscores the need for development organizations to look beyond the risks posed by software vulnerabilities and insecure code. Threats such as malicious open source modules, tampering with software dependencies and attacks on internally developed modules and builds are growing. When successful, these attacks threaten not only the security and reputation of the affected software firm, but those of all its customers as well. 
Detecting such threats during development and before software ships is key to preventing the next 3CX-style incident.\r\nIndicators of Compromise (IOC) list\r\nfilename sha1\r\n3cxdesktopapp-18.12.407.msi bea77d1e59cf18dce22ad9a2fad52948fd7a9efa\r\n3cxdesktopapp-18.12.416.msi bfecb8ce89a312d2ef4afc64a63847ae11c6f69e\r\n3CXDesktopApp-18.12.416-full.nupkg f7f1b34c2770d83e2250e19c8425a4bec56617fd\r\n3CXDesktopApp_v18.12.407.0.exe 6285ffb5f98d35cd98e78d48b63a05af6e4e4dea\r\n3CXDesktopApp_v18.12.416.0.exe 8433a94aedb6380ac8d4610af643fb0e5220c5cb\r\nffmpeg.dll bf939c9c261d27ee7bb92325cc588624fca75429\r\nffmpeg.dll 188754814b37927badc988b45b7c7f7d6b4c8dd3\r\nffmpeg.dll ff3dd457c0d00d00d396fdf6ebe7c254fed2a91e\r\nd3dcompiler_47_v10.0.20348.1.dll 20d554a80d759c50d6537dd7097fed84dd258b3e\r\ndecrypted shellcode 8b81f6012fd748f0fed53eeef72164435ad618ac\r\nsamcli.dll (embedded in shellcode) 3b88cda62cdd918b62ef5aa8c5a73a46f176d18b\r\n3CXDesktopApp-18.11.1213.dmg 19f4036f5cd91c5fc411afc4359e32f90caddaac\r\n3CXDesktopApp-18.12.416.dmg 3dc840d32ce86cebf657b17cef62814646ba8e98\r\nlibffmpeg.dylib (universal) b2a89eebb5be61939f5458a024c929b169b4dc85\r\nlibffmpeg.dylib (universal) 769383fc65d1386dd141c960c9970114547da0c2\r\nlibffmpeg.dylib (x86-64) 354251ca9476549c391fbd5b87e81a21a95949f4\r\nlibffmpeg.dylib (x86-64) 5b0582632975d230c8f73c768b9ef39669fefa60\r\nSource: https://www.reversinglabs.com/blog/red-flags-fly-over-supply-chain-compromised-3cx-update",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://www.reversinglabs.com/blog/red-flags-fly-over-supply-chain-compromised-3cx-update"
	],
	"report_names": [
		"red-flags-fly-over-supply-chain-compromised-3cx-update"
	],
	"threat_actors": [
		{
			"id": "34eea331-d052-4096-ae03-a22f1d090bd4",
			"created_at": "2025-08-07T02:03:25.073494Z",
			"updated_at": "2026-04-10T02:00:03.709243Z",
			"deleted_at": null,
			"main_name": "NICKEL ACADEMY",
			"aliases": [
				"ATK3 ",
				"Black Artemis ",
				"COVELLITE ",
				"CTG-2460 ",
				"Citrine Sleet ",
				"Diamond Sleet ",
				"Guardians of Peace",
				"HIDDEN COBRA ",
				"High Anonymous",
				"Labyrinth Chollima ",
				"Lazarus Group ",
				"NNPT Group",
				"New Romanic Cyber Army Team",
				"Temp.Hermit ",
				"UNC577 ",
				"Who Am I?",
				"Whois Team",
				"ZINC "
			],
			"source_name": "Secureworks:NICKEL ACADEMY",
			"tools": [
				"Destover",
				"KorHigh",
				"Volgmer"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "04b07437-41bb-4126-bcbb-def16f19d7c6",
			"created_at": "2022-10-25T16:07:24.232628Z",
			"updated_at": "2026-04-10T02:00:04.906097Z",
			"deleted_at": null,
			"main_name": "Stone Panda",
			"aliases": [
				"APT 10",
				"ATK 41",
				"Bronze Riverside",
				"CTG-5938",
				"CVNX",
				"Cuckoo Spear",
				"Earth Kasha",
				"G0045",
				"G0093",
				"Granite Taurus",
				"Happyyongzi",
				"Hogfish",
				"ITG01",
				"Operation A41APT",
				"Operation Cache Panda",
				"Operation ChessMaster",
				"Operation Cloud Hopper",
				"Operation Cuckoo Spear",
				"Operation New Battle",
				"Operation Soft Cell",
				"Operation TradeSecret",
				"Potassium",
				"Purple Typhoon",
				"Red Apollo",
				"Stone Panda",
				"TA429",
				"menuPass",
				"menuPass Team"
			],
			"source_name": "ETDA:Stone Panda",
			"tools": [
				"Agent.dhwf",
				"Agentemis",
				"Anel",
				"AngryRebel",
				"BKDR_EVILOGE",
				"BKDR_HGDER",
				"BKDR_NVICM",
				"BUGJUICE",
				"CHINACHOPPER",
				"ChChes",
				"China Chopper",
				"Chymine",
				"CinaRAT",
				"Cobalt Strike",
				"CobaltStrike",
				"DARKTOWN",
				"DESLoader",
				"DILLJUICE",
				"DILLWEED",
				"Darkmoon",
				"DelfsCake",
				"Derusbi",
				"Destroy RAT",
				"DestroyRAT",
				"Ecipekac",
				"Emdivi",
				"EvilGrab",
				"EvilGrab RAT",
				"FYAnti",
				"Farfli",
				"Gen:Trojan.Heur.PT",
				"Gh0st RAT",
				"Ghost RAT",
				"GreetCake",
				"HAYMAKER",
				"HEAVYHAND",
				"HEAVYPOT",
				"HTran",
				"HUC Packet Transmit Tool",
				"Ham Backdoor",
				"HiddenFace",
				"Impacket",
				"Invoke the Hash",
				"KABOB",
				"Kaba",
				"Korplug",
				"LODEINFO",
				"LOLBAS",
				"LOLBins",
				"Living off the Land",
				"MiS-Type",
				"Mimikatz",
				"Moudour",
				"Mydoor",
				"NBTscan",
				"NOOPDOOR",
				"Newsripper",
				"P8RAT",
				"PCRat",
				"PlugX",
				"Poison Ivy",
				"Poldat",
				"PowerSploit",
				"PowerView",
				"PsExec",
				"PsList",
				"Quarks PwDump",
				"Quasar RAT",
				"QuasarRAT",
				"RedDelta",
				"RedLeaves",
				"Rubeus",
				"SNUGRIDE",
				"SPIVY",
				"SharpSploit",
				"SigLoader",
				"SinoChopper",
				"SodaMaster",
				"Sogu",
				"TIGERPLUG",
				"TVT",
				"Thoper",
				"Trochilus RAT",
				"UpperCut",
				"Vidgrab",
				"WinRAR",
				"WmiExec",
				"Wmonder",
				"Xamtrav",
				"Yggdrasil",
				"Zlib",
				"certutil",
				"certutil.exe",
				"cobeacon",
				"dfls",
				"lena",
				"nbtscan",
				"pivy",
				"poisonivy",
				"pwdump"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "a2b92056-9378-4749-926b-7e10c4500dac",
			"created_at": "2023-01-06T13:46:38.430595Z",
			"updated_at": "2026-04-10T02:00:02.971571Z",
			"deleted_at": null,
			"main_name": "Lazarus Group",
			"aliases": [
				"Operation DarkSeoul",
				"Bureau 121",
				"Group 77",
				"APT38",
				"NICKEL GLADSTONE",
				"G0082",
				"COPERNICIUM",
				"Moonstone Sleet",
				"Operation GhostSecret",
				"APT 38",
				"Appleworm",
				"Unit 121",
				"ATK3",
				"G0032",
				"ATK117",
				"NewRomanic Cyber Army Team",
				"Nickel Academy",
				"Sapphire Sleet",
				"Lazarus group",
				"Hastati Group",
				"Subgroup: Bluenoroff",
				"Operation Troy",
				"Black Artemis",
				"Dark Seoul",
				"Andariel",
				"Labyrinth Chollima",
				"Operation AppleJeus",
				"COVELLITE",
				"Citrine Sleet",
				"DEV-0139",
				"DEV-1222",
				"Hidden Cobra",
				"Bluenoroff",
				"Stardust Chollima",
				"Whois Hacking Team",
				"Diamond Sleet",
				"TA404",
				"BeagleBoyz",
				"APT-C-26"
			],
			"source_name": "MISPGALAXY:Lazarus Group",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "32a223a8-3c79-4146-87c5-8557d38662ae",
			"created_at": "2022-10-25T15:50:23.703698Z",
			"updated_at": "2026-04-10T02:00:05.261989Z",
			"deleted_at": null,
			"main_name": "Lazarus Group",
			"aliases": [
				"Lazarus Group",
				"Labyrinth Chollima",
				"HIDDEN COBRA",
				"Guardians of Peace",
				"NICKEL ACADEMY",
				"Diamond Sleet"
			],
			"source_name": "MITRE:Lazarus Group",
			"tools": [
				"RawDisk",
				"Proxysvc",
				"BADCALL",
				"FALLCHILL",
				"WannaCry",
				"MagicRAT",
				"HOPLIGHT",
				"TYPEFRAME",
				"Dtrack",
				"HotCroissant",
				"HARDRAIN",
				"Dacls",
				"KEYMARBLE",
				"TAINTEDSCRIBE",
				"AuditCred",
				"netsh",
				"ECCENTRICBANDWAGON",
				"AppleJeus",
				"BLINDINGCAN",
				"ThreatNeedle",
				"Volgmer",
				"Cryptoistic",
				"RATANKBA",
				"Bankshot"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "f32df445-9fb4-4234-99e0-3561f6498e4e",
			"created_at": "2022-10-25T16:07:23.756373Z",
			"updated_at": "2026-04-10T02:00:04.739611Z",
			"deleted_at": null,
			"main_name": "Lazarus Group",
			"aliases": [
				"APT-C-26",
				"ATK 3",
				"Appleworm",
				"Citrine Sleet",
				"DEV-0139",
				"Diamond Sleet",
				"G0032",
				"Gleaming Pisces",
				"Gods Apostles",
				"Gods Disciples",
				"Group 77",
				"Guardians of Peace",
				"Hastati Group",
				"Hidden Cobra",
				"ITG03",
				"Jade Sleet",
				"Labyrinth Chollima",
				"Lazarus Group",
				"NewRomanic Cyber Army Team",
				"Operation 99",
				"Operation AppleJeus",
				"Operation AppleJeus sequel",
				"Operation Blockbuster: Breach of Sony Pictures Entertainment",
				"Operation CryptoCore",
				"Operation Dream Job",
				"Operation Dream Magic",
				"Operation Flame",
				"Operation GhostSecret",
				"Operation In(ter)caption",
				"Operation LolZarus",
				"Operation Marstech Mayhem",
				"Operation No Pineapple!",
				"Operation North Star",
				"Operation Phantom Circuit",
				"Operation Sharpshooter",
				"Operation SyncHole",
				"Operation Ten Days of Rain / DarkSeoul",
				"Operation Troy",
				"SectorA01",
				"Slow Pisces",
				"TA404",
				"TraderTraitor",
				"UNC2970",
				"UNC4034",
				"UNC4736",
				"UNC4899",
				"UNC577",
				"Whois Hacking Team"
			],
			"source_name": "ETDA:Lazarus Group",
			"tools": [
				"3CX Backdoor",
				"3Rat Client",
				"3proxy",
				"AIRDRY",
				"ARTFULPIE",
				"ATMDtrack",
				"AlphaNC",
				"Alreay",
				"Andaratm",
				"AngryRebel",
				"AppleJeus",
				"Aryan",
				"AuditCred",
				"BADCALL",
				"BISTROMATH",
				"BLINDINGCAN",
				"BTC Changer",
				"BUFFETLINE",
				"BanSwift",
				"Bankshot",
				"Bitrep",
				"Bitsran",
				"BlindToad",
				"Bookcode",
				"BootWreck",
				"BottomLoader",
				"Brambul",
				"BravoNC",
				"Breut",
				"COLDCAT",
				"COPPERHEDGE",
				"CROWDEDFLOUNDER",
				"Castov",
				"CheeseTray",
				"CleanToad",
				"ClientTraficForwarder",
				"CollectionRAT",
				"Concealment Troy",
				"Contopee",
				"CookieTime",
				"Cyruslish",
				"DAVESHELL",
				"DBLL Dropper",
				"DLRAT",
				"DRATzarus",
				"DRATzarus RAT",
				"Dacls",
				"Dacls RAT",
				"DarkComet",
				"DarkKomet",
				"DeltaCharlie",
				"DeltaNC",
				"Dembr",
				"Destover",
				"DoublePulsar",
				"Dozer",
				"Dtrack",
				"Duuzer",
				"DyePack",
				"ECCENTRICBANDWAGON",
				"ELECTRICFISH",
				"Escad",
				"EternalBlue",
				"FALLCHILL",
				"FYNLOS",
				"FallChill RAT",
				"Farfli",
				"Fimlis",
				"FoggyBrass",
				"FudModule",
				"Fynloski",
				"Gh0st RAT",
				"Ghost RAT",
				"Gopuram",
				"HARDRAIN",
				"HIDDEN COBRA RAT/Worm",
				"HLOADER",
				"HOOKSHOT",
				"HOPLIGHT",
				"HOTCROISSANT",
				"HOTWAX",
				"HTTP Troy",
				"Hawup",
				"Hawup RAT",
				"Hermes",
				"HotCroissant",
				"HotelAlfa",
				"Hotwax",
				"HtDnDownLoader",
				"Http Dr0pper",
				"ICONICSTEALER",
				"Joanap",
				"Jokra",
				"KANDYKORN",
				"KEYMARBLE",
				"Kaos",
				"KillDisk",
				"KillMBR",
				"Koredos",
				"Krademok",
				"LIGHTSHIFT",
				"LIGHTSHOW",
				"LOLBAS",
				"LOLBins",
				"Lazarus",
				"LightlessCan",
				"Living off the Land",
				"MATA",
				"MBRkiller",
				"MagicRAT",
				"Manuscrypt",
				"Mimail",
				"Mimikatz",
				"Moudour",
				"Mydoom",
				"Mydoor",
				"Mytob",
				"NACHOCHEESE",
				"NachoCheese",
				"NestEgg",
				"NickelLoader",
				"NineRAT",
				"Novarg",
				"NukeSped",
				"OpBlockBuster",
				"PCRat",
				"PEBBLEDASH",
				"PLANKWALK",
				"POOLRAT",
				"PSLogger",
				"PhanDoor",
				"Plink",
				"PondRAT",
				"PowerBrace",
				"PowerRatankba",
				"PowerShell RAT",
				"PowerSpritz",
				"PowerTask",
				"Preft",
				"ProcDump",
				"Proxysvc",
				"PuTTY Link",
				"QUICKRIDE",
				"QUICKRIDE.POWER",
				"Quickcafe",
				"QuiteRAT",
				"R-C1",
				"ROptimizer",
				"Ratabanka",
				"RatabankaPOS",
				"Ratankba",
				"RatankbaPOS",
				"RawDisk",
				"RedShawl",
				"Rifdoor",
				"Rising Sun",
				"Romeo-CoreOne",
				"RomeoAlfa",
				"RomeoBravo",
				"RomeoCharlie",
				"RomeoCore",
				"RomeoDelta",
				"RomeoEcho",
				"RomeoFoxtrot",
				"RomeoGolf",
				"RomeoHotel",
				"RomeoMike",
				"RomeoNovember",
				"RomeoWhiskey",
				"Romeos",
				"RustBucket",
				"SHADYCAT",
				"SHARPKNOT",
				"SIGFLIP",
				"SIMPLESEA",
				"SLICKSHOES",
				"SORRYBRUTE",
				"SUDDENICON",
				"SUGARLOADER",
				"SheepRAT",
				"SierraAlfa",
				"SierraBravo",
				"SierraCharlie",
				"SierraJuliett-MikeOne",
				"SierraJuliett-MikeTwo",
				"SimpleTea",
				"SimplexTea",
				"SmallTiger",
				"Stunnel",
				"TAINTEDSCRIBE",
				"TAXHAUL",
				"TFlower",
				"TOUCHKEY",
				"TOUCHMOVE",
				"TOUCHSHIFT",
				"TOUCHSHOT",
				"TWOPENCE",
				"TYPEFRAME",
				"Tdrop",
				"Tdrop2",
				"ThreatNeedle",
				"Tiger RAT",
				"TigerRAT",
				"Trojan Manuscript",
				"Troy",
				"TroyRAT",
				"VEILEDSIGNAL",
				"VHD",
				"VHD Ransomware",
				"VIVACIOUSGIFT",
				"VSingle",
				"ValeforBeta",
				"Volgmer",
				"Vyveva",
				"W1_RAT",
				"Wana Decrypt0r",
				"WanaCry",
				"WanaCrypt",
				"WanaCrypt0r",
				"WannaCry",
				"WannaCrypt",
				"WannaCryptor",
				"WbBot",
				"Wcry",
				"Win32/KillDisk.NBB",
				"Win32/KillDisk.NBC",
				"Win32/KillDisk.NBD",
				"Win32/KillDisk.NBH",
				"Win32/KillDisk.NBI",
				"WinorDLL64",
				"Winsec",
				"WolfRAT",
				"Wormhole",
				"YamaBot",
				"Yort",
				"ZetaNile",
				"concealment_troy",
				"http_troy",
				"httpdr0pper",
				"httpdropper",
				"klovbot",
				"sRDI"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434403,
	"ts_updated_at": 1775826709,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/4bd0086572a16e8d607480221b5daa24dce24bc3.pdf",
		"text": "https://archive.orkl.eu/4bd0086572a16e8d607480221b5daa24dce24bc3.txt",
		"img": "https://archive.orkl.eu/4bd0086572a16e8d607480221b5daa24dce24bc3.jpg"
	}
}