{
	"id": "bf469bb1-6dd5-48b3-b4ec-8e191a1da11c",
	"created_at": "2026-04-06T00:07:27.866752Z",
	"updated_at": "2026-04-10T03:21:13.530435Z",
	"deleted_at": null,
	"sha1_hash": "5bb400ec06abf2c9fd08c35ca0828c5d489a21ec",
	"title": "LightlessCan (Malware Family)",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 29928,
	"plain_text": "LightlessCan (Malware Family)\r\nBy Fraunhofer FKIE\r\nArchived: 2026-04-05 21:28:13 UTC\r\nLightlessCan is a complex HTTP(S) RAT, that is a successor of the Lazarus RAT named BlindingCan.\r\nIn Q2 2022 and Q1 2023, it was deployed in targeted attacks against an aerospace company in Spain and a\r\ntechnology company in India.\r\nBesides the support for commands already present in BlindingCan, its most significant update is mimicked\r\nfunctionality of many native Windows commands:\r\n• ipconfig\r\n• net\r\n• netsh advfirewall firewall\r\n• netstat\r\n• reg\r\n• sc\r\n• ping (for both IPv4 and IPv6 protocols)\r\n• wmic process call create\r\n• nslookup\r\n• schstasks\r\n• systeminfo\r\n• arp\r\nThese native commands are often abused by the attackers after they have gotten a foothold in the target’s system.\r\nLightless is able to execute them discreetly within the RAT itself, rather than being executed visibly in the system\r\nconsole. This provides stealthiness, both in evading real-time monitoring solutions like EDRs, and postmortem\r\ndigital forensic tools.\r\nLightlessCan use RC6 for decryption of its configuration, and also for encryption and decryption of network\r\ntraffic.\r\n[TLP:WHITE] win_lightlesscan_auto (20251219 | Detects win.lightlesscan.)\r\nSource: https://malpedia.caad.fkie.fraunhofer.de/details/win.lightlesscan\r\nhttps://malpedia.caad.fkie.fraunhofer.de/details/win.lightlesscan\r\nPage 1 of 1",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"references": [
		"https://malpedia.caad.fkie.fraunhofer.de/details/win.lightlesscan"
	],
	"report_names": [
		"win.lightlesscan"
	],
	"threat_actors": [],
	"ts_created_at": 1775434047,
	"ts_updated_at": 1775791273,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/5bb400ec06abf2c9fd08c35ca0828c5d489a21ec.pdf",
		"text": "https://archive.orkl.eu/5bb400ec06abf2c9fd08c35ca0828c5d489a21ec.txt",
		"img": "https://archive.orkl.eu/5bb400ec06abf2c9fd08c35ca0828c5d489a21ec.jpg"
	}
}