{
	"id": "435e2d26-daa0-4786-ac91-ce7152edb5a3",
	"created_at": "2026-04-06T00:22:33.476379Z",
	"updated_at": "2026-04-10T03:38:19.387301Z",
	"deleted_at": null,
	"sha1_hash": "61441439fbdfa37eafd90ced35fbe9acd58b2b4e",
	"title": "Andariel’s “Jupiter” malware and the case of the curious C2",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 691904,
	"plain_text": "Andariel’s “Jupiter” malware and the case of the curious C2\r\nBy DCSO CyTec Blog\r\nPublished: 2023-05-16 · Archived: 2026-04-05 13:48:09 UTC\r\nImage of code from malware\r\nSince 2020 DCSO has been monitoring a publicly undocumented malware family attributed to the Andariel group,\r\na subgroup of the infamous North Korean Lazarus Group. The malware family has remained largely unchanged\r\nover the years and has only made a few appearances.\r\nIn early 2023, however, one such appearance seemed particularly noteworthy, as the configured Command \u0026\r\nControl suggests that the attackers have managed to compromise the web presence of the National Institute of\r\nVirology in India and possibly used it to control computers infected with the malware family.\r\nIn this blog post, we document the malware and discuss how this finding fits the attacker profile.\r\nBlog authored by Johann Aydinbas, Emilia Neuber, Kritika Roy, Axel Wauer, Jiro Minier and colleagues.\r\nBasic case information\r\nIn 2020, DCSO first came across an unknown malware family uploaded to VirusTotal. During our analysis we\r\ndiscovered that we weren’t the first to notice — we believe it to belong to the malware family dubbed “Jupiter” by\r\nBAE Systems and attributed to the Andariel group.\r\nInterestingly, the malware is written in PureBasic, a programming language that’s rarely used in malware creation\r\n(however, exceptions do exist). While the choice of programming language is rather exotic, the malware itself\r\nonly offers basic download and shell command execution capabilities.\r\nhttps://medium.com/@DCSO_CyTec/andariels-jupiter-malware-and-the-case-of-the-curious-c2-dbfe29f57499\r\nPage 1 of 7\n\nWe then added custom rules for this family to our monitoring. 
Around a year later the rule produced another hit\r\n(the “OSPREY sample”, named after its code signature by “OSPREY VIDEO, INC.”) which we could attribute to a\r\ntargeted attack attempt against a German medical/pharma company.\r\nCode signing of the “OSPREY sample”\r\nThe malware family then disappeared from our radar, producing no hits in all of 2022. In the beginning of\r\nFebruary 2023, however, it resurfaced in CISA’s AA23–040A alert (the “CISA sample”), hidden away in the IoCs\r\nrelated to the H0lygh0st ransomware, which is assessed to be of DPRK origin.\r\nThe “CISA sample” found in the IoCs of CISA’s AA23–040A alert\r\nAnalysis of the “CISA sample” revealed it to be likely older, with timestamps dating it to 2021, the same year\r\nas the “OSPREY sample”. Then, a few weeks later, our monitoring finally detected another sample, and this time it\r\nappeared to be a fresh catch too, with timestamps indicating a compile time in mid-January 2023.\r\nThe new sample, functionally unchanged, contained a very interesting Command \u0026 Control server, suggesting\r\nthat the threat actors behind it might have managed to compromise the web server of the National Institute of\r\nVirology of India, or NIV in short, a designated BSL-4 research center authorized to test highly contagious viruses\r\nimpacting humans.\r\nSample recorded trying to fetch commands on VirusTotal\r\nAt the time of finding the sample, we were unable to receive actual commands from the configured C2, so it\r\nremains inconclusive whether the compromise took place. 
However, the configured path does closely resemble another\r\npath that we believe was used by the real web page at some point — further indicating that a compromise took\r\nplace and that the path was intentionally chosen to blend in:\r\nResource path indexed by Google, note the additional “s” in “scientifics”\r\nFor similar attacks it is also documented that commands are closely guarded and only issued to requests coming\r\nfrom expected source IPs, typically returning 404 for anyone else in order to keep a low profile.\r\nBackground\r\nSo while we do not have definite proof of a compromise, DPRK actors targeting the NIV (either as the intended\r\ntarget or in order to attack other targets in the general nexus of the NIV, such as other medical companies) would\r\nfit the attacker profile very well.\r\nDPRK actors and India\r\nDPRK actors targeting India is not new either. North Korea-linked threat actors have continued to target public\r\nand private sectors in India with a broad-based victimology that has previously included a space agency, a nuclear power plant, as\r\nwell as the energy sector and medical research. Campaigns against strategically sensitive targets have\r\nmostly been motivated by the need to siphon off sensitive information.\r\nThe healthcare and medical research sector has been continuously targeted by DPRK threat actors, with a\r\nsignificantly increased tempo during the COVID-19 pandemic. In 2020, suspected North Korean hackers tried to\r\nbreak into various healthcare companies, likely for intelligence gathering and espionage purposes, including\r\nOxford’s AstraZeneca. Additionally, Microsoft reported that North Korean ZINC and Cerium have taken aim at\r\nmultiple healthcare entities, including vaccine makers and COVID test developers. 
Furthermore, South Korean\r\nintelligence suspected that North Korea attempted to steal the COVID-19 vaccine from Pfizer in February 2021.\r\nThe DPRK and COVID-19\r\nThe outbreak of the COVID-19 pandemic isolated the “hermit state” even further from the international\r\ncommunity. Following the rapid spread of COVID-19 infections in China, North Korea shut down all cross-border exchanges in January 2020, a measure that has largely been maintained ever since. In August 2022, Kim Jong-un\r\nannounced that COVID-19 had been eradicated. (According to state media reporting, only 74 people died between the\r\nfirst publicly disclosed case in April and August 2022.) However, Pyongyang again saw a rising number of\r\n“respiratory illness” cases in January 2023, leading to a 5-day lockdown in the capital and indicating that North Korea still\r\ncontinues to struggle with COVID-19 infections.\r\nSo far, Pyongyang has repeatedly turned down international offers of vaccines such as Russia’s Sputnik V in\r\nApril 2021, offers by South Korea in May 2021, and three million doses of Chinese SINOVAC vaccines as part of\r\nthe United Nations-backed COVAX initiative in September 2021. One year later, in September 2022, North Korea\r\nstarted its first vaccination campaign in border cities to China and Russia. Media reporting claimed they had\r\nreceived doses from China, probably SINOVAC, alongside other medical supplies to ensure an adequate health\r\ncare provision.\r\nCountry-wide distribution of a vaccine poses a bigger challenge, though. mRNA vaccines like Pfizer’s and Moderna’s\r\nrequire ultra-cold temperatures, but the country’s existing cold chain distribution system is only designed for 2°C\r\nto 8°C. With the refusal of SINOVAC, Sputnik V and AstraZeneca, the state might thus be looking for\r\nalternatives. 
As such, the Indian vaccine COVAXIN may be of special interest, as COVAXIN is relatively easy to\r\nstore, making it particularly attractive to lower and middle-income countries like North Korea.\r\nThe DPRK’s present COVID situation and the country’s vaccine supply constraints, as well as previous patterns,\r\nprovide strong motive for targeting the NIV as a leading health research center with a focus on COVID. The NIV\r\nhas played a crucial role in India’s fight against COVID-19, for example as a forerunner in the areas of vaccine\r\ndevelopment, genome sequencing and testing supplies. The NIV has also been recognized by the WHO as “a\r\ncollaborating centre for emerging and re-emerging infectious diseases.”\r\nTechnical Details\r\nInvestigating the Command \u0026 Control\r\nThe Command \u0026 Control projectcell.niv[.]co.in resolves to 173.249.33[.]80, which is allocated to\r\nGerman mass-hosting provider Contabo GmbH. No other FQDNs have been seen on this IP address thus far.\r\nniv[.]co.in, however, resolves to 173.249.44.87, also allocated to Contabo GmbH, and appears to be used as\r\na mass-hosting web server by an Indian marketing and web development company, I Knowledge Factory (IKF).\r\nPerhaps unsurprisingly, a variety of legitimate domains resolve to it, all seemingly belonging to legitimate Indian\r\nentities. 
An IKF mail server is also used (through a CNAME) as an MX record for niv[.]co.in.\r\nIt remains unclear at the time of writing why IKF chose to host at least some of their customers’ infrastructure in\r\nGermany, far away (in both geographic and network terms) from their (presumed) main audience in and around\r\nIndia.\r\nFurther, IKF’s nameserver setup struck us as odd: the primary nameserver serving niv[.]co.in and others,\r\nns.iknowledgefactory.com, resolves to 103.73.189.76 — allocated to Evoke Digital Solutions in India — while\r\nhaving its PTR DNS record set to email.lkf.in. This domain (note the visual similarity of “l” and “i”), however, is\r\ncurrently available for sale and does not seem to be under the control of IKF anymore.\r\nAccording to niv[.]co.in’s SPF policy, any IP address projectcell.niv[.]co.in resolves to is explicitly\r\npermitted to send e-mails for this domain. This includes 173.249.33[.]80, which DCSO assesses as likely being\r\nunder the control of Andariel.\r\nLastly, it has to be noted that the official website of the National Institute of Virology is niv.icmr.org.in, a fact\r\nalso advertised on niv[.]co.in — which appears to have been abandoned by NIV or IKF from October\r\n2022 onwards. Rather than letting previously used domains become orphaned or even expire, it is crucial to set up proper redirects to\r\nthe new primary domain and to ensure the respective organization maintains control over its entire domain set at all times.\r\nMalware analysis\r\nThe malware itself is a basic loader. 
It can download files, execute shell commands and send back the console\r\noutput.\r\nCommunication happens via HTTP, which is manually implemented using socket functions; as such, the malware is not\r\ncapable of communicating with HTTPS servers.\r\nThe client transfers data via POST requests, in which the data fields are encrypted using a simple rotating xor +\r\nbase64.\r\nExample request\r\nWe’ve identified the following fields:\r\nid= Xor key\r\npage= Status code (not encrypted)\r\nquery= Basic client info\r\nrep0= Shell command output\r\nThe query field contains basic client info, such as:\r\n10.0.0.1|DESKTOP-BI961TX|batman|110|64\r\nwhere the first field is a collection of local IP addresses, followed by the computer name, username, Windows\r\nversion and bitness of the system.\r\nThe server then responds either with HTTP 504, which signals the bot to stop running, or HTTP 500, which may\r\ncontain a command and/or download payload in the HTTP body.\r\nIn case of HTTP 500 (shell command and/or download task) the HTTP body adheres to the following format:\r\n[10 bytes unused]\r\n[8 bytes check string]\r\n[8 bytes xor key]\r\n[1 byte shell command length]\r\n[* shell command]\r\n[1 byte download target path length]\r\n[* download target path]\r\n[* download payload]\r\nAll fields following the xor key are encrypted with it using a simple rolling xor scheme.\r\nThe check string appears to be a magic 8-byte value the client verifies with a simple algorithm, which is satisfied\r\nby the following magic bytes:\r\n0b 15 1f 29 33 3d 47 51\r\nExample code of the check algorithm in Python:\r\nfor i in range(8):\r\n    assert check_string[i] == (i + 1) * 10 + 1\r\nBased on this, we’ve created 
a Suricata rule which we’re distributing as part of the IoCs.\r\nIf a download target path is specified in the response, the malware will write the payload to the specified path and\r\ncopy Explorer.exe’s timestamps to it in order to disguise the file. In case the downloaded file is an EXE file, it\r\nwill also pad the executable with 40,000,000 (~40MB) random bytes on disk, likely to exceed some security\r\nsoftware’s file limits and/or to generate a unique hash for each downloaded binary.\r\nIf a shell command is specified, the malware will execute the shell command, capture the output and send the\r\ncontents back to the C2 using the rep0 POST request field.\r\nIoCs\r\nYou can also find the accompanying IoCs in the form of a MISP event on our GitHub.\r\nMutex\r\nP_FLY_H@CK\r\nSuricata\r\nalert http any any -\u003e [$HOME_NET] any (msg: \"DCSO MALWARE Andariel C2\"; flow:to_client; http.response\r\nSource: https://medium.com/@DCSO_CyTec/andariels-jupiter-malware-and-the-case-of-the-curious-c2-dbfe29f57499",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://medium.com/@DCSO_CyTec/andariels-jupiter-malware-and-the-case-of-the-curious-c2-dbfe29f57499"
	],
	"report_names": [
		"andariels-jupiter-malware-and-the-case-of-the-curious-c2-dbfe29f57499"
	],
	"threat_actors": [
		{
			"id": "838f6ced-12a4-4893-991a-36d231d96efd",
			"created_at": "2022-10-25T15:50:23.347455Z",
			"updated_at": "2026-04-10T02:00:05.295717Z",
			"deleted_at": null,
			"main_name": "Andariel",
			"aliases": [
				"Andariel",
				"Silent Chollima",
				"PLUTONIUM",
				"Onyx Sleet"
			],
			"source_name": "MITRE:Andariel",
			"tools": [
				"Rifdoor",
				"gh0st RAT"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "34eea331-d052-4096-ae03-a22f1d090bd4",
			"created_at": "2025-08-07T02:03:25.073494Z",
			"updated_at": "2026-04-10T02:00:03.709243Z",
			"deleted_at": null,
			"main_name": "NICKEL ACADEMY",
			"aliases": [
				"ATK3 ",
				"Black Artemis ",
				"COVELLITE ",
				"CTG-2460 ",
				"Citrine Sleet ",
				"Diamond Sleet ",
				"Guardians of Peace",
				"HIDDEN COBRA ",
				"High Anonymous",
				"Labyrinth Chollima ",
				"Lazarus Group ",
				"NNPT Group",
				"New Romanic Cyber Army Team",
				"Temp.Hermit ",
				"UNC577 ",
				"Who Am I?",
				"Whois Team",
				"ZINC "
			],
			"source_name": "Secureworks:NICKEL ACADEMY",
			"tools": [
				"Destover",
				"KorHigh",
				"Volgmer"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "110e7160-a8cc-4a66-8550-f19f7d418117",
			"created_at": "2023-01-06T13:46:38.427592Z",
			"updated_at": "2026-04-10T02:00:02.969896Z",
			"deleted_at": null,
			"main_name": "Silent Chollima",
			"aliases": [
				"Onyx Sleet",
				"PLUTONIUM",
				"OperationTroy",
				"Guardian of Peace",
				"GOP",
				"WHOis Team",
				"Andariel",
				"Subgroup: Andariel"
			],
			"source_name": "MISPGALAXY:Silent Chollima",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "74a1f6b1-6790-44eb-9e31-9bea8ea0192b",
			"created_at": "2024-02-02T02:00:04.04584Z",
			"updated_at": "2026-04-10T02:00:03.539136Z",
			"deleted_at": null,
			"main_name": "Ruby Sleet",
			"aliases": [
				"CERIUM"
			],
			"source_name": "MISPGALAXY:Ruby Sleet",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "40ec2da8-7156-4bff-b878-41984eb70df4",
			"created_at": "2024-02-02T02:00:04.080917Z",
			"updated_at": "2026-04-10T02:00:03.555365Z",
			"deleted_at": null,
			"main_name": "Storm-0530",
			"aliases": [
				"DEV-0530",
				"H0lyGh0st"
			],
			"source_name": "MISPGALAXY:Storm-0530",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "bc6e3644-3249-44f3-a277-354b7966dd1b",
			"created_at": "2022-10-25T16:07:23.760559Z",
			"updated_at": "2026-04-10T02:00:04.741239Z",
			"deleted_at": null,
			"main_name": "Andariel",
			"aliases": [
				"APT 45",
				"Andariel",
				"G0138",
				"Jumpy Pisces",
				"Onyx Sleet",
				"Operation BLACKMINE",
				"Operation BLACKSHEEP/Phase 3.",
				"Operation Blacksmith",
				"Operation DESERTWOLF/Phase 3",
				"Operation GHOSTRAT",
				"Operation GoldenAxe",
				"Operation INITROY/Phase 1",
				"Operation INITROY/Phase 2",
				"Operation Mayday",
				"Operation VANXATM",
				"Operation XEDA",
				"Plutonium",
				"Silent Chollima",
				"Stonefly"
			],
			"source_name": "ETDA:Andariel",
			"tools": [],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "732597b1-40a8-474c-88cc-eb8a421c29f1",
			"created_at": "2025-08-07T02:03:25.087732Z",
			"updated_at": "2026-04-10T02:00:03.776007Z",
			"deleted_at": null,
			"main_name": "NICKEL GLADSTONE",
			"aliases": [
				"APT38 ",
				"ATK 117 ",
				"Alluring Pisces ",
				"Black Alicanto ",
				"Bluenoroff ",
				"CTG-6459 ",
				"Citrine Sleet ",
				"HIDDEN COBRA ",
				"Lazarus Group",
				"Sapphire Sleet ",
				"Selective Pisces ",
				"Stardust Chollima ",
				"T-APT-15 ",
				"TA444 ",
				"TAG-71 "
			],
			"source_name": "Secureworks:NICKEL GLADSTONE",
			"tools": [
				"AlphaNC",
				"Bankshot",
				"CCGC_Proxy",
				"Ratankba",
				"RustBucket",
				"SUGARLOADER",
				"SwiftLoader",
				"Wcry"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "a2b92056-9378-4749-926b-7e10c4500dac",
			"created_at": "2023-01-06T13:46:38.430595Z",
			"updated_at": "2026-04-10T02:00:02.971571Z",
			"deleted_at": null,
			"main_name": "Lazarus Group",
			"aliases": [
				"Operation DarkSeoul",
				"Bureau 121",
				"Group 77",
				"APT38",
				"NICKEL GLADSTONE",
				"G0082",
				"COPERNICIUM",
				"Moonstone Sleet",
				"Operation GhostSecret",
				"APT 38",
				"Appleworm",
				"Unit 121",
				"ATK3",
				"G0032",
				"ATK117",
				"NewRomanic Cyber Army Team",
				"Nickel Academy",
				"Sapphire Sleet",
				"Lazarus group",
				"Hastati Group",
				"Subgroup: Bluenoroff",
				"Operation Troy",
				"Black Artemis",
				"Dark Seoul",
				"Andariel",
				"Labyrinth Chollima",
				"Operation AppleJeus",
				"COVELLITE",
				"Citrine Sleet",
				"DEV-0139",
				"DEV-1222",
				"Hidden Cobra",
				"Bluenoroff",
				"Stardust Chollima",
				"Whois Hacking Team",
				"Diamond Sleet",
				"TA404",
				"BeagleBoyz",
				"APT-C-26"
			],
			"source_name": "MISPGALAXY:Lazarus Group",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "771d9263-076e-4b6e-bd58-92b6555eb739",
			"created_at": "2025-08-07T02:03:25.092436Z",
			"updated_at": "2026-04-10T02:00:03.758541Z",
			"deleted_at": null,
			"main_name": "NICKEL HYATT",
			"aliases": [
				"APT45 ",
				"Andariel",
				"Dark Seoul",
				"Jumpy Pisces ",
				"Onyx Sleet ",
				"RIFLE Campaign",
				"Silent Chollima ",
				"Stonefly ",
				"UN614 "
			],
			"source_name": "Secureworks:NICKEL HYATT",
			"tools": [
				"ActiveX 0-day",
				"DTrack",
				"HazyLoad",
				"HotCriossant",
				"Rifle",
				"UnitBot",
				"Valefor"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "32a223a8-3c79-4146-87c5-8557d38662ae",
			"created_at": "2022-10-25T15:50:23.703698Z",
			"updated_at": "2026-04-10T02:00:05.261989Z",
			"deleted_at": null,
			"main_name": "Lazarus Group",
			"aliases": [
				"Lazarus Group",
				"Labyrinth Chollima",
				"HIDDEN COBRA",
				"Guardians of Peace",
				"NICKEL ACADEMY",
				"Diamond Sleet"
			],
			"source_name": "MITRE:Lazarus Group",
			"tools": [
				"RawDisk",
				"Proxysvc",
				"BADCALL",
				"FALLCHILL",
				"WannaCry",
				"MagicRAT",
				"HOPLIGHT",
				"TYPEFRAME",
				"Dtrack",
				"HotCroissant",
				"HARDRAIN",
				"Dacls",
				"KEYMARBLE",
				"TAINTEDSCRIBE",
				"AuditCred",
				"netsh",
				"ECCENTRICBANDWAGON",
				"AppleJeus",
				"BLINDINGCAN",
				"ThreatNeedle",
				"Volgmer",
				"Cryptoistic",
				"RATANKBA",
				"Bankshot"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "9b02c527-5077-489e-9a80-5d88947fddab",
			"created_at": "2022-10-25T16:07:24.103499Z",
			"updated_at": "2026-04-10T02:00:04.867181Z",
			"deleted_at": null,
			"main_name": "Reaper",
			"aliases": [
				"APT 37",
				"ATK 4",
				"Cerium",
				"Crooked Pisces",
				"G0067",
				"Geumseong121",
				"Group 123",
				"ITG10",
				"InkySquid",
				"Moldy Pisces",
				"Opal Sleet",
				"Operation Are You Happy?",
				"Operation Battle Cruiser",
				"Operation Black Banner",
				"Operation Daybreak",
				"Operation Dragon messenger",
				"Operation Erebus",
				"Operation Evil New Year",
				"Operation Evil New Year 2018",
				"Operation Fractured Block",
				"Operation Fractured Statue",
				"Operation FreeMilk",
				"Operation Golden Bird",
				"Operation Golden Time",
				"Operation High Expert",
				"Operation Holiday Wiper",
				"Operation Korean Sword",
				"Operation North Korean Human Right",
				"Operation Onezero",
				"Operation Rocket Man",
				"Operation SHROUDED#SLEEP",
				"Operation STARK#MULE",
				"Operation STIFF#BIZON",
				"Operation Spy Cloud",
				"Operation Star Cruiser",
				"Operation ToyBox Story",
				"Osmium",
				"Red Eyes",
				"Ricochet Chollima",
				"Ruby Sleet",
				"ScarCruft",
				"TA-RedAnt",
				"TEMP.Reaper",
				"Venus 121"
			],
			"source_name": "ETDA:Reaper",
			"tools": [
				"Agentemis",
				"BLUELIGHT",
				"Backdoor.APT.POORAIM",
				"CARROTBALL",
				"CARROTBAT",
				"CORALDECK",
				"Cobalt Strike",
				"CobaltStrike",
				"DOGCALL",
				"Erebus",
				"Exploit.APT.RICECURRY",
				"Final1stSpy",
				"Freenki Loader",
				"GELCAPSULE",
				"GOLDBACKDOOR",
				"GreezeBackdoor",
				"HAPPYWORK",
				"JinhoSpy",
				"KARAE",
				"KevDroid",
				"Konni",
				"MILKDROP",
				"N1stAgent",
				"NavRAT",
				"Nokki",
				"Oceansalt",
				"POORAIM",
				"PoohMilk",
				"PoohMilk Loader",
				"RICECURRY",
				"RUHAPPY",
				"RokRAT",
				"SHUTTERSPEED",
				"SLOWDRIFT",
				"SOUNDWAVE",
				"SYSCON",
				"Sanny",
				"ScarCruft",
				"StarCruft",
				"Syscon",
				"VeilShell",
				"WINERACK",
				"ZUMKONG",
				"cobeacon"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "f32df445-9fb4-4234-99e0-3561f6498e4e",
			"created_at": "2022-10-25T16:07:23.756373Z",
			"updated_at": "2026-04-10T02:00:04.739611Z",
			"deleted_at": null,
			"main_name": "Lazarus Group",
			"aliases": [
				"APT-C-26",
				"ATK 3",
				"Appleworm",
				"Citrine Sleet",
				"DEV-0139",
				"Diamond Sleet",
				"G0032",
				"Gleaming Pisces",
				"Gods Apostles",
				"Gods Disciples",
				"Group 77",
				"Guardians of Peace",
				"Hastati Group",
				"Hidden Cobra",
				"ITG03",
				"Jade Sleet",
				"Labyrinth Chollima",
				"Lazarus Group",
				"NewRomanic Cyber Army Team",
				"Operation 99",
				"Operation AppleJeus",
				"Operation AppleJeus sequel",
				"Operation Blockbuster: Breach of Sony Pictures Entertainment",
				"Operation CryptoCore",
				"Operation Dream Job",
				"Operation Dream Magic",
				"Operation Flame",
				"Operation GhostSecret",
				"Operation In(ter)caption",
				"Operation LolZarus",
				"Operation Marstech Mayhem",
				"Operation No Pineapple!",
				"Operation North Star",
				"Operation Phantom Circuit",
				"Operation Sharpshooter",
				"Operation SyncHole",
				"Operation Ten Days of Rain / DarkSeoul",
				"Operation Troy",
				"SectorA01",
				"Slow Pisces",
				"TA404",
				"TraderTraitor",
				"UNC2970",
				"UNC4034",
				"UNC4736",
				"UNC4899",
				"UNC577",
				"Whois Hacking Team"
			],
			"source_name": "ETDA:Lazarus Group",
			"tools": [
				"3CX Backdoor",
				"3Rat Client",
				"3proxy",
				"AIRDRY",
				"ARTFULPIE",
				"ATMDtrack",
				"AlphaNC",
				"Alreay",
				"Andaratm",
				"AngryRebel",
				"AppleJeus",
				"Aryan",
				"AuditCred",
				"BADCALL",
				"BISTROMATH",
				"BLINDINGCAN",
				"BTC Changer",
				"BUFFETLINE",
				"BanSwift",
				"Bankshot",
				"Bitrep",
				"Bitsran",
				"BlindToad",
				"Bookcode",
				"BootWreck",
				"BottomLoader",
				"Brambul",
				"BravoNC",
				"Breut",
				"COLDCAT",
				"COPPERHEDGE",
				"CROWDEDFLOUNDER",
				"Castov",
				"CheeseTray",
				"CleanToad",
				"ClientTraficForwarder",
				"CollectionRAT",
				"Concealment Troy",
				"Contopee",
				"CookieTime",
				"Cyruslish",
				"DAVESHELL",
				"DBLL Dropper",
				"DLRAT",
				"DRATzarus",
				"DRATzarus RAT",
				"Dacls",
				"Dacls RAT",
				"DarkComet",
				"DarkKomet",
				"DeltaCharlie",
				"DeltaNC",
				"Dembr",
				"Destover",
				"DoublePulsar",
				"Dozer",
				"Dtrack",
				"Duuzer",
				"DyePack",
				"ECCENTRICBANDWAGON",
				"ELECTRICFISH",
				"Escad",
				"EternalBlue",
				"FALLCHILL",
				"FYNLOS",
				"FallChill RAT",
				"Farfli",
				"Fimlis",
				"FoggyBrass",
				"FudModule",
				"Fynloski",
				"Gh0st RAT",
				"Ghost RAT",
				"Gopuram",
				"HARDRAIN",
				"HIDDEN COBRA RAT/Worm",
				"HLOADER",
				"HOOKSHOT",
				"HOPLIGHT",
				"HOTCROISSANT",
				"HOTWAX",
				"HTTP Troy",
				"Hawup",
				"Hawup RAT",
				"Hermes",
				"HotCroissant",
				"HotelAlfa",
				"Hotwax",
				"HtDnDownLoader",
				"Http Dr0pper",
				"ICONICSTEALER",
				"Joanap",
				"Jokra",
				"KANDYKORN",
				"KEYMARBLE",
				"Kaos",
				"KillDisk",
				"KillMBR",
				"Koredos",
				"Krademok",
				"LIGHTSHIFT",
				"LIGHTSHOW",
				"LOLBAS",
				"LOLBins",
				"Lazarus",
				"LightlessCan",
				"Living off the Land",
				"MATA",
				"MBRkiller",
				"MagicRAT",
				"Manuscrypt",
				"Mimail",
				"Mimikatz",
				"Moudour",
				"Mydoom",
				"Mydoor",
				"Mytob",
				"NACHOCHEESE",
				"NachoCheese",
				"NestEgg",
				"NickelLoader",
				"NineRAT",
				"Novarg",
				"NukeSped",
				"OpBlockBuster",
				"PCRat",
				"PEBBLEDASH",
				"PLANKWALK",
				"POOLRAT",
				"PSLogger",
				"PhanDoor",
				"Plink",
				"PondRAT",
				"PowerBrace",
				"PowerRatankba",
				"PowerShell RAT",
				"PowerSpritz",
				"PowerTask",
				"Preft",
				"ProcDump",
				"Proxysvc",
				"PuTTY Link",
				"QUICKRIDE",
				"QUICKRIDE.POWER",
				"Quickcafe",
				"QuiteRAT",
				"R-C1",
				"ROptimizer",
				"Ratabanka",
				"RatabankaPOS",
				"Ratankba",
				"RatankbaPOS",
				"RawDisk",
				"RedShawl",
				"Rifdoor",
				"Rising Sun",
				"Romeo-CoreOne",
				"RomeoAlfa",
				"RomeoBravo",
				"RomeoCharlie",
				"RomeoCore",
				"RomeoDelta",
				"RomeoEcho",
				"RomeoFoxtrot",
				"RomeoGolf",
				"RomeoHotel",
				"RomeoMike",
				"RomeoNovember",
				"RomeoWhiskey",
				"Romeos",
				"RustBucket",
				"SHADYCAT",
				"SHARPKNOT",
				"SIGFLIP",
				"SIMPLESEA",
				"SLICKSHOES",
				"SORRYBRUTE",
				"SUDDENICON",
				"SUGARLOADER",
				"SheepRAT",
				"SierraAlfa",
				"SierraBravo",
				"SierraCharlie",
				"SierraJuliett-MikeOne",
				"SierraJuliett-MikeTwo",
				"SimpleTea",
				"SimplexTea",
				"SmallTiger",
				"Stunnel",
				"TAINTEDSCRIBE",
				"TAXHAUL",
				"TFlower",
				"TOUCHKEY",
				"TOUCHMOVE",
				"TOUCHSHIFT",
				"TOUCHSHOT",
				"TWOPENCE",
				"TYPEFRAME",
				"Tdrop",
				"Tdrop2",
				"ThreatNeedle",
				"Tiger RAT",
				"TigerRAT",
				"Trojan Manuscript",
				"Troy",
				"TroyRAT",
				"VEILEDSIGNAL",
				"VHD",
				"VHD Ransomware",
				"VIVACIOUSGIFT",
				"VSingle",
				"ValeforBeta",
				"Volgmer",
				"Vyveva",
				"W1_RAT",
				"Wana Decrypt0r",
				"WanaCry",
				"WanaCrypt",
				"WanaCrypt0r",
				"WannaCry",
				"WannaCrypt",
				"WannaCryptor",
				"WbBot",
				"Wcry",
				"Win32/KillDisk.NBB",
				"Win32/KillDisk.NBC",
				"Win32/KillDisk.NBD",
				"Win32/KillDisk.NBH",
				"Win32/KillDisk.NBI",
				"WinorDLL64",
				"Winsec",
				"WolfRAT",
				"Wormhole",
				"YamaBot",
				"Yort",
				"ZetaNile",
				"concealment_troy",
				"http_troy",
				"httpdr0pper",
				"httpdropper",
				"klovbot",
				"sRDI"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434953,
	"ts_updated_at": 1775792299,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/61441439fbdfa37eafd90ced35fbe9acd58b2b4e.pdf",
		"text": "https://archive.orkl.eu/61441439fbdfa37eafd90ced35fbe9acd58b2b4e.txt",
		"img": "https://archive.orkl.eu/61441439fbdfa37eafd90ced35fbe9acd58b2b4e.jpg"
	}
}