{
	"id": "607292c7-7348-48da-a6e8-ef3b790be757",
	"created_at": "2026-04-06T00:16:28.78029Z",
	"updated_at": "2026-04-10T03:38:19.624062Z",
	"deleted_at": null,
	"sha1_hash": "63f76d448d4a2755c314a7bc50dba79c7ae0fad0",
	"title": "Lazarus APT Group (APT38) - Brandefense",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 73852,
	"plain_text": "Lazarus APT Group (APT38) - Brandefense\r\nPublished: 2022-08-15 · Archived: 2026-04-05 17:55:32 UTC\r\nThis post analyzes findings on the Lazarus APT group for readers who work in information technology departments, are part of a cyber security team, or have expertise in roles such as security research and system administration. The following topics are included and shared:\r\nGroup’s Mission and Vision\r\nGroup’s Country of Origin and Known Aliases\r\nTargeted Countries and Industries\r\nActivities/Operations/Cyber Attacks by Year (Historical Background)\r\nCyber Attack Lifecycles and MITRE ATT\u0026CK TTPs\r\nGroup’s Toolset and Related Malware\r\nIndicators of Compromise\r\nYARA and Sigma Rules\r\nRecommendations/Mitigations\r\nGroup’s Mission and Vision\r\nIn general, the motivations of APT groups are mostly ideological, and the groups are state-supported. The Lazarus Group has strong links to North Korea. The United States Federal Bureau of Investigation says that the Lazarus Group is a North Korean “state-sponsored hacking organization”.\r\nThe known main goals of this group:\r\nExtortion of Money\r\nInformation Theft\r\nSabotage\r\nEspionage\r\nGroup’s Country of Origin and Known Aliases (Names)\r\nLazarus Group is one of the most sophisticated North Korean APTs and has been active since 2009. It is also known by other monikers such as Guardians of Peace or Whois Team. The name HIDDEN COBRA is generally used by the United States intelligence community to refer to the malicious cyber activities of the North Korean government. 
Also, the name Zinc is used by Microsoft.\r\nLazarus’s Aliases:\r\nAndariel,\r\nhttps://brandefense.io/blog/apt-groups/lazarus-apt-group-apt38/\r\nPage 1 of 6\r\nAppleworm,\r\nAPT-C-26,\r\nAPT38,\r\nBluenoroff,\r\nBureau 121,\r\nCOVELLITE,\r\nDark Seoul,\r\nGOP,\r\nGroup 77,\r\nGuardian of Peace,\r\nHastati Group,\r\nHIDDEN COBRA,\r\nLabyrinth Chollima,\r\nLazarus,\r\nNewRomanic Cyber Army Team,\r\nNICKEL ACADEMY,\r\nOperation AppleJeus,\r\nOperation DarkSeoul,\r\nOperation GhostSecret,\r\nOperation Troy,\r\nSilent Chollima,\r\nSubgroup: Andariel,\r\nSubgroup: Bluenoroff,\r\nUnit 121,\r\nWhois Hacking Team,\r\nWHOis Team,\r\nZINC\r\nTargeted Countries and Industries\r\nThe Lazarus APT Group targets:\r\nBanks,\r\nDefense Industries,\r\nSoftware Business,\r\nPharmaceutical Companies,\r\nCryptocurrency Platforms,\r\nManufacturing, and\r\nElectrical Industries.\r\nMalware known to belong to this group has been spotted in 18 countries worldwide. The countries are listed below:\r\nBrazil,\r\nChina,\r\nIndia,\r\nIndonesia,\r\nIran,\r\nIraq,\r\nMalaysia,\r\nMexico,\r\nPoland,\r\nRussia,\r\nSaudi Arabia,\r\nSouth Korea,\r\nTaiwan,\r\nThailand,\r\nTurkey,\r\nUSA,\r\nVietnam.\r\nOperations by Year (Historic Background)\r\nNorth Korean group definitions are known to have significant overlap, and some security researchers report all North Korean state-sponsored cyber activity under the name Lazarus Group instead of tracking clusters or subgroups.\r\n2009 – Operation Troy\r\nThis attack utilized the Mydoom and Dozer malware to launch a large-scale, but quite unsophisticated, DDoS attack against US and South Korean websites. The volley of attacks struck about three dozen websites and placed the text “Memory of Independence Day” in the master boot record (MBR).\r\n2014 – Sony Breach\r\nThe Lazarus Group attacks culminated on November 24, 2014. On that day, a Reddit post appeared stating that Sony Pictures had been hacked via unknown means; the perpetrators identified themselves as the “Guardians of Peace.” Large amounts of data were stolen and slowly leaked in the days following the attack. An interview with someone claiming to be part of the group stated that they had been stealing Sony’s data for over a year. The hackers were able to access previously unreleased films, emails, and personal information about 4,000 employees.\r\n2016 – Bangladesh Bank Heist\r\nThe Bangladesh Bank cyber heist was a theft that took place in February 2016. Thirty-five fraudulent instructions were issued by security hackers via the SWIFT network to illegally transfer nearly $1B from the Federal Reserve Bank of New York account belonging to Bangladesh Bank. Five of the thirty-five fraudulent instructions were successful in transferring $101M, with $20M traced to Sri Lanka and $81M to the Philippines. The Federal Reserve Bank of New York blocked the remaining thirty transactions, amounting to $850M, due to suspicions raised by a misspelled instruction. Cybersecurity experts claimed that the North Korea-based Lazarus Group was behind the attack.\r\n2017 – WannaCry Ransomware Attack\r\nThe WannaCry attack was a massive ransomware cyber attack that, on the 12th of May, 2017, hit institutions across the globe ranging all the way from the NHS in Britain to Boeing and even to universities in China. The attack lasted 7 hours and 19 minutes. Europol estimates it affected nearly 200,000 computers in 150 countries, primarily affecting Russia, India, Ukraine, and Taiwan. This was one of the first attacks to spread via a cryptoworm.\r\nThe US Department of Justice and British authorities later attributed the WannaCry attack to the North Korean hackers of the Lazarus Group.\r\n2020 – Pharmaceutical Company Attacks\r\nDue to the ongoing COVID-19 pandemic, pharmaceutical companies became major targets for the Lazarus Group. Using spear-phishing techniques, Lazarus Group members posed as health officials and contacted pharmaceutical company employees with malicious links. It is thought that multiple major pharma organizations were targeted, but the only one that has been confirmed is the Anglo-Swedish AstraZeneca. According to a report by Reuters, a wide range of employees were targeted, including many involved in COVID-19 vaccine research.\r\n2022 – Crypto Stealer Malware Attack\r\nThe Lazarus Group targets cryptocurrency companies with trojanized Windows and macOS applications. These apps are used to steal private keys and to exploit security vulnerabilities in order to make fraudulent cryptocurrency transactions. Cyber security authorities linked Lazarus to the theft of $625M worth of Ethereum and USDC from Ronin. North Korean hackers have stolen at least $1.7B in cryptocurrency in the past few years.\r\nAlmost 200 malicious cryptocurrency apps related to these attacks were discovered on the Google Play Store. Most of these applications advertised themselves as mining services in order to entice users to download them.\r\nCyber Attack Lifecycle and TTPs\r\nWhen cyber threat actors strategize a way to infiltrate an organization’s network, they follow a series of stages that comprise the cyber attack lifecycle. Here is an example of the attack lifecycle of the Lazarus APT-related WannaCry ransomware attack:\r\nMITRE ATT\u0026CK is an open knowledge base of threat actors’ techniques, tactics, and procedures. It systematically categorizes the behavior of threat actors by observing the attacks that occur in the real world. MITRE ATT\u0026CK aims to assess the risks posed by the actions that threat actors can take against their targets and to make the necessary improvements and plans.\r\nThe following MITRE ATT\u0026CK Threat Matrix has been created to provide information on the techniques, tactics, and procedures used by Lazarus APT.\r\nFor more details about the group, see the MITRE ATT\u0026CK entry.\r\nGroup’s Toolset and Related Malware\r\nLazarus uses specialized toolsets to control its victims. The group tries to hide its activity and complicate malware detection and analysis. Lazarus’s infection process provides additional flexibility and anonymity throughout the cyber attacks. Here are some tools and related malware used by Lazarus APT:\r\nTools Used for Lateral Movement:\r\nAdFind: Command-line tool to collect information from Active Directory\r\nSMBMap: Tool to list accessible SMB shares and access their files\r\nResponder-Windows: Tool that spoofs LLMNR, NBT-NS, and WPAD responses to mislead clients\r\nMimikatz: Common tool for dumping in-memory credentials, a popular attack method\r\nTools Used for Stealing Sensitive Data:\r\nXenArmor Email Password Recovery Pro: Tool to extract credentials from email clients and services\r\nXenArmor Browser Password Recovery Pro: Tool to extract credentials from web browsers\r\nTools for Process Listing and Network Packet Capture:\r\nTightVNC Viewer: VNC client\r\nProcDump: Common Microsoft tool to get a process memory dump\r\ntcpdump: Packet capturing tool\r\nRelated Malware:\r\nAppleJeus\r\nBADCALL\r\nBankshot\r\nBLINDINGCAN\r\nCryptoistic\r\nDtrack\r\nKEYMARBLE\r\nKiloAlfa\r\nSierraAlfa\r\nThreatNeedle\r\nTorisma\r\nWannaCry\r\nRecommendations and Mitigations\r\nExamination of the encountered cases shows that the group mostly uses phishing attacks and known security vulnerabilities to gain initial access to its victims. Therefore, precautions should be taken with the attack vectors used by Lazarus APT in mind.\r\nImportant recommendations that should be implemented to protect valuable assets and minimize the risk of compromise caused by security vulnerabilities and misconfigurations are shared below.\r\nAn integrated cyber defense platform should be used that shares threat data from email, web, cloud applications, and infrastructure.\r\nMake sure that multi-factor authentication is enabled for all accounts using your network.\r\nInternet dependency should be minimized for all critical systems, and control system devices should not be connected directly to the Internet.\r\nAll unused legacy applications should be removed from all machines on the network to avoid abuse.\r\nCritical networks, such as control system networks behind firewalls, must be isolated from the external network.\r\nSecure methods such as VPN should be used if remote access is required.\r\nUnused system accounts should be removed, disabled, or renamed.\r\nTo avoid being affected by known security vulnerabilities, updates that patch the vulnerabilities should be applied as soon as possible.\r\nPolicies that require the use of strong passwords should be implemented.\r\nOrganizations should keep backups of important data, systems, and configurations.\r\nRestore capacity should be tested to ensure that the restore capabilities support the needs of the business.\r\nInstitution/Organization personnel should be trained to understand cybersecurity principles and not engage in behavior that could compromise network security.\r\nSource: https://brandefense.io/blog/apt-groups/lazarus-apt-group-apt38/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://brandefense.io/blog/apt-groups/lazarus-apt-group-apt38/"
	],
	"report_names": [
		"lazarus-apt-group-apt38"
	],
	"threat_actors": [
		{
			"id": "838f6ced-12a4-4893-991a-36d231d96efd",
			"created_at": "2022-10-25T15:50:23.347455Z",
			"updated_at": "2026-04-10T02:00:05.295717Z",
			"deleted_at": null,
			"main_name": "Andariel",
			"aliases": [
				"Andariel",
				"Silent Chollima",
				"PLUTONIUM",
				"Onyx Sleet"
			],
			"source_name": "MITRE:Andariel",
			"tools": [
				"Rifdoor",
				"gh0st RAT"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "998746e1-b4b8-429b-a737-6eb368247c42",
			"created_at": "2022-10-25T16:07:23.505704Z",
			"updated_at": "2026-04-10T02:00:04.632806Z",
			"deleted_at": null,
			"main_name": "Covellite",
			"aliases": [
				"Black Artemis",
				"CTG-2460",
				"Nickel Academy"
			],
			"source_name": "ETDA:Covellite",
			"tools": [],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "34eea331-d052-4096-ae03-a22f1d090bd4",
			"created_at": "2025-08-07T02:03:25.073494Z",
			"updated_at": "2026-04-10T02:00:03.709243Z",
			"deleted_at": null,
			"main_name": "NICKEL ACADEMY",
			"aliases": [
				"ATK3 ",
				"Black Artemis ",
				"COVELLITE ",
				"CTG-2460 ",
				"Citrine Sleet ",
				"Diamond Sleet ",
				"Guardians of Peace",
				"HIDDEN COBRA ",
				"High Anonymous",
				"Labyrinth Chollima ",
				"Lazarus Group ",
				"NNPT Group",
				"New Romanic Cyber Army Team",
				"Temp.Hermit ",
				"UNC577 ",
				"Who Am I?",
				"Whois Team",
				"ZINC "
			],
			"source_name": "Secureworks:NICKEL ACADEMY",
			"tools": [
				"Destover",
				"KorHigh",
				"Volgmer"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "a3687241-9876-477b-aa13-a7c368ffda58",
			"created_at": "2022-10-25T16:07:24.496902Z",
			"updated_at": "2026-04-10T02:00:05.010744Z",
			"deleted_at": null,
			"main_name": "Hacking Team",
			"aliases": [],
			"source_name": "ETDA:Hacking Team",
			"tools": [],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "e90c06e4-e3e0-4f46-a3b5-17b84b31da62",
			"created_at": "2023-01-06T13:46:39.018236Z",
			"updated_at": "2026-04-10T02:00:03.183123Z",
			"deleted_at": null,
			"main_name": "Hacking Team",
			"aliases": [],
			"source_name": "MISPGALAXY:Hacking Team",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "110e7160-a8cc-4a66-8550-f19f7d418117",
			"created_at": "2023-01-06T13:46:38.427592Z",
			"updated_at": "2026-04-10T02:00:02.969896Z",
			"deleted_at": null,
			"main_name": "Silent Chollima",
			"aliases": [
				"Onyx Sleet",
				"PLUTONIUM",
				"OperationTroy",
				"Guardian of Peace",
				"GOP",
				"WHOis Team",
				"Andariel",
				"Subgroup: Andariel"
			],
			"source_name": "MISPGALAXY:Silent Chollima",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "68cc6e37-f16d-4995-a75b-5e8e2a6cbb3d",
			"created_at": "2024-05-01T02:03:07.943593Z",
			"updated_at": "2026-04-10T02:00:03.795229Z",
			"deleted_at": null,
			"main_name": "BRONZE EDISON",
			"aliases": [
				"APT4 ",
				"DarkSeoul",
				"Maverick Panda ",
				"Salmon Typhoon ",
				"Sodium ",
				"Sykipot ",
				"TG-0623 ",
				"getkys"
			],
			"source_name": "Secureworks:BRONZE EDISON",
			"tools": [
				"Gh0st RAT",
				"Wkysol",
				"ZxPortMap"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "544ecd2c-82c9-417c-9d98-d1ae395df964",
			"created_at": "2025-10-29T02:00:52.035025Z",
			"updated_at": "2026-04-10T02:00:05.408558Z",
			"deleted_at": null,
			"main_name": "AppleJeus",
			"aliases": [
				"AppleJeus",
				"Gleaming Pisces",
				"Citrine Sleet",
				"UNC1720",
				"UNC4736"
			],
			"source_name": "MITRE:AppleJeus",
			"tools": null,
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "bc6e3644-3249-44f3-a277-354b7966dd1b",
			"created_at": "2022-10-25T16:07:23.760559Z",
			"updated_at": "2026-04-10T02:00:04.741239Z",
			"deleted_at": null,
			"main_name": "Andariel",
			"aliases": [
				"APT 45",
				"Andariel",
				"G0138",
				"Jumpy Pisces",
				"Onyx Sleet",
				"Operation BLACKMINE",
				"Operation BLACKSHEEP/Phase 3.",
				"Operation Blacksmith",
				"Operation DESERTWOLF/Phase 3",
				"Operation GHOSTRAT",
				"Operation GoldenAxe",
				"Operation INITROY/Phase 1",
				"Operation INITROY/Phase 2",
				"Operation Mayday",
				"Operation VANXATM",
				"Operation XEDA",
				"Plutonium",
				"Silent Chollima",
				"Stonefly"
			],
			"source_name": "ETDA:Andariel",
			"tools": [],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "732597b1-40a8-474c-88cc-eb8a421c29f1",
			"created_at": "2025-08-07T02:03:25.087732Z",
			"updated_at": "2026-04-10T02:00:03.776007Z",
			"deleted_at": null,
			"main_name": "NICKEL GLADSTONE",
			"aliases": [
				"APT38 ",
				"ATK 117 ",
				"Alluring Pisces ",
				"Black Alicanto ",
				"Bluenoroff ",
				"CTG-6459 ",
				"Citrine Sleet ",
				"HIDDEN COBRA ",
				"Lazarus Group",
				"Sapphire Sleet ",
				"Selective Pisces ",
				"Stardust Chollima ",
				"T-APT-15 ",
				"TA444 ",
				"TAG-71 "
			],
			"source_name": "Secureworks:NICKEL GLADSTONE",
			"tools": [
				"AlphaNC",
				"Bankshot",
				"CCGC_Proxy",
				"Ratankba",
				"RustBucket",
				"SUGARLOADER",
				"SwiftLoader",
				"Wcry"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "a2b92056-9378-4749-926b-7e10c4500dac",
			"created_at": "2023-01-06T13:46:38.430595Z",
			"updated_at": "2026-04-10T02:00:02.971571Z",
			"deleted_at": null,
			"main_name": "Lazarus Group",
			"aliases": [
				"Operation DarkSeoul",
				"Bureau 121",
				"Group 77",
				"APT38",
				"NICKEL GLADSTONE",
				"G0082",
				"COPERNICIUM",
				"Moonstone Sleet",
				"Operation GhostSecret",
				"APT 38",
				"Appleworm",
				"Unit 121",
				"ATK3",
				"G0032",
				"ATK117",
				"NewRomanic Cyber Army Team",
				"Nickel Academy",
				"Sapphire Sleet",
				"Lazarus group",
				"Hastati Group",
				"Subgroup: Bluenoroff",
				"Operation Troy",
				"Black Artemis",
				"Dark Seoul",
				"Andariel",
				"Labyrinth Chollima",
				"Operation AppleJeus",
				"COVELLITE",
				"Citrine Sleet",
				"DEV-0139",
				"DEV-1222",
				"Hidden Cobra",
				"Bluenoroff",
				"Stardust Chollima",
				"Whois Hacking Team",
				"Diamond Sleet",
				"TA404",
				"BeagleBoyz",
				"APT-C-26"
			],
			"source_name": "MISPGALAXY:Lazarus Group",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "7d5531e2-0ad1-4237-beed-af009035576f",
			"created_at": "2024-05-01T02:03:07.977868Z",
			"updated_at": "2026-04-10T02:00:03.817883Z",
			"deleted_at": null,
			"main_name": "BRONZE PALACE",
			"aliases": [
				"APT15 ",
				"BRONZE DAVENPORT ",
				"BRONZE IDLEWOOD ",
				"CTG-6119 ",
				"CTG-6119 ",
				"CTG-9246 ",
				"Ke3chang ",
				"NICKEL ",
				"Nylon Typhoon ",
				"Playful Dragon",
				"Vixen Panda "
			],
			"source_name": "Secureworks:BRONZE PALACE",
			"tools": [
				"BMW",
				"BS2005",
				"Enfal",
				"Mirage",
				"RoyalCLI",
				"RoyalDNS"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "771d9263-076e-4b6e-bd58-92b6555eb739",
			"created_at": "2025-08-07T02:03:25.092436Z",
			"updated_at": "2026-04-10T02:00:03.758541Z",
			"deleted_at": null,
			"main_name": "NICKEL HYATT",
			"aliases": [
				"APT45 ",
				"Andariel",
				"Dark Seoul",
				"Jumpy Pisces ",
				"Onyx Sleet ",
				"RIFLE Campaign",
				"Silent Chollima ",
				"Stonefly ",
				"UN614 "
			],
			"source_name": "Secureworks:NICKEL HYATT",
			"tools": [
				"ActiveX 0-day",
				"DTrack",
				"HazyLoad",
				"HotCriossant",
				"Rifle",
				"UnitBot",
				"Valefor"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "32a223a8-3c79-4146-87c5-8557d38662ae",
			"created_at": "2022-10-25T15:50:23.703698Z",
			"updated_at": "2026-04-10T02:00:05.261989Z",
			"deleted_at": null,
			"main_name": "Lazarus Group",
			"aliases": [
				"Lazarus Group",
				"Labyrinth Chollima",
				"HIDDEN COBRA",
				"Guardians of Peace",
				"NICKEL ACADEMY",
				"Diamond Sleet"
			],
			"source_name": "MITRE:Lazarus Group",
			"tools": [
				"RawDisk",
				"Proxysvc",
				"BADCALL",
				"FALLCHILL",
				"WannaCry",
				"MagicRAT",
				"HOPLIGHT",
				"TYPEFRAME",
				"Dtrack",
				"HotCroissant",
				"HARDRAIN",
				"Dacls",
				"KEYMARBLE",
				"TAINTEDSCRIBE",
				"AuditCred",
				"netsh",
				"ECCENTRICBANDWAGON",
				"AppleJeus",
				"BLINDINGCAN",
				"ThreatNeedle",
				"Volgmer",
				"Cryptoistic",
				"RATANKBA",
				"Bankshot"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "f426f0a0-faef-4c0e-bcf8-88974116c9d0",
			"created_at": "2022-10-25T15:50:23.240383Z",
			"updated_at": "2026-04-10T02:00:05.299433Z",
			"deleted_at": null,
			"main_name": "APT38",
			"aliases": [
				"APT38",
				"NICKEL GLADSTONE",
				"BeagleBoyz",
				"Bluenoroff",
				"Stardust Chollima",
				"Sapphire Sleet",
				"COPERNICIUM"
			],
			"source_name": "MITRE:APT38",
			"tools": [
				"ECCENTRICBANDWAGON",
				"HOPLIGHT",
				"Mimikatz",
				"KillDisk",
				"DarkComet"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "1bdb91cf-f1a6-4bed-8cfa-c7ea1b635ebd",
			"created_at": "2022-10-25T16:07:23.766784Z",
			"updated_at": "2026-04-10T02:00:04.7432Z",
			"deleted_at": null,
			"main_name": "Bluenoroff",
			"aliases": [
				"APT 38",
				"ATK 117",
				"Alluring Pisces",
				"Black Alicanto",
				"Bluenoroff",
				"CTG-6459",
				"Copernicium",
				"G0082",
				"Nickel Gladstone",
				"Sapphire Sleet",
				"Selective Pisces",
				"Stardust Chollima",
				"T-APT-15",
				"TA444",
				"TAG-71",
				"TEMP.Hermit"
			],
			"source_name": "ETDA:Bluenoroff",
			"tools": [],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "f32df445-9fb4-4234-99e0-3561f6498e4e",
			"created_at": "2022-10-25T16:07:23.756373Z",
			"updated_at": "2026-04-10T02:00:04.739611Z",
			"deleted_at": null,
			"main_name": "Lazarus Group",
			"aliases": [
				"APT-C-26",
				"ATK 3",
				"Appleworm",
				"Citrine Sleet",
				"DEV-0139",
				"Diamond Sleet",
				"G0032",
				"Gleaming Pisces",
				"Gods Apostles",
				"Gods Disciples",
				"Group 77",
				"Guardians of Peace",
				"Hastati Group",
				"Hidden Cobra",
				"ITG03",
				"Jade Sleet",
				"Labyrinth Chollima",
				"Lazarus Group",
				"NewRomanic Cyber Army Team",
				"Operation 99",
				"Operation AppleJeus",
				"Operation AppleJeus sequel",
				"Operation Blockbuster: Breach of Sony Pictures Entertainment",
				"Operation CryptoCore",
				"Operation Dream Job",
				"Operation Dream Magic",
				"Operation Flame",
				"Operation GhostSecret",
				"Operation In(ter)caption",
				"Operation LolZarus",
				"Operation Marstech Mayhem",
				"Operation No Pineapple!",
				"Operation North Star",
				"Operation Phantom Circuit",
				"Operation Sharpshooter",
				"Operation SyncHole",
				"Operation Ten Days of Rain / DarkSeoul",
				"Operation Troy",
				"SectorA01",
				"Slow Pisces",
				"TA404",
				"TraderTraitor",
				"UNC2970",
				"UNC4034",
				"UNC4736",
				"UNC4899",
				"UNC577",
				"Whois Hacking Team"
			],
			"source_name": "ETDA:Lazarus Group",
			"tools": [
				"3CX Backdoor",
				"3Rat Client",
				"3proxy",
				"AIRDRY",
				"ARTFULPIE",
				"ATMDtrack",
				"AlphaNC",
				"Alreay",
				"Andaratm",
				"AngryRebel",
				"AppleJeus",
				"Aryan",
				"AuditCred",
				"BADCALL",
				"BISTROMATH",
				"BLINDINGCAN",
				"BTC Changer",
				"BUFFETLINE",
				"BanSwift",
				"Bankshot",
				"Bitrep",
				"Bitsran",
				"BlindToad",
				"Bookcode",
				"BootWreck",
				"BottomLoader",
				"Brambul",
				"BravoNC",
				"Breut",
				"COLDCAT",
				"COPPERHEDGE",
				"CROWDEDFLOUNDER",
				"Castov",
				"CheeseTray",
				"CleanToad",
				"ClientTraficForwarder",
				"CollectionRAT",
				"Concealment Troy",
				"Contopee",
				"CookieTime",
				"Cyruslish",
				"DAVESHELL",
				"DBLL Dropper",
				"DLRAT",
				"DRATzarus",
				"DRATzarus RAT",
				"Dacls",
				"Dacls RAT",
				"DarkComet",
				"DarkKomet",
				"DeltaCharlie",
				"DeltaNC",
				"Dembr",
				"Destover",
				"DoublePulsar",
				"Dozer",
				"Dtrack",
				"Duuzer",
				"DyePack",
				"ECCENTRICBANDWAGON",
				"ELECTRICFISH",
				"Escad",
				"EternalBlue",
				"FALLCHILL",
				"FYNLOS",
				"FallChill RAT",
				"Farfli",
				"Fimlis",
				"FoggyBrass",
				"FudModule",
				"Fynloski",
				"Gh0st RAT",
				"Ghost RAT",
				"Gopuram",
				"HARDRAIN",
				"HIDDEN COBRA RAT/Worm",
				"HLOADER",
				"HOOKSHOT",
				"HOPLIGHT",
				"HOTCROISSANT",
				"HOTWAX",
				"HTTP Troy",
				"Hawup",
				"Hawup RAT",
				"Hermes",
				"HotCroissant",
				"HotelAlfa",
				"Hotwax",
				"HtDnDownLoader",
				"Http Dr0pper",
				"ICONICSTEALER",
				"Joanap",
				"Jokra",
				"KANDYKORN",
				"KEYMARBLE",
				"Kaos",
				"KillDisk",
				"KillMBR",
				"Koredos",
				"Krademok",
				"LIGHTSHIFT",
				"LIGHTSHOW",
				"LOLBAS",
				"LOLBins",
				"Lazarus",
				"LightlessCan",
				"Living off the Land",
				"MATA",
				"MBRkiller",
				"MagicRAT",
				"Manuscrypt",
				"Mimail",
				"Mimikatz",
				"Moudour",
				"Mydoom",
				"Mydoor",
				"Mytob",
				"NACHOCHEESE",
				"NachoCheese",
				"NestEgg",
				"NickelLoader",
				"NineRAT",
				"Novarg",
				"NukeSped",
				"OpBlockBuster",
				"PCRat",
				"PEBBLEDASH",
				"PLANKWALK",
				"POOLRAT",
				"PSLogger",
				"PhanDoor",
				"Plink",
				"PondRAT",
				"PowerBrace",
				"PowerRatankba",
				"PowerShell RAT",
				"PowerSpritz",
				"PowerTask",
				"Preft",
				"ProcDump",
				"Proxysvc",
				"PuTTY Link",
				"QUICKRIDE",
				"QUICKRIDE.POWER",
				"Quickcafe",
				"QuiteRAT",
				"R-C1",
				"ROptimizer",
				"Ratabanka",
				"RatabankaPOS",
				"Ratankba",
				"RatankbaPOS",
				"RawDisk",
				"RedShawl",
				"Rifdoor",
				"Rising Sun",
				"Romeo-CoreOne",
				"RomeoAlfa",
				"RomeoBravo",
				"RomeoCharlie",
				"RomeoCore",
				"RomeoDelta",
				"RomeoEcho",
				"RomeoFoxtrot",
				"RomeoGolf",
				"RomeoHotel",
				"RomeoMike",
				"RomeoNovember",
				"RomeoWhiskey",
				"Romeos",
				"RustBucket",
				"SHADYCAT",
				"SHARPKNOT",
				"SIGFLIP",
				"SIMPLESEA",
				"SLICKSHOES",
				"SORRYBRUTE",
				"SUDDENICON",
				"SUGARLOADER",
				"SheepRAT",
				"SierraAlfa",
				"SierraBravo",
				"SierraCharlie",
				"SierraJuliett-MikeOne",
				"SierraJuliett-MikeTwo",
				"SimpleTea",
				"SimplexTea",
				"SmallTiger",
				"Stunnel",
				"TAINTEDSCRIBE",
				"TAXHAUL",
				"TFlower",
				"TOUCHKEY",
				"TOUCHMOVE",
				"TOUCHSHIFT",
				"TOUCHSHOT",
				"TWOPENCE",
				"TYPEFRAME",
				"Tdrop",
				"Tdrop2",
				"ThreatNeedle",
				"Tiger RAT",
				"TigerRAT",
				"Trojan Manuscript",
				"Troy",
				"TroyRAT",
				"VEILEDSIGNAL",
				"VHD",
				"VHD Ransomware",
				"VIVACIOUSGIFT",
				"VSingle",
				"ValeforBeta",
				"Volgmer",
				"Vyveva",
				"W1_RAT",
				"Wana Decrypt0r",
				"WanaCry",
				"WanaCrypt",
				"WanaCrypt0r",
				"WannaCry",
				"WannaCrypt",
				"WannaCryptor",
				"WbBot",
				"Wcry",
				"Win32/KillDisk.NBB",
				"Win32/KillDisk.NBC",
				"Win32/KillDisk.NBD",
				"Win32/KillDisk.NBH",
				"Win32/KillDisk.NBI",
				"WinorDLL64",
				"Winsec",
				"WolfRAT",
				"Wormhole",
				"YamaBot",
				"Yort",
				"ZetaNile",
				"concealment_troy",
				"http_troy",
				"httpdr0pper",
				"httpdropper",
				"klovbot",
				"sRDI"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434588,
	"ts_updated_at": 1775792299,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/63f76d448d4a2755c314a7bc50dba79c7ae0fad0.pdf",
		"text": "https://archive.orkl.eu/63f76d448d4a2755c314a7bc50dba79c7ae0fad0.txt",
		"img": "https://archive.orkl.eu/63f76d448d4a2755c314a7bc50dba79c7ae0fad0.jpg"
	}
}