{
	"id": "0ac5f11e-1e6b-485d-9df5-a69cbf7e4a53",
	"created_at": "2026-04-06T00:16:10.045062Z",
	"updated_at": "2026-04-10T13:13:04.922828Z",
	"deleted_at": null,
	"sha1_hash": "7243f1d5983053337fe7a378ea42318b7e221653",
	"title": "GitHub - 649/APT38-DYEPACK: Reverse engineered APT38 DYEPACK samples used to empty SWIFT banking servers. Use caution when handling live binaries.",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 265143,
	"plain_text": "GitHub - 649/APT38-DYEPACK: Reverse engineered APT38\r\nDYEPACK samples used to empty SWIFT banking servers. Use\r\ncaution when handling live binaries.\r\nBy 649\r\nArchived: 2026-04-05 22:52:07 UTC\r\nFolders and files\r\nName Last commit message Last commit date\r\nLatest commit\r\n649\r\ninit\r\nMar 20, 2019\r\naf3f469 · Mar 20, 2019\r\nHistory\r\n7 Commits\r\nimg init Mar 20, 2019\r\nsample init Mar 20, 2019\r\n.gitattributes 🎉 Added .gitattributes Jan 4, 2019\r\n.gitignore init Jan 4, 2019\r\nREADME.md init Mar 20, 2019\r\nREADME\r\nAPT38 DYEPACK FRAMEWORK\r\nReverse engineered using IDA Pro + Ghidra. Live binaries are in /sample/binaries.zip\r\nPassword: infected\r\nDISCLAIMER\r\nSamples are for malware research ONLY. Do not use decompiled versions of the framework to cause harm, I am\r\nnot responsible for any damages caused. Handle live binaries with care, and use a VM for any dynamic analysis.\r\nSource: https://github.com/649/APT38-DYEPACK",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://github.com/649/APT38-DYEPACK"
	],
	"report_names": [
		"APT38-DYEPACK"
	],
	"threat_actors": [
		{
			"id": "732597b1-40a8-474c-88cc-eb8a421c29f1",
			"created_at": "2025-08-07T02:03:25.087732Z",
			"updated_at": "2026-04-10T02:00:03.776007Z",
			"deleted_at": null,
			"main_name": "NICKEL GLADSTONE",
			"aliases": [
				"APT38 ",
				"ATK 117 ",
				"Alluring Pisces ",
				"Black Alicanto ",
				"Bluenoroff ",
				"CTG-6459 ",
				"Citrine Sleet ",
				"HIDDEN COBRA ",
				"Lazarus Group",
				"Sapphire Sleet ",
				"Selective Pisces ",
				"Stardust Chollima ",
				"T-APT-15 ",
				"TA444 ",
				"TAG-71 "
			],
			"source_name": "Secureworks:NICKEL GLADSTONE",
			"tools": [
				"AlphaNC",
				"Bankshot",
				"CCGC_Proxy",
				"Ratankba",
				"RustBucket",
				"SUGARLOADER",
				"SwiftLoader",
				"Wcry"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "a2b92056-9378-4749-926b-7e10c4500dac",
			"created_at": "2023-01-06T13:46:38.430595Z",
			"updated_at": "2026-04-10T02:00:02.971571Z",
			"deleted_at": null,
			"main_name": "Lazarus Group",
			"aliases": [
				"Operation DarkSeoul",
				"Bureau 121",
				"Group 77",
				"APT38",
				"NICKEL GLADSTONE",
				"G0082",
				"COPERNICIUM",
				"Moonstone Sleet",
				"Operation GhostSecret",
				"APT 38",
				"Appleworm",
				"Unit 121",
				"ATK3",
				"G0032",
				"ATK117",
				"NewRomanic Cyber Army Team",
				"Nickel Academy",
				"Sapphire Sleet",
				"Lazarus group",
				"Hastati Group",
				"Subgroup: Bluenoroff",
				"Operation Troy",
				"Black Artemis",
				"Dark Seoul",
				"Andariel",
				"Labyrinth Chollima",
				"Operation AppleJeus",
				"COVELLITE",
				"Citrine Sleet",
				"DEV-0139",
				"DEV-1222",
				"Hidden Cobra",
				"Bluenoroff",
				"Stardust Chollima",
				"Whois Hacking Team",
				"Diamond Sleet",
				"TA404",
				"BeagleBoyz",
				"APT-C-26"
			],
			"source_name": "MISPGALAXY:Lazarus Group",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "f426f0a0-faef-4c0e-bcf8-88974116c9d0",
			"created_at": "2022-10-25T15:50:23.240383Z",
			"updated_at": "2026-04-10T02:00:05.299433Z",
			"deleted_at": null,
			"main_name": "APT38",
			"aliases": [
				"APT38",
				"NICKEL GLADSTONE",
				"BeagleBoyz",
				"Bluenoroff",
				"Stardust Chollima",
				"Sapphire Sleet",
				"COPERNICIUM"
			],
			"source_name": "MITRE:APT38",
			"tools": [
				"ECCENTRICBANDWAGON",
				"HOPLIGHT",
				"Mimikatz",
				"KillDisk",
				"DarkComet"
			],
			"source_id": "MITRE",
			"reports": null
		}
	],
	"ts_created_at": 1775434570,
	"ts_updated_at": 1775826784,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/7243f1d5983053337fe7a378ea42318b7e221653.pdf",
		"text": "https://archive.orkl.eu/7243f1d5983053337fe7a378ea42318b7e221653.txt",
		"img": "https://archive.orkl.eu/7243f1d5983053337fe7a378ea42318b7e221653.jpg"
	}
}