{
	"id": "cdd63b29-0027-499a-9c15-592012db3cb2",
	"created_at": "2026-04-06T00:12:58.006392Z",
	"updated_at": "2026-04-10T03:38:19.240613Z",
	"deleted_at": null,
	"sha1_hash": "7b46cd0b5e151a6b1659c1692cfbd8cc63892cfb",
	"title": "Threat Brief: 3CXDesktopApp Supply Chain Attack (Updated)",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 416147,
	"plain_text": "Threat Brief: 3CXDesktopApp Supply Chain Attack (Updated)\r\nBy Robert Falcone, Josh Grunzweig\r\nPublished: 2023-03-30 · Archived: 2026-04-05 18:53:07 UTC\r\nExecutive Summary\r\nOn March 29, 2023, there was a supply chain attack involving a software-based phone application called 3CXDesktopApp.\r\nAs of March 30, the 3CXDesktopApp installer hosted on the developer’s website will install the application with two\r\nmalicious libraries included. The malicious libraries will ultimately run shellcode to load a backdoor on the system that\r\nallows actors to install additional malware on the victim machine.\r\nOn March 31, 2023, we updated this blog to include a Next-Generation Firewall protections summary.\r\nOn April 3, 2023, we updated this blog to include an XSOAR protections summary. For Cortex XDR and XSIAM, we\r\nspecified the content version for MacOS coverage. All XDR customers are and were protected with no upgrade required.\r\nAt this time, we cannot determine exactly how these malicious libraries were included in the 3CXDesktopApp installer. We\r\nspeculate that threat actors might have introduced these malicious libraries during the build process of the 3CXDesktopApp\r\napplication. Because malicious content was added to this legitimate application in order to compromise the users of\r\n3CXDesktopApp, it could suggest that this is intended to be a supply chain attack.\r\n3CX products are widely used across the globe. Our Cortex Xpanse product was able to fingerprint 247,277 distinct IP\r\naddresses in 199 countries that are using 3CX applications.\r\nBetween March 9-30, 2023, we observed activity at 127 Cortex XDR customers that involved the 3CXDesktopApp process\r\nattempting to run shellcode, which was blocked by the XDR Agent’s In-process Shellcode Protection Module. 
Due to\r\nblocking the shellcode, we were unable to obtain the secondary payload used in this attack, so we cannot determine its\r\ncapabilities or any post-exploitation activities carried out by the threat actor.\r\nDetails of the Incident\r\nThe 3CXDesktopApp supply chain attack began with threat actors introducing malicious libraries into the legitimate\r\n3CXDesktopApp installation application, likely by including these libraries during the build process of 3CXDesktopApp.\r\nWith the malicious libraries included in the legitimate installer, individuals fall victim by downloading and running the\r\n3CXDesktopApp installer from the developer’s website.\r\nAt the time of publishing this threat brief, the Unit 42 team is aware of malicious 3CXDesktopApp installers meant to run on\r\nboth Windows and macOS. The former comes as a Windows Installer File (.msi) and the latter comes as an Apple Disk\r\nImage file (.dmg). Figure 1 shows a diagram of the overall process.\r\nFigure 1. Installation process for malicious 3CXDesktopApp installer for Windows.\r\nOn a Windows system, the MSI installer extracts several files and runs 3CXDesktopApp.exe, which loads a malicious\r\nlibrary file named ffmpeg.dll. This DLL was originally compiled on Nov. 12, 2022, based on compiler metadata.\r\nThe ffmpeg.dll library reads in a second extracted library with a file name of d3dcompiler_47.dll, decrypts a portion of it\r\nusing RC4 and a key of 3jB(2bsG#@c7, and runs the decrypted contents as shellcode. The shellcode loads an embedded\r\nDLL and calls the DllGetClassObject function exported by the DLL.\r\nhttps://unit42.paloaltonetworks.com/3cxdesktopapp-supply-chain-attack/\r\nPage 1 of 7\n\nOnce initially executed, the malware will generate a randomly selected date that is between 1-4 weeks in the future. This\r\ntimestamp is then checked against the current time of the compromised machine, and the malware will sleep until that time\r\nis encountered. 
This delays execution for a significant amount of time, which keeps victims from suspecting that the program was\r\nbackdoored.\r\nThe DLL attempts to obtain its command and control (C2) server by downloading an icon file from the following URL\r\nwhose filename includes a randomly generated number between 1 and 15:\r\nhxxps://raw.githubusercontent[.]com/IconStorages/images/main/icon[1-15].ico\r\nThis request looks similar to the one below.\r\nGET /IconStorages/images/main/icon1.ico HTTP/1.1\r\naccept: */*\r\naccept-language: en-US,en;q=0.9\r\naccept-encoding: gzip, deflate, br\r\nUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko)\r\n3CXDesktopApp/18.11.1197 Chrome/102.0.5005.167 Electron/19.1.9 Safari/537.36\r\nHost: raw.githubusercontent.com\r\nConnection: Keep-Alive\r\nCache-Control: no-cache\r\nThe GitHub account above no longer exists; however, we were able to obtain the icon files that were hosted at the above\r\nURLs. 
Table 1 includes the hash of the icon file, the filename and the C2 URL extracted from within the file.\r\nSHA256 | Icon Filename | C2 URL Extracted\r\na541e5fc421c358e0a2b07bf4771e897fb5a617998aa4876e0e1baa5fbb8e25c | icon1.ico | hxxps://msstorageazure[.]com/window\r\n2c9957ea04d033d68b769f333a48e228c32bcf26bd98e51310efd48e80c1789f | icon2.ico | hxxps://officestoragebox[.]com/api/session\r\n268d4e399dbbb42ee1cd64d0da72c57214ac987efbb509c46cc57ea6b214beca | icon3.ico | hxxps://visualstudiofactory[.]com/workload\r\nc62dce8a77d777774e059cf1720d77c47b97d97c3b0cf43ade5d96bf724639bd | icon4.ico | hxxps://azuredeploystore[.]com/cloud/services\r\nc13d49ed325dec9551906bafb6de9ec947e5ff936e7e40877feb2ba4bb176396 | icon5.ico | hxxps://msstorageboxes[.]com/office\r\nf1bf4078141d7ccb4f82e3f4f1c3571ee6dd79b5335eb0e0464f877e6e6e3182 | icon6.ico | hxxps://officeaddons[.]com/technologies\r\n2487b4e3c950d56fb15316245b3c51fbd70717838f6f82f32db2efcc4d9da6de | icon7.ico | hxxps://sourceslabs[.]com/downloads\r\ne059c8c8b01d6f3af32257fc2b6fe188d5f4359c308b3684b1e0db2071c3425c | icon8.ico | hxxps://zacharryblogs[.]com/feed\r\nd0f1984b4fe896d0024533510ce22d71e05b20bad74d53fae158dc752a65782e | icon9.ico | hxxps://pbxcloudeservices[.]com/phonesystem\r\nd459aa0a63140ccc647e9026bfd1fccd4c310c262a88896c57bbe3b6456bd090 | icon10.ico and icon11.ico | hxxps://akamaitechcloudservices[.]com/v2/storage\r\nd51a790d187439ce030cf763237e992e9196e9aa41797a94956681b6279d1b9a | icon12.ico | hxxps://azureonlinestorage[.]com/azure/storage\r\n4e08e4ffc699e0a1de4a5225a0b4920933fbb9cf123cde33e1674fde6d61444f | icon13.ico | hxxps://msedgepackageinfo[.]com/microsoft-edge\r\n8c0b7d90f14c55d4f1d0f17e0242efd78fd4ed0c344ac6469611ec72defa6b2d | icon14.ico | hxxps://glcloudservice[.]com/v1/console\r\nf47c883f59a4802514c57680de3f41f690871e26f250c6e890651ba71027e4d3 | icon15.ico | hxxps://pbxsources[.]com/exchange\r\nTable 1. 
Icon files hosted at the GitHub account used by the payload to locate its C2 URL.\r\nIt should also be noted that the .ico files originally appeared on this GitHub repository Dec. 7, 2022, as shown in the git logs\r\nin Figure 2 below. This provides additional insight into the timeline as to when this attack originated.\r\nFigure 2. Logs indicating earliest modifications to GitHub repository.\r\nAfter the .ico files are downloaded, parsed and subsequently decrypted to extract the next-stage URL, the malware will\r\nperform an HTTPS request to it. The requests are similar to the following:\r\nGET /api/session HTTP/1.1\r\naccept: */*\r\naccept-language: en-US,en;q=0.9\r\naccept-encoding: gzip, deflate, br\r\nUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko)\r\n3CXDesktopApp/18.11.1197 Chrome/102.0.5005.167 Electron/19.1.9 Safari/537.36\r\nHost: officestoragebox.com\r\nConnection: Keep-Alive\r\nCache-Control: no-cache\r\nWhile the remote C2 servers are no longer available, we can understand what the malware expects based on its own control\r\nflow. The C2 server is expected to respond with a JSON blob containing the following keys.\r\n{\r\n\"url\" : [data],\r\n\"meta\" : [data],\r\n\"description\" : [data]\r\n}\r\nThe \"meta\" field is parsed, and the data contained within this field is subsequently decrypted using the same routine that was\r\npreviously leveraged. 
Finally, this decrypted data is directly executed on the victim machine.\r\nBoth of the known macOS variants involve DMG installers that contain a malicious FFmpeg library, specifically at the\r\nfollowing path:\r\n3CX Desktop App.app/Contents/Frameworks/Electron Framework.framework/Versions/A/Libraries/libffmpeg.dylib\r\nThis malicious library is similar in functionality but simpler than the Windows variant, as the libffmpeg.dylib library does not\r\nattempt to obtain its C2 URL by extracting the URL from within an icon file hosted in a GitHub account. Instead, the Mac\r\nvariant contains a list of 16 hardcoded URLs that it will communicate with as its C2 server, as seen in the following list:\r\nmsstorageazure[.]com/analysis\r\nofficestoragebox[.]com/api/biosync\r\nvisualstudiofactory[.]com/groupcore\r\nazuredeploystore[.]com/cloud/images\r\nmsstorageboxes[.]com/xbox\r\nofficeaddons[.]com/quality\r\nsourceslabs[.]com/status\r\nzacharryblogs[.]com/xmlquery\r\npbxcloudeservices[.]com/network\r\npbxphonenetwork[.]com/phone\r\nakamaitechcloudservices[.]com/v2/fileapi\r\nazureonlinestorage[.]com/google/storage\r\nmsedgepackageinfo[.]com/ms-webview\r\nglcloudservice[.]com/v1/status\r\npbxsources[.]com/queue\r\nwww.3cx[.]com/blog/event-trainings/\r\nNote that the www.3cx[.]com URL above is a legitimate website owned by the 3CX vendor, which is not believed to be used\r\nfor C2 communication at the time of writing.\r\nThe URLs found in the macOS variant use the same domains as the Windows variant, with the exception of the\r\npbxphonenetwork[.]com domain. However, the URL paths differ between the macOS and Windows variants when\r\ninteracting with the same domain.\r\nCrowdStrike has publicly attributed this activity to a threat actor they track as Labyrinth Chollima. 
While we cannot confirm\r\nthe overlap that led to this attribution, we believe the RC4 key 3jB(2bsG#@c7 used in this attack was seen in\r\nprevious activity associated with Labyrinth Chollima. Huntress Labs mentioned this key has been used in the past by DPRK\r\nthreat actors, which suggests it could be the linkage to Labyrinth Chollima. At this time, we cannot confirm or deny this\r\noverlap and will continue to look for attributable evidence.\r\nCurrent Scope of the Attack\r\nAccording to 3CX’s announcement, the supply chain attack involved the 3CX Electron Windows App shipped in Update 7,\r\nversion numbers 18.12.407 and 18.12.416, and Electron Mac App version numbers 18.11.1213, 18.12.402, 18.12.407 and\r\n18.12.416.\r\nAccording to XDR and XSIAM telemetry, we observed activity on 127 customers' systems that involved the\r\n3CXDesktopApp process attempting to run shellcode, which was blocked by the XDR Agent’s In-process Shellcode Protection\r\nModule. We observed 5,796 of these events across 1,832 unique systems between March 9-30, 2023. Note that all XDR\r\ncustomers were protected from this zero-day with no upgrade needed.\r\nBecause the execution of the shellcode was blocked, we were unable to obtain the secondary payload of this attack that\r\nwould contain the functionality needed by the threat actor to carry out any additional activities.\r\nTo determine the prevalence of 3CX products, we created a fingerprint of their publicly accessible applications and scanned\r\nthe internet with our Xpanse product. The scan results showed 247,277 unique IP addresses in 199 countries that match this\r\nfingerprint, which suggests 3CX products are widely used at organizations across the globe.\r\nFigure 3 shows a heatmap of the countries with IP address and TCP port combinations matching our fingerprint for 3CX\r\nproducts.\r\nFigure 3. 
Heatmap of countries with 3CX applications.\r\nInterim Guidance\r\nAccording to 3CX’s announcement, the vendor suggests customers use the company’s PWA product instead of the desktop\r\napplication while the vendor updates the application. As of March 30, all of the C2 domain names and the GitHub repository\r\nhosting the icon files have been taken down. However, we suggest that any system running the known malicious versions of\r\n3CXDesktopApp be investigated for compromise.\r\nUnit 42 Managed Threat Hunting Queries\r\n// Description: Detect execution of 3cx application \"3CXDesktopApp.exe\"\r\nconfig case_sensitive = false\r\n| dataset = xdr_data\r\n| filter event_type = PROCESS and action_process_signature_vendor contains \"3cx\" and action_process_image_name = \"3CXDesktopApp.exe\"\r\n| fields agent_hostname, action_process_image_name, action_process_signature_vendor\r\n| dedup agent_hostname, action_process_image_name, action_process_signature_vendor\r\n// Description: Detect network connections to known c2 domains:\r\ndataset = xdr_data | filter\r\ndst_action_external_hostname\r\n~=\".*akamaicontainer.com|.*akamaitechcloudservices.com|.*azuredeploystore.com|.*azureonlinecloud.com|.*azureonlinestorage.com|.*dunamistrd.\r\nOR\r\ndns_query_name\r\n~=\".*akamaicontainer.com|.*akamaitechcloudservices.com|.*azuredeploystore.com|.*azureonlinecloud.com|.*azureonlinestorage.com|.*dunamistrd.\r\nOR\r\naction_external_hostname\r\n~=\".*akamaicontainer.com|.*akamaitechcloudservices.com|.*azuredeploystore.com|.*azureonlinecloud.com|.*azureonlinestorage.com|.*dunamistrd.\r\n| fields agent_hostname, agent_version,causality_actor_process_image_path, actor_process_image_path, action_file_path, action_file_sha256, action\r\nConclusion\r\nThe 3CXDesktopApp supply chain attack has received significant attention, as these products are widely used, with at least\r\n247,000 systems across the globe 
according to our Xpanse product. The compromised 3CXDesktopApp application was\r\nseen in the environments of 127 of our customers, and we blocked the malicious shellcode the application attempted to\r\nexecute via the XDR Agent’s In-process Shellcode Protection Module.\r\nAt this time, the malicious 3CXDesktopApp installers do not have any active C2 domains to communicate with. However,\r\nsystems that have run the known compromised 3CXDesktopApp versions or communicated with any of the C2 URLs\r\nshould be investigated for potential compromise.\r\nPalo Alto Networks Product Protections for 3CXDesktopApp Supply Chain Attack\r\nPalo Alto Networks customers can leverage a variety of product protections and updates to identify and defend against this\r\nthreat.\r\nNext-Generation Firewalls with a Threat Prevention security subscription can help block the C2 traffic with Best Practices\r\nvia Threat Prevention signature 86729.\r\nIf you think you may have been compromised or have an urgent matter, get in touch with the Unit 42 Incident Response\r\nteam or call:\r\nNorth America Toll-Free: 866.486.4842 (866.4.UNIT42)\r\nEMEA: +31.20.299.3130\r\nAPAC: +65.6983.8730\r\nJapan: +81.50.1790.0200\r\nCortex XSOAR\r\nThe 3CXDesktopApp Supply Chain Attack pack includes an automated playbook that helps collect indicators and run\r\nadvanced queries in the organization's SIEM and XDR, as well as signatures to deploy in third-party integrations. The\r\nplaybook also provides remediation for possibly compromised endpoints.\r\nCortex XDR and XSIAM\r\nIn-process Shellcode Protection Module and Behavioral Threat Protection help protect against these attacks, and they have\r\nblocked multiple attacks in the wild prior to any malicious execution. For macOS coverage, please make sure you are\r\nrunning content version 910-49625. All customers remain protected. 
\r\nIndicators of Compromise\r\nSHA256 | Description\r\n59e1edf4d82fae4978e97512b0331b7eb21dd4b838b850ba46794d9c7a2c0983 | 3CXDesktopApp-18.12.416.msi Installer\r\naa124a4b4df12b34e74ee7f6c683b2ebec4ce9a8edcf9be345823b4fdcf5d868 | 3CXDesktopApp-18.12.407.msi Installer\r\n5407cda7d3a75e7b1e030b1f33337a56f293578ffa8b3ae19c671051ed314290 | 3CXDesktopApp-18.11.1213.dmg Installer\r\ne6bbc33815b9f20b0cf832d7401dd893fbc467c800728b5891336706da0dbcec | 3CXDesktopApp-18.12.416.dmg Installer\r\n7c55c3dfa373b6b342390938029cb76ef31f609d9a07780772c6010a4297e321 | 3CXDesktopApp-18.12.416-full.nupkg Installer\r\n7986bbaee8940da11ce089383521ab420c443ab7b15ed42aed91fd31ce833896 | Malicious ffmpeg.dll\r\n11be1803e2e307b647a8a7e02d128335c448ff741bf06bf52b332e0bbf423b03 | Malicious d3dcompiler_47.dll\r\nc485674ee63ec8d4e8fde9800788175a8b02d3f9416d0e763360fff7f8eb4e02 | Malicious ffmpeg.dll\r\naa4e398b3bd8645016d8090ffc77d15f926a8e69258642191deb4e68688ff973 | Malicious DLL in d3dcompiler_47.dll\r\nfee4f9dabc094df24d83ec1a8c4e4ff573e5d9973caa676f58086c99561382d7 | Malicious libffmpeg.dylib\r\na64fa9f1c76457ecc58402142a8728ce34ccba378c17318b3340083eeb7acc67 | Malicious libffmpeg.dylib\r\nURL Description\r\nmsstorageazure[.]com/analysis C2 for macOS variant\r\nofficestoragebox[.]com/api/biosync C2 for macOS variant\r\nvisualstudiofactory[.]com/groupcore C2 for macOS variant\r\nazuredeploystore[.]com/cloud/images C2 for macOS variant\r\nmsstorageboxes[.]com/xbox C2 for macOS variant\r\nofficeaddons[.]com/quality C2 for macOS variant\r\nsourceslabs[.]com/status C2 for macOS variant\r\nzacharryblogs[.]com/xmlquery C2 for macOS variant\r\npbxcloudeservices[.]com/network C2 for macOS variant\r\npbxphonenetwork[.]com/phone C2 for macOS variant\r\nakamaitechcloudservices[.]com/v2/fileapi C2 for macOS variant\r\nazureonlinestorage[.]com/google/storage C2 for macOS variant\r\nmsedgepackageinfo[.]com/ms-webview C2 for macOS variant\r\nglcloudservice[.]com/v1/status C2 for macOS 
variant\r\npbxsources[.]com/queue C2 for macOS variant\r\nmsstorageazure[.]com/window C2 for Windows variant\r\nakamaitechcloudservices[.]com/v2/storage C2 for Windows variant\r\nazureonlinestorage[.]com/azure/storage C2 for Windows variant\r\nmsedgepackageinfo[.]com/microsoft-edge C2 for Windows variant\r\nglcloudservice[.]com/v1/console C2 for Windows variant\r\npbxsources[.]com/exchange C2 for Windows variant\r\nofficestoragebox[.]com/api/session C2 for Windows variant\r\nvisualstudiofactory[.]com/workload C2 for Windows variant\r\nazuredeploystore[.]com/cloud/services C2 for Windows variant\r\nmsstorageboxes[.]com/office C2 for Windows variant\r\nofficeaddons[.]com/technologies C2 for Windows variant\r\nsourceslabs[.]com/downloads C2 for Windows variant\r\nzacharryblogs[.]com/feed C2 for Windows variant\r\npbxcloudeservices[.]com/phonesystem C2 for Windows variant\r\nDomains\r\nmsstorageazure[.]com\r\nofficestoragebox[.]com\r\nvisualstudiofactory[.]com\r\nazuredeploystore[.]com\r\nmsstorageboxes[.]com\r\nofficeaddons[.]com\r\nsourceslabs[.]com\r\nzacharryblogs[.]com\r\npbxcloudeservices[.]com\r\npbxphonenetwork[.]com\r\nakamaitechcloudservices[.]com\r\nazureonlinestorage[.]com\r\nmsedgepackageinfo[.]com\r\nglcloudservice[.]com\r\npbxsources[.]com\r\nUpdated April 3, 2023, at 4:45 p.m. PT.\r\nSource: https://unit42.paloaltonetworks.com/3cxdesktopapp-supply-chain-attack/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MITRE"
	],
	"references": [
		"https://unit42.paloaltonetworks.com/3cxdesktopapp-supply-chain-attack/"
	],
	"report_names": [
		"3cxdesktopapp-supply-chain-attack"
	],
	"threat_actors": [
		{
			"id": "34eea331-d052-4096-ae03-a22f1d090bd4",
			"created_at": "2025-08-07T02:03:25.073494Z",
			"updated_at": "2026-04-10T02:00:03.709243Z",
			"deleted_at": null,
			"main_name": "NICKEL ACADEMY",
			"aliases": [
				"ATK3 ",
				"Black Artemis ",
				"COVELLITE ",
				"CTG-2460 ",
				"Citrine Sleet ",
				"Diamond Sleet ",
				"Guardians of Peace",
				"HIDDEN COBRA ",
				"High Anonymous",
				"Labyrinth Chollima ",
				"Lazarus Group ",
				"NNPT Group",
				"New Romanic Cyber Army Team",
				"Temp.Hermit ",
				"UNC577 ",
				"Who Am I?",
				"Whois Team",
				"ZINC "
			],
			"source_name": "Secureworks:NICKEL ACADEMY",
			"tools": [
				"Destover",
				"KorHigh",
				"Volgmer"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "a2b92056-9378-4749-926b-7e10c4500dac",
			"created_at": "2023-01-06T13:46:38.430595Z",
			"updated_at": "2026-04-10T02:00:02.971571Z",
			"deleted_at": null,
			"main_name": "Lazarus Group",
			"aliases": [
				"Operation DarkSeoul",
				"Bureau 121",
				"Group 77",
				"APT38",
				"NICKEL GLADSTONE",
				"G0082",
				"COPERNICIUM",
				"Moonstone Sleet",
				"Operation GhostSecret",
				"APT 38",
				"Appleworm",
				"Unit 121",
				"ATK3",
				"G0032",
				"ATK117",
				"NewRomanic Cyber Army Team",
				"Nickel Academy",
				"Sapphire Sleet",
				"Lazarus group",
				"Hastati Group",
				"Subgroup: Bluenoroff",
				"Operation Troy",
				"Black Artemis",
				"Dark Seoul",
				"Andariel",
				"Labyrinth Chollima",
				"Operation AppleJeus",
				"COVELLITE",
				"Citrine Sleet",
				"DEV-0139",
				"DEV-1222",
				"Hidden Cobra",
				"Bluenoroff",
				"Stardust Chollima",
				"Whois Hacking Team",
				"Diamond Sleet",
				"TA404",
				"BeagleBoyz",
				"APT-C-26"
			],
			"source_name": "MISPGALAXY:Lazarus Group",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "32a223a8-3c79-4146-87c5-8557d38662ae",
			"created_at": "2022-10-25T15:50:23.703698Z",
			"updated_at": "2026-04-10T02:00:05.261989Z",
			"deleted_at": null,
			"main_name": "Lazarus Group",
			"aliases": [
				"Lazarus Group",
				"Labyrinth Chollima",
				"HIDDEN COBRA",
				"Guardians of Peace",
				"NICKEL ACADEMY",
				"Diamond Sleet"
			],
			"source_name": "MITRE:Lazarus Group",
			"tools": [
				"RawDisk",
				"Proxysvc",
				"BADCALL",
				"FALLCHILL",
				"WannaCry",
				"MagicRAT",
				"HOPLIGHT",
				"TYPEFRAME",
				"Dtrack",
				"HotCroissant",
				"HARDRAIN",
				"Dacls",
				"KEYMARBLE",
				"TAINTEDSCRIBE",
				"AuditCred",
				"netsh",
				"ECCENTRICBANDWAGON",
				"AppleJeus",
				"BLINDINGCAN",
				"ThreatNeedle",
				"Volgmer",
				"Cryptoistic",
				"RATANKBA",
				"Bankshot"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "f32df445-9fb4-4234-99e0-3561f6498e4e",
			"created_at": "2022-10-25T16:07:23.756373Z",
			"updated_at": "2026-04-10T02:00:04.739611Z",
			"deleted_at": null,
			"main_name": "Lazarus Group",
			"aliases": [
				"APT-C-26",
				"ATK 3",
				"Appleworm",
				"Citrine Sleet",
				"DEV-0139",
				"Diamond Sleet",
				"G0032",
				"Gleaming Pisces",
				"Gods Apostles",
				"Gods Disciples",
				"Group 77",
				"Guardians of Peace",
				"Hastati Group",
				"Hidden Cobra",
				"ITG03",
				"Jade Sleet",
				"Labyrinth Chollima",
				"Lazarus Group",
				"NewRomanic Cyber Army Team",
				"Operation 99",
				"Operation AppleJeus",
				"Operation AppleJeus sequel",
				"Operation Blockbuster: Breach of Sony Pictures Entertainment",
				"Operation CryptoCore",
				"Operation Dream Job",
				"Operation Dream Magic",
				"Operation Flame",
				"Operation GhostSecret",
				"Operation In(ter)caption",
				"Operation LolZarus",
				"Operation Marstech Mayhem",
				"Operation No Pineapple!",
				"Operation North Star",
				"Operation Phantom Circuit",
				"Operation Sharpshooter",
				"Operation SyncHole",
				"Operation Ten Days of Rain / DarkSeoul",
				"Operation Troy",
				"SectorA01",
				"Slow Pisces",
				"TA404",
				"TraderTraitor",
				"UNC2970",
				"UNC4034",
				"UNC4736",
				"UNC4899",
				"UNC577",
				"Whois Hacking Team"
			],
			"source_name": "ETDA:Lazarus Group",
			"tools": [
				"3CX Backdoor",
				"3Rat Client",
				"3proxy",
				"AIRDRY",
				"ARTFULPIE",
				"ATMDtrack",
				"AlphaNC",
				"Alreay",
				"Andaratm",
				"AngryRebel",
				"AppleJeus",
				"Aryan",
				"AuditCred",
				"BADCALL",
				"BISTROMATH",
				"BLINDINGCAN",
				"BTC Changer",
				"BUFFETLINE",
				"BanSwift",
				"Bankshot",
				"Bitrep",
				"Bitsran",
				"BlindToad",
				"Bookcode",
				"BootWreck",
				"BottomLoader",
				"Brambul",
				"BravoNC",
				"Breut",
				"COLDCAT",
				"COPPERHEDGE",
				"CROWDEDFLOUNDER",
				"Castov",
				"CheeseTray",
				"CleanToad",
				"ClientTraficForwarder",
				"CollectionRAT",
				"Concealment Troy",
				"Contopee",
				"CookieTime",
				"Cyruslish",
				"DAVESHELL",
				"DBLL Dropper",
				"DLRAT",
				"DRATzarus",
				"DRATzarus RAT",
				"Dacls",
				"Dacls RAT",
				"DarkComet",
				"DarkKomet",
				"DeltaCharlie",
				"DeltaNC",
				"Dembr",
				"Destover",
				"DoublePulsar",
				"Dozer",
				"Dtrack",
				"Duuzer",
				"DyePack",
				"ECCENTRICBANDWAGON",
				"ELECTRICFISH",
				"Escad",
				"EternalBlue",
				"FALLCHILL",
				"FYNLOS",
				"FallChill RAT",
				"Farfli",
				"Fimlis",
				"FoggyBrass",
				"FudModule",
				"Fynloski",
				"Gh0st RAT",
				"Ghost RAT",
				"Gopuram",
				"HARDRAIN",
				"HIDDEN COBRA RAT/Worm",
				"HLOADER",
				"HOOKSHOT",
				"HOPLIGHT",
				"HOTCROISSANT",
				"HOTWAX",
				"HTTP Troy",
				"Hawup",
				"Hawup RAT",
				"Hermes",
				"HotCroissant",
				"HotelAlfa",
				"Hotwax",
				"HtDnDownLoader",
				"Http Dr0pper",
				"ICONICSTEALER",
				"Joanap",
				"Jokra",
				"KANDYKORN",
				"KEYMARBLE",
				"Kaos",
				"KillDisk",
				"KillMBR",
				"Koredos",
				"Krademok",
				"LIGHTSHIFT",
				"LIGHTSHOW",
				"LOLBAS",
				"LOLBins",
				"Lazarus",
				"LightlessCan",
				"Living off the Land",
				"MATA",
				"MBRkiller",
				"MagicRAT",
				"Manuscrypt",
				"Mimail",
				"Mimikatz",
				"Moudour",
				"Mydoom",
				"Mydoor",
				"Mytob",
				"NACHOCHEESE",
				"NachoCheese",
				"NestEgg",
				"NickelLoader",
				"NineRAT",
				"Novarg",
				"NukeSped",
				"OpBlockBuster",
				"PCRat",
				"PEBBLEDASH",
				"PLANKWALK",
				"POOLRAT",
				"PSLogger",
				"PhanDoor",
				"Plink",
				"PondRAT",
				"PowerBrace",
				"PowerRatankba",
				"PowerShell RAT",
				"PowerSpritz",
				"PowerTask",
				"Preft",
				"ProcDump",
				"Proxysvc",
				"PuTTY Link",
				"QUICKRIDE",
				"QUICKRIDE.POWER",
				"Quickcafe",
				"QuiteRAT",
				"R-C1",
				"ROptimizer",
				"Ratabanka",
				"RatabankaPOS",
				"Ratankba",
				"RatankbaPOS",
				"RawDisk",
				"RedShawl",
				"Rifdoor",
				"Rising Sun",
				"Romeo-CoreOne",
				"RomeoAlfa",
				"RomeoBravo",
				"RomeoCharlie",
				"RomeoCore",
				"RomeoDelta",
				"RomeoEcho",
				"RomeoFoxtrot",
				"RomeoGolf",
				"RomeoHotel",
				"RomeoMike",
				"RomeoNovember",
				"RomeoWhiskey",
				"Romeos",
				"RustBucket",
				"SHADYCAT",
				"SHARPKNOT",
				"SIGFLIP",
				"SIMPLESEA",
				"SLICKSHOES",
				"SORRYBRUTE",
				"SUDDENICON",
				"SUGARLOADER",
				"SheepRAT",
				"SierraAlfa",
				"SierraBravo",
				"SierraCharlie",
				"SierraJuliett-MikeOne",
				"SierraJuliett-MikeTwo",
				"SimpleTea",
				"SimplexTea",
				"SmallTiger",
				"Stunnel",
				"TAINTEDSCRIBE",
				"TAXHAUL",
				"TFlower",
				"TOUCHKEY",
				"TOUCHMOVE",
				"TOUCHSHIFT",
				"TOUCHSHOT",
				"TWOPENCE",
				"TYPEFRAME",
				"Tdrop",
				"Tdrop2",
				"ThreatNeedle",
				"Tiger RAT",
				"TigerRAT",
				"Trojan Manuscript",
				"Troy",
				"TroyRAT",
				"VEILEDSIGNAL",
				"VHD",
				"VHD Ransomware",
				"VIVACIOUSGIFT",
				"VSingle",
				"ValeforBeta",
				"Volgmer",
				"Vyveva",
				"W1_RAT",
				"Wana Decrypt0r",
				"WanaCry",
				"WanaCrypt",
				"WanaCrypt0r",
				"WannaCry",
				"WannaCrypt",
				"WannaCryptor",
				"WbBot",
				"Wcry",
				"Win32/KillDisk.NBB",
				"Win32/KillDisk.NBC",
				"Win32/KillDisk.NBD",
				"Win32/KillDisk.NBH",
				"Win32/KillDisk.NBI",
				"WinorDLL64",
				"Winsec",
				"WolfRAT",
				"Wormhole",
				"YamaBot",
				"Yort",
				"ZetaNile",
				"concealment_troy",
				"http_troy",
				"httpdr0pper",
				"httpdropper",
				"klovbot",
				"sRDI"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434378,
	"ts_updated_at": 1775792299,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/7b46cd0b5e151a6b1659c1692cfbd8cc63892cfb.pdf",
		"text": "https://archive.orkl.eu/7b46cd0b5e151a6b1659c1692cfbd8cc63892cfb.txt",
		"img": "https://archive.orkl.eu/7b46cd0b5e151a6b1659c1692cfbd8cc63892cfb.jpg"
	}
}