{
	"id": "5c1b8af5-d122-474e-9901-eaf2416dc580",
	"created_at": "2026-04-06T00:20:54.063016Z",
	"updated_at": "2026-04-10T03:29:44.359739Z",
	"deleted_at": null,
	"sha1_hash": "7df439c233699689a19f34e25c821b2c8bce9502",
	"title": "Blogpost/LazyScripter at main · SrujanKumar-K/Blogpost",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 455675,
	"plain_text": "Blogpost/LazyScripter at main · SrujanKumar-K/Blogpost\r\nBy SrujanKumar-K\r\nArchived: 2026-04-05 22:26:34 UTC\r\nMalicious PDF Document Analysis - LazyScripter\r\nFile-information\r\nLazyScripter is a threat group that has targeted the airline industry since at least 2018, relying mainly on open-source toolsets [1] [2]. In this campaign the actor gained initial access with a malicious PDF; the details follow.\r\nMD5: 62610680349de97db658a7d41fc9a9b8 (sample available on Any.Run)\r\nFile Type: PDF\r\nWork-flow\r\ngraph TD;\r\n PDF --\u003e Downloads_ZIP --\u003e BatchScript --\u003e Powershell --\u003e CnC;\r\nAnalysis\r\nStage1\r\nPDF properties can be listed with the \"PDFID\" tool; its output (screenshot in the original post) shows that the file carries embedded \"/URI\" entries. The URLs themselves can be extracted with \"pdf-parser\". The PDF poses as a patch installer: the embedded link downloads a password-protected ZIP, and the password is hardcoded in the PDF itself.\r\nStage2\r\nThe ZIP contains two batch scripts, \"SecurityDsp.bat\" and \"SSLCertificate.bat\", with identical contents (MD5 20e9e2e20425f5b89106f6bbace5381d).\r\nThe code is heavily obfuscated to evade AV detection (the obfuscated script is shown in the \"Encoded\" dropdown of the original post).\r\nEncoded\r\nThe obfuscation is a long series of SET variables, each holding a single character. Replacing every variable reference with its character and applying one more substitution in CyberChef yields clean, readable code; the full decoded script is in the \"Decoded\" dropdown of the original post.\r\nDecoded\r\nThe decoded payload can disable several built-in Defender protections, set persistence through registry keys and scheduled tasks, and download the next-stage payload from the following URLs:\r\n1. hxxp[://]hpsj[.]firewall-gateway[.]net:80/hpjs[.]php\r\n2. hxxp[://]hpsj[.]firewall-gateway[.]net:443/uddiexplorer\r\nFinal-Stage\r\nThe final payload downloaded from the first URL is a PowerShell script that collects host information (hostname, username, OS architecture (32/64) and version, AD domain, system IP, an admin check, the list of running processes, etc.). All of this data is encrypted with AES-CBC and sent to the C2 server.\r\nThe response from the C2 server is AES-encrypted as well; for reference, the returned value \"LquqiDE9NWlWMN6NCrXeJg==\" (taken from Any.Run) decodes to \"False\". The CyberChef recipe shown in the original post can be used to decode the commands. Because the script performs the encryption itself, the AES key and IV are embedded in it, so captured C2 traffic can be decrypted offline once they are recovered from the decoded script.\r\nBased on the decoded value, the corresponding code block is executed.\r\nThe second URL also acts as a dropper and fetches its payload with a PowerShell cmdlet. After several rounds of de-obfuscation, that final payload shows the same information-stealing behaviour described above.\r\nIOC\r\nDescription | URL/Hash\r\nPDF | 62610680349de97db658a7d41fc9a9b8\r\nZIP (Dropper) | hxxp[://]128[.]199[.]7[.]40/PATCH%20CVE00456-2022[.]zip\r\nBatch Script | 20e9e2e20425f5b89106f6bbace5381d\r\nURL_Dropper_1 | hxxp[://]hpsj[.]firewall-gateway[.]net:80/hpjs[.]php\r\nURL_Dropper_2 | hxxp[://]hpsj[.]firewall-gateway[.]net:443/uddiexplorer\r\nC2 Server | hxxp[://]hpsj[.]firewall-gateway[.]net:443/operation\r\nC2 Server | hxxp[://]hpsj[.]firewall-gateway[.]net:443/proxy\r\nC2 Server | hxxp[://]hpsj[.]firewall-gateway[.]net:443/publish\r\nC2 Server | hxxp[://]hpsj[.]firewall-gateway[.]net:443/publishing\r\nC2 Server | hxxp[://]hpsj[.]firewall-gateway[.]net:80/messages\r\nReferences\r\nFootnotes\r\n1. https://attack.mitre.org/groups/G0140/\r\n2. https://www.malwarebytes.com/resources/files/2021/02/lazyscripter.pdf\r\nSource: https://github.com/SrujanKumar-K/Blogpost/tree/main/LazyScripter",
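	"editor_added_example": "Added example (editor note for this record, not part of the original post). The post decodes the batch stage by replacing each SET variable with the character it holds. The following Python script is an added example written for this record, not code from the original post or from the SrujanKumar-K repository. It automates that substitution for any script written in this style and, going beyond the post, also resolves cmd.exe substring references of the form %var:~start,len%, which the post does not mention. The obfuscated input is a constructed sample that only imitates the style of the real SecurityDsp.bat; every variable name and command in it is an assumption for illustration.

```python
import re

# Constructed sample in the SET-variable obfuscation style the post describes.
# It is an assumption for illustration, NOT the real SecurityDsp.bat, which is
# far longer and holds one character per variable throughout.
SAMPLE_BAT = '''@echo off
set jzq=p
set ahy=o
set plk=w
set rtw=ershell
set fox=-nop -w hidden
set alpha=abcdefghijklmnopqrstuvwxyz
set kdy=Set-MpPreference -DisableRealtimeMonitoring $true
%jzq%%ahy%%plk%%rtw% %fox% -c %kdy%
%jzq%%ahy%%plk%%rtw% -c %alpha:~18,1%%alpha:~19,1%%alpha:~0,1%%alpha:~17,1%%alpha:~19,1%-Process calc
'''

# set NAME=VALUE (case-insensitive); the quoted form is handled by stripping below
SET_RE = re.compile('^[ ]*set[ ]+(.+?)[ ]*$', re.IGNORECASE)
# %name% or %name:~start% or %name:~start,len%
REF_RE = re.compile('%([A-Za-z_][A-Za-z0-9_]*)(?::~(-?[0-9]+)(?:,(-?[0-9]+))?)?%')
DQUOTE = chr(34)   # the double-quote character; strips the quoted set form


def batch_substring(value, start, length):
    # cmd.exe %var:~start,len% semantics: a negative start counts from the end,
    # a negative len drops that many characters from the end, a missing len
    # means up to the end of the value.
    n = len(value)
    if start < 0:
        start = max(n + start, 0)
    if length is None:
        return value[start:]
    if length < 0:
        return value[start:n + length]
    return value[start:start + length]


def expand(text, env, max_passes=50):
    # Replace every %name% / %name:~i,j% reference with its value, repeating
    # until nothing changes (values may themselves contain references).
    # Undefined names are left untouched so the analyst can see what is missing.
    def repl(m):
        name = m.group(1).lower()
        if name not in env:
            return m.group(0)
        if m.group(2) is None:
            return env[name]
        length = int(m.group(3)) if m.group(3) is not None else None
        return batch_substring(env[name], int(m.group(2)), length)

    for _ in range(max_passes):
        new = REF_RE.sub(repl, text)
        if new == text:
            break
        text = new
    return text


def deobfuscate_batch(script):
    # Walk the script in order: record SET assignments (expanding references at
    # definition time, as cmd.exe does for %var%) and expand every other line.
    # Returns the resolved variable table and the list of decoded command lines.
    env = {}
    decoded = []
    for line in script.splitlines():
        m = SET_RE.match(line)
        if m:
            body = m.group(1).strip(DQUOTE)
            name, _, value = body.partition('=')
            env[name.strip().lower()] = expand(value, env)
            continue
        if line.strip():
            decoded.append(expand(line, env))
    return env, decoded


if __name__ == '__main__':
    variables, commands = deobfuscate_batch(SAMPLE_BAT)
    print(f'{len(variables)} variables resolved')
    for command in commands:
        print(command)
```

Run the script directly to print the resolved commands; for the real sample, replace SAMPLE_BAT with the extracted batch file and review the expanded lines for the Defender, registry, scheduled-task and download commands the post describes. Undefined references are deliberately kept in place so a gap in the extraction stays visible instead of silently expanding to nothing as cmd.exe would do. Delayed expansion (!var!) and call-time double expansion are not handled; add them only if the sample uses them.",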
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://github.com/SrujanKumar-K/Blogpost/tree/main/LazyScripter"
	],
	"report_names": [
		"LazyScripter"
	],
	"threat_actors": [
		{
			"id": "b20281dd-8cc4-4284-b85c-f98c7e09ae48",
			"created_at": "2022-10-25T15:50:23.642844Z",
			"updated_at": "2026-04-10T02:00:05.392724Z",
			"deleted_at": null,
			"main_name": "LazyScripter",
			"aliases": [
				"LazyScripter"
			],
			"source_name": "MITRE:LazyScripter",
			"tools": [
				"Remcos",
				"QuasarRAT",
				"njRAT",
				"ngrok",
				"Koadic",
				"KOCTOPUS"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "712fc9fa-4283-431b-882c-5e0de9c12452",
			"created_at": "2022-10-25T16:07:23.770209Z",
			"updated_at": "2026-04-10T02:00:04.745132Z",
			"deleted_at": null,
			"main_name": "LazyScripter",
			"aliases": [
				"G0140"
			],
			"source_name": "ETDA:LazyScripter",
			"tools": [
				"Adwind",
				"Adwind RAT",
				"Alien Spy",
				"AlienSpy",
				"Bladabindi",
				"CinaRAT",
				"EmPyre",
				"EmpireProject",
				"Empoder",
				"Frutas",
				"Gussdoor",
				"Invoke-Ngrok",
				"JBifrost RAT",
				"JSocket",
				"Jorik",
				"KOCTOPUS",
				"Koadic",
				"Luminosity RAT",
				"LuminosityLink",
				"Nishang",
				"PowerShell Empire",
				"Quasar RAT",
				"QuasarRAT",
				"Remcos",
				"RemcosRAT",
				"Remote Manipulator System",
				"Remvio",
				"RuRAT",
				"Sockrat",
				"Socmer",
				"Trojan.Maljava",
				"UnReCoM",
				"Unknown RAT",
				"Unrecom",
				"Yggdrasil",
				"jBiFrost",
				"jConnectPro RAT",
				"jFrutas",
				"njRAT"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434854,
	"ts_updated_at": 1775791784,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/7df439c233699689a19f34e25c821b2c8bce9502.pdf",
		"text": "https://archive.orkl.eu/7df439c233699689a19f34e25c821b2c8bce9502.txt",
		"img": "https://archive.orkl.eu/7df439c233699689a19f34e25c821b2c8bce9502.jpg"
	}
}