{
	"id": "e19ae651-9016-4e35-9042-faa4b7808145",
	"created_at": "2026-04-06T00:18:39.403184Z",
	"updated_at": "2026-04-10T13:13:05.621794Z",
	"deleted_at": null,
	"sha1_hash": "7f124ced5727f5311a3ec61438ed9926556ce38e",
	"title": "Lazarus group evolves its infection chain with old and new malware",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 385874,
	"plain_text": "Lazarus group evolves its infection chain with old and new\r\nmalware\r\nBy Vasily Berdnikov\r\nPublished: 2024-12-19 · Archived: 2026-04-05 18:07:18 UTC\r\nOver the past few years, the Lazarus group has been distributing its malicious software by exploiting fake job\r\nopportunities targeting employees in various industries, including defense, aerospace, cryptocurrency, and other\r\nglobal sectors. This attack campaign is called the DeathNote campaign and is also referred to as “Operation\r\nDreamJob”. We have previously published the history of this campaign.\r\nRecently, we observed a similar attack in which the Lazarus group delivered archive files containing malicious\r\nfiles to at least two employees associated with the same nuclear-related organization over the course of one month.\r\nAfter looking into the attack, we were able to uncover a complex infection chain that included multiple types of\r\nmalware, such as a downloader, loader, and backdoor, demonstrating the group’s evolved delivery and improved\r\npersistence methods.\r\nIn this blog, we provide an overview of the significant changes in their infection chain and show how they\r\ncombined the use of new and old malware samples to tailor their attacks.\r\nNever giving up on their goals\r\nOur past research has shown that Lazarus is interested in carrying out supply chain attacks as part of the\r\nDeathNote campaign, but this is mostly limited to two methods: the first is by sending a malicious document or\r\ntrojanized PDF viewer that displays the tailored job descriptions to the target. The second is by distributing\r\ntrojanized remote access tools such as VNC or PuTTY to convince the targets to connect to a specific server for a\r\nskills assessment. Both approaches have been well documented by other security vendors, but the group continues\r\nto adapt its methodology each time.\r\nThe recently discovered case falls under the latter approach. 
However, except for the initial vector, the infection\r\nchain has completely changed. In the case we discovered, the targets each received at least three archive files\r\nallegedly related to skills assessments for IT positions at prominent aerospace and defense companies. We were\r\nable to determine that two of the instances involved a trojanized VNC utility. Lazarus delivered the first archive\r\nfile to at least two people within the same organization (we’ll call them Host A and Host B). After a month, they\r\nattempted more intensive attacks against the first target.\r\nhttps://securelist.com/lazarus-new-malware/115059/\r\nPage 1 of 8\n\nMalicious files created on the victims’ hosts\r\nAppearing with state-of-the-art weapons\r\nIn the first case, in order to go undetected, Lazarus delivered malicious compressed ISO files to its targets, since\r\nZIP archives are easily detected by many services. Although we only saw ZIP archives in other cases, we believe\r\nthe initial file was also an ISO. It is unclear exactly how the files were downloaded by the victims. However, we\r\ncan assess with medium confidence that the ISO file was downloaded using a Chromium-based browser. The first\r\nVNC-related archive contained a malicious VNC, and the second contained a legitimate UltraVNC Viewer and a\r\nmalicious DLL.\r\nMalicious AmazonVNC.exe (left) / Legitimate vncviewer.exe (right)\r\nThe first ISO image contains a ZIP file that contains two files: AmazonVNC.exe and readme.txt. The\r\nAmazonVNC.exe file is a trojanized version of TightVNC – a free and open source VNC software that allows\r\nanyone to edit the original source code. When the target executes AmazonVNC.exe, a window like the one in the\r\nimage above pops up. The IP address to enter in the ‘Remote Host’ field is stored in the readme.txt file along with\r\na password. 
It is likely that the victim was instructed to use this IP via a messenger, as Lazarus tends to pose as\r\nrecruiters and contact targets on LinkedIn, Telegram, WhatsApp, etc. Once the IP is entered, an XOR key is\r\ngenerated based on it. This key is used to decrypt internal resources of the VNC executable and unzip the\r\ndecrypted data. The unzipped data is in fact a downloader we dubbed Ranid Downloader, which is loaded into\r\nmemory by AmazonVNC.exe to execute further malicious operations.\r\nThe [Company name]_Skill_Assessment_new.zip file embeds UltraVNC’s legitimate vncviewer.exe, which is\r\nopen source VNC software like TightVNC. The ZIP file also contains the malicious file vnclang.dll, which is\r\nloaded using side-loading. Although we have not been able to obtain the malicious vnclang.dll, we classified it as\r\na loader of the MISTPEN malware described by Mandiant in a recent report, based on its communication with the\r\nC2 – namely the payloads, which use the same format as payloads on the MISTPEN server we were able to\r\nobtain. According to our telemetry, in our particular case, MISTPEN ultimately fetched an additional payload\r\nunder the name [Random ID]_media.dat from the C2 server twice. The first payload turned out to be RollMid,\r\nwhich was described in detail in an Avast report published in April 2024. The second was identified as a new\r\nLPEClient variant. MISTPEN and RollMid are both relatively new malicious programs from the Lazarus group\r\nthat were unveiled this year, but were still undocumented at the time of the actual attack.\r\nCookieTime still in use\r\nAnother piece of malware found on the infected hosts was CookieTime. We couldn’t quite figure out how the\r\nCookieTime malware was delivered to Host A, but according to our telemetry, it was executed as the SQLExplorer\r\nservice after the installation of LPEClient. 
In the early stages, CookieTime functioned by directly receiving and\r\nexecuting commands from the C2 server, but more recently it has been used to download payloads.\r\nThe actor moved laterally from Host A to Host C, where CookieTime was used to download several malware\r\nstrains, including LPEClient, Charamel Loader, ServiceChanger, and an updated version of CookiePlus, which\r\nwe’ll discuss later in this post. Charamel Loader is a loader that takes a key as a parameter and decrypts and loads\r\ninternal resources using the ChaCha20 algorithm. To date, we have identified three malware families delivered\r\nand executed by this loader: CookieTime, CookiePlus, and ForestTiger, the latter of which was seen in an attack\r\nunrelated to those discussed in the article.\r\nThe ServiceChanger malware stops a targeted legitimate service and then stores malicious files from its resource\r\nsection to disk so that when the legitimate service is restarted, it loads the created malicious DLL via DLL side-loading. In this case, the targeted service was ssh-agent and the DLL file was libcrypto.dll. Lazarus’s\r\nServiceChanger behaves differently than the similarly named malware used by Kimsuky. 
While Kimsuky registers\r\na new malicious service, Lazarus exploits an existing legitimate service for DLL side-loading.\r\nThere were several cases where CookieTime was loaded by DLL side-loading and executed as a service.\r\nInterestingly, CookieTime supports many different ways of loading, which also results in different entry points, as\r\ncan be seen below:\r\n# | Path | Legitimate file | Malicious DLL | Main function | Execution type | Host installed\r\n1 | C:\\ProgramData\\Adobe | CameraSettingsUIHost.exe | DUI70.dll | InitThread | DLL Side-Loading | A, C\r\n2 | C:\\Windows\\System32 | – | f_xnsqlexp.dll | ServiceMain | As a Service | A, C\r\n3 | %startup% | CameraSettingsUIHost.exe | DUI70.dll | InitThread | DLL Side-Loading | C\r\n4 | C:\\ProgramData\\Intel | Dxpserver.exe | dwmapi.dll | DllMain | DLL Side-Loading | C\r\nOverall malware-to-malware flowchart\r\nCookiePlus capable of downloading both DLL and shellcode\r\nCookiePlus is a new plugin-based malicious program that we discovered during the investigation on Host C. It\r\nwas initially loaded by both ServiceChanger and Charamel Loader. The difference between the CookiePlus\r\nloaded by Charamel Loader and the one loaded by ServiceChanger is the way it is executed. The former runs as a DLL alone and\r\nincludes the C2 information in its resources section, while the latter fetches what is stored in a separate external\r\nfile like msado.inc, meaning that CookiePlus has the capability to get a C2 list from both an internal resource and\r\nan external file. Otherwise, the behavior is the same.\r\nWhen we first discovered CookiePlus, it was disguised as ComparePlus, an open source Notepad++ plugin. Over\r\nthe past few years, the group has consistently impersonated similar types of plugins. 
However, the most recent\r\nCookiePlus sample, discovered in an infection case unrelated to those discussed in the article, is based on another\r\nopen source project, DirectX-Wrappers, which was developed for the purpose of wrapping DirectX and Direct3D\r\nDLLs. This suggests that the group has shifted its focus to other themes in order to evade defenses by\r\nmasquerading as public utilities.\r\nBecause CookiePlus acts as a downloader, it has limited functionality and transmits minimal information from the\r\ninfected host to the C2 server. During its initial communication with the C2, CookiePlus generates a 32-byte data\r\narray that includes an ID from its configuration file, a specific offset, and calculated step flag data (see table\r\nbelow). One notable aspect is the inclusion of a specific offset that points to the last four bytes of the configuration\r\nfile path. While this offset appears random due to ASLR, it could potentially allow the group to determine if the\r\noffset remains fixed. This could help distinguish whether the payload is being analyzed by an analyst or security\r\nproducts.\r\nOffset | Description | Value (example)\r\n0x00~0x04 | ID from config file | 0x0D625D16\r\n0x04~0x0C | Specific offset | 0x0000000180080100\r\n0x0C~0x0F | Random value | (Random)\r\n0x0F~0x10 | Calculation of step flag | 0x28 (0x10 * flag(0x2) | 0x8)\r\n0x10~0x20 | Random value | (Random)\r\nThe array is then encrypted using a hardcoded RSA public key. Next, CookiePlus encodes the RSA-encrypted data\r\nusing Base64. It is set as the cookie value in the HTTP header and passed to the C2. This cookie data is used in the\r\nfollow-up communication, possibly for authentication. CookiePlus then retrieves an additional encrypted payload\r\nreceived from the C2 along with cookie data. 
Unfortunately, during our investigation of this campaign, it was not\r\npossible to set up a connection to the C2, so the exact data returned is unknown.\r\nCookiePlus then decodes the payload using Base64. The result is a data structure containing the ChaCha20-encrypted payload, as shown below. It is possible that the entire payload is not received at once. To know when to\r\nstop requesting more data, CookiePlus looks at the flag at offset 0x07 and continues to request\r\nmore data until the value is set to 1.\r\nOffset | Description\r\n0x00~0x04 | Specific flag\r\n0x04~0x06 | Type value of the payload (PE: 0xBEF0, Shellcode: 0xBEEF)\r\n0x06~0x07 | Unknown\r\n0x07~0x08 | Flag indicating whether there is additional data to receive (0: There’s more data, 1: No more data)\r\n0x08~0x0C | Unknown\r\n0x0C~0x10 | Size of ChaCha20-encrypted payload\r\n0x10~0x1C | ChaCha20 nonce\r\n0x1C~ | ChaCha20-encrypted payload\r\nNext, the payload is decrypted using the previously generated 32-byte data array as a key and the delivered nonce.\r\nThe type of payload is determined by the flag at offset 0x04, which can be either a DLL or shellcode.\r\nIf the value of the flag is 0xBEF0, the encrypted payload is a DLL file that is loaded into memory. The payload\r\ncan also contain a parameter that is passed to the DLL when loaded.\r\nIf the value is 0xBEEF, CookiePlus checks whether the first four bytes of the payload are smaller than\r\n0x80000000. If so, the shellcode in the payload is loaded after being granted execute permission. After the\r\nshellcode is executed, the ChaCha20-encrypted result is sent to the C2. For the encryption, the same 32-byte data\r\narray is again used as the key, and a 12-byte nonce is randomly generated. 
As a result, the following structure is\r\nsent to the C2.\r\nOffset | Description\r\n0x00~0x04 | Unknown\r\n0x04~0x06 | Unknown\r\n0x06~0x07 | Unknown\r\n0x07~0x08 | Flag indicating whether there is additional data to receive (0: There’s more data, 1: No more data)\r\n0x08~0x0C | Unknown\r\n0x0C~0x10 | Size of ChaCha20-encrypted results\r\n0x10~0x1C | ChaCha20 nonce\r\n0x1C~ | ChaCha20-encrypted results\r\nThis process of continuously downloading additional payloads persists until the C2 stops responding.\r\nCookiePlus C2 communication process\r\nWe managed to obtain three different shellcodes loaded by CookiePlus. The shellcodes are actually DLLs that are\r\nconverted to shellcode using the sRDI open source shellcode generation tool. These DLLs then act as plugins. The\r\nfunctionality of each of the three plugins is as follows and the execution result of the plugin is encrypted and sent\r\nto the C2.\r\n# | Description | Original filename | Parameters\r\n1 | Collects computer name, PID, current file path, current work path | TBaseInfo.dll | None\r\n2 | Makes the main CookiePlus module sleep for the given number of minutes, but it resumes if one session state or the number of local drives changes | sleep.dll | Number\r\n3 | Writes the given number to set the execution time to the configuration file specified by the second parameter (e.g., msado.inc). The CookiePlus version with the configuration in the internal resources sleeps for the given number of minutes. | hiber.dll | Number, Config file path\r\nBased on all of the above, we assess with medium confidence that CookiePlus is the successor to MISTPEN.\r\nDespite there being no notable code overlap, there are several similarities. 
For example, both disguise themselves\r\nas Notepad++ plugins.\r\nIn addition, the CookiePlus samples were compiled and used in June 2024, while the latest MISTPEN samples we\r\nwere able to find were compiled in January and February 2024, although we suspect that MISTPEN was also used\r\nin the discussed campaign. MISTPEN also used similar plugins such as TBaseInfo.dll and hiber.dll just like\r\nCookiePlus. The fact that CookiePlus is more complete than MISTPEN and supports more execution options also\r\nsupports our claim.\r\nInfrastructure\r\nThe Lazarus group used compromised web servers running WordPress as C2s for the majority of this campaign.\r\nSamples such as MISTPEN, LPEClient, CookiePlus and RollMid used such servers as their C2. For CookieTime,\r\nhowever, only one of the C2 servers we identified ran a website based on WordPress. Additionally, all the C2\r\nservers seen in this campaign run PHP-based web services not bound to a specific country.\r\nConclusion\r\nThroughout its history, the Lazarus group has used only a small number of modular malware frameworks such as\r\nMata and Gopuram Loader. Introducing this type of malware is an unusual strategy for them. The fact that they do\r\nintroduce new modular malware, such as CookiePlus, suggests that the group is constantly working to improve\r\ntheir arsenal and infection chains to evade detection by security products.\r\nThe problem for defenders is that CookiePlus can behave just like a downloader. This makes it difficult to\r\ninvestigate whether CookiePlus downloaded just a small plugin or the next meaningful payload. 
From our\r\nanalysis, it appears to be still under active development, meaning Lazarus may add more plugins in the future.\r\nIndicators of compromise\r\nTrojanized VNC utility\r\nRanid Downloader\r\nCookieTime\r\nCharamel Loader\r\nServiceChanger\r\nCookiePlus Loader\r\nCookiePlus\r\nCookiePlus plugins\r\nMISTPEN\r\nSource: https://securelist.com/lazarus-new-malware/115059/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia",
		"ETDA"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://securelist.com/lazarus-new-malware/115059/"
	],
	"report_names": [
		"115059"
	],
	"threat_actors": [
		{
			"id": "34eea331-d052-4096-ae03-a22f1d090bd4",
			"created_at": "2025-08-07T02:03:25.073494Z",
			"updated_at": "2026-04-10T02:00:03.709243Z",
			"deleted_at": null,
			"main_name": "NICKEL ACADEMY",
			"aliases": [
				"ATK3 ",
				"Black Artemis ",
				"COVELLITE ",
				"CTG-2460 ",
				"Citrine Sleet ",
				"Diamond Sleet ",
				"Guardians of Peace",
				"HIDDEN COBRA ",
				"High Anonymous",
				"Labyrinth Chollima ",
				"Lazarus Group ",
				"NNPT Group",
				"New Romanic Cyber Army Team",
				"Temp.Hermit ",
				"UNC577 ",
				"Who Am I?",
				"Whois Team",
				"ZINC "
			],
			"source_name": "Secureworks:NICKEL ACADEMY",
			"tools": [
				"Destover",
				"KorHigh",
				"Volgmer"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "9f101d9c-05ea-48b9-b6f1-168cd6d06d12",
			"created_at": "2023-01-06T13:46:39.396409Z",
			"updated_at": "2026-04-10T02:00:03.312816Z",
			"deleted_at": null,
			"main_name": "Earth Lusca",
			"aliases": [
				"CHROMIUM",
				"ControlX",
				"TAG-22",
				"BRONZE UNIVERSITY",
				"AQUATIC PANDA",
				"RedHotel",
				"Charcoal Typhoon",
				"Red Scylla",
				"Red Dev 10",
				"BountyGlad"
			],
			"source_name": "MISPGALAXY:Earth Lusca",
			"tools": [
				"RouterGod",
				"SprySOCKS",
				"ShadowPad",
				"POISONPLUG",
				"Barlaiy",
				"Spyder",
				"FunnySwitch"
			],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "191d7f9a-8c3c-442a-9f13-debe259d4cc2",
			"created_at": "2022-10-25T15:50:23.280374Z",
			"updated_at": "2026-04-10T02:00:05.305572Z",
			"deleted_at": null,
			"main_name": "Kimsuky",
			"aliases": [
				"Kimsuky",
				"Black Banshee",
				"Velvet Chollima",
				"Emerald Sleet",
				"THALLIUM",
				"APT43",
				"TA427",
				"Springtail"
			],
			"source_name": "MITRE:Kimsuky",
			"tools": [
				"Troll Stealer",
				"schtasks",
				"Amadey",
				"GoBear",
				"Brave Prince",
				"CSPY Downloader",
				"gh0st RAT",
				"AppleSeed",
				"Gomir",
				"NOKKI",
				"QuasarRAT",
				"Gold Dragon",
				"PsExec",
				"KGH_SPY",
				"Mimikatz",
				"BabyShark",
				"TRANSLATEXT"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "760f2827-1718-4eed-8234-4027c1346145",
			"created_at": "2023-01-06T13:46:38.670947Z",
			"updated_at": "2026-04-10T02:00:03.062424Z",
			"deleted_at": null,
			"main_name": "Kimsuky",
			"aliases": [
				"G0086",
				"Emerald Sleet",
				"THALLIUM",
				"Springtail",
				"Sparkling Pisces",
				"Thallium",
				"Operation Stolen Pencil",
				"APT43",
				"Velvet Chollima",
				"Black Banshee"
			],
			"source_name": "MISPGALAXY:Kimsuky",
			"tools": [
				"xrat",
				"QUASARRAT",
				"RDP Wrapper",
				"TightVNC",
				"BabyShark",
				"RevClient"
			],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "732597b1-40a8-474c-88cc-eb8a421c29f1",
			"created_at": "2025-08-07T02:03:25.087732Z",
			"updated_at": "2026-04-10T02:00:03.776007Z",
			"deleted_at": null,
			"main_name": "NICKEL GLADSTONE",
			"aliases": [
				"APT38 ",
				"ATK 117 ",
				"Alluring Pisces ",
				"Black Alicanto ",
				"Bluenoroff ",
				"CTG-6459 ",
				"Citrine Sleet ",
				"HIDDEN COBRA ",
				"Lazarus Group",
				"Sapphire Sleet ",
				"Selective Pisces ",
				"Stardust Chollima ",
				"T-APT-15 ",
				"TA444 ",
				"TAG-71 "
			],
			"source_name": "Secureworks:NICKEL GLADSTONE",
			"tools": [
				"AlphaNC",
				"Bankshot",
				"CCGC_Proxy",
				"Ratankba",
				"RustBucket",
				"SUGARLOADER",
				"SwiftLoader",
				"Wcry"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "c8bf82a7-6887-4d46-ad70-4498b67d4c1d",
			"created_at": "2025-08-07T02:03:25.101147Z",
			"updated_at": "2026-04-10T02:00:03.846812Z",
			"deleted_at": null,
			"main_name": "NICKEL KIMBALL",
			"aliases": [
				"APT43 ",
				"ARCHIPELAGO ",
				"Black Banshee ",
				"Crooked Pisces ",
				"Emerald Sleet ",
				"ITG16 ",
				"Kimsuky ",
				"Larva-24005 ",
				"Opal Sleet ",
				"Ruby Sleet ",
				"SharpTongue ",
				"Sparking Pisces ",
				"Springtail ",
				"TA406 ",
				"TA427 ",
				"THALLIUM ",
				"UAT-5394 ",
				"Velvet Chollima "
			],
			"source_name": "Secureworks:NICKEL KIMBALL",
			"tools": [
				"BabyShark",
				"FastFire",
				"FastSpy",
				"FireViewer",
				"Konni"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "a2b92056-9378-4749-926b-7e10c4500dac",
			"created_at": "2023-01-06T13:46:38.430595Z",
			"updated_at": "2026-04-10T02:00:02.971571Z",
			"deleted_at": null,
			"main_name": "Lazarus Group",
			"aliases": [
				"Operation DarkSeoul",
				"Bureau 121",
				"Group 77",
				"APT38",
				"NICKEL GLADSTONE",
				"G0082",
				"COPERNICIUM",
				"Moonstone Sleet",
				"Operation GhostSecret",
				"APT 38",
				"Appleworm",
				"Unit 121",
				"ATK3",
				"G0032",
				"ATK117",
				"NewRomanic Cyber Army Team",
				"Nickel Academy",
				"Sapphire Sleet",
				"Lazarus group",
				"Hastati Group",
				"Subgroup: Bluenoroff",
				"Operation Troy",
				"Black Artemis",
				"Dark Seoul",
				"Andariel",
				"Labyrinth Chollima",
				"Operation AppleJeus",
				"COVELLITE",
				"Citrine Sleet",
				"DEV-0139",
				"DEV-1222",
				"Hidden Cobra",
				"Bluenoroff",
				"Stardust Chollima",
				"Whois Hacking Team",
				"Diamond Sleet",
				"TA404",
				"BeagleBoyz",
				"APT-C-26"
			],
			"source_name": "MISPGALAXY:Lazarus Group",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "18a7b52d-a1cd-43a3-8982-7324e3e676b7",
			"created_at": "2025-08-07T02:03:24.688416Z",
			"updated_at": "2026-04-10T02:00:03.734754Z",
			"deleted_at": null,
			"main_name": "BRONZE UNIVERSITY",
			"aliases": [
				"Aquatic Panda",
				"Aquatic Panda ",
				"CHROMIUM",
				"CHROMIUM ",
				"Charcoal Typhoon",
				"Charcoal Typhoon ",
				"Earth Lusca",
				"Earth Lusca ",
				"FISHMONGER ",
				"Red Dev 10",
				"Red Dev 10 ",
				"Red Scylla",
				"Red Scylla ",
				"RedHotel",
				"RedHotel ",
				"Tag-22",
				"Tag-22 "
			],
			"source_name": "Secureworks:BRONZE UNIVERSITY",
			"tools": [
				"Cobalt Strike",
				"Fishmaster",
				"FunnySwitch",
				"Spyder",
				"njRAT"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "32a223a8-3c79-4146-87c5-8557d38662ae",
			"created_at": "2022-10-25T15:50:23.703698Z",
			"updated_at": "2026-04-10T02:00:05.261989Z",
			"deleted_at": null,
			"main_name": "Lazarus Group",
			"aliases": [
				"Lazarus Group",
				"Labyrinth Chollima",
				"HIDDEN COBRA",
				"Guardians of Peace",
				"NICKEL ACADEMY",
				"Diamond Sleet"
			],
			"source_name": "MITRE:Lazarus Group",
			"tools": [
				"RawDisk",
				"Proxysvc",
				"BADCALL",
				"FALLCHILL",
				"WannaCry",
				"MagicRAT",
				"HOPLIGHT",
				"TYPEFRAME",
				"Dtrack",
				"HotCroissant",
				"HARDRAIN",
				"Dacls",
				"KEYMARBLE",
				"TAINTEDSCRIBE",
				"AuditCred",
				"netsh",
				"ECCENTRICBANDWAGON",
				"AppleJeus",
				"BLINDINGCAN",
				"ThreatNeedle",
				"Volgmer",
				"Cryptoistic",
				"RATANKBA",
				"Bankshot"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "6abcc917-035c-4e9b-a53f-eaee636749c3",
			"created_at": "2022-10-25T16:07:23.565337Z",
			"updated_at": "2026-04-10T02:00:04.668393Z",
			"deleted_at": null,
			"main_name": "Earth Lusca",
			"aliases": [
				"Bronze University",
				"Charcoal Typhoon",
				"Chromium",
				"G1006",
				"Red Dev 10",
				"Red Scylla"
			],
			"source_name": "ETDA:Earth Lusca",
			"tools": [
				"Agentemis",
				"AntSword",
				"BIOPASS",
				"BIOPASS RAT",
				"BadPotato",
				"Behinder",
				"BleDoor",
				"Cobalt Strike",
				"CobaltStrike",
				"Doraemon",
				"FRP",
				"Fast Reverse Proxy",
				"FunnySwitch",
				"HUC Port Banner Scanner",
				"KTLVdoor",
				"Mimikatz",
				"NBTscan",
				"POISONPLUG.SHADOW",
				"PipeMon",
				"RbDoor",
				"RibDoor",
				"RouterGod",
				"SAMRID",
				"ShadowPad Winnti",
				"SprySOCKS",
				"WinRAR",
				"Winnti",
				"XShellGhost",
				"cobeacon",
				"fscan",
				"lcx",
				"nbtscan"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "d53593c3-2819-4af3-bf16-0c39edc64920",
			"created_at": "2022-10-27T08:27:13.212301Z",
			"updated_at": "2026-04-10T02:00:05.272802Z",
			"deleted_at": null,
			"main_name": "Earth Lusca",
			"aliases": [
				"Earth Lusca",
				"TAG-22",
				"Charcoal Typhoon",
				"CHROMIUM",
				"ControlX"
			],
			"source_name": "MITRE:Earth Lusca",
			"tools": [
				"Mimikatz",
				"PowerSploit",
				"Tasklist",
				"certutil",
				"Cobalt Strike",
				"Winnti for Linux",
				"Nltest",
				"NBTscan",
				"ShadowPad"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "71a1e16c-3ba6-4193-be62-be53527817bc",
			"created_at": "2022-10-25T16:07:23.753455Z",
			"updated_at": "2026-04-10T02:00:04.73769Z",
			"deleted_at": null,
			"main_name": "Kimsuky",
			"aliases": [
				"APT 43",
				"Black Banshee",
				"Emerald Sleet",
				"G0086",
				"G0094",
				"ITG16",
				"KTA082",
				"Kimsuky",
				"Larva-24005",
				"Larva-25004",
				"Operation Baby Coin",
				"Operation Covert Stalker",
				"Operation DEEP#DRIVE",
				"Operation DEEP#GOSU",
				"Operation Kabar Cobra",
				"Operation Mystery Baby",
				"Operation Red Salt",
				"Operation Smoke Screen",
				"Operation Stealth Power",
				"Operation Stolen Pencil",
				"SharpTongue",
				"Sparkling Pisces",
				"Springtail",
				"TA406",
				"TA427",
				"Thallium",
				"UAT-5394",
				"Velvet Chollima"
			],
			"source_name": "ETDA:Kimsuky",
			"tools": [
				"AngryRebel",
				"AppleSeed",
				"BITTERSWEET",
				"BabyShark",
				"BoBoStealer",
				"CSPY Downloader",
				"Farfli",
				"FlowerPower",
				"Gh0st RAT",
				"Ghost RAT",
				"Gold Dragon",
				"GoldDragon",
				"GoldStamp",
				"JamBog",
				"KGH Spyware Suite",
				"KGH_SPY",
				"KPortScan",
				"KimJongRAT",
				"Kimsuky",
				"LATEOP",
				"LOLBAS",
				"LOLBins",
				"Living off the Land",
				"Lovexxx",
				"MailPassView",
				"Mechanical",
				"Mimikatz",
				"MoonPeak",
				"Moudour",
				"MyDogs",
				"Mydoor",
				"Network Password Recovery",
				"PCRat",
				"ProcDump",
				"PsExec",
				"ReconShark",
				"Remote Desktop PassView",
				"SHARPEXT",
				"SWEETDROP",
				"SmallTiger",
				"SniffPass",
				"TODDLERSHARK",
				"TRANSLATEXT",
				"Troll Stealer",
				"TrollAgent",
				"VENOMBITE",
				"WebBrowserPassView",
				"xRAT"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "f32df445-9fb4-4234-99e0-3561f6498e4e",
			"created_at": "2022-10-25T16:07:23.756373Z",
			"updated_at": "2026-04-10T02:00:04.739611Z",
			"deleted_at": null,
			"main_name": "Lazarus Group",
			"aliases": [
				"APT-C-26",
				"ATK 3",
				"Appleworm",
				"Citrine Sleet",
				"DEV-0139",
				"Diamond Sleet",
				"G0032",
				"Gleaming Pisces",
				"Gods Apostles",
				"Gods Disciples",
				"Group 77",
				"Guardians of Peace",
				"Hastati Group",
				"Hidden Cobra",
				"ITG03",
				"Jade Sleet",
				"Labyrinth Chollima",
				"Lazarus Group",
				"NewRomanic Cyber Army Team",
				"Operation 99",
				"Operation AppleJeus",
				"Operation AppleJeus sequel",
				"Operation Blockbuster: Breach of Sony Pictures Entertainment",
				"Operation CryptoCore",
				"Operation Dream Job",
				"Operation Dream Magic",
				"Operation Flame",
				"Operation GhostSecret",
				"Operation In(ter)caption",
				"Operation LolZarus",
				"Operation Marstech Mayhem",
				"Operation No Pineapple!",
				"Operation North Star",
				"Operation Phantom Circuit",
				"Operation Sharpshooter",
				"Operation SyncHole",
				"Operation Ten Days of Rain / DarkSeoul",
				"Operation Troy",
				"SectorA01",
				"Slow Pisces",
				"TA404",
				"TraderTraitor",
				"UNC2970",
				"UNC4034",
				"UNC4736",
				"UNC4899",
				"UNC577",
				"Whois Hacking Team"
			],
			"source_name": "ETDA:Lazarus Group",
			"tools": [
				"3CX Backdoor",
				"3Rat Client",
				"3proxy",
				"AIRDRY",
				"ARTFULPIE",
				"ATMDtrack",
				"AlphaNC",
				"Alreay",
				"Andaratm",
				"AngryRebel",
				"AppleJeus",
				"Aryan",
				"AuditCred",
				"BADCALL",
				"BISTROMATH",
				"BLINDINGCAN",
				"BTC Changer",
				"BUFFETLINE",
				"BanSwift",
				"Bankshot",
				"Bitrep",
				"Bitsran",
				"BlindToad",
				"Bookcode",
				"BootWreck",
				"BottomLoader",
				"Brambul",
				"BravoNC",
				"Breut",
				"COLDCAT",
				"COPPERHEDGE",
				"CROWDEDFLOUNDER",
				"Castov",
				"CheeseTray",
				"CleanToad",
				"ClientTraficForwarder",
				"CollectionRAT",
				"Concealment Troy",
				"Contopee",
				"CookieTime",
				"Cyruslish",
				"DAVESHELL",
				"DBLL Dropper",
				"DLRAT",
				"DRATzarus",
				"DRATzarus RAT",
				"Dacls",
				"Dacls RAT",
				"DarkComet",
				"DarkKomet",
				"DeltaCharlie",
				"DeltaNC",
				"Dembr",
				"Destover",
				"DoublePulsar",
				"Dozer",
				"Dtrack",
				"Duuzer",
				"DyePack",
				"ECCENTRICBANDWAGON",
				"ELECTRICFISH",
				"Escad",
				"EternalBlue",
				"FALLCHILL",
				"FYNLOS",
				"FallChill RAT",
				"Farfli",
				"Fimlis",
				"FoggyBrass",
				"FudModule",
				"Fynloski",
				"Gh0st RAT",
				"Ghost RAT",
				"Gopuram",
				"HARDRAIN",
				"HIDDEN COBRA RAT/Worm",
				"HLOADER",
				"HOOKSHOT",
				"HOPLIGHT",
				"HOTCROISSANT",
				"HOTWAX",
				"HTTP Troy",
				"Hawup",
				"Hawup RAT",
				"Hermes",
				"HotCroissant",
				"HotelAlfa",
				"Hotwax",
				"HtDnDownLoader",
				"Http Dr0pper",
				"ICONICSTEALER",
				"Joanap",
				"Jokra",
				"KANDYKORN",
				"KEYMARBLE",
				"Kaos",
				"KillDisk",
				"KillMBR",
				"Koredos",
				"Krademok",
				"LIGHTSHIFT",
				"LIGHTSHOW",
				"LOLBAS",
				"LOLBins",
				"Lazarus",
				"LightlessCan",
				"Living off the Land",
				"MATA",
				"MBRkiller",
				"MagicRAT",
				"Manuscrypt",
				"Mimail",
				"Mimikatz",
				"Moudour",
				"Mydoom",
				"Mydoor",
				"Mytob",
				"NACHOCHEESE",
				"NachoCheese",
				"NestEgg",
				"NickelLoader",
				"NineRAT",
				"Novarg",
				"NukeSped",
				"OpBlockBuster",
				"PCRat",
				"PEBBLEDASH",
				"PLANKWALK",
				"POOLRAT",
				"PSLogger",
				"PhanDoor",
				"Plink",
				"PondRAT",
				"PowerBrace",
				"PowerRatankba",
				"PowerShell RAT",
				"PowerSpritz",
				"PowerTask",
				"Preft",
				"ProcDump",
				"Proxysvc",
				"PuTTY Link",
				"QUICKRIDE",
				"QUICKRIDE.POWER",
				"Quickcafe",
				"QuiteRAT",
				"R-C1",
				"ROptimizer",
				"Ratabanka",
				"RatabankaPOS",
				"Ratankba",
				"RatankbaPOS",
				"RawDisk",
				"RedShawl",
				"Rifdoor",
				"Rising Sun",
				"Romeo-CoreOne",
				"RomeoAlfa",
				"RomeoBravo",
				"RomeoCharlie",
				"RomeoCore",
				"RomeoDelta",
				"RomeoEcho",
				"RomeoFoxtrot",
				"RomeoGolf",
				"RomeoHotel",
				"RomeoMike",
				"RomeoNovember",
				"RomeoWhiskey",
				"Romeos",
				"RustBucket",
				"SHADYCAT",
				"SHARPKNOT",
				"SIGFLIP",
				"SIMPLESEA",
				"SLICKSHOES",
				"SORRYBRUTE",
				"SUDDENICON",
				"SUGARLOADER",
				"SheepRAT",
				"SierraAlfa",
				"SierraBravo",
				"SierraCharlie",
				"SierraJuliett-MikeOne",
				"SierraJuliett-MikeTwo",
				"SimpleTea",
				"SimplexTea",
				"SmallTiger",
				"Stunnel",
				"TAINTEDSCRIBE",
				"TAXHAUL",
				"TFlower",
				"TOUCHKEY",
				"TOUCHMOVE",
				"TOUCHSHIFT",
				"TOUCHSHOT",
				"TWOPENCE",
				"TYPEFRAME",
				"Tdrop",
				"Tdrop2",
				"ThreatNeedle",
				"Tiger RAT",
				"TigerRAT",
				"Trojan Manuscript",
				"Troy",
				"TroyRAT",
				"VEILEDSIGNAL",
				"VHD",
				"VHD Ransomware",
				"VIVACIOUSGIFT",
				"VSingle",
				"ValeforBeta",
				"Volgmer",
				"Vyveva",
				"W1_RAT",
				"Wana Decrypt0r",
				"WanaCry",
				"WanaCrypt",
				"WanaCrypt0r",
				"WannaCry",
				"WannaCrypt",
				"WannaCryptor",
				"WbBot",
				"Wcry",
				"Win32/KillDisk.NBB",
				"Win32/KillDisk.NBC",
				"Win32/KillDisk.NBD",
				"Win32/KillDisk.NBH",
				"Win32/KillDisk.NBI",
				"WinorDLL64",
				"Winsec",
				"WolfRAT",
				"Wormhole",
				"YamaBot",
				"Yort",
				"ZetaNile",
				"concealment_troy",
				"http_troy",
				"httpdr0pper",
				"httpdropper",
				"klovbot",
				"sRDI"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434719,
	"ts_updated_at": 1775826785,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/7f124ced5727f5311a3ec61438ed9926556ce38e.pdf",
		"text": "https://archive.orkl.eu/7f124ced5727f5311a3ec61438ed9926556ce38e.txt",
		"img": "https://archive.orkl.eu/7f124ced5727f5311a3ec61438ed9926556ce38e.jpg"
	}
}