{
	"id": "171b3020-6fa4-4344-b016-717164fc1836",
	"created_at": "2026-04-06T00:22:17.364753Z",
	"updated_at": "2026-04-10T13:13:07.732143Z",
	"deleted_at": null,
	"sha1_hash": "7f45e54add6bd4761b59949cc86197d5f0957707",
	"title": "The BLINDINGCAN RAT and Malicious North Korean Activity",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1683106,
	"plain_text": "The BLINDINGCAN RAT and Malicious North Korean Activity\r\nBy Jim Walter\r\nPublished: 2020-08-31 · Archived: 2026-04-02 12:08:46 UTC\r\nThere has been a great deal of coverage lately around malicious activities attributed to North Korea (and/or adjacent entities). Most recently, this has culminated in the release of MAR (Malware Analysis Report) AR20-232A, which covers activities associated with the BLINDINGCAN RAT. This tool is the latest in a very long line of tools which allow attackers to maintain access to target environments as well as establish ongoing control of infected hosts. In this post, we give an overview of this campaign in the context of other related campaigns, describing its infection vector, execution and high-level behavior.\r\nInfection Vector\r\nAs we know, email phishing attacks are still the dominant method of delivering malware when it comes to these types of attacks. The BLINDINGCAN campaigns are no different, but their phishing lure comes with an interesting twist: malicious documents utilized in the campaign masquerade as job offers and postings from high-value defense contractors such as Boeing.\r\nThis isn’t the first time such a lure has been used. Sophisticated attackers have sought to mimic entities in the defense, military, and government space in the past. This is especially true, historically, with campaigns tied to North Korea. Even early on in 2020, Operation North Star followed a very similar modus operandi, and by some accounts these campaigns may be related.\r\nhttps://www.sentinelone.com/blog/the-blindingcan-rat-and-malicious-north-korean-activity/\r\nPage 1 of 6\n\nCISA maintains a running repository of North Korean / Hidden Cobra related advisories and details. Their alerts cover campaigns from 2017 to present, including (but not limited to):\r\nWannaCry – Massively destructive “ransomware” with SMB spreading capabilities.\r\nDelta Charlie – Backdoor and Denial-of-Service tool set\r\nVolgmer – Backdoor\r\nFALLCHILL – Full-function RAT\r\nBANKSHOT – RAT and proxy/tunneling tool set\r\nHARDRAIN – RAT and proxy tool set w/ Android support\r\nSHARPKNOT – MBR Wiper\r\nTYPEFRAME – RAT and proxy/tunneling tool set\r\nKEYMARBLE – Full-function RAT\r\nFASTCash – RAT and proxy/tunneling tool set (Financial attacks)\r\nBADCALL – RAT and proxy tool set w/ Android support\r\nELECTRICFISH – proxy/tunneling tool set\r\nHOPLIGHT – proxy/tunneling tool set with pseudo-SSL spoofing\r\nARTFULPIE – Downloader and launcher tool set\r\nCROWDEDFLOUNDER – Full-function RAT\r\nTAINTEDSCRIBE – Downloader and launcher with LFSR (Linear Feedback Shift Register) support\r\nCOPPERHEDGE – Full-function RAT, cryptocurrency and crypto-exchange focused.\r\nIn short, the DPRK has a long history of these types of campaigns and it does not appear to be letting up in frequency or aggressiveness. Moreover, North Korea is no stranger to playing the ‘long game’. Reflecting back on earlier attacks from the region (e.g., Operation Troy, Ten Days of Rain, Dark Seoul, and the Sony attack) we see similar tactics and aggressiveness.\r\nThe BLINDINGCAN campaign has been specifically focused on defense and aerospace targets, primarily based in Europe and the United States. According to AR20-232A: “The FBI has high confidence that HIDDEN COBRA actors are using malware variants in conjunction with proxy servers” along with “compromised infrastructure from multiple countries to host its command and control (C2) infrastructure”.\r\nThe objective of these attacks is to gain intelligence and to understand the key technologies that fall under the umbrella of the targeted entity, as well as those adjacent to them (contractors, partners, etc.).\r\nBLINDINGCAN RAT: Execution and Behavior\r\nThe malicious documents themselves, upon launch, attempt to exploit CVE-2017-0199. This flaw allows remote code execution via a maliciously crafted document. More specifically, CVE-2017-0199 stems from the way Office handles OLE2 link objects embedded in RTF documents: the object link points at an attacker-controlled URL, Word fetches it when the document is opened, and when the response is served as an HTA (HTML Application) it is handed to mshta.exe and executed. No macro is required; the document only has to be opened outside Protected View.\r\nThis vulnerability is a common vector of attack for malicious actors, and despite the flaw being patched long ago (Microsoft shipped the fix in April 2017), attackers bet on the fact (often successfully) that at least some of their targets will still be exposed to the flaw, allowing them to achieve their foothold.\r\nYou can see this behavior immediately upon launching one of the malicious documents.\r\nThe samples we analyzed reach out to a remote server (C2) for additional components. Once established, a keylogging and clipboard monitoring component is dropped, and additional information is extracted from the targeted hosts. WMI commands are utilized to glean basic system details:\r\nstart iwbemservices::execquery - select * from win32_computersystemproduct\r\nThe RAT component (e.g., 58027c80c6502327863ddca28c31d352e5707f5903340b9e6ccc0997fcb9631d) can be found in both 32- and 64-bit varieties. The executable payloads employ multiple levels of obfuscation. Configuration data for the RAT is embedded in the payloads and is both encrypted and encoded: the embedded configuration artifacts are AES-encrypted with a hard-coded key, and after decryption the resulting data is further decoded via XOR. Strings in the malware are RC4-encrypted.\r\nThe RAT module will initially pull basic system data. The aforementioned WMI command is part of this system reconnaissance process. In this stage, the malware will pull local network data, system name, OS version details, processor/platform details and MAC address details, and then push this data to the C2.\r\nThe core RAT feature set boils down to the following:\r\nGather and transmit a defined set of system features\r\nCreate, terminate and manipulate processes\r\nCreate, terminate and manipulate files\r\nSelf-updating / self-deletion (cleaning of malicious code from the system when necessary)\r\nConclusion\r\nWhile the malware and implants discussed here are specific to operations attributed to North Korea, the delivery and weaponization stages are common to most other APT groups and non-nation-state backed campaigns.\r\nThe key takeaways here are 1) it is important to keep abreast of the evolution of malicious attacks generated from this region, but also 2) we can apply what we have learned from other past attacks to improve our posture and reduce overall exposure, along with the potential negative repercussions of suffering from such an attack.\r\nPrevention, as always, is key. The SentinelOne Singularity Platform is fully capable of detecting and preventing malicious activity associated with HIDDEN COBRA and BLINDINGCAN.\r\nIndicators of Compromise\r\nSHA256\r\n6a3446b8a47f0ab4f536015218b22653fff8b18c595fbc5b0c09d857eba7c7a1\r\n8b53b519623b56ab746fdaf14d3eb402e6fa515cde2113a07f5a3b4050e98050\r\n58027c80c6502327863ddca28c31d352e5707f5903340b9e6ccc0997fcb9631d\r\n7933716892e0d6053057f5f2df0ccadf5b06dc739fea79ee533dd0cec98ca971\r\nSHA1\r\n0ecc687d741c7b009c648ef0de0a5d47213f37ff\r\n3f6ef29b86bf1687013ae7638f66502bcf883bfd\r\n9feef1eed2a8a5cbfe1c6478f2740d8fe63305e2\r\nc70edfaf2c33647d531f7df76cd4e5bb4e79ea2e\r\nDomains\r\nagarwalpropertyconsultants[.]com\r\ncuriofirenze[.]com\r\nautomercado.co[.]cr\r\nMITRE ATT\u0026CK\r\nPhishing: Spearphishing Attachment [T1566]\r\nCommand and Scripting Interpreter: PowerShell [T1059]\r\nExploitation for Client Execution [T1203]\r\nBoot or Logon Autostart Execution: Registry Run Keys / Startup Folder [T1547]\r\nProcess Injection [T1055]\r\nDeobfuscate/Decode Files or Information [T1140]\r\nSystem Time Discovery [T1124]\r\nAccount Discovery [T1087]\r\nQuery Registry [T1012]\r\nProcess Discovery [T1424]\r\nSystem Owner/User Discovery [T1033]\r\nAutomated Collection [T1119]\r\nData from Local System [T1533]\r\nRemote File Copy [T1544]\r\nAutomated Exfiltration [T1020]\r\nExfiltration Over C2 Channel [T1041]\r\nSource: https://www.sentinelone.com/blog/the-blindingcan-rat-and-malicious-north-korean-activity/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia",
		"ETDA"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://www.sentinelone.com/blog/the-blindingcan-rat-and-malicious-north-korean-activity/"
	],
	"report_names": [
		"the-blindingcan-rat-and-malicious-north-korean-activity"
	],
	"threat_actors": [
		{
			"id": "34eea331-d052-4096-ae03-a22f1d090bd4",
			"created_at": "2025-08-07T02:03:25.073494Z",
			"updated_at": "2026-04-10T02:00:03.709243Z",
			"deleted_at": null,
			"main_name": "NICKEL ACADEMY",
			"aliases": [
				"ATK3 ",
				"Black Artemis ",
				"COVELLITE ",
				"CTG-2460 ",
				"Citrine Sleet ",
				"Diamond Sleet ",
				"Guardians of Peace",
				"HIDDEN COBRA ",
				"High Anonymous",
				"Labyrinth Chollima ",
				"Lazarus Group ",
				"NNPT Group",
				"New Romanic Cyber Army Team",
				"Temp.Hermit ",
				"UNC577 ",
				"Who Am I?",
				"Whois Team",
				"ZINC "
			],
			"source_name": "Secureworks:NICKEL ACADEMY",
			"tools": [
				"Destover",
				"KorHigh",
				"Volgmer"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "679e335a-38a4-4db9-8fdf-a48c17a1f5e6",
			"created_at": "2023-01-06T13:46:38.820429Z",
			"updated_at": "2026-04-10T02:00:03.112131Z",
			"deleted_at": null,
			"main_name": "FASTCash",
			"aliases": [],
			"source_name": "MISPGALAXY:FASTCash",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "732597b1-40a8-474c-88cc-eb8a421c29f1",
			"created_at": "2025-08-07T02:03:25.087732Z",
			"updated_at": "2026-04-10T02:00:03.776007Z",
			"deleted_at": null,
			"main_name": "NICKEL GLADSTONE",
			"aliases": [
				"APT38 ",
				"ATK 117 ",
				"Alluring Pisces ",
				"Black Alicanto ",
				"Bluenoroff ",
				"CTG-6459 ",
				"Citrine Sleet ",
				"HIDDEN COBRA ",
				"Lazarus Group",
				"Sapphire Sleet ",
				"Selective Pisces ",
				"Stardust Chollima ",
				"T-APT-15 ",
				"TA444 ",
				"TAG-71 "
			],
			"source_name": "Secureworks:NICKEL GLADSTONE",
			"tools": [
				"AlphaNC",
				"Bankshot",
				"CCGC_Proxy",
				"Ratankba",
				"RustBucket",
				"SUGARLOADER",
				"SwiftLoader",
				"Wcry"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "a2b92056-9378-4749-926b-7e10c4500dac",
			"created_at": "2023-01-06T13:46:38.430595Z",
			"updated_at": "2026-04-10T02:00:02.971571Z",
			"deleted_at": null,
			"main_name": "Lazarus Group",
			"aliases": [
				"Operation DarkSeoul",
				"Bureau 121",
				"Group 77",
				"APT38",
				"NICKEL GLADSTONE",
				"G0082",
				"COPERNICIUM",
				"Moonstone Sleet",
				"Operation GhostSecret",
				"APT 38",
				"Appleworm",
				"Unit 121",
				"ATK3",
				"G0032",
				"ATK117",
				"NewRomanic Cyber Army Team",
				"Nickel Academy",
				"Sapphire Sleet",
				"Lazarus group",
				"Hastati Group",
				"Subgroup: Bluenoroff",
				"Operation Troy",
				"Black Artemis",
				"Dark Seoul",
				"Andariel",
				"Labyrinth Chollima",
				"Operation AppleJeus",
				"COVELLITE",
				"Citrine Sleet",
				"DEV-0139",
				"DEV-1222",
				"Hidden Cobra",
				"Bluenoroff",
				"Stardust Chollima",
				"Whois Hacking Team",
				"Diamond Sleet",
				"TA404",
				"BeagleBoyz",
				"APT-C-26"
			],
			"source_name": "MISPGALAXY:Lazarus Group",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "771d9263-076e-4b6e-bd58-92b6555eb739",
			"created_at": "2025-08-07T02:03:25.092436Z",
			"updated_at": "2026-04-10T02:00:03.758541Z",
			"deleted_at": null,
			"main_name": "NICKEL HYATT",
			"aliases": [
				"APT45 ",
				"Andariel",
				"Dark Seoul",
				"Jumpy Pisces ",
				"Onyx Sleet ",
				"RIFLE Campaign",
				"Silent Chollima ",
				"Stonefly ",
				"UN614 "
			],
			"source_name": "Secureworks:NICKEL HYATT",
			"tools": [
				"ActiveX 0-day",
				"DTrack",
				"HazyLoad",
				"HotCriossant",
				"Rifle",
				"UnitBot",
				"Valefor"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "32a223a8-3c79-4146-87c5-8557d38662ae",
			"created_at": "2022-10-25T15:50:23.703698Z",
			"updated_at": "2026-04-10T02:00:05.261989Z",
			"deleted_at": null,
			"main_name": "Lazarus Group",
			"aliases": [
				"Lazarus Group",
				"Labyrinth Chollima",
				"HIDDEN COBRA",
				"Guardians of Peace",
				"NICKEL ACADEMY",
				"Diamond Sleet"
			],
			"source_name": "MITRE:Lazarus Group",
			"tools": [
				"RawDisk",
				"Proxysvc",
				"BADCALL",
				"FALLCHILL",
				"WannaCry",
				"MagicRAT",
				"HOPLIGHT",
				"TYPEFRAME",
				"Dtrack",
				"HotCroissant",
				"HARDRAIN",
				"Dacls",
				"KEYMARBLE",
				"TAINTEDSCRIBE",
				"AuditCred",
				"netsh",
				"ECCENTRICBANDWAGON",
				"AppleJeus",
				"BLINDINGCAN",
				"ThreatNeedle",
				"Volgmer",
				"Cryptoistic",
				"RATANKBA",
				"Bankshot"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "f32df445-9fb4-4234-99e0-3561f6498e4e",
			"created_at": "2022-10-25T16:07:23.756373Z",
			"updated_at": "2026-04-10T02:00:04.739611Z",
			"deleted_at": null,
			"main_name": "Lazarus Group",
			"aliases": [
				"APT-C-26",
				"ATK 3",
				"Appleworm",
				"Citrine Sleet",
				"DEV-0139",
				"Diamond Sleet",
				"G0032",
				"Gleaming Pisces",
				"Gods Apostles",
				"Gods Disciples",
				"Group 77",
				"Guardians of Peace",
				"Hastati Group",
				"Hidden Cobra",
				"ITG03",
				"Jade Sleet",
				"Labyrinth Chollima",
				"Lazarus Group",
				"NewRomanic Cyber Army Team",
				"Operation 99",
				"Operation AppleJeus",
				"Operation AppleJeus sequel",
				"Operation Blockbuster: Breach of Sony Pictures Entertainment",
				"Operation CryptoCore",
				"Operation Dream Job",
				"Operation Dream Magic",
				"Operation Flame",
				"Operation GhostSecret",
				"Operation In(ter)caption",
				"Operation LolZarus",
				"Operation Marstech Mayhem",
				"Operation No Pineapple!",
				"Operation North Star",
				"Operation Phantom Circuit",
				"Operation Sharpshooter",
				"Operation SyncHole",
				"Operation Ten Days of Rain / DarkSeoul",
				"Operation Troy",
				"SectorA01",
				"Slow Pisces",
				"TA404",
				"TraderTraitor",
				"UNC2970",
				"UNC4034",
				"UNC4736",
				"UNC4899",
				"UNC577",
				"Whois Hacking Team"
			],
			"source_name": "ETDA:Lazarus Group",
			"tools": [
				"3CX Backdoor",
				"3Rat Client",
				"3proxy",
				"AIRDRY",
				"ARTFULPIE",
				"ATMDtrack",
				"AlphaNC",
				"Alreay",
				"Andaratm",
				"AngryRebel",
				"AppleJeus",
				"Aryan",
				"AuditCred",
				"BADCALL",
				"BISTROMATH",
				"BLINDINGCAN",
				"BTC Changer",
				"BUFFETLINE",
				"BanSwift",
				"Bankshot",
				"Bitrep",
				"Bitsran",
				"BlindToad",
				"Bookcode",
				"BootWreck",
				"BottomLoader",
				"Brambul",
				"BravoNC",
				"Breut",
				"COLDCAT",
				"COPPERHEDGE",
				"CROWDEDFLOUNDER",
				"Castov",
				"CheeseTray",
				"CleanToad",
				"ClientTraficForwarder",
				"CollectionRAT",
				"Concealment Troy",
				"Contopee",
				"CookieTime",
				"Cyruslish",
				"DAVESHELL",
				"DBLL Dropper",
				"DLRAT",
				"DRATzarus",
				"DRATzarus RAT",
				"Dacls",
				"Dacls RAT",
				"DarkComet",
				"DarkKomet",
				"DeltaCharlie",
				"DeltaNC",
				"Dembr",
				"Destover",
				"DoublePulsar",
				"Dozer",
				"Dtrack",
				"Duuzer",
				"DyePack",
				"ECCENTRICBANDWAGON",
				"ELECTRICFISH",
				"Escad",
				"EternalBlue",
				"FALLCHILL",
				"FYNLOS",
				"FallChill RAT",
				"Farfli",
				"Fimlis",
				"FoggyBrass",
				"FudModule",
				"Fynloski",
				"Gh0st RAT",
				"Ghost RAT",
				"Gopuram",
				"HARDRAIN",
				"HIDDEN COBRA RAT/Worm",
				"HLOADER",
				"HOOKSHOT",
				"HOPLIGHT",
				"HOTCROISSANT",
				"HOTWAX",
				"HTTP Troy",
				"Hawup",
				"Hawup RAT",
				"Hermes",
				"HotCroissant",
				"HotelAlfa",
				"Hotwax",
				"HtDnDownLoader",
				"Http Dr0pper",
				"ICONICSTEALER",
				"Joanap",
				"Jokra",
				"KANDYKORN",
				"KEYMARBLE",
				"Kaos",
				"KillDisk",
				"KillMBR",
				"Koredos",
				"Krademok",
				"LIGHTSHIFT",
				"LIGHTSHOW",
				"LOLBAS",
				"LOLBins",
				"Lazarus",
				"LightlessCan",
				"Living off the Land",
				"MATA",
				"MBRkiller",
				"MagicRAT",
				"Manuscrypt",
				"Mimail",
				"Mimikatz",
				"Moudour",
				"Mydoom",
				"Mydoor",
				"Mytob",
				"NACHOCHEESE",
				"NachoCheese",
				"NestEgg",
				"NickelLoader",
				"NineRAT",
				"Novarg",
				"NukeSped",
				"OpBlockBuster",
				"PCRat",
				"PEBBLEDASH",
				"PLANKWALK",
				"POOLRAT",
				"PSLogger",
				"PhanDoor",
				"Plink",
				"PondRAT",
				"PowerBrace",
				"PowerRatankba",
				"PowerShell RAT",
				"PowerSpritz",
				"PowerTask",
				"Preft",
				"ProcDump",
				"Proxysvc",
				"PuTTY Link",
				"QUICKRIDE",
				"QUICKRIDE.POWER",
				"Quickcafe",
				"QuiteRAT",
				"R-C1",
				"ROptimizer",
				"Ratabanka",
				"RatabankaPOS",
				"Ratankba",
				"RatankbaPOS",
				"RawDisk",
				"RedShawl",
				"Rifdoor",
				"Rising Sun",
				"Romeo-CoreOne",
				"RomeoAlfa",
				"RomeoBravo",
				"RomeoCharlie",
				"RomeoCore",
				"RomeoDelta",
				"RomeoEcho",
				"RomeoFoxtrot",
				"RomeoGolf",
				"RomeoHotel",
				"RomeoMike",
				"RomeoNovember",
				"RomeoWhiskey",
				"Romeos",
				"RustBucket",
				"SHADYCAT",
				"SHARPKNOT",
				"SIGFLIP",
				"SIMPLESEA",
				"SLICKSHOES",
				"SORRYBRUTE",
				"SUDDENICON",
				"SUGARLOADER",
				"SheepRAT",
				"SierraAlfa",
				"SierraBravo",
				"SierraCharlie",
				"SierraJuliett-MikeOne",
				"SierraJuliett-MikeTwo",
				"SimpleTea",
				"SimplexTea",
				"SmallTiger",
				"Stunnel",
				"TAINTEDSCRIBE",
				"TAXHAUL",
				"TFlower",
				"TOUCHKEY",
				"TOUCHMOVE",
				"TOUCHSHIFT",
				"TOUCHSHOT",
				"TWOPENCE",
				"TYPEFRAME",
				"Tdrop",
				"Tdrop2",
				"ThreatNeedle",
				"Tiger RAT",
				"TigerRAT",
				"Trojan Manuscript",
				"Troy",
				"TroyRAT",
				"VEILEDSIGNAL",
				"VHD",
				"VHD Ransomware",
				"VIVACIOUSGIFT",
				"VSingle",
				"ValeforBeta",
				"Volgmer",
				"Vyveva",
				"W1_RAT",
				"Wana Decrypt0r",
				"WanaCry",
				"WanaCrypt",
				"WanaCrypt0r",
				"WannaCry",
				"WannaCrypt",
				"WannaCryptor",
				"WbBot",
				"Wcry",
				"Win32/KillDisk.NBB",
				"Win32/KillDisk.NBC",
				"Win32/KillDisk.NBD",
				"Win32/KillDisk.NBH",
				"Win32/KillDisk.NBI",
				"WinorDLL64",
				"Winsec",
				"WolfRAT",
				"Wormhole",
				"YamaBot",
				"Yort",
				"ZetaNile",
				"concealment_troy",
				"http_troy",
				"httpdr0pper",
				"httpdropper",
				"klovbot",
				"sRDI"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434937,
	"ts_updated_at": 1775826787,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/7f45e54add6bd4761b59949cc86197d5f0957707.pdf",
		"text": "https://archive.orkl.eu/7f45e54add6bd4761b59949cc86197d5f0957707.txt",
		"img": "https://archive.orkl.eu/7f45e54add6bd4761b59949cc86197d5f0957707.jpg"
	}
}