{
	"id": "222f0011-fc4e-463a-8bc7-45391351da0a",
	"created_at": "2026-04-06T00:19:02.580313Z",
	"updated_at": "2026-04-10T13:12:37.257821Z",
	"deleted_at": null,
	"sha1_hash": "803ef0222532423cce241e2ad9e7dc8c1212cf11",
	"title": "Hunting for Unsigned DLLs to Find APTs",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 620395,
	"plain_text": "Hunting for Unsigned DLLs to Find APTs\r\nBy Daniela Shalev, Itay Gamliel\r\nPublished: 2022-09-26 · Archived: 2026-04-05 13:17:40 UTC\r\nExecutive Summary\r\nMalware authors regularly evolve their techniques to evade detection and execute more sophisticated attacks. We’ve commonly observed one method over the past few years: unsigned DLL loading.\r\nAssuming that this method might be used by advanced persistent threats (APTs), we hunted for it. The hunt revealed sophisticated payloads and APT groups in the wild, including the Chinese cyberespionage group Stately Taurus (formerly known as PKPLUG, aka Mustang Panda) and the North Korean Selective Pisces (aka Lazarus Group).\r\nBelow, we show how hunting for the loading of unsigned DLLs can help you identify attacks and threat actors in your environment.\r\nPalo Alto Networks customers receive protections and detections against malicious DLL loading through the Cortex XDR agent.\r\nThreat Actor Groups Discussed\r\nUnit 42 tracks group as… | Group also known as…\r\nStately Taurus | Mustang Panda, PKPLUG, BRONZE PRESIDENT, HoneyMyte, Red Lich, Baijiu\r\nSelective Pisces | Lazarus Group, ZINC, APT-C-26\r\nMalicious DLLs: A Common Method Attackers Use for Executing Malicious Payloads on Infected Systems\r\nBased on our observations over years of proactive threat-hunting experience, we hypothesize that one of the main methods for executing malicious payloads on infected systems is loading a malicious DLL. 
As both individual hackers and APT groups use this method, we decided to conduct research based on this hypothesis.\r\nMost of the malicious DLLs we observe in the wild share three common characteristics:\r\nThe DLLs are mostly written to unprivileged paths.\r\nThe DLLs are unsigned.\r\nTo evade detection, the DLLs are loaded by a signed process, whether a utility dedicated to loading DLLs (such as rundll32.exe) or an executable that loads DLLs as part of its activity.\r\nhttps://unit42.paloaltonetworks.com/unsigned-dlls/\r\nPage 1 of 8\n\nWith that in mind, we found that the most common techniques being used by threat actors in the wild are the following:\r\n1. DLL loading by rundll32.exe/regsvr32.exe – While those processes are signed and known binaries, threat actors abuse them to achieve code execution in an attempt to evade detection.\r\n2. DLL search order hijacking – This refers to loading a malicious DLL by abusing the search order of a legitimate process. This way, a benign application will load a malicious payload with the name of a known DLL.\r\nReviewing the results of the above techniques in the wild revealed that the most common unprivileged paths used to load malicious unsigned DLLs are the folders and sub-folders of ProgramData, AppData and the users’ home directories.\r\nThe next section will introduce several findings based on the above hypothesis.\r\nAttack Trends in the Wild Related to Unsigned DLLs\r\nTo start hunting based on the hypothesis we described, we created two XQL queries. The first one looks for unsigned DLLs that were loaded by rundll32.exe/regsvr32.exe, while the other looks for signed software that loads an unsigned DLL.\r\nThe hunting activity revealed various malware families that used unsigned DLL loading. Figure 1 presents the malware we detected using these methods over the past six months (February-August 2022).\r\nFigure 1. 
Malware observed using DLL loading.\r\nAnalyzing the execution techniques used by the above threats showed that banking trojans and individual threat actors typically used rundll32.exe or regsvr32.exe to load a malicious DLL, while APT groups used the DLL side-loading technique most of the time.\r\nDiving Into Selected Payloads\r\nStately Taurus\r\nWe decided to highlight an investigation around Stately Taurus activity that we detected in the environment of one organization. Stately Taurus is a Chinese APT group that usually targets non-governmental organizations and is known for abusing legitimate software to load payloads.\r\nIn this case, we observed the usage of the DLL search order hijacking technique that enabled the attacker’s malicious DLL to load into the memory space of a legitimate process. The threat actor used multiple pieces of third-party software for the DLL side-loading, such as antivirus software and a PDF reader.\r\nFigure 2. AvastSvc.exe uses side-loading to load a malicious DLL.\r\nTo achieve DLL side-loading, the group dropped the payload into the ProgramData folder, which contained three files – a benign EXE file for DLL hijacking (AvastSvc.exe), a DLL file (wsc.dll) and an encrypted payload (AvastAuth.dat). The loaded DLL appeared to be the PlugX RAT, which loads the encrypted payload from the .dat file.\r\nFigure 3. PlugX files: benign executable, DLL loader and encrypted .dat file.\r\nSelective Pisces\r\nAmong the results of our hunting queries, we also identified several high-entropy malicious modules within the ProgramData directories shown in Figure 4.\r\nFigure 4. 
DLL side-loading by Selective Pisces.\r\nInvestigating the execution chain of the unsigned modules shown in Figure 4 revealed that they were dropped to the disk by the signed DreamSecurity MagicLine4NX process (MagicLine4NX.exe).\r\nMagicLine4NX.exe executed a second-stage payload that we observed utilizing DLL side-loading in order to evade detection. The second-stage payload wrote a new DLL named mi.dll, and copied wsmprovhost.exe (the host process for WinRM) to a random directory in ProgramData. Wsmprovhost.exe is a native Windows binary that attempts to load mi.dll from the same directory. The attackers abused this mechanism in order to achieve DLL side-loading (T1574.002) with this process.\r\nThe mi.dll payload was observed dropping a new payload named ualapi.dll to the System32 directory (C:\\Windows\\System32\\ualapi.dll). Because ualapi.dll was in this case missing from the System32 directory, the attackers used this fact to achieve persistence by giving their malicious payload the name ualapi.dll. That way, spoolsv.exe will load it upon startup.\r\nAfter analyzing the payloads above, we attributed them to the North Korean APT group that Unit 42 tracks as Selective Pisces. This group’s utilization of legitimate third-party software such as MagicLine4NX was described earlier this year in a blog post by Symantec.\r\nRaspberry Robin\r\nThe last attack we would like to elaborate on is the most common one we observed in the wild.\r\nSome of the results that our query yields share several common characteristics:\r\nDLLs with scrambled names reside in random sub-folders of the ProgramData or AppData folders.\r\nThose DLLs have a similar range of entropy (~0.66).\r\nAll of them were loaded by rundll32.exe or regsvr32.exe.\r\nFor example: RUNDLL32.EXE C:\\ProgramData\\\u003crandom_folder\u003e\\fhcplow_Tudjdm.dll,iarws_sbv\r\nFigure 5. 
DLLs loaded by Raspberry Robin.\r\nThe DLL loading activities that take place in those attacks were attributed to a campaign called Raspberry Robin, which was recently described by Red Canary.\r\nThose attacks begin from a shortcut file on an infected USB device. This spawns msiexec.exe to retrieve the malicious DLL from a remote C2 server. During installation, a scheduled task is created in order to achieve persistence, loading the DLL using rundll32.exe/regsvr32.exe on system startup.\r\nUsing Unsigned DLLs to Hunt for Attacks in Your Environment\r\nYou can hunt for the loading of unsigned DLLs using XQL Search in Cortex XDR.\r\nTo narrow down the results, we suggest focusing on the following:\r\nFor DLL side-loading, we recommend paying attention to known third-party software placed in non-standard directories.\r\nFocus on the file’s entropy – binaries that have a high entropy value may contain a packed section that will be extracted during execution.\r\nFocus on the frequency of execution – high-frequency results may indicate a legitimate activity that occurs periodically, while low-frequency results may be a lead for an investigation.\r\nFocus on the file’s path – results that contain folders or files with scrambled names are more suspicious than others.\r\nFigure 6. Query results sorted by the module’s entropy.\r\nFigure 6 contains partial results of the queries that are mentioned in the next section, sorted by the module’s entropy. 
While the first two rows are an example of Emotet execution, the others are benign DLLs.\r\nHunting Queries\r\n// Rundll32.exe / Regsvr32.exe loads an unsigned module from uncommon folders over the past 30 days.\r\nconfig case_sensitive = false timeframe = 30d\r\n| dataset = xdr_data\r\n| filter event_type = ENUM.LOAD_IMAGE and (action_module_path contains \"C:\\ProgramData\" or action_module_path contains \"\\public\" or action_module_path contains \"\\documents\" or action_module_path contains \"\\pictures\" or action_module_path contains \"\\videos\" or action_module_path contains \"appdata\") and action_module_signature_status = 3 and (actor_process_image_name contains \"rundll32.exe\" or actor_process_image_name contains \"regsvr32.exe\") and (actor_process_command_line contains \"programdata\" or actor_process_command_line contains \"\\public\" or actor_process_command_line contains \"\\documents\" or actor_process_command_line contains \"\\pictures\" or actor_process_command_line contains \"\\videos\" or actor_process_command_line contains \"appdata\")\r\n| alter module_entropy = json_extract_scalar(action_module_file_info, \"$.entropy\")\r\n| fields agent_hostname, action_module_sha256, action_module_path, actor_process_image_name, actor_process_command_line, module_entropy\r\n| comp count(action_module_path) as counter by action_module_path, action_module_sha256, module_entropy\r\n// Possible DLL side-loading - a signed process (other than rundll32.exe/regsvr32.exe, which the first query covers) loaded an unsigned DLL from the AppData, ProgramData or Public folders over the past 30 days\r\nconfig case_sensitive = false timeframe = 30d\r\n| dataset = xdr_data\r\n| filter event_type = ENUM.LOAD_IMAGE and (action_module_path contains \"C:\\ProgramData\" or action_module_path contains \"\\public\" or action_module_path contains \"appdata\") and action_module_signature_status = 3 and actor_process_image_name not contains \"rundll32.exe\" and actor_process_image_name not contains \"regsvr32.exe\" and actor_process_signature_status = 1 and (actor_process_image_path contains \"appdata\" or actor_process_image_path contains \"programdata\" or actor_process_image_path contains \"public\")\r\n| alter module_entropy = json_extract_scalar(action_module_file_info, \"$.entropy\")\r\n| fields agent_hostname, action_module_sha256, action_module_path, actor_process_image_name, actor_process_command_line, module_entropy, actor_process_image_path\r\n| comp count(action_module_path) as counter by action_module_path, action_module_sha256, module_entropy, actor_process_image_path\r\nConclusion\r\nMost detection techniques for blocking malicious DLLs rely on the module's behavior after it has been loaded into memory. This can limit the ability to block all malicious modules.\r\nThat said, you can proactively hunt for malicious unsigned DLLs using hunting approaches such as the ones presented in this blog.\r\nKnowing the baseline of your network in terms of legitimate software or behavior can reduce the number of results generated by the above queries, allowing you to focus on results that might be suspicious.\r\nCortex XDR alerts on and blocks malicious DLLs loaded by known hijacking techniques, and can also prevent post-exploitation activities, through the Behavioral Threat Protection and Analytics modules.\r\nIndicators of compromise and TTPs associated with Stately Taurus can be found in the Stately Taurus ATOM.\r\nIf you think you may have been compromised or have an urgent matter, get in touch with the Unit 42 Incident Response team or call North America Toll-Free: 866.486.4842 (866.4.UNIT42), EMEA: +31.20.299.3130, APAC: +65.6983.8730, or Japan: +81.50.1790.0200.\r\nIndicators of Compromise\r\nTable 1. Hashes of samples (SHA256 hashes of the Selective Pisces, Stately Taurus and Raspberry Robin samples discussed above).\r\nSource: https://unit42.paloaltonetworks.com/unsigned-dlls/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://unit42.paloaltonetworks.com/unsigned-dlls/"
	],
	"report_names": [
		"unsigned-dlls"
	],
	"threat_actors": [
		{
			"id": "34eea331-d052-4096-ae03-a22f1d090bd4",
			"created_at": "2025-08-07T02:03:25.073494Z",
			"updated_at": "2026-04-10T02:00:03.709243Z",
			"deleted_at": null,
			"main_name": "NICKEL ACADEMY",
			"aliases": [
				"ATK3 ",
				"Black Artemis ",
				"COVELLITE ",
				"CTG-2460 ",
				"Citrine Sleet ",
				"Diamond Sleet ",
				"Guardians of Peace",
				"HIDDEN COBRA ",
				"High Anonymous",
				"Labyrinth Chollima ",
				"Lazarus Group ",
				"NNPT Group",
				"New Romanic Cyber Army Team",
				"Temp.Hermit ",
				"UNC577 ",
				"Who Am I?",
				"Whois Team",
				"ZINC "
			],
			"source_name": "Secureworks:NICKEL ACADEMY",
			"tools": [
				"Destover",
				"KorHigh",
				"Volgmer"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "93542ae8-73cb-482b-90a3-445a20663f15",
			"created_at": "2022-10-25T16:07:24.058412Z",
			"updated_at": "2026-04-10T02:00:04.853499Z",
			"deleted_at": null,
			"main_name": "PKPLUG",
			"aliases": [
				"Stately Taurus"
			],
			"source_name": "ETDA:PKPLUG",
			"tools": [],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "b69037ec-2605-4de4-bb32-a20d780a8406",
			"created_at": "2023-01-06T13:46:38.790766Z",
			"updated_at": "2026-04-10T02:00:03.101635Z",
			"deleted_at": null,
			"main_name": "MUSTANG PANDA",
			"aliases": [
				"Stately Taurus",
				"LuminousMoth",
				"TANTALUM",
				"Twill Typhoon",
				"TEMP.HEX",
				"Earth Preta",
				"Polaris",
				"BRONZE PRESIDENT",
				"HoneyMyte",
				"Red Lich",
				"TA416"
			],
			"source_name": "MISPGALAXY:MUSTANG PANDA",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "732597b1-40a8-474c-88cc-eb8a421c29f1",
			"created_at": "2025-08-07T02:03:25.087732Z",
			"updated_at": "2026-04-10T02:00:03.776007Z",
			"deleted_at": null,
			"main_name": "NICKEL GLADSTONE",
			"aliases": [
				"APT38 ",
				"ATK 117 ",
				"Alluring Pisces ",
				"Black Alicanto ",
				"Bluenoroff ",
				"CTG-6459 ",
				"Citrine Sleet ",
				"HIDDEN COBRA ",
				"Lazarus Group",
				"Sapphire Sleet ",
				"Selective Pisces ",
				"Stardust Chollima ",
				"T-APT-15 ",
				"TA444 ",
				"TAG-71 "
			],
			"source_name": "Secureworks:NICKEL GLADSTONE",
			"tools": [
				"AlphaNC",
				"Bankshot",
				"CCGC_Proxy",
				"Ratankba",
				"RustBucket",
				"SUGARLOADER",
				"SwiftLoader",
				"Wcry"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "6daadf00-952c-408a-89be-aa490d891743",
			"created_at": "2025-08-07T02:03:24.654882Z",
			"updated_at": "2026-04-10T02:00:03.645565Z",
			"deleted_at": null,
			"main_name": "BRONZE PRESIDENT",
			"aliases": [
				"Earth Preta ",
				"HoneyMyte ",
				"Mustang Panda ",
				"Red Delta ",
				"Red Lich ",
				"Stately Taurus ",
				"TA416 ",
				"Temp.Hex ",
				"Twill Typhoon "
			],
			"source_name": "Secureworks:BRONZE PRESIDENT",
			"tools": [
				"BlueShell",
				"China Chopper",
				"Claimloader",
				"Cobalt Strike",
				"HIUPAN",
				"ORat",
				"PTSOCKET",
				"PUBLOAD",
				"PlugX",
				"RCSession",
				"TONESHELL",
				"TinyNote"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "a2b92056-9378-4749-926b-7e10c4500dac",
			"created_at": "2023-01-06T13:46:38.430595Z",
			"updated_at": "2026-04-10T02:00:02.971571Z",
			"deleted_at": null,
			"main_name": "Lazarus Group",
			"aliases": [
				"Operation DarkSeoul",
				"Bureau 121",
				"Group 77",
				"APT38",
				"NICKEL GLADSTONE",
				"G0082",
				"COPERNICIUM",
				"Moonstone Sleet",
				"Operation GhostSecret",
				"APT 38",
				"Appleworm",
				"Unit 121",
				"ATK3",
				"G0032",
				"ATK117",
				"NewRomanic Cyber Army Team",
				"Nickel Academy",
				"Sapphire Sleet",
				"Lazarus group",
				"Hastati Group",
				"Subgroup: Bluenoroff",
				"Operation Troy",
				"Black Artemis",
				"Dark Seoul",
				"Andariel",
				"Labyrinth Chollima",
				"Operation AppleJeus",
				"COVELLITE",
				"Citrine Sleet",
				"DEV-0139",
				"DEV-1222",
				"Hidden Cobra",
				"Bluenoroff",
				"Stardust Chollima",
				"Whois Hacking Team",
				"Diamond Sleet",
				"TA404",
				"BeagleBoyz",
				"APT-C-26"
			],
			"source_name": "MISPGALAXY:Lazarus Group",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "32a223a8-3c79-4146-87c5-8557d38662ae",
			"created_at": "2022-10-25T15:50:23.703698Z",
			"updated_at": "2026-04-10T02:00:05.261989Z",
			"deleted_at": null,
			"main_name": "Lazarus Group",
			"aliases": [
				"Lazarus Group",
				"Labyrinth Chollima",
				"HIDDEN COBRA",
				"Guardians of Peace",
				"NICKEL ACADEMY",
				"Diamond Sleet"
			],
			"source_name": "MITRE:Lazarus Group",
			"tools": [
				"RawDisk",
				"Proxysvc",
				"BADCALL",
				"FALLCHILL",
				"WannaCry",
				"MagicRAT",
				"HOPLIGHT",
				"TYPEFRAME",
				"Dtrack",
				"HotCroissant",
				"HARDRAIN",
				"Dacls",
				"KEYMARBLE",
				"TAINTEDSCRIBE",
				"AuditCred",
				"netsh",
				"ECCENTRICBANDWAGON",
				"AppleJeus",
				"BLINDINGCAN",
				"ThreatNeedle",
				"Volgmer",
				"Cryptoistic",
				"RATANKBA",
				"Bankshot"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "9baa7519-772a-4862-b412-6f0463691b89",
			"created_at": "2022-10-25T15:50:23.354429Z",
			"updated_at": "2026-04-10T02:00:05.310361Z",
			"deleted_at": null,
			"main_name": "Mustang Panda",
			"aliases": [
				"Mustang Panda",
				"TA416",
				"RedDelta",
				"BRONZE PRESIDENT",
				"STATELY TAURUS",
				"FIREANT",
				"CAMARO DRAGON",
				"EARTH PRETA",
				"HIVE0154",
				"TWILL TYPHOON",
				"TANTALUM",
				"LUMINOUS MOTH",
				"UNC6384",
				"TEMP.Hex",
				"Red Lich"
			],
			"source_name": "MITRE:Mustang Panda",
			"tools": [
				"CANONSTAGER",
				"STATICPLUGIN",
				"ShadowPad",
				"TONESHELL",
				"Cobalt Strike",
				"HIUPAN",
				"Impacket",
				"SplatCloak",
				"PAKLOG",
				"Wevtutil",
				"AdFind",
				"CLAIMLOADER",
				"Mimikatz",
				"PUBLOAD",
				"StarProxy",
				"CorKLOG",
				"RCSession",
				"NBTscan",
				"PoisonIvy",
				"SplatDropper",
				"China Chopper",
				"PlugX"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "1bdb91cf-f1a6-4bed-8cfa-c7ea1b635ebd",
			"created_at": "2022-10-25T16:07:23.766784Z",
			"updated_at": "2026-04-10T02:00:04.7432Z",
			"deleted_at": null,
			"main_name": "Bluenoroff",
			"aliases": [
				"APT 38",
				"ATK 117",
				"Alluring Pisces",
				"Black Alicanto",
				"Bluenoroff",
				"CTG-6459",
				"Copernicium",
				"G0082",
				"Nickel Gladstone",
				"Sapphire Sleet",
				"Selective Pisces",
				"Stardust Chollima",
				"T-APT-15",
				"TA444",
				"TAG-71",
				"TEMP.Hermit"
			],
			"source_name": "ETDA:Bluenoroff",
			"tools": [],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "2ee03999-5432-4a65-a850-c543b4fefc3d",
			"created_at": "2022-10-25T16:07:23.882813Z",
			"updated_at": "2026-04-10T02:00:04.776949Z",
			"deleted_at": null,
			"main_name": "Mustang Panda",
			"aliases": [
				"Bronze President",
				"Camaro Dragon",
				"Earth Preta",
				"G0129",
				"Hive0154",
				"HoneyMyte",
				"Mustang Panda",
				"Operation SMUGX",
				"Operation SmugX",
				"PKPLUG",
				"Red Lich",
				"Stately Taurus",
				"TEMP.Hex",
				"Twill Typhoon"
			],
			"source_name": "ETDA:Mustang Panda",
			"tools": [
				"9002 RAT",
				"AdFind",
				"Agent.dhwf",
				"Agentemis",
				"CHINACHOPPER",
				"China Chopper",
				"Chymine",
				"ClaimLoader",
				"Cobalt Strike",
				"CobaltStrike",
				"DCSync",
				"DOPLUGS",
				"Darkmoon",
				"Destroy RAT",
				"DestroyRAT",
				"Farseer",
				"Gen:Trojan.Heur.PT",
				"HOMEUNIX",
				"Hdump",
				"HenBox",
				"HidraQ",
				"Hodur",
				"Homux",
				"HopperTick",
				"Hydraq",
				"Impacket",
				"Kaba",
				"Korplug",
				"LadonGo",
				"MQsTTang",
				"McRAT",
				"MdmBot",
				"Mimikatz",
				"NBTscan",
				"NetSess",
				"Netview",
				"Orat",
				"POISONPLUG.SHADOW",
				"PUBLOAD",
				"PVE Find AD Users",
				"PlugX",
				"Poison Ivy",
				"PowerView",
				"QMAGENT",
				"RCSession",
				"RedDelta",
				"Roarur",
				"SPIVY",
				"ShadowPad Winnti",
				"SinoChopper",
				"Sogu",
				"TIGERPLUG",
				"TONEINS",
				"TONESHELL",
				"TVT",
				"TeamViewer",
				"Thoper",
				"TinyNote",
				"WispRider",
				"WmiExec",
				"XShellGhost",
				"Xamtrav",
				"Zupdax",
				"cobeacon",
				"nbtscan",
				"nmap",
				"pivy",
				"poisonivy"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "f32df445-9fb4-4234-99e0-3561f6498e4e",
			"created_at": "2022-10-25T16:07:23.756373Z",
			"updated_at": "2026-04-10T02:00:04.739611Z",
			"deleted_at": null,
			"main_name": "Lazarus Group",
			"aliases": [
				"APT-C-26",
				"ATK 3",
				"Appleworm",
				"Citrine Sleet",
				"DEV-0139",
				"Diamond Sleet",
				"G0032",
				"Gleaming Pisces",
				"Gods Apostles",
				"Gods Disciples",
				"Group 77",
				"Guardians of Peace",
				"Hastati Group",
				"Hidden Cobra",
				"ITG03",
				"Jade Sleet",
				"Labyrinth Chollima",
				"Lazarus Group",
				"NewRomanic Cyber Army Team",
				"Operation 99",
				"Operation AppleJeus",
				"Operation AppleJeus sequel",
				"Operation Blockbuster: Breach of Sony Pictures Entertainment",
				"Operation CryptoCore",
				"Operation Dream Job",
				"Operation Dream Magic",
				"Operation Flame",
				"Operation GhostSecret",
				"Operation In(ter)caption",
				"Operation LolZarus",
				"Operation Marstech Mayhem",
				"Operation No Pineapple!",
				"Operation North Star",
				"Operation Phantom Circuit",
				"Operation Sharpshooter",
				"Operation SyncHole",
				"Operation Ten Days of Rain / DarkSeoul",
				"Operation Troy",
				"SectorA01",
				"Slow Pisces",
				"TA404",
				"TraderTraitor",
				"UNC2970",
				"UNC4034",
				"UNC4736",
				"UNC4899",
				"UNC577",
				"Whois Hacking Team"
			],
			"source_name": "ETDA:Lazarus Group",
			"tools": [
				"3CX Backdoor",
				"3Rat Client",
				"3proxy",
				"AIRDRY",
				"ARTFULPIE",
				"ATMDtrack",
				"AlphaNC",
				"Alreay",
				"Andaratm",
				"AngryRebel",
				"AppleJeus",
				"Aryan",
				"AuditCred",
				"BADCALL",
				"BISTROMATH",
				"BLINDINGCAN",
				"BTC Changer",
				"BUFFETLINE",
				"BanSwift",
				"Bankshot",
				"Bitrep",
				"Bitsran",
				"BlindToad",
				"Bookcode",
				"BootWreck",
				"BottomLoader",
				"Brambul",
				"BravoNC",
				"Breut",
				"COLDCAT",
				"COPPERHEDGE",
				"CROWDEDFLOUNDER",
				"Castov",
				"CheeseTray",
				"CleanToad",
				"ClientTraficForwarder",
				"CollectionRAT",
				"Concealment Troy",
				"Contopee",
				"CookieTime",
				"Cyruslish",
				"DAVESHELL",
				"DBLL Dropper",
				"DLRAT",
				"DRATzarus",
				"DRATzarus RAT",
				"Dacls",
				"Dacls RAT",
				"DarkComet",
				"DarkKomet",
				"DeltaCharlie",
				"DeltaNC",
				"Dembr",
				"Destover",
				"DoublePulsar",
				"Dozer",
				"Dtrack",
				"Duuzer",
				"DyePack",
				"ECCENTRICBANDWAGON",
				"ELECTRICFISH",
				"Escad",
				"EternalBlue",
				"FALLCHILL",
				"FYNLOS",
				"FallChill RAT",
				"Farfli",
				"Fimlis",
				"FoggyBrass",
				"FudModule",
				"Fynloski",
				"Gh0st RAT",
				"Ghost RAT",
				"Gopuram",
				"HARDRAIN",
				"HIDDEN COBRA RAT/Worm",
				"HLOADER",
				"HOOKSHOT",
				"HOPLIGHT",
				"HOTCROISSANT",
				"HOTWAX",
				"HTTP Troy",
				"Hawup",
				"Hawup RAT",
				"Hermes",
				"HotCroissant",
				"HotelAlfa",
				"Hotwax",
				"HtDnDownLoader",
				"Http Dr0pper",
				"ICONICSTEALER",
				"Joanap",
				"Jokra",
				"KANDYKORN",
				"KEYMARBLE",
				"Kaos",
				"KillDisk",
				"KillMBR",
				"Koredos",
				"Krademok",
				"LIGHTSHIFT",
				"LIGHTSHOW",
				"LOLBAS",
				"LOLBins",
				"Lazarus",
				"LightlessCan",
				"Living off the Land",
				"MATA",
				"MBRkiller",
				"MagicRAT",
				"Manuscrypt",
				"Mimail",
				"Mimikatz",
				"Moudour",
				"Mydoom",
				"Mydoor",
				"Mytob",
				"NACHOCHEESE",
				"NachoCheese",
				"NestEgg",
				"NickelLoader",
				"NineRAT",
				"Novarg",
				"NukeSped",
				"OpBlockBuster",
				"PCRat",
				"PEBBLEDASH",
				"PLANKWALK",
				"POOLRAT",
				"PSLogger",
				"PhanDoor",
				"Plink",
				"PondRAT",
				"PowerBrace",
				"PowerRatankba",
				"PowerShell RAT",
				"PowerSpritz",
				"PowerTask",
				"Preft",
				"ProcDump",
				"Proxysvc",
				"PuTTY Link",
				"QUICKRIDE",
				"QUICKRIDE.POWER",
				"Quickcafe",
				"QuiteRAT",
				"R-C1",
				"ROptimizer",
				"Ratabanka",
				"RatabankaPOS",
				"Ratankba",
				"RatankbaPOS",
				"RawDisk",
				"RedShawl",
				"Rifdoor",
				"Rising Sun",
				"Romeo-CoreOne",
				"RomeoAlfa",
				"RomeoBravo",
				"RomeoCharlie",
				"RomeoCore",
				"RomeoDelta",
				"RomeoEcho",
				"RomeoFoxtrot",
				"RomeoGolf",
				"RomeoHotel",
				"RomeoMike",
				"RomeoNovember",
				"RomeoWhiskey",
				"Romeos",
				"RustBucket",
				"SHADYCAT",
				"SHARPKNOT",
				"SIGFLIP",
				"SIMPLESEA",
				"SLICKSHOES",
				"SORRYBRUTE",
				"SUDDENICON",
				"SUGARLOADER",
				"SheepRAT",
				"SierraAlfa",
				"SierraBravo",
				"SierraCharlie",
				"SierraJuliett-MikeOne",
				"SierraJuliett-MikeTwo",
				"SimpleTea",
				"SimplexTea",
				"SmallTiger",
				"Stunnel",
				"TAINTEDSCRIBE",
				"TAXHAUL",
				"TFlower",
				"TOUCHKEY",
				"TOUCHMOVE",
				"TOUCHSHIFT",
				"TOUCHSHOT",
				"TWOPENCE",
				"TYPEFRAME",
				"Tdrop",
				"Tdrop2",
				"ThreatNeedle",
				"Tiger RAT",
				"TigerRAT",
				"Trojan Manuscript",
				"Troy",
				"TroyRAT",
				"VEILEDSIGNAL",
				"VHD",
				"VHD Ransomware",
				"VIVACIOUSGIFT",
				"VSingle",
				"ValeforBeta",
				"Volgmer",
				"Vyveva",
				"W1_RAT",
				"Wana Decrypt0r",
				"WanaCry",
				"WanaCrypt",
				"WanaCrypt0r",
				"WannaCry",
				"WannaCrypt",
				"WannaCryptor",
				"WbBot",
				"Wcry",
				"Win32/KillDisk.NBB",
				"Win32/KillDisk.NBC",
				"Win32/KillDisk.NBD",
				"Win32/KillDisk.NBH",
				"Win32/KillDisk.NBI",
				"WinorDLL64",
				"Winsec",
				"WolfRAT",
				"Wormhole",
				"YamaBot",
				"Yort",
				"ZetaNile",
				"concealment_troy",
				"http_troy",
				"httpdr0pper",
				"httpdropper",
				"klovbot",
				"sRDI"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434742,
	"ts_updated_at": 1775826757,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/803ef0222532423cce241e2ad9e7dc8c1212cf11.pdf",
		"text": "https://archive.orkl.eu/803ef0222532423cce241e2ad9e7dc8c1212cf11.txt",
		"img": "https://archive.orkl.eu/803ef0222532423cce241e2ad9e7dc8c1212cf11.jpg"
	}
}