{
	"id": "1f6b2ca9-afc3-4e41-8fc4-cd29494a570b",
	"created_at": "2026-04-06T00:09:56.500512Z",
	"updated_at": "2026-04-10T03:38:20.257719Z",
	"deleted_at": null,
	"sha1_hash": "857fb2e694096decec45ab244250e52ac3017cf1",
	"title": "Lazarus Group APT Targeting South Korean Users | Zscaler",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1022246,
	"plain_text": "Lazarus Group APT Targeting South Korean Users | Zscaler\r\nBy Sahil Antil, Sudeep Singh\r\nPublished: 2022-04-26 · Archived: 2026-04-05 16:06:33 UTC\r\nZscaler’s ThreatLabz research team has been closely monitoring a campaign targeting users in South Korea.  This\r\nthreat actor has been active for more than a year and continues to evolve its tactics, techniques, and procedures\r\n(TTPs); we believe with high confidence that the threat actor is associated with Lazarus Group, a sophisticated\r\nNorth Korean advanced persistent threat (APT) group.\r\nIn 2021, the main attack vector used by this threat actor was credential phishing attacks through emails, posing as\r\nNaver, the popular South Korean search engine and web portal. \r\nIn 2022, the same threat actor started spoofing various important entities in South Korea, including KRNIC\r\n(Korea Internet Information Center), Korean security vendors such as Ahnlab, cryptocurrency exchanges such as\r\nBinance, and others. Some details about this campaign were published in this Korean blog, however they did not\r\nperform the threat attribution.\r\nEven though the TTPs of this threat actor evolved over time, there were critical parts of their infrastructure that\r\nwere reused, allowing ThreatLabz to correlate the attacks and do the threat attribution with a high-confidence\r\nlevel. Our research led us to the discovery of command-and-control (C2) domains even before they were used in\r\nactive attacks by the threat actor. 
This proactive discovery of attacker infrastructure helps us preempt the attacks.\r\nIn this blog, we will share the technical details of the attack chains and explain how we correlated this threat actor to Lazarus.\r\nWe would like to thank Dropbox for their quick action in taking down the malicious accounts used by the threat actor, and for sharing valuable threat intelligence that helped us with threat attribution.\r\nAttack chains\r\nThis threat actor has frequently updated its attack chains over the last two months. We identified three unique attack chains used by the threat actor to distribute the malware in emails:\r\nhttps://www.zscaler.jp/blogs/security-research/naver-ending-game-lazarus-apt\r\nPage 1 of 13\n\nFigure 1: Attack flow\r\nSpear phishing email distribution\r\nDuring our analysis, we discovered that at least one of the IP addresses (222.112.127[.]9) used by the threat actor to log in to the attacker-controlled Dropbox accounts was also used to send spear phishing emails to the victims in South Korea.\r\nBelow are examples of two such emails that were sent from the IP address 222.112.127[.]9.\r\nNote: This IP address is related to KT Corporation, a Korean telecom provider. Multiple IP addresses related to KT Corporation were abused by this threat actor during the current attack.\r\nEmail #1\r\nIn this email, a macro-based document was sent to the victim.\r\nFigure 2: Email sent to the victim\r\nFigure 3 below shows that the decoy content of the document is related to the Menlo Security company. This is consistent with other decoy content used by the threat actor. For instance, in the document with MD5 hash 1a536709554860fcc2c147374556205d, the decoy content used was related to Ahnlab, a Korea-based computer security company. 
This is done for the purpose of social engineering.\r\nFigure 3: Decoy content\r\nEmail #2\r\nIn this email, a password-protected macro-based XLS file was sent to the victim. The password for the file was mentioned in the email body.\r\nThe theme of the file is related to cryptocurrency investments. This theme is consistent with other documents sent in this campaign as well. Lazarus Group is known to have a keen interest in attacking cryptocurrency users, asset managers, and companies.\r\nFigure 4: Email sent to the victim\r\nFigure 5 below shows the sender's IP address in the email headers as indicated by the X-Originating-IP field.\r\nFigure 5: Email header showing originating IP, Sender and Recipient\r\nThreat attribution\r\nIn order to perform the threat actor attribution, we correlated the below data points.\r\n1. C2 IP addresses\r\n2. Attacker-controlled Dropbox accounts’ registrant email addresses\r\n3. C2 domains’ registrant email addresses\r\n4. Passive DNS data\r\n5. Sender's email address in credential phishing attacks\r\n6. Sender's IP address in credential phishing attacks\r\nNote: OSINT information related to the above data points was also used in the correlation analysis.\r\n# Correlating different attacks to the same threat actor\r\nAs described in the network communication section later in the blog, the Stage-3 binary initially connects to an attacker-controlled Dropbox account to fetch a C2 domain, which is then used for further network communication.\r\nIn collaboration with Dropbox, we were able to discover the email addresses associated with the attacker-controlled Dropbox accounts used during this attack. One such email address was:\r\npeterstewart0326@gmail[.]com\r\nThis same email address was recently mentioned in Prevailion's blog. 
It was linked to several domains which were used during Naver-themed phishing activity.\r\nAlso, according to this blog from 2021, this same email address was used to send Naver-themed credential phishing emails to users in South Korea.\r\nCorrelating the above data points, we can say with a high confidence level that the attack chains we have described in this blog are also related to the same threat actor.\r\n# Attribution to Lazarus APT\r\nAccording to the threat infrastructure mapping done in the Prevailion blog, the IP address 23.81.246[.]131 belongs to one of the critical nodes used by the threat actor during Naver-themed phishing activity. One of the domains linked to this IP address was navercorpservice[.]com. If we check the passive DNS data for this domain, we find two other IP address resolutions: 172.93.201[.]253 in November 2021 and 45.147.231[.]213 in September 2021.\r\nThe IP address 172.93.201[.]253 was recently used to host the domain disneycareers[.]net, which was attributed to Lazarus APT in the Google TAG blog.\r\nFurther, what caught our attention was the IP address 45.147.231[.]213. This IP address was earlier used by a North Korea-based APT threat actor. Recently, we also had a new domain resolution alert for this IP address as part of our C2 infrastructure tracking. If we pivot on the passive DNS data for this IP address, we can see that the domain www.devguardmap[.]org was hosted on this IP address in Jan 2021, which was attributed to Lazarus APT as per this tweet from ESET and the Google TAG blog.\r\nCorrelating all the above data points, we reached the conclusion that the attack chains we discovered are related to the Lazarus threat actor. 
To the best of our knowledge, at the time of writing, this threat actor attribution has not been publicly documented yet.\r\nTechnical analysis\r\nFor the purpose of technical analysis we will consider the attack chain starting with a Compiled HTML file having MD5 210db61d1b11c1d233fd8a0645946074.\r\n[+] Stage 1: Compiled HTML file\r\nThe CHM file contains a malicious binary embedded inside it. At runtime, this binary is dropped on the filesystem at the path C:\\programdata\\chmtemp\\chmext.exe and executed.\r\nThe code responsible for extracting, dropping and executing the binary is present inside 1hh.html as shown below.\r\nFigure 6: HTML code dropping and executing the binary\r\n[+] Stage 2: Dropper\r\nThe dropper on execution performs the following operations:\r\n1. Detects sleep patching to identify a controlled execution environment such as a sandbox\r\n2. Checks the names of all running processes and terminates if it finds a process running with the name \"v3l4sp.exe\". This process name corresponds to the security software developed by Ahnlab (a popular and frequently used security vendor in South Korea).\r\n3. Creates a file at the path \"C:\\ProgramData\\Intel\\IntelRST.exe\"\r\n4. XOR decodes the embedded PE from a hardcoded address\r\n5. Writes the decoded PE to the file created in Step 3\r\n6. Modifies the PEB to masquerade itself as explorer.exe\r\n7. Executes IntelRST.exe\r\n8. Creates a RUN registry entry for persistence\r\nValue: IntelCUI\r\nData: C:\\ProgramData\\Intel\\IntelRST.exe\r\n[+] Stage 3: Dropped binary\r\nThe file IntelRST.exe dropped by the Stage-2 dropper is an ASPacked binary. On execution it performs the following operations:\r\n1. 
Similar to the dropper binary, it tries to detect sleep patching to identify a controlled execution environment\r\n2. Collects machine information and stores it using the specified format, which is later exfiltrated and used as the machine identifier.\r\nString format:\r\n[decoded_string]_[username]_[volume_serial_number_post_8_bytes]\r\ndecoded_string: (encoded string) ^ (key)[encoded_string_byte_offset%keySize]\r\nusername: GetUserName()\r\nvolume_serial_number: Using DeviceIoControl with IOCTL_STORAGE_QUERY_PROPERTY (0x2d1400)\r\n3. Checks the names of all running processes and terminates if there is some process running with the name \"v3l4sp.exe\", \"AYAgent.aye\" or \"IntelRST.exe\"\r\n4. If running with administrator privileges, it executes a PowerShell command using cmd.exe to add a Windows Defender exclusion.\r\nPowerShell command: Powershell -Command Add-MpPreference -ExclusionPath \"C:\\ProgramData\\Intel\\IntelRST.exe\"\r\n5. Finally it starts the network communication\r\n[+] Network communication\r\nThe network communication occurs in the following sequence:\r\n1. Send a GET request to the URL \"https://dl.dropboxusercontent.com/s/k288s9tu2o53v41/zs_url.txt?dl=0\".\r\n2. Query the file size and send another network request to read the file content.\r\nNote: The file content points to the C2 domain to be used for the rest of the network communication.\r\n3. Using the extracted C2 domain, send a POST request to the path \"/post.php\" and exfiltrate the collected user information.\r\nExfiltrated user information format:\r\nuid={string_generated_in_Step-2_of_Stage-3_binary}\u0026avtype=%d\u0026majorv=%d\u0026minorv=%d\r\n4. 
Finally send a GET request to the path \"/{decoded_string_from_step-2_of_Stage-3_binary}/{formatted_string_from_step-2_of_Stage-3_binary}/fecommand.acm\"\r\nNote: At the time of analysis we didn't get any active response from the C2 server for the above network request.\r\nZscaler Cloud Sandbox detection\r\n# Document detection\r\n# Dropper detection\r\nIndicators of compromise\r\n[+] Hashes\r\nMD5 Description\r\n37505b6ff02a679e70885ccd60c13f3b\r\nc156572dd81c3b0072f62484e90e47a0\r\nDocument\r\nd7f6b09775b8d90d79404eda715461b7\r\na0f565f7f579f0d397a42db5a95d4ae8\r\ne2e5644e77e75e422bde075f409d882e\r\n37b7415442ab8ca01e08b2d7bfe809e2\r\nd19dd02cf375d0d03f557556d5207061\r\ne3ffda448df223b240a20dae41e20cef\r\ne732bc87033a935bd2d3d56c7772641b\r\n825730d9dd22dbae7f2bd89131466415\r\nc32f40f304777df7cfab428a54bb818b\r\nb587851d8a42fc8c23f638bbc2eb866b\r\n4382384feb5ad6b574f68e431006905e\r\n493f59b6933e59029bf3106fd4a2998d\r\nbdfb5071f5374f5c0a3714464b1fa5e6\r\n1769a818548a0b52c7be2a0a213a9384\r\n7b07cd6bb6b5d4ed6a2892a738fe892b\r\n9775ef6514916977d73e39a6b09029bc\r\n44be20c67a80af8066f9401c5bee43cb\r\n15a7125fe9e629122e1d1389062af712\r\n1fd8fef169bf48cfdcf506151264128c\r\n9ad00e513364e9f44f1b6712907cba9b\r\n1a536709554860fcc2c147374556205d\r\na2aca7b66f678b85fc7b4015af21c5ee\r\nDocument (Template based)\r\nbd416ea51f94d815b5b5b66861cbdcc5\r\necb2d07ede5a401c83a5fca8e00fa37a\r\ndb0483aced77a7db130a6100aef67967\r\nc0b24dc8f53227ce0c64439b302ca930\r\nbb9ee3a6504fbf6a5486af04dbbb5da5\r\nce00749c908de017010055a83ac0654f\r\n2677f9871cb340750e582cb677d40e81\r\n90f2b7845c203035f0d7096aa28dda83\r\n044e701e8d288075b0fb6cd118aa94db\r\n556abc167348fe96abfbf5079c3ad488\r\n0ef32b48f6ca3a1a22ab87058b3d8aa0\r\n4548c7f157d300ec39b1821db4daa970\r\n430d944786e05042cdbe1d795ded2199\r\n96d86472ff283f6959b7a779f004dfba\r\n137910039cb94c0301154f3d1ec9ba29\r\n728b908e90930c73edeb1bf58b6a3a64\r\n1559aeb8e464759247e4588cb6a09877\r\n6df608342938f0d30a058c48bb9d8d4d\r\n78aa7e785a96f2826ee09a1aa9ab776e\r\n0c2dde41d508941cf215fe8f1f7e03a7\r\n783e7c3ba39daa28301b841785794d76\r\na225b7aff737dea737cd969fb307df23\r\nTemplate\r\n210db61d1b11c1d233fd8a0645946074\r\ne25ac08833416b8c7191639b60edfa21\r\n114f22f3dd6928bed5c779fa918a8f11\r\nCompiled HTML (CHM)\r\n[+] File names\r\nOriginal Name | Translated Name\r\n확진자 및 동거인 안내문 (50).chm | Guide to confirmed cases and living with them (50).chm\r\n메타콩즈가이드_1900002.chm | Meta Kong's Guide_190002.chm\r\nNFT Metakongz Minting.chm | NFT Metakongz Minting.chm\r\n202204_암호화폐_투자기획.docx | 202204_Cryptocurrency_Investment Planning.docx\r\n사건 경위서.docx | incident report.docx\r\n마산합포구 400억 대출요청.docx | Masanhappo-gu 40 billion loan request.docx\r\n40억_자금투자계약서.docx | 4 billion_fund investment contract.docx\r\n긴급재난지원금신청서양식.docx | Emergency Disaster Subsidy Application Form.docx\r\n대한광산개발(주).docx | Daehan Mine Development Co., Ltd. docx\r\n크립토스_로그인.docx | cryptos_login.docx\r\n[+] C2 domains\r\nnaveicoipg[.]online\r\nnaveicoipf[.]online\r\nnaveicoipc[.]tech\r\nnaveicoipa[.]tech\r\nnaveicoipe[.]tech\r\nnaveicoipd[.]tech\r\nnaveicoipep[.]tech\r\nnaveicoiph[.]online\r\nnaveicoipg[.]tech\r\nnaveicoipf[.]tech\r\nnaveicoipb[.]tech\r\nnaveicoipj[.]online\r\nnaveicoipi[.]online\r\nnaveicoipe[.]online\r\nnaveicoipd[.]online\r\nnaveicoipc[.]online\r\nnaveicoipb[.]online\r\nnaveicoipa[.]online\r\nnaveicoipc[.]com\r\nnaveicoipa[.]com\r\nnaveicoip[.]com\r\nnaveicoiph[.]tech\r\nnaveicoip[.]tech\r\nnaveicorp[.]com\r\ncopycatfrag[.]store\r\nknightsfrag[.]store\r\nparfumeparlour[.]store\r\n# New domain resolutions for the IP 23.81.246[.]131\r\nnavernidb[.]link\r\nnavermailteam[.]online\r\nnavermailservice[.]com\r\nmailservicecorp[.]online\r\nmailhelp[.]online\r\nmailcustomerservice[.]site\r\ncloudcentre[.]xyz\r\nnaverservice[.]host\r\nmailserviceteam[.]email\r\nnavermcorp[.]com\r\nnaverserviceteam[.]com\r\nnaversecurityteam[.]com\r\nnavermanageteam[.]com\r\nnavermailmanage[.]com\r\nnavercorpservice[.]com\r\nnavermailcorp[.]com\r\nnaversecurityservice[.]online\r\nnavermailservice[.]online\r\nnavercorp[.]live\r\nnavercscorp[.]com\r\nnavermanage[.]live\r\nnavermanage[.]com\r\nnavernidmail[.]com\r\nnoreplya[.]xyz\r\n[+] Emails\r\n# Dropbox accounts associated email addresses\r\npeterstewart0326@gmail[.]com\r\nkimkl0222@hotmail[.]com\r\nlaris081007@hotmail[.]com\r\n[+] PDB path\r\nD:\\Works\\PC_2022\\ACKS_2012\\fengine\\Release\\fengine.pdb\r\nAbout us\r\nZscaler ThreatLabz is a global threat research team with a mission to protect customers from advanced cyberthreats. 
Made up of more than 100 security experts with decades of experience in tracking threat actors, malware reverse engineering, behavior analytics, and data science, the team operates 24/7 to identify and prevent emerging threats using insights from 300 trillion daily signals from the Zscaler Zero Trust Exchange.\r\nSince its inception, ThreatLabz has been tracking the evolution of emerging threat vectors, campaigns, and groups, contributing critical findings and insights on zero-day vulnerabilities, including active IOCs and TTPs for threat actors, malware, and ransomware families, phishing campaigns, and more.\r\nThreatLabz supports industry information sharing and plays an integral role in the development of world-class security solutions at Zscaler. See the latest ThreatLabz threat research on the Zscaler blog.\r\nSource: https://www.zscaler.jp/blogs/security-research/naver-ending-game-lazarus-apt",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://www.zscaler.jp/blogs/security-research/naver-ending-game-lazarus-apt"
	],
	"report_names": [
		"naver-ending-game-lazarus-apt"
	],
	"threat_actors": [
		{
			"id": "34eea331-d052-4096-ae03-a22f1d090bd4",
			"created_at": "2025-08-07T02:03:25.073494Z",
			"updated_at": "2026-04-10T02:00:03.709243Z",
			"deleted_at": null,
			"main_name": "NICKEL ACADEMY",
			"aliases": [
				"ATK3 ",
				"Black Artemis ",
				"COVELLITE ",
				"CTG-2460 ",
				"Citrine Sleet ",
				"Diamond Sleet ",
				"Guardians of Peace",
				"HIDDEN COBRA ",
				"High Anonymous",
				"Labyrinth Chollima ",
				"Lazarus Group ",
				"NNPT Group",
				"New Romanic Cyber Army Team",
				"Temp.Hermit ",
				"UNC577 ",
				"Who Am I?",
				"Whois Team",
				"ZINC "
			],
			"source_name": "Secureworks:NICKEL ACADEMY",
			"tools": [
				"Destover",
				"KorHigh",
				"Volgmer"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "77b28afd-8187-4917-a453-1d5a279cb5e4",
			"created_at": "2022-10-25T15:50:23.768278Z",
			"updated_at": "2026-04-10T02:00:05.266635Z",
			"deleted_at": null,
			"main_name": "Inception",
			"aliases": [
				"Inception Framework",
				"Cloud Atlas"
			],
			"source_name": "MITRE:Inception",
			"tools": [
				"PowerShower",
				"VBShower",
				"LaZagne"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "732597b1-40a8-474c-88cc-eb8a421c29f1",
			"created_at": "2025-08-07T02:03:25.087732Z",
			"updated_at": "2026-04-10T02:00:03.776007Z",
			"deleted_at": null,
			"main_name": "NICKEL GLADSTONE",
			"aliases": [
				"APT38 ",
				"ATK 117 ",
				"Alluring Pisces ",
				"Black Alicanto ",
				"Bluenoroff ",
				"CTG-6459 ",
				"Citrine Sleet ",
				"HIDDEN COBRA ",
				"Lazarus Group",
				"Sapphire Sleet ",
				"Selective Pisces ",
				"Stardust Chollima ",
				"T-APT-15 ",
				"TA444 ",
				"TAG-71 "
			],
			"source_name": "Secureworks:NICKEL GLADSTONE",
			"tools": [
				"AlphaNC",
				"Bankshot",
				"CCGC_Proxy",
				"Ratankba",
				"RustBucket",
				"SUGARLOADER",
				"SwiftLoader",
				"Wcry"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "a2b92056-9378-4749-926b-7e10c4500dac",
			"created_at": "2023-01-06T13:46:38.430595Z",
			"updated_at": "2026-04-10T02:00:02.971571Z",
			"deleted_at": null,
			"main_name": "Lazarus Group",
			"aliases": [
				"Operation DarkSeoul",
				"Bureau 121",
				"Group 77",
				"APT38",
				"NICKEL GLADSTONE",
				"G0082",
				"COPERNICIUM",
				"Moonstone Sleet",
				"Operation GhostSecret",
				"APT 38",
				"Appleworm",
				"Unit 121",
				"ATK3",
				"G0032",
				"ATK117",
				"NewRomanic Cyber Army Team",
				"Nickel Academy",
				"Sapphire Sleet",
				"Lazarus group",
				"Hastati Group",
				"Subgroup: Bluenoroff",
				"Operation Troy",
				"Black Artemis",
				"Dark Seoul",
				"Andariel",
				"Labyrinth Chollima",
				"Operation AppleJeus",
				"COVELLITE",
				"Citrine Sleet",
				"DEV-0139",
				"DEV-1222",
				"Hidden Cobra",
				"Bluenoroff",
				"Stardust Chollima",
				"Whois Hacking Team",
				"Diamond Sleet",
				"TA404",
				"BeagleBoyz",
				"APT-C-26"
			],
			"source_name": "MISPGALAXY:Lazarus Group",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "32a223a8-3c79-4146-87c5-8557d38662ae",
			"created_at": "2022-10-25T15:50:23.703698Z",
			"updated_at": "2026-04-10T02:00:05.261989Z",
			"deleted_at": null,
			"main_name": "Lazarus Group",
			"aliases": [
				"Lazarus Group",
				"Labyrinth Chollima",
				"HIDDEN COBRA",
				"Guardians of Peace",
				"NICKEL ACADEMY",
				"Diamond Sleet"
			],
			"source_name": "MITRE:Lazarus Group",
			"tools": [
				"RawDisk",
				"Proxysvc",
				"BADCALL",
				"FALLCHILL",
				"WannaCry",
				"MagicRAT",
				"HOPLIGHT",
				"TYPEFRAME",
				"Dtrack",
				"HotCroissant",
				"HARDRAIN",
				"Dacls",
				"KEYMARBLE",
				"TAINTEDSCRIBE",
				"AuditCred",
				"netsh",
				"ECCENTRICBANDWAGON",
				"AppleJeus",
				"BLINDINGCAN",
				"ThreatNeedle",
				"Volgmer",
				"Cryptoistic",
				"RATANKBA",
				"Bankshot"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "f32df445-9fb4-4234-99e0-3561f6498e4e",
			"created_at": "2022-10-25T16:07:23.756373Z",
			"updated_at": "2026-04-10T02:00:04.739611Z",
			"deleted_at": null,
			"main_name": "Lazarus Group",
			"aliases": [
				"APT-C-26",
				"ATK 3",
				"Appleworm",
				"Citrine Sleet",
				"DEV-0139",
				"Diamond Sleet",
				"G0032",
				"Gleaming Pisces",
				"Gods Apostles",
				"Gods Disciples",
				"Group 77",
				"Guardians of Peace",
				"Hastati Group",
				"Hidden Cobra",
				"ITG03",
				"Jade Sleet",
				"Labyrinth Chollima",
				"Lazarus Group",
				"NewRomanic Cyber Army Team",
				"Operation 99",
				"Operation AppleJeus",
				"Operation AppleJeus sequel",
				"Operation Blockbuster: Breach of Sony Pictures Entertainment",
				"Operation CryptoCore",
				"Operation Dream Job",
				"Operation Dream Magic",
				"Operation Flame",
				"Operation GhostSecret",
				"Operation In(ter)caption",
				"Operation LolZarus",
				"Operation Marstech Mayhem",
				"Operation No Pineapple!",
				"Operation North Star",
				"Operation Phantom Circuit",
				"Operation Sharpshooter",
				"Operation SyncHole",
				"Operation Ten Days of Rain / DarkSeoul",
				"Operation Troy",
				"SectorA01",
				"Slow Pisces",
				"TA404",
				"TraderTraitor",
				"UNC2970",
				"UNC4034",
				"UNC4736",
				"UNC4899",
				"UNC577",
				"Whois Hacking Team"
			],
			"source_name": "ETDA:Lazarus Group",
			"tools": [
				"3CX Backdoor",
				"3Rat Client",
				"3proxy",
				"AIRDRY",
				"ARTFULPIE",
				"ATMDtrack",
				"AlphaNC",
				"Alreay",
				"Andaratm",
				"AngryRebel",
				"AppleJeus",
				"Aryan",
				"AuditCred",
				"BADCALL",
				"BISTROMATH",
				"BLINDINGCAN",
				"BTC Changer",
				"BUFFETLINE",
				"BanSwift",
				"Bankshot",
				"Bitrep",
				"Bitsran",
				"BlindToad",
				"Bookcode",
				"BootWreck",
				"BottomLoader",
				"Brambul",
				"BravoNC",
				"Breut",
				"COLDCAT",
				"COPPERHEDGE",
				"CROWDEDFLOUNDER",
				"Castov",
				"CheeseTray",
				"CleanToad",
				"ClientTraficForwarder",
				"CollectionRAT",
				"Concealment Troy",
				"Contopee",
				"CookieTime",
				"Cyruslish",
				"DAVESHELL",
				"DBLL Dropper",
				"DLRAT",
				"DRATzarus",
				"DRATzarus RAT",
				"Dacls",
				"Dacls RAT",
				"DarkComet",
				"DarkKomet",
				"DeltaCharlie",
				"DeltaNC",
				"Dembr",
				"Destover",
				"DoublePulsar",
				"Dozer",
				"Dtrack",
				"Duuzer",
				"DyePack",
				"ECCENTRICBANDWAGON",
				"ELECTRICFISH",
				"Escad",
				"EternalBlue",
				"FALLCHILL",
				"FYNLOS",
				"FallChill RAT",
				"Farfli",
				"Fimlis",
				"FoggyBrass",
				"FudModule",
				"Fynloski",
				"Gh0st RAT",
				"Ghost RAT",
				"Gopuram",
				"HARDRAIN",
				"HIDDEN COBRA RAT/Worm",
				"HLOADER",
				"HOOKSHOT",
				"HOPLIGHT",
				"HOTCROISSANT",
				"HOTWAX",
				"HTTP Troy",
				"Hawup",
				"Hawup RAT",
				"Hermes",
				"HotCroissant",
				"HotelAlfa",
				"Hotwax",
				"HtDnDownLoader",
				"Http Dr0pper",
				"ICONICSTEALER",
				"Joanap",
				"Jokra",
				"KANDYKORN",
				"KEYMARBLE",
				"Kaos",
				"KillDisk",
				"KillMBR",
				"Koredos",
				"Krademok",
				"LIGHTSHIFT",
				"LIGHTSHOW",
				"LOLBAS",
				"LOLBins",
				"Lazarus",
				"LightlessCan",
				"Living off the Land",
				"MATA",
				"MBRkiller",
				"MagicRAT",
				"Manuscrypt",
				"Mimail",
				"Mimikatz",
				"Moudour",
				"Mydoom",
				"Mydoor",
				"Mytob",
				"NACHOCHEESE",
				"NachoCheese",
				"NestEgg",
				"NickelLoader",
				"NineRAT",
				"Novarg",
				"NukeSped",
				"OpBlockBuster",
				"PCRat",
				"PEBBLEDASH",
				"PLANKWALK",
				"POOLRAT",
				"PSLogger",
				"PhanDoor",
				"Plink",
				"PondRAT",
				"PowerBrace",
				"PowerRatankba",
				"PowerShell RAT",
				"PowerSpritz",
				"PowerTask",
				"Preft",
				"ProcDump",
				"Proxysvc",
				"PuTTY Link",
				"QUICKRIDE",
				"QUICKRIDE.POWER",
				"Quickcafe",
				"QuiteRAT",
				"R-C1",
				"ROptimizer",
				"Ratabanka",
				"RatabankaPOS",
				"Ratankba",
				"RatankbaPOS",
				"RawDisk",
				"RedShawl",
				"Rifdoor",
				"Rising Sun",
				"Romeo-CoreOne",
				"RomeoAlfa",
				"RomeoBravo",
				"RomeoCharlie",
				"RomeoCore",
				"RomeoDelta",
				"RomeoEcho",
				"RomeoFoxtrot",
				"RomeoGolf",
				"RomeoHotel",
				"RomeoMike",
				"RomeoNovember",
				"RomeoWhiskey",
				"Romeos",
				"RustBucket",
				"SHADYCAT",
				"SHARPKNOT",
				"SIGFLIP",
				"SIMPLESEA",
				"SLICKSHOES",
				"SORRYBRUTE",
				"SUDDENICON",
				"SUGARLOADER",
				"SheepRAT",
				"SierraAlfa",
				"SierraBravo",
				"SierraCharlie",
				"SierraJuliett-MikeOne",
				"SierraJuliett-MikeTwo",
				"SimpleTea",
				"SimplexTea",
				"SmallTiger",
				"Stunnel",
				"TAINTEDSCRIBE",
				"TAXHAUL",
				"TFlower",
				"TOUCHKEY",
				"TOUCHMOVE",
				"TOUCHSHIFT",
				"TOUCHSHOT",
				"TWOPENCE",
				"TYPEFRAME",
				"Tdrop",
				"Tdrop2",
				"ThreatNeedle",
				"Tiger RAT",
				"TigerRAT",
				"Trojan Manuscript",
				"Troy",
				"TroyRAT",
				"VEILEDSIGNAL",
				"VHD",
				"VHD Ransomware",
				"VIVACIOUSGIFT",
				"VSingle",
				"ValeforBeta",
				"Volgmer",
				"Vyveva",
				"W1_RAT",
				"Wana Decrypt0r",
				"WanaCry",
				"WanaCrypt",
				"WanaCrypt0r",
				"WannaCry",
				"WannaCrypt",
				"WannaCryptor",
				"WbBot",
				"Wcry",
				"Win32/KillDisk.NBB",
				"Win32/KillDisk.NBC",
				"Win32/KillDisk.NBD",
				"Win32/KillDisk.NBH",
				"Win32/KillDisk.NBI",
				"WinorDLL64",
				"Winsec",
				"WolfRAT",
				"Wormhole",
				"YamaBot",
				"Yort",
				"ZetaNile",
				"concealment_troy",
				"http_troy",
				"httpdr0pper",
				"httpdropper",
				"klovbot",
				"sRDI"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434196,
	"ts_updated_at": 1775792300,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/857fb2e694096decec45ab244250e52ac3017cf1.pdf",
		"text": "https://archive.orkl.eu/857fb2e694096decec45ab244250e52ac3017cf1.txt",
		"img": "https://archive.orkl.eu/857fb2e694096decec45ab244250e52ac3017cf1.jpg"
	}
}