{
	"id": "2b4d0219-a429-4096-bda0-a7d82c8f5dea",
	"created_at": "2026-04-06T00:12:49.718374Z",
	"updated_at": "2026-04-10T13:12:27.465598Z",
	"deleted_at": null,
	"sha1_hash": "89cc28094a8036116922ec261c548d199520aa8b",
	"title": "Anchor and Lazarus together again?",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 278637,
	"plain_text": "Anchor and Lazarus together again?\r\nBy Jason Reaves\r\nPublished: 2021-01-20 · Archived: 2026-04-05 16:07:38 UTC\r\nOn 6 July 2020 SanSec reported that the North Korean APT group dubbed Lazarus/HIDDEN COBRA was performing MageCart-style attacks against websites[1].\r\nTwo mentions in their report are interesting: PaperSource and FocusCamera[1].\r\nhttps://medium.com/walmartglobaltech/anchor-and-lazarus-together-again-24744e516607\r\nPage 1 of 6\r\nPhoto Credit: SanSec\r\nThe entire North Korea link appears to hinge on IP reuse for an IP in LeaseWeb, which is a weak link for attribution, but there may be non-public details about the incident. The more interesting aspect is the context we can provide to the story, namely the connection to TrickBot/Anchor. You may recall that this would not be the first time this cybercrime crew has been caught working with Lazarus.\r\nAlso interesting from the article: “The malware was removed within 24 hours but a week later, the very same malware resurfaced on the same store.”[1] This would suggest the attackers had a foothold, or “Anchor”, into the environment.\r\nFocusCamera\r\nThis name immediately stood out after reading the SanSec report; it came up during our previous work revolving around PowerTrick[4], the PowerShell framework developed and utilized by TrickBot/Anchor actors. The company appears to have been initially breached by TrickBot around October 2019, and the actors then began using PowerTrick to pivot around.\r\n3|C:\\WINDOWS\\system32|NYIT581|FC\\NYIT581$|NT AUTHORITY\\SYSTEM|4C4C4544-004C-4310-8031-CAC04F575231|Mi\r\nPowerTrick bot listing network devices.\r\nPaperSource\r\nWe have reason to believe that PaperSource was also initially TrickBot and later Anchor and MemScraper, which is the POS component of the Anchor framework previously detailed[5].\r\nPaperSource MemScraper infection\r\nGiven these revelations we have two possibilities:\r\n— The SanSec NK attribution is incorrect and TrickBot actors are also interested in leveraging jsSniffers against victim websites in MageCart-style attacks.\r\n— The SanSec NK attribution is correct and this is one more example of Lazarus being involved in TrickBot-infected institutions.\r\nBy: Jason Reaves and Joshua Platt\r\nReferences\r\n1. https://www.zdnet.com/article/trickbot-gang-is-now-a-malware-supplier-for-north-korean-hackers/\r\n2. https://sansec.io/research/north-korea-magecart\r\n3. https://intel471.com/blog/partners-in-crime-north-koreans-and-elite-russian-speaking-cybercriminals/\r\n4. https://www.darkreading.com/vulnerabilities---threats/trickbot-group-adds-new-powershell-based-backdoor-to-arsenal/d/d-id/1336769\r\n5. https://labs.sentinelone.com/the-deadly-planeswalker-how-the-trickbot-group-united-high-tech-crimeware-apt/\r\nSource: https://medium.com/walmartglobaltech/anchor-and-lazarus-together-again-24744e516607",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://medium.com/walmartglobaltech/anchor-and-lazarus-together-again-24744e516607"
	],
	"report_names": [
		"anchor-and-lazarus-together-again-24744e516607"
	],
	"threat_actors": [
		{
			"id": "34eea331-d052-4096-ae03-a22f1d090bd4",
			"created_at": "2025-08-07T02:03:25.073494Z",
			"updated_at": "2026-04-10T02:00:03.709243Z",
			"deleted_at": null,
			"main_name": "NICKEL ACADEMY",
			"aliases": [
				"ATK3 ",
				"Black Artemis ",
				"COVELLITE ",
				"CTG-2460 ",
				"Citrine Sleet ",
				"Diamond Sleet ",
				"Guardians of Peace",
				"HIDDEN COBRA ",
				"High Anonymous",
				"Labyrinth Chollima ",
				"Lazarus Group ",
				"NNPT Group",
				"New Romanic Cyber Army Team",
				"Temp.Hermit ",
				"UNC577 ",
				"Who Am I?",
				"Whois Team",
				"ZINC "
			],
			"source_name": "Secureworks:NICKEL ACADEMY",
			"tools": [
				"Destover",
				"KorHigh",
				"Volgmer"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "5a0483f5-09b3-4673-bb5a-56d41eaf91ed",
			"created_at": "2023-01-06T13:46:38.814104Z",
			"updated_at": "2026-04-10T02:00:03.110104Z",
			"deleted_at": null,
			"main_name": "MageCart",
			"aliases": [],
			"source_name": "MISPGALAXY:MageCart",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "732597b1-40a8-474c-88cc-eb8a421c29f1",
			"created_at": "2025-08-07T02:03:25.087732Z",
			"updated_at": "2026-04-10T02:00:03.776007Z",
			"deleted_at": null,
			"main_name": "NICKEL GLADSTONE",
			"aliases": [
				"APT38 ",
				"ATK 117 ",
				"Alluring Pisces ",
				"Black Alicanto ",
				"Bluenoroff ",
				"CTG-6459 ",
				"Citrine Sleet ",
				"HIDDEN COBRA ",
				"Lazarus Group",
				"Sapphire Sleet ",
				"Selective Pisces ",
				"Stardust Chollima ",
				"T-APT-15 ",
				"TA444 ",
				"TAG-71 "
			],
			"source_name": "Secureworks:NICKEL GLADSTONE",
			"tools": [
				"AlphaNC",
				"Bankshot",
				"CCGC_Proxy",
				"Ratankba",
				"RustBucket",
				"SUGARLOADER",
				"SwiftLoader",
				"Wcry"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "a2b92056-9378-4749-926b-7e10c4500dac",
			"created_at": "2023-01-06T13:46:38.430595Z",
			"updated_at": "2026-04-10T02:00:02.971571Z",
			"deleted_at": null,
			"main_name": "Lazarus Group",
			"aliases": [
				"Operation DarkSeoul",
				"Bureau 121",
				"Group 77",
				"APT38",
				"NICKEL GLADSTONE",
				"G0082",
				"COPERNICIUM",
				"Moonstone Sleet",
				"Operation GhostSecret",
				"APT 38",
				"Appleworm",
				"Unit 121",
				"ATK3",
				"G0032",
				"ATK117",
				"NewRomanic Cyber Army Team",
				"Nickel Academy",
				"Sapphire Sleet",
				"Lazarus group",
				"Hastati Group",
				"Subgroup: Bluenoroff",
				"Operation Troy",
				"Black Artemis",
				"Dark Seoul",
				"Andariel",
				"Labyrinth Chollima",
				"Operation AppleJeus",
				"COVELLITE",
				"Citrine Sleet",
				"DEV-0139",
				"DEV-1222",
				"Hidden Cobra",
				"Bluenoroff",
				"Stardust Chollima",
				"Whois Hacking Team",
				"Diamond Sleet",
				"TA404",
				"BeagleBoyz",
				"APT-C-26"
			],
			"source_name": "MISPGALAXY:Lazarus Group",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "32a223a8-3c79-4146-87c5-8557d38662ae",
			"created_at": "2022-10-25T15:50:23.703698Z",
			"updated_at": "2026-04-10T02:00:05.261989Z",
			"deleted_at": null,
			"main_name": "Lazarus Group",
			"aliases": [
				"Lazarus Group",
				"Labyrinth Chollima",
				"HIDDEN COBRA",
				"Guardians of Peace",
				"NICKEL ACADEMY",
				"Diamond Sleet"
			],
			"source_name": "MITRE:Lazarus Group",
			"tools": [
				"RawDisk",
				"Proxysvc",
				"BADCALL",
				"FALLCHILL",
				"WannaCry",
				"MagicRAT",
				"HOPLIGHT",
				"TYPEFRAME",
				"Dtrack",
				"HotCroissant",
				"HARDRAIN",
				"Dacls",
				"KEYMARBLE",
				"TAINTEDSCRIBE",
				"AuditCred",
				"netsh",
				"ECCENTRICBANDWAGON",
				"AppleJeus",
				"BLINDINGCAN",
				"ThreatNeedle",
				"Volgmer",
				"Cryptoistic",
				"RATANKBA",
				"Bankshot"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "f32df445-9fb4-4234-99e0-3561f6498e4e",
			"created_at": "2022-10-25T16:07:23.756373Z",
			"updated_at": "2026-04-10T02:00:04.739611Z",
			"deleted_at": null,
			"main_name": "Lazarus Group",
			"aliases": [
				"APT-C-26",
				"ATK 3",
				"Appleworm",
				"Citrine Sleet",
				"DEV-0139",
				"Diamond Sleet",
				"G0032",
				"Gleaming Pisces",
				"Gods Apostles",
				"Gods Disciples",
				"Group 77",
				"Guardians of Peace",
				"Hastati Group",
				"Hidden Cobra",
				"ITG03",
				"Jade Sleet",
				"Labyrinth Chollima",
				"Lazarus Group",
				"NewRomanic Cyber Army Team",
				"Operation 99",
				"Operation AppleJeus",
				"Operation AppleJeus sequel",
				"Operation Blockbuster: Breach of Sony Pictures Entertainment",
				"Operation CryptoCore",
				"Operation Dream Job",
				"Operation Dream Magic",
				"Operation Flame",
				"Operation GhostSecret",
				"Operation In(ter)caption",
				"Operation LolZarus",
				"Operation Marstech Mayhem",
				"Operation No Pineapple!",
				"Operation North Star",
				"Operation Phantom Circuit",
				"Operation Sharpshooter",
				"Operation SyncHole",
				"Operation Ten Days of Rain / DarkSeoul",
				"Operation Troy",
				"SectorA01",
				"Slow Pisces",
				"TA404",
				"TraderTraitor",
				"UNC2970",
				"UNC4034",
				"UNC4736",
				"UNC4899",
				"UNC577",
				"Whois Hacking Team"
			],
			"source_name": "ETDA:Lazarus Group",
			"tools": [
				"3CX Backdoor",
				"3Rat Client",
				"3proxy",
				"AIRDRY",
				"ARTFULPIE",
				"ATMDtrack",
				"AlphaNC",
				"Alreay",
				"Andaratm",
				"AngryRebel",
				"AppleJeus",
				"Aryan",
				"AuditCred",
				"BADCALL",
				"BISTROMATH",
				"BLINDINGCAN",
				"BTC Changer",
				"BUFFETLINE",
				"BanSwift",
				"Bankshot",
				"Bitrep",
				"Bitsran",
				"BlindToad",
				"Bookcode",
				"BootWreck",
				"BottomLoader",
				"Brambul",
				"BravoNC",
				"Breut",
				"COLDCAT",
				"COPPERHEDGE",
				"CROWDEDFLOUNDER",
				"Castov",
				"CheeseTray",
				"CleanToad",
				"ClientTraficForwarder",
				"CollectionRAT",
				"Concealment Troy",
				"Contopee",
				"CookieTime",
				"Cyruslish",
				"DAVESHELL",
				"DBLL Dropper",
				"DLRAT",
				"DRATzarus",
				"DRATzarus RAT",
				"Dacls",
				"Dacls RAT",
				"DarkComet",
				"DarkKomet",
				"DeltaCharlie",
				"DeltaNC",
				"Dembr",
				"Destover",
				"DoublePulsar",
				"Dozer",
				"Dtrack",
				"Duuzer",
				"DyePack",
				"ECCENTRICBANDWAGON",
				"ELECTRICFISH",
				"Escad",
				"EternalBlue",
				"FALLCHILL",
				"FYNLOS",
				"FallChill RAT",
				"Farfli",
				"Fimlis",
				"FoggyBrass",
				"FudModule",
				"Fynloski",
				"Gh0st RAT",
				"Ghost RAT",
				"Gopuram",
				"HARDRAIN",
				"HIDDEN COBRA RAT/Worm",
				"HLOADER",
				"HOOKSHOT",
				"HOPLIGHT",
				"HOTCROISSANT",
				"HOTWAX",
				"HTTP Troy",
				"Hawup",
				"Hawup RAT",
				"Hermes",
				"HotCroissant",
				"HotelAlfa",
				"Hotwax",
				"HtDnDownLoader",
				"Http Dr0pper",
				"ICONICSTEALER",
				"Joanap",
				"Jokra",
				"KANDYKORN",
				"KEYMARBLE",
				"Kaos",
				"KillDisk",
				"KillMBR",
				"Koredos",
				"Krademok",
				"LIGHTSHIFT",
				"LIGHTSHOW",
				"LOLBAS",
				"LOLBins",
				"Lazarus",
				"LightlessCan",
				"Living off the Land",
				"MATA",
				"MBRkiller",
				"MagicRAT",
				"Manuscrypt",
				"Mimail",
				"Mimikatz",
				"Moudour",
				"Mydoom",
				"Mydoor",
				"Mytob",
				"NACHOCHEESE",
				"NachoCheese",
				"NestEgg",
				"NickelLoader",
				"NineRAT",
				"Novarg",
				"NukeSped",
				"OpBlockBuster",
				"PCRat",
				"PEBBLEDASH",
				"PLANKWALK",
				"POOLRAT",
				"PSLogger",
				"PhanDoor",
				"Plink",
				"PondRAT",
				"PowerBrace",
				"PowerRatankba",
				"PowerShell RAT",
				"PowerSpritz",
				"PowerTask",
				"Preft",
				"ProcDump",
				"Proxysvc",
				"PuTTY Link",
				"QUICKRIDE",
				"QUICKRIDE.POWER",
				"Quickcafe",
				"QuiteRAT",
				"R-C1",
				"ROptimizer",
				"Ratabanka",
				"RatabankaPOS",
				"Ratankba",
				"RatankbaPOS",
				"RawDisk",
				"RedShawl",
				"Rifdoor",
				"Rising Sun",
				"Romeo-CoreOne",
				"RomeoAlfa",
				"RomeoBravo",
				"RomeoCharlie",
				"RomeoCore",
				"RomeoDelta",
				"RomeoEcho",
				"RomeoFoxtrot",
				"RomeoGolf",
				"RomeoHotel",
				"RomeoMike",
				"RomeoNovember",
				"RomeoWhiskey",
				"Romeos",
				"RustBucket",
				"SHADYCAT",
				"SHARPKNOT",
				"SIGFLIP",
				"SIMPLESEA",
				"SLICKSHOES",
				"SORRYBRUTE",
				"SUDDENICON",
				"SUGARLOADER",
				"SheepRAT",
				"SierraAlfa",
				"SierraBravo",
				"SierraCharlie",
				"SierraJuliett-MikeOne",
				"SierraJuliett-MikeTwo",
				"SimpleTea",
				"SimplexTea",
				"SmallTiger",
				"Stunnel",
				"TAINTEDSCRIBE",
				"TAXHAUL",
				"TFlower",
				"TOUCHKEY",
				"TOUCHMOVE",
				"TOUCHSHIFT",
				"TOUCHSHOT",
				"TWOPENCE",
				"TYPEFRAME",
				"Tdrop",
				"Tdrop2",
				"ThreatNeedle",
				"Tiger RAT",
				"TigerRAT",
				"Trojan Manuscript",
				"Troy",
				"TroyRAT",
				"VEILEDSIGNAL",
				"VHD",
				"VHD Ransomware",
				"VIVACIOUSGIFT",
				"VSingle",
				"ValeforBeta",
				"Volgmer",
				"Vyveva",
				"W1_RAT",
				"Wana Decrypt0r",
				"WanaCry",
				"WanaCrypt",
				"WanaCrypt0r",
				"WannaCry",
				"WannaCrypt",
				"WannaCryptor",
				"WbBot",
				"Wcry",
				"Win32/KillDisk.NBB",
				"Win32/KillDisk.NBC",
				"Win32/KillDisk.NBD",
				"Win32/KillDisk.NBH",
				"Win32/KillDisk.NBI",
				"WinorDLL64",
				"Winsec",
				"WolfRAT",
				"Wormhole",
				"YamaBot",
				"Yort",
				"ZetaNile",
				"concealment_troy",
				"http_troy",
				"httpdr0pper",
				"httpdropper",
				"klovbot",
				"sRDI"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434369,
	"ts_updated_at": 1775826747,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/89cc28094a8036116922ec261c548d199520aa8b.pdf",
		"text": "https://archive.orkl.eu/89cc28094a8036116922ec261c548d199520aa8b.txt",
		"img": "https://archive.orkl.eu/89cc28094a8036116922ec261c548d199520aa8b.jpg"
	}
}