{
	"id": "8b9a5d57-f2b1-4562-b8a5-2031350f3abd",
	"created_at": "2026-04-06T00:12:10.289123Z",
	"updated_at": "2026-04-10T03:38:19.34753Z",
	"deleted_at": null,
	"sha1_hash": "8a9a3f3891bcc164a7d246d3655d0f3779e721b2",
	"title": "WinorDLL64: A backdoor from the vast Lazarus arsenal?",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1054843,
	"plain_text": "WinorDLL64: A backdoor from the vast Lazarus arsenal?\r\nBy Vladislav Hrčka\r\nArchived: 2026-04-05 20:04:55 UTC\r\nESET researchers have discovered one of the payloads of the Wslink downloader that we uncovered back in 2021.\r\nWe named this payload WinorDLL64 based on its filename WinorDLL64.dll. Wslink, which had the filename\r\nWinorLoaderDLL64.dll, is a loader for Windows binaries that, unlike other such loaders, runs as a server and\r\nexecutes received modules in memory. As the wording suggests, a loader serves as a tool to load a payload, or the\r\nactual malware, onto the already compromised system. The initial Wslink compromise vector has not been\r\nidentified.\r\nThe initially unknown Wslink payload was uploaded to VirusTotal from South Korea shortly after the publication\r\nof our blogpost, and hit one of our YARA rules based on Wslink’s unique name WinorDLL64. Regarding Wslink,\r\nESET telemetry has seen only a few detections - in Central Europe, North America, and the Middle East.\r\nThe WinorDLL64 payload serves as a backdoor that most notably acquires extensive system information, provides\r\nmeans for file manipulation, such as exfiltrating, overwriting, and removing files, and executes additional\r\ncommands. Interestingly, it communicates over a connection that was already established by the Wslink loader.\r\nIn 2021, we did not find any data that would suggest Wslink is a tool from a known threat actor. 
However, after an\r\nextensive analysis of the payload, we have attributed WinorDLL64 to the Lazarus APT group with low confidence\r\nbased on the targeted region and an overlap in both behavior and code with known Lazarus samples.\r\nActive since at least 2009, this infamous North-Korea aligned group is responsible for high-profile incidents such\r\nas both the Sony Pictures Entertainment hack and tens-of-millions-of-dollar cyberheists in 2016, the\r\nWannaCryptor (aka WannaCry) outbreak in 2017, and a long history of disruptive attacks against South Korean\r\npublic and critical infrastructure since at least 2011. US-CERT and the FBI call this group HIDDEN COBRA.\r\nBased on our extensive knowledge of the activities and operations of this group, we believe that Lazarus consists\r\nof a large team that is systematically organized, well prepared, and is made up of several subgroups that utilize a\r\nlarge toolset. Last year, we discovered a Lazarus tool that took advantage of the CVE‑2021‑21551 vulnerability to\r\ntarget an employee of an aerospace company in the Netherlands, and a political journalist in Belgium. It was the\r\nfirst recorded abuse of the vulnerability; in combination, the tool and the vulnerability led to the blinding of the\r\nmonitoring of all security solutions on compromised machines. We also provided an extensive description of the\r\nstructure of the virtual machine used in samples of Wslink.\r\nThis blogpost explains the attribution of WinorDLL64 to Lazarus and provides an analysis of the payload.\r\nLinks to Lazarus\r\nWe have discovered overlaps in both behavior and code with Lazarus samples from Operation GhostSecret and\r\nthe Bankshot implant described by McAfee. 
The description of the implants in both GhostSecret and Bankshot\r\nhttps://www.welivesecurity.com/2023/02/23/winordll64-backdoor-vast-lazarus-arsenal/\r\nPage 1 of 12\n\narticles contains overlaps in the functionality with WinorDLL64 and we found some code overlap in the samples.\r\nIn this blogpost we will only use the FE887FCAB66D7D7F79F05E0266C0649F0114BA7C sample from\r\nGhostSecret for comparison against WinorDLL64 (1BA443FDE984CEE85EBD4D4FA7EB1263A6F1257F),\r\nunless specified otherwise.\r\nThe following details summarize the supporting facts for our low confidence attribution to Lazarus:\r\n1. Victimology\r\nFellow researchers from AhnLab confirmed South Korean victims of Wslink in their telemetry, which is a\r\nrelevant indicator considering the traditional Lazarus targets and that we have observed only a few hits.\r\nFigure 1. Reported South Korean victim, where mstoned7 is the researcher from Ahnlab\r\n2. Malware\r\nThe latest GhostSecret sample reported by McAfee\r\n(FE887FCAB66D7D7F79F05E0266C0649F0114BA7C) is from February 2018; we spotted the first\r\nsample of Wslink in late 2018 and fellow researchers reported hits in August 2018, which they disclosed\r\nafter our publication. Hence, these samples were spotted a relatively short period of time apart.\r\nThe PE rich headers indicate that the same development environment and projects of similar size were used\r\nin several other known Lazarus samples (e.g., 70DE783E5D48C6FBB576BC494BAF0634BC304FD6;\r\n8EC9219303953396E1CB7105CDB18ED6C568E962). We found this overlap using the following rules\r\nthat cover only these Wslink and Lazarus samples, which is an indicator with a low weight. 
We tested them\r\non VirusTotal’s retrohunt and our internal file corpus.\r\npe.rich_signature.length == 80 and\r\npe.rich_signature.toolid(175, 30319) == 7 and\r\npe.rich_signature.toolid(155, 30319) == 1 and\r\npe.rich_signature.toolid(158, 30319) == 10 and\r\npe.rich_signature.toolid(170, 30319) \u003e= 90 and\r\npe.rich_signature.toolid(170, 30319) \u003c= 108\r\nThis rule can be translated to the following notation that is more readable and used by VirusTotal, where one can\r\nsee the product version and build ID (VS2010 build 30319), number and type of source/object files used ([LTCG\r\nC++] where LTCG stands for Link Time Code Generation, [ASM], [ C ]), and number of exports ([EXP]) in the\r\nrule:\r\n[LTCG C++] VS2010 build 30319 count=7\r\n[EXP] VS2010 build 30319 count=1\r\n[ASM] VS2010 build 30319 count=10\r\n[ C ] VS2010 build 30319 count in [ 90 .. 108 ]\r\nThe GhostSecret article described “a unique data-gathering and implant-installation component that listens\r\non port 443 for inbound control server connections” that additionally ran as a service. This is an accurate\r\ndescription of Wslink downloader behavior, apart from the port number, which can vary based on the\r\nconfiguration. To sum it up, even though the implementation is different, both serve the same purpose.\r\nThe loader is virtualized by Oreans’ Code Virtualizer, which is a commercial protector that is used\r\nfrequently by Lazarus.\r\nThe loader uses the MemoryModule library to load modules directly from memory. The library is not\r\ncommonly used by malware, but it is quite popular among North Korea-aligned groups such as Lazarus\r\nand Kimsuky.\r\nWe also found overlap in the code between WinorDLL64 and GhostSecret during our analysis. The results\r\nand their significance for attribution are listed in Table 1.\r\nTable 1. 
Similarities between WinorDLL64 and GhostSecret and their significance in attributing both to the same\r\nthreat actor\r\nOther similarities between WinorDLL64 and GhostSecret Impact\r\nCode overlap in code responsible for getting the processor architecture Low\r\nCode overlap in current directory manipulation Low\r\nCode overlap in getting the process list Low\r\nCode overlap in file sending Low\r\nBehavior overlap in listing processes Low\r\nBehavior overlap in current directory manipulation Low\r\nBehavior overlap in file and directory listing Low\r\nBehavior overlap in listing volumes Low\r\nBehavior overlap in reading/writing files Low\r\nBehavior overlap in creating processes Low\r\nConsiderable behavior overlap in secure removal of files Low\r\nConsiderable behavior overlap in termination of processes Low\r\nConsiderable behavior overlap in collecting system information Low\r\nCode overlap in the file sending functionality is highlighted in Figure 2 and Figure 3.\r\nFigure 2. GhostSecret sending a file\r\nFigure 3. Wslink sending a file\r\nTechnical analysis\r\nWinorDLL64 serves as a backdoor that most notably acquires extensive system information, provides means for\r\nfile manipulation, and executes additional commands. Interestingly, it communicates over a TCP connection that\r\nwas already established by its loader and uses some of the loader’s functions.\r\nFigure 4. Visualization of Wslink's communication\r\nThe backdoor is a DLL with a single unnamed export that accepts one parameter – a structure for communication\r\nthat was already described in our previous blogpost. 
The structure contains a TLS-context – socket, key, IV – and\r\ncallbacks for sending and receiving messages encrypted with 256-bit AES-CBC that enable WinorDLL64 to\r\nexchange data securely with the operator over an already established connection.\r\nThe following facts lead us to believe with high confidence that the library is indeed part of Wslink:\r\nThe unique structure is used everywhere in the expected way, e.g., the TLS-context and other meaningful\r\nparameters are supplied in the anticipated order to the correct callbacks.\r\nThe name of the DLL is WinorDLL64.dll and Wslink’s name was WinorLoaderDLL64.dll.\r\nWinorDLL64 accepts several commands. Figure 5 displays the loop that receives and handles commands. Each\r\ncommand is bound to a unique ID and accepts a configuration that contains additional parameters.\r\nFigure 5. The main part of the backdoor’s command-receiving loop\r\nThe command list, with our labels, is in Figure 6.\r\nFigure 6. The command list\r\nTable 2 contains a summary of the WinorDLL64 commands, where the modified and old categories refer to the\r\nrelationship to the previously documented GhostSecret functionality. We highlight only significant changes in the\r\nmodified category.\r\nTable 2. Overview of backdoor commands\r\nCategory Command ID Functionality Description\r\nNew\r\n0x03 Execute a PowerShell command\r\nWinorDLL64 instructs the PowerShell\r\ninterpreter to run unrestricted and to read\r\ncommands from standard input.\r\nAfterwards, the backdoor passes the\r\nspecified command to the interpreter and\r\nsends the output to the operator.\r\n0x09\r\nCompress and download a\r\ndirectory\r\nWinorDLL64 recursively iterates over a\r\nspecified directory. 
The content of each\r\nfile and directory is compressed\r\nseparately and written to a temporary file\r\nthat is afterwards sent to the operator and\r\nthen removed securely.\r\n0x0D Disconnect a session\r\nDisconnects a specified logged-on user\r\nfrom the user’s Remote Desktop Services\r\nsession. The command can also perform\r\ndifferent functionality based on the\r\nparameter.\r\n0x0D List sessions\r\nAcquires various details about all\r\nsessions on the victim’s device and sends\r\nthem to the operator. The command can\r\nalso perform different functionality based\r\non the parameter.\r\n0x0E Measure connection time\r\nUses the Windows API GetTickCount to\r\nmeasure the time required to connect to a\r\nspecified host.\r\nModified\r\n0x01 Get system info\r\nAcquires comprehensive details about the\r\nvictim’s system and sends them to the\r\noperator.\r\n0x0A Remove files securely\r\nOverwrites specified files with a block of\r\nrandom data, renames each file to a\r\nrandom name, and finally securely\r\nremoves them one by one.\r\n0x0C Kill processes\r\nTerminates all processes whose names\r\nmatch a supplied pattern and/or with a\r\nspecific PID.\r\nOld 0x02/0x0B Create a process\r\nCreates a process either as the current or\r\nspecified user and optionally sends its\r\noutput to the operator.\r\n0x05\r\nSet/Get\r\ncurrent\r\ndirectory\r\nAttempts to set and subsequently\r\nacquire the path of the current\r\nworking directory.\r\n0x06 List volumes\r\nIterates over drives from C: to Z:\r\nand acquires the drive type and\r\nvolume name. The command can\r\nalso perform different\r\nfunctionality based on the\r\nparameter.\r\n0x06\r\nList files in\r\na directory\r\nIterates over files in specified\r\ndirectory and acquires information\r\nsuch as names, attributes, etc. 
The\r\ncommand can also perform\r\ndifferent functionality based on\r\nthe parameter.\r\n0x07\r\nWrite to a\r\nfile\r\nDownloads and appends the stated\r\namount of data to the specified file.\r\n0x08\r\nRead from a\r\nfile\r\nThe specified file is read and sent\r\nto the operator.\r\n0x0C\r\nList\r\nprocesses\r\nAcquires details about all running\r\nprocesses on the victim’s device\r\nand additionally sends the ID of the\r\ncurrent process.\r\nConclusion\r\nWslink’s payload is dedicated to providing means for file manipulation, execution of further code, and obtaining\r\nextensive information about the underlying system that possibly can be leveraged later for lateral movement, due\r\nto specific interest in network sessions. The Wslink loader listens on a port specified in the configuration and can\r\nserve additional connecting clients, and even load various payloads.\r\nWinorDLL64 contains an overlap in the development environment, behavior, and code with several Lazarus\r\nsamples, which indicates that it might be a tool from the vast arsenal of this North-Korea aligned APT group.\r\nESET Research offers private APT intelligence reports and data feeds. For any inquiries about this service, visit\r\nthe ESET Threat Intelligence page.\r\nIoCs\r\nSHA-1 ESET detection name Description\r\n1BA443FDE984CEE85EBD4D4FA7EB1263A6F1257F Win64/Wslink.A\r\nMemory dump of\r\ndiscovered Wslink\r\npayload WinorDll64.\r\nMITRE ATT\u0026CK techniques\r\nThis table was built using version 12 of the ATT\u0026CK framework. 
We do not mention techniques from the loader\r\nagain, only the payload.\r\nTactic ID Name Description\r\nResource\r\nDevelopment\r\nT1587.001\r\nDevelop Capabilities:\r\nMalware\r\nWinorDLL64 is a custom tool.\r\nExecution\r\nT1059.001\r\nCommand and\r\nScripting Interpreter:\r\nPowerShell\r\nWinorDLL64 can execute arbitrary PowerShell\r\ncommands.\r\nT1106 Native API\r\nWinorDLL64 can execute further processes using\r\nthe CreateProcessW and CreateProcessAsUserW\r\nAPIs.\r\nDefense\r\nEvasion\r\nT1134.002\r\nAccess Token\r\nManipulation: Create\r\nProcess with Token\r\nWinorDLL64 can call APIs WTSQueryUserToken\r\nand CreateProcessAsUserW to create a process\r\nunder an impersonated user.\r\nT1070.004\r\nIndicator Removal:\r\nFile Deletion\r\nWinorDLL64 can securely remove arbitrary files.\r\nDiscovery\r\nT1087.001\r\nAccount Discovery:\r\nLocal Account\r\nWinorDLL64 can enumerate sessions and list\r\nassociated user and client names, among other\r\ndetails.\r\nT1087.002\r\nAccount Discovery:\r\nDomain Account\r\nWinorDLL64 can enumerate sessions and list\r\nassociated domain names, among other details.\r\nT1083\r\nFile and Directory\r\nDiscovery\r\nWinorDLL64 can obtain file and directory listings.\r\nT1135\r\nNetwork Share\r\nDiscovery\r\nWinorDLL64 can discover shared network drives.\r\nT1057 Process Discovery\r\nWinorDLL64 can collect information about\r\nrunning processes.\r\nT1012 Query Registry\r\nWinorDLL64 can query the Windows registry to\r\ngather system information.\r\nT1082\r\nSystem Information\r\nDiscovery\r\nWinorDLL64 can obtain information such as\r\ncomputer name, OS and latest service pack\r\nversion, processor architecture, processor name,\r\nand amount of space on fixed drives.\r\nT1614\r\nSystem Location\r\nDiscovery\r\nWinorDLL64 can obtain the victim’s default\r\ncountry name using the GetLocaleInfoW 
API.\r\nT1614.001\r\nSystem Location\r\nDiscovery: System\r\nLanguage Discovery\r\nWinorDLL64 can obtain the victim’s default\r\nlanguage using the GetLocaleInfoW API.\r\nT1016\r\nSystem Network\r\nConfiguration\r\nDiscovery\r\nWinorDLL64 can enumerate network adapter\r\ninformation.\r\nT1049\r\nSystem Network\r\nConnections\r\nDiscovery\r\nWinorDLL64 can collect a list of listening ports.\r\nT1033\r\nSystem Owner/User\r\nDiscovery\r\nWinorDLL64 can enumerate sessions and list\r\nassociated user, domain, and client names, among\r\nother details.\r\nCollection\r\nT1560.002\r\nArchive Collected\r\nData: Archive via\r\nLibrary\r\nWinorDLL64 can compress and exfiltrate\r\ndirectories using the quicklz library.\r\nT1005\r\nData from Local\r\nSystem\r\nWinorDLL64 can collect data on the victim’s\r\ndevice.\r\nImpact T1531\r\nAccount Access\r\nRemoval\r\nWinorDLL64 can disconnect a logged-on user\r\nfrom specified sessions.\r\nSource: https://www.welivesecurity.com/2023/02/23/winordll64-backdoor-vast-lazarus-arsenal/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA",
		"Malpedia"
	],
	"references": [
		"https://www.welivesecurity.com/2023/02/23/winordll64-backdoor-vast-lazarus-arsenal/"
	],
	"report_names": [
		"winordll64-backdoor-vast-lazarus-arsenal"
	],
	"threat_actors": [
		{
			"id": "34eea331-d052-4096-ae03-a22f1d090bd4",
			"created_at": "2025-08-07T02:03:25.073494Z",
			"updated_at": "2026-04-10T02:00:03.709243Z",
			"deleted_at": null,
			"main_name": "NICKEL ACADEMY",
			"aliases": [
				"ATK3 ",
				"Black Artemis ",
				"COVELLITE ",
				"CTG-2460 ",
				"Citrine Sleet ",
				"Diamond Sleet ",
				"Guardians of Peace",
				"HIDDEN COBRA ",
				"High Anonymous",
				"Labyrinth Chollima ",
				"Lazarus Group ",
				"NNPT Group",
				"New Romanic Cyber Army Team",
				"Temp.Hermit ",
				"UNC577 ",
				"Who Am I?",
				"Whois Team",
				"ZINC "
			],
			"source_name": "Secureworks:NICKEL ACADEMY",
			"tools": [
				"Destover",
				"KorHigh",
				"Volgmer"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "191d7f9a-8c3c-442a-9f13-debe259d4cc2",
			"created_at": "2022-10-25T15:50:23.280374Z",
			"updated_at": "2026-04-10T02:00:05.305572Z",
			"deleted_at": null,
			"main_name": "Kimsuky",
			"aliases": [
				"Kimsuky",
				"Black Banshee",
				"Velvet Chollima",
				"Emerald Sleet",
				"THALLIUM",
				"APT43",
				"TA427",
				"Springtail"
			],
			"source_name": "MITRE:Kimsuky",
			"tools": [
				"Troll Stealer",
				"schtasks",
				"Amadey",
				"GoBear",
				"Brave Prince",
				"CSPY Downloader",
				"gh0st RAT",
				"AppleSeed",
				"Gomir",
				"NOKKI",
				"QuasarRAT",
				"Gold Dragon",
				"PsExec",
				"KGH_SPY",
				"Mimikatz",
				"BabyShark",
				"TRANSLATEXT"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "760f2827-1718-4eed-8234-4027c1346145",
			"created_at": "2023-01-06T13:46:38.670947Z",
			"updated_at": "2026-04-10T02:00:03.062424Z",
			"deleted_at": null,
			"main_name": "Kimsuky",
			"aliases": [
				"G0086",
				"Emerald Sleet",
				"THALLIUM",
				"Springtail",
				"Sparkling Pisces",
				"Thallium",
				"Operation Stolen Pencil",
				"APT43",
				"Velvet Chollima",
				"Black Banshee"
			],
			"source_name": "MISPGALAXY:Kimsuky",
			"tools": [
				"xrat",
				"QUASARRAT",
				"RDP Wrapper",
				"TightVNC",
				"BabyShark",
				"RevClient"
			],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "732597b1-40a8-474c-88cc-eb8a421c29f1",
			"created_at": "2025-08-07T02:03:25.087732Z",
			"updated_at": "2026-04-10T02:00:03.776007Z",
			"deleted_at": null,
			"main_name": "NICKEL GLADSTONE",
			"aliases": [
				"APT38 ",
				"ATK 117 ",
				"Alluring Pisces ",
				"Black Alicanto ",
				"Bluenoroff ",
				"CTG-6459 ",
				"Citrine Sleet ",
				"HIDDEN COBRA ",
				"Lazarus Group",
				"Sapphire Sleet ",
				"Selective Pisces ",
				"Stardust Chollima ",
				"T-APT-15 ",
				"TA444 ",
				"TAG-71 "
			],
			"source_name": "Secureworks:NICKEL GLADSTONE",
			"tools": [
				"AlphaNC",
				"Bankshot",
				"CCGC_Proxy",
				"Ratankba",
				"RustBucket",
				"SUGARLOADER",
				"SwiftLoader",
				"Wcry"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "c8bf82a7-6887-4d46-ad70-4498b67d4c1d",
			"created_at": "2025-08-07T02:03:25.101147Z",
			"updated_at": "2026-04-10T02:00:03.846812Z",
			"deleted_at": null,
			"main_name": "NICKEL KIMBALL",
			"aliases": [
				"APT43 ",
				"ARCHIPELAGO ",
				"Black Banshee ",
				"Crooked Pisces ",
				"Emerald Sleet ",
				"ITG16 ",
				"Kimsuky ",
				"Larva-24005 ",
				"Opal Sleet ",
				"Ruby Sleet ",
				"SharpTongue ",
				"Sparking Pisces ",
				"Springtail ",
				"TA406 ",
				"TA427 ",
				"THALLIUM ",
				"UAT-5394 ",
				"Velvet Chollima "
			],
			"source_name": "Secureworks:NICKEL KIMBALL",
			"tools": [
				"BabyShark",
				"FastFire",
				"FastSpy",
				"FireViewer",
				"Konni"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "a2b92056-9378-4749-926b-7e10c4500dac",
			"created_at": "2023-01-06T13:46:38.430595Z",
			"updated_at": "2026-04-10T02:00:02.971571Z",
			"deleted_at": null,
			"main_name": "Lazarus Group",
			"aliases": [
				"Operation DarkSeoul",
				"Bureau 121",
				"Group 77",
				"APT38",
				"NICKEL GLADSTONE",
				"G0082",
				"COPERNICIUM",
				"Moonstone Sleet",
				"Operation GhostSecret",
				"APT 38",
				"Appleworm",
				"Unit 121",
				"ATK3",
				"G0032",
				"ATK117",
				"NewRomanic Cyber Army Team",
				"Nickel Academy",
				"Sapphire Sleet",
				"Lazarus group",
				"Hastati Group",
				"Subgroup: Bluenoroff",
				"Operation Troy",
				"Black Artemis",
				"Dark Seoul",
				"Andariel",
				"Labyrinth Chollima",
				"Operation AppleJeus",
				"COVELLITE",
				"Citrine Sleet",
				"DEV-0139",
				"DEV-1222",
				"Hidden Cobra",
				"Bluenoroff",
				"Stardust Chollima",
				"Whois Hacking Team",
				"Diamond Sleet",
				"TA404",
				"BeagleBoyz",
				"APT-C-26"
			],
			"source_name": "MISPGALAXY:Lazarus Group",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "32a223a8-3c79-4146-87c5-8557d38662ae",
			"created_at": "2022-10-25T15:50:23.703698Z",
			"updated_at": "2026-04-10T02:00:05.261989Z",
			"deleted_at": null,
			"main_name": "Lazarus Group",
			"aliases": [
				"Lazarus Group",
				"Labyrinth Chollima",
				"HIDDEN COBRA",
				"Guardians of Peace",
				"NICKEL ACADEMY",
				"Diamond Sleet"
			],
			"source_name": "MITRE:Lazarus Group",
			"tools": [
				"RawDisk",
				"Proxysvc",
				"BADCALL",
				"FALLCHILL",
				"WannaCry",
				"MagicRAT",
				"HOPLIGHT",
				"TYPEFRAME",
				"Dtrack",
				"HotCroissant",
				"HARDRAIN",
				"Dacls",
				"KEYMARBLE",
				"TAINTEDSCRIBE",
				"AuditCred",
				"netsh",
				"ECCENTRICBANDWAGON",
				"AppleJeus",
				"BLINDINGCAN",
				"ThreatNeedle",
				"Volgmer",
				"Cryptoistic",
				"RATANKBA",
				"Bankshot"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "71a1e16c-3ba6-4193-be62-be53527817bc",
			"created_at": "2022-10-25T16:07:23.753455Z",
			"updated_at": "2026-04-10T02:00:04.73769Z",
			"deleted_at": null,
			"main_name": "Kimsuky",
			"aliases": [
				"APT 43",
				"Black Banshee",
				"Emerald Sleet",
				"G0086",
				"G0094",
				"ITG16",
				"KTA082",
				"Kimsuky",
				"Larva-24005",
				"Larva-25004",
				"Operation Baby Coin",
				"Operation Covert Stalker",
				"Operation DEEP#DRIVE",
				"Operation DEEP#GOSU",
				"Operation Kabar Cobra",
				"Operation Mystery Baby",
				"Operation Red Salt",
				"Operation Smoke Screen",
				"Operation Stealth Power",
				"Operation Stolen Pencil",
				"SharpTongue",
				"Sparkling Pisces",
				"Springtail",
				"TA406",
				"TA427",
				"Thallium",
				"UAT-5394",
				"Velvet Chollima"
			],
			"source_name": "ETDA:Kimsuky",
			"tools": [
				"AngryRebel",
				"AppleSeed",
				"BITTERSWEET",
				"BabyShark",
				"BoBoStealer",
				"CSPY Downloader",
				"Farfli",
				"FlowerPower",
				"Gh0st RAT",
				"Ghost RAT",
				"Gold Dragon",
				"GoldDragon",
				"GoldStamp",
				"JamBog",
				"KGH Spyware Suite",
				"KGH_SPY",
				"KPortScan",
				"KimJongRAT",
				"Kimsuky",
				"LATEOP",
				"LOLBAS",
				"LOLBins",
				"Living off the Land",
				"Lovexxx",
				"MailPassView",
				"Mechanical",
				"Mimikatz",
				"MoonPeak",
				"Moudour",
				"MyDogs",
				"Mydoor",
				"Network Password Recovery",
				"PCRat",
				"ProcDump",
				"PsExec",
				"ReconShark",
				"Remote Desktop PassView",
				"SHARPEXT",
				"SWEETDROP",
				"SmallTiger",
				"SniffPass",
				"TODDLERSHARK",
				"TRANSLATEXT",
				"Troll Stealer",
				"TrollAgent",
				"VENOMBITE",
				"WebBrowserPassView",
				"xRAT"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "f32df445-9fb4-4234-99e0-3561f6498e4e",
			"created_at": "2022-10-25T16:07:23.756373Z",
			"updated_at": "2026-04-10T02:00:04.739611Z",
			"deleted_at": null,
			"main_name": "Lazarus Group",
			"aliases": [
				"APT-C-26",
				"ATK 3",
				"Appleworm",
				"Citrine Sleet",
				"DEV-0139",
				"Diamond Sleet",
				"G0032",
				"Gleaming Pisces",
				"Gods Apostles",
				"Gods Disciples",
				"Group 77",
				"Guardians of Peace",
				"Hastati Group",
				"Hidden Cobra",
				"ITG03",
				"Jade Sleet",
				"Labyrinth Chollima",
				"Lazarus Group",
				"NewRomanic Cyber Army Team",
				"Operation 99",
				"Operation AppleJeus",
				"Operation AppleJeus sequel",
				"Operation Blockbuster: Breach of Sony Pictures Entertainment",
				"Operation CryptoCore",
				"Operation Dream Job",
				"Operation Dream Magic",
				"Operation Flame",
				"Operation GhostSecret",
				"Operation In(ter)caption",
				"Operation LolZarus",
				"Operation Marstech Mayhem",
				"Operation No Pineapple!",
				"Operation North Star",
				"Operation Phantom Circuit",
				"Operation Sharpshooter",
				"Operation SyncHole",
				"Operation Ten Days of Rain / DarkSeoul",
				"Operation Troy",
				"SectorA01",
				"Slow Pisces",
				"TA404",
				"TraderTraitor",
				"UNC2970",
				"UNC4034",
				"UNC4736",
				"UNC4899",
				"UNC577",
				"Whois Hacking Team"
			],
			"source_name": "ETDA:Lazarus Group",
			"tools": [
				"3CX Backdoor",
				"3Rat Client",
				"3proxy",
				"AIRDRY",
				"ARTFULPIE",
				"ATMDtrack",
				"AlphaNC",
				"Alreay",
				"Andaratm",
				"AngryRebel",
				"AppleJeus",
				"Aryan",
				"AuditCred",
				"BADCALL",
				"BISTROMATH",
				"BLINDINGCAN",
				"BTC Changer",
				"BUFFETLINE",
				"BanSwift",
				"Bankshot",
				"Bitrep",
				"Bitsran",
				"BlindToad",
				"Bookcode",
				"BootWreck",
				"BottomLoader",
				"Brambul",
				"BravoNC",
				"Breut",
				"COLDCAT",
				"COPPERHEDGE",
				"CROWDEDFLOUNDER",
				"Castov",
				"CheeseTray",
				"CleanToad",
				"ClientTraficForwarder",
				"CollectionRAT",
				"Concealment Troy",
				"Contopee",
				"CookieTime",
				"Cyruslish",
				"DAVESHELL",
				"DBLL Dropper",
				"DLRAT",
				"DRATzarus",
				"DRATzarus RAT",
				"Dacls",
				"Dacls RAT",
				"DarkComet",
				"DarkKomet",
				"DeltaCharlie",
				"DeltaNC",
				"Dembr",
				"Destover",
				"DoublePulsar",
				"Dozer",
				"Dtrack",
				"Duuzer",
				"DyePack",
				"ECCENTRICBANDWAGON",
				"ELECTRICFISH",
				"Escad",
				"EternalBlue",
				"FALLCHILL",
				"FYNLOS",
				"FallChill RAT",
				"Farfli",
				"Fimlis",
				"FoggyBrass",
				"FudModule",
				"Fynloski",
				"Gh0st RAT",
				"Ghost RAT",
				"Gopuram",
				"HARDRAIN",
				"HIDDEN COBRA RAT/Worm",
				"HLOADER",
				"HOOKSHOT",
				"HOPLIGHT",
				"HOTCROISSANT",
				"HOTWAX",
				"HTTP Troy",
				"Hawup",
				"Hawup RAT",
				"Hermes",
				"HotCroissant",
				"HotelAlfa",
				"Hotwax",
				"HtDnDownLoader",
				"Http Dr0pper",
				"ICONICSTEALER",
				"Joanap",
				"Jokra",
				"KANDYKORN",
				"KEYMARBLE",
				"Kaos",
				"KillDisk",
				"KillMBR",
				"Koredos",
				"Krademok",
				"LIGHTSHIFT",
				"LIGHTSHOW",
				"LOLBAS",
				"LOLBins",
				"Lazarus",
				"LightlessCan",
				"Living off the Land",
				"MATA",
				"MBRkiller",
				"MagicRAT",
				"Manuscrypt",
				"Mimail",
				"Mimikatz",
				"Moudour",
				"Mydoom",
				"Mydoor",
				"Mytob",
				"NACHOCHEESE",
				"NachoCheese",
				"NestEgg",
				"NickelLoader",
				"NineRAT",
				"Novarg",
				"NukeSped",
				"OpBlockBuster",
				"PCRat",
				"PEBBLEDASH",
				"PLANKWALK",
				"POOLRAT",
				"PSLogger",
				"PhanDoor",
				"Plink",
				"PondRAT",
				"PowerBrace",
				"PowerRatankba",
				"PowerShell RAT",
				"PowerSpritz",
				"PowerTask",
				"Preft",
				"ProcDump",
				"Proxysvc",
				"PuTTY Link",
				"QUICKRIDE",
				"QUICKRIDE.POWER",
				"Quickcafe",
				"QuiteRAT",
				"R-C1",
				"ROptimizer",
				"Ratabanka",
				"RatabankaPOS",
				"Ratankba",
				"RatankbaPOS",
				"RawDisk",
				"RedShawl",
				"Rifdoor",
				"Rising Sun",
				"Romeo-CoreOne",
				"RomeoAlfa",
				"RomeoBravo",
				"RomeoCharlie",
				"RomeoCore",
				"RomeoDelta",
				"RomeoEcho",
				"RomeoFoxtrot",
				"RomeoGolf",
				"RomeoHotel",
				"RomeoMike",
				"RomeoNovember",
				"RomeoWhiskey",
				"Romeos",
				"RustBucket",
				"SHADYCAT",
				"SHARPKNOT",
				"SIGFLIP",
				"SIMPLESEA",
				"SLICKSHOES",
				"SORRYBRUTE",
				"SUDDENICON",
				"SUGARLOADER",
				"SheepRAT",
				"SierraAlfa",
				"SierraBravo",
				"SierraCharlie",
				"SierraJuliett-MikeOne",
				"SierraJuliett-MikeTwo",
				"SimpleTea",
				"SimplexTea",
				"SmallTiger",
				"Stunnel",
				"TAINTEDSCRIBE",
				"TAXHAUL",
				"TFlower",
				"TOUCHKEY",
				"TOUCHMOVE",
				"TOUCHSHIFT",
				"TOUCHSHOT",
				"TWOPENCE",
				"TYPEFRAME",
				"Tdrop",
				"Tdrop2",
				"ThreatNeedle",
				"Tiger RAT",
				"TigerRAT",
				"Trojan Manuscript",
				"Troy",
				"TroyRAT",
				"VEILEDSIGNAL",
				"VHD",
				"VHD Ransomware",
				"VIVACIOUSGIFT",
				"VSingle",
				"ValeforBeta",
				"Volgmer",
				"Vyveva",
				"W1_RAT",
				"Wana Decrypt0r",
				"WanaCry",
				"WanaCrypt",
				"WanaCrypt0r",
				"WannaCry",
				"WannaCrypt",
				"WannaCryptor",
				"WbBot",
				"Wcry",
				"Win32/KillDisk.NBB",
				"Win32/KillDisk.NBC",
				"Win32/KillDisk.NBD",
				"Win32/KillDisk.NBH",
				"Win32/KillDisk.NBI",
				"WinorDLL64",
				"Winsec",
				"WolfRAT",
				"Wormhole",
				"YamaBot",
				"Yort",
				"ZetaNile",
				"concealment_troy",
				"http_troy",
				"httpdr0pper",
				"httpdropper",
				"klovbot",
				"sRDI"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434330,
	"ts_updated_at": 1775792299,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/8a9a3f3891bcc164a7d246d3655d0f3779e721b2.pdf",
		"text": "https://archive.orkl.eu/8a9a3f3891bcc164a7d246d3655d0f3779e721b2.txt",
		"img": "https://archive.orkl.eu/8a9a3f3891bcc164a7d246d3655d0f3779e721b2.jpg"
	}
}