{
	"id": "d6bd2ccb-3ade-4274-8f31-1d7215e7cbd0",
	"created_at": "2026-04-06T00:10:04.886137Z",
	"updated_at": "2026-04-10T13:12:50.584083Z",
	"deleted_at": null,
	"sha1_hash": "8df3be4a6ad5145dbb1036c03e08fe5a91193572",
	"title": "Further Updates in LODEINFO Malware - JPCERT/CC Eyes",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1153831,
	"plain_text": "Further Updates in LODEINFO Malware - JPCERT/CC Eyes\r\nBy 喜野 孝太(Kota Kino)\r\nPublished: 2021-02-17 · Archived: 2026-04-05 23:06:55 UTC\r\nFebruary 18, 2021\r\nLODEINFO\r\nThe functions and evolution of malware LODEINFO have been described in our past articles in February 2020\r\nand June 2020. Yet in 2021, JPCERT/CC continues to observe activities related to this malware. Its functions have\r\nbeen expanding with some new commands implemented or actually used in attacks. This article introduces the\r\ndetails of the updated functions and recent attack trends.\r\nLODEINFO versions\r\nAt the time of the last blog update, the latest version of LODEINFO was v.0.3.6, and currently v0.4.8 is being\r\nused. Figure 1 shows the transition of LODEINFO versions based on JPCERT/CC’s observation.\r\nFigure 1：LODEINFO versions\r\nDecoy document\r\nAs we previously explained, LODEINFO infection spreads once a user enables the macro in a Word or Excel file\r\nattached to a spear phishing email. In some recent cases, these document files are protected with a password,\r\nwhich is specified in the email body. The Word document convinces the user to enable the macro as in Figure 2.\r\n(The statement in the yellow box is roughly translated as follows: In case Word application cannot open the\r\nhttps://blogs.jpcert.or.jp/en/2021/02/LODEINFO-3.html\r\nPage 1 of 9\n\ndocument properly, you may be able to open it with Word premium mode. To proceed, please click the button in\r\nthe yellow message bar above.)\r\nFigure 2： Word document content sample\r\nThe document appears to be empty, however, there are hidden letters in small and white fonts, containing macro\r\nconfiguration values and BASE64-encoded strings of a zip file which stores LODEINFO.\r\nhttps://blogs.jpcert.or.jp/en/2021/02/LODEINFO-3.html\r\nPage 2 of 9\n\nFigure 3： Word document contents sample (after changing the font)\r\nThe macro uses a method called LOLBAS to execute LODEINFO. Below is the command for executing a file\r\ncreated.\r\nrundll32.exe advpack.dll,RegisterOCX\r\nFigure 4： Process after enabling macro\r\nThe code of the macro contained in the documents shows sentences in public articles related to the diplomatic\r\nrelations between South Korea and Japan or North Korea in the comments.\r\nFigure 5： Comments in the macro\r\nNew commands\r\nhttps://blogs.jpcert.or.jp/en/2021/02/LODEINFO-3.html\r\nPage 3 of 9\n\nThe latest LODEINFO v0.4.8 has the following additional commands compared to v.0.3.6. (See Appendix A for\r\ndetails.)\r\nransom (implemented)\r\nkeylog (implemented)\r\nmv\r\ncp\r\nmkdir\r\nps\r\npkill\r\nThe following sections describe some of the new features that are available in the newer versions.\r\nRansomware function\r\n“ransom” command has been implemented in v.0.3.8 and after. The encryption algorithm is a combination of AES\r\nand RSA. The files are first encrypted with an AES key generated for each fille. The key is then encrypted with\r\nthe RSA public key embedded in the malware. After that, the message “WOW! THIS FILE HAS BEEN\r\nENCRYPTED...” is inserted in the beginning of the file.\r\nFigure 6： Structure of the encrypted file\r\nThis process makes it difficult to decrypt the files. Files and folders to encrypt can be specified with the ransom\r\ncommand, however, those with file extensions and paths in Figure 7 are excluded.\r\nhttps://blogs.jpcert.or.jp/en/2021/02/LODEINFO-3.html\r\nPage 4 of 9\n\nFigure 7： Files excluded from encryption\r\nIn case a folder is selected, its path name is checked against the list, but not the individual files inside the folder.\r\nTherefore, files including these names listed above are encrypted in this case. Unlike other types of common\r\nransomware, alteration of file extension, creation of ransom notes and/or change of background image do not\r\noccur. JPCERT/CC has not yet observed these features in actual attack cases, but they may be used for the purpose\r\nof deleting evidence or exfiltrating data.\r\nKeylog function\r\n“keylog” command has been implemented in v.0.4.6 and after. This command checks the following registry value\r\nto see if the option is enabled.\r\nFigure 8： Keylog checks if it is enabled\r\nIf it is enabled, a file named “\u003cNetBIOS name\u003e.tmp” is created in %TEMP% folder, and stolen key strings are\r\nencoded and stored there. An XOR key is used for encoding, which contains the first 1 byte of the SHA512 value\r\nof the device’s NetBIOS name. The following is an example of code to decode the keylog file.\r\nimport os\r\nimport hashlib\r\nname = os.getenv(\"COMPUTERNAME\")\r\nkeylog_file = os.getenv(\"TEMP\") + \"//\" + name + \".tmp\"\r\nhash_of_name = hashlib.sha512(name.encode(\"UTF-8\")).hexdigest()\r\nxor_key = int(hash_of_name[0:2], 16)\r\ndecode_data = bytes()\r\nwith open(keylog_file, \"rb\") as f:\r\n for ch in f.read():\r\n decode_data += (ch ^ xor_key).to_bytes(1, byteorder=\"big\", signed=False)\r\nhttps://blogs.jpcert.or.jp/en/2021/02/LODEINFO-3.html\r\nPage 5 of 9\n\nprint(decode_data.decode('shift_jis'))\r\nOne of the distinctive features of this function is that it checks if the device’s keyboard layout is set to Japanese\r\naccording to the following criteria:\r\n“OverrideKeyboardIdentifier” value in HKLM\\SYSTEM\\CurrentControlSet\\Service\\i8042prt\\Parameters\r\nis set to “PCAT_106KEY”\r\n“GetKeyboardLayout” function returns “1041”\r\nIf the device uses the Japanese keyboard layout, the key strings are converted accordingly. This fact implies that\r\nthe attackers using LODEINFO malware target Japanese language users.\r\nFigure 9： Checking keyboard layout\r\nIn closing\r\nAttacks using LODEINFO has been continuously observed, and it is considered as a severe threat. We will keep\r\nan eye on this activity as it is yet likely to continue.\r\nThe hash value of the sample described in the article is listed in Appendix B, together with some newly confirmed\r\nC\u0026C servers in Appendix C. Please make sure that none of your devices is communicating with such hosts.\r\n- Kota Kino\r\n(Translated by Yukako Uchida)\r\nReference\r\nAppendix A New commands\r\nValue Contents\r\nransom Encrypt files\r\nkeylog Control keylogger\r\nmv Move files\r\ncp Copy files\r\nhttps://blogs.jpcert.or.jp/en/2021/02/LODEINFO-3.html\r\nPage 6 of 9\n\nValue Contents\r\nmkdir Create directory\r\nps List process\r\npkill Kill process\r\nAppendix B SHA-256 has value of a sample\r\n3fda6fd600b4892bda1d28c1835811a139615db41c99a37747954dcccaebff6e （v0.4.6）\r\nAppendix C C\u0026C servers\r\nwww.evonzae.com\r\n45.76.216.40\r\n103.140.45.71\r\n139.180.192.19\r\n167.179.84.162\r\n167.179.65.11\r\n喜野 孝太(Kota Kino)\r\nKota Kino is Malware/Forensic Analyst at Incident Response Group, JPCERT/CC since August 2019.\r\nRelated articles\r\nhttps://blogs.jpcert.or.jp/en/2021/02/LODEINFO-3.html\r\nPage 7 of 9\n\nUpdate on Attacks by Threat Group APT-C-60\r\nCrossC2 Expanding Cobalt Strike Beacon to Cross-Platform Attacks\r\nhttps://blogs.jpcert.or.jp/en/2021/02/LODEINFO-3.html\r\nPage 8 of 9\n\nMalware Identified in Attacks Exploiting Ivanti Connect Secure Vulnerabilities\r\nDslogdRAT Malware Installed in Ivanti Connect Secure\r\nTempted to Classifying APT Actors: Practical Challenges of Attribution in the Case of Lazarus’s Subgroup\r\nSource: https://blogs.jpcert.or.jp/en/2021/02/LODEINFO-3.html\r\nhttps://blogs.jpcert.or.jp/en/2021/02/LODEINFO-3.html\r\nPage 9 of 9\n\n  https://blogs.jpcert.or.jp/en/2021/02/LODEINFO-3.html \nUpdate on Attacks by Threat Group APT-C-60 \nCrossC2 Expanding Cobalt Strike Beacon to Cross-Platform Attacks\n  Page 8 of 9",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://blogs.jpcert.or.jp/en/2021/02/LODEINFO-3.html"
	],
	"report_names": [
		"LODEINFO-3.html"
	],
	"threat_actors": [
		{
			"id": "15b8d5d8-32cf-408b-91b1-5d6ac1de9805",
			"created_at": "2023-07-20T02:00:08.724751Z",
			"updated_at": "2026-04-10T02:00:03.341845Z",
			"deleted_at": null,
			"main_name": "APT-C-60",
			"aliases": [
				"APT-Q-12"
			],
			"source_name": "MISPGALAXY:APT-C-60",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "ab47428c-7a8e-4ee8-9c8e-4e55c94d2854",
			"created_at": "2024-12-28T02:01:54.668462Z",
			"updated_at": "2026-04-10T02:00:04.564201Z",
			"deleted_at": null,
			"main_name": "APT-C-60",
			"aliases": [
				"APT-Q-12"
			],
			"source_name": "ETDA:APT-C-60",
			"tools": [
				"SpyGlace"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434204,
	"ts_updated_at": 1775826770,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/8df3be4a6ad5145dbb1036c03e08fe5a91193572.pdf",
		"text": "https://archive.orkl.eu/8df3be4a6ad5145dbb1036c03e08fe5a91193572.txt",
		"img": "https://archive.orkl.eu/8df3be4a6ad5145dbb1036c03e08fe5a91193572.jpg"
	}
}