{
	"id": "ea4a35a9-c089-4498-9036-164117bf4bc3",
	"created_at": "2026-04-06T00:16:04.0471Z",
	"updated_at": "2026-04-10T03:20:24.809939Z",
	"deleted_at": null,
	"sha1_hash": "8e3f9a0a9d00a02d6ab5355acad7c8d152673316",
	"title": "A detailed analysis of Lazarus APT malware disguised as Notepad++ Shell Extension – CYBER GEEKS",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 5795204,
	"plain_text": "A detailed analysis of Lazarus APT malware disguised as Notepad++\r\nShell Extension – CYBER GEEKS\r\nPublished: 2022-01-31 · Archived: 2026-04-05 15:53:08 UTC\r\nSummary\r\nLazarus has targeted its victims using job-opportunity documents for companies such as Lockheed Martin, BAE Systems,\r\nand Boeing. In this case, the threat actor has targeted people who are looking for jobs at Boeing using a document called\r\nBoeing BDS MSE.docx (https://twitter.com/ShadowChasing1/status/1455489336850325519). The malware collects the\r\nhostname, username, network information, a list of processes, and other information that is exfiltrated to one of the\r\nfour C2 servers. The data targeted for exfiltration is compressed, XOR-encrypted and then Base64-encoded before being\r\ntransmitted to the C2 server. The Trojan implements four actions: downloading and executing a .exe file, downloading and\r\nexecuting a .dll file, loading a PE (Portable Executable) into the process memory, and executing shellcode.\r\nAnalyst: @GeeksCyber\r\nTechnical analysis\r\nSHA256: 803dda6c8dc426f1005acdf765d9ef897dd502cd8a80632eef4738d1d7947269\r\nThe file is a DLL that has 7 exports. Only one of these functions implements malicious activity (DllGetFirstChild):\r\nFigure 1\r\nThe malware retrieves the User Agent by calling the ObtainUserAgentString function. There is also a User Agent that is\r\nhardcoded in the binary “Mozilla / 5.0 (Windows NT 10.0; WOW64; Trident / 7.0; rv:11.0) li”, which identifies Internet\r\nExplorer 11 (Trident/7.0) on 64-bit Windows 10 running in a 32-bit (WOW64) process:\r\nFigure 2\r\nThe binary extracts the current system date and time using the GetSystemTimeAsFileTime API:\r\nFigure 3\r\nGetModuleHandleW is utilized to retrieve a module handle for ntdll.dll:\r\nFigure 4\r\nThe process resolves the addresses of the following ntdll.dll exports at runtime using the GetProcAddress routine, so\r\nthey do not appear in the DLL’s import table:\r\n“RtlGetCompressionWorkSpaceSize”, “RtlCompressBuffer”, “RtlDecompressBuffer”, “RtlGetVersion”. 
An example of a\r\nfunction call is shown in figure 5:\r\nhttps://cybergeeks.tech/a-detailed-analysis-of-lazarus-malware-disguised-as-notepad-shell-extension/\r\nPage 1 of 14\n\nFigure 5\r\nThe NetBIOS name of the local computer is extracted via a function call to GetComputerNameW:\r\nFigure 6\r\nThe GetAdaptersInfo API is used to retrieve adapter information for the local machine:\r\nFigure 7\r\nThe MAC address extracted above is written to a buffer:\r\nFigure 8\r\nThe file extracts the command-line string for the current process:\r\nFigure 9\r\nCommandLineToArgvW is utilized to split the command line into an array of argument pointers, along with a count of\r\narguments (similar to argv and argc):\r\nFigure 10\r\nAccording to an article published at https[:]//zhuanlan.zhihu.com/p/453894016, the malware is supposed to run with the\r\nfollowing parameters:\r\n“NTPR\r\nP6k+pR6iIKwJpU6oR6ZilgKPL7IxsitJAnpIYSx2KldSSRFFyUIzTBVFAwgzBkI2PS/+EgASBik/GgYBwBbRNy7pP+Xq4uTsxOXU6NPmudaEz7Xy5fL\r\nThe binary decrypts the above parameter using a custom algorithm displayed in figure 11. 
The list of resulting strings\r\ncontains multiple C2 servers:\r\nFigure 11\r\nFigure 12\r\nThe following URLs have been decrypted:\r\nhttps[:]//mante.li/images/draw.php\r\nhttps[:]//bmanal.com/images/draw.php\r\nhttps[:]//shopandtravelusa.com/vendor/monolog/monolog/src/Monolog/monolog.php\r\nhttps[:]//industryinfostructure.com/templates/worldgroup/view.php\r\nThe GetNetworkParams routine is used to retrieve network parameters for the local computer:\r\nFigure 13\r\nThe malicious process extracts the name of the DNS domain assigned to the local host via GetComputerNameExW (0x2 =\r\nComputerNameDnsDomain):\r\nFigure 14\r\nThe following network information is written to a temporary buffer:\r\nFigure 15\r\nFigure 16\r\nThe process gets the username associated with the current thread by calling the GetUserNameW function:\r\nFigure 17\r\nThe binary takes a snapshot of all processes in the system using the CreateToolhelp32Snapshot API (0x2 =\r\nTH32CS_SNAPPROCESS):\r\nFigure 18\r\nThe file extracts information about the first process from the snapshot via a call to Process32FirstW:\r\nFigure 19\r\nThe malicious binary opens each enumerated process object using the OpenProcess routine (0x410 =\r\nPROCESS_QUERY_INFORMATION | PROCESS_VM_READ):\r\nFigure 20\r\nIf the process cannot be opened (insufficient rights), the DLL copies “Unknown” along with the process name to a\r\ntemporary buffer instead of the owner information collected below.\r\nThe binary takes a snapshot of the current process along with all its modules using the CreateToolhelp32Snapshot API (0x8\r\n= TH32CS_SNAPMODULE):\r\nFigure 21\r\nModule32FirstW is utilized to retrieve information about the first module associated with the 
current process:\r\nFigure 22\r\nThe malicious DLL gets information about the next process recorded in the snapshot (Process32NextW):\r\nFigure 23\r\nThe OpenProcessToken routine is used to open the access token associated with a process (0x8 = TOKEN_QUERY):\r\nFigure 24\r\nGetTokenInformation is utilized to extract the user account (SID) of the token (0x1 = TokenUser):\r\nFigure 25\r\nThe process retrieves the name of the account for that SID and the name of the first domain on which the SID is found via a\r\nfunction call to LookupAccountSidW:\r\nFigure 26\r\nGetTokenInformation is utilized to extract the Terminal Services session identifier associated with the token (0xC =\r\nTokenSessionId). Per process, the survey thus records the image name, the owning account and the session ID:\r\nFigure 27\r\nThe RtlGetCompressionWorkSpaceSize API is used to determine the correct size of the WorkSpace buffer for the\r\nRtlCompressBuffer function (0x102 = COMPRESSION_FORMAT_LZNT1 |\r\nCOMPRESSION_ENGINE_MAXIMUM):\r\nFigure 28\r\nThe process compresses the buffers from figures 15 and 16 using the RtlCompressBuffer function (0x102 =\r\nCOMPRESSION_FORMAT_LZNT1 | COMPRESSION_ENGINE_MAXIMUM):\r\nFigure 29\r\nThe DLL randomly chooses a C2 server from the list of four. 
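The exfiltration encoding that the following figures walk through (figure 29 compression, figures 39 to 42 XOR and Base64, figure 43 the form body), reconstructed as an added Python example; this is not code from the original article or from the sample. The LZNT1 codec implements the chunk format that RtlCompressBuffer and RtlDecompressBuffer produce and accept with COMPRESSION_FORMAT_LZNT1, so decode_beacon can be run on a POST body captured with FakeNet or a proxy once the 32-byte key is lifted from figure 39. The key, the survey buffer layout and the function names are assumptions; whether the sample percent-encodes the Base64 inside the oq= field is not shown in the article, so the blob is appended as-is.

```python
import base64
import struct

# LZNT1 stream = chunks of up to 4096 plain bytes. 16-bit LE chunk header:
# bits 0-11 = chunk size - 1, bits 12-14 = 0b011, bit 15 = chunk is compressed.
CHUNK_SIZE, CHUNK_SIGNATURE, CHUNK_COMPRESSED = 4096, 0x3000, 0x8000

def _length_bits(pos):
    # Length/offset bit split of a match token depends on the chunk position.
    bits, p = 12, pos - 1
    while p >= 0x10:
        bits, p = bits - 1, p >> 1
    return bits

def _compress_chunk(chunk):
    # Greedy LZ77: a flag byte precedes 8 items (literal byte or 2-byte token).
    out, pos = bytearray(), 0
    while pos < len(chunk):
        flags, group = 0, bytearray()
        for bit in range(8):
            if pos >= len(chunk):
                break
            l_bits = _length_bits(pos)
            limit = min((1 << l_bits) + 2, len(chunk) - pos)   # max match length
            best_len, best_off = 0, 0
            for off in range(1, min(pos, 1 << (16 - l_bits)) + 1):
                n = 0
                while n < limit and chunk[pos - off + n] == chunk[pos + n]:
                    n += 1
                if n > best_len:
                    best_len, best_off = n, off
            if best_len >= 3:            # token stores offset - 1 and length - 3
                group += struct.pack('<H', ((best_off - 1) << l_bits) | (best_len - 3))
                flags |= 1 << bit
                pos += best_len
            else:
                group.append(chunk[pos])
                pos += 1
        out.append(flags)
        out += group
    return bytes(out)

def lznt1_compress(data):
    out = bytearray()
    for i in range(0, len(data), CHUNK_SIZE):
        raw = data[i:i + CHUNK_SIZE]
        comp = _compress_chunk(raw)
        if len(comp) < len(raw):
            out += struct.pack('<H', CHUNK_SIGNATURE | CHUNK_COMPRESSED | (len(comp) - 1)) + comp
        else:  # incompressible chunk is stored raw, as Windows does
            out += struct.pack('<H', CHUNK_SIGNATURE | (len(raw) - 1)) + raw
    return bytes(out)

def lznt1_decompress(data):
    out, i = bytearray(), 0
    while i + 2 <= len(data):
        header, i = struct.unpack_from('<H', data, i)[0], i + 2
        if header == 0:
            break
        size = (header & 0xFFF) + 1
        chunk, i = data[i:i + size], i + size
        if not header & CHUNK_COMPRESSED:
            out += chunk
            continue
        base, j = len(out), 0            # positions are chunk-relative
        while j < len(chunk):
            flags, j = chunk[j], j + 1
            for bit in range(8):
                if j >= len(chunk):
                    break
                if not flags >> bit & 1:     # literal byte
                    out.append(chunk[j])
                    j += 1
                    continue
                token, j = struct.unpack_from('<H', chunk, j)[0], j + 2
                l_bits = _length_bits(len(out) - base)
                length, offset = (token & ((1 << l_bits) - 1)) + 3, (token >> l_bits) + 1
                for _ in range(length):  # byte-wise copy, overlap is legal
                    out.append(out[-offset])
    return bytes(out)

def xor_bytes(data, key):
    # Repeating-key XOR; the sample uses a 32-byte key (figures 39-40).
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))

def encode_beacon(survey, key, search='YOIPOUP', ei='6128'):
    # compress -> XOR -> Base64 -> form body of figure 43 (Base64 not percent-encoded: assumption)
    blob = base64.b64encode(xor_bytes(lznt1_compress(survey), key)).decode('ascii')
    return 'search=%s&ei=%s&oq=%s' % (search, ei, blob)

def decode_beacon(body, key):
    # Reverse the pipeline on a POST body captured with FakeNet or a proxy.
    fields = dict(part.split('=', 1) for part in body.split('&'))
    return fields['search'], lznt1_decompress(xor_bytes(base64.b64decode(fields['oq']), key))

# Constructed stand-ins: the real key and the survey layout are only in the figures.
SAMPLE_KEY = bytes(range(0x10, 0x30))            # 32 bytes
SAMPLE_SURVEY = b'WIN-ANALYST|00-0C-29-AA-BB-CC|analyst|explorer.exe:WIN-ANALYST/analyst:1|svchost.exe:Unknown:0|'
```

The compressor is a plain greedy matcher, so its output need not be byte-identical to what ntdll emits; the decompressor, however, handles any valid LZNT1 stream, including the raw (uncompressed) chunks Windows writes for incompressible data, which is the part that matters when decoding captured beacons.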
It initializes the application’s use of the WinINet functions via\r\na call to InternetOpenW:\r\nFigure 30\r\nInternetCanonicalizeUrlW is used to canonicalize the URL:\r\nFigure 31\r\nThe malware splits the URL into its component parts (scheme, host, port, path) by calling the InternetCrackUrlW API:\r\nFigure 32\r\nThe connect, send and receive timeouts are set to 150 seconds using the InternetSetOptionW routine (0x2 =\r\nINTERNET_OPTION_CONNECT_TIMEOUT, 0x5 = INTERNET_OPTION_SEND_TIMEOUT, 0x6 =\r\nINTERNET_OPTION_RECEIVE_TIMEOUT):\r\nFigure 33\r\nFigure 34\r\nFigure 35\r\nThe DLL opens an HTTP session to the C2 server on port 443 via InternetConnectW (0x3 = INTERNET_SERVICE_HTTP):\r\nFigure 36\r\nThe binary creates a POST request handle (HttpOpenRequestW) for the URI path extracted from the URL above:\r\nFigure 37\r\nThe security flags for the request handle are set using the InternetSetOptionW API (0x1F =\r\nINTERNET_OPTION_SECURITY_FLAGS, 0xF180 = SECURITY_FLAG_IGNORE_REVOCATION |\r\nSECURITY_FLAG_IGNORE_UNKNOWN_CA | SECURITY_FLAG_IGNORE_CERT_CN_INVALID |\r\nSECURITY_FLAG_IGNORE_CERT_DATE_INVALID | SECURITY_FLAG_IGNORE_REDIRECT_TO_HTTP |\r\nSECURITY_FLAG_IGNORE_REDIRECT_TO_HTTPS). With this combination WinINet accepts any server certificate (untrusted CA,\r\nwrong name, expired, revocation unchecked), so the sample does not pin or validate the C2 host and its TLS traffic can be\r\nintercepted with a self-signed certificate during analysis:\r\nFigure 38\r\nThe buffer (concatenation of the two buffers from figures 15 and 16) that was compressed earlier is encrypted using XOR\r\n(key = 32-byte array):\r\nFigure 39\r\nFigure 40\r\nThe encrypted buffer from above is encoded using Base64:\r\nFigure 41\r\nFigure 42\r\nThe binary constructs the following request parameters, the trailing “oq=” field being where the Base64-encoded data goes:\r\n“search=YOIPOUP\u0026ei=6128\u0026oq=”:\r\nFigure 43\r\nThe User Agent extracted earlier is added to the HTTP request handle using the HttpAddRequestHeadersW routine\r\n(0xA0000000 = HTTP_ADDREQ_FLAG_REPLACE | 
HTTP_ADDREQ_FLAG_ADD):\r\nFigure 44\r\nHttpSendRequestW is used to exfiltrate data to the C2 server:\r\nFigure 45\r\nIt’s worth mentioning that all C2 servers were down during our analysis. We’ve emulated network connections using\r\nFakeNet.\r\nThe size of the C2 response is retrieved by calling the HttpQueryInfoW routine (0x5 =\r\nHTTP_QUERY_CONTENT_LENGTH):\r\nFigure 46\r\nThe binary copies the C2 response to a buffer via a function call to InternetReadFile:\r\nFigure 47\r\nThe malicious process parses the data between the “” and “\n\n” tags:\r\nFigure 48\r\nThe malware performs a similar POST request with different parameter values “search=DOWPANY\u0026ei=6128”:\r\nFigure 49\r\nThe C2 response is decoded using Base64 and then XOR-decrypted. The malware implements 4 different actions that are\r\ndispatched on the value of the EAX register:\r\nFigure 50\r\nEAX = 0 – load a PE into the current process memory\r\nGetNativeSystemInfo is utilized to retrieve information about the current system:\r\nFigure 51\r\nThe DLL performs multiple VirtualAlloc function calls that will allocate memory for the new executable (0x3000 =\r\nMEM_COMMIT | MEM_RESERVE, 0x4 = PAGE_READWRITE):\r\nFigure 52\r\nThe malware then changes the memory protection per section (for example, the code section’s memory\r\nprotection is set to 0x20 = PAGE_EXECUTE_READ) rather than allocating RWX memory up front; contrast the shellcode path\r\nbelow, which allocates PAGE_EXECUTE_READWRITE directly:\r\nFigure 53\r\nAfter a few more operations, the process passes control to the mapped PE.\r\nEAX = 1 – download and execute a .exe file\r\nThe binary gets the local AppData folder path (%LOCALAPPDATA%) by calling the SHGetFolderPathW routine (0x1c =\r\nCSIDL_LOCAL_APPDATA):\r\nFigure 54\r\nGetTickCount is used to extract the number of milliseconds that have elapsed since the system was started:\r\nFigure 55\r\nThe malware creates a 
file in that folder whose name is derived from the above value (CreateFileW: 0x40000000 = GENERIC_WRITE, 0x1 = FILE_SHARE_READ,\r\n0x2 = CREATE_ALWAYS, 0x80 = FILE_ATTRIBUTE_NORMAL):\r\nFigure 56\r\nThe newly created file is populated with content that is supposed to be transmitted by the C2 server:\r\nFigure 57\r\nThe malicious binary executes the file by calling the CreateProcessW API:\r\nFigure 58\r\nEAX = 2 – download and execute a .dll file\r\nThe execution flow is similar to the above case, and we only highlight the difference. Rundll32.exe is used to execute the\r\nDLL file (an export function can also be specified in the command line):\r\nFigure 59\r\nEAX = 3 – copy and execute shellcode\r\nThe process allocates memory using the VirtualAlloc routine (0x1000 = MEM_COMMIT, 0x40 =\r\nPAGE_EXECUTE_READWRITE):\r\nFigure 60\r\nThe DLL implements an anti-analysis check. It calls the IsProcessorFeaturePresent API in order to determine whether\r\n__fastfail() is available. If this feature is not supported, the current process is terminated by calling the GetCurrentProcess and\r\nTerminateProcess functions (0x17 = PF_FASTFAIL_AVAILABLE). Note that the same IsProcessorFeaturePresent(PF_FASTFAIL_AVAILABLE),\r\n__fastfail, TerminateProcess sequence is emitted by the MSVC runtime’s security-check failure handler, so it may be\r\ncompiler-generated rather than code written by the threat actor:\r\nFigure 61\r\nThe malware jumps to the shellcode and then frees the memory area allocated earlier:\r\nFigure 62\r\nAs we mentioned at the beginning of the analysis, the threat actor only added the export function explained above, and the\r\nothers are legitimate.\r\nWe’ve studied a legitimate Notepad++ shell extension (SHA256:\r\nf3e2e6f9e7aa065e89040a0c16d1f948489b3751e5eb5efac8106d5f7d65d98d, 64-bit) and compared the export functions\r\nbetween the two files. 
As we can see below, the functions are very similar:\r\nFigure 63\r\nFigure 64\r\nReferences\r\nMSDN: https://docs.microsoft.com/en-us/windows/win32/api/\r\nFakeNet: https://github.com/fireeye/flare-fakenet-ng\r\nVirusTotal: https://www.virustotal.com/gui/file/803dda6c8dc426f1005acdf765d9ef897dd502cd8a80632eef4738d1d7947269\r\nMalwareBazaar:\r\nhttps://bazaar.abuse.ch/sample/803dda6c8dc426f1005acdf765d9ef897dd502cd8a80632eef4738d1d7947269/\r\nINDICATORS OF COMPROMISE\r\nC2 domains:\r\nmante.li\r\nbmanal.com\r\nshopandtravelusa.com\r\nindustryinfostructure.com\r\nSHA256: 803dda6c8dc426f1005acdf765d9ef897dd502cd8a80632eef4738d1d7947269\r\nURLs:\r\nhttps[:]//mante.li/images/draw.php\r\nhttps[:]//bmanal.com/images/draw.php\r\nhttps[:]//shopandtravelusa.com/vendor/monolog/monolog/src/Monolog/monolog.php\r\nhttps[:]//industryinfostructure.com/templates/worldgroup/view.php\r\nSource: https://cybergeeks.tech/a-detailed-analysis-of-lazarus-malware-disguised-as-notepad-shell-extension/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://cybergeeks.tech/a-detailed-analysis-of-lazarus-malware-disguised-as-notepad-shell-extension/"
	],
	"report_names": [
		"a-detailed-analysis-of-lazarus-malware-disguised-as-notepad-shell-extension"
	],
	"threat_actors": [],
	"ts_created_at": 1775434564,
	"ts_updated_at": 1775791224,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/8e3f9a0a9d00a02d6ab5355acad7c8d152673316.pdf",
		"text": "https://archive.orkl.eu/8e3f9a0a9d00a02d6ab5355acad7c8d152673316.txt",
		"img": "https://archive.orkl.eu/8e3f9a0a9d00a02d6ab5355acad7c8d152673316.jpg"
	}
}