{
	"id": "3c6f1da1-a2d6-4011-8a89-baf69aae23a0",
	"created_at": "2026-04-06T00:19:27.425471Z",
	"updated_at": "2026-04-10T13:12:34.794261Z",
	"deleted_at": null,
	"sha1_hash": "8e45ace6b47019c13c76b9a68cc5e86a2127fff6",
	"title": "Lazarus Group targets Aerospace and Defense with new Comebacker variant | Enki White Hat",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 4653508,
	"plain_text": "Lazarus Group targets Aerospace and Defense with new Comebacker variant | Enki White Hat\r\nPublished: 2025-11-07 · Archived: 2026-04-05 13:05:09 UTC\r\nExecutive Summary\r\nENKI identified a new variant of Comebacker, first encountered while following up on public reporting of a malicious domain.\r\nThe malware is delivered via lure documents themed around prominent aerospace and defense organizations, indicating a targeted espionage campaign against this sector.\r\nPivoting from the initial C\u0026C infrastructure, we uncovered an additional C\u0026C domain and a related Comebacker sample, suggesting the campaign has been active since at least March 2025.\r\n1. Overview\r\nIn June 2025, ENKI initiated an investigation based on ThreatBookLabs' reporting of a malicious domain, office-theme[.]com, attributed to Lazarus Group. Analysis of .docx files hosted on this domain revealed a multi-stage malware infection chain deploying a new variant of the Comebacker backdoor.\r\nBy pivoting on the malware's C\u0026C infrastructure, we identified an additional C\u0026C domain and a related Comebacker sample, suggesting the campaign has been active since at least March 2025.\r\nThis report provides an analysis of this new Comebacker variant, details the associated infrastructure, and tracks the malware's evolution over time.\r\n1.1. Comebacker\r\nComebacker was first reported by Google's Threat Analysis Group in a 2021 report on a campaign targeting security researchers. Functioning as a downloader and backdoor, it is designed to retrieve and execute DLL payloads from a C\u0026C server. Microsoft later named the malware \"Comebacker\", and it has since been attributed to Lazarus Group.\r\nSince its initial discovery in 2021, Comebacker has been observed in multiple campaigns. In 2024, variants were found embedded in malicious PyPI packages, demonstrating the threat actor’s continued activity.\r\n2. Malware Analysis\r\n2.1. C\u0026C Server Open Directory\r\nWe identified staging activity in an open directory on office-theme[.]com. The documents hosted there initiate a multi-stage execution flow, ultimately leading to the in-memory execution of the final Comebacker payload. The full infection chain is detailed in the following subsections.\r\nhttps://www.enki.co.kr/en/media-center/blog/lazarus-group-targets-aerospace-and-defense-with-new-comebacker-variant\r\nPage 1 of 15\r\nFigure: Open directory listing on office-theme[.]com\r\nWhile multiple files were present in the directory, only four files with .bin extensions were downloadable at the time of analysis. These files were identified as Microsoft Word documents, each containing a malicious VBA macro. Although the lure content varied, all four droppers deploy the same malicious payload.\r\n2.2. Comebacker Dropper\r\nWhen a victim opens one of the malicious .docx files and enables macros, the embedded VBA code executes. We extracted this macro code for analysis using the olevba tool.\r\nFigure: VBA macro code extracted via olevba\r\nThe macro decrypts and deploys two embedded components that are stored as large hexadecimal strings: a loader DLL and a decoy document. The decryption process involves a custom algorithm using XOR and bit-swapping operations. A Python script to replicate this decryption is available in Appendix C, under \"Comebacker Dropper Decryption Script\".\r\nThe decrypted files are written to the following paths on the victim system:\r\nLoader: C:\\ProgramData\\WPSOffice\\wpsoffice_aam.ocx\r\nDecoy document: C:\\ProgramData\\Document\\EDGE_Group_Interview_NDA.docx\r\nThe macro then executes the loader by calling the `LoadLibraryA` API function and opens the decoy document.\r\nWe identified four distinct decoy documents leveraging themes related to the aerospace and defense sectors, including lures impersonating Edge Group, Indian Institute of Technology Kanpur (IIT Kanpur), and Airbus. This specific targeting strongly indicates the campaign's objective is espionage.\r\nFigure: Decoy document impersonating IIT Kanpur: Guest_Lecture_Invitation_Format_IITK.docx\r\nFigure: Decoy document related to Airbus: Airbus_C295_Integration_Document_for_TASL.docx\r\n2.3. Comebacker Stage 1 Loader – wpsoffice_aam.ocx\r\nThe wpsoffice_aam.ocx file is the second-stage loader, employed to decrypt, persist, and execute the third stage of the infection chain.\r\nThe loader first decrypts an embedded payload using the ChaCha20 stream cipher. The static configuration for this decryption is as follows:\r\nkey: ad9c5aca9977d04c73be579199a827049b6dd9840091ffe8e23acc05e1d4a657\r\niv: edc9ce049daeba35b8687740\r\ncounter: 1\r\nA Python script to replicate this decryption is available in Appendix C, under \"Comebacker Stage 1 Loader Decryption Script\".\r\nFollowing decryption, the loader decompresses the resulting data using the zlib library. The final payload is written to C:\\ProgramData\\USOShared\\USOPrivate.dll.\r\nFigure: ChaCha20 decryption and writing of USOPrivate.dll\r\nTo establish persistence, the loader creates a shortcut (.lnk) to USOPrivate.dll in the user's Startup folder.\r\ncmd.exe /C powershell -Command \"$s = (New-Object -COM WScript.Shell).CreateShortcut('C:\\\\ProgramData\\\\USOShared\\\\Micro.lnk'); $s.TargetPath = 'C:\\\\Windows\\\\System32\\\\rundll32.exe'; $s.Arguments = '\\\"[USOPrivate.dll path]\\\" LoadMimi \\\"C:\\\\Windows\\\\System32\\\\cmd.exe\\\"'; $s.Save()\"\r\nAfter creating the shortcut, the loader calls the LoadMimi function of USOPrivate.dll using rundll32.exe.\r\n2.4. Comebacker Stage 2 Loader – USOPrivate.dll\r\nUSOPrivate.dll is the final loader in the infection chain. It decrypts the embedded Comebacker and executes it directly from memory.\r\nThe DLL employs the same ChaCha20 decryption code seen in the previous stage, reusing the identical key, IV, and initial counter values.\r\nkey: ad9c5aca9977d04c73be579199a827049b6dd9840091ffe8e23acc05e1d4a657\r\niv: edc9ce049daeba35b8687740\r\ninitial counter value: 1\r\nFigure: Reuse of the ChaCha20 decryption code in USOPrivate.dll\r\nAfter decryption and decompression, the loader loads the final Comebacker payload into memory. It then transfers execution to the payload by calling its GetWindowSizedW export with the string argument \"1282\".\r\nFigure: Calling the GetWindowSizedW export of the Comebacker payload\r\n2.5. Comebacker\r\nOnce executed, the Comebacker payload's main GetWindowSizedW export begins by generating a unique victim identifier. This ID is constructed by concatenating a randomly generated 10-character alphanumeric string, the argument value passed during execution (\"1282\"), and the static string \"64\".\r\nFigure: Victim ID generation\r\nThe malware then prepares to beacon out to its hardcoded C\u0026C server:\r\nhxxps://hiremployee[.]com\r\n2.5.1. C\u0026C Server Communication\r\nAll C\u0026C communications occur over HTTPS. The outbound data is first encrypted with AES-128-CBC and then Base64-encoded. The malware uses the same value for both the encryption key and the IV.\r\nencryption key and IV: x!P\u003c\u0026}mjH2YHRQ',\r\nFigure: AES encryption code\r\nData received from the C\u0026C server is similarly Base64-decoded and then decrypted using the same AES-128-CBC key and IV.\r\nA Python script to decrypt this C\u0026C traffic is available in Appendix C, under “Comebacker C\u0026C Data Decryption Script”.\r\n2.5.2. Initial Connection\r\nThe malware's initial beacon is encoded in the query string of the URL. The query string structure is as follows:\r\n[random 2 lowercase letters]=[random 10 lowercase letters]\u0026\r\n[random 5 lowercase letters]=[base64-encoded ID value]\u0026\r\n[random 4 lowercase letters]=\u0026\r\n[random 6 lowercase letters]=0\u0026\r\n[random 6 lowercase letters]=[base64-encoded length of the current time]\u0026\r\n[random 6 lowercase letters]=[base64-encoded current time]\u0026\r\n[random letters up to 10]=[random letters up to 20]\r\nThe C\u0026C server's response has the following format:\r\n[4 hexadecimal digits] [1 hexadecimal digit] [base64-encoded message length] [base64-encoded message]\r\nThe malware parses the hex digits and the decoded message to determine its next action. The primary behaviors are outlined below.\r\nC\u0026C server response | Action\r\nFirst value is 13 | Terminates the process.\r\nDecoded message is \"0\" | Enters a sleep-retry loop and beacons again after 60 seconds. After 20 consecutive \"0\" responses, the sleep interval increases to 20 minutes.\r\nDecoded message is \"1\" | Beacons again after a short sleep of 10 seconds.\r\nTable: C\u0026C response info\r\nIf the server's response does not match any of the control commands, the malware parses the message as a download-and-execute command with the following structure:\r\n[command code]|[encrypted file size]|[export name]|[argument]|[MD5 hash of the encrypted file]\r\nIf a message that satisfies the above condition is received, it downloads the encrypted file from the C\u0026C server and executes it.\r\n2.5.3. File Download and Execution\r\nUpon receiving a download-and-execute command, the malware requests the payload from the C\u0026C server. After downloading, it first calculates the MD5 hash of the received encrypted file and compares it against the hash from the command. If the hashes do not match, the download is considered corrupt, and the malware re-enters its sleep-retry loop.\r\nFigure: MD5 hash comparison\r\nIf the hashes match, the malware decrypts the payload using the same ChaCha20 implementation seen in the loader stages, with identical static key, nonce, and counter values.\r\nkey: ad9c5aca9977d04c73be579199a827049b6dd9840091ffe8e23acc05e1d4a657\r\niv: edc9ce049daeba35b8687740\r\ninitial counter value: 1\r\nFigure: ChaCha20 decryption code\r\nFinally, the decrypted payload is loaded into memory. The malware calls the exported function specified in the command, passing the provided argument. After execution completes, it sends the result back to the C\u0026C server and resumes beaconing.\r\nDuring our analysis, the C\u0026C server did not respond with a download-and-execute command, so we were unable to retrieve or analyze any next-stage payloads.\r\n3. Additional Malware Collection and Analysis\r\nTo expand our visibility into the threat actor's infrastructure, we pivoted on known indicators. Using VirusTotal's Relations feature, we searched for other domains serving identical HTTP responses to the C\u0026C server hiremployee[.]com. This analysis identified a second C\u0026C domain: birancearea[.]com.\r\nFigure: VirusTotal Relations tab showing infrastructure overlap between C\u0026C domains\r\nbirancearea[.]com was scanned by VirusTotal in March 2025. We found an associated Comebacker sample that communicates with this domain, with the following hash:\r\nf2b3867aa06fb38d1505b3c2b9e523d83f906995dcdd1bb384a1087b385bfc50\r\n3.1. Comebacker Stage 1 Loader\r\nThis loader is a DLL file that functions as the first stage in this alternate infection chain. It was first uploaded to VirusTotal in March 2025, and is similar to the Comebacker loader that was embedded in PyPI packages and distributed in 2024, including the HC256 implementation and usage, as well as the code that executes the decrypted payload.\r\nUpon execution, the loader checks whether the command line includes the specific argument \"9Ez6THDirL6Zye4\". If this argument is not present, the process terminates. This check indicates the loader is designed to be executed by a preceding dropper or script, which we were unable to obtain.\r\nFigure: Command-line argument check\r\nIf the argument is present, the loader decrypts an embedded payload using the HC256 stream cipher. The hardcoded key/IV are identical to those used in the Comebacker loaders distributed via malicious PyPI packages in 2024.\r\nkey, iv: LH*x239udC\u003c*sd_Sej%lOa0$\u0026ujHl(.R\r\nFigure: HC256 code in the March 2025 Comebacker loader\r\nFigure: HC256 code in a 2024 PyPI-distributed sample\r\nA Python script to decrypt the payload is available in Appendix C, under “HC256 Decryption Script”.\r\nAfter decryption and decompression, the loader writes the next stage to C:\\ProgramData\\USOShared\\USOInfo.dat and executes it using rundll32.exe. It calls the GetSysStartTime export with two arguments: \"dfgdfg\" and \"G3z!X97k7QrwG\".\r\nFigure: Execution of USOInfo.dat via rundll32.exe\r\n3.2. Comebacker Stage 2 Loader – USOInfo.dat\r\nUSOInfo.dat is the in-memory loader for this variant, analogous to USOPrivate.dll from the first infection chain. It begins by validating its command-line arguments, checking for \"G3z!X97k7QrwG\".\r\nIf the argument check succeeds, it decrypts its embedded payload. This stage again uses the HC256 stream cipher, but with a different, unique key and IV pair.\r\nkey, iv: 6w6ZT9|a-0}s$@;(@\u0026#jPVC4o+V?1IU%\r\nFigure: Argument check and HC256 decryption in USOInfo.dat\r\nFollowing decryption and decompression, the loader loads the final payload into memory. It then calls the payload's GetWindowSizedW export with the argument \"3718\".\r\nThe final payload is Comebacker, with functionality identical to the Comebacker detailed in Section 2.5.\r\n4. Attack Evolution\r\n4.1. Decryption Process\r\nThe Comebacker variant described in the 2021 Google Threat Analysis Group report decrypted its payload using either RC4 or HC256 with the same key and IV.\r\nFigure: Decryption code in the sample from the Google and Microsoft reports: a75886b016d84c3eaacaf01a3c61e04953a7a3adf38acf77a4a2e3a8f544f855\r\nThe variant distributed in 2024 via PyPI packages and the variant discovered in March 2025 consistently used HC256 with identical keys and IVs.\r\nFigure: Decryption code in JPCERT's report on Comebacker distributed as pycryptoenv\r\nThe newly identified variant deviates from this by introducing a custom XOR/bit-swap algorithm for the initial dropper stage and adopting ChaCha20 for subsequent loader stages.\r\nFigure: ChaCha20 decryption code in the new variant\r\n4.2. Communications Encryption\r\nPast Comebacker variants communicated with their C2 servers in plaintext, including the samples from the 2021 security researcher campaign and the 2024 PyPI campaign.\r\nFigure: Communication code in JPCERT's report on Comebacker distributed as pycryptoenv\r\nThe variants observed since March 2025 introduce encrypted C2 communications, using AES-128-CBC to encrypt C\u0026C traffic.\r\nFigure: AES-128-CBC code in newer variants\r\n4.3. Distribution Process\r\nComebacker, first reported by Google's Threat Analysis Group, was employed in a campaign targeting security researchers with themes of vulnerability research collaboration. The attacker used Visual Studio projects that contained malicious Visual Studio Build Events. In addition, they carried out attacks using an Internet Explorer 0-day. At the time, we published analysis of the exploit on our blog. We have since translated the post to English.\r\nFigure: Attacker activity in the 2021 campaign targeting security researchers (Source: Google TAG)\r\nIn 2024, the actor published malicious packages to PyPI, using typosquatting tactics to target developers.\r\nFigure: pycryptoconf package used to distribute Comebacker in 2024 (Source: JPCERT/CC)\r\nWhile we could not determine the distribution vector for the March 2025 sample, the lure documents from the most recent activity provide strong clues. The documents impersonate specific organizations in the aerospace and defense sector (Edge Group, IIT Kanpur, Airbus) and contain tailored content. This deliberate crafting of decoys for specific targets is a hallmark of spear phishing campaigns aimed at a small set of victims.\r\n5. Conclusion\r\nThis report details a recent espionage campaign conducted by the DPRK-nexus threat actor Lazarus Group against the aerospace and defense sectors. The campaign leverages a new variant of the Comebacker backdoor, demonstrating the actor's continued refinement of its malware arsenal.\r\nThe actor's use of highly specific lure documents indicates that this is a targeted spear phishing campaign. Although there are no reports of victims so far, the C2 infrastructure remains active at the time of this publication. Organizations in the aerospace, defense, and research sectors should remain vigilant for phishing attempts and ensure they have robust defenses against macro-based threats.\r\n6. Appendix\r\nAppendix A. MITRE ATT\u0026CK\r\nAppendix B. IOCs\r\nsha256\r\nb7d625679fbcc86510119920ffdd6d21005427bf49c015697c69ae1ee27e6bab - docx file\r\n046caa2db6cd14509741890e971ddc8c64ef4cc0e369bd5ba039c40c907d1a1f - docx file\r\n14213c013d79ea4bc8309f730e26d52ff23c10654197b8d2d10c82bbbcd88382 - docx file\r\nb357b3882cf8107b1cb59015c4be3e0b8b4de80fd7b80ce3cd05081cd3f6a8ff - docx file\r\n7e61c884ce5207839e0df7a22f08f0ab7d483bfa1828090aa260a2f14a0c942c - wpsoffice_aam.ocx\r\nc4a5179a42d9ff2774f7f1f937086c88c4bc7c098963b82cc28a2d41c4449f9e - USOPrivate.dll\r\nf2b3867aa06fb38d1505b3c2b9e523d83f906995dcdd1bb384a1087b385bfc50 - Comebacker Loader\r\n96b973e577458e5b912715171070c0a0171a3e02154eff487a2dcea4da9fb149 - USOInfo.dat\r\nC\u0026C\r\nhxxps://birancearea[.]com/adminv2\r\nhxxps://hiremployee[.]com\r\nOpen Directory C\u0026C\r\noffice-theme[.]com\r\naes key\r\nx!P\u003c\u0026}mjH2YHRQ',\r\nchacha20 key\r\nad9c5aca9977d04c73be579199a827049b6dd9840091ffe8e23acc05e1d4a657\r\nHC256 key\r\nLH*x239udC\u003c*sd_Sej%lOa0$\u0026ujHl(.R\r\n6w6ZT9|a-0}s$@;(@\u0026#jPVC4o+V?1IU%\r\nAppendix C. Decryption Scripts\r\nComebacker Dropper Decryption Script\r\nComebacker Stage 1 Loader Decryption Script\r\nComebacker C\u0026C Data Decryption Script\r\nHC256 Decryption Script\r\nSource: https://www.enki.co.kr/en/media-center/blog/lazarus-group-targets-aerospace-and-defense-with-new-comebacker-variant",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://www.enki.co.kr/en/media-center/blog/lazarus-group-targets-aerospace-and-defense-with-new-comebacker-variant"
	],
	"report_names": [
		"lazarus-group-targets-aerospace-and-defense-with-new-comebacker-variant"
	],
	"threat_actors": [
		{
			"id": "34eea331-d052-4096-ae03-a22f1d090bd4",
			"created_at": "2025-08-07T02:03:25.073494Z",
			"updated_at": "2026-04-10T02:00:03.709243Z",
			"deleted_at": null,
			"main_name": "NICKEL ACADEMY",
			"aliases": [
				"ATK3 ",
				"Black Artemis ",
				"COVELLITE ",
				"CTG-2460 ",
				"Citrine Sleet ",
				"Diamond Sleet ",
				"Guardians of Peace",
				"HIDDEN COBRA ",
				"High Anonymous",
				"Labyrinth Chollima ",
				"Lazarus Group ",
				"NNPT Group",
				"New Romanic Cyber Army Team",
				"Temp.Hermit ",
				"UNC577 ",
				"Who Am I?",
				"Whois Team",
				"ZINC "
			],
			"source_name": "Secureworks:NICKEL ACADEMY",
			"tools": [
				"Destover",
				"KorHigh",
				"Volgmer"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "732597b1-40a8-474c-88cc-eb8a421c29f1",
			"created_at": "2025-08-07T02:03:25.087732Z",
			"updated_at": "2026-04-10T02:00:03.776007Z",
			"deleted_at": null,
			"main_name": "NICKEL GLADSTONE",
			"aliases": [
				"APT38 ",
				"ATK 117 ",
				"Alluring Pisces ",
				"Black Alicanto ",
				"Bluenoroff ",
				"CTG-6459 ",
				"Citrine Sleet ",
				"HIDDEN COBRA ",
				"Lazarus Group",
				"Sapphire Sleet ",
				"Selective Pisces ",
				"Stardust Chollima ",
				"T-APT-15 ",
				"TA444 ",
				"TAG-71 "
			],
			"source_name": "Secureworks:NICKEL GLADSTONE",
			"tools": [
				"AlphaNC",
				"Bankshot",
				"CCGC_Proxy",
				"Ratankba",
				"RustBucket",
				"SUGARLOADER",
				"SwiftLoader",
				"Wcry"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "a2b92056-9378-4749-926b-7e10c4500dac",
			"created_at": "2023-01-06T13:46:38.430595Z",
			"updated_at": "2026-04-10T02:00:02.971571Z",
			"deleted_at": null,
			"main_name": "Lazarus Group",
			"aliases": [
				"Operation DarkSeoul",
				"Bureau 121",
				"Group 77",
				"APT38",
				"NICKEL GLADSTONE",
				"G0082",
				"COPERNICIUM",
				"Moonstone Sleet",
				"Operation GhostSecret",
				"APT 38",
				"Appleworm",
				"Unit 121",
				"ATK3",
				"G0032",
				"ATK117",
				"NewRomanic Cyber Army Team",
				"Nickel Academy",
				"Sapphire Sleet",
				"Lazarus group",
				"Hastati Group",
				"Subgroup: Bluenoroff",
				"Operation Troy",
				"Black Artemis",
				"Dark Seoul",
				"Andariel",
				"Labyrinth Chollima",
				"Operation AppleJeus",
				"COVELLITE",
				"Citrine Sleet",
				"DEV-0139",
				"DEV-1222",
				"Hidden Cobra",
				"Bluenoroff",
				"Stardust Chollima",
				"Whois Hacking Team",
				"Diamond Sleet",
				"TA404",
				"BeagleBoyz",
				"APT-C-26"
			],
			"source_name": "MISPGALAXY:Lazarus Group",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "32a223a8-3c79-4146-87c5-8557d38662ae",
			"created_at": "2022-10-25T15:50:23.703698Z",
			"updated_at": "2026-04-10T02:00:05.261989Z",
			"deleted_at": null,
			"main_name": "Lazarus Group",
			"aliases": [
				"Lazarus Group",
				"Labyrinth Chollima",
				"HIDDEN COBRA",
				"Guardians of Peace",
				"NICKEL ACADEMY",
				"Diamond Sleet"
			],
			"source_name": "MITRE:Lazarus Group",
			"tools": [
				"RawDisk",
				"Proxysvc",
				"BADCALL",
				"FALLCHILL",
				"WannaCry",
				"MagicRAT",
				"HOPLIGHT",
				"TYPEFRAME",
				"Dtrack",
				"HotCroissant",
				"HARDRAIN",
				"Dacls",
				"KEYMARBLE",
				"TAINTEDSCRIBE",
				"AuditCred",
				"netsh",
				"ECCENTRICBANDWAGON",
				"AppleJeus",
				"BLINDINGCAN",
				"ThreatNeedle",
				"Volgmer",
				"Cryptoistic",
				"RATANKBA",
				"Bankshot"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "f32df445-9fb4-4234-99e0-3561f6498e4e",
			"created_at": "2022-10-25T16:07:23.756373Z",
			"updated_at": "2026-04-10T02:00:04.739611Z",
			"deleted_at": null,
			"main_name": "Lazarus Group",
			"aliases": [
				"APT-C-26",
				"ATK 3",
				"Appleworm",
				"Citrine Sleet",
				"DEV-0139",
				"Diamond Sleet",
				"G0032",
				"Gleaming Pisces",
				"Gods Apostles",
				"Gods Disciples",
				"Group 77",
				"Guardians of Peace",
				"Hastati Group",
				"Hidden Cobra",
				"ITG03",
				"Jade Sleet",
				"Labyrinth Chollima",
				"Lazarus Group",
				"NewRomanic Cyber Army Team",
				"Operation 99",
				"Operation AppleJeus",
				"Operation AppleJeus sequel",
				"Operation Blockbuster: Breach of Sony Pictures Entertainment",
				"Operation CryptoCore",
				"Operation Dream Job",
				"Operation Dream Magic",
				"Operation Flame",
				"Operation GhostSecret",
				"Operation In(ter)caption",
				"Operation LolZarus",
				"Operation Marstech Mayhem",
				"Operation No Pineapple!",
				"Operation North Star",
				"Operation Phantom Circuit",
				"Operation Sharpshooter",
				"Operation SyncHole",
				"Operation Ten Days of Rain / DarkSeoul",
				"Operation Troy",
				"SectorA01",
				"Slow Pisces",
				"TA404",
				"TraderTraitor",
				"UNC2970",
				"UNC4034",
				"UNC4736",
				"UNC4899",
				"UNC577",
				"Whois Hacking Team"
			],
			"source_name": "ETDA:Lazarus Group",
			"tools": [
				"3CX Backdoor",
				"3Rat Client",
				"3proxy",
				"AIRDRY",
				"ARTFULPIE",
				"ATMDtrack",
				"AlphaNC",
				"Alreay",
				"Andaratm",
				"AngryRebel",
				"AppleJeus",
				"Aryan",
				"AuditCred",
				"BADCALL",
				"BISTROMATH",
				"BLINDINGCAN",
				"BTC Changer",
				"BUFFETLINE",
				"BanSwift",
				"Bankshot",
				"Bitrep",
				"Bitsran",
				"BlindToad",
				"Bookcode",
				"BootWreck",
				"BottomLoader",
				"Brambul",
				"BravoNC",
				"Breut",
				"COLDCAT",
				"COPPERHEDGE",
				"CROWDEDFLOUNDER",
				"Castov",
				"CheeseTray",
				"CleanToad",
				"ClientTraficForwarder",
				"CollectionRAT",
				"Concealment Troy",
				"Contopee",
				"CookieTime",
				"Cyruslish",
				"DAVESHELL",
				"DBLL Dropper",
				"DLRAT",
				"DRATzarus",
				"DRATzarus RAT",
				"Dacls",
				"Dacls RAT",
				"DarkComet",
				"DarkKomet",
				"DeltaCharlie",
				"DeltaNC",
				"Dembr",
				"Destover",
				"DoublePulsar",
				"Dozer",
				"Dtrack",
				"Duuzer",
				"DyePack",
				"ECCENTRICBANDWAGON",
				"ELECTRICFISH",
				"Escad",
				"EternalBlue",
				"FALLCHILL",
				"FYNLOS",
				"FallChill RAT",
				"Farfli",
				"Fimlis",
				"FoggyBrass",
				"FudModule",
				"Fynloski",
				"Gh0st RAT",
				"Ghost RAT",
				"Gopuram",
				"HARDRAIN",
				"HIDDEN COBRA RAT/Worm",
				"HLOADER",
				"HOOKSHOT",
				"HOPLIGHT",
				"HOTCROISSANT",
				"HOTWAX",
				"HTTP Troy",
				"Hawup",
				"Hawup RAT",
				"Hermes",
				"HotCroissant",
				"HotelAlfa",
				"Hotwax",
				"HtDnDownLoader",
				"Http Dr0pper",
				"ICONICSTEALER",
				"Joanap",
				"Jokra",
				"KANDYKORN",
				"KEYMARBLE",
				"Kaos",
				"KillDisk",
				"KillMBR",
				"Koredos",
				"Krademok",
				"LIGHTSHIFT",
				"LIGHTSHOW",
				"LOLBAS",
				"LOLBins",
				"Lazarus",
				"LightlessCan",
				"Living off the Land",
				"MATA",
				"MBRkiller",
				"MagicRAT",
				"Manuscrypt",
				"Mimail",
				"Mimikatz",
				"Moudour",
				"Mydoom",
				"Mydoor",
				"Mytob",
				"NACHOCHEESE",
				"NachoCheese",
				"NestEgg",
				"NickelLoader",
				"NineRAT",
				"Novarg",
				"NukeSped",
				"OpBlockBuster",
				"PCRat",
				"PEBBLEDASH",
				"PLANKWALK",
				"POOLRAT",
				"PSLogger",
				"PhanDoor",
				"Plink",
				"PondRAT",
				"PowerBrace",
				"PowerRatankba",
				"PowerShell RAT",
				"PowerSpritz",
				"PowerTask",
				"Preft",
				"ProcDump",
				"Proxysvc",
				"PuTTY Link",
				"QUICKRIDE",
				"QUICKRIDE.POWER",
				"Quickcafe",
				"QuiteRAT",
				"R-C1",
				"ROptimizer",
				"Ratabanka",
				"RatabankaPOS",
				"Ratankba",
				"RatankbaPOS",
				"RawDisk",
				"RedShawl",
				"Rifdoor",
				"Rising Sun",
				"Romeo-CoreOne",
				"RomeoAlfa",
				"RomeoBravo",
				"RomeoCharlie",
				"RomeoCore",
				"RomeoDelta",
				"RomeoEcho",
				"RomeoFoxtrot",
				"RomeoGolf",
				"RomeoHotel",
				"RomeoMike",
				"RomeoNovember",
				"RomeoWhiskey",
				"Romeos",
				"RustBucket",
				"SHADYCAT",
				"SHARPKNOT",
				"SIGFLIP",
				"SIMPLESEA",
				"SLICKSHOES",
				"SORRYBRUTE",
				"SUDDENICON",
				"SUGARLOADER",
				"SheepRAT",
				"SierraAlfa",
				"SierraBravo",
				"SierraCharlie",
				"SierraJuliett-MikeOne",
				"SierraJuliett-MikeTwo",
				"SimpleTea",
				"SimplexTea",
				"SmallTiger",
				"Stunnel",
				"TAINTEDSCRIBE",
				"TAXHAUL",
				"TFlower",
				"TOUCHKEY",
				"TOUCHMOVE",
				"TOUCHSHIFT",
				"TOUCHSHOT",
				"TWOPENCE",
				"TYPEFRAME",
				"Tdrop",
				"Tdrop2",
				"ThreatNeedle",
				"Tiger RAT",
				"TigerRAT",
				"Trojan Manuscript",
				"Troy",
				"TroyRAT",
				"VEILEDSIGNAL",
				"VHD",
				"VHD Ransomware",
				"VIVACIOUSGIFT",
				"VSingle",
				"ValeforBeta",
				"Volgmer",
				"Vyveva",
				"W1_RAT",
				"Wana Decrypt0r",
				"WanaCry",
				"WanaCrypt",
				"WanaCrypt0r",
				"WannaCry",
				"WannaCrypt",
				"WannaCryptor",
				"WbBot",
				"Wcry",
				"Win32/KillDisk.NBB",
				"Win32/KillDisk.NBC",
				"Win32/KillDisk.NBD",
				"Win32/KillDisk.NBH",
				"Win32/KillDisk.NBI",
				"WinorDLL64",
				"Winsec",
				"WolfRAT",
				"Wormhole",
				"YamaBot",
				"Yort",
				"ZetaNile",
				"concealment_troy",
				"http_troy",
				"httpdr0pper",
				"httpdropper",
				"klovbot",
				"sRDI"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434767,
	"ts_updated_at": 1775826754,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/8e45ace6b47019c13c76b9a68cc5e86a2127fff6.pdf",
		"text": "https://archive.orkl.eu/8e45ace6b47019c13c76b9a68cc5e86a2127fff6.txt",
		"img": "https://archive.orkl.eu/8e45ace6b47019c13c76b9a68cc5e86a2127fff6.jpg"
	}
}