{
	"id": "afc31a5f-596e-4649-9953-88a207a6df97",
	"created_at": "2026-04-06T00:14:39.690825Z",
	"updated_at": "2026-04-10T03:24:03.733855Z",
	"deleted_at": null,
	"sha1_hash": "8fbc8e2198cb0a2037ad3038972fe7c24290baa1",
	"title": "Lazarus hackers target researchers with trojanized IDA Pro",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 4571872,
	"plain_text": "Lazarus hackers target researchers with trojanized IDA Pro\r\nBy Lawrence Abrams\r\nPublished: 2021-11-10 · Archived: 2026-04-05 13:52:28 UTC\r\nA North Korean state-sponsored hacking group known as Lazarus is again trying to hack security researchers, this time with a trojanized pirated version of the popular IDA Pro reverse engineering application.\r\nIDA Pro is an application that converts an executable into assembly language, allowing security researchers and programmers to analyze how a program works and discover potential bugs.\r\nSecurity researchers commonly use IDA to analyze legitimate software for vulnerabilities and malware to determine what malicious behavior it performs.\r\nhttps://www.bleepingcomputer.com/news/security/lazarus-hackers-target-researchers-with-trojanized-ida-pro/\r\nPage 1 of 6\r\nHowever, as IDA Pro is an expensive application, some researchers download a pirated cracked version instead of purchasing it.\r\nAs with any pirated software, there is always the risk of it being modified to include malicious executables, which is precisely what ESET researcher Anton Cherepanov discovered in a pirated version of IDA Pro distributed by the Lazarus hacking group.\r\nTrojanized IDA Pro targets security researchers\r\nToday, ESET tweeted about a malicious version of IDA Pro 7.5 discovered by Cherepanov that is being distributed online to target security researchers.\r\nThis IDA installer has been modified to include two malicious DLLs named idahelp.dll and win_fw.dll that will be executed when the program is installed.\r\nMalicious DLLs added to pirated IDA Pro\r\nSource: ESET\r\nThe win_fw.dll file will create a new task in the Windows Task Scheduler that launches the idahelper.dll program.\r\nNew SRCheck scheduled task created by win_fw.dll\r\nSource: ESET\r\nThe idahelper.dll will then connect to the devguardmap[.]org site and download payloads believed to be the NukeSped remote access trojan. The installed RAT will allow the threat actors to gain access to the security researcher's device to steal files, take screenshots, log keystrokes, or execute further commands.\r\n\"Based on the domain and trojanized application, we attribute this malware to known Lazarus activity, previously reported by Google's Threat Analysis Group and Microsoft,\" ESET tweeted regarding the connection to Lazarus.\r\nCherepanov told BleepingComputer that while he does not know how the installer is being distributed, it was discovered recently and appears to have been distributed since Q1 2020.\r\nLazarus has a history of targeting researchers\r\nThe Lazarus hacking group, also known as Zinc by Microsoft, has a long history of targeting security researchers with backdoors and remote access trojans.\r\nIn January, Google disclosed that Lazarus conducted a social media campaign to create fake personas pretending to be vulnerability researchers.\r\nFake online security researcher personas\r\nUsing these personas, the hacking group would contact other security researchers about potential collaboration in vulnerability research.\r\nAfter establishing contact with a researcher, the hackers would send Visual Studio projects related to an alleged 'vulnerability,' which contained a malicious hidden DLL named 'vcxproj.suo.'\r\nWhen the researcher attempted to build the project, a pre-build event would execute the DLL, which acted as a custom backdoor installed on the researcher's device.\r\nOther Lazarus attacks also used an Internet Explorer zero-day to deploy malware on security researchers' devices when they visited links sent by the attackers.\r\nExploiting the Lazarus zero-day in Internet Explorer\r\nWhile it was never determined what the ultimate goal was for these attacks, it was likely to steal undisclosed security vulnerabilities and exploits that the hacking group could use in their own attacks.\r\nSource: https://www.bleepingcomputer.com/news/security/lazarus-hackers-target-researchers-with-trojanized-ida-pro/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"references": [
		"https://www.bleepingcomputer.com/news/security/lazarus-hackers-target-researchers-with-trojanized-ida-pro/"
	],
	"report_names": [
		"lazarus-hackers-target-researchers-with-trojanized-ida-pro"
	],
	"threat_actors": [
		{
			"id": "34eea331-d052-4096-ae03-a22f1d090bd4",
			"created_at": "2025-08-07T02:03:25.073494Z",
			"updated_at": "2026-04-10T02:00:03.709243Z",
			"deleted_at": null,
			"main_name": "NICKEL ACADEMY",
			"aliases": [
				"ATK3 ",
				"Black Artemis ",
				"COVELLITE ",
				"CTG-2460 ",
				"Citrine Sleet ",
				"Diamond Sleet ",
				"Guardians of Peace",
				"HIDDEN COBRA ",
				"High Anonymous",
				"Labyrinth Chollima ",
				"Lazarus Group ",
				"NNPT Group",
				"New Romanic Cyber Army Team",
				"Temp.Hermit ",
				"UNC577 ",
				"Who Am I?",
				"Whois Team",
				"ZINC "
			],
			"source_name": "Secureworks:NICKEL ACADEMY",
			"tools": [
				"Destover",
				"KorHigh",
				"Volgmer"
			],
			"source_id": "Secureworks",
			"reports": null
		}
	],
	"ts_created_at": 1775434479,
	"ts_updated_at": 1775791443,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/8fbc8e2198cb0a2037ad3038972fe7c24290baa1.pdf",
		"text": "https://archive.orkl.eu/8fbc8e2198cb0a2037ad3038972fe7c24290baa1.txt",
		"img": "https://archive.orkl.eu/8fbc8e2198cb0a2037ad3038972fe7c24290baa1.jpg"
	}
}