{
	"id": "ed471a85-010b-465a-abdc-a49d8865ade6",
	"created_at": "2026-04-06T00:20:21.312116Z",
	"updated_at": "2026-04-10T03:38:19.075802Z",
	"deleted_at": null,
	"sha1_hash": "a01e7b9556b2b4e0bb6553877a389595b0bbbd26",
	"title": "Lazarus Group Targeting Windows IIS Web Servers - ASEC",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1387602,
	"plain_text": "Lazarus Group Targeting Windows IIS Web Servers - ASEC\r\nBy ATCP\r\nPublished: 2023-05-16 · Archived: 2026-04-05 15:46:19 UTC\r\nAhnLab Security Emergency response Center (ASEC) has recently confirmed the Lazarus group, a group known to receive support on a national scale, carrying out attacks against Windows IIS web servers. Ordinarily, when threat actors perform a scan and find a web server with a vulnerable version, they use the vulnerability suitable for the version to install a web shell or execute malicious commands. The AhnLab Smart Defense (ASD) log displayed below in Figure 1 shows that Windows server systems are being targeted for attacks, and malicious behaviors are being carried out through w3wp.exe, an IIS web server process. Therefore, it can be assumed that the threat actor uses poorly managed or vulnerable web servers as their initial breach routes before executing their malicious commands later.\r\nThe threat actor places a malicious DLL (msvcr100.dll) in the same folder path as a normal application (Wordconv.exe) via the Windows IIS web server process, w3wp.exe. They then execute the normal application to initiate the execution of the malicious DLL. In MITRE ATT\u0026CK, this method of attack is categorized as the DLL side-loading (T1574.002) technique.\r\nhttps://asec.ahnlab.com/en/53132/\r\nPage 1 of 7\r\nThe Lazarus group’s use of the DLL side-loading technique to run malware has been confirmed many times already. The threat actor has been continuously changing the name of the normal process used in the DLL side-loading technique. This post will cover the DLL side-loading technique used by the threat actor during their initial infiltration process as well as their follow-up behaviors.\r\n1. Initial Infiltration: DLL Side-Loading Using Windows IIS Web Servers (Wordconv.exe, msvcr100.dll)\r\nThe threat actor creates Wordconv.exe, msvcr100.dll, and msvcr100.dat through the Windows IIS web server process (w3wp.exe) before executing Wordconv.exe. As shown in the below figure, msvcr100.dll is contained within the import DLL list of Wordconv.exe, so the first DLL file that is loaded when Wordconv.exe is executed is determined by the DLL search priority of the operating system. As a result, the malicious msvcr100.dll is run in the memory of the Wordconv.exe process.\r\nAs can be seen in the below Figure 3, msvcr100.dll decrypts an encoded PE file (msvcr100.dat) with the Salsa20 algorithm, using the key (df2bsr2rob5s1f8788yk6ddi4x0wz1jq) that is passed as a command-line argument when Wordconv.exe is executed. The decrypted PE file is then executed in memory. Afterwards, the malicious DLL module is unloaded through the FreeLibraryAndExitThread WinAPI call before it deletes itself (msvcr100.dll).\r\nAlso, msvcr100.dll is very similar in both appearance and features to the cylvc.dll malware covered in the ASEC Blog post “A Case of Malware Infection by the Lazarus Attack Group Disabling Anti-Malware Programs With the BYOVD Technique”, which was released back in 2022. Thus, it is speculated that msvcr100.dll is a variant of cylvc.dll.\r\nSimilarly to msvcr100.dll, cylvc.dll decrypts the data files with the .dat extension using the Salsa20 algorithm before executing the PE file within the memory space. The PE that was executed within the memory space back in 2022 was a backdoor that communicated with the threat actor’s C\u0026C server.\r\n2. Establishing Foothold and Stealing Certificates\r\nAfter the initial infiltration, the threat actor established a foothold before creating additional malware (diagn.dll) by exploiting the open-source “color picker plugin”, which is a plugin for Notepad++.\r\ndiagn.dll receives a PE file encoded with the RC6 algorithm as an execution argument value, then uses an internally hard-coded key to decrypt the data file and execute the PE file in memory.\r\nRC6 key: 5A 27 A3 E8 91 45 BE 63 34 23 11 4A 77 91 53 31 5F 47 14 E2 FF 75 5F D2 3F 58 55 6C A8 BF 07 A1\r\nThe malicious behavior of the PE file executed in memory is unknown since the PE data file that was encoded during the attack could not be collected, but a log was confirmed through the AhnLab Smart Defense (ASD) infrastructure of the threat actor accessing the memory space of the lsass.exe process through this module. Thus, it is suspected that the threat actor had executed a credential theft tool such as Mimikatz.\r\n3. Lateral Movement\r\nAfter acquiring the system credentials, the threat actor performed internal reconnaissance before utilizing remote access (port 3389) to perform lateral movement into the internal network. No further malicious activities by the threat actor have been uncovered since then.\r\n4. Conclusion and Response\r\nThe Lazarus group used a variety of attack vectors to perform their initial breach, including Log4Shell, a public certificate vulnerability, the 3CX supply chain attack, etc. This group is one of the highly dangerous groups that are actively launching attacks worldwide. Therefore, corporate security managers should utilize attack surface management to identify the assets that could be exposed to threat actors and practice caution by applying the latest security patches whenever possible.\r\nIn particular, since the threat group primarily utilizes the DLL side-loading technique during their initial infiltrations, companies should proactively monitor abnormal process execution relationships and take preemptive measures to prevent the threat group from carrying out activities such as information exfiltration and lateral movement.\r\nAhnLab’s products detect and block the malware identified in the attack case covered in this post using the following aliases.\r\n[File Detection]\r\n– Trojan/Win.LazarLoader.C5427612 (2023.05.15.02)\r\n– Trojan/Win.LazarLoader.C5427613 (2023.05.15.03)\r\nMD5\r\n228732b45ed1ca3cda2b2721f5f5667c\r\n47d380dd587db977bf6458ec767fee3d\r\n4d91cd34a9aae8f2d88e0f77e812cef7\r\ne501bb6762c14baafadbde8b0c04bbd6\r\nURL\r\nhttps[:]//www[.]samdb[.]or[.]kr/info/pinfo[.]aspx\r\nAdditional IOCs are available on AhnLab TIP.\r\nSource: https://asec.ahnlab.com/en/53132/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"references": [
		"https://asec.ahnlab.com/en/53132/"
	],
	"report_names": [
		"53132"
	],
	"threat_actors": [
		{
			"id": "34eea331-d052-4096-ae03-a22f1d090bd4",
			"created_at": "2025-08-07T02:03:25.073494Z",
			"updated_at": "2026-04-10T02:00:03.709243Z",
			"deleted_at": null,
			"main_name": "NICKEL ACADEMY",
			"aliases": [
				"ATK3 ",
				"Black Artemis ",
				"COVELLITE ",
				"CTG-2460 ",
				"Citrine Sleet ",
				"Diamond Sleet ",
				"Guardians of Peace",
				"HIDDEN COBRA ",
				"High Anonymous",
				"Labyrinth Chollima ",
				"Lazarus Group ",
				"NNPT Group",
				"New Romanic Cyber Army Team",
				"Temp.Hermit ",
				"UNC577 ",
				"Who Am I?",
				"Whois Team",
				"ZINC "
			],
			"source_name": "Secureworks:NICKEL ACADEMY",
			"tools": [
				"Destover",
				"KorHigh",
				"Volgmer"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "732597b1-40a8-474c-88cc-eb8a421c29f1",
			"created_at": "2025-08-07T02:03:25.087732Z",
			"updated_at": "2026-04-10T02:00:03.776007Z",
			"deleted_at": null,
			"main_name": "NICKEL GLADSTONE",
			"aliases": [
				"APT38 ",
				"ATK 117 ",
				"Alluring Pisces ",
				"Black Alicanto ",
				"Bluenoroff ",
				"CTG-6459 ",
				"Citrine Sleet ",
				"HIDDEN COBRA ",
				"Lazarus Group",
				"Sapphire Sleet ",
				"Selective Pisces ",
				"Stardust Chollima ",
				"T-APT-15 ",
				"TA444 ",
				"TAG-71 "
			],
			"source_name": "Secureworks:NICKEL GLADSTONE",
			"tools": [
				"AlphaNC",
				"Bankshot",
				"CCGC_Proxy",
				"Ratankba",
				"RustBucket",
				"SUGARLOADER",
				"SwiftLoader",
				"Wcry"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "a2b92056-9378-4749-926b-7e10c4500dac",
			"created_at": "2023-01-06T13:46:38.430595Z",
			"updated_at": "2026-04-10T02:00:02.971571Z",
			"deleted_at": null,
			"main_name": "Lazarus Group",
			"aliases": [
				"Operation DarkSeoul",
				"Bureau 121",
				"Group 77",
				"APT38",
				"NICKEL GLADSTONE",
				"G0082",
				"COPERNICIUM",
				"Moonstone Sleet",
				"Operation GhostSecret",
				"APT 38",
				"Appleworm",
				"Unit 121",
				"ATK3",
				"G0032",
				"ATK117",
				"NewRomanic Cyber Army Team",
				"Nickel Academy",
				"Sapphire Sleet",
				"Lazarus group",
				"Hastati Group",
				"Subgroup: Bluenoroff",
				"Operation Troy",
				"Black Artemis",
				"Dark Seoul",
				"Andariel",
				"Labyrinth Chollima",
				"Operation AppleJeus",
				"COVELLITE",
				"Citrine Sleet",
				"DEV-0139",
				"DEV-1222",
				"Hidden Cobra",
				"Bluenoroff",
				"Stardust Chollima",
				"Whois Hacking Team",
				"Diamond Sleet",
				"TA404",
				"BeagleBoyz",
				"APT-C-26"
			],
			"source_name": "MISPGALAXY:Lazarus Group",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "32a223a8-3c79-4146-87c5-8557d38662ae",
			"created_at": "2022-10-25T15:50:23.703698Z",
			"updated_at": "2026-04-10T02:00:05.261989Z",
			"deleted_at": null,
			"main_name": "Lazarus Group",
			"aliases": [
				"Lazarus Group",
				"Labyrinth Chollima",
				"HIDDEN COBRA",
				"Guardians of Peace",
				"NICKEL ACADEMY",
				"Diamond Sleet"
			],
			"source_name": "MITRE:Lazarus Group",
			"tools": [
				"RawDisk",
				"Proxysvc",
				"BADCALL",
				"FALLCHILL",
				"WannaCry",
				"MagicRAT",
				"HOPLIGHT",
				"TYPEFRAME",
				"Dtrack",
				"HotCroissant",
				"HARDRAIN",
				"Dacls",
				"KEYMARBLE",
				"TAINTEDSCRIBE",
				"AuditCred",
				"netsh",
				"ECCENTRICBANDWAGON",
				"AppleJeus",
				"BLINDINGCAN",
				"ThreatNeedle",
				"Volgmer",
				"Cryptoistic",
				"RATANKBA",
				"Bankshot"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "f32df445-9fb4-4234-99e0-3561f6498e4e",
			"created_at": "2022-10-25T16:07:23.756373Z",
			"updated_at": "2026-04-10T02:00:04.739611Z",
			"deleted_at": null,
			"main_name": "Lazarus Group",
			"aliases": [
				"APT-C-26",
				"ATK 3",
				"Appleworm",
				"Citrine Sleet",
				"DEV-0139",
				"Diamond Sleet",
				"G0032",
				"Gleaming Pisces",
				"Gods Apostles",
				"Gods Disciples",
				"Group 77",
				"Guardians of Peace",
				"Hastati Group",
				"Hidden Cobra",
				"ITG03",
				"Jade Sleet",
				"Labyrinth Chollima",
				"Lazarus Group",
				"NewRomanic Cyber Army Team",
				"Operation 99",
				"Operation AppleJeus",
				"Operation AppleJeus sequel",
				"Operation Blockbuster: Breach of Sony Pictures Entertainment",
				"Operation CryptoCore",
				"Operation Dream Job",
				"Operation Dream Magic",
				"Operation Flame",
				"Operation GhostSecret",
				"Operation In(ter)caption",
				"Operation LolZarus",
				"Operation Marstech Mayhem",
				"Operation No Pineapple!",
				"Operation North Star",
				"Operation Phantom Circuit",
				"Operation Sharpshooter",
				"Operation SyncHole",
				"Operation Ten Days of Rain / DarkSeoul",
				"Operation Troy",
				"SectorA01",
				"Slow Pisces",
				"TA404",
				"TraderTraitor",
				"UNC2970",
				"UNC4034",
				"UNC4736",
				"UNC4899",
				"UNC577",
				"Whois Hacking Team"
			],
			"source_name": "ETDA:Lazarus Group",
			"tools": [
				"3CX Backdoor",
				"3Rat Client",
				"3proxy",
				"AIRDRY",
				"ARTFULPIE",
				"ATMDtrack",
				"AlphaNC",
				"Alreay",
				"Andaratm",
				"AngryRebel",
				"AppleJeus",
				"Aryan",
				"AuditCred",
				"BADCALL",
				"BISTROMATH",
				"BLINDINGCAN",
				"BTC Changer",
				"BUFFETLINE",
				"BanSwift",
				"Bankshot",
				"Bitrep",
				"Bitsran",
				"BlindToad",
				"Bookcode",
				"BootWreck",
				"BottomLoader",
				"Brambul",
				"BravoNC",
				"Breut",
				"COLDCAT",
				"COPPERHEDGE",
				"CROWDEDFLOUNDER",
				"Castov",
				"CheeseTray",
				"CleanToad",
				"ClientTraficForwarder",
				"CollectionRAT",
				"Concealment Troy",
				"Contopee",
				"CookieTime",
				"Cyruslish",
				"DAVESHELL",
				"DBLL Dropper",
				"DLRAT",
				"DRATzarus",
				"DRATzarus RAT",
				"Dacls",
				"Dacls RAT",
				"DarkComet",
				"DarkKomet",
				"DeltaCharlie",
				"DeltaNC",
				"Dembr",
				"Destover",
				"DoublePulsar",
				"Dozer",
				"Dtrack",
				"Duuzer",
				"DyePack",
				"ECCENTRICBANDWAGON",
				"ELECTRICFISH",
				"Escad",
				"EternalBlue",
				"FALLCHILL",
				"FYNLOS",
				"FallChill RAT",
				"Farfli",
				"Fimlis",
				"FoggyBrass",
				"FudModule",
				"Fynloski",
				"Gh0st RAT",
				"Ghost RAT",
				"Gopuram",
				"HARDRAIN",
				"HIDDEN COBRA RAT/Worm",
				"HLOADER",
				"HOOKSHOT",
				"HOPLIGHT",
				"HOTCROISSANT",
				"HOTWAX",
				"HTTP Troy",
				"Hawup",
				"Hawup RAT",
				"Hermes",
				"HotCroissant",
				"HotelAlfa",
				"Hotwax",
				"HtDnDownLoader",
				"Http Dr0pper",
				"ICONICSTEALER",
				"Joanap",
				"Jokra",
				"KANDYKORN",
				"KEYMARBLE",
				"Kaos",
				"KillDisk",
				"KillMBR",
				"Koredos",
				"Krademok",
				"LIGHTSHIFT",
				"LIGHTSHOW",
				"LOLBAS",
				"LOLBins",
				"Lazarus",
				"LightlessCan",
				"Living off the Land",
				"MATA",
				"MBRkiller",
				"MagicRAT",
				"Manuscrypt",
				"Mimail",
				"Mimikatz",
				"Moudour",
				"Mydoom",
				"Mydoor",
				"Mytob",
				"NACHOCHEESE",
				"NachoCheese",
				"NestEgg",
				"NickelLoader",
				"NineRAT",
				"Novarg",
				"NukeSped",
				"OpBlockBuster",
				"PCRat",
				"PEBBLEDASH",
				"PLANKWALK",
				"POOLRAT",
				"PSLogger",
				"PhanDoor",
				"Plink",
				"PondRAT",
				"PowerBrace",
				"PowerRatankba",
				"PowerShell RAT",
				"PowerSpritz",
				"PowerTask",
				"Preft",
				"ProcDump",
				"Proxysvc",
				"PuTTY Link",
				"QUICKRIDE",
				"QUICKRIDE.POWER",
				"Quickcafe",
				"QuiteRAT",
				"R-C1",
				"ROptimizer",
				"Ratabanka",
				"RatabankaPOS",
				"Ratankba",
				"RatankbaPOS",
				"RawDisk",
				"RedShawl",
				"Rifdoor",
				"Rising Sun",
				"Romeo-CoreOne",
				"RomeoAlfa",
				"RomeoBravo",
				"RomeoCharlie",
				"RomeoCore",
				"RomeoDelta",
				"RomeoEcho",
				"RomeoFoxtrot",
				"RomeoGolf",
				"RomeoHotel",
				"RomeoMike",
				"RomeoNovember",
				"RomeoWhiskey",
				"Romeos",
				"RustBucket",
				"SHADYCAT",
				"SHARPKNOT",
				"SIGFLIP",
				"SIMPLESEA",
				"SLICKSHOES",
				"SORRYBRUTE",
				"SUDDENICON",
				"SUGARLOADER",
				"SheepRAT",
				"SierraAlfa",
				"SierraBravo",
				"SierraCharlie",
				"SierraJuliett-MikeOne",
				"SierraJuliett-MikeTwo",
				"SimpleTea",
				"SimplexTea",
				"SmallTiger",
				"Stunnel",
				"TAINTEDSCRIBE",
				"TAXHAUL",
				"TFlower",
				"TOUCHKEY",
				"TOUCHMOVE",
				"TOUCHSHIFT",
				"TOUCHSHOT",
				"TWOPENCE",
				"TYPEFRAME",
				"Tdrop",
				"Tdrop2",
				"ThreatNeedle",
				"Tiger RAT",
				"TigerRAT",
				"Trojan Manuscript",
				"Troy",
				"TroyRAT",
				"VEILEDSIGNAL",
				"VHD",
				"VHD Ransomware",
				"VIVACIOUSGIFT",
				"VSingle",
				"ValeforBeta",
				"Volgmer",
				"Vyveva",
				"W1_RAT",
				"Wana Decrypt0r",
				"WanaCry",
				"WanaCrypt",
				"WanaCrypt0r",
				"WannaCry",
				"WannaCrypt",
				"WannaCryptor",
				"WbBot",
				"Wcry",
				"Win32/KillDisk.NBB",
				"Win32/KillDisk.NBC",
				"Win32/KillDisk.NBD",
				"Win32/KillDisk.NBH",
				"Win32/KillDisk.NBI",
				"WinorDLL64",
				"Winsec",
				"WolfRAT",
				"Wormhole",
				"YamaBot",
				"Yort",
				"ZetaNile",
				"concealment_troy",
				"http_troy",
				"httpdr0pper",
				"httpdropper",
				"klovbot",
				"sRDI"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434821,
	"ts_updated_at": 1775792299,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/a01e7b9556b2b4e0bb6553877a389595b0bbbd26.pdf",
		"text": "https://archive.orkl.eu/a01e7b9556b2b4e0bb6553877a389595b0bbbd26.txt",
		"img": "https://archive.orkl.eu/a01e7b9556b2b4e0bb6553877a389595b0bbbd26.jpg"
	}
}