{
	"id": "7dee26ee-7533-4b67-9fec-a436a936cd40",
	"created_at": "2026-04-06T00:12:23.859267Z",
	"updated_at": "2026-04-10T03:38:19.704787Z",
	"deleted_at": null,
	"sha1_hash": "a09d995579ea00e584c36136d2705ce683a64056",
	"title": "A cascade of compromise: unveiling Lazarus’ new campaign",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 2617834,
	"plain_text": "A cascade of compromise: unveiling Lazarus’ new campaign\r\nBy Seongsu Park\r\nPublished: 2023-10-27 · Archived: 2026-04-05 21:50:39 UTC\r\nAPT reports\r\nAPT reports\r\n27 Oct 2023\r\n 9 minute read\r\n Seongsu Park\r\nhttps://securelist.com/unveiling-lazarus-new-campaign/110888/\r\nPage 1 of 14\n\nEarlier this year, a software vendor was compromised by the Lazarus malware delivered through unpatched\r\nlegitimate software. What’s remarkable is that these software vulnerabilities were not new, and despite warnings\r\nand patches from the vendor, many of the vendor’s systems continued to use the flawed software, allowing the\r\nthreat actor to exploit them. Fortunately, a proactive response by us detected an attack on another vendor and\r\neffectively thwarted the attacker’s efforts.\r\nUpon further investigation, we discovered that the software vendor that developed the exploited software had\r\npreviously fallen victim to Lazarus several times. This recurring breach suggested a persistent and determined\r\nthreat actor with the likely objective of stealing valuable source code or tampering with the software supply chain,\r\nand they continued to exploit vulnerabilities in the company’s software while targeting other software makers.\r\nInfection timeline\r\nThe adversary demonstrated a high level of sophistication, employing advanced evasion techniques and\r\nintroducing SIGNBT malware for victim control. 
In addition, other malware found in memory included Lazarus’\r\nprominent LPEClient, a tool known for victim profiling and payload delivery that has previously been observed in\r\nattacks on defense contractors and the cryptocurrency industry.\r\nExecutive summary:\r\nA software vendor was compromised through the exploitation of another high-profile software.\r\nThe SIGNBT malware used in this attack employed a diverse infection chain and sophisticated techniques.\r\nLPEClient used in this attack was observed executing a range of targeted attacks associated with the\r\nLazarus group.\r\nFor more information, please contact: intelreports@kaspersky.com\r\nSIGNBT loader\r\nIn mid-July 2023, we detected a series of attacks on several victims who had been targeted through legitimate\r\nsecurity software designed to encrypt web communications using digital certificates. The exact method by which\r\nthis software was exploited to deliver the malware remains elusive. However, we identified post-exploitation\r\nactivity within the processes of the legitimate software. In one instance, while examining the memory of the\r\ncompromised security software from a victim’s system, we discovered the presence of the SIGNBT malware\r\naccompanied by a shellcode. This shellcode was responsible for launching a Windows executable file directly in\r\nmemory.\r\nThe actor uses various tactics to establish and maintain persistence on compromised systems. These include the\r\ncreation of a file called ualapi.dll in the system folder, which is automatically loaded by the spoolsv.exe process at\r\neach system boot. 
Additionally, in several instances, registry entries were recorded to execute legitimate files for\r\nthe purpose of malicious side-loading, further ensuring a resilient persistence mechanism.\r\nMethods for loading the final payload\r\nLeveraging the spoolsv.exe process for hijacking purposes is a long-standing strategy for Lazarus. Automatically\r\nloading the ualapi.dll file after each reboot is not a new technique for this actor. We have seen similar tactics used\r\nby the Gopuram malware in the past.\r\nThe malicious ualapi.dll file was developed using a public source code known as Shareaza Torrent Wizard. It\r\nfollows a typical Lazarus group approach of utilizing public source code as a foundation and injecting specific\r\nmalicious functions into it. This loader malware has a routine to verify the victim. It retrieves the victim’s\r\nMachineGuid by reading it from the Windows registry and then compares it with an embedded MachineGuid\r\nvalue. To access this embedded MachineGuid value, the malware locates the sequence “43 EB 8C BD 1D 98 3D\r\n14” and reads the DWORD immediately following it. Only if the victim’s MachineGuid matches the expected one\r\ndoes the malware proceed to the next step. The malware then reads the payload from a hard-coded file path and\r\ncontinues its malicious activities.\r\nPayload path: C:\\Windows\\system32\\config\\systemprofile\\appdata\\Local\\tw-100a-a00-e14d9.tmp\r\nThe loader process retrieves the first 32 bytes from tw-100a-a00-e14d9.tmp and uses this data as an AES\r\ndecryption key to decrypt the remaining contents. Once decrypted, the payload, a Windows executable identified\r\nas SIGNBT, is loaded directly into memory. 
In this case, the loaded payload also reads the configuration file from\r\nthe same path, but with a slightly different file name.\r\nConfig file: C:\\Windows\\system32\\config\\systemprofile\\appdata\\Local\\tw-100b-a00-e14d9.tmp\r\nInside this file is a base64-encoded string, mirroring the approach used in the previous SIGNBT malware method.\r\nThe first 32 characters of this string serve as the AES decryption key, while the subsequent data contains\r\nconfiguration information used by the malware. This decrypted configuration data includes details such as three\r\nC2 addresses, which are referred to as proxies, sleep intervals, version information, monitored targets, and various\r\nother parameters critical to the malware’s operation.\r\nSIGNBT\r\nThe majority of SIGNBT malware instances are launched through the malware loader, which operates exclusively\r\nin memory. Upon execution, the malware begins communicating with the C2 server by sending a beacon after\r\ninitialization of its configuration data. In its C2 communication, the malware uses distinctive strings that start with\r\nSIGNBT. This unique characteristic has earned it the designation of SIGNBT. In addition, the malware uses\r\ndifferent prefixes at each stage of its C2 operation to verify and maintain its activities.\r\nPrefix name Description\r\nSIGNBTLG Initial connection.\r\nSIGNBTKE Success – update the key and ask for a profiling process.\r\nSIGNBTGC Ask for commands.\r\nSIGNBTFI Operation failed.\r\nSIGNBTSR Operation success.\r\nThe malware employs a multi-step process to create a 24-byte value for various purposes. First, it generates this\r\nvalue with the following components:\r\n1. 8 bytes of hard-coded value (SIGNBTLG): this is a fixed part of the value and serves to validate the\r\nlegitimacy of the client’s connection.\r\n2. 
8 bytes from the MD5 hash of the hostname: the first 8 bytes of the MD5 hash of the victim’s\r\ncomputer name are included, helping to distinguish each victim.\r\n3. 8 bytes of randomly generated identifier: another 8 bytes are randomly generated, probably used for\r\nsession identifiers.\r\nAfter creating this 24-byte value, the malware generates an additional 24 bytes of random data. These two sets of\r\n24 bytes are then XORed together using another randomly generated 24-byte key. Subsequently, both the resulting\r\nvalue and the 24-byte key are encoded with base64. Finally, these encoded values are combined with either three\r\nor seven randomly generated HTTP parameter names. In all future C2 communications, the malware uses a\r\nsimilar structure, making it more challenging to detect and analyze its communications.\r\nStructure of HTTP POST data\r\nThe malware uses a mechanism to validate the response data received from the C2 server. Specifically, it checks to\r\nsee if the response data contains a hard-coded HTML script.\r\n\u003c!DOCTYPE html\u003e\u003chtml\u003e\u003chead\u003e\u003c/head\u003e\u003cbody marginwidth=\"0\" marginheight=\"0\"\r\nstyle=\"background-color:transparent\"\u003e\u003cscript\u003e\r\n[delivered data]\r\n\u003c/script\u003e\u003c/body\u003e\u003c/html\u003e\r\nDuring the validation process, the malware decodes the first 12 bytes from the C2 server using base64, replacing\r\nthe spaces with plus signs to create a seven-character string. This process is then repeated with the next 12 bytes.\r\nThe first seven characters from each set are then XORed and compared to the “success” string. 
This repetitive\r\nprocedure is applied to every HTTP communication sequence to verify that the response aligns with the expected\r\n“success” criterion.\r\nNext, the malware sends HTTP requests with the SIGNBTKE header, and if it receives a “success” message from\r\nthe C2 server, it activates the getInfo function within the CCBrush class. This function gathers various information\r\nabout the victim’s computer, such as computer name, product name, OS details, system uptime, CPU information,\r\nsystem locale, time zone, network status, and malware configuration data. After sending this system-specific\r\ninformation, the malware sends another HTTP request with the SIGNBTGC prefix, this time using a randomly\r\nchosen embedded HTTP parameter from a list of 100 possible parameter names.\r\nclient, output, h, slotname, adk, adf, pi, w, format, url, ea, flash, tt_state, dt, bpp,\r\nbdt, idt, shv, ptt, saldr, frm, ife, pv, ga_vid, ga_sid, ga_hid, ga_fc, nhd, u_tz, u_his,\r\nu_java, u_h, u_w, u_ah, u_aw, u_cd, u_nplug, u_nmime, adx, ady, biw, bih, isw, ish, ifk,\r\nscr_x, scr_y, eid, oid, pvsid, pem, loc, eae, brdim, vis, rsz, abl, pfx, fu, bc, ifi, uci,\r\nfsb, dtd, atyp, ei, s, t, bl, imn, ima, imad, aftp, adh, conn, ime, imex, imeh, imea,\r\nimeb, wh, scp, net, mem, sto, sys, rt, zx, su, tb, calp, rui, u, XU, TREX, UID, SID, dr,\r\nXDR, dt\r\nThe data received from the C2 server is decrypted using AES with a decryption key obtained from a SIGNBTLG\r\nHTTP request. If the decrypted data is “keep”, the malware responds with an “OK” message using the SIGNBTSR\r\nprefix, indicating a successful communication. If there are problems, the malware uses the SIGNBTFI prefix to\r\nconvey the nature of the problem or failure in communication. 
To summarize, the C2 communication process can\r\nbe described as follows:\r\nC2 communication process\r\nIf the delivered data does not equal “keep”, indicating that specific instructions or actions are required, the\r\nmalware proceeds to invoke the corresponding class and function for backdoor behavior. The SIGNBT malware is\r\nequipped with an extensive set of functionalities designed to exert control over the victim’s system. To perform\r\nthese functions, the malware receives instructions from the C2 server in the form of a class name, function name,\r\nand any necessary parameters. It then executes the relevant function embedded in the malware’s codebase.\r\nClass name Function name\r\nCCBrush getInfo, testConnect, setSleep, setHibernate, sendConfig, setConfig\r\nCCList getProcessList, processKill, runFile, runAsUser, injectDll, freeDll\r\nCCComboBox\r\ngetDriveList, getFileDir, changeFileTime, secDelete, folderProperty, changeFileName,\r\nmakeNewFolder\r\nCCButton startDownload, upFile, selfMemload, scrCapture\r\nCCBitmap\r\nping, netshAdvfirewall, netstat, reg, sc, whoami, arp, nslookup, systeminfo, ipconfig, net,\r\nver, wmic, deploy, copy\r\nThe name of each backdoor command is straightforward, implementing commonly used Windows commands\r\nsuch as ping, netstat, and systeminfo. It’s important to note that the backdoor is capable of implanting an\r\nadditional payload for auto execution, internally named “deploy”. This backdoor function receives file paths via\r\ncommand-line arguments decrypted with AES. Using this command, SIGNBT has been observed to implant the\r\nphantom DLL we already described in the SIGNBT loader section above.\r\nBased on the analysis, it is evident that the actor’s initial compromise of the victim involved exploiting\r\nvulnerabilities within the legitimate software. 
They then proceeded to deploy the SIGNBT malware using a DLL\r\nside-loading technique. Furthermore, the actor used the backdoor capability “deploy” to implant an additional\r\npayload for automated execution. This multifaceted attack demonstrates a high level of sophistication and a\r\ndeliberate effort to infiltrate and maintain control over the victim’s system.\r\nLPEClient\r\nUsing the comprehensive backdoor as described above, the actor deploys additional malware in the victim’s\r\nmemory. Notably, these newly delivered malware variants predominantly execute in the system’s memory only,\r\nwithout touching the disk. Based on our telemetry, the actor has been observed to deliver such tools as LPEClient\r\nand credential dumping utilities to the victim machines.\r\nAdditional payload delivered by SIGNBT\r\nThe LPEClient malware is not new and was first discovered during an investigation of a defense contractor attack\r\nin 2020. It is designed to collect victim information and download additional payloads from a remote server to run\r\nin memory. Although it has been previously noted in our threat intelligence reports to our customers, recent\r\ndiscoveries indicate that LPEClient has undergone significant evolution. It now employs advanced techniques to\r\nimprove its stealth and avoid detection, such as disabling user-mode syscall hooking and restoring system library\r\nmemory sections. This indicates a continued effort by the threat actors to increase the sophistication and\r\neffectiveness of their malware.\r\nConnections with other campaigns\r\nOne of the malware strains employed in this attack, known as LPEClient, has featured prominently in recent\r\nactivity attributed to the Lazarus group. This particular malware consistently serves as the initial infection vector,\r\nenabling victim profiling and facilitating the delivery of additional payloads. 
Over an extended period of time, one\r\nof these campaigns specifically targeted defense contractors and nuclear engineers. In a recent incident, the threat\r\nactor compromised a victim by delivering LPEClient via a Trojanized VNC or Putty client for an intermediate\r\ninfection. Another campaign targeting the cryptocurrency industry was discovered in July 2023. In this financially\r\nmotivated campaign, the actor leveraged the Gopuram malware, associated with the 3CX supply chain attack.\r\nInterestingly, the actor also used LPEClient malware in this case. Prior to the introduction of the Gopuram cluster,\r\nLPEClient was used to deliver the subsequent malware. These three campaigns attributed to Lazarus in 2023\r\nillustrate different initial infection vectors and infection chains, but they consistently relied on LPEClient malware\r\nto deliver the final payload.\r\nThe infection chains of the three campaigns attributed to Lazarus in 2023\r\nConclusions\r\nThe Lazarus group remains a highly active and versatile threat actor in today’s cybersecurity landscape. The threat\r\nactor has demonstrated a profound understanding of IT environments, refining their tactics to include exploiting\r\nvulnerabilities in high-profile software. This approach allows them to efficiently spread their malware once initial\r\ninfections are achieved. Moreover, the activities of this notorious actor transcend geographic boundaries and\r\nindustry sectors. They have targeted various industries, each with distinct objectives and using different tools,\r\ntactics and techniques. 
This underscores their recent and ongoing activity characterized by sophisticated methods\r\nand unwavering motivations.\r\nIndicators of Compromise\r\nSIGNBT loader\r\n9cd90dff2d9d56654dbecdcd409e1ef3         %system%\\ualapi.dll\r\n88a96f8730b35c7406d57f23bbba734d        %system%\\ualapi.dll\r\n54df2984e833ba2854de670cce43b823       %system%\\ualapi.dll\r\nAe00b0f490b122ebab614d98bb2361f7          %system%\\ualapi.dll\r\ne6fa116ef2705ecf9677021e5e2f691e\r\n31af3e7fff79bc48a99b8679ea74b589           C:\\GoogleD\\Coding\\JS\\Node\\winhttp.dll\r\nSIGNBT\r\n9b62352851c9f82157d1d7fcafeb49d3\r\nLPEClient\r\n3a77b5054c36e6812f07366fb70b007d       %system%\\wbem\\wbemcomn.dll\r\nE89fa6345d06da32f9c8786b65111928 %ProgramData%\\Microsoft\\Windows\\ServiceSetting\\ESENT.dll\r\nFile path\r\nC:\\GoogleD\\Coding\\JS\\Node\\SgrmLpac.exe\r\nC:\\GoogleD\\Coding\\JS\\Node\\winhttp.dll\r\nC:\\Windows\\system32\\config\\systemprofile\\appdata\\Local\\tw-100a-a00-e14d9.tmp\r\nC:\\Windows\\system32\\config\\systemprofile\\appdata\\Local\\tw-100b-a00-e14d9.tmp\r\nC:\\ProgramData\\ntuser.008.dat\r\nC:\\ProgramData\\ntuser.009.dat\r\nC:\\ProgramData\\ntuser.001.dat\r\nC:\\ProgramData\\ntuser.002.dat\r\nC:\\ProgramData\\Microsoft\\Windows\\ServiceSetting\\ESENT.dll\r\nC2 
servers\r\nhxxp://ictm[.]or[.]kr/UPLOAD_file/board/free/edit/index[.]php\r\nhxxp://samwoosystem[.]co[.]kr/board/list/write[.]asp\r\nhxxp://theorigin[.]co[.]kr:443/admin/management/index[.]php\r\nhxxp://ucware[.]net/skins/PHPMailer-master/index[.]php\r\nhxxp://www[.]friendmc[.]com/upload/board/asp20062107[.]asp\r\nhxxp://www[.]hankooktop[.]com/ko/company/info[.]asp\r\nhxxp://www[.]khmcpharm[.]com/Lib/Modules/HtmlEditor/Util/read[.]cer\r\nhxxp://www[.]vietjetairkorea[.]com/INFO/info[.]asp\r\nhxxp://yoohannet[.]kr/min/tmp/process/proc[.]php\r\nhxxps://admin[.]esangedu[.]kr/XPaySample/submit[.]php\r\nhxxps://api[.]shw[.]kr/login_admin/member/login_fail[.]php\r\nhxxps://hicar[.]kalo[.]kr/data/rental/Coupon/include/inc[.]asp\r\nhxxps://hspje[.]com:80/menu6/teacher_qna[.]asp\r\nhxxps://kscmfs[.]or[.]kr/member/handle/log_proc[.]php\r\nhxxps://kstr[.]radiology[.]or[.]kr/upload/schedule/29431_1687715624[.]inc\r\nhxxps://little-pet[.]com/web/board/skin/default/read[.]php\r\nhxxps://mainbiz[.]or[.]kr/SmartEditor2/photo_uploader/popup/edit[.]asp\r\nhxxps://mainbiz[.]or[.]kr/include/common[.]asp\r\nhxxps://new-q-cells[.]com/upload/newsletter/cn/frame[.]php\r\nhxxps://pediatrics[.]or[.]kr/PubReader/build_css[.]php\r\nhxxps://pms[.]nninc[.]co[.]kr/app/content/board/inc_list[.]asp\r\nhxxps://safemotors[.]co[.]kr/daumeditor/pages/template/template[.]asp\r\nhxxps://swt-keystonevalve[.]com/data/editor/index[.]php\r\nhxxps://vnfmal2022[.]com/niabbs5/upload/gongji/index[.]php\r\nhxxps://warevalley[.]com/en/common/include/page_tab[.]asp\r\nhxxps://www[.]blastedlevels[.]com/levels4SqR8/measure[.]asp\r\nhxxps://www[.]droof[.]kr/Board/htmlEdit/PopupWin/Editor[.]asp\r\nhxxps://www[.]friendmc[.]com:80/upload/board/asp20062107[.]asp\r\nhxxps://www[.]hanlasangjo[.]com/editor/pages/page[.]asp\r\nhxxps://www[.]happinesscc[.]com/mobile/include/func[.]asp\r\nhxxps://www[.]healthpro[.]or[.]kr/upload/naver_editor/subview/view[.]inc\r\nhxxps://www[.]medric[.]or[.]kr/Controls/Board/certificate[.]cer\r\nhxxps://www[.]muijae[.]com/daumeditor/pages/template/simple[.]asp\r\nhxxps://www[.]muijae[.]com/daumeditor/pages/template/template[.]asp\r\nhxxps://www[.]nonstopexpress[.]com/community/include/index[.]asp\r\nhxxps://www[.]seoulanesthesia[.]or[.]kr/mail/mail_211230[.]html\r\nhxxps://www[.]seouldementia[.]or[.]kr/_manage/inc/bbs/jiyeuk1_ok[.]asp\r\nhxxps://www[.]siriuskorea[.]co[.]kr/mall/community/bbs_read[.]asp\r\nhxxps://yoohannet[.]kr/min/tmp/process/proc[.]php\r\nMITRE ATT\u0026CK Mapping\r\nTactic Techniques\r\nInitial Access T1189\r\nExecution T1203\r\nPersistence T1547.012, T1574.002\r\nPrivilege Escalation T1547.012\r\nDefense Evasion T1140, T1574.002, T1027.001, T1027.002, T1620\r\nCredential Access T1003.001\r\nDiscovery T1057, T1082, T1083\r\nCollection T1113\r\nCommand and Control T1071.001, T1132.002, T1573.001\r\nExfiltration T1041\r\nSource: https://securelist.com/unveiling-lazarus-new-campaign/110888/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA",
		"Malpedia"
	],
	"references": [
		"https://securelist.com/unveiling-lazarus-new-campaign/110888/"
	],
	"report_names": [
		"110888"
	],
	"threat_actors": [
		{
			"id": "34eea331-d052-4096-ae03-a22f1d090bd4",
			"created_at": "2025-08-07T02:03:25.073494Z",
			"updated_at": "2026-04-10T02:00:03.709243Z",
			"deleted_at": null,
			"main_name": "NICKEL ACADEMY",
			"aliases": [
				"ATK3 ",
				"Black Artemis ",
				"COVELLITE ",
				"CTG-2460 ",
				"Citrine Sleet ",
				"Diamond Sleet ",
				"Guardians of Peace",
				"HIDDEN COBRA ",
				"High Anonymous",
				"Labyrinth Chollima ",
				"Lazarus Group ",
				"NNPT Group",
				"New Romanic Cyber Army Team",
				"Temp.Hermit ",
				"UNC577 ",
				"Who Am I?",
				"Whois Team",
				"ZINC "
			],
			"source_name": "Secureworks:NICKEL ACADEMY",
			"tools": [
				"Destover",
				"KorHigh",
				"Volgmer"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "77b28afd-8187-4917-a453-1d5a279cb5e4",
			"created_at": "2022-10-25T15:50:23.768278Z",
			"updated_at": "2026-04-10T02:00:05.266635Z",
			"deleted_at": null,
			"main_name": "Inception",
			"aliases": [
				"Inception Framework",
				"Cloud Atlas"
			],
			"source_name": "MITRE:Inception",
			"tools": [
				"PowerShower",
				"VBShower",
				"LaZagne"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "04a7ebaa-ebb1-4971-b513-a0c86886d932",
			"created_at": "2023-01-06T13:46:38.784965Z",
			"updated_at": "2026-04-10T02:00:03.099088Z",
			"deleted_at": null,
			"main_name": "Inception Framework",
			"aliases": [
				"Clean Ursa",
				"Cloud Atlas",
				"G0100",
				"ATK116",
				"Blue Odin"
			],
			"source_name": "MISPGALAXY:Inception Framework",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "f35997d9-ca1e-453f-b968-0e675cc16d97",
			"created_at": "2023-01-06T13:46:39.490819Z",
			"updated_at": "2026-04-10T02:00:03.345364Z",
			"deleted_at": null,
			"main_name": "Evasive Panda",
			"aliases": [
				"BRONZE HIGHLAND"
			],
			"source_name": "MISPGALAXY:Evasive Panda",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "b69037ec-2605-4de4-bb32-a20d780a8406",
			"created_at": "2023-01-06T13:46:38.790766Z",
			"updated_at": "2026-04-10T02:00:03.101635Z",
			"deleted_at": null,
			"main_name": "MUSTANG PANDA",
			"aliases": [
				"Stately Taurus",
				"LuminousMoth",
				"TANTALUM",
				"Twill Typhoon",
				"TEMP.HEX",
				"Earth Preta",
				"Polaris",
				"BRONZE PRESIDENT",
				"HoneyMyte",
				"Red Lich",
				"TA416"
			],
			"source_name": "MISPGALAXY:MUSTANG PANDA",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "05cb998c-6e81-47f0-9806-ee4fda72fe0a",
			"created_at": "2024-11-01T02:00:52.763555Z",
			"updated_at": "2026-04-10T02:00:05.263997Z",
			"deleted_at": null,
			"main_name": "Daggerfly",
			"aliases": [
				"Daggerfly",
				"Evasive Panda",
				"BRONZE HIGHLAND"
			],
			"source_name": "MITRE:Daggerfly",
			"tools": [
				"PlugX",
				"MgBot",
				"BITSAdmin",
				"MacMa",
				"Nightdoor"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "812f36f8-e82b-41b6-b9ec-0d23ab0ad6b7",
			"created_at": "2023-01-06T13:46:39.413725Z",
			"updated_at": "2026-04-10T02:00:03.31882Z",
			"deleted_at": null,
			"main_name": "BRONZE HIGHLAND",
			"aliases": [
				"Evasive Panda",
				"Daggerfly"
			],
			"source_name": "MISPGALAXY:BRONZE HIGHLAND",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "732597b1-40a8-474c-88cc-eb8a421c29f1",
			"created_at": "2025-08-07T02:03:25.087732Z",
			"updated_at": "2026-04-10T02:00:03.776007Z",
			"deleted_at": null,
			"main_name": "NICKEL GLADSTONE",
			"aliases": [
				"APT38 ",
				"ATK 117 ",
				"Alluring Pisces ",
				"Black Alicanto ",
				"Bluenoroff ",
				"CTG-6459 ",
				"Citrine Sleet ",
				"HIDDEN COBRA ",
				"Lazarus Group",
				"Sapphire Sleet ",
				"Selective Pisces ",
				"Stardust Chollima ",
				"T-APT-15 ",
				"TA444 ",
				"TAG-71 "
			],
			"source_name": "Secureworks:NICKEL GLADSTONE",
			"tools": [
				"AlphaNC",
				"Bankshot",
				"CCGC_Proxy",
				"Ratankba",
				"RustBucket",
				"SUGARLOADER",
				"SwiftLoader",
				"Wcry"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "6daadf00-952c-408a-89be-aa490d891743",
			"created_at": "2025-08-07T02:03:24.654882Z",
			"updated_at": "2026-04-10T02:00:03.645565Z",
			"deleted_at": null,
			"main_name": "BRONZE PRESIDENT",
			"aliases": [
				"Earth Preta ",
				"HoneyMyte ",
				"Mustang Panda ",
				"Red Delta ",
				"Red Lich ",
				"Stately Taurus ",
				"TA416 ",
				"Temp.Hex ",
				"Twill Typhoon "
			],
			"source_name": "Secureworks:BRONZE PRESIDENT",
			"tools": [
				"BlueShell",
				"China Chopper",
				"Claimloader",
				"Cobalt Strike",
				"HIUPAN",
				"ORat",
				"PTSOCKET",
				"PUBLOAD",
				"PlugX",
				"RCSession",
				"TONESHELL",
				"TinyNote"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "a2b92056-9378-4749-926b-7e10c4500dac",
			"created_at": "2023-01-06T13:46:38.430595Z",
			"updated_at": "2026-04-10T02:00:02.971571Z",
			"deleted_at": null,
			"main_name": "Lazarus Group",
			"aliases": [
				"Operation DarkSeoul",
				"Bureau 121",
				"Group 77",
				"APT38",
				"NICKEL GLADSTONE",
				"G0082",
				"COPERNICIUM",
				"Moonstone Sleet",
				"Operation GhostSecret",
				"APT 38",
				"Appleworm",
				"Unit 121",
				"ATK3",
				"G0032",
				"ATK117",
				"NewRomanic Cyber Army Team",
				"Nickel Academy",
				"Sapphire Sleet",
				"Lazarus group",
				"Hastati Group",
				"Subgroup: Bluenoroff",
				"Operation Troy",
				"Black Artemis",
				"Dark Seoul",
				"Andariel",
				"Labyrinth Chollima",
				"Operation AppleJeus",
				"COVELLITE",
				"Citrine Sleet",
				"DEV-0139",
				"DEV-1222",
				"Hidden Cobra",
				"Bluenoroff",
				"Stardust Chollima",
				"Whois Hacking Team",
				"Diamond Sleet",
				"TA404",
				"BeagleBoyz",
				"APT-C-26"
			],
			"source_name": "MISPGALAXY:Lazarus Group",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "32a223a8-3c79-4146-87c5-8557d38662ae",
			"created_at": "2022-10-25T15:50:23.703698Z",
			"updated_at": "2026-04-10T02:00:05.261989Z",
			"deleted_at": null,
			"main_name": "Lazarus Group",
			"aliases": [
				"Lazarus Group",
				"Labyrinth Chollima",
				"HIDDEN COBRA",
				"Guardians of Peace",
				"NICKEL ACADEMY",
				"Diamond Sleet"
			],
			"source_name": "MITRE:Lazarus Group",
			"tools": [
				"RawDisk",
				"Proxysvc",
				"BADCALL",
				"FALLCHILL",
				"WannaCry",
				"MagicRAT",
				"HOPLIGHT",
				"TYPEFRAME",
				"Dtrack",
				"HotCroissant",
				"HARDRAIN",
				"Dacls",
				"KEYMARBLE",
				"TAINTEDSCRIBE",
				"AuditCred",
				"netsh",
				"ECCENTRICBANDWAGON",
				"AppleJeus",
				"BLINDINGCAN",
				"ThreatNeedle",
				"Volgmer",
				"Cryptoistic",
				"RATANKBA",
				"Bankshot"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "19ac84cc-bb2d-4e0c-ace0-5a7659d89ac7",
			"created_at": "2022-10-25T16:07:23.422755Z",
			"updated_at": "2026-04-10T02:00:04.592069Z",
			"deleted_at": null,
			"main_name": "Bronze Highland",
			"aliases": [
				"Daggerfly",
				"Digging Taurus",
				"Evasive Panda",
				"Storm Cloud",
				"StormBamboo",
				"TAG-102",
				"TAG-112"
			],
			"source_name": "ETDA:Bronze Highland",
			"tools": [
				"Agentemis",
				"CDDS",
				"CloudScout",
				"Cobalt Strike",
				"CobaltStrike",
				"DazzleSpy",
				"KsRemote",
				"LOLBAS",
				"LOLBins",
				"Living off the Land",
				"MacMa",
				"Macma",
				"MgBot",
				"Mgmbot",
				"NetMM",
				"Nightdoor",
				"OSX.CDDS",
				"POCOSTICK",
				"RELOADEXT",
				"Suzafk",
				"cobeacon"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "9baa7519-772a-4862-b412-6f0463691b89",
			"created_at": "2022-10-25T15:50:23.354429Z",
			"updated_at": "2026-04-10T02:00:05.310361Z",
			"deleted_at": null,
			"main_name": "Mustang Panda",
			"aliases": [
				"Mustang Panda",
				"TA416",
				"RedDelta",
				"BRONZE PRESIDENT",
				"STATELY TAURUS",
				"FIREANT",
				"CAMARO DRAGON",
				"EARTH PRETA",
				"HIVE0154",
				"TWILL TYPHOON",
				"TANTALUM",
				"LUMINOUS MOTH",
				"UNC6384",
				"TEMP.Hex",
				"Red Lich"
			],
			"source_name": "MITRE:Mustang Panda",
			"tools": [
				"CANONSTAGER",
				"STATICPLUGIN",
				"ShadowPad",
				"TONESHELL",
				"Cobalt Strike",
				"HIUPAN",
				"Impacket",
				"SplatCloak",
				"PAKLOG",
				"Wevtutil",
				"AdFind",
				"CLAIMLOADER",
				"Mimikatz",
				"PUBLOAD",
				"StarProxy",
				"CorKLOG",
				"RCSession",
				"NBTscan",
				"PoisonIvy",
				"SplatDropper",
				"China Chopper",
				"PlugX"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "4f7d2815-7504-4818-bf8d-bba18161b111",
			"created_at": "2025-08-07T02:03:24.613342Z",
			"updated_at": "2026-04-10T02:00:03.732192Z",
			"deleted_at": null,
			"main_name": "BRONZE HIGHLAND",
			"aliases": [
				"Daggerfly",
				"Daggerfly ",
				"Evasive Panda ",
				"Evasive Panda ",
				"Storm Bamboo "
			],
			"source_name": "Secureworks:BRONZE HIGHLAND",
			"tools": [
				"Cobalt Strike",
				"KsRemote",
				"Macma",
				"MgBot",
				"Nightdoor",
				"PlugX"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "02c9f3f6-5d10-456b-9e63-750286048149",
			"created_at": "2022-10-25T16:07:23.722884Z",
			"updated_at": "2026-04-10T02:00:04.72726Z",
			"deleted_at": null,
			"main_name": "Inception Framework",
			"aliases": [
				"ATK 116",
				"Blue Odin",
				"Clean Ursa",
				"Cloud Atlas",
				"G0100",
				"Inception Framework",
				"Operation Cloud Atlas",
				"Operation RedOctober",
				"The Rocra"
			],
			"source_name": "ETDA:Inception Framework",
			"tools": [
				"Lastacloud",
				"PowerShower",
				"VBShower"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "2ee03999-5432-4a65-a850-c543b4fefc3d",
			"created_at": "2022-10-25T16:07:23.882813Z",
			"updated_at": "2026-04-10T02:00:04.776949Z",
			"deleted_at": null,
			"main_name": "Mustang Panda",
			"aliases": [
				"Bronze President",
				"Camaro Dragon",
				"Earth Preta",
				"G0129",
				"Hive0154",
				"HoneyMyte",
				"Mustang Panda",
				"Operation SMUGX",
				"Operation SmugX",
				"PKPLUG",
				"Red Lich",
				"Stately Taurus",
				"TEMP.Hex",
				"Twill Typhoon"
			],
			"source_name": "ETDA:Mustang Panda",
			"tools": [
				"9002 RAT",
				"AdFind",
				"Agent.dhwf",
				"Agentemis",
				"CHINACHOPPER",
				"China Chopper",
				"Chymine",
				"ClaimLoader",
				"Cobalt Strike",
				"CobaltStrike",
				"DCSync",
				"DOPLUGS",
				"Darkmoon",
				"Destroy RAT",
				"DestroyRAT",
				"Farseer",
				"Gen:Trojan.Heur.PT",
				"HOMEUNIX",
				"Hdump",
				"HenBox",
				"HidraQ",
				"Hodur",
				"Homux",
				"HopperTick",
				"Hydraq",
				"Impacket",
				"Kaba",
				"Korplug",
				"LadonGo",
				"MQsTTang",
				"McRAT",
				"MdmBot",
				"Mimikatz",
				"NBTscan",
				"NetSess",
				"Netview",
				"Orat",
				"POISONPLUG.SHADOW",
				"PUBLOAD",
				"PVE Find AD Users",
				"PlugX",
				"Poison Ivy",
				"PowerView",
				"QMAGENT",
				"RCSession",
				"RedDelta",
				"Roarur",
				"SPIVY",
				"ShadowPad Winnti",
				"SinoChopper",
				"Sogu",
				"TIGERPLUG",
				"TONEINS",
				"TONESHELL",
				"TVT",
				"TeamViewer",
				"Thoper",
				"TinyNote",
				"WispRider",
				"WmiExec",
				"XShellGhost",
				"Xamtrav",
				"Zupdax",
				"cobeacon",
				"nbtscan",
				"nmap",
				"pivy",
				"poisonivy"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "f32df445-9fb4-4234-99e0-3561f6498e4e",
			"created_at": "2022-10-25T16:07:23.756373Z",
			"updated_at": "2026-04-10T02:00:04.739611Z",
			"deleted_at": null,
			"main_name": "Lazarus Group",
			"aliases": [
				"APT-C-26",
				"ATK 3",
				"Appleworm",
				"Citrine Sleet",
				"DEV-0139",
				"Diamond Sleet",
				"G0032",
				"Gleaming Pisces",
				"Gods Apostles",
				"Gods Disciples",
				"Group 77",
				"Guardians of Peace",
				"Hastati Group",
				"Hidden Cobra",
				"ITG03",
				"Jade Sleet",
				"Labyrinth Chollima",
				"Lazarus Group",
				"NewRomanic Cyber Army Team",
				"Operation 99",
				"Operation AppleJeus",
				"Operation AppleJeus sequel",
				"Operation Blockbuster: Breach of Sony Pictures Entertainment",
				"Operation CryptoCore",
				"Operation Dream Job",
				"Operation Dream Magic",
				"Operation Flame",
				"Operation GhostSecret",
				"Operation In(ter)caption",
				"Operation LolZarus",
				"Operation Marstech Mayhem",
				"Operation No Pineapple!",
				"Operation North Star",
				"Operation Phantom Circuit",
				"Operation Sharpshooter",
				"Operation SyncHole",
				"Operation Ten Days of Rain / DarkSeoul",
				"Operation Troy",
				"SectorA01",
				"Slow Pisces",
				"TA404",
				"TraderTraitor",
				"UNC2970",
				"UNC4034",
				"UNC4736",
				"UNC4899",
				"UNC577",
				"Whois Hacking Team"
			],
			"source_name": "ETDA:Lazarus Group",
			"tools": [
				"3CX Backdoor",
				"3Rat Client",
				"3proxy",
				"AIRDRY",
				"ARTFULPIE",
				"ATMDtrack",
				"AlphaNC",
				"Alreay",
				"Andaratm",
				"AngryRebel",
				"AppleJeus",
				"Aryan",
				"AuditCred",
				"BADCALL",
				"BISTROMATH",
				"BLINDINGCAN",
				"BTC Changer",
				"BUFFETLINE",
				"BanSwift",
				"Bankshot",
				"Bitrep",
				"Bitsran",
				"BlindToad",
				"Bookcode",
				"BootWreck",
				"BottomLoader",
				"Brambul",
				"BravoNC",
				"Breut",
				"COLDCAT",
				"COPPERHEDGE",
				"CROWDEDFLOUNDER",
				"Castov",
				"CheeseTray",
				"CleanToad",
				"ClientTraficForwarder",
				"CollectionRAT",
				"Concealment Troy",
				"Contopee",
				"CookieTime",
				"Cyruslish",
				"DAVESHELL",
				"DBLL Dropper",
				"DLRAT",
				"DRATzarus",
				"DRATzarus RAT",
				"Dacls",
				"Dacls RAT",
				"DarkComet",
				"DarkKomet",
				"DeltaCharlie",
				"DeltaNC",
				"Dembr",
				"Destover",
				"DoublePulsar",
				"Dozer",
				"Dtrack",
				"Duuzer",
				"DyePack",
				"ECCENTRICBANDWAGON",
				"ELECTRICFISH",
				"Escad",
				"EternalBlue",
				"FALLCHILL",
				"FYNLOS",
				"FallChill RAT",
				"Farfli",
				"Fimlis",
				"FoggyBrass",
				"FudModule",
				"Fynloski",
				"Gh0st RAT",
				"Ghost RAT",
				"Gopuram",
				"HARDRAIN",
				"HIDDEN COBRA RAT/Worm",
				"HLOADER",
				"HOOKSHOT",
				"HOPLIGHT",
				"HOTCROISSANT",
				"HOTWAX",
				"HTTP Troy",
				"Hawup",
				"Hawup RAT",
				"Hermes",
				"HotCroissant",
				"HotelAlfa",
				"Hotwax",
				"HtDnDownLoader",
				"Http Dr0pper",
				"ICONICSTEALER",
				"Joanap",
				"Jokra",
				"KANDYKORN",
				"KEYMARBLE",
				"Kaos",
				"KillDisk",
				"KillMBR",
				"Koredos",
				"Krademok",
				"LIGHTSHIFT",
				"LIGHTSHOW",
				"LOLBAS",
				"LOLBins",
				"Lazarus",
				"LightlessCan",
				"Living off the Land",
				"MATA",
				"MBRkiller",
				"MagicRAT",
				"Manuscrypt",
				"Mimail",
				"Mimikatz",
				"Moudour",
				"Mydoom",
				"Mydoor",
				"Mytob",
				"NACHOCHEESE",
				"NachoCheese",
				"NestEgg",
				"NickelLoader",
				"NineRAT",
				"Novarg",
				"NukeSped",
				"OpBlockBuster",
				"PCRat",
				"PEBBLEDASH",
				"PLANKWALK",
				"POOLRAT",
				"PSLogger",
				"PhanDoor",
				"Plink",
				"PondRAT",
				"PowerBrace",
				"PowerRatankba",
				"PowerShell RAT",
				"PowerSpritz",
				"PowerTask",
				"Preft",
				"ProcDump",
				"Proxysvc",
				"PuTTY Link",
				"QUICKRIDE",
				"QUICKRIDE.POWER",
				"Quickcafe",
				"QuiteRAT",
				"R-C1",
				"ROptimizer",
				"Ratabanka",
				"RatabankaPOS",
				"Ratankba",
				"RatankbaPOS",
				"RawDisk",
				"RedShawl",
				"Rifdoor",
				"Rising Sun",
				"Romeo-CoreOne",
				"RomeoAlfa",
				"RomeoBravo",
				"RomeoCharlie",
				"RomeoCore",
				"RomeoDelta",
				"RomeoEcho",
				"RomeoFoxtrot",
				"RomeoGolf",
				"RomeoHotel",
				"RomeoMike",
				"RomeoNovember",
				"RomeoWhiskey",
				"Romeos",
				"RustBucket",
				"SHADYCAT",
				"SHARPKNOT",
				"SIGFLIP",
				"SIMPLESEA",
				"SLICKSHOES",
				"SORRYBRUTE",
				"SUDDENICON",
				"SUGARLOADER",
				"SheepRAT",
				"SierraAlfa",
				"SierraBravo",
				"SierraCharlie",
				"SierraJuliett-MikeOne",
				"SierraJuliett-MikeTwo",
				"SimpleTea",
				"SimplexTea",
				"SmallTiger",
				"Stunnel",
				"TAINTEDSCRIBE",
				"TAXHAUL",
				"TFlower",
				"TOUCHKEY",
				"TOUCHMOVE",
				"TOUCHSHIFT",
				"TOUCHSHOT",
				"TWOPENCE",
				"TYPEFRAME",
				"Tdrop",
				"Tdrop2",
				"ThreatNeedle",
				"Tiger RAT",
				"TigerRAT",
				"Trojan Manuscript",
				"Troy",
				"TroyRAT",
				"VEILEDSIGNAL",
				"VHD",
				"VHD Ransomware",
				"VIVACIOUSGIFT",
				"VSingle",
				"ValeforBeta",
				"Volgmer",
				"Vyveva",
				"W1_RAT",
				"Wana Decrypt0r",
				"WanaCry",
				"WanaCrypt",
				"WanaCrypt0r",
				"WannaCry",
				"WannaCrypt",
				"WannaCryptor",
				"WbBot",
				"Wcry",
				"Win32/KillDisk.NBB",
				"Win32/KillDisk.NBC",
				"Win32/KillDisk.NBD",
				"Win32/KillDisk.NBH",
				"Win32/KillDisk.NBI",
				"WinorDLL64",
				"Winsec",
				"WolfRAT",
				"Wormhole",
				"YamaBot",
				"Yort",
				"ZetaNile",
				"concealment_troy",
				"http_troy",
				"httpdr0pper",
				"httpdropper",
				"klovbot",
				"sRDI"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434343,
	"ts_updated_at": 1775792299,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/a09d995579ea00e584c36136d2705ce683a64056.pdf",
		"text": "https://archive.orkl.eu/a09d995579ea00e584c36136d2705ce683a64056.txt",
		"img": "https://archive.orkl.eu/a09d995579ea00e584c36136d2705ce683a64056.jpg"
	}
}