{
	"id": "837e8453-fb42-4782-aeba-a459595338b1",
	"created_at": "2026-04-06T00:07:54.79088Z",
	"updated_at": "2026-04-10T03:38:18.988677Z",
	"deleted_at": null,
	"sha1_hash": "a68b93b9ad31b1fcf731a1f5c3e77682dd54a143",
	"title": "APT Lazarus: Eager Crypto Beavers, Video calls and Games | Group-IB Blog",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 159513,
	"plain_text": "Sharmine Low\r\nMalware Analyst, APAC\r\nAPT Lazarus: Eager Crypto Beavers, Video calls and Games\r\nExplore the growing threats posed by the Lazarus Group's financially-driven campaign against developers. We will examine their recent Python scripts, including the CivetQ and BeaverTail malware variants, along with their updated versions in Windows and Python releases. Additionally, we will analyze their tactics, techniques, and indicators of compromise.\r\nSeptember 4, 2024 · Advanced Persistent Threats\r\nhttps://www.group-ib.com/blog/apt-lazarus-python-scripts/\r\nPage 1 of 25\n\nLazarus APT Malware analysis Python Scripts Threat Intelligence\r\nIntroduction\r\nLazarus is definitely going full steam ahead this year with their cyber campaign. Beaver fever has continued into 2024 with the Lazarus-led Contagious Interview campaign still creating all sorts of mayhem. This campaign begins with a fictitious job interview, tricking job-seekers into downloading and running a Node.js project which contains the BeaverTail malware, which in turn delivers the Python backdoor known as InvisibleFerret. BeaverTail was first discovered by PANW researchers as JavaScript malware in November 2023, but recently a native macOS version of BeaverTail was discovered in July 2024.\r\nGroup-IB researchers spotted a fraudulent Windows video conferencing application impersonating a legitimate application in mid-August 2024, which has been identified as BeaverTail after analysis. During the course of our research, we have also found additional malicious repositories newly hosted on code sharing platforms that are related to Lazarus malware. We have also discovered a Python version of BeaverTail featuring more capabilities. 
In this blog, we will burrow deeper into the versions of BeaverTail, their updated toolset, and shed further insights on their tactics, techniques, and procedures (TTPs) and infrastructure, and finally consolidate some of the Indicators of Compromise (IOCs) that we uncovered.\r\nKey Findings\r\nDiscovery of a different fraudulent video conferencing application dubbed “FCCCall” that mimics a legitimate video conferencing application, which is used as part of an attack chain.\r\nClassification of a new suite of Python scripts as CivetQ.\r\nAside from LinkedIn, they also reached out to victims using other job search platforms, and attempted to continue the conversation via Telegram.\r\nAll tools are in active development, with code updates observed between the binaries found in July and August 2024. Updates were also made to BeaverTail (JavaScript) and InvisibleFerret.\r\nTelegram was added as an additional data exfiltration method.\r\nBeaverTail (Python) configures AnyDesk for Unattended Access.\r\nTrojanizing Node.js-based web games projects.\r\nImplementation of stealthier ways to obscure malicious code.\r\nExpanded scope of targeted browser extensions and data including Authenticator, WinAuth, Proxifier, password managers, note-taking applications, and cryptocurrency wallets.\r\nTargeting victims through job portals\r\nLazarus has become more creative in their approach to targeting blockchain professionals. In addition to LinkedIn, Lazarus is also actively searching for potential victims on other job search platforms such as WWR, Moonlight, Upwork, and others. 
After making initial contact, they would often attempt to move the conversation onto Telegram, where they would then ask the potential interviewees to download a video conferencing application, or a Node.js project, to perform a technical task as part of the interview process.\r\nIn addition to their usual focus on cryptocurrency-related repositories to lure professionals seeking employment, they have recently begun injecting the malicious JavaScript into gaming-related repositories using similar tactics. Aside from their usual deception of asking victims to download malicious software under the guise of a review or analysis task, Lazarus also employs fraudulent video conferencing applications as an alternative method.\r\nFigure 1: Chain of events leading to compromise.\r\nThe FCCCall file is a video conferencing application installer, possibly downloaded from hxxp://freeconference[.]io, a cloned website of the legitimate business. Using Group-IB’s Graph Network Analysis, we noticed that the SSL certificate for the cloned website was created very recently on 2 August 2024, and that it uses the same registrar as the fictitious mirotalk[.]net website which distributed the fraudulent MiroTalk application discussed in earlier research.\r\nFigure 2: Screenshot of the cloned website.\r\nFigure 3: Group-IB Graph Network Analysis depicting the overlapping features of the two domains.\r\nTechnical Details\r\nBeaverTail – Windows\r\nBeaverTail arrives in the form of a Windows Installer file, which installs a fake video conferencing application named FCCCall. This malware originated around July 2024 alongside the MiroTalk application. 
The three FCCCall executables were created fairly recently in 2024: one on 19 July at 01:23:32 (HH:MM:SS), another on 8 August at 03:34:43, and the most recent one on 16 August at 14:30:10, each with minor improvements over the previous one.\r\nThe application is developed using Qt6, which supports cross-compilation for both macOS and Windows platforms. Qt6 facilitates the development and deployment of applications across multiple operating systems. The macOS version was found the day after the Windows Installer FCCCall.msi was uploaded.\r\nFigure 4: Screenshot of the FCCCall Installer.\r\nUpon launching the installed application, the victim is presented with a screen that loads the legitimate URL inside a widget, asking for a meeting access code. This deceptive interface lulls the victims into a false sense of security, while the malicious processes run in the background.\r\nFigure 5: Screen displayed upon launching of the executable.\r\nThe core functionality of BeaverTail remains unchanged: it exfiltrates credentials from browsers, and data from cryptocurrency wallet browser extensions. It then downloads and executes the Python executable and the next-stage payload, InvisibleFerret. Both BeaverTail and InvisibleFerret are still actively being developed, with minor code changes observed between the versions found in July and August 2024.\r\nThis binary executable version of BeaverTail collects all the data at once, copying the targeted files into a newly created folder `[homepath]/.n3/`. 
It then sends them using the multipart/form-data MIME type to the `https://[C2]:1224/uploads` endpoint, and later removes the .n3 directory.\r\nName | Data\r\ntype | campaign_id\r\nhid | Call_[hostname]\r\nuts | Unix timestamp\r\nlst | Browser Local State\r\npld | Browser Login Data\r\nlogkc_db | Keychain files\r\n[filename] | Files collected from targeted browser extensions\r\nTable 1: Data name and values\r\nWe also noticed that they increased the number of targeted cryptocurrency browser extensions, adding Kaikas, Rabby, Argent X, Exodus Web3, and others.\r\nBrowser Extension ID | Wallets\r\nnkbihfbeogaeaoehlefnkodbefgpgknn | Metamask\r\nejbalbakoplchlghecdalmeeeajnimhm | Metamask (Edge)\r\nfhbohimaelbohpjbbldcngcnapndodjp | BNB Chain Wallet\r\nhnfanknocfeofbddgcijnmhnfnkdnaad | Coinbase\r\nibnejdfjmmkpcnlpebklmnkoeoihofec | TronLink\r\nbfnaelmomeimhlpmgjnjophhpkkoljpa | Phantom\r\naeachknmefphepccionboohckonoeemg | Coin98\r\nhifafgmccdpekplomjjkcfgodnhcellj | Crypto.com\r\njblndlipeogpafnldhgmapagcccfchpi | Kaia\r\nTable 2: Targeted browser extensions\r\nC2 Endpoints:\r\nEndpoint | Description | Location\r\n/pdown | Downloads Python library | [homepath]/p\r\n/uploads | Sends collected information | –\r\n/client/[campaign_id] | Downloads InvisibleFerret initial script | [homepath]/[campaign_id]\r\nTable 3: Command and control (C2) endpoints for BeaverTail (Windows)\r\nMalicious Repositories\r\nApart from the newly emerged binaries, trojanized Node.js projects continue to be used as a tactic and show no signs of slowing down. They have a preference for modifying cryptocurrency projects, games, or projects bootstrapped with Create React App or Create Next App. 
These repositories are either hosted on code-sharing platforms such as GitHub, GitLab, and Bitbucket, or sometimes even on third-party file hosting services.\r\nWhile monitoring their activities, we observed that they occasionally update their scripts and alter the scripts’ entry points. Also, for evasion reasons, they will make the repository private, overwrite Git history, or remove malicious code from the repository after some time.\r\nFigure 6: Third-party service hosting malicious repositories.\r\nThe malicious JavaScript code is buried within these repositories. The following is an example of a trojanized repository, where the `node server/server.js` command was added to the “scripts” property in package.json. Here, `server/server.js` serves as the initial entry point, which in turn loads the malicious script in `middlewares/helpers/error.js`.\r\nFigure 7: Example of a trojanized repository.\r\nThe following is another example of a one-liner addition in one of the malicious repositories. The hostile JavaScript one-liner now also features a different obfuscation pattern, and appears to use the widely popular JavaScript obfuscator. The obfuscated code is often positioned far to the right after many blank spaces, or hidden after hundreds of blank lines, making it visually challenging to detect.\r\nFigure 8: One-liner code at Line 818, Column 969.\r\nFigure 9: Commit showing the removal of the malicious code at Line 14363.\r\nAnother discreet approach was to fetch the malicious code from an intermediary server. In the following code snippet, it retrieves the BeaverTail JavaScript code from the C2 ipcheck[.]cloud or regioncheck[.]net. 
In this case, the server returns a response with the payload in the “cookie” field but with an HTTP status code of 500, which then causes the eval() in the catch block to be executed. This is quite intriguing because researchers who rely on scripts for their analysis could encounter errors. There are other variants where HTTP status code 200 is used, and the eval() function is not in the error-handling block.\r\nFigure 10: Fetching the malicious code.\r\nBeaverTail – Python \u0026 CivetQ\r\nOne significant change was the introduction of BeaverTail (Python) and CivetQ. We observed that the malicious JavaScript code has been changed to a simpler downloader rather than the full-fledged BeaverTail. This makes sense, as a shorter line of code will be harder to detect. This downloader communicates with the C2 at port 54321 and retrieves the Python executable and BeaverTail (Python) from it.\r\nOther than the usual stealing of data from browsers, browser extensions, cryptocurrency wallets, and credential vaults, BeaverTail (Python) has now implemented other functionalities, such as establishing persistence and configuring AnyDesk. It also fetches several Python scripts that, as a bundle, we named CivetQ. Lazarus has taken a more modular approach, with each script now performing a distinct task. These tools are still in development, as we see some unused functions and variables.\r\nFigure 11: Components of CivetQ.\r\nFiles | Description\r\n.q2 | Launches the “.queue” script and fetches and executes any further scripts sent by C2\r\n.queue | Keylogger and clipboard stealer component; writes to [homepath]/.pygl/.[uuid]\r\ncoks | Cookies stealer component\r\nbow | Browser stealer component\r\n.ext | Any additional Python scripts\r\nTable 4: Description of the components of CivetQ.\r\nEstablishes persistence to run the .q2 script\r\nBeaverTail fetches the ‘.queue’ and ‘.q2’ files from C2 and writes them to “.locale/.queue” and “.locale/.q2” respectively. The “.q2” script is responsible for launching the “.queue” file, and also for starting a separate thread to fetch and execute any new payloads from C2; it can choose whether a downloaded script is saved to disk as “.ext”. BeaverTail establishes persistence for these “.queue” and “.q2” scripts on the system by creating various files depending on the platform. These scripts are configured to execute automatically each time the system starts up. As a result, the malware ensures that it remains active and operational after every reboot.\r\nPlatform | Persistence mechanism\r\nWindows | %APPDATA%\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\queue.bat\r\nmacOS | [homepath]/Library/LaunchAgents/com.avatar.update.wake.plist\r\nLinux | [homepath]/.config/autostart/queue.desktop\r\nTable 5: Persistence mechanism for different platforms\r\nFigure 12: Example of the created macOS property list file – com.avatar.update.wake.plist (a PLIST 1.0 document with Label com.avatar.update.wake, ProgramArguments [filepath of python] [filepath of .q2], and a RunAtLoad key).\r\nConfiguring AnyDesk for Unattended Access\r\nIt modifies the `%APPDATA%/service.conf` file by appending the following lines to it. This sets up a permanent password on the remote device and allows another party to connect to it at any time, even if no one is there to accept the connection. This modification eliminates the need for a user prompt.\r\nAdditionally, it sends the contents of the AnyDesk `system.conf` file to the command-and-control (C2) server. 
This file contains configuration variables utilized by the AnyDesk application, and they are likely doing this to retrieve the `ad.anynet.id` value, so the attacker knows the ID to connect to. However, for the attacker to connect to the victim’s host, it still requires the AnyDesk application to be running. We presume that the additional payload or new updates to the code will involve installing AnyDesk and creating a scheduled task for it.\r\nad.anynet.pwd_hash=1bbb953890e752a6898afe71121583881c3eebd2365df7d985c52dda0bd89e14\r\nad.anynet.pwd_salt=675928d7a0a28f70740b7eedf021de82\r\nad.anynet.token_salt=2c5e45a85a8eed94ffed26a7c3b0790e\r\nFigure 13: Lines added to the AnyDesk service.conf file\r\nSteals data from Microsoft Sticky Notes\r\nThe malware is able to steal data from Microsoft Sticky Notes by targeting the application’s SQLite database files located at `%LocalAppData%\\Packages\\Microsoft.MicrosoftStickyNotes_8wekyb3d8bbwe\\LocalState\\plum.sql where user notes are stored in an unencrypted format. By querying and extracting data from this database, the malware can retrieve and exfiltrate sensitive information from the victim’s Sticky Notes application.\r\nThe list of targeted browser extensions has expanded significantly to a total of 74 applications. Notably, it now includes Authenticator, password manager and note-taking extensions. Authenticator is a browser extension that generates two-factor authentication (2FA) codes in the browser. 
Please refer to Annex A for a full list of extensions.\r\nC2 Endpoints:\r\nEndpoint | Description | Location\r\n/pdown | Downloads Python executable | [tmpdir]/p.zip, [tmpdir]/p2.zip, [homepath]/.pyp\r\n/avatar | Downloads BeaverTail (Python) | [homepath]/.avatar\r\n/info | Sends host information | –\r\n/anys | Sends contents of AnyDesk ‘system.conf’ file | –\r\n/queue | Downloads ‘.queue’ file | [homepath]/.locale/.queue\r\n/queue | Downloads ‘.q2’ file | [homepath]/.locale/.q2\r\n/bow/[campaign_id] | Downloads ‘bow’ script – browser stealer component | [homepath]/.locale/bow\r\nTable 6: Combined command and control (C2) endpoints for BeaverTail (Python), CivetQ, and downloader\r\nInvisibleFerret\r\nWe still spot occurrences of InvisibleFerret that are downloaded using BeaverTail (JavaScript). InvisibleFerret is a cross-platform Python backdoor. It consists of an initial script and two additional components, bow and pay. The initial script is usually named ‘.npl’. The main capabilities of InvisibleFerret include remote control, keylogging, browser stealing, and facilitating the downloading of an AnyDesk client. It will connect to two different IP addresses, one at port 1244 and another at port 1245. In recent months, we have seen its changes and will turn our attention to its updates in this section.\r\nFigure 14: Components of InvisibleFerret.\r\nDuring our analysis we observed that one of the ‘pay’ scripts for InvisibleFerret has changed its style of obfuscation. 
It now employs Matryoshka-style obfuscation, which involves repeated compression, base64-encoding and reversal.\r\nFigure 15: Different obfuscation used in InvisibleFerret’s ‘pay’ script.\r\nEndpoint | Location | Description\r\n/payload/[campaign_id] | [homepath]/.n2/pay | Downloads infostealer, remote control component\r\n/brow/[campaign_id] | [homepath]/.n2/bow | Downloads browser stealer component\r\n/keys | – | Upload data\r\nTable 7: C2 endpoints for InvisibleFerret\r\nWhile comparing versions of the scripts, we found that most of the files uploaded using File Transfer Protocol (FTP) were XOR-encrypted with the key `G01d*8@(“`.\r\nAn additional command, `ssh_zcp`, has also been included in the latest iteration of the script. It enumerates the browser extensions’ data from six different browsers (Chrome, Chromium, Opera, Brave, MsEdge, and Vivaldi) if present. It also attempts to locate targeted data on disk, such as the directories `%LocalAppData%\\1Password` and `%AppData%\\WinAuth`. The collected data will then be compressed with the password ‘2024’ before it is uploaded. Along with uploading the data to the FTP server, they have now included Telegram as an additional method for data exfiltration. 
For the complete list of the targeted applications specified in this script, please refer to Annex B.\r\nSummary of InvisibleFerret C2 Commands:\r\nCommands | Description\r\nssh_obj | Command execution\r\nssh_cmd | Closes socket\r\nssh_clip | Sends clipboard and keylogger data\r\nssh_run | Downloads and executes the browser stealer script from http://[host]:[port]/brow/[campaign_id]/\r\nssh_upload | Uploads directories and files specified in the given command\r\nssh_kill | Kills Chrome and Brave browser processes\r\nssh_any | Downloads AnyDesk from http://[host]:[port]/adc/[campaign_id]\r\nCollect and upload folders via FTP\r\nTable 8: Commands available for InvisibleFerret ‘pay’ script.\r\nFigure 16: Snippet of targeted data.\r\nAn interesting note on the timezone specified for the uploaded file:\r\nFigure 17: Snippet of specified timezone.\r\nBy no means exhaustive, the following is a list of malicious repositories that we have discovered during our research:\r\nRepository name | Filepath | Original App / Template | Date created\r\nGamer-Hub | server/app.js | GamerHub | 2024-08-29\r\nguilherme-matos-test-task | server/controllers/userController.js | Create Next App | 2024-08-28\r\ngglab-mvp-v1.7 | socket/index.js | Casino Template | 2024-08-26\r\nultrax-u2u | auth/controllers/orderController.js | ULTRA-X-DEX | 2024-08-22\r\nllgchessgame | routes/api.js | Chess Hub | 2024-08-22\r\njetracing | backend/app.js | CubeRun | 2024-08-21\r\nTable 9: Malicious repositories\r\nDynamic Analysis\r\nUsing Group-IB’s malware detonation platform, we can readily observe key processes spawned, such as python.exe and tar.exe, and watch a video of the sample during its execution. 
Visit our detonation platform to view a demonstration of BeaverTail sample execution.\r\nFigure 18: Group-IB’s malware detonation platform detonating a BeaverTail sample.\r\nConclusion\r\nLazarus has updated their tactics, upgraded their tools and found better ways to conceal their activities. They show no signs of easing their efforts, with their campaign targeting job seekers extending into 2024 and to the present day. Their attacks have become increasingly creative, and they are now expanding their reach across more platforms. This evolution underscores the importance of staying alert and adapting our security measures to deal with these new and widespread risks.\r\nRecommendations\r\nBe vigilant when recruiters ask you to perform tasks or download applications, especially if these involve executable files.\r\nAlways verify that the companies and recruiters offering job interviews are genuine and properly established.\r\nBe cautious with links and attachments in unsolicited emails or messages claiming to be from recruiters or companies.\r\nUse up-to-date antivirus and anti-malware software to scan any files or applications before opening them.\r\nKeeping your organization secure requires ongoing vigilance. Utilizing a proprietary solution like Group-IB’s Threat Intelligence can enhance your security posture by providing teams with advanced insights into emerging threats, allowing you to identify potential risks sooner and implement defenses more proactively.\r\nImplementing a Digital Risk Protection solution will enhance your company’s security by detecting and addressing instances of brand impersonation, allowing you to identify and mitigate risks from unauthorized entities exploiting your brand’s identity.\r\nMITRE ATT\u0026CK\r\nIndicators of Compromise\r\nFilename | SHA256\r\nFCCCall.msi | fd9e8fcc5bda88870b12b47cbb1cc8775ccff285f980c4a2b683463b26e36bf0\r\nFCCCall.msi | 36cac29ff3c503c2123514ea903836d5ad81067508a8e16f7947e3e675a08670\r\nFCCCall.msi | d502f822e6c52345227b64e3c326e2dbefdd8fc3f844df0821598f8d3732f763\r\nFCCCall.exe | d5c0b89e1dfbe9f5e5b2c3f745af895a36adf772f0b72a22052ae6dfa045cea6\r\nFCCCall.exe | 0621d37818c35e2557fdd8a729e50ea662ba518df8ca61a44cc3add5c6deb3cd\r\nFCCCall.exe | c0110cb21ae0e7fb5dec83ca90db9e250b47a394662810f230eb621b0728aa97\r\nFCCCall | d801ad1beeab3500c65434da51326d7648a3c54923d794b2411b7b6a2960f31e\r\nFCCCall.dmg | 000b4a77b1905cabdb59d2b576f6da1b2ef55a0258004e4a9e290e9f41fb6923\r\nConsolidated Network IoCs\r\nAnnex A\r\nExtensions\r\nAnnex B\r\nExtensions\r\nApplication Data",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA",
		"Malpedia"
	],
	"references": [
		"https://www.group-ib.com/blog/apt-lazarus-python-scripts/"
	],
	"report_names": [
		"apt-lazarus-python-scripts"
	],
	"threat_actors": [
		{
			"id": "34eea331-d052-4096-ae03-a22f1d090bd4",
			"created_at": "2025-08-07T02:03:25.073494Z",
			"updated_at": "2026-04-10T02:00:03.709243Z",
			"deleted_at": null,
			"main_name": "NICKEL ACADEMY",
			"aliases": [
				"ATK3 ",
				"Black Artemis ",
				"COVELLITE ",
				"CTG-2460 ",
				"Citrine Sleet ",
				"Diamond Sleet ",
				"Guardians of Peace",
				"HIDDEN COBRA ",
				"High Anonymous",
				"Labyrinth Chollima ",
				"Lazarus Group ",
				"NNPT Group",
				"New Romanic Cyber Army Team",
				"Temp.Hermit ",
				"UNC577 ",
				"Who Am I?",
				"Whois Team",
				"ZINC "
			],
			"source_name": "Secureworks:NICKEL ACADEMY",
			"tools": [
				"Destover",
				"KorHigh",
				"Volgmer"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "9f101d9c-05ea-48b9-b6f1-168cd6d06d12",
			"created_at": "2023-01-06T13:46:39.396409Z",
			"updated_at": "2026-04-10T02:00:03.312816Z",
			"deleted_at": null,
			"main_name": "Earth Lusca",
			"aliases": [
				"CHROMIUM",
				"ControlX",
				"TAG-22",
				"BRONZE UNIVERSITY",
				"AQUATIC PANDA",
				"RedHotel",
				"Charcoal Typhoon",
				"Red Scylla",
				"Red Dev 10",
				"BountyGlad"
			],
			"source_name": "MISPGALAXY:Earth Lusca",
			"tools": [
				"RouterGod",
				"SprySOCKS",
				"ShadowPad",
				"POISONPLUG",
				"Barlaiy",
				"Spyder",
				"FunnySwitch"
			],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "4fc99d9b-9b66-4516-b0db-520fbef049ed",
			"created_at": "2025-10-29T02:00:51.949631Z",
			"updated_at": "2026-04-10T02:00:05.346203Z",
			"deleted_at": null,
			"main_name": "Contagious Interview",
			"aliases": [
				"Contagious Interview",
				"DeceptiveDevelopment",
				"Gwisin Gang",
				"Tenacious Pungsan",
				"DEV#POPPER",
				"PurpleBravo",
				"TAG-121"
			],
			"source_name": "MITRE:Contagious Interview",
			"tools": [
				"InvisibleFerret",
				"BeaverTail",
				"XORIndex Loader",
				"HexEval Loader"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "732597b1-40a8-474c-88cc-eb8a421c29f1",
			"created_at": "2025-08-07T02:03:25.087732Z",
			"updated_at": "2026-04-10T02:00:03.776007Z",
			"deleted_at": null,
			"main_name": "NICKEL GLADSTONE",
			"aliases": [
				"APT38 ",
				"ATK 117 ",
				"Alluring Pisces ",
				"Black Alicanto ",
				"Bluenoroff ",
				"CTG-6459 ",
				"Citrine Sleet ",
				"HIDDEN COBRA ",
				"Lazarus Group",
				"Sapphire Sleet ",
				"Selective Pisces ",
				"Stardust Chollima ",
				"T-APT-15 ",
				"TA444 ",
				"TAG-71 "
			],
			"source_name": "Secureworks:NICKEL GLADSTONE",
			"tools": [
				"AlphaNC",
				"Bankshot",
				"CCGC_Proxy",
				"Ratankba",
				"RustBucket",
				"SUGARLOADER",
				"SwiftLoader",
				"Wcry"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "a2b92056-9378-4749-926b-7e10c4500dac",
			"created_at": "2023-01-06T13:46:38.430595Z",
			"updated_at": "2026-04-10T02:00:02.971571Z",
			"deleted_at": null,
			"main_name": "Lazarus Group",
			"aliases": [
				"Operation DarkSeoul",
				"Bureau 121",
				"Group 77",
				"APT38",
				"NICKEL GLADSTONE",
				"G0082",
				"COPERNICIUM",
				"Moonstone Sleet",
				"Operation GhostSecret",
				"APT 38",
				"Appleworm",
				"Unit 121",
				"ATK3",
				"G0032",
				"ATK117",
				"NewRomanic Cyber Army Team",
				"Nickel Academy",
				"Sapphire Sleet",
				"Lazarus group",
				"Hastati Group",
				"Subgroup: Bluenoroff",
				"Operation Troy",
				"Black Artemis",
				"Dark Seoul",
				"Andariel",
				"Labyrinth Chollima",
				"Operation AppleJeus",
				"COVELLITE",
				"Citrine Sleet",
				"DEV-0139",
				"DEV-1222",
				"Hidden Cobra",
				"Bluenoroff",
				"Stardust Chollima",
				"Whois Hacking Team",
				"Diamond Sleet",
				"TA404",
				"BeagleBoyz",
				"APT-C-26"
			],
			"source_name": "MISPGALAXY:Lazarus Group",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "18a7b52d-a1cd-43a3-8982-7324e3e676b7",
			"created_at": "2025-08-07T02:03:24.688416Z",
			"updated_at": "2026-04-10T02:00:03.734754Z",
			"deleted_at": null,
			"main_name": "BRONZE UNIVERSITY",
			"aliases": [
				"Aquatic Panda",
				"Aquatic Panda ",
				"CHROMIUM",
				"CHROMIUM ",
				"Charcoal Typhoon",
				"Charcoal Typhoon ",
				"Earth Lusca",
				"Earth Lusca ",
				"FISHMONGER ",
				"Red Dev 10",
				"Red Dev 10 ",
				"Red Scylla",
				"Red Scylla ",
				"RedHotel",
				"RedHotel ",
				"Tag-22",
				"Tag-22 "
			],
			"source_name": "Secureworks:BRONZE UNIVERSITY",
			"tools": [
				"Cobalt Strike",
				"Fishmaster",
				"FunnySwitch",
				"Spyder",
				"njRAT"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "32a223a8-3c79-4146-87c5-8557d38662ae",
			"created_at": "2022-10-25T15:50:23.703698Z",
			"updated_at": "2026-04-10T02:00:05.261989Z",
			"deleted_at": null,
			"main_name": "Lazarus Group",
			"aliases": [
				"Lazarus Group",
				"Labyrinth Chollima",
				"HIDDEN COBRA",
				"Guardians of Peace",
				"NICKEL ACADEMY",
				"Diamond Sleet"
			],
			"source_name": "MITRE:Lazarus Group",
			"tools": [
				"RawDisk",
				"Proxysvc",
				"BADCALL",
				"FALLCHILL",
				"WannaCry",
				"MagicRAT",
				"HOPLIGHT",
				"TYPEFRAME",
				"Dtrack",
				"HotCroissant",
				"HARDRAIN",
				"Dacls",
				"KEYMARBLE",
				"TAINTEDSCRIBE",
				"AuditCred",
				"netsh",
				"ECCENTRICBANDWAGON",
				"AppleJeus",
				"BLINDINGCAN",
				"ThreatNeedle",
				"Volgmer",
				"Cryptoistic",
				"RATANKBA",
				"Bankshot"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "6abcc917-035c-4e9b-a53f-eaee636749c3",
			"created_at": "2022-10-25T16:07:23.565337Z",
			"updated_at": "2026-04-10T02:00:04.668393Z",
			"deleted_at": null,
			"main_name": "Earth Lusca",
			"aliases": [
				"Bronze University",
				"Charcoal Typhoon",
				"Chromium",
				"G1006",
				"Red Dev 10",
				"Red Scylla"
			],
			"source_name": "ETDA:Earth Lusca",
			"tools": [
				"Agentemis",
				"AntSword",
				"BIOPASS",
				"BIOPASS RAT",
				"BadPotato",
				"Behinder",
				"BleDoor",
				"Cobalt Strike",
				"CobaltStrike",
				"Doraemon",
				"FRP",
				"Fast Reverse Proxy",
				"FunnySwitch",
				"HUC Port Banner Scanner",
				"KTLVdoor",
				"Mimikatz",
				"NBTscan",
				"POISONPLUG.SHADOW",
				"PipeMon",
				"RbDoor",
				"RibDoor",
				"RouterGod",
				"SAMRID",
				"ShadowPad Winnti",
				"SprySOCKS",
				"WinRAR",
				"Winnti",
				"XShellGhost",
				"cobeacon",
				"fscan",
				"lcx",
				"nbtscan"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "d53593c3-2819-4af3-bf16-0c39edc64920",
			"created_at": "2022-10-27T08:27:13.212301Z",
			"updated_at": "2026-04-10T02:00:05.272802Z",
			"deleted_at": null,
			"main_name": "Earth Lusca",
			"aliases": [
				"Earth Lusca",
				"TAG-22",
				"Charcoal Typhoon",
				"CHROMIUM",
				"ControlX"
			],
			"source_name": "MITRE:Earth Lusca",
			"tools": [
				"Mimikatz",
				"PowerSploit",
				"Tasklist",
				"certutil",
				"Cobalt Strike",
				"Winnti for Linux",
				"Nltest",
				"NBTscan",
				"ShadowPad"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "f32df445-9fb4-4234-99e0-3561f6498e4e",
			"created_at": "2022-10-25T16:07:23.756373Z",
			"updated_at": "2026-04-10T02:00:04.739611Z",
			"deleted_at": null,
			"main_name": "Lazarus Group",
			"aliases": [
				"APT-C-26",
				"ATK 3",
				"Appleworm",
				"Citrine Sleet",
				"DEV-0139",
				"Diamond Sleet",
				"G0032",
				"Gleaming Pisces",
				"Gods Apostles",
				"Gods Disciples",
				"Group 77",
				"Guardians of Peace",
				"Hastati Group",
				"Hidden Cobra",
				"ITG03",
				"Jade Sleet",
				"Labyrinth Chollima",
				"Lazarus Group",
				"NewRomanic Cyber Army Team",
				"Operation 99",
				"Operation AppleJeus",
				"Operation AppleJeus sequel",
				"Operation Blockbuster: Breach of Sony Pictures Entertainment",
				"Operation CryptoCore",
				"Operation Dream Job",
				"Operation Dream Magic",
				"Operation Flame",
				"Operation GhostSecret",
				"Operation In(ter)caption",
				"Operation LolZarus",
				"Operation Marstech Mayhem",
				"Operation No Pineapple!",
				"Operation North Star",
				"Operation Phantom Circuit",
				"Operation Sharpshooter",
				"Operation SyncHole",
				"Operation Ten Days of Rain / DarkSeoul",
				"Operation Troy",
				"SectorA01",
				"Slow Pisces",
				"TA404",
				"TraderTraitor",
				"UNC2970",
				"UNC4034",
				"UNC4736",
				"UNC4899",
				"UNC577",
				"Whois Hacking Team"
			],
			"source_name": "ETDA:Lazarus Group",
			"tools": [
				"3CX Backdoor",
				"3Rat Client",
				"3proxy",
				"AIRDRY",
				"ARTFULPIE",
				"ATMDtrack",
				"AlphaNC",
				"Alreay",
				"Andaratm",
				"AngryRebel",
				"AppleJeus",
				"Aryan",
				"AuditCred",
				"BADCALL",
				"BISTROMATH",
				"BLINDINGCAN",
				"BTC Changer",
				"BUFFETLINE",
				"BanSwift",
				"Bankshot",
				"Bitrep",
				"Bitsran",
				"BlindToad",
				"Bookcode",
				"BootWreck",
				"BottomLoader",
				"Brambul",
				"BravoNC",
				"Breut",
				"COLDCAT",
				"COPPERHEDGE",
				"CROWDEDFLOUNDER",
				"Castov",
				"CheeseTray",
				"CleanToad",
				"ClientTraficForwarder",
				"CollectionRAT",
				"Concealment Troy",
				"Contopee",
				"CookieTime",
				"Cyruslish",
				"DAVESHELL",
				"DBLL Dropper",
				"DLRAT",
				"DRATzarus",
				"DRATzarus RAT",
				"Dacls",
				"Dacls RAT",
				"DarkComet",
				"DarkKomet",
				"DeltaCharlie",
				"DeltaNC",
				"Dembr",
				"Destover",
				"DoublePulsar",
				"Dozer",
				"Dtrack",
				"Duuzer",
				"DyePack",
				"ECCENTRICBANDWAGON",
				"ELECTRICFISH",
				"Escad",
				"EternalBlue",
				"FALLCHILL",
				"FYNLOS",
				"FallChill RAT",
				"Farfli",
				"Fimlis",
				"FoggyBrass",
				"FudModule",
				"Fynloski",
				"Gh0st RAT",
				"Ghost RAT",
				"Gopuram",
				"HARDRAIN",
				"HIDDEN COBRA RAT/Worm",
				"HLOADER",
				"HOOKSHOT",
				"HOPLIGHT",
				"HOTCROISSANT",
				"HOTWAX",
				"HTTP Troy",
				"Hawup",
				"Hawup RAT",
				"Hermes",
				"HotCroissant",
				"HotelAlfa",
				"Hotwax",
				"HtDnDownLoader",
				"Http Dr0pper",
				"ICONICSTEALER",
				"Joanap",
				"Jokra",
				"KANDYKORN",
				"KEYMARBLE",
				"Kaos",
				"KillDisk",
				"KillMBR",
				"Koredos",
				"Krademok",
				"LIGHTSHIFT",
				"LIGHTSHOW",
				"LOLBAS",
				"LOLBins",
				"Lazarus",
				"LightlessCan",
				"Living off the Land",
				"MATA",
				"MBRkiller",
				"MagicRAT",
				"Manuscrypt",
				"Mimail",
				"Mimikatz",
				"Moudour",
				"Mydoom",
				"Mydoor",
				"Mytob",
				"NACHOCHEESE",
				"NachoCheese",
				"NestEgg",
				"NickelLoader",
				"NineRAT",
				"Novarg",
				"NukeSped",
				"OpBlockBuster",
				"PCRat",
				"PEBBLEDASH",
				"PLANKWALK",
				"POOLRAT",
				"PSLogger",
				"PhanDoor",
				"Plink",
				"PondRAT",
				"PowerBrace",
				"PowerRatankba",
				"PowerShell RAT",
				"PowerSpritz",
				"PowerTask",
				"Preft",
				"ProcDump",
				"Proxysvc",
				"PuTTY Link",
				"QUICKRIDE",
				"QUICKRIDE.POWER",
				"Quickcafe",
				"QuiteRAT",
				"R-C1",
				"ROptimizer",
				"Ratabanka",
				"RatabankaPOS",
				"Ratankba",
				"RatankbaPOS",
				"RawDisk",
				"RedShawl",
				"Rifdoor",
				"Rising Sun",
				"Romeo-CoreOne",
				"RomeoAlfa",
				"RomeoBravo",
				"RomeoCharlie",
				"RomeoCore",
				"RomeoDelta",
				"RomeoEcho",
				"RomeoFoxtrot",
				"RomeoGolf",
				"RomeoHotel",
				"RomeoMike",
				"RomeoNovember",
				"RomeoWhiskey",
				"Romeos",
				"RustBucket",
				"SHADYCAT",
				"SHARPKNOT",
				"SIGFLIP",
				"SIMPLESEA",
				"SLICKSHOES",
				"SORRYBRUTE",
				"SUDDENICON",
				"SUGARLOADER",
				"SheepRAT",
				"SierraAlfa",
				"SierraBravo",
				"SierraCharlie",
				"SierraJuliett-MikeOne",
				"SierraJuliett-MikeTwo",
				"SimpleTea",
				"SimplexTea",
				"SmallTiger",
				"Stunnel",
				"TAINTEDSCRIBE",
				"TAXHAUL",
				"TFlower",
				"TOUCHKEY",
				"TOUCHMOVE",
				"TOUCHSHIFT",
				"TOUCHSHOT",
				"TWOPENCE",
				"TYPEFRAME",
				"Tdrop",
				"Tdrop2",
				"ThreatNeedle",
				"Tiger RAT",
				"TigerRAT",
				"Trojan Manuscript",
				"Troy",
				"TroyRAT",
				"VEILEDSIGNAL",
				"VHD",
				"VHD Ransomware",
				"VIVACIOUSGIFT",
				"VSingle",
				"ValeforBeta",
				"Volgmer",
				"Vyveva",
				"W1_RAT",
				"Wana Decrypt0r",
				"WanaCry",
				"WanaCrypt",
				"WanaCrypt0r",
				"WannaCry",
				"WannaCrypt",
				"WannaCryptor",
				"WbBot",
				"Wcry",
				"Win32/KillDisk.NBB",
				"Win32/KillDisk.NBC",
				"Win32/KillDisk.NBD",
				"Win32/KillDisk.NBH",
				"Win32/KillDisk.NBI",
				"WinorDLL64",
				"Winsec",
				"WolfRAT",
				"Wormhole",
				"YamaBot",
				"Yort",
				"ZetaNile",
				"concealment_troy",
				"http_troy",
				"httpdr0pper",
				"httpdropper",
				"klovbot",
				"sRDI"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434074,
	"ts_updated_at": 1775792298,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/a68b93b9ad31b1fcf731a1f5c3e77682dd54a143.pdf",
		"text": "https://archive.orkl.eu/a68b93b9ad31b1fcf731a1f5c3e77682dd54a143.txt",
		"img": "https://archive.orkl.eu/a68b93b9ad31b1fcf731a1f5c3e77682dd54a143.jpg"
	}
}