{
	"id": "b3c4c93b-4fa1-43e6-a1df-f71a946e2710",
	"created_at": "2026-04-06T01:32:06.157113Z",
	"updated_at": "2026-04-10T13:12:00.84505Z",
	"deleted_at": null,
	"sha1_hash": "aad82ec406e2d04c1ef1de60cc4bd90321b1fec9",
	"title": "The Lazarus’ gaze to the world: What is behind the first stone ?",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 828761,
	"plain_text": "The Lazarus’ gaze to the world: What is behind the first stone ?\r\nBy widerview\r\nPublished: 2019-11-05 · Archived: 2026-04-06 00:42:15 UTC\r\nIntroduction\r\nLazarus (aka APT38 / Hidden Cobra / Stardust Chollima) is one of the most prolific threat actors in the APT panorama. Since 2009, the group has leveraged its capabilities to target and compromise a wide range of victims; over time, the main victims have been government and defense institutions, organizations operating in the energy and petrochemical sector, and those operating in the financial and banking one.\r\nThe group also has a wide range of tools at its disposal; among these, it is possible to catalog [D]DoS botnets, first-stage implanters, remote access tools (RATs), keyloggers and wipers. This set of malicious tools has over time supported a series of operations ranging from espionage to funding and sabotage.\r\nThis blog post is related to a recent operation most likely carried out by this group and directed at targets located in different parts of the world. However, our analysis started from a single malicious e-mail delivered to an important Italian institution operating in the banking and financial sector. Starting from this email, we traced back the moves of the actor until we obtained an excellent degree of visibility on what was going on.\r\nIn this post, however, we describe only the first phase of the kill chain. Here, the threat actor provides two types of first-stage payloads based on the architecture of the victim’s system. These payloads are used to carry out a first reconnaissance phase. Afterward, some features of the remote script used for managing and controlling victims are explored. Further information about this campaign is available to our threat intelligence portal customers by referring to the investigation ATR:78456.\r\nVector\r\nThe threat actor, in this case, relied on a spoofed e-mail message (coming from e_banking@victim_name_domain_name) to deliver to the victims a message with a malicious Microsoft Office Word document attached. One of the retrieved documents refers to an alleged vacant job position at the Hindustan Aeronautics company.\r\nThe malicious document has two separate first-stage, doubly base64-encoded payloads embedded within it (one for 32-bit and one for 64-bit systems), in addition to another doubly base64-encoded Word document that is designed to be shown to the user.\r\nAn example of one of these payloads is shown as follows:\r\nhttps://www.telsy.com/lazarus-gate/\r\nPage 1 of 16\r\nOnce the macro is executed, the first infection process is started by the AutoOpen Sub. The variables dllPath and docPath are filled by calling the functions GetDllName() and GetDocName() respectively, in order to retrieve the paths from which the files will be loaded later. For the first stage, the path is as follows:\r\n%USERPROFILE%”\\AppData\\Local\\Microsoft\\ThumbNail\\thumnail.db\r\nA subsequent LoadLibraryA call loads the dropped DLL. A variable named “a” is then filled with the result of the so-called ShowState function, within the content of the active opened document. These instructions result in the execution of the dropped library.\r\nFirst run and persistence\r\nThe ShowState function mainly has the task of recovering the current execution path, starting the SetupWorkStation function in the same module context and ensuring persistence on the affected system.\r\nIt is interesting to note how the functions CoInitialize and CoCreateInstance are used, respectively, to initialize the COM library and to instantiate the COM object.\r\nHowever, in order to understand which object is being instantiated, the first argument of the CoCreateInstance() function must be inspected to extract the unique identifier (CLSID) of the COM object. A look at the variable as it appears in memory is shown as follows:\r\nOpening the HKEY_CLASSES_ROOT\\CLSID key gives the corresponding readable format:\r\nOn function return, a new shortcut (.lnk) is created under the local path resulting from the GetTempPath function minus “\\Local\\Temp\\” plus “\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\thumbnail.lnk”.\r\nThe content of thumbnail.lnk is:\r\n“C:\\Windows\\System32\\rundll32.exe” “full path of module”, SetupWorkStation S-6-38-4412-76700627-315277-3247 0 0 9109 1\r\nImplant Initialization\r\nThe SetupWorkStation function of the implant is aimed at system reconnaissance and at beaconing to the command and control server. If the malware does not find the exact number of expected arguments on its command line, it simply quits without going any further.\r\nInside this frame of code, a new thread is created with starting address 100075A0. sub_10007340 is designed to initialize external communication. It internally calls sub_100071F0, which is aimed at executing operations designed for system reconnaissance.\r\nAn example of these instructions, from dynamically generated pseudo-code, is shown below:\r\nRetrieving Username and ComputerName\r\nRetrieving LogicalDrives, DriveTypes\r\nRetrieving FreeSpace for drives\r\nPerforming Processes Enumeration\r\nThe collected information is then compressed and encrypted. A subsequent HTTP request is prepared in order to send the data to the command and control server. Communications make use of the HTTP protocol and the POST method. The “ned”, “gl” and “hl” parameters are used to interact with the remote command and control script, which is used to handle victims and to deliver the second-stage payload. A code frame regarding the functions used for HTTP communication is reported as follows:\r\nBehind the first stone\r\nWe had the opportunity to analyze what the actor did in the backend in order to manage the victims of the first-stage implanter described above. The remote script, at least as far as observed, is copied onto legitimate compromised sites. It also includes the possibility to decide if and when the second-level payload is to be released, and works through blacklists and whitelists in order to protect the final backdoor from unwanted spread.\r\nIt looks like a heavily obfuscated VBScript artifact. Here is an extract from the original retrieved code:\r\nAfter retrieving the original instruction set, it was possible to understand the working logic behind it in depth. The remote script works mainly through Request.Form variables, which are filled when receiving beacons from victims, and through local variables named as follows:\r\n1. strworkdir: The working folder within the compromised wwwroot.\r\n2. strlogpath: The path to the file used to log victims’ data. In this case, a fake .mp3 file.\r\n3. strwhitefile: The path to the file used to store whitelisted victim IP addresses. In this case, a fake .mp3 file.\r\n4. strblackfile: The path to the file used to store blacklisted IP addresses. In this case, a fake .mp3 file.\r\nThe parameters “gl” and “hl” are used to retrieve, respectively, system info about the victim and the OS architecture. On the basis of what has been collected, the log file mapped by the strlogpath variable is then updated with a new row comprising the victim IP address, the victim system info, the request timestamp and the case adopted in handling the victim.\r\nThe threat actor designed four cases, based on the interest in the victim:\r\n1. case_1_64/86: The MD5 of the IP address that made the request is on the whitelist. The actor has selected the victim to be infected with a second-stage payload. The TorisMa_x64/86 payload is then released to the victim.\r\n2. case_2_64/86: The MD5 of the IP address that made the request is on the blacklist. The actor wants to prevent the spread of the second-stage payload to that IP address. The Doris_x64/86 (non-sense chars) payload is then released to the victim.\r\n3. case_3: The victim is of particular interest for the threat actor on the basis of the retrieved system info (identified by a value of 24 for “ned”). The second-stage payload is not yet delivered.\r\n4. case_4: The victim is of no particular interest for the threat actor; no previous condition has been met. The second-stage payload is not yet delivered.\r\nBelow, the primary construct used to manage what is received by the backend script:\r\nVictimology\r\nAccording to the visibility obtained so far, we assess with a high degree of confidence that this campaign is mainly directed against the research/defense sector and financial/payments institutions. Other sectors are obviously not to be excluded, depending on the actor’s interests. Most of the malicious activities associated with the examined malware set are limited to the Indian region. However, organizations in other countries are also within Lazarus’ interests. Here is an exhaustive geographical map where it is possible to observe actions attributable to this specific threat (note that these malicious actions may not have led to a currently active infection but could be limited to infection attempts):\r\nConclusions\r\nIn this case, the Lazarus group targets research/defense and financial organizations mainly in the same region where the security community has recently attributed an attack from the same group against a nuclear power plant. However, it has also been noted that the actor has extended its interests to other regions of the world, including Italy. Furthermore, we have observed an info-gathering implanter used to quickly identify interesting targets, and we have exposed the use of a backend script designed to handle the victims and to limit the spread of second-stage payloads only to wanted ones.\r\nMITRE ATT\u0026CK Techniques\r\n[+] T1193 – Actor relies on spear-phishing as infection vector\r\n[+] T1002 – Actor compresses and encrypts data\r\n[+] T1132 – Actor encodes data\r\n[+] T1023 – Actor relies on shortcuts to achieve persistence\r\n[+] T1060 – Malware maintains persistence through the Start Menu folder\r\n[+] T1071 – Actor relies on standard application layer protocol for C2 comms\r\n[+] T1043 – Actor uses common ports to communicate\r\nIndicators of Compromise\r\nSHA256: b018639e9a5f3b2b9c257b83ee51a3f77bbec1a984db13d1c00e0CC77704abb4\r\nSHA256: adf86d77eb4064c52a3e4fb3f1c3218ee2b7de2b1780b81c612886d72aa9c923\r\nSHA256: 1a172d92638e6fdb2858dcca7a78d4b03c424b7f14be75c2fd479f59049bc5f9\r\nSHA256: ec254c40abff00b104a949f07b7b64235fc395ecb9311eb4020c1c4da0e6b5c4\r\nSHA256: 26a2fa7b45a455c311fd57875d8231c853ea4399be7b9344f2136030b2edc4aa\r\nDomain name (compromised): curiofirenze[.]com\r\nIP Address: 193.70.64.163\r\nFile: %USERPROFILE%”\\AppData\\Local\\Microsoft\\ThumbNail\\thumnail.db\r\nFile: %APPDATA%\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\thumbnail.lnk\r\nArtifacts detection rules\r\nThe YARA detection rule for the unpacked DLL implant is available here.\r\nThird-party freely available rules for detecting executables that have been encoded with base64 twice are here.\r\nCheck more related articles on our blog.\r\nSource: https://www.telsy.com/lazarus-gate/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://www.telsy.com/lazarus-gate/"
	],
	"report_names": [
		"lazarus-gate"
	],
	"threat_actors": [
		{
			"id": "34eea331-d052-4096-ae03-a22f1d090bd4",
			"created_at": "2025-08-07T02:03:25.073494Z",
			"updated_at": "2026-04-10T02:00:03.709243Z",
			"deleted_at": null,
			"main_name": "NICKEL ACADEMY",
			"aliases": [
				"ATK3 ",
				"Black Artemis ",
				"COVELLITE ",
				"CTG-2460 ",
				"Citrine Sleet ",
				"Diamond Sleet ",
				"Guardians of Peace",
				"HIDDEN COBRA ",
				"High Anonymous",
				"Labyrinth Chollima ",
				"Lazarus Group ",
				"NNPT Group",
				"New Romanic Cyber Army Team",
				"Temp.Hermit ",
				"UNC577 ",
				"Who Am I?",
				"Whois Team",
				"ZINC "
			],
			"source_name": "Secureworks:NICKEL ACADEMY",
			"tools": [
				"Destover",
				"KorHigh",
				"Volgmer"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "810fada6-3a62-477e-ac11-2702f9a1ef80",
			"created_at": "2023-01-06T13:46:38.874104Z",
			"updated_at": "2026-04-10T02:00:03.129286Z",
			"deleted_at": null,
			"main_name": "STARDUST CHOLLIMA",
			"aliases": [
				"Sapphire Sleet"
			],
			"source_name": "MISPGALAXY:STARDUST CHOLLIMA",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "732597b1-40a8-474c-88cc-eb8a421c29f1",
			"created_at": "2025-08-07T02:03:25.087732Z",
			"updated_at": "2026-04-10T02:00:03.776007Z",
			"deleted_at": null,
			"main_name": "NICKEL GLADSTONE",
			"aliases": [
				"APT38 ",
				"ATK 117 ",
				"Alluring Pisces ",
				"Black Alicanto ",
				"Bluenoroff ",
				"CTG-6459 ",
				"Citrine Sleet ",
				"HIDDEN COBRA ",
				"Lazarus Group",
				"Sapphire Sleet ",
				"Selective Pisces ",
				"Stardust Chollima ",
				"T-APT-15 ",
				"TA444 ",
				"TAG-71 "
			],
			"source_name": "Secureworks:NICKEL GLADSTONE",
			"tools": [
				"AlphaNC",
				"Bankshot",
				"CCGC_Proxy",
				"Ratankba",
				"RustBucket",
				"SUGARLOADER",
				"SwiftLoader",
				"Wcry"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "a2b92056-9378-4749-926b-7e10c4500dac",
			"created_at": "2023-01-06T13:46:38.430595Z",
			"updated_at": "2026-04-10T02:00:02.971571Z",
			"deleted_at": null,
			"main_name": "Lazarus Group",
			"aliases": [
				"Operation DarkSeoul",
				"Bureau 121",
				"Group 77",
				"APT38",
				"NICKEL GLADSTONE",
				"G0082",
				"COPERNICIUM",
				"Moonstone Sleet",
				"Operation GhostSecret",
				"APT 38",
				"Appleworm",
				"Unit 121",
				"ATK3",
				"G0032",
				"ATK117",
				"NewRomanic Cyber Army Team",
				"Nickel Academy",
				"Sapphire Sleet",
				"Lazarus group",
				"Hastati Group",
				"Subgroup: Bluenoroff",
				"Operation Troy",
				"Black Artemis",
				"Dark Seoul",
				"Andariel",
				"Labyrinth Chollima",
				"Operation AppleJeus",
				"COVELLITE",
				"Citrine Sleet",
				"DEV-0139",
				"DEV-1222",
				"Hidden Cobra",
				"Bluenoroff",
				"Stardust Chollima",
				"Whois Hacking Team",
				"Diamond Sleet",
				"TA404",
				"BeagleBoyz",
				"APT-C-26"
			],
			"source_name": "MISPGALAXY:Lazarus Group",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "32a223a8-3c79-4146-87c5-8557d38662ae",
			"created_at": "2022-10-25T15:50:23.703698Z",
			"updated_at": "2026-04-10T02:00:05.261989Z",
			"deleted_at": null,
			"main_name": "Lazarus Group",
			"aliases": [
				"Lazarus Group",
				"Labyrinth Chollima",
				"HIDDEN COBRA",
				"Guardians of Peace",
				"NICKEL ACADEMY",
				"Diamond Sleet"
			],
			"source_name": "MITRE:Lazarus Group",
			"tools": [
				"RawDisk",
				"Proxysvc",
				"BADCALL",
				"FALLCHILL",
				"WannaCry",
				"MagicRAT",
				"HOPLIGHT",
				"TYPEFRAME",
				"Dtrack",
				"HotCroissant",
				"HARDRAIN",
				"Dacls",
				"KEYMARBLE",
				"TAINTEDSCRIBE",
				"AuditCred",
				"netsh",
				"ECCENTRICBANDWAGON",
				"AppleJeus",
				"BLINDINGCAN",
				"ThreatNeedle",
				"Volgmer",
				"Cryptoistic",
				"RATANKBA",
				"Bankshot"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "f426f0a0-faef-4c0e-bcf8-88974116c9d0",
			"created_at": "2022-10-25T15:50:23.240383Z",
			"updated_at": "2026-04-10T02:00:05.299433Z",
			"deleted_at": null,
			"main_name": "APT38",
			"aliases": [
				"APT38",
				"NICKEL GLADSTONE",
				"BeagleBoyz",
				"Bluenoroff",
				"Stardust Chollima",
				"Sapphire Sleet",
				"COPERNICIUM"
			],
			"source_name": "MITRE:APT38",
			"tools": [
				"ECCENTRICBANDWAGON",
				"HOPLIGHT",
				"Mimikatz",
				"KillDisk",
				"DarkComet"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "1bdb91cf-f1a6-4bed-8cfa-c7ea1b635ebd",
			"created_at": "2022-10-25T16:07:23.766784Z",
			"updated_at": "2026-04-10T02:00:04.7432Z",
			"deleted_at": null,
			"main_name": "Bluenoroff",
			"aliases": [
				"APT 38",
				"ATK 117",
				"Alluring Pisces",
				"Black Alicanto",
				"Bluenoroff",
				"CTG-6459",
				"Copernicium",
				"G0082",
				"Nickel Gladstone",
				"Sapphire Sleet",
				"Selective Pisces",
				"Stardust Chollima",
				"T-APT-15",
				"TA444",
				"TAG-71",
				"TEMP.Hermit"
			],
			"source_name": "ETDA:Bluenoroff",
			"tools": [],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "f32df445-9fb4-4234-99e0-3561f6498e4e",
			"created_at": "2022-10-25T16:07:23.756373Z",
			"updated_at": "2026-04-10T02:00:04.739611Z",
			"deleted_at": null,
			"main_name": "Lazarus Group",
			"aliases": [
				"APT-C-26",
				"ATK 3",
				"Appleworm",
				"Citrine Sleet",
				"DEV-0139",
				"Diamond Sleet",
				"G0032",
				"Gleaming Pisces",
				"Gods Apostles",
				"Gods Disciples",
				"Group 77",
				"Guardians of Peace",
				"Hastati Group",
				"Hidden Cobra",
				"ITG03",
				"Jade Sleet",
				"Labyrinth Chollima",
				"Lazarus Group",
				"NewRomanic Cyber Army Team",
				"Operation 99",
				"Operation AppleJeus",
				"Operation AppleJeus sequel",
				"Operation Blockbuster: Breach of Sony Pictures Entertainment",
				"Operation CryptoCore",
				"Operation Dream Job",
				"Operation Dream Magic",
				"Operation Flame",
				"Operation GhostSecret",
				"Operation In(ter)caption",
				"Operation LolZarus",
				"Operation Marstech Mayhem",
				"Operation No Pineapple!",
				"Operation North Star",
				"Operation Phantom Circuit",
				"Operation Sharpshooter",
				"Operation SyncHole",
				"Operation Ten Days of Rain / DarkSeoul",
				"Operation Troy",
				"SectorA01",
				"Slow Pisces",
				"TA404",
				"TraderTraitor",
				"UNC2970",
				"UNC4034",
				"UNC4736",
				"UNC4899",
				"UNC577",
				"Whois Hacking Team"
			],
			"source_name": "ETDA:Lazarus Group",
			"tools": [
				"3CX Backdoor",
				"3Rat Client",
				"3proxy",
				"AIRDRY",
				"ARTFULPIE",
				"ATMDtrack",
				"AlphaNC",
				"Alreay",
				"Andaratm",
				"AngryRebel",
				"AppleJeus",
				"Aryan",
				"AuditCred",
				"BADCALL",
				"BISTROMATH",
				"BLINDINGCAN",
				"BTC Changer",
				"BUFFETLINE",
				"BanSwift",
				"Bankshot",
				"Bitrep",
				"Bitsran",
				"BlindToad",
				"Bookcode",
				"BootWreck",
				"BottomLoader",
				"Brambul",
				"BravoNC",
				"Breut",
				"COLDCAT",
				"COPPERHEDGE",
				"CROWDEDFLOUNDER",
				"Castov",
				"CheeseTray",
				"CleanToad",
				"ClientTraficForwarder",
				"CollectionRAT",
				"Concealment Troy",
				"Contopee",
				"CookieTime",
				"Cyruslish",
				"DAVESHELL",
				"DBLL Dropper",
				"DLRAT",
				"DRATzarus",
				"DRATzarus RAT",
				"Dacls",
				"Dacls RAT",
				"DarkComet",
				"DarkKomet",
				"DeltaCharlie",
				"DeltaNC",
				"Dembr",
				"Destover",
				"DoublePulsar",
				"Dozer",
				"Dtrack",
				"Duuzer",
				"DyePack",
				"ECCENTRICBANDWAGON",
				"ELECTRICFISH",
				"Escad",
				"EternalBlue",
				"FALLCHILL",
				"FYNLOS",
				"FallChill RAT",
				"Farfli",
				"Fimlis",
				"FoggyBrass",
				"FudModule",
				"Fynloski",
				"Gh0st RAT",
				"Ghost RAT",
				"Gopuram",
				"HARDRAIN",
				"HIDDEN COBRA RAT/Worm",
				"HLOADER",
				"HOOKSHOT",
				"HOPLIGHT",
				"HOTCROISSANT",
				"HOTWAX",
				"HTTP Troy",
				"Hawup",
				"Hawup RAT",
				"Hermes",
				"HotCroissant",
				"HotelAlfa",
				"Hotwax",
				"HtDnDownLoader",
				"Http Dr0pper",
				"ICONICSTEALER",
				"Joanap",
				"Jokra",
				"KANDYKORN",
				"KEYMARBLE",
				"Kaos",
				"KillDisk",
				"KillMBR",
				"Koredos",
				"Krademok",
				"LIGHTSHIFT",
				"LIGHTSHOW",
				"LOLBAS",
				"LOLBins",
				"Lazarus",
				"LightlessCan",
				"Living off the Land",
				"MATA",
				"MBRkiller",
				"MagicRAT",
				"Manuscrypt",
				"Mimail",
				"Mimikatz",
				"Moudour",
				"Mydoom",
				"Mydoor",
				"Mytob",
				"NACHOCHEESE",
				"NachoCheese",
				"NestEgg",
				"NickelLoader",
				"NineRAT",
				"Novarg",
				"NukeSped",
				"OpBlockBuster",
				"PCRat",
				"PEBBLEDASH",
				"PLANKWALK",
				"POOLRAT",
				"PSLogger",
				"PhanDoor",
				"Plink",
				"PondRAT",
				"PowerBrace",
				"PowerRatankba",
				"PowerShell RAT",
				"PowerSpritz",
				"PowerTask",
				"Preft",
				"ProcDump",
				"Proxysvc",
				"PuTTY Link",
				"QUICKRIDE",
				"QUICKRIDE.POWER",
				"Quickcafe",
				"QuiteRAT",
				"R-C1",
				"ROptimizer",
				"Ratabanka",
				"RatabankaPOS",
				"Ratankba",
				"RatankbaPOS",
				"RawDisk",
				"RedShawl",
				"Rifdoor",
				"Rising Sun",
				"Romeo-CoreOne",
				"RomeoAlfa",
				"RomeoBravo",
				"RomeoCharlie",
				"RomeoCore",
				"RomeoDelta",
				"RomeoEcho",
				"RomeoFoxtrot",
				"RomeoGolf",
				"RomeoHotel",
				"RomeoMike",
				"RomeoNovember",
				"RomeoWhiskey",
				"Romeos",
				"RustBucket",
				"SHADYCAT",
				"SHARPKNOT",
				"SIGFLIP",
				"SIMPLESEA",
				"SLICKSHOES",
				"SORRYBRUTE",
				"SUDDENICON",
				"SUGARLOADER",
				"SheepRAT",
				"SierraAlfa",
				"SierraBravo",
				"SierraCharlie",
				"SierraJuliett-MikeOne",
				"SierraJuliett-MikeTwo",
				"SimpleTea",
				"SimplexTea",
				"SmallTiger",
				"Stunnel",
				"TAINTEDSCRIBE",
				"TAXHAUL",
				"TFlower",
				"TOUCHKEY",
				"TOUCHMOVE",
				"TOUCHSHIFT",
				"TOUCHSHOT",
				"TWOPENCE",
				"TYPEFRAME",
				"Tdrop",
				"Tdrop2",
				"ThreatNeedle",
				"Tiger RAT",
				"TigerRAT",
				"Trojan Manuscript",
				"Troy",
				"TroyRAT",
				"VEILEDSIGNAL",
				"VHD",
				"VHD Ransomware",
				"VIVACIOUSGIFT",
				"VSingle",
				"ValeforBeta",
				"Volgmer",
				"Vyveva",
				"W1_RAT",
				"Wana Decrypt0r",
				"WanaCry",
				"WanaCrypt",
				"WanaCrypt0r",
				"WannaCry",
				"WannaCrypt",
				"WannaCryptor",
				"WbBot",
				"Wcry",
				"Win32/KillDisk.NBB",
				"Win32/KillDisk.NBC",
				"Win32/KillDisk.NBD",
				"Win32/KillDisk.NBH",
				"Win32/KillDisk.NBI",
				"WinorDLL64",
				"Winsec",
				"WolfRAT",
				"Wormhole",
				"YamaBot",
				"Yort",
				"ZetaNile",
				"concealment_troy",
				"http_troy",
				"httpdr0pper",
				"httpdropper",
				"klovbot",
				"sRDI"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775439126,
	"ts_updated_at": 1775826720,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/aad82ec406e2d04c1ef1de60cc4bd90321b1fec9.pdf",
		"text": "https://archive.orkl.eu/aad82ec406e2d04c1ef1de60cc4bd90321b1fec9.txt",
		"img": "https://archive.orkl.eu/aad82ec406e2d04c1ef1de60cc4bd90321b1fec9.jpg"
	}
}