{
	"id": "d6603fca-fbea-4954-b63b-cc3cb8d7ed47",
	"created_at": "2026-04-06T00:08:43.201098Z",
	"updated_at": "2026-04-10T03:38:19.877478Z",
	"deleted_at": null,
	"sha1_hash": "ae03bac4dbaa1a8c2b95f6b1df7e535751cd2a53",
	"title": "Endpoint Protection - Symantec Enterprise",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 214577,
	"plain_text": "Endpoint Protection - Symantec Enterprise\r\nArchived: 2026-04-05 23:16:22 UTC\r\nOrganizations in 31 countries have been targeted in a new wave of attacks which has been underway since at least\r\nOctober 2016. The attackers used compromised websites or “watering holes” to infect pre-selected targets with\r\npreviously unknown malware. There has been no evidence found yet that funds have been stolen from any\r\ninfected banks.\r\nThe attacks came to light when a bank in Poland discovered previously unknown malware running on a number of\r\nits computers. The bank then shared indicators of compromise (IOCs) with other institutions and a number of\r\nother institutions confirmed that they too had been compromised.\r\nAs reported, the source of the attack appears to have been the website of the Polish financial regulator. The\r\nattackers compromised the website to redirect visitors to an exploit kit which attempted to install malware on\r\nselected targets.\r\nSymantec has blocked attempts to infect customers in Poland, Mexico and Uruguay by the same exploit kit that\r\ninfected the Polish banks. Since October, 14 attacks against computers in Mexico were blocked, 11 against\r\ncomputers in Uruguay, and two against computers in Poland.\r\nCustom exploit kit\r\nThe attackers appear to be using compromised websites to redirect visitors to a customized exploit kit, which\r\nis preconfigured to only infect visitors from approximately 150 different IP addresses. These IP addresses belong\r\nto 104 different organizations located in 31 different countries. The vast majority of these organizations are banks,\r\nwith a small number of telecoms and internet firms also on the list.\r\nFigure 1. 
Countries in which three or more organizations were targeted by attackers\r\nhttps://community.broadcom.com/symantecenterprise/viewdocument/attackers-target-dozens-of-global-b\r\nPage 1 of 4\n\nLinks to Lazarus?\r\nThe malware used in the attacks (Downloader.Ratankba) was previously unidentified, although it was detected by\r\nSymantec under generic detection signatures, which are designed to block any files seen to engage in malicious\r\nactivities.\r\nAnalysis of the malware is still underway. Some code strings seen in the malware share commonalities with\r\ncode from malware used by the threat group known as Lazarus.\r\nRatankba was observed contacting eye-watch[.]in for command and control (C\u0026C) communications.\r\nRatankba was then observed downloading a Hacktool. This Hacktool shows distinctive characteristics shared with\r\nmalware previously associated with Lazarus.\r\nFigure 2. Code strings seen in sample of Hacktool used in recent attacks\r\nFigure 3. Code strings seen in sample of Hacktool previously associated with Lazarus\r\nLazarus has been linked to a string of aggressive attacks since 2009, largely focused on targets in the US and\r\nSouth Korea. Lazarus has been involved in high-level financial attacks before, and some of the tools used in the\r\nBangladesh bank heist shared code similarities with malware used in historic attacks linked to the group.\r\nFurther investigation of these attacks is underway and, over time, more evidence may emerge about the identity\r\nand motives of the attackers. 
After a series of high-profile attacks on banks during 2016, this latest incident\r\nprovides a timely reminder of the growing range of threats facing financial institutions.\r\nUPDATE – March 15, 2017:\r\nFurther investigation by Symantec into the recent attacks against banks in Poland has uncovered additional links\r\nto the threat group known as Lazarus. At the time of our original blog, Symantec had found one link: code strings\r\nseen in a Hacktool used in the Polish bank attacks shared distinctive characteristics with malware previously\r\nassociated with Lazarus.\r\nThe number of tentative links Symantec has established has since broadened from one to four. One piece of\r\nmalware (MD5:91b2558f5319960c85522dc8e372a2b9) found on a computer at one of the Polish targets has been\r\npreviously used and attributed to the Lazarus group. The previously mentioned Lazarus-linked Hacktool was also\r\nfound on the same computer at the Polish target.\r\nIn addition to this, a sample of Downloader.Ratankba (MD5:cb52c013f7af0219d45953bae663c9a2), which has\r\nonly been seen in the 2017 Polish bank attacks, was submitted by a Symantec customer for analysis along with a\r\nsample of Backdoor.Destover, the disk-wiping malware linked to Lazarus and used in the Sony Pictures attacks.\r\nA fourth link is the unique trait \"del /a %1\", which was found in Downloader.Ratankba. It was also identified in\r\nmultiple malware families linked to Lazarus including Backdoor.Joanap and Backdoor.Destover.\r\nAs a result of these findings, Symantec has upgraded its assessment of a Lazarus link. 
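Added example (not code from the Symantec post): a small Python IOC sweep that turns the indicators this post publishes into three offline checks: hashing a file against the MD5/SHA256 values in the IOCs section, looking for the del /a %1 string trait described in the update, and matching proxy-log destination hosts against the refanged C2 domains. The hashes and domains are the post's own; the log layout, the sample bytes and the sample log lines are constructed for the example and are not real samples or logs.

```python
# Added example (not from the Symantec post): an offline IOC sweep built from the
# indicators the post publishes. Hashes and domains are copied from the post;
# the log layout and the sample data at the bottom are constructed.
import hashlib

# Hash -> family, from the IOC section (MD5 and SHA256 entries both included).
KNOWN_HASHES = {
    '1f7897b041a812f96f1925138ea38c46': 'Downloader.Ratankba',
    '911de8d67af652a87415f8c0a30688b2': 'Downloader.Ratankba',
    '1507e7a741367745425e0530e23768e6': 'Downloader.Ratankba',
    'cb52c013f7af0219d45953bae663c9a2': 'Downloader.Ratankba',
    '18a451d70f96a1335623b385f0993bcc': 'Downloader.Ratankba',
    '99017270f0af0e499cfeb19409020bfa0c2de741e5b32b9f6a01c34fe13fda7d': 'Downloader.Ratankba',
    '825624d8a93c88a811262bd32cc51e19538c5d65f6f9137e30e72c5de4f044cc': 'Downloader.Ratankba',
    '200c0f4600e54007cb4707c9727b1171f56c17c80c16c53966535c57ab684e22': 'Downloader.Ratankba',
    '95c8ffe03547bcb0afd4d025fb14908f5230c6dc6fdd16686609681c7f40aca2': 'Downloader.Ratankba',
    '7c77ec259162872bf9ab18f6754e0e844157b31b32b4a746484f444b9f9a3836': 'Downloader.Ratankba',
    '3af4e21bbbeb846ca295143e03ec0054': 'Hacktool',
    'efa57ca7aa5f42578ab83c9d510393fcf4e981a3eb422197973c65b7415863e7': 'Hacktool',
    '7fe80cee04003fed91c02e3a372f4b01': 'Backdoor.Destover',
    '4fe3c853ab237005f7d62324535dd641e1e095d1615a416a9b39e042f136cf6b': 'Backdoor.Destover',
    # MD5 named in the March 15 update as previously attributed to Lazarus.
    '91b2558f5319960c85522dc8e372a2b9': 'Lazarus-attributed (March 15 update)',
}

# C2 hostnames, defanged exactly as the post prints them.
C2_DOMAINS_DEFANGED = ['eye-watch[.]in', 'sap.misapor[.]ch']

# The string the update reports in Ratankba, Joanap and Destover.
RATANKBA_TRAIT = b'del /a %1'


def refang(ioc):
    # Published indicators use [.] so they are not clickable; restore the dot.
    return ioc.replace('[.]', '.')


def file_hashes(data):
    return {'md5': hashlib.md5(data).hexdigest(),
            'sha256': hashlib.sha256(data).hexdigest()}


def sweep_file(data, known=KNOWN_HASHES):
    # family: the IOC family a hash hit maps to, or None when no hash matches.
    # trait: True when the del /a %1 string is present. This is weaker evidence
    # than a hash hit: it survives recompilation, but can occur in unrelated code.
    hashes = file_hashes(data)
    family = known.get(hashes['md5']) or known.get(hashes['sha256'])
    return {'md5': hashes['md5'], 'sha256': hashes['sha256'],
            'family': family, 'trait': RATANKBA_TRAIT in data}


def matched_c2(host, domains=C2_DOMAINS_DEFANGED):
    # Returns the listed C2 domain that host equals or is a subdomain of, else
    # None. A host that merely contains the string (misapor.ch.example.net)
    # must not match, which is why a plain substring test is avoided.
    host = host.lower().rstrip('.')
    for d in domains:
        d = refang(d).lower()
        if host == d or host.endswith('.' + d):
            return d
    return None


def scan_proxy_log(text, domains=C2_DOMAINS_DEFANGED):
    # Assumed (hypothetical) log layout: timestamp client_ip dest_host path
    hits = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 3:
            continue
        m = matched_c2(parts[2], domains)
        if m is not None:
            hits.append((parts[1], m))
    return hits


# Constructed sample data for the example; not real samples or real logs.
SAMPLE_DROPPER = b'MZ' + bytes(62) + b'cmd.exe /c del /a %1' + bytes(16)
SAMPLE_PROXY_LOG = (
    '2017-02-03T10:12:01Z 10.1.4.22 www.example.org /index.html' + chr(10) +
    '2017-02-03T10:12:07Z 10.1.4.22 eye-watch.in /bot/update' + chr(10) +
    '2017-02-03T10:13:40Z 10.1.9.5 SAP.misapor.ch. /cgi/report' + chr(10) +
    '2017-02-03T10:14:02Z 10.1.9.5 misapor.ch.example.net /'
)

if __name__ == '__main__':
    print(sweep_file(SAMPLE_DROPPER))
    print(scan_proxy_log(SAMPLE_PROXY_LOG))
```

Run stand-alone, the block reports that the constructed blob carries the trait but matches no published hash (family None), and that two of the four log lines reached a listed C2 domain; the third line matches despite its trailing dot and mixed case, and the fourth does not because the C2 name is only a substring of its host. Treat a trait-only hit as a lead for further triage rather than a conviction, since the post presents the string as one of four tentative links, not as a signature.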
The crossover in tools used\r\nleads us to believe there is a reasonable possibility that the Polish bank attacks were the work of attackers linked\r\nto Lazarus.\r\nProtection\r\nSymantec and Norton products protect against these attacks with the following detections:\r\nDownloader.Ratankba\r\nWeb Attack: SunDown Exploit Kit Website 5\r\nBackdoor.Destover\r\nIOCs\r\nThe following are indicators of compromise related to these attacks.\r\nCommand and control infrastructure\r\neye-watch[.]in\r\nsap.misapor[.]ch\r\nDownloader.Ratankba\r\nMD5\r\n1f7897b041a812f96f1925138ea38c46\r\n911de8d67af652a87415f8c0a30688b2\r\n1507e7a741367745425e0530e23768e6\r\ncb52c013f7af0219d45953bae663c9a2\r\n18a451d70f96a1335623b385f0993bcc\r\nSHA256\r\n99017270f0af0e499cfeb19409020bfa0c2de741e5b32b9f6a01c34fe13fda7d\r\n825624d8a93c88a811262bd32cc51e19538c5d65f6f9137e30e72c5de4f044cc\r\n200c0f4600e54007cb4707c9727b1171f56c17c80c16c53966535c57ab684e22\r\n95c8ffe03547bcb0afd4d025fb14908f5230c6dc6fdd16686609681c7f40aca2\r\n7c77ec259162872bf9ab18f6754e0e844157b31b32b4a746484f444b9f9a3836\r\nHacktool\r\nMD5\r\n3af4e21bbbeb846ca295143e03ec0054\r\nSHA256\r\nefa57ca7aa5f42578ab83c9d510393fcf4e981a3eb422197973c65b7415863e7\r\nBackdoor.Destover\r\nMD5\r\n7fe80cee04003fed91c02e3a372f4b01\r\nSHA256\r\n4fe3c853ab237005f7d62324535dd641e1e095d1615a416a9b39e042f136cf6b\r\nSource: https://community.broadcom.com/symantecenterprise/viewdocument/attackers-target-dozens-of-global-b",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://community.broadcom.com/symantecenterprise/viewdocument/attackers-target-dozens-of-global-b"
	],
	"report_names": [
		"attackers-target-dozens-of-global-b"
	],
	"threat_actors": [
		{
			"id": "34eea331-d052-4096-ae03-a22f1d090bd4",
			"created_at": "2025-08-07T02:03:25.073494Z",
			"updated_at": "2026-04-10T02:00:03.709243Z",
			"deleted_at": null,
			"main_name": "NICKEL ACADEMY",
			"aliases": [
				"ATK3 ",
				"Black Artemis ",
				"COVELLITE ",
				"CTG-2460 ",
				"Citrine Sleet ",
				"Diamond Sleet ",
				"Guardians of Peace",
				"HIDDEN COBRA ",
				"High Anonymous",
				"Labyrinth Chollima ",
				"Lazarus Group ",
				"NNPT Group",
				"New Romanic Cyber Army Team",
				"Temp.Hermit ",
				"UNC577 ",
				"Who Am I?",
				"Whois Team",
				"ZINC "
			],
			"source_name": "Secureworks:NICKEL ACADEMY",
			"tools": [
				"Destover",
				"KorHigh",
				"Volgmer"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "732597b1-40a8-474c-88cc-eb8a421c29f1",
			"created_at": "2025-08-07T02:03:25.087732Z",
			"updated_at": "2026-04-10T02:00:03.776007Z",
			"deleted_at": null,
			"main_name": "NICKEL GLADSTONE",
			"aliases": [
				"APT38 ",
				"ATK 117 ",
				"Alluring Pisces ",
				"Black Alicanto ",
				"Bluenoroff ",
				"CTG-6459 ",
				"Citrine Sleet ",
				"HIDDEN COBRA ",
				"Lazarus Group",
				"Sapphire Sleet ",
				"Selective Pisces ",
				"Stardust Chollima ",
				"T-APT-15 ",
				"TA444 ",
				"TAG-71 "
			],
			"source_name": "Secureworks:NICKEL GLADSTONE",
			"tools": [
				"AlphaNC",
				"Bankshot",
				"CCGC_Proxy",
				"Ratankba",
				"RustBucket",
				"SUGARLOADER",
				"SwiftLoader",
				"Wcry"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "a2b92056-9378-4749-926b-7e10c4500dac",
			"created_at": "2023-01-06T13:46:38.430595Z",
			"updated_at": "2026-04-10T02:00:02.971571Z",
			"deleted_at": null,
			"main_name": "Lazarus Group",
			"aliases": [
				"Operation DarkSeoul",
				"Bureau 121",
				"Group 77",
				"APT38",
				"NICKEL GLADSTONE",
				"G0082",
				"COPERNICIUM",
				"Moonstone Sleet",
				"Operation GhostSecret",
				"APT 38",
				"Appleworm",
				"Unit 121",
				"ATK3",
				"G0032",
				"ATK117",
				"NewRomanic Cyber Army Team",
				"Nickel Academy",
				"Sapphire Sleet",
				"Lazarus group",
				"Hastati Group",
				"Subgroup: Bluenoroff",
				"Operation Troy",
				"Black Artemis",
				"Dark Seoul",
				"Andariel",
				"Labyrinth Chollima",
				"Operation AppleJeus",
				"COVELLITE",
				"Citrine Sleet",
				"DEV-0139",
				"DEV-1222",
				"Hidden Cobra",
				"Bluenoroff",
				"Stardust Chollima",
				"Whois Hacking Team",
				"Diamond Sleet",
				"TA404",
				"BeagleBoyz",
				"APT-C-26"
			],
			"source_name": "MISPGALAXY:Lazarus Group",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "32a223a8-3c79-4146-87c5-8557d38662ae",
			"created_at": "2022-10-25T15:50:23.703698Z",
			"updated_at": "2026-04-10T02:00:05.261989Z",
			"deleted_at": null,
			"main_name": "Lazarus Group",
			"aliases": [
				"Lazarus Group",
				"Labyrinth Chollima",
				"HIDDEN COBRA",
				"Guardians of Peace",
				"NICKEL ACADEMY",
				"Diamond Sleet"
			],
			"source_name": "MITRE:Lazarus Group",
			"tools": [
				"RawDisk",
				"Proxysvc",
				"BADCALL",
				"FALLCHILL",
				"WannaCry",
				"MagicRAT",
				"HOPLIGHT",
				"TYPEFRAME",
				"Dtrack",
				"HotCroissant",
				"HARDRAIN",
				"Dacls",
				"KEYMARBLE",
				"TAINTEDSCRIBE",
				"AuditCred",
				"netsh",
				"ECCENTRICBANDWAGON",
				"AppleJeus",
				"BLINDINGCAN",
				"ThreatNeedle",
				"Volgmer",
				"Cryptoistic",
				"RATANKBA",
				"Bankshot"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "f32df445-9fb4-4234-99e0-3561f6498e4e",
			"created_at": "2022-10-25T16:07:23.756373Z",
			"updated_at": "2026-04-10T02:00:04.739611Z",
			"deleted_at": null,
			"main_name": "Lazarus Group",
			"aliases": [
				"APT-C-26",
				"ATK 3",
				"Appleworm",
				"Citrine Sleet",
				"DEV-0139",
				"Diamond Sleet",
				"G0032",
				"Gleaming Pisces",
				"Gods Apostles",
				"Gods Disciples",
				"Group 77",
				"Guardians of Peace",
				"Hastati Group",
				"Hidden Cobra",
				"ITG03",
				"Jade Sleet",
				"Labyrinth Chollima",
				"Lazarus Group",
				"NewRomanic Cyber Army Team",
				"Operation 99",
				"Operation AppleJeus",
				"Operation AppleJeus sequel",
				"Operation Blockbuster: Breach of Sony Pictures Entertainment",
				"Operation CryptoCore",
				"Operation Dream Job",
				"Operation Dream Magic",
				"Operation Flame",
				"Operation GhostSecret",
				"Operation In(ter)caption",
				"Operation LolZarus",
				"Operation Marstech Mayhem",
				"Operation No Pineapple!",
				"Operation North Star",
				"Operation Phantom Circuit",
				"Operation Sharpshooter",
				"Operation SyncHole",
				"Operation Ten Days of Rain / DarkSeoul",
				"Operation Troy",
				"SectorA01",
				"Slow Pisces",
				"TA404",
				"TraderTraitor",
				"UNC2970",
				"UNC4034",
				"UNC4736",
				"UNC4899",
				"UNC577",
				"Whois Hacking Team"
			],
			"source_name": "ETDA:Lazarus Group",
			"tools": [
				"3CX Backdoor",
				"3Rat Client",
				"3proxy",
				"AIRDRY",
				"ARTFULPIE",
				"ATMDtrack",
				"AlphaNC",
				"Alreay",
				"Andaratm",
				"AngryRebel",
				"AppleJeus",
				"Aryan",
				"AuditCred",
				"BADCALL",
				"BISTROMATH",
				"BLINDINGCAN",
				"BTC Changer",
				"BUFFETLINE",
				"BanSwift",
				"Bankshot",
				"Bitrep",
				"Bitsran",
				"BlindToad",
				"Bookcode",
				"BootWreck",
				"BottomLoader",
				"Brambul",
				"BravoNC",
				"Breut",
				"COLDCAT",
				"COPPERHEDGE",
				"CROWDEDFLOUNDER",
				"Castov",
				"CheeseTray",
				"CleanToad",
				"ClientTraficForwarder",
				"CollectionRAT",
				"Concealment Troy",
				"Contopee",
				"CookieTime",
				"Cyruslish",
				"DAVESHELL",
				"DBLL Dropper",
				"DLRAT",
				"DRATzarus",
				"DRATzarus RAT",
				"Dacls",
				"Dacls RAT",
				"DarkComet",
				"DarkKomet",
				"DeltaCharlie",
				"DeltaNC",
				"Dembr",
				"Destover",
				"DoublePulsar",
				"Dozer",
				"Dtrack",
				"Duuzer",
				"DyePack",
				"ECCENTRICBANDWAGON",
				"ELECTRICFISH",
				"Escad",
				"EternalBlue",
				"FALLCHILL",
				"FYNLOS",
				"FallChill RAT",
				"Farfli",
				"Fimlis",
				"FoggyBrass",
				"FudModule",
				"Fynloski",
				"Gh0st RAT",
				"Ghost RAT",
				"Gopuram",
				"HARDRAIN",
				"HIDDEN COBRA RAT/Worm",
				"HLOADER",
				"HOOKSHOT",
				"HOPLIGHT",
				"HOTCROISSANT",
				"HOTWAX",
				"HTTP Troy",
				"Hawup",
				"Hawup RAT",
				"Hermes",
				"HotCroissant",
				"HotelAlfa",
				"Hotwax",
				"HtDnDownLoader",
				"Http Dr0pper",
				"ICONICSTEALER",
				"Joanap",
				"Jokra",
				"KANDYKORN",
				"KEYMARBLE",
				"Kaos",
				"KillDisk",
				"KillMBR",
				"Koredos",
				"Krademok",
				"LIGHTSHIFT",
				"LIGHTSHOW",
				"LOLBAS",
				"LOLBins",
				"Lazarus",
				"LightlessCan",
				"Living off the Land",
				"MATA",
				"MBRkiller",
				"MagicRAT",
				"Manuscrypt",
				"Mimail",
				"Mimikatz",
				"Moudour",
				"Mydoom",
				"Mydoor",
				"Mytob",
				"NACHOCHEESE",
				"NachoCheese",
				"NestEgg",
				"NickelLoader",
				"NineRAT",
				"Novarg",
				"NukeSped",
				"OpBlockBuster",
				"PCRat",
				"PEBBLEDASH",
				"PLANKWALK",
				"POOLRAT",
				"PSLogger",
				"PhanDoor",
				"Plink",
				"PondRAT",
				"PowerBrace",
				"PowerRatankba",
				"PowerShell RAT",
				"PowerSpritz",
				"PowerTask",
				"Preft",
				"ProcDump",
				"Proxysvc",
				"PuTTY Link",
				"QUICKRIDE",
				"QUICKRIDE.POWER",
				"Quickcafe",
				"QuiteRAT",
				"R-C1",
				"ROptimizer",
				"Ratabanka",
				"RatabankaPOS",
				"Ratankba",
				"RatankbaPOS",
				"RawDisk",
				"RedShawl",
				"Rifdoor",
				"Rising Sun",
				"Romeo-CoreOne",
				"RomeoAlfa",
				"RomeoBravo",
				"RomeoCharlie",
				"RomeoCore",
				"RomeoDelta",
				"RomeoEcho",
				"RomeoFoxtrot",
				"RomeoGolf",
				"RomeoHotel",
				"RomeoMike",
				"RomeoNovember",
				"RomeoWhiskey",
				"Romeos",
				"RustBucket",
				"SHADYCAT",
				"SHARPKNOT",
				"SIGFLIP",
				"SIMPLESEA",
				"SLICKSHOES",
				"SORRYBRUTE",
				"SUDDENICON",
				"SUGARLOADER",
				"SheepRAT",
				"SierraAlfa",
				"SierraBravo",
				"SierraCharlie",
				"SierraJuliett-MikeOne",
				"SierraJuliett-MikeTwo",
				"SimpleTea",
				"SimplexTea",
				"SmallTiger",
				"Stunnel",
				"TAINTEDSCRIBE",
				"TAXHAUL",
				"TFlower",
				"TOUCHKEY",
				"TOUCHMOVE",
				"TOUCHSHIFT",
				"TOUCHSHOT",
				"TWOPENCE",
				"TYPEFRAME",
				"Tdrop",
				"Tdrop2",
				"ThreatNeedle",
				"Tiger RAT",
				"TigerRAT",
				"Trojan Manuscript",
				"Troy",
				"TroyRAT",
				"VEILEDSIGNAL",
				"VHD",
				"VHD Ransomware",
				"VIVACIOUSGIFT",
				"VSingle",
				"ValeforBeta",
				"Volgmer",
				"Vyveva",
				"W1_RAT",
				"Wana Decrypt0r",
				"WanaCry",
				"WanaCrypt",
				"WanaCrypt0r",
				"WannaCry",
				"WannaCrypt",
				"WannaCryptor",
				"WbBot",
				"Wcry",
				"Win32/KillDisk.NBB",
				"Win32/KillDisk.NBC",
				"Win32/KillDisk.NBD",
				"Win32/KillDisk.NBH",
				"Win32/KillDisk.NBI",
				"WinorDLL64",
				"Winsec",
				"WolfRAT",
				"Wormhole",
				"YamaBot",
				"Yort",
				"ZetaNile",
				"concealment_troy",
				"http_troy",
				"httpdr0pper",
				"httpdropper",
				"klovbot",
				"sRDI"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434123,
	"ts_updated_at": 1775792299,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/ae03bac4dbaa1a8c2b95f6b1df7e535751cd2a53.pdf",
		"text": "https://archive.orkl.eu/ae03bac4dbaa1a8c2b95f6b1df7e535751cd2a53.txt",
		"img": "https://archive.orkl.eu/ae03bac4dbaa1a8c2b95f6b1df7e535751cd2a53.jpg"
	}
}