{
	"id": "d9c93a37-ff9d-4d4b-8f64-f3804b5ca52a",
	"created_at": "2026-04-06T00:13:22.864348Z",
	"updated_at": "2026-04-10T13:12:09.271163Z",
	"deleted_at": null,
	"sha1_hash": "b43b5ad7d10249205af77c7c1cf829b75a5e9c15",
	"title": "Lazarus supply-chain attack in South Korea",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 932097,
	"plain_text": "Lazarus supply-chain attack in South Korea\r\nBy Anton Cherepanov and Peter Kálnai\r\nArchived: 2026-04-05 13:51:24 UTC\r\nESET telemetry data recently led our researchers to discover attempts to deploy Lazarus malware via a supply-chain attack in South Korea. In order to deliver its malware, the attackers used an unusual supply-chain mechanism, abusing legitimate South Korean security software and digital certificates stolen from two different companies.\r\nThe Lazarus group was first identified in Novetta’s report Operation Blockbuster in February 2016; US-CERT and the FBI call this group HIDDEN COBRA. These cybercriminals rose to prominence with the infamous case of cybersabotage against Sony Pictures Entertainment.\r\nSome of the past attacks attributed to the Lazarus group attracted the interest of security researchers who relied on Novetta et al.’s white papers, with hundreds of pages describing the tools used in the attacks – the Polish and Mexican banks, the WannaCryptor outbreak, phishing campaigns against US defense contractors, the Lazarus KillDisk attack against a Central American casino, etc. – which provide grounds for the attribution of these attacks to the Lazarus group.\r\nNote that the Lazarus toolset (i.e., the collection of all files that are considered by the security industry as fingerprints of the group’s activity) is extremely broad, and we believe there are numerous subgroups. 
Unlike toolsets used by some other cybercriminal groups, none of the source code of any Lazarus tools has ever been disclosed in a public leak.\r\nLatest Lazarus supply-chain attack\r\nTo understand this novel supply-chain attack, you should be aware that South Korean internet users are often asked to install additional security software when visiting government or internet banking websites.\r\nWIZVERA VeraPort, referred to as an integration installation program, is a South Korean application that helps manage such additional security software. With WIZVERA VeraPort installed on their devices, users receive and install all necessary software required by a specific website with VeraPort (e.g., browser plug-ins, security software, identity verification software, etc.). Minimal user interaction is required to start such a software installation from a website that supports WIZVERA VeraPort. Usually, this software is used by government and banking websites in South Korea. For some of these websites it is mandatory to have WIZVERA VeraPort installed for users to be able to access the sites’ services.\r\nhttps://www.welivesecurity.com/2020/11/16/lazarus-supply-chain-attack-south-korea/\r\nPage 1 of 15\n\nFigure 1. A WIZVERA VeraPort window displayed to the user when installing additional software\r\nThe Lazarus attackers abused the above-mentioned mechanism of installing security software in order to deliver Lazarus malware from a legitimate but compromised website. However, it should be noted that a successful malware deployment using this method requires a number of preconditions; that’s why it was used in limited Lazarus campaigns. 
To make this attack possible:\r\nthe victim must have WIZVERA VeraPort software installed\r\nthe victim must visit a compromised website that already has support for WIZVERA VeraPort\r\nthis website must have specific entries in its VeraPort configuration file that allow attackers to replace regular software in its VeraPort software bundle with their malware.\r\nIt is important to note that, based on our analysis, we believe that these supply-chain attacks happen at websites that use WIZVERA VeraPort, rather than at WIZVERA itself.\r\nWebsites that support WIZVERA VeraPort software contain a server-side component, specifically some JavaScripts and a WIZVERA configuration file. The configuration file is base64-encoded XML containing the website address, a list of software to install, download URLs, and other parameters.\r\nFigure 2. An example of a WIZVERA VeraPort configuration (redacted by ESET)\r\nThese configuration files are digitally signed by WIZVERA. Once downloaded, they are verified using a strong cryptographic algorithm (RSA), which is why attackers can’t easily modify the content of these configuration files or set up their own fake website. However, the attackers can replace the software to be delivered to WIZVERA VeraPort users from a legitimate but compromised website. We believe this is the scenario the Lazarus attackers used.\r\nFigure 3. Simplified scheme of the WIZVERA supply-chain attack conducted by the Lazarus group\r\nIt should be noted that WIZVERA VeraPort configurations contain an option to verify the digital signature of downloaded binaries before they are executed, and in most cases this option is enabled by default. However, VeraPort only verifies that the digital signature is valid, without checking to whom it belongs. 
Thus, to abuse WIZVERA VeraPort, attackers must have any valid code-signing certificate in order to push their payload via this method, or get lucky and find a VeraPort configuration that does not require code-signing verification.\r\nSo far, we have observed two malware samples that were delivered using this supply-chain attack and both were signed:\r\nSHA-1 | Filename | Digital signature\r\n3D311117D09F4A6AD300E471C2FB2B3C63344B1D | Delfino.exe | ALEXIS SECURITY GROUP, LLC\r\n3ABFEC6FC3445759730789D4322B0BE73DC695C7 | MagicLineNPIZ.exe | DREAM SECURITY USA INC\r\nThe attackers used illegally obtained code-signing certificates in order to sign the malware samples. Interestingly, one of these certificates was issued to the US branch of a South Korean security company.\r\nFigure 4. The ALEXIS SECURITY GROUP, LLC code-signing certificate used to sign Lazarus malware\r\nFigure 5. The DREAM SECURITY USA INC code-signing certificate used to sign Lazarus malware\r\nThe attackers camouflaged the Lazarus malware samples as legitimate software. These samples have similar filenames, icons and VERSIONINFO resources as legitimate South Korean software often delivered via WIZVERA VeraPort. Binaries that are downloaded and executed via the WIZVERA VeraPort mechanism are stored in %Temp%\\[12_RANDOM_DIGITS]\\.\r\nIt should be noted that WIZVERA VeraPort’s configuration has an option not only to verify digital signatures, but also to verify the hash of downloaded binaries. If this option is enabled, then such an attack cannot be performed so easily, even if the website with WIZVERA VeraPort is compromised.\r\nAttribution\r\nWe strongly attribute this supply-chain attack to the Lazarus group, based on the following aspects:\r\n1. 
Community agreement: The current attack is a continuation of what KrCERT has called Operation Bookcodes. While KrCERT hasn’t attributed that campaign to the Lazarus group, Kaspersky did in their report about Q2 2020 APT trends.\r\n2. Toolset characteristics and detection:\r\n1. The initial dropper is a console application that requires parameters, executing the next stages in a cascade and utilizing encryption, cf. the watering hole attacks against Polish and Mexican banks\r\n2. The final payload is a RAT module, with TCP communications and its commands indexed by 32-bit integers, cf. KillDisk in Central America\r\n3. Many tools delivered via this chain are already flagged as NukeSped by ESET software. For example, the signed Downloader in the Analysis section is based on a project called WinHttpClient and it leads to the similar tool with hash 1EA7481878F0D9053CCD81B4589CECAEFC306CF2, which we link with a sample from Operation Blockbuster (CB818BE1FCE5393A83FBFCB3B6F4AC5A3B5B8A4B). The connection between the latter two is the dynamic resolution of Windows APIs where the names are XOR-encrypted by 0x23, e.g., dFWwLHFMjMELQNBWJLM is the encoding of GetTokenInformation.\r\n3. Victimology: the Lazarus group has a long history of attacks against victims in South Korea like Operation Troy, including the DDoS attacks Ten Days of Rain in 2011, the South Korean cyberattacks in 2013, or South Korean cryptocurrency exchanges targeted in 2017.\r\n4. Network infrastructure: the server-side techniques of webshells and the organization of C\u0026Cs are covered very precisely in KrCERT’s white paper #2. The current campaign uses a very similar setup as well.\r\n5. Eccentric approach:\r\n1. In intrusion methods: The unusual method of infiltration is a clue that could be attributed to a sophisticated and professionally organized actor like Lazarus. 
In the past, we saw how a vulnerability in software existing only in specific networks was leveraged by this group, something not seen with any other APT actor. For example, the case of “A Strange Coinminer” delivered through the ManageEngine Desktop Central software.\r\n2. In encryption methods: We saw a Spritz variant of RC4 in the watering hole attacks against Polish and Mexican banks; later Lazarus used a modified RC4 in Operation In(ter)ception. In this campaign, it is a modified A5/1 stream cipher that degrades to a single-byte XOR in many cases.\r\nMalware analysis\r\nIt is a common characteristic of many APT groups, especially Lazarus, that they unleash their arsenal within several stages that execute as a cascade: from the dropper to intermediate products (the Loader, serving as an injector) up to the final payloads (the Downloader, the Module). The same is true for this campaign.\r\nDuring our analysis we found similarities in code and architecture between Lazarus malware delivered via this WIZVERA supply-chain attack and the malware described in the Operation BookCodes report (part one, part two) published by Korea Internet \u0026 Security Agency this year.\r\nComparison with Operation BookCodes\r\nTable 1. 
Common characteristics between two Lazarus operations\r\nParameter | Operation BookCodes | Via WIZVERA VeraPort\r\nLocation of targets | South Korea | South Korea\r\nTime | Q1-Q2 2020 | Q2-Q3 2020\r\nMethods of compromise | Korean spearphishing email (link to download or HWP attachment); watering hole website | Supply-chain attack\r\nFilename of the dropper | C:\\Windows\\SoftwareDistribution\\Download\\BIT[4-5digits].tmp | C:\\Windows\\SoftwareDistribution\\Download\\BIT388293.\r\nBinary configuration file | perf91nc.inf (12000 bytes) | assocnet.inf (8348 bytes)\r\nLoader name | nwsapagentmonsvc.dll; iasregmonsvc.dll | Btserv.dll\r\nRC4 key | 1qaz2wsx3edc4rfv5tgb$%^\u0026*!@#$ | 1q2w3e4r!@#$%^\u0026*\r\nLog file | %Temp%\\services_dll.log | %Temp%\\server_dll.log\r\nSigned initial downloader\r\nThis is the Lazarus component delivered via the VeraPort hijack described earlier. The signed initial downloaders are Themida-protected binaries, which download, decrypt and execute other payloads in memory, without dropping them to the disk. This downloader sends an HTTP POST request to a hardcoded C\u0026C server, decrypts the server’s answer using the RC4 algorithm, and executes it in memory using its own loader for PE files.\r\nFigure 6. The POST request made by the initial downloader\r\nInterestingly, both discovered samples send a small, hardcoded ID in the body of the POST request: MagicLineNPIZ.gif or delfino.gif.\r\nFigure 7. Scheme of the initial compromise\r\nDropper\r\nThis is the initial stage of the cascade. While one can’t see any polymorphism or obfuscation in the code, it encapsulates three encrypted files in its resources. 
Moreover, it’s a console application expecting three parameters in an encrypted state: the name of the first file (the Loader, Btserv.dll), the name of the second file (the Downloader, bcyp655.tlb), and the necessary decryption key for the previous values (542).\r\nBIT388293.tmp oJaRh5CUzIaOjg== aGlzejw/PyR+Zmg= 542\r\nThe extraction of resources is one of two main roles of the dropper; it does so in the %WINDOWS%\\SYSTEM32 folder, decrypting the Loader and preserving the encrypted state of the Downloader that will be decrypted just before being injected into another process. It also drops the configuration file assocnet.inf that will later be leveraged by the final payloads, namely the Downloader and the Module. Then it chooses a service by checking the following list of three legitimate service names Winmgmt;ProfSvc;wmiApSrv; and injects the Downloader into the matched service using reflective DLL injection. The file name of the Loader is stored in the following Windows registry value:\r\nHKLM\\SYSTEM\\CurrentControlSet\\Control\\Lsa\\Security Packages\r\nFigure 8. The decompiled code of the dropper\r\nLoader\r\nThis component is a Themida-protected file. We estimate the version of Themida to be 2.0-2.5, which agrees with KrCERT’s report (page 20). The Loader serves as a simple injector that looks for its injection parameters in the resources: the name of the encrypted file and the decryption key, which is the string “542”. The instance delivered by the dropper looks for the file bcyp655.tlb (the Downloader). It creates a mutex Global\\RRfreshRA_Mutex_Object. The choice of the targeted service and the injection method are the same as in the dropper.\r\nLet us talk for a while about the encryption method used by the dropper and by this loader. 
The common key is the string “542”, which is initially provided as a command-line parameter to the Dropper and subsequently as a 3-byte encrypted resource for the Loader. To expand a short master key to a larger expanded key (so-called key scheduling), the MD5 hash of the string is computed, which is 7DCD340D84F762EBA80AA538B0C527F7. Then it takes the first three double words; let's denote them A := 0x7DCD340D, B := 0x84F762EB, C := 0xA80AA538. The length of an encrypted buffer is divided by 3, and this is the number of iterations that transforms the initial sequence (A,B,C) into the proper key. In every iteration (X,Y,Z) becomes (X^Y, Y^Z, X^Y^Z). Because the XOR operation (denoted ^) is commutative and associative, and any value XORed with itself is zero, which leaves everything unchanged, we can compute that after 8 iterations we get the identity, so the key could reach just 7 pairwise different states and is equal to the first 12 characters of the MD5 hash of \"542\" if the length is a multiple of 24.\r\nWhat is interesting is how the remainder of the length division by 3 is treated. If the number of iterations was increased by this remainder, then we would reach just another of the 7 states of the key. However, the twist is in the change of operation: ^ is replaced with the OR operation in the code for the remainder. For example, the key with the remainder 1 becomes {FE F7 3A F9 F7 D7 FF FD FF F7 FF FD} for one of the states (of (C, A^B, B^C) to be precise), so we get new possible transformations of the key that tend to be more likely to be ones than zeroes.\r\nThat was the part preparing the key. The encryption algorithm itself looks like A5/1 at first glance. It was a secret technology developed in 1987 and used in over-the-air communication privacy in the GSM cellular telephone standard until reverse-engineered in 1999. 
The crucial part of the algorithm is three linear feedback shift registers (LFSRs). However, only the lengths of the LFSRs in the malware code coincide with the official implementation, not the constants.\r\nTable 2. Comparison of crypto algorithms between malware and the official implementation\r\nLFSR | Malware code | Official A5/1\r\n1 | Length: 19; Constants: 13, 16, 17, 18 | Length: 19; Constants: 13, 16, 17, 18\r\n2 | Length: 22; Constants: 12, 16, 20, 21 | Length: 22; Constants: 20, 21\r\n3 | Length: 23; Constants: 17, 18, 21, 22 | Length: 23; Constants: 7, 20, 21, 22\r\nThe decryption loop in each iteration basically derives a 1-byte XOR key for the corresponding byte of the encrypted buffer. The purpose of the LFSRs is that they could transform the key, so the whole process is much more complicated. But due to the mentioned change of the operation, the LFSRs would not affect it and the 1-byte XOR key remains the same for all iterations.\r\nDownloader, aka WinHttpClient\r\nThe main downloader is dropped by the Dropper component under the bcyp655.tlb name and injected into one of the services by the Loader. Its main purpose is to deliver additional stages onto the victim’s computers. The network protocol is based on HTTP but requires several stages to establish a trusted connection.\r\nThe malware fingerprints the victim’s system: see Figure 9.\r\nFigure 9. The length of the buffer is 0x114 and contains campaign ID, local IP address, Windows version, processor version (cf. KrCERT page 59, Figure [4-17])\r\nThe first step is authorization. After sending randomly generated, generic parameters code and id, the expected response starts with \u003c!DOCTYPE HTML PUBLIC Authentication En\u003e followed by additional data delimited by a semicolon. However, in the next POST request the parameters are already based on the victim’s IP. 
Because we didn’t know which victims were targeted, during our investigation we always received a “Not Found” reply, not the successful “OK”.\r\nFigure 10. Primary message exchange with C\u0026C having generic parameters code and id\r\nFigure 11. Secondary message exchange with C\u0026C having a specific parameter name\r\nIf the victim passes these introductory messages and the connection is acknowledged, then the decrypted response starts with an interesting artifact: a keyword ohayogonbangwa!!. As a whole, we haven’t found that word on the internet, but the closest meaning could be “Ohayo, Konbangwa” (おはようこんばんぐぁ), which is “Good morning, good evening” in Japanese. From this point, there are more messages that are exchanged, with the final exchange asking for an executable to load into memory.\r\nFigure 12. Japanese artifact in the code\r\nModule, the final RAT payload\r\nThis is a RAT with a set of typical features used by the Lazarus group. The commands include operations on the victim’s filesystem and the download and execution of additional tools from the attacker’s arsenal. They are indexed by 32-bit integers and coincide with those reported by KrCERT on page 61.\r\nFigure 13. Some of the commands supported by Module\r\nConclusion\r\nAttackers are constantly trying to find new ways to deliver malware to target computers. Attackers are particularly interested in supply-chain attacks, because they allow them to covertly deploy malware on many computers at the same time. 
In recent years ESET researchers analyzed such cases as M.E.Doc, Elmedia Player, VestaCP, Statcounter, and the gaming industry. We can safely predict that the number of supply-chain attacks will increase in the future, especially against companies whose services are popular in specific regions or in specific industry verticals.\r\nThis time we analyzed how the Lazarus group used a very interesting approach to target South Korean users of WIZVERA VeraPort software. As mentioned in our analysis, it’s the combination of compromised websites with WIZVERA VeraPort support and specific VeraPort configuration options that allows attackers to perform this attack. Owners of such websites could decrease the possibility of such attacks, even if their sites are compromised, by enabling specific options (e.g. by specifying hashes of binaries in the VeraPort configuration).\r\nSpecial thanks to Dávid Gábriš and Peter Košinár.\r\nFor any inquiries, or to make sample submissions related to the subject, contact us at threatintel@eset.com\r\nIndicators of Compromise (IoCs)\r\nESET detection names\r\nWin32/NukeSped.HW\r\nWin32/NukeSped.FO\r\nWin32/NukeSped.HG\r\nWin32/NukeSped.HI\r\nWin64/NukeSped.CV\r\nWin64/NukeSped.DH\r\nWin64/NukeSped.DI\r\nWin64/NukeSped.DK\r\nWin64/NukeSped.EP\r\nSHA-1 of signed samples\r\n3D311117D09F4A6AD300E471C2FB2B3C63344B1D\r\n3ABFEC6FC3445759730789D4322B0BE73DC695C7\r\nSHA-1 of samples\r\nCode signing certificate serial 
numbers\r\n00B7F19B13DE9BEE8A52FF365CED6F67FA\r\n4C8DEF294478B7D59EE95C61FAE3D965\r\nC\u0026C\r\nMutexes\r\nGlobal\\RRfreshRA_Mutex_Object\r\nReferences\r\nKrCERT/CC: “Operation BookCodes TTPs#1 Controlling local network through vulnerable websites”, English translation, 1st April 2020\r\nKrCERT/CC: “Operation BookCodes TTPs#2 스피어 피싱으로 정보를 수집하는 공격망 구성 방식 분석” (Analysis of the attack-network setup used to collect information through spear phishing), Korean, 29th June 2020\r\nP. Kálnai, M. Poslušný: “Lazarus Group: a mahjong game played in different sets of tiles”, Virus Bulletin 2018 (Montreal)\r\nP. Kálnai: “Demystifying targeted malware used against Polish banks”, WeLiveSecurity, February 2017\r\nP. Kálnai, A. Cherepanov: “Lazarus KillDisks Central American casino”, WeLiveSecurity, April 2018\r\nD. Breitenbacher, K. Osis: “Operation In(ter)ception: Aerospace and military companies in the crosshairs of cyberspies”, June 2020\r\nNovetta et al.: “Operation Blockbuster”, February 2016, https://www.operationblockbuster.com/resources\r\nMarcus Hutchins: “How to accidentally stop a global cyber-attack”, May 2015\r\nKaspersky GReAT: “APT trends report Q2 2020”, July 2020\r\nA. 
Kasza: “The Blockbuster Saga Continues”, Palo Alto Networks, August 2017\r\nUS-CERT CISA, https://us-cert.cisa.gov/northkorea\r\nWeLiveSecurity: “Sony Pictures hacking traced to Thai hotel as North Korea denies involvement”, December 2014\r\nR. Sherstobitoff, I. Liba, J. Walter: “Dissecting Operation Troy: Cyberespionage in South Korea”, McAfee® Labs, May 2018\r\nMcAfee Labs: “Ten Days of Rain”, July 2011\r\nFireEye/Mandiant: “Why Is North Korea So Interested in Bitcoin?”, September 2017\r\nChoe Sang-Hun: “Computer Networks in South Korea Are Paralyzed in Cyberattacks”, March 2013\r\nA5/1 stream cipher, Wikipedia\r\nMITRE ATT\u0026CK techniques\r\nNote: This table was built using version 8 of the MITRE ATT\u0026CK framework.\r\nTactic | ID | Name | Description\r\nResource Development | T1584.004 | Compromise Infrastructure: Server | The Lazarus group uses compromised servers as infrastructure.\r\nResource Development | T1587.001 | Develop Capabilities: Malware | The Lazarus group developed custom malware and malware components.\r\nResource Development | T1588.003 | Obtain Capabilities: Code Signing Certificates | The Lazarus group obtained code-signing certificates.\r\nInitial Access | T1195.002 | Supply Chain Compromise: Compromise Software Supply Chain | The Lazarus group pushed this malware using a supply-chain attack via WIZVERA VeraPort.\r\nExecution | T1106 | Native API | The Lazarus payload is executed using native API calls.\r\nPersistence | T1547.005 | Boot or Logon Autostart Execution: Security Support Provider | The Lazarus malware maintains persistence by installing an SSP DLL.\r\nDefense Evasion | T1036 | Masquerading | The Lazarus malware masqueraded as South Korean security software.\r\nDefense Evasion | T1027.002 | Obfuscated Files or Information: Software Packing | The Lazarus group uses Themida-protected malware.\r\nDefense Evasion | T1055 | Process Injection | The Lazarus malware injects itself in 
svchost.exe.\r\nDefense Evasion | T1553.002 | Subvert Trust Controls: Code Signing | The Lazarus group used illegally obtained code-signing certificates to sign the initial downloader used in this supply-chain attack.\r\nCommand and Control | T1071.001 | Application Layer Protocol: Web Protocols | The Lazarus malware uses HTTP for C\u0026C.\r\nCommand and Control | T1573.001 | Encrypted Channel: Symmetric Cryptography | The Lazarus malware uses the RC4 algorithm to encrypt its C\u0026C communications.\r\nExfiltration | T1041 | Exfiltration Over C2 Channel | The Lazarus malware exfiltrates data over the C\u0026C channel.\r\nSource: https://www.welivesecurity.com/2020/11/16/lazarus-supply-chain-attack-south-korea/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA",
		"MISPGALAXY",
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://www.welivesecurity.com/2020/11/16/lazarus-supply-chain-attack-south-korea/"
	],
	"report_names": [
		"lazarus-supply-chain-attack-south-korea"
	],
	"threat_actors": [
		{
			"id": "34eea331-d052-4096-ae03-a22f1d090bd4",
			"created_at": "2025-08-07T02:03:25.073494Z",
			"updated_at": "2026-04-10T02:00:03.709243Z",
			"deleted_at": null,
			"main_name": "NICKEL ACADEMY",
			"aliases": [
				"ATK3 ",
				"Black Artemis ",
				"COVELLITE ",
				"CTG-2460 ",
				"Citrine Sleet ",
				"Diamond Sleet ",
				"Guardians of Peace",
				"HIDDEN COBRA ",
				"High Anonymous",
				"Labyrinth Chollima ",
				"Lazarus Group ",
				"NNPT Group",
				"New Romanic Cyber Army Team",
				"Temp.Hermit ",
				"UNC577 ",
				"Who Am I?",
				"Whois Team",
				"ZINC "
			],
			"source_name": "Secureworks:NICKEL ACADEMY",
			"tools": [
				"Destover",
				"KorHigh",
				"Volgmer"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "732597b1-40a8-474c-88cc-eb8a421c29f1",
			"created_at": "2025-08-07T02:03:25.087732Z",
			"updated_at": "2026-04-10T02:00:03.776007Z",
			"deleted_at": null,
			"main_name": "NICKEL GLADSTONE",
			"aliases": [
				"APT38 ",
				"ATK 117 ",
				"Alluring Pisces ",
				"Black Alicanto ",
				"Bluenoroff ",
				"CTG-6459 ",
				"Citrine Sleet ",
				"HIDDEN COBRA ",
				"Lazarus Group",
				"Sapphire Sleet ",
				"Selective Pisces ",
				"Stardust Chollima ",
				"T-APT-15 ",
				"TA444 ",
				"TAG-71 "
			],
			"source_name": "Secureworks:NICKEL GLADSTONE",
			"tools": [
				"AlphaNC",
				"Bankshot",
				"CCGC_Proxy",
				"Ratankba",
				"RustBucket",
				"SUGARLOADER",
				"SwiftLoader",
				"Wcry"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "a2b92056-9378-4749-926b-7e10c4500dac",
			"created_at": "2023-01-06T13:46:38.430595Z",
			"updated_at": "2026-04-10T02:00:02.971571Z",
			"deleted_at": null,
			"main_name": "Lazarus Group",
			"aliases": [
				"Operation DarkSeoul",
				"Bureau 121",
				"Group 77",
				"APT38",
				"NICKEL GLADSTONE",
				"G0082",
				"COPERNICIUM",
				"Moonstone Sleet",
				"Operation GhostSecret",
				"APT 38",
				"Appleworm",
				"Unit 121",
				"ATK3",
				"G0032",
				"ATK117",
				"NewRomanic Cyber Army Team",
				"Nickel Academy",
				"Sapphire Sleet",
				"Lazarus group",
				"Hastati Group",
				"Subgroup: Bluenoroff",
				"Operation Troy",
				"Black Artemis",
				"Dark Seoul",
				"Andariel",
				"Labyrinth Chollima",
				"Operation AppleJeus",
				"COVELLITE",
				"Citrine Sleet",
				"DEV-0139",
				"DEV-1222",
				"Hidden Cobra",
				"Bluenoroff",
				"Stardust Chollima",
				"Whois Hacking Team",
				"Diamond Sleet",
				"TA404",
				"BeagleBoyz",
				"APT-C-26"
			],
			"source_name": "MISPGALAXY:Lazarus Group",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "32a223a8-3c79-4146-87c5-8557d38662ae",
			"created_at": "2022-10-25T15:50:23.703698Z",
			"updated_at": "2026-04-10T02:00:05.261989Z",
			"deleted_at": null,
			"main_name": "Lazarus Group",
			"aliases": [
				"Lazarus Group",
				"Labyrinth Chollima",
				"HIDDEN COBRA",
				"Guardians of Peace",
				"NICKEL ACADEMY",
				"Diamond Sleet"
			],
			"source_name": "MITRE:Lazarus Group",
			"tools": [
				"RawDisk",
				"Proxysvc",
				"BADCALL",
				"FALLCHILL",
				"WannaCry",
				"MagicRAT",
				"HOPLIGHT",
				"TYPEFRAME",
				"Dtrack",
				"HotCroissant",
				"HARDRAIN",
				"Dacls",
				"KEYMARBLE",
				"TAINTEDSCRIBE",
				"AuditCred",
				"netsh",
				"ECCENTRICBANDWAGON",
				"AppleJeus",
				"BLINDINGCAN",
				"ThreatNeedle",
				"Volgmer",
				"Cryptoistic",
				"RATANKBA",
				"Bankshot"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "f32df445-9fb4-4234-99e0-3561f6498e4e",
			"created_at": "2022-10-25T16:07:23.756373Z",
			"updated_at": "2026-04-10T02:00:04.739611Z",
			"deleted_at": null,
			"main_name": "Lazarus Group",
			"aliases": [
				"APT-C-26",
				"ATK 3",
				"Appleworm",
				"Citrine Sleet",
				"DEV-0139",
				"Diamond Sleet",
				"G0032",
				"Gleaming Pisces",
				"Gods Apostles",
				"Gods Disciples",
				"Group 77",
				"Guardians of Peace",
				"Hastati Group",
				"Hidden Cobra",
				"ITG03",
				"Jade Sleet",
				"Labyrinth Chollima",
				"Lazarus Group",
				"NewRomanic Cyber Army Team",
				"Operation 99",
				"Operation AppleJeus",
				"Operation AppleJeus sequel",
				"Operation Blockbuster: Breach of Sony Pictures Entertainment",
				"Operation CryptoCore",
				"Operation Dream Job",
				"Operation Dream Magic",
				"Operation Flame",
				"Operation GhostSecret",
				"Operation In(ter)caption",
				"Operation LolZarus",
				"Operation Marstech Mayhem",
				"Operation No Pineapple!",
				"Operation North Star",
				"Operation Phantom Circuit",
				"Operation Sharpshooter",
				"Operation SyncHole",
				"Operation Ten Days of Rain / DarkSeoul",
				"Operation Troy",
				"SectorA01",
				"Slow Pisces",
				"TA404",
				"TraderTraitor",
				"UNC2970",
				"UNC4034",
				"UNC4736",
				"UNC4899",
				"UNC577",
				"Whois Hacking Team"
			],
			"source_name": "ETDA:Lazarus Group",
			"tools": [
				"3CX Backdoor",
				"3Rat Client",
				"3proxy",
				"AIRDRY",
				"ARTFULPIE",
				"ATMDtrack",
				"AlphaNC",
				"Alreay",
				"Andaratm",
				"AngryRebel",
				"AppleJeus",
				"Aryan",
				"AuditCred",
				"BADCALL",
				"BISTROMATH",
				"BLINDINGCAN",
				"BTC Changer",
				"BUFFETLINE",
				"BanSwift",
				"Bankshot",
				"Bitrep",
				"Bitsran",
				"BlindToad",
				"Bookcode",
				"BootWreck",
				"BottomLoader",
				"Brambul",
				"BravoNC",
				"Breut",
				"COLDCAT",
				"COPPERHEDGE",
				"CROWDEDFLOUNDER",
				"Castov",
				"CheeseTray",
				"CleanToad",
				"ClientTraficForwarder",
				"CollectionRAT",
				"Concealment Troy",
				"Contopee",
				"CookieTime",
				"Cyruslish",
				"DAVESHELL",
				"DBLL Dropper",
				"DLRAT",
				"DRATzarus",
				"DRATzarus RAT",
				"Dacls",
				"Dacls RAT",
				"DarkComet",
				"DarkKomet",
				"DeltaCharlie",
				"DeltaNC",
				"Dembr",
				"Destover",
				"DoublePulsar",
				"Dozer",
				"Dtrack",
				"Duuzer",
				"DyePack",
				"ECCENTRICBANDWAGON",
				"ELECTRICFISH",
				"Escad",
				"EternalBlue",
				"FALLCHILL",
				"FYNLOS",
				"FallChill RAT",
				"Farfli",
				"Fimlis",
				"FoggyBrass",
				"FudModule",
				"Fynloski",
				"Gh0st RAT",
				"Ghost RAT",
				"Gopuram",
				"HARDRAIN",
				"HIDDEN COBRA RAT/Worm",
				"HLOADER",
				"HOOKSHOT",
				"HOPLIGHT",
				"HOTCROISSANT",
				"HOTWAX",
				"HTTP Troy",
				"Hawup",
				"Hawup RAT",
				"Hermes",
				"HotCroissant",
				"HotelAlfa",
				"Hotwax",
				"HtDnDownLoader",
				"Http Dr0pper",
				"ICONICSTEALER",
				"Joanap",
				"Jokra",
				"KANDYKORN",
				"KEYMARBLE",
				"Kaos",
				"KillDisk",
				"KillMBR",
				"Koredos",
				"Krademok",
				"LIGHTSHIFT",
				"LIGHTSHOW",
				"LOLBAS",
				"LOLBins",
				"Lazarus",
				"LightlessCan",
				"Living off the Land",
				"MATA",
				"MBRkiller",
				"MagicRAT",
				"Manuscrypt",
				"Mimail",
				"Mimikatz",
				"Moudour",
				"Mydoom",
				"Mydoor",
				"Mytob",
				"NACHOCHEESE",
				"NachoCheese",
				"NestEgg",
				"NickelLoader",
				"NineRAT",
				"Novarg",
				"NukeSped",
				"OpBlockBuster",
				"PCRat",
				"PEBBLEDASH",
				"PLANKWALK",
				"POOLRAT",
				"PSLogger",
				"PhanDoor",
				"Plink",
				"PondRAT",
				"PowerBrace",
				"PowerRatankba",
				"PowerShell RAT",
				"PowerSpritz",
				"PowerTask",
				"Preft",
				"ProcDump",
				"Proxysvc",
				"PuTTY Link",
				"QUICKRIDE",
				"QUICKRIDE.POWER",
				"Quickcafe",
				"QuiteRAT",
				"R-C1",
				"ROptimizer",
				"Ratabanka",
				"RatabankaPOS",
				"Ratankba",
				"RatankbaPOS",
				"RawDisk",
				"RedShawl",
				"Rifdoor",
				"Rising Sun",
				"Romeo-CoreOne",
				"RomeoAlfa",
				"RomeoBravo",
				"RomeoCharlie",
				"RomeoCore",
				"RomeoDelta",
				"RomeoEcho",
				"RomeoFoxtrot",
				"RomeoGolf",
				"RomeoHotel",
				"RomeoMike",
				"RomeoNovember",
				"RomeoWhiskey",
				"Romeos",
				"RustBucket",
				"SHADYCAT",
				"SHARPKNOT",
				"SIGFLIP",
				"SIMPLESEA",
				"SLICKSHOES",
				"SORRYBRUTE",
				"SUDDENICON",
				"SUGARLOADER",
				"SheepRAT",
				"SierraAlfa",
				"SierraBravo",
				"SierraCharlie",
				"SierraJuliett-MikeOne",
				"SierraJuliett-MikeTwo",
				"SimpleTea",
				"SimplexTea",
				"SmallTiger",
				"Stunnel",
				"TAINTEDSCRIBE",
				"TAXHAUL",
				"TFlower",
				"TOUCHKEY",
				"TOUCHMOVE",
				"TOUCHSHIFT",
				"TOUCHSHOT",
				"TWOPENCE",
				"TYPEFRAME",
				"Tdrop",
				"Tdrop2",
				"ThreatNeedle",
				"Tiger RAT",
				"TigerRAT",
				"Trojan Manuscript",
				"Troy",
				"TroyRAT",
				"VEILEDSIGNAL",
				"VHD",
				"VHD Ransomware",
				"VIVACIOUSGIFT",
				"VSingle",
				"ValeforBeta",
				"Volgmer",
				"Vyveva",
				"W1_RAT",
				"Wana Decrypt0r",
				"WanaCry",
				"WanaCrypt",
				"WanaCrypt0r",
				"WannaCry",
				"WannaCrypt",
				"WannaCryptor",
				"WbBot",
				"Wcry",
				"Win32/KillDisk.NBB",
				"Win32/KillDisk.NBC",
				"Win32/KillDisk.NBD",
				"Win32/KillDisk.NBH",
				"Win32/KillDisk.NBI",
				"WinorDLL64",
				"Winsec",
				"WolfRAT",
				"Wormhole",
				"YamaBot",
				"Yort",
				"ZetaNile",
				"concealment_troy",
				"http_troy",
				"httpdr0pper",
				"httpdropper",
				"klovbot",
				"sRDI"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434402,
	"ts_updated_at": 1775826729,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/b43b5ad7d10249205af77c7c1cf829b75a5e9c15.pdf",
		"text": "https://archive.orkl.eu/b43b5ad7d10249205af77c7c1cf829b75a5e9c15.txt",
		"img": "https://archive.orkl.eu/b43b5ad7d10249205af77c7c1cf829b75a5e9c15.jpg"
	}
}