{
	"id": "fd4478ea-7ccc-44db-89e0-2ac1c1402612",
	"created_at": "2026-04-06T00:17:18.302636Z",
	"updated_at": "2026-04-10T03:38:20.443577Z",
	"deleted_at": null,
	"sha1_hash": "ba46a35e40fd90d41403b73f328f46698cca5eeb",
	"title": "Lazarus covets COVID-19-related intelligence",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1427504,
	"plain_text": "Lazarus covets COVID-19-related intelligence\r\nBy Seongsu Park\r\nPublished: 2020-12-23 · Archived: 2026-04-05 13:55:52 UTC\r\nAs the COVID-19 crisis grinds on, some threat actors are trying to speed up vaccine development by any means available. We have found evidence that actors, such as the Lazarus group, are going after intelligence that could help these efforts by attacking entities related to COVID-19 research.\r\nWhile tracking the Lazarus group’s continuous campaigns targeting various industries, we discovered that they recently went after COVID-19-related entities. They attacked a pharmaceutical company at the end of September, and during our investigation we discovered that they had also attacked a government ministry related to the COVID-19 response. Each attack used different tactics, techniques and procedures (TTPs), but we found connections between the two cases and evidence linking those attacks to the notorious Lazarus group.\r\nRelationship of recent Lazarus group attack\r\nIn this blog, we describe two separate incidents. The first one is an attack against a government health ministry: on October 27, 2020, two Windows servers were compromised at the ministry. We were unable to identify the infection vector, but the threat actor was able to install a sophisticated malware cluster on these servers. We already knew this malware as ‘wAgent’. Its main component only works in memory and it fetches additional payloads from a remote server.\r\nThe second incident involves a pharmaceutical company. According to our telemetry, this company was breached on September 25, 2020. This time, the Lazarus group deployed the Bookcode malware, previously reported by ESET, in a supply chain attack through a South Korean software company. We were also able to observe post-exploitation commands run by Lazarus on this target.\r\nBoth attacks leveraged different malware clusters that do not overlap much.\r\n
However, we can confirm that both of them are connected to the Lazarus group, and we also found overlaps in the post-exploitation process.\r\nhttps://securelist.com/lazarus-covets-covid-19-related-intelligence/99906/\r\nPage 1 of 11\n\nwAgent malware cluster\r\nThe malware cluster has a complex infection scheme:\r\nInfection scheme of the wAgent malware cluster\r\nUnfortunately, we were unable to obtain the starter module used in this attack. The module seems to have a trivial role: executing wAgent with specific parameters. One of the wAgent samples we collected has fake metadata in order to make it look like the legitimate compression utility XZ Utils.\r\nAccording to our telemetry, this malware was directly executed on the victim machine from the command line shell by calling the Thumbs export function with the parameter:\r\nc:\\windows\\system32\\rundll32.exe  C:\\Programdata\\Oracle\\javac.dat, Thumbs 8IZ-VU7-109-S2MY\r\nThe 16-byte string parameter is used as an AES key to decrypt an embedded payload – a Windows DLL. When the embedded payload is loaded in memory, it decrypts configuration information using the given decryption key. The configuration contains various information including C2 server addresses, as well as a file path used later on. Although the configuration specifies two C2 servers, it contains the same C2 server twice. Interestingly, the configuration has several URL paths separated with an ‘@’ symbol. The malware attempts to connect to each URL path randomly.\r\nC2 address in the configuration\r\nWhen the malware is executed for the first time, it generates identifiers to distinguish each victim using the hash of a random value. It also generates a 16-byte random value and reverses its order. Next, the malware concatenates this random 16-byte value and the hash using ‘@’ as a delimiter.\r\n
i.e.: 82UKx3vnjQ791PL2@29312663988969\r\nPOST parameter names (shown below) are decrypted at runtime and chosen randomly at each C2 connection. We’ve previously seen and reported to our Threat Intelligence Report customers that a very similar technique was used when the Lazarus group attacked cryptocurrency businesses with an evolved downloader malware. It is worth noting that Tistory is a South Korean blog posting service, which means the malware author is familiar with the South Korean internet environment:\r\nplugin course property tistory tag vacon slide parent manual themes product notice portal articles category doc entry isbn tb idx tab maincode level bbs method thesis content blogdata tname\r\nThe malware encodes the generated identifier as base64 and POSTs it to the C2. Finally, the agent fetches the next payload from the C2 server and loads it in memory directly. Unfortunately, we couldn’t obtain a copy of it, but according to our telemetry, the fetched payload is a Windows DLL containing backdoor functionalities. Using this in-memory backdoor, the malware operator executed numerous shell commands to gather victim information:\r\ncmd.exe /c ping -n 1 -a 192.[redacted]\r\ncmd.exe /c ping -n 1 -a 192.[redacted]\r\ncmd.exe /c dir \\\\192.[redacted]\\c$\r\ncmd.exe /c query user\r\ncmd.exe /c net user [redacted] /domain\r\ncmd.exe /c whoami\r\nPersistent wAgent deployed\r\nUsing the wAgent backdoor, the operator installed an additional wAgent payload that has a persistence mechanism. After fetching this DLL, an export called SagePlug was executed with the following command line parameters:\r\nrundll32.exe c:\\programdata\\oracle\\javac.io, SagePlug 4GO-R19-0TQ-HL2A c:\\programdata\\oracle\\~TMP739.TMP\r\n4GO-R19-0TQ-HL2A is used as a key and the file path indicates where debugging messages are saved. This wAgent installer works similarly to the wAgent loader malware described above.\r\n
It is responsible for loading an embedded payload after decrypting it with the 16-byte key from the command line. In the decrypted payload, the malware generates a file path to proceed with the infection:\r\nC:\\Windows\\system32\\[random 2 characters]svc.drv\r\nThis file is disguised as a legitimate tool named SageThumbs Shell Extension. This tool shows image files directly in Windows Explorer. However, inside it contains an additional malicious routine.\r\nWhile creating this file, the installer module fills it with random data to increase its size. The malware also copies cmd.exe’s creation time to the new file in order to make it less easy to spot.\r\nFor logging and debugging purposes, the malware stores information in the file provided as the second argument (c:\\programdata\\oracle\\~TMP739.TMP in this case). This log file contains timestamps and information about the infection process. We observed that the malware operators were checking this file manually using Windows commands.\r\nThese debugging messages have the same structure as previous malware used in attacks against cryptocurrency businesses involving the Lazarus group. More details are provided in the Attribution section.\r\nAfter that, the malware decrypts its embedded configuration. This configuration data has a similar structure as the aforementioned wAgent malware.\r\n
It also contains C2 addresses in the same format:\r\nhxxps://iski.silogica[.]net/events/serial.jsp@WFRForms.jsp@import.jsp@view.jsp@cookie.jsp\r\nhxxp://sistema.celllab[.]com.br/webrun/Navbar/auth.jsp@cache.jsp@legacy.jsp@chooseIcon.jsp@customZoom.jsp\r\nhxxp://www.bytecortex.com[.]br/eletronicos/digital.jsp@exit.jsp@helpform.jsp@masks.jsp@Functions.jsp\r\nhxxps://sac.najatelecom.com[.]br/sac/Dados/ntlm.jsp@loading.jsp@access.jsp@local.jsp@default.jsp\r\nThe malware encrypts configuration data and stores it as a predefined registry key with its file name:\r\nHKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\services\\eventlog\\Application\\Emulate – [random 2 characters]svc\r\nIt also takes advantage of the Custom Security Support Provider by registering the created file path to the end of the existing registry value. Thanks to this registry key, this DLL will be loaded by lsass.exe during the next startup.\r\nHKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Control\\Lsa – Security Packages : kerberos msv1_0 schannel wdigest tspkg pku2u [random 2 characters]svc.drv\r\nFinally, the starter module starts the [random 2 characters]svc.drv file in a remote process. It searches for the first svchost.exe process and performs DLL injection. The injected [random 2 characters]svc.drv malware contains a malicious routine for decrypting and loading its embedded payload. The final payload is wAgent, which is responsible for fetching additional payloads from the C2, possibly a fully featured backdoor, and loading it in the memory.\r\nBookcode malware cluster\r\nThe pharmaceutical company targeted by Lazarus group’s Bookcode malware is developing a COVID-19 vaccine and is authorized to produce and distribute COVID-19 vaccines. We previously saw Lazarus attack a software company in South Korea with Bookcode malware, possibly targeting the source code or supply chain of that company.\r\n
We have also witnessed the Lazarus group carry out spear phishing or strategic website compromise in order to deliver Bookcode malware in the past. However, we weren’t able to identify the exact initial infection vector for this incident. The whole infection procedure confirmed by our telemetry is very similar to the one described in ESET’s latest publication on the subject.\r\nBookcode infection procedure\r\nAlthough we didn’t find the piece of malware tasked with deploying the loader and its encrypted Bookcode payload, we were able to identify a loader sample. This file is responsible for loading an encrypted payload named gmslogmgr.dat located in the system folder. After decrypting the payload, the loader finds the Service Host Process (svchost.exe) with winmgmt, ProfSvc or Appinfo parameters and injects the payload into it. Unfortunately, we couldn’t acquire the encrypted payload file, but we were able to reconstruct the malware actions on the victim machine and identify it as the Bookcode malware we reported to our Threat Intelligence Report customers.\r\nUpon execution, the Bookcode malware reads a configuration file. While previous Bookcode samples used the file perf91nc.inf as a configuration file, this version reads its configuration from a file called C_28705.NLS. This Bookcode sample has almost identical functionality as the malware described in the comprehensive report recently published by Korea Internet \u0026 Security Agency (KISA). As described on page 57 of that report, once the malware is started it sends information about the victim to the attacker’s infrastructure.\r\n
After communicating with the C2 server, the malware provides standard backdoor functionalities.\r\nPost-exploitation phase\r\nThe Lazarus group’s campaign using the Bookcode cluster has its own unique TTPs, and the same modus operandi was used in this attack.\r\n- Extracting infected host information, including password hashes, from the registry sam dump.\r\n- Using Windows commands in order to check network connectivity.\r\n- Using the WakeMeOnLan tool to scan hosts in the same network.\r\nAfter installing Bookcode on September 25, 2020, the malware operator started gathering system and network information from the victim. The malware operator also collected a registry sam dump containing password hashes:\r\nexe /c “reg.exe save hklm\\sam %temp%\\~reg_sam.save \u003e “%temp%\\BD54EA8118AF46.TMP~” 2\u003e\u00261″\r\nexe /c “reg.exe save hklm\\system %temp%\\~reg_system.save \u003e “%temp%\\405A758FA9C3DD.TMP~” 2\u003e\u00261″\r\nIn the lateral movement phase, the malware operator used well-known methodologies. After acquiring account information, they connected to another host with the “net” command and executed a copied payload with the “wmic” command.\r\nexe /c “netstat -aon | find “ESTA” \u003e %temp%\\~431F.tmp\r\nexe /c “net use \\\\172.[redacted] “[redacted]” /u:[redacted] \u003e %temp%\\~D94.tmp” 2\u003e\u00261″\r\nwmic /node:172.[redacted] /user:[redacted] /password:”[redacted]” process call create “%temp%\\engtask.exe” \u003e %temp%\\~9DC9.tmp” 2\u003e\u00261″\r\nMoreover, Lazarus used ADfind in order to collect additional information from the Active Directory. Using this utility, the threat actor extracted a list of the victim’s users and computers.\r\nInfrastructure of Bookcode\r\nAs a result of closely working with the victim to help remediate this attack, we discovered an additional configuration file.\r\n
It contains four C2 servers, all of which are compromised web servers located in South Korea.\r\nhxxps://www.kne.co[.]kr/upload/Customer/BBS.asp\r\nhxxp://www.k-kiosk[.]com/bbs/notice_write.asp\r\nhxxps://www.gongim[.]com/board/ajax_Write.asp\r\nhxxp://www.cometnet[.]biz/framework/common/common.asp\r\nOne of those C2 servers had directory listing enabled, so we were able to gain insights as to how the attackers manage their C2 server:\r\nAttacker files listed on a compromised website\r\nWe discovered several log files and a script from the compromised server, which is a “first-stage” C2 server. It receives connections from the backdoor, but only serves as a proxy to a “second-stage” server where the operators actually store orders.\r\nFile name | Description\r\n_ICEBIRD007.dat | A log file containing the identifier of victims and timestamps.\r\n~F05990302ERA.jpg | Second-stage C2 server address: hxxps://www.locknlockmall[.]com/common/popup_left.asp\r\nCustomer_Session.asp | Malware control script.\r\nCustomer_Session.asp is a first-stage C2 script responsible for delivering commands from the next-stage C2 server and command execution results from the implant. In order to deliver proper commands to each victim, the bbs_code parameter from the implants is used as an identifier. The script uses this identifier to assign commands to the correct victims. Here is how the process of sending an order for a particular victim works:\r\n1. The malware operator sets the corresponding flag ([id]_208) of a specific implant and saves the command to the variable ([id]_210).\r\n2. The implant checks the corresponding flag ([id]_208) and retrieves the command from the variable ([id]_210) if it is set.\r\n3. After executing the command, the implant sends the result to the C2 server and sets the corresponding flag.\r\n4. The malware operator checks the flag and retrieves the result if the flag is set.\r\nLogic of the C2 script\r\nBesides implant control features, the C2 script has additional capabilities such as updating the next-stage C2 server address, sending the identifier of the implant to the next-stage server or removing a log file.\r\ntable_nm value | Function name | Description\r\ntable_qna | qnaview | Set [id]_209 variable to TRUE and save the “content” parameter value to [id]_211.\r\ntable_recruit | recuritview | If [id]_209 is SET, send contents of [id]_211 and reset it, and set [ID]_209 to FALSE.\r\ntable_notice | notcieview | Set [id]_208 and save the “content” parameter value to [id]_210.\r\ntable_bVoice | voiceview | If [id]_208 is SET, send contents of [id]_210 and reset it, and set [id]_208 to FALSE.\r\ntable_bProduct | productview | Update the ~F05990302ERA.jpg file with the URL passed as the “target_url” parameter.\r\ntable_community | communityview | Save the identifier of the implant to the log file. Read the second-stage URL from ~F05990302ERA.jpg and send the current server URL and identifier to the next hop server using the following format: bbs_type=qnaboard\u0026table_id=[base64ed identifier]\u0026accept_identity=[base64 encoded current server IP]\u0026redirect_info=[base64ed current server URL]\r\ntable_free | freeview | Read _ICEBIRD007.dat and send its contents, and delete it.\r\nAttribution\r\nWe assess with high confidence that the activity analyzed in this post is attributable to the Lazarus group. In our previous research, we already attributed the malware clusters used in both incidents described here to the Lazarus group.\r\n
First of all, we observe that the wAgent malware used against the health ministry has the same infection scheme as the malware that the Lazarus group used previously in attacks on cryptocurrency businesses.\r\n- Both cases used a similar malware naming scheme, generating two characters randomly and appending “svc” to it to generate the path where the payload is dropped.\r\n- Both malicious programs use a Security Support Provider as a persistence mechanism.\r\n- Both malicious programs have almost identical debugging messages.\r\nHere is a side-by-side comparison of the malware used in the ministry of health incident, and the malware (4088946632e75498d9c478da782aa880) used in the cryptocurrency business attack:\r\nDebugging log from ministry of health case:\r\n15:18:20 Extracted Dll : [random 2bytes]svc.drv\r\n15:59:32 Reg Config Success !\r\n16:08:45 Register Svc Success !\r\n16:24:53 Injection Success, Process ID : 544\r\nDebugging log of cryptocurrency business case:\r\nExtracted Dll : [random 2bytes]svc.dll\r\nExtracted Injecter : [random 2bytes]proc.exe\r\nReg Config Success !\r\nRegister Svc Success !\r\nStart Injecter Success !\r\nRegarding the pharmaceutical company incident, we previously concluded that Bookcode is exclusively used by the Lazarus group. According to our Kaspersky Threat Attribution Engine (KTAE), one of the Bookcode malware samples (MD5 0e44fcafab066abe99fe64ec6c46c84e) contains lots of code overlaps with old Manuscrypt variants.\r\nKaspersky Threat Attribution Engine results for Bookcode\r\nMoreover, the same strategy was used in the post-exploitation phase, for example, the usage of ADFind in the attack against the health ministry to collect further information on the victim’s environment.\r\n
The same tool was deployed during the pharmaceutical company case in order to extract the list of employees and computers from the Active Directory. Although ADfind is a common tool for the post-exploitation process, it is an additional data point that indicates that the attackers use shared tools and methodologies.\r\nConclusions\r\nThese two incidents reveal the Lazarus group’s interest in intelligence related to COVID-19. While the group is mostly known for its financial activities, it is a good reminder that it can go after strategic research as well. We believe that all entities currently involved in activities such as vaccine research or crisis handling should be on high alert for cyberattacks.\r\nIndicators of compromise\r\nwAgent\r\ndc3c2663bd9a991e0fbec791c20cbf92  %programdata%\\oracle\\javac.dat\r\n26545f5abb70fc32ac62fdab6d0ea5b2  %programdata%\\oracle\\javac.dat\r\n9c6ba9678ff986bcf858de18a3114ef3  %programdata%\\grouppolicy\\Policy.DAT\r\nwAgent Installer\r\n4814b06d056950749d07be2c799e8dc2  %programdata%\\oracle\\javac.io, %appdata%\\ntuser.dat\r\nwAgent compromised C2 servers\r\nhttp://client.livesistemas[.]com/Live/posto/system.jsp@public.jsp@jenkins.jsp@tomas.jsp@story.jsp\r\nhxxps://iski.silogica[.]net/events/serial.jsp@WFRForms.jsp@import.jsp@view.jsp@cookie.jsp\r\nhxxp://sistema.celllab[.]com.br/webrun/Navbar/auth.jsp@cache.jsp@legacy.jsp@chooseIcon.jsp@customZoom.jsp\r\nhxxp://www.bytecortex.com[.]br/eletronicos/digital.jsp@exit.jsp@helpform.jsp@masks.jsp@Functions.jsp\r\nhxxps://sac.najatelecom.com[.]br/sac/Dados/ntlm.jsp@loading.jsp@access.jsp@local.jsp@default.jsp\r\nwAgent file path\r\n%SystemRoot%\\system32\\[random 2 characters]svc.drv\r\nwAgent registry path\r\nHKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\services\\eventlog\\Application\\Emulate - [random 2 characters]svc\r\nBookcode injector\r\n5983db89609d0d94c3bcc88c6342b354  %SystemRoot%\\system32\\scaccessservice.exe, rasprocservice.exe\r\nBookcode file path\r\n%SystemRoot%\\system32\\C_28705.NLS\r\n%SystemRoot%\\system32\\gmslogmgr.dat\r\nBookcode compromised C2 servers\r\nhxxps://www.kne.co[.]kr/upload/Customer/BBS.asp\r\nhxxp://www.k-kiosk[.]com/bbs/notice_write.asp\r\nhxxps://www.gongim[.]com/board/ajax_Write.asp\r\nhxxp://www.cometnet[.]biz/framework/common/common.asp\r\nhxxps://www.locknlockmall[.]com/common/popup_left.asp\r\nMITRE ATT\u0026CK Mapping\r\nTactic | Technique | Technique Name\r\nExecution | T1059.003 | Command and Scripting Interpreter: Windows Command Shell\r\nExecution | T1569.002 | System Services: Service Execution\r\nPersistence | T1547.005 | Boot or Logon Autostart Execution: Security Support Provider\r\nPersistence | T1543.003 | Create or Modify System Process: Windows Service\r\nPrivilege Escalation | T1547.005 | Boot or Logon Autostart Execution: Security Support Provider\r\nPrivilege Escalation | T1543.003 | Create or Modify System Process: Windows Service\r\nPrivilege Escalation | T1055.001 | Process Injection: Dynamic-link Library Injection\r\nDefense Evasion | T1070.006 | Indicator Removal on Host: Timestomp\r\nDefense Evasion | T1055.001 | Process Injection: Dynamic-link Library Injection\r\nDefense Evasion | T1140 | Deobfuscate/Decode Files or Information\r\nDefense Evasion | T1027.001 | Obfuscated Files or Information: Binary Padding\r\nCredential Access | T1003.002 | OS Credential Dumping: Security Account Manager\r\nDiscovery | T1082 | System Information Discovery\r\nDiscovery | T1033 | System Owner/User Discovery\r\nDiscovery | T1049 | System Network Connections Discovery\r\nLateral Movement | T1021.002 | SMB/Windows Admin Shares\r\nCommand and Control | T1071.001 | Application Layer Protocol: Web Protocols\r\nCommand and Control | T1132.001 | Data Encoding: Standard Encoding\r\nExfiltration | T1041 | Exfiltration Over C2 Channel\r\nSource: https://securelist.com/lazarus-covets-covid-19-related-intelligence/99906/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia",
		"ETDA"
	],
	"references": [
		"https://securelist.com/lazarus-covets-covid-19-related-intelligence/99906/"
	],
	"report_names": [
		"99906"
	],
	"threat_actors": [
		{
			"id": "34eea331-d052-4096-ae03-a22f1d090bd4",
			"created_at": "2025-08-07T02:03:25.073494Z",
			"updated_at": "2026-04-10T02:00:03.709243Z",
			"deleted_at": null,
			"main_name": "NICKEL ACADEMY",
			"aliases": [
				"ATK3 ",
				"Black Artemis ",
				"COVELLITE ",
				"CTG-2460 ",
				"Citrine Sleet ",
				"Diamond Sleet ",
				"Guardians of Peace",
				"HIDDEN COBRA ",
				"High Anonymous",
				"Labyrinth Chollima ",
				"Lazarus Group ",
				"NNPT Group",
				"New Romanic Cyber Army Team",
				"Temp.Hermit ",
				"UNC577 ",
				"Who Am I?",
				"Whois Team",
				"ZINC "
			],
			"source_name": "Secureworks:NICKEL ACADEMY",
			"tools": [
				"Destover",
				"KorHigh",
				"Volgmer"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "732597b1-40a8-474c-88cc-eb8a421c29f1",
			"created_at": "2025-08-07T02:03:25.087732Z",
			"updated_at": "2026-04-10T02:00:03.776007Z",
			"deleted_at": null,
			"main_name": "NICKEL GLADSTONE",
			"aliases": [
				"APT38 ",
				"ATK 117 ",
				"Alluring Pisces ",
				"Black Alicanto ",
				"Bluenoroff ",
				"CTG-6459 ",
				"Citrine Sleet ",
				"HIDDEN COBRA ",
				"Lazarus Group",
				"Sapphire Sleet ",
				"Selective Pisces ",
				"Stardust Chollima ",
				"T-APT-15 ",
				"TA444 ",
				"TAG-71 "
			],
			"source_name": "Secureworks:NICKEL GLADSTONE",
			"tools": [
				"AlphaNC",
				"Bankshot",
				"CCGC_Proxy",
				"Ratankba",
				"RustBucket",
				"SUGARLOADER",
				"SwiftLoader",
				"Wcry"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "a2b92056-9378-4749-926b-7e10c4500dac",
			"created_at": "2023-01-06T13:46:38.430595Z",
			"updated_at": "2026-04-10T02:00:02.971571Z",
			"deleted_at": null,
			"main_name": "Lazarus Group",
			"aliases": [
				"Operation DarkSeoul",
				"Bureau 121",
				"Group 77",
				"APT38",
				"NICKEL GLADSTONE",
				"G0082",
				"COPERNICIUM",
				"Moonstone Sleet",
				"Operation GhostSecret",
				"APT 38",
				"Appleworm",
				"Unit 121",
				"ATK3",
				"G0032",
				"ATK117",
				"NewRomanic Cyber Army Team",
				"Nickel Academy",
				"Sapphire Sleet",
				"Lazarus group",
				"Hastati Group",
				"Subgroup: Bluenoroff",
				"Operation Troy",
				"Black Artemis",
				"Dark Seoul",
				"Andariel",
				"Labyrinth Chollima",
				"Operation AppleJeus",
				"COVELLITE",
				"Citrine Sleet",
				"DEV-0139",
				"DEV-1222",
				"Hidden Cobra",
				"Bluenoroff",
				"Stardust Chollima",
				"Whois Hacking Team",
				"Diamond Sleet",
				"TA404",
				"BeagleBoyz",
				"APT-C-26"
			],
			"source_name": "MISPGALAXY:Lazarus Group",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "32a223a8-3c79-4146-87c5-8557d38662ae",
			"created_at": "2022-10-25T15:50:23.703698Z",
			"updated_at": "2026-04-10T02:00:05.261989Z",
			"deleted_at": null,
			"main_name": "Lazarus Group",
			"aliases": [
				"Lazarus Group",
				"Labyrinth Chollima",
				"HIDDEN COBRA",
				"Guardians of Peace",
				"NICKEL ACADEMY",
				"Diamond Sleet"
			],
			"source_name": "MITRE:Lazarus Group",
			"tools": [
				"RawDisk",
				"Proxysvc",
				"BADCALL",
				"FALLCHILL",
				"WannaCry",
				"MagicRAT",
				"HOPLIGHT",
				"TYPEFRAME",
				"Dtrack",
				"HotCroissant",
				"HARDRAIN",
				"Dacls",
				"KEYMARBLE",
				"TAINTEDSCRIBE",
				"AuditCred",
				"netsh",
				"ECCENTRICBANDWAGON",
				"AppleJeus",
				"BLINDINGCAN",
				"ThreatNeedle",
				"Volgmer",
				"Cryptoistic",
				"RATANKBA",
				"Bankshot"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "f32df445-9fb4-4234-99e0-3561f6498e4e",
			"created_at": "2022-10-25T16:07:23.756373Z",
			"updated_at": "2026-04-10T02:00:04.739611Z",
			"deleted_at": null,
			"main_name": "Lazarus Group",
			"aliases": [
				"APT-C-26",
				"ATK 3",
				"Appleworm",
				"Citrine Sleet",
				"DEV-0139",
				"Diamond Sleet",
				"G0032",
				"Gleaming Pisces",
				"Gods Apostles",
				"Gods Disciples",
				"Group 77",
				"Guardians of Peace",
				"Hastati Group",
				"Hidden Cobra",
				"ITG03",
				"Jade Sleet",
				"Labyrinth Chollima",
				"Lazarus Group",
				"NewRomanic Cyber Army Team",
				"Operation 99",
				"Operation AppleJeus",
				"Operation AppleJeus sequel",
				"Operation Blockbuster: Breach of Sony Pictures Entertainment",
				"Operation CryptoCore",
				"Operation Dream Job",
				"Operation Dream Magic",
				"Operation Flame",
				"Operation GhostSecret",
				"Operation In(ter)caption",
				"Operation LolZarus",
				"Operation Marstech Mayhem",
				"Operation No Pineapple!",
				"Operation North Star",
				"Operation Phantom Circuit",
				"Operation Sharpshooter",
				"Operation SyncHole",
				"Operation Ten Days of Rain / DarkSeoul",
				"Operation Troy",
				"SectorA01",
				"Slow Pisces",
				"TA404",
				"TraderTraitor",
				"UNC2970",
				"UNC4034",
				"UNC4736",
				"UNC4899",
				"UNC577",
				"Whois Hacking Team"
			],
			"source_name": "ETDA:Lazarus Group",
			"tools": [
				"3CX Backdoor",
				"3Rat Client",
				"3proxy",
				"AIRDRY",
				"ARTFULPIE",
				"ATMDtrack",
				"AlphaNC",
				"Alreay",
				"Andaratm",
				"AngryRebel",
				"AppleJeus",
				"Aryan",
				"AuditCred",
				"BADCALL",
				"BISTROMATH",
				"BLINDINGCAN",
				"BTC Changer",
				"BUFFETLINE",
				"BanSwift",
				"Bankshot",
				"Bitrep",
				"Bitsran",
				"BlindToad",
				"Bookcode",
				"BootWreck",
				"BottomLoader",
				"Brambul",
				"BravoNC",
				"Breut",
				"COLDCAT",
				"COPPERHEDGE",
				"CROWDEDFLOUNDER",
				"Castov",
				"CheeseTray",
				"CleanToad",
				"ClientTraficForwarder",
				"CollectionRAT",
				"Concealment Troy",
				"Contopee",
				"CookieTime",
				"Cyruslish",
				"DAVESHELL",
				"DBLL Dropper",
				"DLRAT",
				"DRATzarus",
				"DRATzarus RAT",
				"Dacls",
				"Dacls RAT",
				"DarkComet",
				"DarkKomet",
				"DeltaCharlie",
				"DeltaNC",
				"Dembr",
				"Destover",
				"DoublePulsar",
				"Dozer",
				"Dtrack",
				"Duuzer",
				"DyePack",
				"ECCENTRICBANDWAGON",
				"ELECTRICFISH",
				"Escad",
				"EternalBlue",
				"FALLCHILL",
				"FYNLOS",
				"FallChill RAT",
				"Farfli",
				"Fimlis",
				"FoggyBrass",
				"FudModule",
				"Fynloski",
				"Gh0st RAT",
				"Ghost RAT",
				"Gopuram",
				"HARDRAIN",
				"HIDDEN COBRA RAT/Worm",
				"HLOADER",
				"HOOKSHOT",
				"HOPLIGHT",
				"HOTCROISSANT",
				"HOTWAX",
				"HTTP Troy",
				"Hawup",
				"Hawup RAT",
				"Hermes",
				"HotCroissant",
				"HotelAlfa",
				"Hotwax",
				"HtDnDownLoader",
				"Http Dr0pper",
				"ICONICSTEALER",
				"Joanap",
				"Jokra",
				"KANDYKORN",
				"KEYMARBLE",
				"Kaos",
				"KillDisk",
				"KillMBR",
				"Koredos",
				"Krademok",
				"LIGHTSHIFT",
				"LIGHTSHOW",
				"LOLBAS",
				"LOLBins",
				"Lazarus",
				"LightlessCan",
				"Living off the Land",
				"MATA",
				"MBRkiller",
				"MagicRAT",
				"Manuscrypt",
				"Mimail",
				"Mimikatz",
				"Moudour",
				"Mydoom",
				"Mydoor",
				"Mytob",
				"NACHOCHEESE",
				"NachoCheese",
				"NestEgg",
				"NickelLoader",
				"NineRAT",
				"Novarg",
				"NukeSped",
				"OpBlockBuster",
				"PCRat",
				"PEBBLEDASH",
				"PLANKWALK",
				"POOLRAT",
				"PSLogger",
				"PhanDoor",
				"Plink",
				"PondRAT",
				"PowerBrace",
				"PowerRatankba",
				"PowerShell RAT",
				"PowerSpritz",
				"PowerTask",
				"Preft",
				"ProcDump",
				"Proxysvc",
				"PuTTY Link",
				"QUICKRIDE",
				"QUICKRIDE.POWER",
				"Quickcafe",
				"QuiteRAT",
				"R-C1",
				"ROptimizer",
				"Ratabanka",
				"RatabankaPOS",
				"Ratankba",
				"RatankbaPOS",
				"RawDisk",
				"RedShawl",
				"Rifdoor",
				"Rising Sun",
				"Romeo-CoreOne",
				"RomeoAlfa",
				"RomeoBravo",
				"RomeoCharlie",
				"RomeoCore",
				"RomeoDelta",
				"RomeoEcho",
				"RomeoFoxtrot",
				"RomeoGolf",
				"RomeoHotel",
				"RomeoMike",
				"RomeoNovember",
				"RomeoWhiskey",
				"Romeos",
				"RustBucket",
				"SHADYCAT",
				"SHARPKNOT",
				"SIGFLIP",
				"SIMPLESEA",
				"SLICKSHOES",
				"SORRYBRUTE",
				"SUDDENICON",
				"SUGARLOADER",
				"SheepRAT",
				"SierraAlfa",
				"SierraBravo",
				"SierraCharlie",
				"SierraJuliett-MikeOne",
				"SierraJuliett-MikeTwo",
				"SimpleTea",
				"SimplexTea",
				"SmallTiger",
				"Stunnel",
				"TAINTEDSCRIBE",
				"TAXHAUL",
				"TFlower",
				"TOUCHKEY",
				"TOUCHMOVE",
				"TOUCHSHIFT",
				"TOUCHSHOT",
				"TWOPENCE",
				"TYPEFRAME",
				"Tdrop",
				"Tdrop2",
				"ThreatNeedle",
				"Tiger RAT",
				"TigerRAT",
				"Trojan Manuscript",
				"Troy",
				"TroyRAT",
				"VEILEDSIGNAL",
				"VHD",
				"VHD Ransomware",
				"VIVACIOUSGIFT",
				"VSingle",
				"ValeforBeta",
				"Volgmer",
				"Vyveva",
				"W1_RAT",
				"Wana Decrypt0r",
				"WanaCry",
				"WanaCrypt",
				"WanaCrypt0r",
				"WannaCry",
				"WannaCrypt",
				"WannaCryptor",
				"WbBot",
				"Wcry",
				"Win32/KillDisk.NBB",
				"Win32/KillDisk.NBC",
				"Win32/KillDisk.NBD",
				"Win32/KillDisk.NBH",
				"Win32/KillDisk.NBI",
				"WinorDLL64",
				"Winsec",
				"WolfRAT",
				"Wormhole",
				"YamaBot",
				"Yort",
				"ZetaNile",
				"concealment_troy",
				"http_troy",
				"httpdr0pper",
				"httpdropper",
				"klovbot",
				"sRDI"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434638,
	"ts_updated_at": 1775792300,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/ba46a35e40fd90d41403b73f328f46698cca5eeb.pdf",
		"text": "https://archive.orkl.eu/ba46a35e40fd90d41403b73f328f46698cca5eeb.txt",
		"img": "https://archive.orkl.eu/ba46a35e40fd90d41403b73f328f46698cca5eeb.jpg"
	}
}