{
	"id": "e0894553-3291-4f42-a911-117c8a25ff5f",
	"created_at": "2026-04-06T00:21:05.344683Z",
	"updated_at": "2026-04-10T03:35:42.318382Z",
	"deleted_at": null,
	"sha1_hash": "c0b2ef496fb5d8c5ddc4cb486d377c54e28e46bf",
	"title": "Why LaZagne Makes D-Bus API Vigilance Crucial",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1561515,
	"plain_text": "Why LaZagne Makes D-Bus API Vigilance Crucial\r\nBy Siddharth Sharma\r\nPublished: 2023-08-24 · Archived: 2026-04-05 17:53:40 UTC\r\nExecutive Summary\r\nTargeted attacks on Linux systems have increased, and the easy availability of hacktool utilities like LaZagne (a popular open-source password recovery tool) has made it convenient for threat actors to add password dumping to their malware attack chains. The tool poses a significant risk to Linux users because it targets popular chat software like Pidgin, using D-Bus APIs to extract sensitive information including passwords.\r\nThis article provides a concise overview of how LaZagne leverages the Pidgin D-Bus APIs to fetch this information, and why keeping an eye on D-Bus API calls can be a smart security move. We also examine how attackers have used LaZagne in specific malware campaigns.\r\nAdvanced WildFire for Linux, empowered with eBPF, detects D-Bus API related activity. Palo Alto Networks customers receive protection from the LaZagne hacktool in WildFire through YARA and behavioral rules that detect suspicious activity related to the LaZagne threat.\r\nIntroduction to D-Bus\r\nDesktop Bus, commonly called D-Bus, is an inter-process communication (IPC) mechanism on *nix-based systems that allows applications and services to communicate with each other efficiently. D-Bus uses a client-server architecture in which the dbus-daemon message bus acts as the server, routing messages between the applications that connect to it as clients.\r\nD-Bus is widely used in popular software like NetworkManager, PulseAudio, systemd and Evolution, and it enables seamless communication between various system components and applications. For example, the Evolution email client uses D-Bus to communicate with other components like the Evolution Data Server, which handles tasks such as storing and managing email accounts, contacts and calendars.\r\nThe D-Bus APIs on a Linux system facilitate communication between applications and services and can therefore expose sensitive data. These APIs pose a risk if they are not monitored. The LaZagne hacktool leverages the Pidgin D-Bus APIs to dump credentials.\r\nHow LaZagne Steals Pidgin Credentials\r\nLaZagne connects to the Pidgin client's D-Bus API and fetches account credentials, including usernames and passwords, while the application is running (as shown in Figure 1).\r\nhttps://unit42.paloaltonetworks.com/lazagne-leverages-d-bus/\r\nPage 1 of 7\r\nFigure 1. LaZagne fetching account credentials.\r\nThe code in Figure 2 shows how the LaZagne hacktool connects to the Pidgin D-Bus APIs to retrieve credentials.\r\nFigure 2. LaZagne leveraging D-Bus to fetch passwords. Source: AlessandroZ/LaZagne.\r\nHere is a breakdown of the highlighted code shown above in Figure 2.\r\nThe get_password_from_dbus method is defined inside the Pidgin class, which inherits from the ModuleInfo class.\r\nA D-Bus connection for each session is created using dbus.bus.BusConnection(session). For each method called on the purple object (a proxy for the Pidgin D-Bus APIs), the dbus-python library internally handles the creation, sending and receiving of D-Bus messages.\r\nThe PurpleAccountGetUsername(_acc), PurpleAccountGetPassword(_acc) and PurpleAccountGetProtocolName(_acc) methods are used to interact with the Pidgin application. They fetch the username, password and protocol name respectively, for each account, from the Pidgin D-Bus APIs.\r\nThe extracted information is then stored in a list called pwd_found as dictionaries.\r\nSome of the low-level libdbus library APIs (shown in Figure 3) that could be used for similar processes include:\r\ndbus_message_new_method_call(): to create a new D-Bus message for a method call\r\ndbus_message_append_args(): to append arguments to a D-Bus message\r\ndbus_connection_send_with_reply_and_block(): to send the message and wait for a reply\r\ndbus_message_get_args(): to extract the arguments from the reply message\r\nFigure 3. Low-level implementation of LaZagne's Pidgin class.\r\nLaZagne allows threat actors to dump credentials for other accounts in addition to Pidgin's. It can also dump KDE Wallet (KWallet) passwords via D-Bus APIs. KWallet is the password management system used by the KDE desktop environment on Linux. These passwords are the individual passwords saved within the KWallet system, which can include passwords for websites, email accounts, Wi-Fi networks or any other credentials a user chooses to store.\r\nThreat actors have leveraged these D-Bus APIs to obtain sensitive data, and various public sources document cases of threat groups that have utilized LaZagne during the past few years.\r\nLaZagne in Malware Campaigns\r\nLaZagne's availability on multiple operating systems has made it an attractive tool for threat actors.\r\nIn 2019, the suspected Iranian state-sponsored threat group Agent Serpens (aka Charming Kitten or APT35) used LaZagne in a series of attacks that harvested login credentials from Windows-based systems.\r\nIn 2020, the activity cluster Unit 42 researchers track as CL-CRI-0025 (tracked by other companies as a threat actor known as UNC1945 or LightBasin) used a custom Quick Emulator (QEMU) Linux virtual machine that contained various tools, including LaZagne, to harvest credentials from Italian and other European targets.\r\nSince 2020, the threat actor we track as Prying Libra (aka Gold Dupont, behind attacks leading to RansomEXX ransomware) has reportedly used LaZagne to extract credentials from targeted hosts.\r\nAs early as July 2021, Adept Libra (aka TeamTNT) used LaZagne as part of its Chimaera campaign to steal passwords from various operating systems, including Linux distributions in cloud-based environments. This campaign continued through at least December 2021, when Adept Libra used LaZagne to steal passwords from a WordPress site in a Kubernetes environment.\r\nThe following table summarizes the use of the hacktool in various malware attack campaigns:\r\nFigure 4 shows an example of the bash script using LaZagne in the reported December 2021 attack.\r\nFigure 4. TeamTNT LaZagne script (VirusTotal results by hash).\r\nThe use of LaZagne by sophisticated threat groups in their campaigns highlights the tool's effectiveness in capturing passwords and enabling further exploitation.\r\nMonitoring D-Bus API\r\nSince LaZagne leverages D-Bus to extract sensitive data from running applications, we can monitor D-Bus API calls to detect such suspicious activity. Library tracing tools such as those based on Extended Berkeley Packet Filter (eBPF) help expose the D-Bus API calls.\r\nFigure 5 below illustrates monitoring of D-Bus APIs using the bpftrace tool against LaZagne hacktool activity (SHA256: d2421efee7a559085550b5575e2301a7c2ed9541b9e861a23e57361c0cdbdbdb).\r\nbpftrace is a command-line tool for Linux systems, designed for dynamic analysis of kernel and user-level programs. Using bpftrace, we set a user-space probe (uprobe) on the dbus_message_get_args() API, which extracts the arguments from a reply message and is defined in the libdbus-1.so.3 shared object library.\r\nThe one-liner bpftrace probe command we used is as follows:\r\nsudo bpftrace -e 'uprobe:/lib/x86_64-linux-gnu/libdbus-1.so.3:dbus_message_get_args { printf(\"pid: %d, comm: %s, func: %s called with 1st param value: 0x%lx\\n\", pid, comm, func, arg0); }'\r\nFigure 5. Monitoring D-Bus API using bpftrace.\r\nFigure 5 above shows that Pidgin usernames and passwords were successfully dumped by LaZagne (on the left terminal) and the API calls were logged in the bpftrace output (on the right terminal).\r\nNote that a uprobe is attached to one specific library file: the probe above fires only for processes that load that copy of libdbus-1.so.3. The library path differs between distributions, and a tool that ships its own copy of libdbus or links it statically will not trigger the probe, so the path should be adjusted to the target system and the probe treated as one signal among several.\r\nHooking high-level D-Bus APIs and logging details like the process identifier (PID) and program name is useful because it allows us to identify which process is calling the API.\r\nConclusion\r\nClosely monitoring D-Bus APIs can be an important way for defenders to secure applications and connected systems against malware and hacktools. 
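The monitoring approach described in the Monitoring D-Bus API section only becomes a detection once something consumes the bpftrace output and decides which callers are expected. As an added example (not code from the original article, from Unit 42 or from the LaZagne project), the Python below parses lines in the exact printf format of the one-liner, groups dbus_message_get_args() hits by caller and reports any process whose program name is not on a baseline allowlist. The function names, the allowlist, the pid and pointer values and the sample output are all constructed for illustration; a real deployment would build the baseline from a quiet period on the monitored desktop.

```python
# Added example, not LaZagne's or Unit 42's code: turn the bpftrace uprobe output
# from the one-liner above into an allowlist-based alert on unexpected libdbus callers.
from collections import Counter

# Constructed sample of what the one-liner prints. The pid values and the pointer
# values are made up; the line format is the printf format used in the probe.
SAMPLE_OUTPUT = '''
Attaching 1 probe...
pid: 1402, comm: pidgin, func: dbus_message_get_args called with 1st param value: 0x55d1c2a3f8e0
pid: 1402, comm: pidgin, func: dbus_message_get_args called with 1st param value: 0x55d1c2a40120
pid: 4711, comm: laZagne, func: dbus_message_get_args called with 1st param value: 0x7f3a1c0012b0
pid: 4711, comm: laZagne, func: dbus_message_get_args called with 1st param value: 0x7f3a1c0013c0
pid: 4711, comm: laZagne, func: dbus_message_get_args called with 1st param value: 0x7f3a1c0014d0
pid: 988, comm: gnome-shell, func: dbus_message_get_args called with 1st param value: 0x5603a9d1e2f0
pid: 612, comm: dbus-daemon, func: dbus_message_get_args called with 1st param value: 0x5580d0c8f1a0
'''

# Assumed baseline of programs that legitimately use libdbus on this desktop.
# dbus-daemon itself links libdbus and will show up constantly; build the real
# list from a quiet period on the monitored host.
EXPECTED_CALLERS = frozenset({
    'dbus-daemon', 'pidgin', 'gnome-shell', 'pulseaudio', 'NetworkManager', 'systemd',
})

def parse_line(line):
    '''Parse one bpftrace output line into (pid, comm, func, arg0).

    Returns None for lines that are not probe hits (bpftrace banner, blanks).
    arg0 is the DBusMessage pointer the probe printed, kept as an int.
    '''
    if not line.startswith('pid: '):
        return None
    try:
        head, tail = line.split(' called with 1st param value: ', 1)
        fields = dict(part.split(': ', 1) for part in head.split(', '))
        return (int(fields['pid']), fields['comm'], fields['func'], int(tail, 16))
    except (ValueError, KeyError):
        return None

def count_calls(output, func='dbus_message_get_args'):
    '''Count probe hits per (pid, comm) for the given libdbus function.'''
    counts = Counter()
    for raw in output.splitlines():
        rec = parse_line(raw.strip())
        if rec is not None and rec[2] == func:
            counts[(rec[0], rec[1])] += 1
    return counts

def find_unexpected_callers(output, expected=EXPECTED_CALLERS, min_calls=1):
    '''Return {(pid, comm): call_count} for callers outside the baseline.

    min_calls lets an operator ignore one-off hits; a credential dump makes
    several method calls per account, so it shows up as a burst from one pid.
    '''
    return {
        key: n for key, n in count_calls(output).items()
        if key[1] not in expected and n >= min_calls
    }

if __name__ == '__main__':
    import sys
    # Use the constructed sample when run interactively, or pipe real bpftrace
    # output in: sudo bpftrace -e '...' | python3 dbus_callers.py
    data = SAMPLE_OUTPUT if sys.stdin.isatty() else sys.stdin.read()
    for (pid, comm), n in sorted(find_unexpected_callers(data).items()):
        print('ALERT: pid %d (%s) hit dbus_message_get_args %d times' % (pid, comm, n))
```

comm is the kernel's 15-character task name: a tool can rename itself, and LaZagne run from source shows up as python3 rather than laZagne, so treat a hit as a trigger to enrich (executable path from /proc/<pid>/exe, parent process, invoking user) rather than as a verdict on its own.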
Developers and cybersecurity professionals must collaborate to stay informed about security risks and take the necessary actions to protect applications and sensitive user data.\r\nWith the increasing adoption of cloud computing and IoT, robust security measures are essential. Advanced WildFire for Linux, empowered with eBPF, detects D-Bus API related activity. Palo Alto Networks customers receive protection from the LaZagne hacktool in WildFire through YARA and behavioral rules that detect suspicious activity related to the LaZagne threat.\r\nIf you think you may have been compromised or have an urgent matter, get in touch with the Unit 42 Incident Response team or call:\r\nNorth America Toll-Free: 866.486.4842 (866.4.UNIT42)\r\nEMEA: +31.20.299.3130\r\nAPAC: +65.6983.8730\r\nJapan: +81.50.1790.0200\r\nPalo Alto Networks has shared our findings, including file samples and indicators of compromise, with our fellow Cyber Threat Alliance (CTA) members. CTA members use this intelligence to rapidly deploy protections to their customers and to systematically disrupt malicious cyber actors. Learn more about the Cyber Threat Alliance.\r\nAcknowledgments\r\nI would like to thank Yang Ji and Dongrui Zeng for their valuable input and suggestions that helped shape this article.\r\nIndicators of Compromise\r\nLaZagne binary (SHA256): d2421efee7a559085550b5575e2301a7c2ed9541b9e861a23e57361c0cdbdbdb\r\nLaZagne binary (SHA256): d23707e0123732e03d156a0fd474a1384e1b3deee3235df9e96ff5d21a4d440c\r\nLaZagne shell script used in the kubelet campaign (SHA256): b58bef842f6d6d4f53e6821f9ac1b63780267cc81006b649b56c263efeab1306\r\nYARA\r\nrule elf_hacktool_lazagne\r\n{\r\n    meta:\r\n        author = \"Siddharth Sharma - PaloAltoNetworks\"\r\n        description = \"the lazagne hacktool.\"\r\n    strings:\r\n        $str1 = \"lazagne\" ascii wide nocase\r\n        $str2 = \"softwares.chats.pidgin\" ascii wide nocase\r\n        $str3 = \"softwares.wallet.gnome\" ascii wide nocase\r\n        $str4 = \"softwares.sysadmin.shadow\" ascii wide nocase\r\n        $str5 = \"libdbus\" ascii wide nocase\r\n    condition:\r\n        uint32(0) == 0x464c457f and all of them\r\n}\r\nSource: https://unit42.paloaltonetworks.com/lazagne-leverages-d-bus/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"references": [
		"https://unit42.paloaltonetworks.com/lazagne-leverages-d-bus/"
	],
	"report_names": [
		"lazagne-leverages-d-bus"
	],
	"threat_actors": [
		{
			"id": "82b92285-4588-48c9-8578-bb39f903cf62",
			"created_at": "2022-10-25T15:50:23.850506Z",
			"updated_at": "2026-04-10T02:00:05.418577Z",
			"deleted_at": null,
			"main_name": "Charming Kitten",
			"aliases": [
				"Charming Kitten"
			],
			"source_name": "MITRE:Charming Kitten",
			"tools": [
				"DownPaper"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "d8af157e-741b-4933-bb4a-b78490951d97",
			"created_at": "2023-01-06T13:46:38.748929Z",
			"updated_at": "2026-04-10T02:00:03.087356Z",
			"deleted_at": null,
			"main_name": "APT35",
			"aliases": [
				"COBALT MIRAGE",
				"Agent Serpens",
				"Newscaster Team",
				"Magic Hound",
				"G0059",
				"Phosphorus",
				"Mint Sandstorm",
				"TunnelVision"
			],
			"source_name": "MISPGALAXY:APT35",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "f809bfcb-b200-4988-80a8-be78ef6a52ef",
			"created_at": "2023-01-06T13:46:39.186988Z",
			"updated_at": "2026-04-10T02:00:03.240002Z",
			"deleted_at": null,
			"main_name": "TeamTNT",
			"aliases": [
				"Adept Libra"
			],
			"source_name": "MISPGALAXY:TeamTNT",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "c3ca592f-0669-49bd-ab5c-310007ab2fb4",
			"created_at": "2022-10-25T15:50:23.334495Z",
			"updated_at": "2026-04-10T02:00:05.264841Z",
			"deleted_at": null,
			"main_name": "TeamTNT",
			"aliases": [
				"TeamTNT"
			],
			"source_name": "MITRE:TeamTNT",
			"tools": [
				"Peirates",
				"MimiPenguin",
				"LaZagne",
				"Hildegard"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "27e51b73-410e-4a33-93a1-49cf8a743cf7",
			"created_at": "2023-01-06T13:46:39.210675Z",
			"updated_at": "2026-04-10T02:00:03.247656Z",
			"deleted_at": null,
			"main_name": "GOLD DUPONT",
			"aliases": [
				"SPRITE SPIDER"
			],
			"source_name": "MISPGALAXY:GOLD DUPONT",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "029625d2-9734-44f9-9e10-b894b4f57f08",
			"created_at": "2023-01-06T13:46:38.364105Z",
			"updated_at": "2026-04-10T02:00:02.944092Z",
			"deleted_at": null,
			"main_name": "Charming Kitten",
			"aliases": [
				"iKittens",
				"Group 83",
				"NewsBeef",
				"G0058",
				"CharmingCypress",
				"Mint Sandstorm",
				"Parastoo"
			],
			"source_name": "MISPGALAXY:Charming Kitten",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "e3676dfe-3d40-4b3a-bfbd-4fc1f8c896f4",
			"created_at": "2022-10-25T15:50:23.808974Z",
			"updated_at": "2026-04-10T02:00:05.291959Z",
			"deleted_at": null,
			"main_name": "Magic Hound",
			"aliases": [
				"Magic Hound",
				"TA453",
				"COBALT ILLUSION",
				"Charming Kitten",
				"ITG18",
				"Phosphorus",
				"APT35",
				"Mint Sandstorm"
			],
			"source_name": "MITRE:Magic Hound",
			"tools": [
				"Impacket",
				"CharmPower",
				"FRP",
				"Mimikatz",
				"Systeminfo",
				"ipconfig",
				"netsh",
				"PowerLess",
				"Pupy",
				"DownPaper",
				"PsExec"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "ece64b74-f887-4d58-9004-2d1406d37337",
			"created_at": "2022-10-25T16:07:23.794442Z",
			"updated_at": "2026-04-10T02:00:04.751764Z",
			"deleted_at": null,
			"main_name": "LightBasin",
			"aliases": [
				"DecisiveArchitect",
				"Luminal Panda",
				"TH-239",
				"UNC1945"
			],
			"source_name": "ETDA:LightBasin",
			"tools": [
				"CordScan",
				"EVILSUN",
				"FRP",
				"Fast Reverse Proxy",
				"Impacket",
				"LEMONSTICK",
				"LOGBLEACH",
				"LOLBAS",
				"LOLBins",
				"Living off the Land",
				"OKSOLO",
				"OPENSHACKLE",
				"ProxyChains",
				"Pupy",
				"PupyRAT",
				"SIGTRANslator",
				"SLAPSTICK",
				"SMBExec",
				"STEELCORGI",
				"Tiny SHell",
				"pupy",
				"tsh"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "99c7aace-96b1-445b-87e7-d8bdd01d5e03",
			"created_at": "2025-08-07T02:03:24.746965Z",
			"updated_at": "2026-04-10T02:00:03.640335Z",
			"deleted_at": null,
			"main_name": "COBALT ILLUSION",
			"aliases": [
				"APT35 ",
				"APT42 ",
				"Agent Serpens Palo Alto",
				"Charming Kitten ",
				"CharmingCypress ",
				"Educated Manticore Checkpoint",
				"ITG18 ",
				"Magic Hound ",
				"Mint Sandstorm sub-group ",
				"NewsBeef ",
				"Newscaster ",
				"PHOSPHORUS sub-group ",
				"TA453 ",
				"UNC788 ",
				"Yellow Garuda "
			],
			"source_name": "Secureworks:COBALT ILLUSION",
			"tools": [
				"Browser Exploitation Framework (BeEF)",
				"MagicHound Toolset",
				"PupyRAT"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "ac71b0f9-bff8-4b0c-a17c-a528e3bd3c67",
			"created_at": "2023-01-06T13:46:39.428801Z",
			"updated_at": "2026-04-10T02:00:03.324294Z",
			"deleted_at": null,
			"main_name": "Pickaxe",
			"aliases": [
				"Prying Libra"
			],
			"source_name": "MISPGALAXY:Pickaxe",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "1699fb41-b83f-42ff-a6ec-984ae4a1031f",
			"created_at": "2022-10-25T16:07:23.83826Z",
			"updated_at": "2026-04-10T02:00:04.761303Z",
			"deleted_at": null,
			"main_name": "Magic Hound",
			"aliases": [
				"APT 35",
				"Agent Serpens",
				"Ballistic Bobcat",
				"Charming Kitten",
				"CharmingCypress",
				"Cobalt Illusion",
				"Cobalt Mirage",
				"Educated Manticore",
				"G0058",
				"G0059",
				"Magic Hound",
				"Mint Sandstorm",
				"Operation BadBlood",
				"Operation Sponsoring Access",
				"Operation SpoofedScholars",
				"Operation Thamar Reservoir",
				"Phosphorus",
				"TA453",
				"TEMP.Beanie",
				"Tarh Andishan",
				"Timberworm",
				"TunnelVision",
				"UNC788",
				"Yellow Garuda"
			],
			"source_name": "ETDA:Magic Hound",
			"tools": [
				"7-Zip",
				"AnvilEcho",
				"BASICSTAR",
				"CORRUPT KITTEN",
				"CWoolger",
				"CharmPower",
				"ChromeHistoryView",
				"CommandCam",
				"DistTrack",
				"DownPaper",
				"FRP",
				"Fast Reverse Proxy",
				"FireMalv",
				"Ghambar",
				"GoProxy",
				"GorjolEcho",
				"HYPERSCRAPE",
				"Havij",
				"MPK",
				"MPKBot",
				"Matryoshka",
				"Matryoshka RAT",
				"MediaPl",
				"Mimikatz",
				"MischiefTut",
				"NETWoolger",
				"NOKNOK",
				"PINEFLOWER",
				"POWERSTAR",
				"PowerLess Backdoor",
				"PsList",
				"Pupy",
				"PupyRAT",
				"SNAILPROXY",
				"Shamoon",
				"TDTESS",
				"WinRAR",
				"WoolenLogger",
				"Woolger",
				"pupy",
				"sqlmap"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "31c0d0e1-f793-4374-90aa-138ea1daea50",
			"created_at": "2023-11-30T02:00:07.29462Z",
			"updated_at": "2026-04-10T02:00:03.482987Z",
			"deleted_at": null,
			"main_name": "LightBasin",
			"aliases": [
				"UNC1945",
				"CL-CRI-0025"
			],
			"source_name": "MISPGALAXY:LightBasin",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "7268a08d-d4d0-4ebc-bffe-3d35b3ead368",
			"created_at": "2022-10-25T16:07:24.225216Z",
			"updated_at": "2026-04-10T02:00:04.904162Z",
			"deleted_at": null,
			"main_name": "Sprite Spider",
			"aliases": [
				"Gold Dupont",
				"Sprite Spider"
			],
			"source_name": "ETDA:Sprite Spider",
			"tools": [
				"Agentemis",
				"Cobalt Strike",
				"CobaltStrike",
				"Coroxy",
				"Defray 2018",
				"Defray777",
				"DroxiDat",
				"Glushkov",
				"LaZagne",
				"Metasploit",
				"PyXie",
				"PyXie RAT",
				"Ransom X",
				"RansomExx",
				"SharpHound",
				"Shifu",
				"SystemBC",
				"Target777",
				"Vatet",
				"cobeacon"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "07775b09-acd9-498e-895f-f10063115629",
			"created_at": "2024-06-04T02:03:07.817613Z",
			"updated_at": "2026-04-10T02:00:03.650268Z",
			"deleted_at": null,
			"main_name": "GOLD DUPONT",
			"aliases": [
				"Sprite Spider ",
				"Storm-2460 "
			],
			"source_name": "Secureworks:GOLD DUPONT",
			"tools": [
				"777",
				"ArtifactExx",
				"Cobalt Strike",
				"Defray",
				"Metasploit",
				"PipeMagic",
				"PyXie",
				"Shifu",
				"SystemBC",
				"Vatet"
			],
			"source_id": "Secureworks",
			"reports": null
		}
	],
	"ts_created_at": 1775434865,
	"ts_updated_at": 1775792142,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/c0b2ef496fb5d8c5ddc4cb486d377c54e28e46bf.pdf",
		"text": "https://archive.orkl.eu/c0b2ef496fb5d8c5ddc4cb486d377c54e28e46bf.txt",
		"img": "https://archive.orkl.eu/c0b2ef496fb5d8c5ddc4cb486d377c54e28e46bf.jpg"
	}
}