{
	"id": "5840d7b6-69c5-4852-b41d-5731f5c70414",
	"created_at": "2026-04-06T00:15:39.748908Z",
	"updated_at": "2026-04-10T03:38:19.426765Z",
	"deleted_at": null,
	"sha1_hash": "c27642024e5f2a0244488daab443c260eb5d7850",
	"title": "3CX Supply Chain Compromise Leads to ICONIC Incident",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1202926,
	"plain_text": "3CX Supply Chain Compromise Leads to ICONIC Incident\r\nBy mindgrub\r\nPublished: 2023-03-30 · Archived: 2026-04-05 16:45:01 UTC\r\n[Update: Following additional analysis of shellcode used in ICONIC, in conjunction with other observations from\r\nthe wider security community, Volexity now attributes the activity described in this post to the Lazarus threat actor.\r\nSpecifically, in addition to other claims of similarity, the shellcode sequence {E8 00 00 00 00 59 49 89 C8 48 81 C1\r\n58 06 00 00} appears to have been only used in the ICONIC loader and the APPLEJEUS malware, which is known\r\nto be linked to Lazarus. The original post has been left as written.]\r\nOn Wednesday, March 29, 2023, Volexity became aware of a supply chain compromise by a suspected North\r\nKorean threat actor, which Volexity tracks as UTA0040*. Endpoints with the 3CX Desktop application installed\r\nreceived a malicious update of this software that was signed by 3CX and downloaded from their servers. This was\r\npart of the default automatic update process and would result in information-stealing malware being installed on the\r\nvictim’s host. It is possible that additional malicious activity may have taken place if the threat actor deemed the\r\nendpoint to be of sufficient interest.\r\n3CX is a phone system company and claims to have more than 600,000 customers and 12 million users, including\r\nworld-renowned brands. They have posted an update on their website acknowledging the compromise, though it\r\nshould be noted the information in this post should not be deemed conclusive or entirely accurate based on\r\nVolexity’s analysis.\r\nIn a public post on Reddit, CrowdStrike identified signed 3CX installation files as being malicious and reported that\r\ncustomers were seeing malicious activity emanating from the “3CXDesktopApp”. 
Volexity further identified public\r\nhttps://www.volexity.com/blog/2023/03/30/3cx-supply-chain-compromise-leads-to-iconic-incident/\r\nPage 1 of 13\n\nforum postings on 3CX’s own website that stated various endpoint detection and response (EDR) and antivirus (AV)\r\nvendors began flagging malicious activity from updates as early as March 22, 2023. Volexity’s analysis suggests the\r\nmalicious activity likely began much earlier.\r\nVolexity was able to obtain multiple malicious installers for Windows and macOS directly from 3CX download\r\nservers. Analysis of installers from both platforms allowed Volexity to identify several new indicators of\r\ncompromise and gain further insight into how the malware functions.\r\nThis post details what Volexity discovered from its analysis of the malicious installers and the additional files it\r\ndownloads. Highlights of the findings include the following:\r\nBoth the macOS and Windows installers for 3CX are affected.\r\nBased on data recovered from GitHub, infrastructure used by the Windows variant was activated on\r\nDecember 7, 2022.\r\nDomains and web infrastructure used in the attacks were registered as early as November 2022.\r\nA reconnaissance payload was deployed far and wide to Windows users.\r\nThe same functionality to download a payload was identified in the macOS sample, although Volexity could\r\nnot confirm the final payload as the C2 was unresponsive at the time of analysis.\r\nAny endpoint impacted by this malicious update should be isolated and investigated for further signs of\r\ncompromise. 
Organizations should assess the potentially impacted information on these endpoints and look to cycle\r\nsecrets to reduce the risk of additional future compromise.\r\nICONIC Analysis\r\nStage #1: Supply Chain Attacks – ICONIC\r\nVolexity’s analysis began with one of the installers tagged as malicious in public discourse:\r\nName(s) 3CXDesktopApp-18.12.416.msi\r\nSize 97.8MB (102555648 Bytes)\r\nFile Type Windows Installer\r\nMD5 0eeb1c0133eb4d571178b2d9d14ce3e9\r\nSHA1 bfecb8ce89a312d2ef4afc64a63847ae11c6f69e\r\nSHA256 59e1edf4d82fae4978e97512b0331b7eb21dd4b838b850ba46794d9c7a2c0983\r\nThe installer contains a malicious version of ffmpeg.dll, an open-source video player library:\r\nName(s) ffmpeg.dll\r\nSize 2.7MB (2814976 Bytes)\r\nFile Type Win32 DLL\r\nMD5 74bc2d0b6680faa1a5a76b27e5479cbc\r\nSHA1 bf939c9c261d27ee7bb92325cc588624fca75429\r\nSHA256 7986bbaee8940da11ce089383521ab420c443ab7b15ed42aed91fd31ce833896\r\nThe library is loaded by 3CXDesktopApp.exe, and it is used to decode and inject a payload into memory:\r\nName(s) N/A\r\nSize 288.0KB (294912 Bytes)\r\nFile Type application/x-dosexec\r\nMD5 11bc82a9bd8297bd0823bce5d6202082\r\nSHA1 894e7d4ffd764bb458809c7f0643694b036ead30\r\nSHA256 f79c3b0adb6ec7bcc8bc9ae955a1571aaed6755a28c8b17b1d7595ee86840952\r\nThe purpose of this malware, which Volexity will refer to as “ICONIC”, is as follows:\r\nDownload various files that contain additional code, with names such as icon[0-15].ico, hosted at\r\nhttps://github[.]com/IconStorages/images/. (Note: the GitHub repository has since been taken down.)\r\nParse these files to identify a “$” character followed by a base64-encoded string appended to the end of the\r\nICO files.\r\nDecrypt the base64 string using the AES-GCM encryption algorithm. 
All values required to decrypt AES-GCM are derived from a complex function that third-party researchers have indicated is based on a publicly\r\navailable gist.\r\nOnce the string is decoded, it contains the URLs with which the DLL will then communicate to receive a\r\nnext-stage payload.\r\nThe next-stage payload is a JSON object that is then parsed and must further be decrypted (with the same\r\nAES-GCM decryption function). The next stage is expected to be a 64-bit PE that is reflectively loaded\r\nthrough a shellcode loader stored at the head of the file.\r\nA script is provided with this post on GitHub that can be used to decrypt the base64 blobs appended to the ICO files.\r\nVolexity was able to clone the GitHub project, and through the commit history, was also able to retrieve files that\r\nhad previously been deleted. The table below provides details of each file and the decoded URL from each one.\r\nNote that there are duplicate filenames due to deletions, and in some cases the files were identical.\r\nActive Files\r\nFilename Hash (SHA1) Decoded URL\r\nicon0.ico 9c943baad621654cc0a0495262b6175276a0a9fb https://www.3cx[.]com/blog/event-trainings/\r\nicon1.ico 96910a3dbc194a7bf9a452afe8a35eceb904b6e4 https://msstorageazure[.]com/window\r\nicon2.ico ffccc3a29d1582989430e9b6c6d2bff1e3a3bb14 https://officestoragebox[.]com/api/session\r\nicon3.ico 89827af650640c7042077be64dc643230d1f7482 https://visualstudiofactory[.]com/workload\r\nicon4.ico b5de30a83084d6f27d902b96dd12e15c77d1f90b https://azuredeploystore[.]com/cloud/services\r\nicon5.ico 3992dbe9e0b23e0d4ca487faffeb004bcfe9ecc8 https://msstorageboxes[.]com/office\r\nicon6.ico caa77bcd0a1a6629ba1f3ce8d1fc5451d83d0352 https://officeaddons[.]com/technologies\r\nicon7.ico 57a9f3d5d1592a0769886493f566930d8f32a0fc https://sourceslabs[.]com/downloads\r\nicon8.ico f533bea1c0558f73f6a3930343c16945fb75b20f 
https://zacharryblogs[.]com/feed\r\nicon9.ico 31d775ab577f3cc88991d90e9ae58501dbe1f0da https://pbxcloudeservices[.]com/phonesystem\r\nicon10.ico 0d890267ec8d6d2aaf43eaca727c1fbba6acd16e https://akamaitechcloudservices[.]com/v2/storage\r\nicon11.ico 0d890267ec8d6d2aaf43eaca727c1fbba6acd16e https://akamaitechcloudservices[.]com/v2/storage\r\nicon12.ico b1dee3ebcffad01a51ff31ff495fef1d40fdfaa0 https://azureonlinestorage[.]com/azure/storage\r\nicon13.ico 64ab912d0af35c01355430d85dd4181f25e88838 https://msedgepackageinfo[.]com/microsoft-edge\r\nicon14.ico 8377fb40c76aa3ba3efae3d284fa51aa7748e010 https://glcloudservice[.]com/v1/console\r\nicon15.ico 11ae67704ea0b930b2cc966e6d07f8b898f1a7d2 https://pbxsources[.]com/exchange\r\nDeleted Files\r\nFilename Hash (SHA1) Decoded URL\r\nicon1.ico ad37112b302c5193e60f6f6f49f4df668f5d3eb9 https://msedgeupdate[.]net/Windows\r\nicon2.ico ad37112b302c5193e60f6f6f49f4df668f5d3eb9 https://msedgeupdate[.]net/Windows\r\nicon10.ico 3a2138cd38ff2cef246f122a97d3c8f85ab6fc94 https://pbxphonenetwork[.]com/voip\r\nicon0.ico 3df119f322c5182bdbea4ab364eec8a0e23d888b https://msstorageazure[.]com/window\r\nicon1.ico 9c943baad621654cc0a0495262b6175276a0a9fb https://www.3cx[.]com/blog/event-trainings/\r\nicon0.ico 9c943baad621654cc0a0495262b6175276a0a9fb https://www.3cx[.]com/blog/event-trainings/\r\nA summary of the created, last modified, and domain registration times for each of these files is provided as an\r\nattachment to this post here.\r\nVolexity believes the www.3cx[.]com entries were used for testing because, at the time of analysis, these URLs\r\nwould not return a payload that could be parsed by the malware. 
Volexity was not able to retrieve payloads from the\r\nmsedgeupdate[.]net or pbxphonenetwork[.]com domains, while the remainder of the URLs all provided the same\r\nvalid second-stage payload.\r\nThe first commit to the GitHub page containing an ICO file with an encrypted 3cx[.]com URL was added on\r\nDecember 7, 2022, which suggests that the attacker had potentially initiated their own testing of the backdoor at this\r\ntime.\r\nStage #2: ICONIC Stealer\r\nOnce a URL is decoded from an ICO file, a specially formatted request is made to download a second-stage\r\npayload. The format of the request is below:\r\naccept: */*\r\naccept-language: en-US,en;q=0.9\r\naccept-encoding: gzip, deflate, br\r\ncontent-type: text/plain\r\ncookie: __tutma={MachineGuid}\r\nThe MachineGuid is derived from the system’s registry via SOFTWARE\\Microsoft\\Cryptography.\r\nVolexity’s analysis determined that the “cookie” header is the crucial component to retrieving the second-stage\r\npayload. If this value is not sent, no payload is returned to the user; the C2 responds with a 204 (No Content) status\r\ncode instead. Volexity also determined that the second-stage payload servers are forwarding requests upstream to\r\ncentral infrastructure. This assertion is based on the fact that any given MachineGuid sent in the cookie header will\r\nonly work once, even when used with different C2s.\r\nBelow is a snippet of what the returned JSON looks like:\r\n{\"url\":\"\",\"description\":\"\",\"meta\":\"vyoAAL4D\u003csnip\u003e\"}\r\nEach of the live servers returned identical responses, consisting of shellcode followed by a 64-bit DLL, which\r\nVolexity refers to as “ICONICSTEALER”. The DLL was compiled on March 16, 2023, and is designed to collect\r\ninformation about the system and browser using an embedded copy of the SQLite3 library. 
Details of the DLL are\r\ngiven below:\r\nName(s) N/A\r\nSize 1.1MB (1182208 Bytes)\r\nFile Type application/x-dosexec\r\nMD5 7faea2b01796b80d180399040bb69835\r\nSHA1 3b3e778b647371262120a523eb873c20bb82beaf\r\nSHA256 8ab3a5eaaf8c296080fadf56b265194681d7da5da7c02562953a4cb60e147423\r\nThe DLL retrieves the hostname, domain name, and OS version. Then, it will retrieve the browser history (title and\r\nURL) of the following browsers:\r\nBrave\r\nChrome\r\nEdge\r\nFirefox\r\nIt limits the output to the first 500 entries, and it passes this data back to the ICONIC malware that then POSTs the\r\ndata back to the C2. It is likely that the attacker then serves a further payload to victims of interest. Volexity has not\r\nbeen able to retrieve a further payload at this time.\r\nmacOS ICONIC Analysis\r\nThe macOS installer for 3CX was also compromised. The following table shows the details of this installer:\r\nName(s) 3CXDesktopApp-18.12.416.dmg|3CXDesktopApp-latest.dmg\r\nSize 164.2MB (172150545 Bytes)\r\nFile Type Macintosh Disk Image\r\nMD5 d5101c3b86d973a848ab7ed79cd11e5a\r\nSHA1 3dc840d32ce86cebf657b17cef62814646ba8e98\r\nSHA256 e6bbc33815b9f20b0cf832d7401dd893fbc467c800728b5891336706da0dbcec\r\nThe backdoor component is libffmpeg.dylib located in /Contents/Frameworks/Electron\r\nFramework.framework/Versions/A/Libraries. It is worth noting that this is the equivalent of the same library that\r\nwas abused in the Windows binary.\r\nName(s) libffmpeg.dylib\r\nSize 4.7MB (4979136 Bytes)\r\nFile Type Mach-O\r\nMD5 660ea9b8205fbd2da59fefd26ae5115c\r\nSHA1 769383fc65d1386dd141c960c9970114547da0c2\r\nSHA256 a64fa9f1c76457ecc58402142a8728ce34ccba378c17318b3340083eeb7acc67\r\nThe macOS version does not use GitHub to retrieve its C2 server. Instead, a list of C2 servers is stored in the file\r\nencoded with a single byte XOR key, 0x7A. 
Below is a list of the URLs it will attempt to contact. Note that the\r\ndomains largely overlap with the Windows sample, but the URIs are different.\r\nmsstorageazure[.]com/analysis\r\nofficestoragebox[.]com/api/biosync\r\nvisualstudiofactory[.]com/groupcore\r\nazuredeploystore[.]com/cloud/images\r\nmsstorageboxes[.]com/xbox\r\nofficeaddons[.]com/quality\r\nsourceslabs[.]com/status\r\nzacharryblogs[.]com/xmlquery\r\npbxcloudeservices[.]com/network\r\npbxphonenetwork[.]com/phone\r\nakamaitechcloudservices[.]com/v2/fileapi\r\nazureonlinestorage[.]com/google/storage\r\nmsedgepackageinfo[.]com/ms-webview\r\nglcloudservice[.]com/v1/status\r\npbxsources[.]com/queue\r\nwww.3cx[.]com/blog/event-trainings/\r\nIt is interesting to note that IDA Pro is confused by the main malicious function used in the macOS malware. The\r\ndecompiled pseudocode hides most of the features. This means analysts relying on this view may miss the malicious\r\nfunctionality. Figure 1 shows the pseudocode of the function in IDA Pro. Figure 2 shows the same function with\r\nGhidra, with more than 800 lines of pseudocode.\r\nFigure 1. IDA Pro Pseudo Code\r\nFigure 2. Ghidra pseudo code (totaling more than 800 lines)\r\nThe malware randomly picks one of the servers from the list to retrieve the next stage. 
As with the Windows version\r\nof the malware, a specially formatted cookie must be included in the web request to retrieve a further payload:\r\n3cx_auth_id=%s;3cx_auth_token_content=%s;__tutma=true\r\nThe user-agent is also hardcoded and may be used by the attacker to filter valid requests:\r\nMozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/108.0.5359.128\r\nVolexity was not able to retrieve the next stage from the C2 servers, as the upstream C2 infrastructure had stopped\r\nresponding by the time it made requests.\r\nInfrastructure \u0026 Attribution\r\nIn terms of attacker infrastructure, the domains used in these attacks are hosted on shared infrastructure and appear\r\nto simply proxy requests to an unknown upstream C2. Domains were registered with several providers, including\r\nNameCheap, Public Domain Registry, and NameSilo. Some of the domains were not registered using WHOIS\r\nprotection, and each was registered using a unique email address. The following emails were observed in WHOIS\r\nrecords for related domains:\r\ncliego.garcia@proton[.]me\r\nremey.simpson@outlook[.]com\r\njackiewcaudill@gmail[.]com\r\nphilip.je@proton[.]me\r\nharoldjmarable@gmail[.]com\r\nIn terms of attribution, the original CrowdStrike post suggests the incident is related to LABYRINTH CHOLLIMA,\r\nwhich is related to the public Lazarus moniker (although Volexity does not have visibility of exactly which parts of\r\nLazarus this maps to). Volexity cannot currently map the disclosed activity to any threat actor, so it will be tracked\r\nunder UTA0040.\r\nConclusion \u0026 Mitigations\r\nVolexity’s analysis concludes that both the Windows and macOS installers for the 3CX desktop application had\r\nmalicious code inserted into them before being provided to customers. 
This suggests that 3CX was itself\r\ncompromised by the threat actor for a period of time prior to the infection, allowing the attacker to develop an\r\nunderstanding, access, and malicious code for the development-update process of the company.\r\nThe end result for victims of this campaign was that information-stealing malware was installed on endpoints that\r\ninstalled this update, and for selected victims, an additional arbitrary payload may also have been delivered.\r\nSupply chain attacks are relatively rare due to the high level of technical and operational capability required for\r\nsuccess. However, organizations with a large customer base, such as 3CX, are attractive targets due to the broad\r\nlevel of access these attacks can grant threat actors.\r\nVolexity assesses that it is likely UTA0040 is a nation-state-backed threat actor based on the level of capabilities\r\nutilized in this campaign, combined with a perceived intent to gather information from victims for further targeted\r\ncompromise. Crimeware-based threat groups who have historically conducted supply chain attacks typically push\r\nransomware payloads immediately with their access, rather than try to conduct reconnaissance to filter victims of\r\ntheir true payload. While Volexity cannot attribute this cluster to any known group at this time, CrowdStrike has\r\nattributed this activity to LABYRINTH CHOLLIMA, a North Korean group.\r\nSupply chain attacks are complex issues for defenders to defend against. This instance highlights how large code\r\nbases can be backdoored with minor additions to existing code and remain undetected by the software provider and\r\nthe end user. 
However, information in the public domain highlights the value of endpoint and network detection\r\ncapabilities, which provided valuable identification of anomalous behavior that may have prevented further impact\r\nfor end users.\r\nThe infrastructure registration and public artifacts (notably the GitHub page) suggest that the attacker had access to\r\nthe software provider at least as early as December 2022, and perhaps as early as November 2022. It is not clear when\r\nthe first malicious update described in this post was downloaded by victims of this campaign, but the public\r\ndiscussions around detections suggest this could be as early as March 22, 2023. This does not rule out other\r\npotentially malicious activities having occurred before this time related to this software.\r\nTo detect and investigate attacks such as these, Volexity recommends the following:\r\nUse the YARA rules provided here to detect related activity.\r\nUse the provided Suricata rules here to detect related activity. It should be noted that these requests take\r\nplace over HTTPS, meaning they are only effective if this traffic is being decrypted prior to matching.\r\nBlock the IOCs provided here.\r\nAppendix A – Third-Party Reporting\r\nThere is a great deal of third-party reporting on this subject covering various aspects of the campaign. 
A list of\r\nresources is provided below; note that this list was compiled on March 30, 2023, and inevitably more resources will\r\nbecome available after publication.\r\nSocial Media Posts\r\nhttps://twitter.com/cyb3rops/status/1641130326830333984\r\n(https://github.com/SigmaHQ/sigma/pull/4151/files, https://github.com/Neo23x0/signature-base/blob/master/yara/gen_mal_3cx_compromise_mar23.yar)\r\nhttps://twitter.com/cyb3rops/status/1641339448053858304\r\nhttps://twitter.com/patrickwardle/status/1641294247877021696\r\nhttps://twitter.com/fr0gger_/status/1641325932760948737\r\nhttps://twitter.com/donnymaasland/status/1641349104113524736\r\nhttps://twitter.com/jamesspi/status/1641262032870686721\r\nhttps://twitter.com/dez_/status/1641204732445478912\r\nhttps://twitter.com/vxunderground/status/1641261800594210817\r\nCrowdStrike\r\nhttps://www.crowdstrike.com/blog/crowdstrike-detects-and-prevents-active-intrusion-campaign-targeting-3cxdesktopapp-customers/\r\nhttps://www.reddit.com/r/crowdstrike/comments/125r3uu/20230329_situational_awareness_crowdstrike/\r\nSophos\r\nhttps://news.sophos.com/en-us/2023/03/29/3cx-dll-sideloading-attack/\r\nSentinelOne\r\nhttps://www.sentinelone.com/blog/smoothoperator-ongoing-campaign-trojanizes-3cx-software-in-software-supply-chain-attack/\r\nSymantec\r\nhttps://twitter.com/threatintel/status/1641339467398017024\r\n3CX\r\nhttps://www.3cx.com/blog/news/desktopapp-security-alert/\r\nObjective-See\r\nhttps://objective-see.org/blog/blog_0x73.html\r\nBleeping Computer\r\nhttps://www.bleepingcomputer.com/news/security/hackers-compromise-3cx-desktop-app-in-a-supply-chain-attack/\r\nHuntress\r\nhttps://www.huntress.com/blog/3cx-voip-software-compromise-supply-chain-threats\r\n* Beginning in December 2022, Volexity began 
to use the following schema to refer to smaller unclassified clusters\r\nof threat activity not significant enough to warrant their own name: UTAXXXX. In this schema, “UTA” refers to\r\n“Unclassified Threat Actor”, and the numbers that follow are a unique identifier for that group of activity.\r\nSource: https://www.volexity.com/blog/2023/03/30/3cx-supply-chain-compromise-leads-to-iconic-incident/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MITRE",
		"Malpedia"
	],
	"references": [
		"https://www.volexity.com/blog/2023/03/30/3cx-supply-chain-compromise-leads-to-iconic-incident/"
	],
	"report_names": [
		"3cx-supply-chain-compromise-leads-to-iconic-incident"
	],
	"threat_actors": [
		{
			"id": "34eea331-d052-4096-ae03-a22f1d090bd4",
			"created_at": "2025-08-07T02:03:25.073494Z",
			"updated_at": "2026-04-10T02:00:03.709243Z",
			"deleted_at": null,
			"main_name": "NICKEL ACADEMY",
			"aliases": [
				"ATK3 ",
				"Black Artemis ",
				"COVELLITE ",
				"CTG-2460 ",
				"Citrine Sleet ",
				"Diamond Sleet ",
				"Guardians of Peace",
				"HIDDEN COBRA ",
				"High Anonymous",
				"Labyrinth Chollima ",
				"Lazarus Group ",
				"NNPT Group",
				"New Romanic Cyber Army Team",
				"Temp.Hermit ",
				"UNC577 ",
				"Who Am I?",
				"Whois Team",
				"ZINC "
			],
			"source_name": "Secureworks:NICKEL ACADEMY",
			"tools": [
				"Destover",
				"KorHigh",
				"Volgmer"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "544ecd2c-82c9-417c-9d98-d1ae395df964",
			"created_at": "2025-10-29T02:00:52.035025Z",
			"updated_at": "2026-04-10T02:00:05.408558Z",
			"deleted_at": null,
			"main_name": "AppleJeus",
			"aliases": [
				"AppleJeus",
				"Gleaming Pisces",
				"Citrine Sleet",
				"UNC1720",
				"UNC4736"
			],
			"source_name": "MITRE:AppleJeus",
			"tools": null,
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "a2b92056-9378-4749-926b-7e10c4500dac",
			"created_at": "2023-01-06T13:46:38.430595Z",
			"updated_at": "2026-04-10T02:00:02.971571Z",
			"deleted_at": null,
			"main_name": "Lazarus Group",
			"aliases": [
				"Operation DarkSeoul",
				"Bureau 121",
				"Group 77",
				"APT38",
				"NICKEL GLADSTONE",
				"G0082",
				"COPERNICIUM",
				"Moonstone Sleet",
				"Operation GhostSecret",
				"APT 38",
				"Appleworm",
				"Unit 121",
				"ATK3",
				"G0032",
				"ATK117",
				"NewRomanic Cyber Army Team",
				"Nickel Academy",
				"Sapphire Sleet",
				"Lazarus group",
				"Hastati Group",
				"Subgroup: Bluenoroff",
				"Operation Troy",
				"Black Artemis",
				"Dark Seoul",
				"Andariel",
				"Labyrinth Chollima",
				"Operation AppleJeus",
				"COVELLITE",
				"Citrine Sleet",
				"DEV-0139",
				"DEV-1222",
				"Hidden Cobra",
				"Bluenoroff",
				"Stardust Chollima",
				"Whois Hacking Team",
				"Diamond Sleet",
				"TA404",
				"BeagleBoyz",
				"APT-C-26"
			],
			"source_name": "MISPGALAXY:Lazarus Group",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "32a223a8-3c79-4146-87c5-8557d38662ae",
			"created_at": "2022-10-25T15:50:23.703698Z",
			"updated_at": "2026-04-10T02:00:05.261989Z",
			"deleted_at": null,
			"main_name": "Lazarus Group",
			"aliases": [
				"Lazarus Group",
				"Labyrinth Chollima",
				"HIDDEN COBRA",
				"Guardians of Peace",
				"NICKEL ACADEMY",
				"Diamond Sleet"
			],
			"source_name": "MITRE:Lazarus Group",
			"tools": [
				"RawDisk",
				"Proxysvc",
				"BADCALL",
				"FALLCHILL",
				"WannaCry",
				"MagicRAT",
				"HOPLIGHT",
				"TYPEFRAME",
				"Dtrack",
				"HotCroissant",
				"HARDRAIN",
				"Dacls",
				"KEYMARBLE",
				"TAINTEDSCRIBE",
				"AuditCred",
				"netsh",
				"ECCENTRICBANDWAGON",
				"AppleJeus",
				"BLINDINGCAN",
				"ThreatNeedle",
				"Volgmer",
				"Cryptoistic",
				"RATANKBA",
				"Bankshot"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "f32df445-9fb4-4234-99e0-3561f6498e4e",
			"created_at": "2022-10-25T16:07:23.756373Z",
			"updated_at": "2026-04-10T02:00:04.739611Z",
			"deleted_at": null,
			"main_name": "Lazarus Group",
			"aliases": [
				"APT-C-26",
				"ATK 3",
				"Appleworm",
				"Citrine Sleet",
				"DEV-0139",
				"Diamond Sleet",
				"G0032",
				"Gleaming Pisces",
				"Gods Apostles",
				"Gods Disciples",
				"Group 77",
				"Guardians of Peace",
				"Hastati Group",
				"Hidden Cobra",
				"ITG03",
				"Jade Sleet",
				"Labyrinth Chollima",
				"Lazarus Group",
				"NewRomanic Cyber Army Team",
				"Operation 99",
				"Operation AppleJeus",
				"Operation AppleJeus sequel",
				"Operation Blockbuster: Breach of Sony Pictures Entertainment",
				"Operation CryptoCore",
				"Operation Dream Job",
				"Operation Dream Magic",
				"Operation Flame",
				"Operation GhostSecret",
				"Operation In(ter)caption",
				"Operation LolZarus",
				"Operation Marstech Mayhem",
				"Operation No Pineapple!",
				"Operation North Star",
				"Operation Phantom Circuit",
				"Operation Sharpshooter",
				"Operation SyncHole",
				"Operation Ten Days of Rain / DarkSeoul",
				"Operation Troy",
				"SectorA01",
				"Slow Pisces",
				"TA404",
				"TraderTraitor",
				"UNC2970",
				"UNC4034",
				"UNC4736",
				"UNC4899",
				"UNC577",
				"Whois Hacking Team"
			],
			"source_name": "ETDA:Lazarus Group",
			"tools": [
				"3CX Backdoor",
				"3Rat Client",
				"3proxy",
				"AIRDRY",
				"ARTFULPIE",
				"ATMDtrack",
				"AlphaNC",
				"Alreay",
				"Andaratm",
				"AngryRebel",
				"AppleJeus",
				"Aryan",
				"AuditCred",
				"BADCALL",
				"BISTROMATH",
				"BLINDINGCAN",
				"BTC Changer",
				"BUFFETLINE",
				"BanSwift",
				"Bankshot",
				"Bitrep",
				"Bitsran",
				"BlindToad",
				"Bookcode",
				"BootWreck",
				"BottomLoader",
				"Brambul",
				"BravoNC",
				"Breut",
				"COLDCAT",
				"COPPERHEDGE",
				"CROWDEDFLOUNDER",
				"Castov",
				"CheeseTray",
				"CleanToad",
				"ClientTraficForwarder",
				"CollectionRAT",
				"Concealment Troy",
				"Contopee",
				"CookieTime",
				"Cyruslish",
				"DAVESHELL",
				"DBLL Dropper",
				"DLRAT",
				"DRATzarus",
				"DRATzarus RAT",
				"Dacls",
				"Dacls RAT",
				"DarkComet",
				"DarkKomet",
				"DeltaCharlie",
				"DeltaNC",
				"Dembr",
				"Destover",
				"DoublePulsar",
				"Dozer",
				"Dtrack",
				"Duuzer",
				"DyePack",
				"ECCENTRICBANDWAGON",
				"ELECTRICFISH",
				"Escad",
				"EternalBlue",
				"FALLCHILL",
				"FYNLOS",
				"FallChill RAT",
				"Farfli",
				"Fimlis",
				"FoggyBrass",
				"FudModule",
				"Fynloski",
				"Gh0st RAT",
				"Ghost RAT",
				"Gopuram",
				"HARDRAIN",
				"HIDDEN COBRA RAT/Worm",
				"HLOADER",
				"HOOKSHOT",
				"HOPLIGHT",
				"HOTCROISSANT",
				"HOTWAX",
				"HTTP Troy",
				"Hawup",
				"Hawup RAT",
				"Hermes",
				"HotCroissant",
				"HotelAlfa",
				"Hotwax",
				"HtDnDownLoader",
				"Http Dr0pper",
				"ICONICSTEALER",
				"Joanap",
				"Jokra",
				"KANDYKORN",
				"KEYMARBLE",
				"Kaos",
				"KillDisk",
				"KillMBR",
				"Koredos",
				"Krademok",
				"LIGHTSHIFT",
				"LIGHTSHOW",
				"LOLBAS",
				"LOLBins",
				"Lazarus",
				"LightlessCan",
				"Living off the Land",
				"MATA",
				"MBRkiller",
				"MagicRAT",
				"Manuscrypt",
				"Mimail",
				"Mimikatz",
				"Moudour",
				"Mydoom",
				"Mydoor",
				"Mytob",
				"NACHOCHEESE",
				"NachoCheese",
				"NestEgg",
				"NickelLoader",
				"NineRAT",
				"Novarg",
				"NukeSped",
				"OpBlockBuster",
				"PCRat",
				"PEBBLEDASH",
				"PLANKWALK",
				"POOLRAT",
				"PSLogger",
				"PhanDoor",
				"Plink",
				"PondRAT",
				"PowerBrace",
				"PowerRatankba",
				"PowerShell RAT",
				"PowerSpritz",
				"PowerTask",
				"Preft",
				"ProcDump",
				"Proxysvc",
				"PuTTY Link",
				"QUICKRIDE",
				"QUICKRIDE.POWER",
				"Quickcafe",
				"QuiteRAT",
				"R-C1",
				"ROptimizer",
				"Ratabanka",
				"RatabankaPOS",
				"Ratankba",
				"RatankbaPOS",
				"RawDisk",
				"RedShawl",
				"Rifdoor",
				"Rising Sun",
				"Romeo-CoreOne",
				"RomeoAlfa",
				"RomeoBravo",
				"RomeoCharlie",
				"RomeoCore",
				"RomeoDelta",
				"RomeoEcho",
				"RomeoFoxtrot",
				"RomeoGolf",
				"RomeoHotel",
				"RomeoMike",
				"RomeoNovember",
				"RomeoWhiskey",
				"Romeos",
				"RustBucket",
				"SHADYCAT",
				"SHARPKNOT",
				"SIGFLIP",
				"SIMPLESEA",
				"SLICKSHOES",
				"SORRYBRUTE",
				"SUDDENICON",
				"SUGARLOADER",
				"SheepRAT",
				"SierraAlfa",
				"SierraBravo",
				"SierraCharlie",
				"SierraJuliett-MikeOne",
				"SierraJuliett-MikeTwo",
				"SimpleTea",
				"SimplexTea",
				"SmallTiger",
				"Stunnel",
				"TAINTEDSCRIBE",
				"TAXHAUL",
				"TFlower",
				"TOUCHKEY",
				"TOUCHMOVE",
				"TOUCHSHIFT",
				"TOUCHSHOT",
				"TWOPENCE",
				"TYPEFRAME",
				"Tdrop",
				"Tdrop2",
				"ThreatNeedle",
				"Tiger RAT",
				"TigerRAT",
				"Trojan Manuscript",
				"Troy",
				"TroyRAT",
				"VEILEDSIGNAL",
				"VHD",
				"VHD Ransomware",
				"VIVACIOUSGIFT",
				"VSingle",
				"ValeforBeta",
				"Volgmer",
				"Vyveva",
				"W1_RAT",
				"Wana Decrypt0r",
				"WanaCry",
				"WanaCrypt",
				"WanaCrypt0r",
				"WannaCry",
				"WannaCrypt",
				"WannaCryptor",
				"WbBot",
				"Wcry",
				"Win32/KillDisk.NBB",
				"Win32/KillDisk.NBC",
				"Win32/KillDisk.NBD",
				"Win32/KillDisk.NBH",
				"Win32/KillDisk.NBI",
				"WinorDLL64",
				"Winsec",
				"WolfRAT",
				"Wormhole",
				"YamaBot",
				"Yort",
				"ZetaNile",
				"concealment_troy",
				"http_troy",
				"httpdr0pper",
				"httpdropper",
				"klovbot",
				"sRDI"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434539,
	"ts_updated_at": 1775792299,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/c27642024e5f2a0244488daab443c260eb5d7850.pdf",
		"text": "https://archive.orkl.eu/c27642024e5f2a0244488daab443c260eb5d7850.txt",
		"img": "https://archive.orkl.eu/c27642024e5f2a0244488daab443c260eb5d7850.jpg"
	}
}