{
	"id": "bde6c60c-b1ae-48a3-a123-f3dcd9133258",
	"created_at": "2026-04-06T01:32:09.691878Z",
	"updated_at": "2026-04-10T13:12:02.416889Z",
	"deleted_at": null,
	"sha1_hash": "c4eacec9dd2f4ab7f1e8aaeb42435bdc300d6748",
	"title": "The DPRK strikes using a new variant of RUSTBUCKET",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1856059,
	"plain_text": "The DPRK strikes using a new variant of RUSTBUCKET\r\nBy Salim Bitam, Ricardo Ungureanu, Colson Wilhoit, Seth Goodwin, Andrew Pease\r\nPublished: 2023-07-14 · Archived: 2026-04-06 00:22:39 UTC\r\nKey takeaways\r\nThe RUSTBUCKET malware family is in an active development phase, adding built-in persistence and focusing on signature reduction.\r\nREF9135 actors are continually shifting their infrastructure to evade detection and response.\r\nThe DPRK continues financially motivated attacks against cryptocurrency service providers.\r\nIf you are running Elastic Defend, you are protected from REF9135.\r\nPreamble\r\nThe Elastic Security Labs team has detected a new variant of the RUSTBUCKET malware, a family that has been previously attributed to the BlueNorOff group by Jamf Threat Labs in April 2023.\r\nThis variant of RUSTBUCKET, a malware family that targets macOS systems, adds persistence capabilities not previously observed and, at the time of reporting, is undetected by VirusTotal signature engines. Elastic Defend behavioral and prebuilt detection rules provide protection and visibility for users. 
We have also released a signature to prevent execution of this malware.\r\nThe research into REF9135 used host, binary, and network analysis to identify and attribute intrusions observed by this research team, and other intelligence groups, with high confidence to the Lazarus Group, a cybercrime and espionage organization operated by the Democratic People’s Republic of North Korea (DPRK).\r\nThis research will describe:\r\nREF9135’s use of RUSTBUCKET for sustained operations at a cryptocurrency payment services provider\r\nReversing of an undetected variant of RUSTBUCKET that adds a built-in persistence mechanism\r\nHow victimology, initial infection, malware, and network C2 intersections from first and third-party collection align with previous Lazarus Group reporting\r\nRUSTBUCKET code analysis\r\nOverview\r\nOur research has identified a persistence capability not previously seen in the RUSTBUCKET family of malware, leading us to believe that this family is under active development. Additionally, at the time of publication, this new variant has zero detections on VirusTotal and is leveraging a dynamic network infrastructure methodology for command and control.\r\nhttps://www.elastic.co/security-labs/DPRK-strikes-using-a-new-variant-of-rustbucket\r\nPage 1 of 10\r\nExecution flow of REF9135\r\nStage 1\r\nDuring Stage 1, the process begins with the execution of an AppleScript utilizing the /usr/bin/osascript command. This AppleScript is responsible for initiating the download of the Stage 2 binary from the C2 using cURL. This session includes the string pd in the body of the HTTP request and cur1-agent as the User-Agent string, and it saves the Stage 2 binary to /users/shared/.pd (7887638bcafd57e2896c7c16698e927ce92fd7d409aae698d33cdca3ce8d25b8).\r\nStage 1 command line\r\nStage 2\r\nThe Stage 2 binary (.pd) is compiled in Swift and operates based on command-line arguments. 
The binary expects a C2 URL to be provided as the first parameter when executed. Upon execution, it invokes the downAndExec function, which is responsible for preparing a POST HTTP request. To initiate this request, the binary sets the User-Agent string as mozilla/4.0 (compatible; msie 8.0; windows nt 5.1; trident/4.0) and includes the string pw in the body of the HTTP request.\r\nSetting the HTTP parameters before sending the request\r\nDuring execution, the malware utilizes specific macOS APIs for various operations. It begins with NSFileManager's temporaryDirectory function to obtain the current temporary folder, then generates a random UUID using NSUUID's UUID.init method. Finally, the malware combines the temporary directory path with the generated UUID to create a unique file location and writes the payload to it.\r\nOnce the payload, representing Stage 3 of the attack, is written to disk, the malware utilizes NSTask to initiate its execution.\r\nGenerating the Stage 3 file path\r\nStage 3\r\nIn Stage 3, the malware (9ca914b1cfa8c0ba021b9e00bda71f36cad132f27cf16bda6d937badee66c747) is a FAT macOS binary written in Rust that supports both ARM and Intel architectures. It requires a C2 URL to be supplied as a parameter.\r\nThe malware initiates its operations by dynamically generating a 16-byte random value at runtime. This value serves as a distinctive identifier for the specific instance of the active malware. Subsequently, the malware proceeds to gather comprehensive system information, including:\r\nComputer name\r\nList of active processes\r\nCurrent timestamp\r\nInstallation timestamp\r\nSystem boot time\r\nStatus of all running processes within the system\r\nThe malware establishes its initial connection to the C2 server by transmitting the gathered data via a POST request. 
The request is accompanied by a User-Agent string formatted as Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0).\r\nUpon receiving the request, the C2 server responds with a command ID, which serves as an instruction for the malware. The malware is designed to handle only two commands.\r\nCommand ID 0x31\r\nThis command directs the malware to self-terminate.\r\nCommand ID 0x30\r\nThis command enables the operator to upload malicious Mach-O binaries or shell scripts to the system and execute them. The payload is stored in a randomly generated temporary path and created within the current user TMP directory following the naming convention of $TMPDIR/.<8 random digits>\r\nBelow is a summary of the command structure, indicating the constants, arguments, and payload components for easy comprehension.\r\nCommand structure example\r\nThe malware proceeds by granting execution permissions to the uploaded file using the chmod API.\r\nAfter executing the payload, the malware sends a status update to the server, notifying it of the completed execution, and then sleeps for 60 seconds. Following this delay, the malware loops to collect system information once again and remains in a waiting state, anticipating the arrival of the next command from the server.\r\nThe undetected version of RUSTBUCKET\r\nUsing code similarities from the sample in our telemetry, we searched VirusTotal and identified an undetected variant of RUSTBUCKET.\r\nAs of the publication of this research, the newly discovered version of the malware has not been flagged by any antivirus engines on VirusTotal. A thorough analysis of the sample brought to light the addition of a new persistence capability and C2 infrastructure. 
The behavioral rules for Elastic Defend prevent, and Elastic’s prebuilt detection rules identify, this activity. We have also released a signature that will prevent this new variant of RUSTBUCKET.\r\nVirusTotal results at the time of publication\r\nPersistence\r\nA predominant method utilized by malware to achieve persistence on macOS is through the utilization of LaunchAgents. In macOS, users have individual LaunchAgents folders within their Library directory, enabling them to define code that executes upon each user login. Additionally, a system-level LaunchAgents folder exists, capable of executing code for all users during the login process. Elastic Defend monitors for the creation of LaunchAgents and LaunchDaemons containing malicious or suspicious values as a way to detect these persistence techniques.\r\nIn the case of this updated RUSTBUCKET sample, it establishes its own persistence by adding a plist file at the path /Users/<user>/Library/LaunchAgents/com.apple.systemupdate.plist, and it copies the malware’s binary to the following path: /Users/<user>/Library/Metadata/System Update.\r\nFile content of plist used for persistence\r\nThere are several elements of the plist file, using standard true/false or string values:\r\nLabel: The key \"Label\" specifies the name of the LaunchAgent, which in this case is com.apple.systemupdate. This expects a string value.\r\nRunAtLoad: This indicates that the LaunchAgent should execute its associated code immediately upon loading, specifically during system startup or user login. 
This expects a true/false value.\r\nLaunchOnlyOnce: This prevents the malware from being executed multiple times concurrently and expects a true/false value.\r\nKeepAlive: This key instructs the system to keep the LaunchAgent running and relaunch it if it terminates unexpectedly. This expects a true/false value.\r\nProgramArguments: The \"ProgramArguments\" key specifies an array of strings that define the program or script to be executed by the LaunchAgent. This expects a string value and in this case, the LaunchAgent executes the file located at \"/Users/<user>/Library/Metadata/System Update\" and provides the C2 URL \"https://webhostwatto.work[.]gd\" as an argument to the malware.\r\nRUSTBUCKET and REF9135 analysis\r\nOverview\r\nThe RUSTBUCKET campaign has previously been associated with BlueNorOff by Jamf and Sekoia.io. BlueNorOff is believed to be operating at the behest of the DPRK for the purposes of financial gain in order to ease the strain of global sanctions. BlueNorOff is a sub-unit of the overarching DPRK offensive cyber attack organization, the Lazarus Group. The 2016 Bangladesh Bank robbery stands out as BlueNorOff's most notorious attack, wherein their objective was to illicitly transfer over $850M from the Federal Reserve Bank of New York account owned by Bangladesh Bank, the central bank of Bangladesh, by exploiting the SWIFT network.\r\nAs an analyst note, if you’re interested in a tremendously verbose and detailed walkthrough of this intrusion, Geoff White and Jean Lee released a 19-part podcast through the BBC World Service that is an unbelievable account of this event.\r\nNetworking infrastructure\r\nThe persistence mechanism identified previously calls out to https://webhostwatto.work[.]gd. 
Third-party research into this URL indicates that 12/89 VirusTotal vendors have identified it as malicious, and it exists within a community collection documenting the DangerousPassword phishing campaign.\r\nVT detections and community collections for https://webhostwatto.work[.]gd\r\nVirusTotal last saw the domain pointing to 104.168.167[.]88, which was specifically identified in a Sekoia.io blog in May as part of BlueNorOff’s RUSTBUCKET campaign.\r\nUpdated RUSTBUCKET IP (104.168.167[.]88) previously identified by Sekoia.io\r\nFurther connecting webhostwatto.work[.]gd to DangerousPassword, BlueNorOff, and the DPRK campaigns, this domain shares a TLS leaf certificate fingerprint hash (1031871a8bb920033af87078e4a418ebd30a5d06152cd3c2c257aecdf8203ce6) with another domain, companydeck[.]online.\r\ncompanydeck[.]online is included in the VirusTotal Graph (VirusTotal account required) for APT38, which is also known as DangerousPassword, BlueNorOff, etc.\r\nSelection from the VirusTotal Graph for DangerousPassword\r\nDangerousPassword and BlueNorOff are campaigns that have both been previously associated with the DPRK.\r\nUsing the IP address (64.44.141[.]15) for our initial C2 domain, crypto.hondchain[.]com, we uncovered 3 additional C2 domains:\r\nstarbucls[.]xyz\r\njaicvc[.]com\r\ndocsend.linkpc[.]net (dynamic DNS domain)\r\nWhile there are only 5 hosts (4 total domains) registered to the C2 IP address (indicating that this was not a high-capacity hosting server), we looked for additional relationships to increase the association confidence between the domains. To do this, we replicated the same fingerprinting process previously used with webhostwatto.work[.]gd. 
The TLS fingerprint hash for starbucls[.]xyz (788261d948177acfcfeb1f839053c8ee9f325bd6fb3f07637a7465acdbbef76a) is the same fingerprint as jaicvc[.]com.\r\nBecause these two domains share the same TLS fingerprint hash and were both registered to the same IP address, we were able to cluster these atomic entities, and their siblings, together with high confidence:\r\nAll hosts were registered to 64.44.141[.]15\r\nstarbucls[.]xyz and crypto.hondchain[.]com were observed being used by our malware samples\r\nstarbucls[.]xyz and jaicvc[.]com shared a TLS fingerprint\r\nDomains registered to REF9135 C2 IP address\r\nLooking at the “First” column (when they were first observed through 3rd party passive DNS), these hosts are being created rapidly, likely as an attempt to stay ahead of detection efforts by research teams. We are associating the following domains and IP address to the REF9135 campaign with high confidence:\r\nstarbucls[.]xyz\r\njaicvc[.]com\r\ncrypto.hondchain[.]com\r\n64.44.141[.]15\r\nWe have not observed docsend.linkpc[.]net being used with the RUSTBUCKET samples we analyzed. 
However, its shared IP registration and host siblings lead us to state with a moderate degree of confidence that it is directly related to RUSTBUCKET and REF9135 as C2 infrastructure, and with a high degree of confidence that it is malicious (shared infrastructure as part of other campaigns).\r\nDefense evasion\r\nThe campaign owners used techniques to hinder the collection of Stage 2 and Stage 3 binaries by analysts who may have overlooked User-Agent strings in their investigations, as well as by internet scanners and sandboxes focused on collecting malicious binaries.\r\nAs outlined in the Stage 1 section, a specific User-Agent string (cur1-agent) is expected when downloading the Stage 2 binary. If you do not use the expected User-Agent, you will be provided with a 405 HTTP response status code (Method Not Allowed).\r\nIt also appears that the campaign owners are monitoring their payload staging infrastructure. Using the expected User-Agent for the Stage 3 binary download (mozilla/4.0 (compatible; msie 8.0; windows nt 5.1; trident/4.0)), we were able to collect the Stage 3 binary.\r\nFinally, we observed REF9135 changing its C2 domain once we began to collect the Stage 2 and 3 binaries for analysis. When making subsequent requests to the original server (crypto.hondchain[.]com), we received a 404 HTTP response status code (Not Found) and shortly after, a new C2 server was identified (starbucls[.]xyz). 
This could be because we caught the binary before it was rolled off as part of a normal operational security practice (don’t leave your valuable payload attached to the Internet to be discovered) or because they observed a connection to their infrastructure that was not from their targeted network.\r\nOf note, while the User-Agent strings above could initially appear to an analyst to be the default cURL or Firefox User-Agent strings, they are not. The default cURL User-Agent string is curl/version.number whereas the malware uses cur1-agent (using a 1 in place of the l in “curl”). Additionally, the “Firefox” string is all lowercase (mozilla/4.0 (compatible; msie 8.0; windows nt 5.1; trident/4.0)), unlike actual Firefox User-Agent strings, which are camel-cased.\r\nThis User-Agent requirement for downloading payloads allows the attackers to restrict distribution to only requestors who know the correct UA string. This provides strong protection against both scanning services and researchers, who would otherwise have early access to hosted malicious files for analysis and detection engineering.\r\nVictimology\r\nThe REF9135 victim is a venture-backed cryptocurrency company providing services to businesses such as payroll and business-to-business transactions, with a headquarters in the United States. This victim fits the mold from prior reporting on BlueNorOff targeting organizations with access to large amounts of cryptocurrency for theft.\r\nObserved adversary tactics and techniques\r\nElastic uses the MITRE ATT&CK framework to document common tactics, techniques, and procedures that advanced persistent threats use against enterprise networks.\r\nTactics\r\nTactics represent the why of a technique or sub-technique. 
It is the adversary’s tactical goal: the reason for performing an action.\r\nInitial access\r\nExecution\r\nDefense evasion\r\nDiscovery\r\nLateral movement\r\nCommand and control\r\nDiamond model\r\nElastic Security utilizes the Diamond Model to describe high-level relationships between adversaries, capabilities, infrastructure, and victims of intrusions. While the Diamond Model is most commonly used with single intrusions, leveraging Activity Threading (section 8) as a way to create relationships between incidents, an adversary-centered (section 7.1.4) approach allows for a single, although cluttered, diamond.\r\nREF9135 Diamond Model\r\nDetection logic\r\nPrevention\r\nMacOS.Trojan.RustBucket\r\nPersistence via Suspicious Launch Agent or Launch Daemon\r\nHunting queries\r\nThe events for EQL are provided with the Elastic Agent using the Elastic Defend integration. Hunting queries could return a high volume of signals or false positives. These queries are used to identify potentially suspicious behavior, but an investigation is required to validate the findings.\r\nEQL queries\r\nUsing the Timeline section of the Security Solution in Kibana under the “Correlation” tab, you can use the below EQL queries to hunt for behaviors observed in REF9135.\r\nSuspicious Curl File Download via Osascript\r\nprocess where process.parent.name : \"osascript\" and process.name : \"curl\" and process.args : \"-o\"\r\nSuspicious URL as argument to Self-Signed Binary\r\nprocess where event.type == \"start\" and event.action == \"exec\" and\r\n  process.code_signature.trusted == false and\r\n  process.code_signature.signing_id regex~ \"\"\"[A-Za-z0-9\\_\\s]{2,}\\-[a-z0-9]{40}\"\"\" and\r\n  process.args : \"http*\" and process.args_count <= 3\r\nYARA\r\nElastic Security has created YARA rules to identify this activity. 
Below are YARA rules to identify the RUSTBUCKET malware:\r\nrule MacOS_Trojan_RustBucket {\r\n    meta:\r\n        author = \"Elastic Security\"\r\n        creation_date = \"2023-06-26\"\r\n        last_modified = \"2023-06-26\"\r\n        license = \"Elastic License v2\"\r\n        os = \"MacOS\"\r\n        arch = \"x86\"\r\n        category_type = \"Trojan\"\r\n        family = \"RustBucket\"\r\n        threat_name = \"MacOS.Trojan.RustBucket\"\r\n        reference_sample = \"9ca914b1cfa8c0ba021b9e00bda71f36cad132f27cf16bda6d937badee66c747\"\r\n        severity = 100\r\n    strings:\r\n        $user_agent = \"User-AgentMozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0)\"\r\n        $install_log = \"/var/log/install.log\"\r\n        $timestamp = \"%Y-%m-%d %H:%M:%S\"\r\n    condition:\r\n        all of them\r\n}\r\nReferences\r\nThe following were referenced throughout the above research:\r\nhttps://www.jamf.com/blog/BlueNorOff-apt-targets-macos-rustbucket-malware/\r\nhttps://blog.sekoia.io/BlueNorOffs-rustbucket-campaign/\r\nObservations\r\nAll observables are also available for download in both ECS and STIX format in a combined zip bundle.\r\nThe following observables were discussed in this research.\r\nObservable | Type | Name | Reference\r\nwebhostwatto.work[.]gd | Domain | N/A | REF9135 C2\r\ncrypto.hondchain[.]com | Domain | N/A | REF9135 C2\r\nstarbucls[.]xyz | Domain | N/A | REF9135 C2\r\njaicvc[.]com | Domain | N/A | REF9135 C2\r\ndocsend.linkpc[.]net | Domain | N/A | REF9135 C2\r\ncompanydeck[.]online | Domain | N/A | Associated by TLS fingerprint\r\n104.168.167[.]88 | ipv4 | N/A | REF9135 C2\r\n64.44.141[.]15 | ipv4 | N/A | REF9135 C2\r\n788261d948177acfcfeb1f839053c8ee9f325bd6fb3f07637a7465acdbbef76a | x509-certificate | jaicvc[.]com | REF9135 C2 fingerprint hash\r\n1031871a8bb920033af87078e4a418ebd30a5d06152cd3c2c257aecdf8203ce6 | x509-certificate | webhostwatto.work[.]gd | REF9135 C2 fingerprint hash\r\n
9ca914b1cfa8c0ba021b9e00bda71f36cad132f27cf16bda6d937badee66c747 | SHA-256 | N/A | MacOS.Trojan\r\n7fccc871c889a4f4c13a977fdd5f062d6de23c3ffd27e72661c986fae6370387 | SHA-256 | N/A | MacOS.Trojan\r\nec8f97d5595d92ec678ffbf5ae1f60ce90e620088927f751c76935c46aa7dc41 | SHA-256 | N/A | MacOS.Trojan\r\nde81e5246978775a45f3dbda43e2716aaa1b1c4399fe7d44f918fccecc4dd500 | SHA-256 | ErrorCheck | MacOS.Trojan\r\n4f49514ab1794177a61c50c63b93b903c46f9b914c32ebe9c96aa3cbc1f99b16 | SHA-256 | N/A | MacOS.Trojan\r\nfe8c0e881593cc3dfa7a66e314b12b322053c67cbc9b606d5a2c0a12f097ef69 | SHA-256 | N/A | MacOS.Trojan\r\n7887638bcafd57e2896c7c16698e927ce92fd7d409aae698d33cdca3ce8d25b8 | SHA-256 | /Users/Shared/.pd | Stage 2\r\nSource: https://www.elastic.co/security-labs/DPRK-strikes-using-a-new-variant-of-rustbucket",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia",
		"ETDA"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://www.elastic.co/security-labs/DPRK-strikes-using-a-new-variant-of-rustbucket"
	],
	"report_names": [
		"DPRK-strikes-using-a-new-variant-of-rustbucket"
	],
	"threat_actors": [
		{
			"id": "34eea331-d052-4096-ae03-a22f1d090bd4",
			"created_at": "2025-08-07T02:03:25.073494Z",
			"updated_at": "2026-04-10T02:00:03.709243Z",
			"deleted_at": null,
			"main_name": "NICKEL ACADEMY",
			"aliases": [
				"ATK3 ",
				"Black Artemis ",
				"COVELLITE ",
				"CTG-2460 ",
				"Citrine Sleet ",
				"Diamond Sleet ",
				"Guardians of Peace",
				"HIDDEN COBRA ",
				"High Anonymous",
				"Labyrinth Chollima ",
				"Lazarus Group ",
				"NNPT Group",
				"New Romanic Cyber Army Team",
				"Temp.Hermit ",
				"UNC577 ",
				"Who Am I?",
				"Whois Team",
				"ZINC "
			],
			"source_name": "Secureworks:NICKEL ACADEMY",
			"tools": [
				"Destover",
				"KorHigh",
				"Volgmer"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "732597b1-40a8-474c-88cc-eb8a421c29f1",
			"created_at": "2025-08-07T02:03:25.087732Z",
			"updated_at": "2026-04-10T02:00:03.776007Z",
			"deleted_at": null,
			"main_name": "NICKEL GLADSTONE",
			"aliases": [
				"APT38 ",
				"ATK 117 ",
				"Alluring Pisces ",
				"Black Alicanto ",
				"Bluenoroff ",
				"CTG-6459 ",
				"Citrine Sleet ",
				"HIDDEN COBRA ",
				"Lazarus Group",
				"Sapphire Sleet ",
				"Selective Pisces ",
				"Stardust Chollima ",
				"T-APT-15 ",
				"TA444 ",
				"TAG-71 "
			],
			"source_name": "Secureworks:NICKEL GLADSTONE",
			"tools": [
				"AlphaNC",
				"Bankshot",
				"CCGC_Proxy",
				"Ratankba",
				"RustBucket",
				"SUGARLOADER",
				"SwiftLoader",
				"Wcry"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "a2b92056-9378-4749-926b-7e10c4500dac",
			"created_at": "2023-01-06T13:46:38.430595Z",
			"updated_at": "2026-04-10T02:00:02.971571Z",
			"deleted_at": null,
			"main_name": "Lazarus Group",
			"aliases": [
				"Operation DarkSeoul",
				"Bureau 121",
				"Group 77",
				"APT38",
				"NICKEL GLADSTONE",
				"G0082",
				"COPERNICIUM",
				"Moonstone Sleet",
				"Operation GhostSecret",
				"APT 38",
				"Appleworm",
				"Unit 121",
				"ATK3",
				"G0032",
				"ATK117",
				"NewRomanic Cyber Army Team",
				"Nickel Academy",
				"Sapphire Sleet",
				"Lazarus group",
				"Hastati Group",
				"Subgroup: Bluenoroff",
				"Operation Troy",
				"Black Artemis",
				"Dark Seoul",
				"Andariel",
				"Labyrinth Chollima",
				"Operation AppleJeus",
				"COVELLITE",
				"Citrine Sleet",
				"DEV-0139",
				"DEV-1222",
				"Hidden Cobra",
				"Bluenoroff",
				"Stardust Chollima",
				"Whois Hacking Team",
				"Diamond Sleet",
				"TA404",
				"BeagleBoyz",
				"APT-C-26"
			],
			"source_name": "MISPGALAXY:Lazarus Group",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "32a223a8-3c79-4146-87c5-8557d38662ae",
			"created_at": "2022-10-25T15:50:23.703698Z",
			"updated_at": "2026-04-10T02:00:05.261989Z",
			"deleted_at": null,
			"main_name": "Lazarus Group",
			"aliases": [
				"Lazarus Group",
				"Labyrinth Chollima",
				"HIDDEN COBRA",
				"Guardians of Peace",
				"NICKEL ACADEMY",
				"Diamond Sleet"
			],
			"source_name": "MITRE:Lazarus Group",
			"tools": [
				"RawDisk",
				"Proxysvc",
				"BADCALL",
				"FALLCHILL",
				"WannaCry",
				"MagicRAT",
				"HOPLIGHT",
				"TYPEFRAME",
				"Dtrack",
				"HotCroissant",
				"HARDRAIN",
				"Dacls",
				"KEYMARBLE",
				"TAINTEDSCRIBE",
				"AuditCred",
				"netsh",
				"ECCENTRICBANDWAGON",
				"AppleJeus",
				"BLINDINGCAN",
				"ThreatNeedle",
				"Volgmer",
				"Cryptoistic",
				"RATANKBA",
				"Bankshot"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "f426f0a0-faef-4c0e-bcf8-88974116c9d0",
			"created_at": "2022-10-25T15:50:23.240383Z",
			"updated_at": "2026-04-10T02:00:05.299433Z",
			"deleted_at": null,
			"main_name": "APT38",
			"aliases": [
				"APT38",
				"NICKEL GLADSTONE",
				"BeagleBoyz",
				"Bluenoroff",
				"Stardust Chollima",
				"Sapphire Sleet",
				"COPERNICIUM"
			],
			"source_name": "MITRE:APT38",
			"tools": [
				"ECCENTRICBANDWAGON",
				"HOPLIGHT",
				"Mimikatz",
				"KillDisk",
				"DarkComet"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "1bdb91cf-f1a6-4bed-8cfa-c7ea1b635ebd",
			"created_at": "2022-10-25T16:07:23.766784Z",
			"updated_at": "2026-04-10T02:00:04.7432Z",
			"deleted_at": null,
			"main_name": "Bluenoroff",
			"aliases": [
				"APT 38",
				"ATK 117",
				"Alluring Pisces",
				"Black Alicanto",
				"Bluenoroff",
				"CTG-6459",
				"Copernicium",
				"G0082",
				"Nickel Gladstone",
				"Sapphire Sleet",
				"Selective Pisces",
				"Stardust Chollima",
				"T-APT-15",
				"TA444",
				"TAG-71",
				"TEMP.Hermit"
			],
			"source_name": "ETDA:Bluenoroff",
			"tools": [],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "f32df445-9fb4-4234-99e0-3561f6498e4e",
			"created_at": "2022-10-25T16:07:23.756373Z",
			"updated_at": "2026-04-10T02:00:04.739611Z",
			"deleted_at": null,
			"main_name": "Lazarus Group",
			"aliases": [
				"APT-C-26",
				"ATK 3",
				"Appleworm",
				"Citrine Sleet",
				"DEV-0139",
				"Diamond Sleet",
				"G0032",
				"Gleaming Pisces",
				"Gods Apostles",
				"Gods Disciples",
				"Group 77",
				"Guardians of Peace",
				"Hastati Group",
				"Hidden Cobra",
				"ITG03",
				"Jade Sleet",
				"Labyrinth Chollima",
				"Lazarus Group",
				"NewRomanic Cyber Army Team",
				"Operation 99",
				"Operation AppleJeus",
				"Operation AppleJeus sequel",
				"Operation Blockbuster: Breach of Sony Pictures Entertainment",
				"Operation CryptoCore",
				"Operation Dream Job",
				"Operation Dream Magic",
				"Operation Flame",
				"Operation GhostSecret",
				"Operation In(ter)caption",
				"Operation LolZarus",
				"Operation Marstech Mayhem",
				"Operation No Pineapple!",
				"Operation North Star",
				"Operation Phantom Circuit",
				"Operation Sharpshooter",
				"Operation SyncHole",
				"Operation Ten Days of Rain / DarkSeoul",
				"Operation Troy",
				"SectorA01",
				"Slow Pisces",
				"TA404",
				"TraderTraitor",
				"UNC2970",
				"UNC4034",
				"UNC4736",
				"UNC4899",
				"UNC577",
				"Whois Hacking Team"
			],
			"source_name": "ETDA:Lazarus Group",
			"tools": [
				"3CX Backdoor",
				"3Rat Client",
				"3proxy",
				"AIRDRY",
				"ARTFULPIE",
				"ATMDtrack",
				"AlphaNC",
				"Alreay",
				"Andaratm",
				"AngryRebel",
				"AppleJeus",
				"Aryan",
				"AuditCred",
				"BADCALL",
				"BISTROMATH",
				"BLINDINGCAN",
				"BTC Changer",
				"BUFFETLINE",
				"BanSwift",
				"Bankshot",
				"Bitrep",
				"Bitsran",
				"BlindToad",
				"Bookcode",
				"BootWreck",
				"BottomLoader",
				"Brambul",
				"BravoNC",
				"Breut",
				"COLDCAT",
				"COPPERHEDGE",
				"CROWDEDFLOUNDER",
				"Castov",
				"CheeseTray",
				"CleanToad",
				"ClientTraficForwarder",
				"CollectionRAT",
				"Concealment Troy",
				"Contopee",
				"CookieTime",
				"Cyruslish",
				"DAVESHELL",
				"DBLL Dropper",
				"DLRAT",
				"DRATzarus",
				"DRATzarus RAT",
				"Dacls",
				"Dacls RAT",
				"DarkComet",
				"DarkKomet",
				"DeltaCharlie",
				"DeltaNC",
				"Dembr",
				"Destover",
				"DoublePulsar",
				"Dozer",
				"Dtrack",
				"Duuzer",
				"DyePack",
				"ECCENTRICBANDWAGON",
				"ELECTRICFISH",
				"Escad",
				"EternalBlue",
				"FALLCHILL",
				"FYNLOS",
				"FallChill RAT",
				"Farfli",
				"Fimlis",
				"FoggyBrass",
				"FudModule",
				"Fynloski",
				"Gh0st RAT",
				"Ghost RAT",
				"Gopuram",
				"HARDRAIN",
				"HIDDEN COBRA RAT/Worm",
				"HLOADER",
				"HOOKSHOT",
				"HOPLIGHT",
				"HOTCROISSANT",
				"HOTWAX",
				"HTTP Troy",
				"Hawup",
				"Hawup RAT",
				"Hermes",
				"HotCroissant",
				"HotelAlfa",
				"Hotwax",
				"HtDnDownLoader",
				"Http Dr0pper",
				"ICONICSTEALER",
				"Joanap",
				"Jokra",
				"KANDYKORN",
				"KEYMARBLE",
				"Kaos",
				"KillDisk",
				"KillMBR",
				"Koredos",
				"Krademok",
				"LIGHTSHIFT",
				"LIGHTSHOW",
				"LOLBAS",
				"LOLBins",
				"Lazarus",
				"LightlessCan",
				"Living off the Land",
				"MATA",
				"MBRkiller",
				"MagicRAT",
				"Manuscrypt",
				"Mimail",
				"Mimikatz",
				"Moudour",
				"Mydoom",
				"Mydoor",
				"Mytob",
				"NACHOCHEESE",
				"NachoCheese",
				"NestEgg",
				"NickelLoader",
				"NineRAT",
				"Novarg",
				"NukeSped",
				"OpBlockBuster",
				"PCRat",
				"PEBBLEDASH",
				"PLANKWALK",
				"POOLRAT",
				"PSLogger",
				"PhanDoor",
				"Plink",
				"PondRAT",
				"PowerBrace",
				"PowerRatankba",
				"PowerShell RAT",
				"PowerSpritz",
				"PowerTask",
				"Preft",
				"ProcDump",
				"Proxysvc",
				"PuTTY Link",
				"QUICKRIDE",
				"QUICKRIDE.POWER",
				"Quickcafe",
				"QuiteRAT",
				"R-C1",
				"ROptimizer",
				"Ratabanka",
				"RatabankaPOS",
				"Ratankba",
				"RatankbaPOS",
				"RawDisk",
				"RedShawl",
				"Rifdoor",
				"Rising Sun",
				"Romeo-CoreOne",
				"RomeoAlfa",
				"RomeoBravo",
				"RomeoCharlie",
				"RomeoCore",
				"RomeoDelta",
				"RomeoEcho",
				"RomeoFoxtrot",
				"RomeoGolf",
				"RomeoHotel",
				"RomeoMike",
				"RomeoNovember",
				"RomeoWhiskey",
				"Romeos",
				"RustBucket",
				"SHADYCAT",
				"SHARPKNOT",
				"SIGFLIP",
				"SIMPLESEA",
				"SLICKSHOES",
				"SORRYBRUTE",
				"SUDDENICON",
				"SUGARLOADER",
				"SheepRAT",
				"SierraAlfa",
				"SierraBravo",
				"SierraCharlie",
				"SierraJuliett-MikeOne",
				"SierraJuliett-MikeTwo",
				"SimpleTea",
				"SimplexTea",
				"SmallTiger",
				"Stunnel",
				"TAINTEDSCRIBE",
				"TAXHAUL",
				"TFlower",
				"TOUCHKEY",
				"TOUCHMOVE",
				"TOUCHSHIFT",
				"TOUCHSHOT",
				"TWOPENCE",
				"TYPEFRAME",
				"Tdrop",
				"Tdrop2",
				"ThreatNeedle",
				"Tiger RAT",
				"TigerRAT",
				"Trojan Manuscript",
				"Troy",
				"TroyRAT",
				"VEILEDSIGNAL",
				"VHD",
				"VHD Ransomware",
				"VIVACIOUSGIFT",
				"VSingle",
				"ValeforBeta",
				"Volgmer",
				"Vyveva",
				"W1_RAT",
				"Wana Decrypt0r",
				"WanaCry",
				"WanaCrypt",
				"WanaCrypt0r",
				"WannaCry",
				"WannaCrypt",
				"WannaCryptor",
				"WbBot",
				"Wcry",
				"Win32/KillDisk.NBB",
				"Win32/KillDisk.NBC",
				"Win32/KillDisk.NBD",
				"Win32/KillDisk.NBH",
				"Win32/KillDisk.NBI",
				"WinorDLL64",
				"Winsec",
				"WolfRAT",
				"Wormhole",
				"YamaBot",
				"Yort",
				"ZetaNile",
				"concealment_troy",
				"http_troy",
				"httpdr0pper",
				"httpdropper",
				"klovbot",
				"sRDI"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775439129,
	"ts_updated_at": 1775826722,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/c4eacec9dd2f4ab7f1e8aaeb42435bdc300d6748.pdf",
		"text": "https://archive.orkl.eu/c4eacec9dd2f4ab7f1e8aaeb42435bdc300d6748.txt",
		"img": "https://archive.orkl.eu/c4eacec9dd2f4ab7f1e8aaeb42435bdc300d6748.jpg"
	}
}