{ "id": "1e123476-c9f2-4712-9191-9332b1246d7d", "created_at": "2026-04-06T00:13:19.252095Z", "updated_at": "2026-04-10T03:38:20.329132Z", "deleted_at": null, "sha1_hash": "c7fa57cc6ec733b35ed5d0e65bbd598fa19877fd", "title": "Lazarus Group Exploiting Log4Shell Vulnerability (NukeSped) - ASEC", "llm_title": "", "authors": "", "file_creation_date": "0001-01-01T00:00:00Z", "file_modification_date": "0001-01-01T00:00:00Z", "file_size": 1641538, "plain_text": "Lazarus Group Exploiting Log4Shell Vulnerability (NukeSped) -\r\nASEC\r\nBy ATCP\r\nPublished: 2022-05-10 · Archived: 2026-04-05 19:17:22 UTC\r\nIn December last year, the vulnerability (CVE-2021-44228) of Java-based logging utility Log4j became a\r\nworldwide issue. It is a remote code execution vulnerability that can include the remote Java object address in the\r\nlog message and send it to the server using Log4j to run the Java object in the server.\r\nThe ASEC analysis team is monitoring the Lazarus group’s attacks on targets in Korea. In April, the team\r\ndiscovered an attack group suspected of being Lazarus distributing NukeSped by exploiting the vulnerability. The\r\nattacker used the log4j vulnerability on VMware Horizon products that were not applied with the security patch.\r\nThe products are virtual desktop solutions, used mainly by companies for remote working solutions and cloud\r\ninfrastructure operations. With the recent spread of Covid-19, it is likely that many companies are using the\r\nproducts for remote working.\r\nNukeSped\r\nThe following is AhnLab’s ASD (AhnLab Smart Defense) log for NukeSped being installed by the powershell\r\ncommand executed on VMware Horizon’s process ‘ws_tomcatservice.exe’.\r\nhttps://asec.ahnlab.com/en/34461/\r\nPage 1 of 7\n\nAnalysis of NukeSped\r\nNukeSped is a backdoor malware that can receive attacker commands from the C\u0026C server and perform the\r\nreceived commands. The malware type mentioned in this post is one of the variants of NukeSped, that have been\r\nused by the Lazarus group since 2020. The variant was discussed in detail in the ASEC blog post shown below.\r\nThis post will briefly introduce the NukeSped type used in the attack and compare it with the previous version.\r\nThe variant is developed with C++. As it uses virtual functions, class names are included in the binary (see Figure\r\n2).\r\nIt normally uses DES algorithm to decrypt internal strings including API names and the list of C\u0026C servers. To\r\ncommunicate with the C\u0026C server, it uses the RC4 algorithm. But there are some changes as well: the previous\r\nblog post had types that used the Xor encryption (CryptorXor class) instead of the RC4 algorithm to communicate\r\nwith the C\u0026C server. But for this attack, there was a type using the RC4 algorithm for internal strings, a list of\r\nC\u0026C servers, and C\u0026C server communication. Each process uses a different value for the RC4 key.\r\nRC4 Key 1 (decrypting strings): 7B CA D5 7E 1B AE 26 D8 60 1B 61 DA 83 80 11 72 01 6C 54 D8 8A\r\nE8 DE 7B 1A 0A\r\nhttps://asec.ahnlab.com/en/34461/\r\nPage 2 of 7\n\nRC4 Key 2 (C\u0026C communications): CD 80 5D D6 6C 1C 63 78 AF 13 7F 67 5B E9 B1 F4 87 27 EE 91\r\nF3 5F 17 EE 9B 6A 28 61 8C F4\r\nAfter the process for decrypting strings and API Resolving is complete, the malware starts communicating with\r\nthe C\u0026C server. NukeSped goes through an additional verification process after accessing the C\u0026C server by\r\nsending a string disguised as SSL communication. When the malware receives certain strings, it will recognize the\r\nserver as a normal C\u0026C server and proceeds with the routine. As shown in the previous analysis report, there are\r\ntwo types of strings used for the process.\r\n  C\u0026C Requests C\u0026C Responses\r\nType 1 HTTP 1.1 /index.php?member=sbi2009 SSL3.3.7 HTTP 1.1 200 OK SSL2.1\r\nType 2 HTTP 1.1 /member.php SSL3.4 HTTP 1.1 200 OK SSL2.1\r\nTable 1. C\u0026C request and response values for each type\r\nThe malware then finds the MAC address of the user environment and sends it to the C\u0026C server after encrypting\r\nit with the RC4 algorithm. It will also encrypt packets with the algorithm in the subsequent communications.\r\nhttps://asec.ahnlab.com/en/34461/\r\nPage 3 of 7\n\nNukeSped can perform keylogging, taking screenshots, and file and shell tasks depending on the command it\r\nreceives. The features exist in the classes shown below. Note that ModuleUsbDump and ModuleWebCamera are\r\nnew features discovered in this attack.\r\nModuleUpdate\r\nModuleShell\r\nModuleFileManager\r\nModuleKeyLogger\r\nModuleSocksTunnel\r\nModuleScreenCapture\r\nModuleInformation\r\nModulePortForwarder\r\nModuleUsbDump\r\nModuleWebCamera\r\nAttacks using NukeSped\r\nInstalling INFOSTEALER\r\nThe attacker used NukeSped to additionally install infostealer. The 2 malware types discovered are both console\r\ntypes, not saving the leak result in separate files. As such, it is assumed that the attacker remotely controlled the\r\nGUI screen of the user PC or leaked data in the pipeline form. One of the 2 malwares is the same file used in the\r\nprevious attack.\r\nThe list of softwares and data for info-leakage is as follows:\r\nhttps://asec.ahnlab.com/en/34461/\r\nPage 4 of 7\n\nCollected Data: accounts and passwords saved in browsers, browser history\r\nTargeted Software: Google Chrome, Mozilla Firefox, Internet Explorer, Opera, and Naver Whale\r\nCollected Data: email account information\r\nTargeted Software: Outlook Express, MS Office Outlook, and Windows Live Mail\r\nCollected Data: Names of recently used files\r\nTargeted Software: MS Office (PowerPoint, Excel, and Word) and Hancom 2010\r\nNukeSped Use Commands\r\nThe attacker collected additional information by using backdoor malware NukeSped to send command line\r\ncommands. The following commands show the basic network and domain information of the environment that has\r\nthe infected system. The collected information can be used later in lateral movement attacks. If the attack\r\nsucceeds, the attacker can dominate the systems within the domain.\r\ncmd.exe /c “ping 11.11.11.1”\r\ncmd.exe /c “ipconfig /all”\r\ncmd.exe /c “query user”\r\ncmd.exe “net group “domain admins” /domain”\r\nnet user _smuser white1234!@#$\r\ncmd.exe “net localgroup administrators /add smi140199”\r\nJin Miner\r\nAnalyzing the ASD log for the infected system shows that before the Lazarus group installed NukeSped, other\r\nattackers had already exploited the vulnerability to install Jin Miner. Jin Miner is known as a malware strain\r\ndistributed through the Log4Shell vulnerability, as shown in the previous Sophos report.\r\nInstalled in the path shown above through the powershell command, Jin Miner is a CoinMiner that ultimately\r\nmines the Monero coin.\r\nhttps://asec.ahnlab.com/en/34461/\r\nPage 5 of 7\n\nMD5\r\n131fc4375971af391b459de33f81c253\r\n1875f6a68f70bee316c8a6eda9ebf8de\r\n47791bf9e017e3001ddc68a7351ca2d6\r\n7a19c59c4373cadb4556f7e30ddd91ac\r\n7ef97450e84211f9f35d45e1e6ae1481\r\nAdditional IOCs are available on AhnLab TIP.\r\nURL\r\nhttp[:]//185[.]29[.]8[.]18/htroy[.]exe\r\nhttp[:]//185[.]29[.]8[.]18[:]8888/\r\nhttps://asec.ahnlab.com/en/34461/\r\nPage 6 of 7\n\nhttp[:]//84[.]38[.]133[.]145[:]443/\r\nhttp[:]//84[.]38[.]133[.]16[:]8443/\r\nhttp[:]//iosk[.]org/pms/add[.]bat\r\nAdditional IOCs are available on AhnLab TIP.\r\nSource: https://asec.ahnlab.com/en/34461/\r\nhttps://asec.ahnlab.com/en/34461/\r\nPage 7 of 7", "extraction_quality": 1, "language": "EN", "sources": [ "ETDA" ], "references": [ "https://asec.ahnlab.com/en/34461/" ], "report_names": [ "34461" ], "threat_actors": [ { "id": "34eea331-d052-4096-ae03-a22f1d090bd4", "created_at": "2025-08-07T02:03:25.073494Z", "updated_at": "2026-04-10T02:00:03.709243Z", "deleted_at": null, "main_name": "NICKEL ACADEMY", "aliases": [ "ATK3 ", "Black Artemis ", "COVELLITE ", "CTG-2460 ", "Citrine Sleet ", "Diamond Sleet ", "Guardians of Peace", "HIDDEN COBRA ", "High Anonymous", "Labyrinth Chollima ", "Lazarus Group ", "NNPT Group", "New Romanic Cyber Army Team", "Temp.Hermit ", "UNC577 ", "Who Am I?", "Whois Team", "ZINC " ], "source_name": "Secureworks:NICKEL ACADEMY", "tools": [ "Destover", "KorHigh", "Volgmer" ], "source_id": "Secureworks", "reports": null }, { "id": "732597b1-40a8-474c-88cc-eb8a421c29f1", "created_at": "2025-08-07T02:03:25.087732Z", "updated_at": "2026-04-10T02:00:03.776007Z", "deleted_at": null, "main_name": "NICKEL GLADSTONE", "aliases": [ "APT38 ", "ATK 117 ", "Alluring Pisces ", "Black Alicanto ", "Bluenoroff ", "CTG-6459 ", "Citrine Sleet ", "HIDDEN COBRA ", "Lazarus Group", "Sapphire Sleet ", "Selective Pisces ", "Stardust Chollima ", "T-APT-15 ", "TA444 ", "TAG-71 " ], "source_name": "Secureworks:NICKEL GLADSTONE", "tools": [ "AlphaNC", "Bankshot", "CCGC_Proxy", "Ratankba", "RustBucket", "SUGARLOADER", "SwiftLoader", "Wcry" ], "source_id": "Secureworks", "reports": null }, { "id": "a2b92056-9378-4749-926b-7e10c4500dac", "created_at": "2023-01-06T13:46:38.430595Z", "updated_at": "2026-04-10T02:00:02.971571Z", "deleted_at": null, "main_name": "Lazarus Group", "aliases": [ "Operation DarkSeoul", "Bureau 121", "Group 77", "APT38", "NICKEL GLADSTONE", "G0082", "COPERNICIUM", "Moonstone Sleet", "Operation GhostSecret", "APT 38", "Appleworm", "Unit 121", "ATK3", "G0032", "ATK117", "NewRomanic Cyber Army Team", "Nickel Academy", "Sapphire Sleet", "Lazarus group", "Hastati Group", "Subgroup: Bluenoroff", "Operation Troy", "Black Artemis", "Dark Seoul", "Andariel", "Labyrinth Chollima", "Operation AppleJeus", "COVELLITE", "Citrine Sleet", "DEV-0139", "DEV-1222", "Hidden Cobra", "Bluenoroff", "Stardust Chollima", "Whois Hacking Team", "Diamond Sleet", "TA404", "BeagleBoyz", "APT-C-26" ], "source_name": "MISPGALAXY:Lazarus Group", "tools": [], "source_id": "MISPGALAXY", "reports": null }, { "id": "32a223a8-3c79-4146-87c5-8557d38662ae", "created_at": "2022-10-25T15:50:23.703698Z", "updated_at": "2026-04-10T02:00:05.261989Z", "deleted_at": null, "main_name": "Lazarus Group", "aliases": [ "Lazarus Group", "Labyrinth Chollima", "HIDDEN COBRA", "Guardians of Peace", "NICKEL ACADEMY", "Diamond Sleet" ], "source_name": "MITRE:Lazarus Group", "tools": [ "RawDisk", "Proxysvc", "BADCALL", "FALLCHILL", "WannaCry", "MagicRAT", "HOPLIGHT", "TYPEFRAME", "Dtrack", "HotCroissant", "HARDRAIN", "Dacls", "KEYMARBLE", "TAINTEDSCRIBE", "AuditCred", "netsh", "ECCENTRICBANDWAGON", "AppleJeus", "BLINDINGCAN", "ThreatNeedle", "Volgmer", "Cryptoistic", "RATANKBA", "Bankshot" ], "source_id": "MITRE", "reports": null }, { "id": "f32df445-9fb4-4234-99e0-3561f6498e4e", "created_at": "2022-10-25T16:07:23.756373Z", "updated_at": "2026-04-10T02:00:04.739611Z", "deleted_at": null, "main_name": "Lazarus Group", "aliases": [ "APT-C-26", "ATK 3", "Appleworm", "Citrine Sleet", "DEV-0139", "Diamond Sleet", "G0032", "Gleaming Pisces", "Gods Apostles", "Gods Disciples", "Group 77", "Guardians of Peace", "Hastati Group", "Hidden Cobra", "ITG03", "Jade Sleet", "Labyrinth Chollima", "Lazarus Group", "NewRomanic Cyber Army Team", "Operation 99", "Operation AppleJeus", "Operation AppleJeus sequel", "Operation Blockbuster: Breach of Sony Pictures Entertainment", "Operation CryptoCore", "Operation Dream Job", "Operation Dream Magic", "Operation Flame", "Operation GhostSecret", "Operation In(ter)caption", "Operation LolZarus", "Operation Marstech Mayhem", "Operation No Pineapple!", "Operation North Star", "Operation Phantom Circuit", "Operation Sharpshooter", "Operation SyncHole", "Operation Ten Days of Rain / DarkSeoul", "Operation Troy", "SectorA01", "Slow Pisces", "TA404", "TraderTraitor", "UNC2970", "UNC4034", "UNC4736", "UNC4899", "UNC577", "Whois Hacking Team" ], "source_name": "ETDA:Lazarus Group", "tools": [ "3CX Backdoor", "3Rat Client", "3proxy", "AIRDRY", "ARTFULPIE", "ATMDtrack", "AlphaNC", "Alreay", "Andaratm", "AngryRebel", "AppleJeus", "Aryan", "AuditCred", "BADCALL", "BISTROMATH", "BLINDINGCAN", "BTC Changer", "BUFFETLINE", "BanSwift", "Bankshot", "Bitrep", "Bitsran", "BlindToad", "Bookcode", "BootWreck", "BottomLoader", "Brambul", "BravoNC", "Breut", "COLDCAT", "COPPERHEDGE", "CROWDEDFLOUNDER", "Castov", "CheeseTray", "CleanToad", "ClientTraficForwarder", "CollectionRAT", "Concealment Troy", "Contopee", "CookieTime", "Cyruslish", "DAVESHELL", "DBLL Dropper", "DLRAT", "DRATzarus", "DRATzarus RAT", "Dacls", "Dacls RAT", "DarkComet", "DarkKomet", "DeltaCharlie", "DeltaNC", "Dembr", "Destover", "DoublePulsar", "Dozer", "Dtrack", "Duuzer", "DyePack", "ECCENTRICBANDWAGON", "ELECTRICFISH", "Escad", "EternalBlue", "FALLCHILL", "FYNLOS", "FallChill RAT", "Farfli", "Fimlis", "FoggyBrass", "FudModule", "Fynloski", "Gh0st RAT", "Ghost RAT", "Gopuram", "HARDRAIN", "HIDDEN COBRA RAT/Worm", "HLOADER", "HOOKSHOT", "HOPLIGHT", "HOTCROISSANT", "HOTWAX", "HTTP Troy", "Hawup", "Hawup RAT", "Hermes", "HotCroissant", "HotelAlfa", "Hotwax", "HtDnDownLoader", "Http Dr0pper", "ICONICSTEALER", "Joanap", "Jokra", "KANDYKORN", "KEYMARBLE", "Kaos", "KillDisk", "KillMBR", "Koredos", "Krademok", "LIGHTSHIFT", "LIGHTSHOW", "LOLBAS", "LOLBins", "Lazarus", "LightlessCan", "Living off the Land", "MATA", "MBRkiller", "MagicRAT", "Manuscrypt", "Mimail", "Mimikatz", "Moudour", "Mydoom", "Mydoor", "Mytob", "NACHOCHEESE", "NachoCheese", "NestEgg", "NickelLoader", "NineRAT", "Novarg", "NukeSped", "OpBlockBuster", "PCRat", "PEBBLEDASH", "PLANKWALK", "POOLRAT", "PSLogger", "PhanDoor", "Plink", "PondRAT", "PowerBrace", "PowerRatankba", "PowerShell RAT", "PowerSpritz", "PowerTask", "Preft", "ProcDump", "Proxysvc", "PuTTY Link", "QUICKRIDE", "QUICKRIDE.POWER", "Quickcafe", "QuiteRAT", "R-C1", "ROptimizer", "Ratabanka", "RatabankaPOS", "Ratankba", "RatankbaPOS", "RawDisk", "RedShawl", "Rifdoor", "Rising Sun", "Romeo-CoreOne", "RomeoAlfa", "RomeoBravo", "RomeoCharlie", "RomeoCore", "RomeoDelta", "RomeoEcho", "RomeoFoxtrot", "RomeoGolf", "RomeoHotel", "RomeoMike", "RomeoNovember", "RomeoWhiskey", "Romeos", "RustBucket", "SHADYCAT", "SHARPKNOT", "SIGFLIP", "SIMPLESEA", "SLICKSHOES", "SORRYBRUTE", "SUDDENICON", "SUGARLOADER", "SheepRAT", "SierraAlfa", "SierraBravo", "SierraCharlie", "SierraJuliett-MikeOne", "SierraJuliett-MikeTwo", "SimpleTea", "SimplexTea", "SmallTiger", "Stunnel", "TAINTEDSCRIBE", "TAXHAUL", "TFlower", "TOUCHKEY", "TOUCHMOVE", "TOUCHSHIFT", "TOUCHSHOT", "TWOPENCE", "TYPEFRAME", "Tdrop", "Tdrop2", "ThreatNeedle", "Tiger RAT", "TigerRAT", "Trojan Manuscript", "Troy", "TroyRAT", "VEILEDSIGNAL", "VHD", "VHD Ransomware", "VIVACIOUSGIFT", "VSingle", "ValeforBeta", "Volgmer", "Vyveva", "W1_RAT", "Wana Decrypt0r", "WanaCry", "WanaCrypt", "WanaCrypt0r", "WannaCry", "WannaCrypt", "WannaCryptor", "WbBot", "Wcry", "Win32/KillDisk.NBB", "Win32/KillDisk.NBC", "Win32/KillDisk.NBD", "Win32/KillDisk.NBH", "Win32/KillDisk.NBI", "WinorDLL64", "Winsec", "WolfRAT", "Wormhole", "YamaBot", "Yort", "ZetaNile", "concealment_troy", "http_troy", "httpdr0pper", "httpdropper", "klovbot", "sRDI" ], "source_id": "ETDA", "reports": null } ], "ts_created_at": 1775434399, "ts_updated_at": 1775792300, "ts_creation_date": 0, "ts_modification_date": 0, "files": { "pdf": "https://archive.orkl.eu/c7fa57cc6ec733b35ed5d0e65bbd598fa19877fd.pdf", "text": "https://archive.orkl.eu/c7fa57cc6ec733b35ed5d0e65bbd598fa19877fd.txt", "img": "https://archive.orkl.eu/c7fa57cc6ec733b35ed5d0e65bbd598fa19877fd.jpg" } }