{
	"id": "a9a7465a-31cb-45b8-b4a5-e2bbe38d3844",
	"created_at": "2026-04-06T00:20:11.370059Z",
	"updated_at": "2026-04-10T03:38:19.862843Z",
	"deleted_at": null,
	"sha1_hash": "cf93575e1ae2129f8ed6524d669c46b79269cc17",
	"title": "Hunting Lazarus: Inside the Contagious Interview C2 Infrastructure",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 118664,
	"plain_text": "Hunting Lazarus: Inside the Contagious Interview C2\r\nInfrastructure\r\nBy Red Asgard Threat Research Team\r\nPublished: 2026-01-12 · Archived: 2026-04-05 21:06:28 UTC\r\nWe found North Korean malware in a client's Upwork project. Then we spent five days mapping the attackers'\r\ninfrastructure.\r\nWhen you vet enough freelancer code repositories, you develop instincts. A .vscode/tasks.json with runOn:\r\nfolderOpen. A getCookie() function that fetches from a Vercel domain. An errorHandler.js with\r\nFunction.constructor. These patterns don't belong in legitimate projects.\r\nIn early January 2026, during routine vetting of a cryptocurrency project sourced via Upwork, Red Asgard's threat\r\nresearch team discovered all three. The contractor—using a fake identity—had embedded malware in a legitimate-looking code repository.\r\nWhat followed was a five-day investigation into active Lazarus Group infrastructure. This article documents what\r\nwe found.\r\nThree Attack Vectors\r\nThe repository contained three distinct infection mechanisms:\r\n1. VSCode Auto-Execution A .vscode/tasks.json file configured with runOn: folderOpen—meaning the\r\nmalicious code executes the moment a developer opens the project folder in VSCode or Cursor.\r\n2. Backend RCE via Function Constructor An errorHandler.js file containing:\r\nconst handler = new (Function.constructor)('require', errCode);\r\nreturn handler;\r\nhandlerFunc(require); // Execute with full Node.js access\r\n3. Cookie Payload Delivery (Vynlence variant) A getCookie() function that fetches malicious JavaScript from\r\nC2, disguised as benign cookie retrieval. The C2 returns { cookie: \"\u003cjavascript_code\u003e\" } which is then\r\nexecuted via Function.constructor.\r\nAll three vectors pointed to Vercel-hosted Stage 1 C2 servers. 
We set up an isolated analysis environment and\r\nfollowed the trail.\r\nhttps://redasgard.com/blog/hunting-lazarus-contagious-interview-c2-infrastructure\r\nPage 1 of 11\n\nThe Infrastructure We Mapped\r\nStage 1: Vercel Distribution\r\nDomain Endpoint Token\r\ntask-hrec.vercel.app /task/linux?token= f93a38103457\r\nkb102531x.vercel.app /api/x bc7302f71ff3\r\nbrantwork.vercel.app /c/{token} bc7302f71ff3\r\nStage 2: Dedicated C2 Servers\r\nIP Hostname ASN Role\r\n147.124.213.232 WR232 AS396073 (Majestic Hosting) Primary C2\r\n147.124.212.125 W9_125 AS396073 Secondary C2\r\n216.250.251.87 WIN-8OA3CCQAE4D AS396073 Backup\r\n45.43.11.199 WIN-4MOD9QVI0EN AS397423 (TIER-NET) Router (offline)\r\n66.235.63.55 - AS397423 MetaMask Injector\r\n66.235.168.238 Z238 AS397423 Chrome Stealer C2\r\n45.59.163.55 PS55 AS397423 Chrome Stealer C2\r\nAll servers run Windows Server 2019/2022 with Express.js on port 1244, pyftpdlib FTP on port 21, and\r\nRDP/WinRM for operator access.\r\nThe Timing Oracle\r\nDuring reconnaissance, we discovered a timing oracle that allows enumeration of valid campaign tokens:\r\nToken Type Response Time\r\nValid ~400ms\r\nInvalid ~6000ms (timeout)\r\nThis 15x timing differential reveals whether a token is actively serviced. 
We used this to enumerate three active\r\ncampaigns: hkMrMq7, kmHgMq7, and dGVhbTE1 (base64 for \"team15\").\r\nDetection opportunity: Monitor for sequential requests to /c/{token} with systematic token variations.\r\nThe Payload Chain\r\nThe C2 serves modular payloads via token-authenticated endpoints:\r\nEndpoint Module Purpose Size\r\n/c/{token} Chrome stealer Browser data extraction 13 KB\r\n/j/{token} Extended stealer Brave, Exodus wallets 27 KB\r\n/n/{token} Network module RAT + FTP exfil 25 KB\r\n/z/{token} Archive handler File enumeration 11 KB\r\n/dd/{token} MetaMask injector Extension hijacking 13 KB\r\n/bro/{token} Tsunami backdoor Full RAT + XMRig 153 KB\r\n/payl/{token} Main payload RAT controller 32 KB\r\nCracking 64 Layers of Obfuscation\r\nThe bro_*.js payload contains 64 nested obfuscation layers:\r\nLayer 1: Base85 + XOR (key: Vw1aGYoP)\r\nLayers 2-64: zlib + reversed base64\r\nFinal output: 175,733 bytes of Python\r\nLayer 1 was the hardest—Base85 encoding with an 8-byte XOR key (Vw1aGYoP) that had to be discovered\r\nthrough pattern analysis. Once cracked, layers 2-64 were mechanical: decompress with zlib, reverse the string,\r\nbase64 decode, repeat.\r\nThe final payload revealed something unexpected: a full-featured backdoor with XMRig cryptocurrency miner,\r\ndisguised as msedge.exe. The operators aren't just stealing credentials—they're also mining Monero on victim\r\nmachines.\r\nXOR Keys Recovered\r\nKey Purpose\r\nG01d*8@( File encryption (8 bytes, \"Gold\" leetspeak)\r\nG0Md*8@( Network module variant\r\nVw1aGYoP Base85 layer decryption\r\n!!!HappyPenguin1950!!! 
Tsunami URL encoding\r\nXt3rqfmL client/payl module\r\nZe4pq4iT dd module (MetaMask injector)\r\n0xcb Z238 binary protocol\r\nThe Tsunami Backdoor\r\nAfter deobfuscation, the 175KB Python payload reveals sophisticated persistence and monetization:\r\nPersistence Mechanisms\r\n1. Startup Folder: Windows Update Script.pyw\r\n2. Scheduled Task: \"Runtime Broker\" at logon\r\n3. Defender Exclusions: Added via PowerShell\r\nMasquerading\r\nReal Name Disguised As\r\nInstaller Runtime Broker.exe\r\nClient Runtime Broker.exe\r\nXMRig Miner msedge.exe\r\n1,000 Pastebin Dead Drops\r\nThe malware contains 1,000 encoded Pastebin profile URLs for dead drop resolution:\r\nhttps://pastebin.com/u/HolesGarmin3166_OnsitePoet2677\r\nhttps://pastebin.com/u/CrackEden1251_WaitsRenee9809\r\nhttps://pastebin.com/u/KerrWhale2274_KnowNtsc6785\r\n... (997 more)\r\nAs of January 2026, a sample of 100 accounts all return 404—indicating rotation or takedown.\r\nOperator RSA Public Key\r\nSHA256: 40b59567a2b580f1952dadae5dd586895b2316e590b84842f89aed1675f2d707\r\nThe Z238 Binary Protocol\r\nPort 22411-22412 on Z238 (66.235.168.238) runs a custom binary protocol—not HTTP.\r\nProtocol Structure\r\nField Size Description\r\nVersion 2 bytes Always 0x00 0x00\r\nType 1 byte Message type\r\nLength 1 byte Payload 
length\r\nPayload Variable Wide-char encoded, XOR 0xcb\r\nMessage Types\r\nType Function\r\n0x03 AUTH_CHALLENGE\r\n0x04 AUTH_RESPONSE\r\n0x05 CMD_SHELL\r\n0x06 CMD_UPLOAD\r\n0x07 CMD_DOWNLOAD\r\n0x08 CMD_LIST\r\n0x09 CMD_KILL\r\n0x0A CMD_STATUS\r\nCracking the Protocol\r\nWe captured the initial server greeting and noticed a repeating 0xcb pattern in the hex dump—a telltale sign of\r\nXOR encoding against null bytes. After XOR decoding, the MmmM magic bytes appeared, revealing the wide-character encoding scheme.\r\nWe crafted authentication packets and tested from VPN exit nodes in Australia and Japan. The first packet was\r\naccepted (empty response, no error)—but subsequent probes triggered rate limiting. Within hours, all our VPN\r\nIPs were blocked. The operators had detected our testing.\r\nOperational Analysis\r\nThe Operators Responded to Our Probing\r\nDuring active reconnaissance, we observed real-time defensive responses:\r\nObservation Implication\r\n3 of 5 C2 services went offline mid-investigation Active monitoring or automated tripwires\r\nZ238 custom ports (22411-22412) closed after initial probes Operator detected enumeration\r\nRate limiting triggered after auth packet testing Anti-bruteforce measures in place\r\nPayload delivery disabled (all token endpoints returned empty) Possible campaign rotation\r\nThis isn't \"fire and forget\" infrastructure—someone is watching.\r\nCredential Compartmentalization\r\nWe attempted to reuse discovered XOR keys as server credentials:\r\nAttempt Result\r\nWinRM with G01d*8@( (XOR key) Failed\r\nFTP with campaign tokens Failed\r\nRDP with hostname-based users Failed\r\n37,800+ credential combinations All failed\r\nConclusion: Operators maintain strict separation between malware encryption keys and infrastructure credentials.\r\nThis is mature OPSEC.\r\nDatabase Access Revealed Infrastructure Reuse\r\nHardcoded 
MongoDB credentials in the malware gave us access to 32 databases (3.2GB):\r\nDatabase Size Contents\r\ntest 344 MB 91,346 synthetic wallet records (load testing)\r\nplaymate 233 KB Sports social app in development\r\nvadym_choryi 70 KB Developer test environment\r\n26x tenant_* 20-86 KB each University SaaS staging data\r\nThe same MongoDB Atlas cluster hosts both the C2 backend and legitimate-looking development projects. This\r\ninfrastructure blending provides cover—if investigated, operators can point to \"normal\" development activity.\r\nDecoy Endpoints\r\nThe C2 servers include non-functional endpoints designed to waste researcher time:\r\nDecoy Behavior\r\n/multiple-upload form in HTML Route returns 404 (not implemented)\r\nVarious upload field names All return MulterError: Unexpected field\r\n/ root page Fake file upload interface\r\nAttribution: HIGH Confidence\r\nEvidence Weight\r\nIP 147.124.212.125 flagged by 14 VT vendors Strong\r\nSame /24 subnet documented in Sekoia, Unit42 reports Strong\r\nTTP match: fake jobs -\u003e GitHub -\u003e VSCode -\u003e crypto theft Strong\r\nPort 1244 matches prior Contagious Interview campaigns Moderate\r\nMalware families (BeaverTail patterns) consistent Moderate\r\nUkrainian persona aligns with known DPRK front tactics Circumstantial\r\nWe assess with high confidence this is Lazarus Group infrastructure.\r\nWhat We Didn't Find\r\nGap Why It Matters\r\nOperator panel location Would reveal full victim scope\r\nFTP credentials Dynamically delivered via socket, never captured\r\nValid WinRM/RDP credentials Infrastructure remains inaccessible\r\nFull victim count Only saw partial database access\r\nMonero wallet address XMRig config not in deobfuscated payload\r\nDefensive 
Recommendations\r\nNetwork-Level\r\n1. Block C2 IPs: 147.124.213.232, 147.124.212.125, 216.250.251.87, 45.43.11.199, 66.235.63.55,\r\n66.235.168.238, 45.59.163.55\r\n2. Alert on port 1244/tcp and 1249/tcp connections\r\n3. Monitor POST to /keys with JSON containing ts, type, hid, ss, cc\r\n4. Hunt FTP connections to /DAhkMrMq7/ path\r\n5. Monitor Pastebin profile access from non-browser processes\r\nHost-Level\r\n1. Alert on Windows Update Script.pyw in Startup folder\r\n2. Alert on Runtime Broker.exe in non-standard locations\r\n3. Alert on msedge.exe in %LOCALAPPDATA%/Microsoft/Windows/Applications\r\n4. Hunt scheduled task named \"Runtime Broker\"\r\n5. Monitor PowerShell Add-MpPreference exclusion commands\r\n6. Alert on files in ~/.vscode/pay or ~/.vscode/bow\r\n7. Alert on ~/.n2/ directory creation\r\nYARA Strings\r\n!!!HappyPenguin1950!!!\r\nTSUNAMI_INJECTOR\r\nTSUNAMI_PAYLOAD\r\nWindows Update Script.pyw\r\nG01d*8@(\r\nG0Md*8@(\r\nXt3rqfmL\r\nZe4pq4iT\r\nnkbihfbeogaeaoehlefnkodbefgpgknn\r\n.vscode/pay\r\n.vscode/bow\r\nChrome/secdata\r\nMITRE ATT\u0026CK Mapping\r\nID Technique Evidence\r\nT1566.003 Phishing via Service Fake job interviews on Upwork\r\nT1204.002 Malicious File Execution npm install trigger\r\nT1059.007 JavaScript Execution All payloads\r\nT1059.006 Python Execution Tsunami backdoor\r\nT1027.002 Software Packing 64 obfuscation layers\r\nT1547.001 Startup Folder Windows Update Script.pyw\r\nT1053.005 Scheduled Task \"Runtime Broker\"\r\nT1555 Credential Theft Browser data stealing\r\nT1539 Session Cookie Theft Cookie exfiltration\r\nT1562.001 Disable Security Tools Defender exclusions\r\nT1048.003 Exfil over FTP basic-ftp usage\r\nT1102.001 Dead Drop Resolver 1000 Pastebin accounts\r\nT1496 Resource Hijacking XMRig miner\r\nT1036.005 Masquerading Runtime Broker, msedge.exe\r\nT1573.001 Symmetric Encryption XOR keys\r\nT1573.002 
Asymmetric Encryption RSA payload signing\r\nA Practitioner's Perspective\r\nThe \"Contagious Interview\" campaign isn't new—SentinelOne, Sekoia, and others have documented it\r\nextensively. What we're adding here is what happens when you don't just analyze the malware, but actively probe\r\nthe infrastructure.\r\nThe operators are competent. They compartmentalize credentials. They monitor for enumeration. They blend C2\r\ninfrastructure with legitimate-looking projects. They build decoys for researchers. This isn't amateur hour.\r\nBut they also make mistakes. Hardcoded MongoDB credentials. Timing oracles. XOR keys that follow predictable\r\npatterns. Pastebin account names that could theoretically be enumerated.\r\nThe BlockNovas front company was seized in April 2025. The infrastructure we documented in January 2026 is\r\nstill active. Takedowns slow them down; they don't stop them.\r\nFor organizations: if you're hiring crypto developers through Upwork, Fiverr, or similar platforms, you're in the\r\ntarget zone. Vet repositories before opening them. Disable VSCode auto-run tasks. Review package.json scripts\r\nbefore running npm install.\r\nFor threat hunters: the IOCs in this report are actionable. The timing oracle technique may apply to other\r\ncampaigns. 
The Z238 protocol details enable signature development.\r\nFor law enforcement: we have 36 malware samples and detailed infrastructure documentation available for\r\ncoordination.\r\nHow Red Asgard Can Help\r\nThis investigation originated from our freelancer code vetting practice—a service we offer to organizations that\r\noutsource development work.\r\nContractor Code Review\r\nRepository analysis before code integration\r\nMalware and backdoor detection\r\nSupply chain risk assessment\r\nFreelancer background verification\r\nThreat Intelligence\r\nAPT campaign tracking\r\nIOC feeds and alerting\r\nCustom threat hunting\r\nIncident response support\r\nSecurity Assessments\r\nApplication security testing\r\nInfrastructure penetration testing\r\nAI/ML security review\r\nRed team engagements\r\nIf you're outsourcing development work—especially in crypto or Web3—we'd welcome the opportunity to discuss\r\nyour security posture.\r\nContact: contact@redasgard.com\r\nReferences\r\nSentinelOne: Contagious Interview\r\nSekoia: ClickFake Interview Campaign\r\nANY.RUN: Lazarus Group Attacks 2025\r\nDark Reading: Contagious Interview npm Package Factory\r\nThe Hacker News: BlockNovas FBI Seizure\r\nMITRE ATT\u0026CK: Contagious Interview (G1052)\r\nSource: https://redasgard.com/blog/hunting-lazarus-contagious-interview-c2-infrastructure",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://redasgard.com/blog/hunting-lazarus-contagious-interview-c2-infrastructure"
	],
	"report_names": [
		"hunting-lazarus-contagious-interview-c2-infrastructure"
	],
	"threat_actors": [
		{
			"id": "34eea331-d052-4096-ae03-a22f1d090bd4",
			"created_at": "2025-08-07T02:03:25.073494Z",
			"updated_at": "2026-04-10T02:00:03.709243Z",
			"deleted_at": null,
			"main_name": "NICKEL ACADEMY",
			"aliases": [
				"ATK3 ",
				"Black Artemis ",
				"COVELLITE ",
				"CTG-2460 ",
				"Citrine Sleet ",
				"Diamond Sleet ",
				"Guardians of Peace",
				"HIDDEN COBRA ",
				"High Anonymous",
				"Labyrinth Chollima ",
				"Lazarus Group ",
				"NNPT Group",
				"New Romanic Cyber Army Team",
				"Temp.Hermit ",
				"UNC577 ",
				"Who Am I?",
				"Whois Team",
				"ZINC "
			],
			"source_name": "Secureworks:NICKEL ACADEMY",
			"tools": [
				"Destover",
				"KorHigh",
				"Volgmer"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "4fc99d9b-9b66-4516-b0db-520fbef049ed",
			"created_at": "2025-10-29T02:00:51.949631Z",
			"updated_at": "2026-04-10T02:00:05.346203Z",
			"deleted_at": null,
			"main_name": "Contagious Interview",
			"aliases": [
				"Contagious Interview",
				"DeceptiveDevelopment",
				"Gwisin Gang",
				"Tenacious Pungsan",
				"DEV#POPPER",
				"PurpleBravo",
				"TAG-121"
			],
			"source_name": "MITRE:Contagious Interview",
			"tools": [
				"InvisibleFerret",
				"BeaverTail",
				"XORIndex Loader",
				"HexEval Loader"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "732597b1-40a8-474c-88cc-eb8a421c29f1",
			"created_at": "2025-08-07T02:03:25.087732Z",
			"updated_at": "2026-04-10T02:00:03.776007Z",
			"deleted_at": null,
			"main_name": "NICKEL GLADSTONE",
			"aliases": [
				"APT38 ",
				"ATK 117 ",
				"Alluring Pisces ",
				"Black Alicanto ",
				"Bluenoroff ",
				"CTG-6459 ",
				"Citrine Sleet ",
				"HIDDEN COBRA ",
				"Lazarus Group",
				"Sapphire Sleet ",
				"Selective Pisces ",
				"Stardust Chollima ",
				"T-APT-15 ",
				"TA444 ",
				"TAG-71 "
			],
			"source_name": "Secureworks:NICKEL GLADSTONE",
			"tools": [
				"AlphaNC",
				"Bankshot",
				"CCGC_Proxy",
				"Ratankba",
				"RustBucket",
				"SUGARLOADER",
				"SwiftLoader",
				"Wcry"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "a2b92056-9378-4749-926b-7e10c4500dac",
			"created_at": "2023-01-06T13:46:38.430595Z",
			"updated_at": "2026-04-10T02:00:02.971571Z",
			"deleted_at": null,
			"main_name": "Lazarus Group",
			"aliases": [
				"Operation DarkSeoul",
				"Bureau 121",
				"Group 77",
				"APT38",
				"NICKEL GLADSTONE",
				"G0082",
				"COPERNICIUM",
				"Moonstone Sleet",
				"Operation GhostSecret",
				"APT 38",
				"Appleworm",
				"Unit 121",
				"ATK3",
				"G0032",
				"ATK117",
				"NewRomanic Cyber Army Team",
				"Nickel Academy",
				"Sapphire Sleet",
				"Lazarus group",
				"Hastati Group",
				"Subgroup: Bluenoroff",
				"Operation Troy",
				"Black Artemis",
				"Dark Seoul",
				"Andariel",
				"Labyrinth Chollima",
				"Operation AppleJeus",
				"COVELLITE",
				"Citrine Sleet",
				"DEV-0139",
				"DEV-1222",
				"Hidden Cobra",
				"Bluenoroff",
				"Stardust Chollima",
				"Whois Hacking Team",
				"Diamond Sleet",
				"TA404",
				"BeagleBoyz",
				"APT-C-26"
			],
			"source_name": "MISPGALAXY:Lazarus Group",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "32a223a8-3c79-4146-87c5-8557d38662ae",
			"created_at": "2022-10-25T15:50:23.703698Z",
			"updated_at": "2026-04-10T02:00:05.261989Z",
			"deleted_at": null,
			"main_name": "Lazarus Group",
			"aliases": [
				"Lazarus Group",
				"Labyrinth Chollima",
				"HIDDEN COBRA",
				"Guardians of Peace",
				"NICKEL ACADEMY",
				"Diamond Sleet"
			],
			"source_name": "MITRE:Lazarus Group",
			"tools": [
				"RawDisk",
				"Proxysvc",
				"BADCALL",
				"FALLCHILL",
				"WannaCry",
				"MagicRAT",
				"HOPLIGHT",
				"TYPEFRAME",
				"Dtrack",
				"HotCroissant",
				"HARDRAIN",
				"Dacls",
				"KEYMARBLE",
				"TAINTEDSCRIBE",
				"AuditCred",
				"netsh",
				"ECCENTRICBANDWAGON",
				"AppleJeus",
				"BLINDINGCAN",
				"ThreatNeedle",
				"Volgmer",
				"Cryptoistic",
				"RATANKBA",
				"Bankshot"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "f32df445-9fb4-4234-99e0-3561f6498e4e",
			"created_at": "2022-10-25T16:07:23.756373Z",
			"updated_at": "2026-04-10T02:00:04.739611Z",
			"deleted_at": null,
			"main_name": "Lazarus Group",
			"aliases": [
				"APT-C-26",
				"ATK 3",
				"Appleworm",
				"Citrine Sleet",
				"DEV-0139",
				"Diamond Sleet",
				"G0032",
				"Gleaming Pisces",
				"Gods Apostles",
				"Gods Disciples",
				"Group 77",
				"Guardians of Peace",
				"Hastati Group",
				"Hidden Cobra",
				"ITG03",
				"Jade Sleet",
				"Labyrinth Chollima",
				"Lazarus Group",
				"NewRomanic Cyber Army Team",
				"Operation 99",
				"Operation AppleJeus",
				"Operation AppleJeus sequel",
				"Operation Blockbuster: Breach of Sony Pictures Entertainment",
				"Operation CryptoCore",
				"Operation Dream Job",
				"Operation Dream Magic",
				"Operation Flame",
				"Operation GhostSecret",
				"Operation In(ter)caption",
				"Operation LolZarus",
				"Operation Marstech Mayhem",
				"Operation No Pineapple!",
				"Operation North Star",
				"Operation Phantom Circuit",
				"Operation Sharpshooter",
				"Operation SyncHole",
				"Operation Ten Days of Rain / DarkSeoul",
				"Operation Troy",
				"SectorA01",
				"Slow Pisces",
				"TA404",
				"TraderTraitor",
				"UNC2970",
				"UNC4034",
				"UNC4736",
				"UNC4899",
				"UNC577",
				"Whois Hacking Team"
			],
			"source_name": "ETDA:Lazarus Group",
			"tools": [
				"3CX Backdoor",
				"3Rat Client",
				"3proxy",
				"AIRDRY",
				"ARTFULPIE",
				"ATMDtrack",
				"AlphaNC",
				"Alreay",
				"Andaratm",
				"AngryRebel",
				"AppleJeus",
				"Aryan",
				"AuditCred",
				"BADCALL",
				"BISTROMATH",
				"BLINDINGCAN",
				"BTC Changer",
				"BUFFETLINE",
				"BanSwift",
				"Bankshot",
				"Bitrep",
				"Bitsran",
				"BlindToad",
				"Bookcode",
				"BootWreck",
				"BottomLoader",
				"Brambul",
				"BravoNC",
				"Breut",
				"COLDCAT",
				"COPPERHEDGE",
				"CROWDEDFLOUNDER",
				"Castov",
				"CheeseTray",
				"CleanToad",
				"ClientTraficForwarder",
				"CollectionRAT",
				"Concealment Troy",
				"Contopee",
				"CookieTime",
				"Cyruslish",
				"DAVESHELL",
				"DBLL Dropper",
				"DLRAT",
				"DRATzarus",
				"DRATzarus RAT",
				"Dacls",
				"Dacls RAT",
				"DarkComet",
				"DarkKomet",
				"DeltaCharlie",
				"DeltaNC",
				"Dembr",
				"Destover",
				"DoublePulsar",
				"Dozer",
				"Dtrack",
				"Duuzer",
				"DyePack",
				"ECCENTRICBANDWAGON",
				"ELECTRICFISH",
				"Escad",
				"EternalBlue",
				"FALLCHILL",
				"FYNLOS",
				"FallChill RAT",
				"Farfli",
				"Fimlis",
				"FoggyBrass",
				"FudModule",
				"Fynloski",
				"Gh0st RAT",
				"Ghost RAT",
				"Gopuram",
				"HARDRAIN",
				"HIDDEN COBRA RAT/Worm",
				"HLOADER",
				"HOOKSHOT",
				"HOPLIGHT",
				"HOTCROISSANT",
				"HOTWAX",
				"HTTP Troy",
				"Hawup",
				"Hawup RAT",
				"Hermes",
				"HotCroissant",
				"HotelAlfa",
				"Hotwax",
				"HtDnDownLoader",
				"Http Dr0pper",
				"ICONICSTEALER",
				"Joanap",
				"Jokra",
				"KANDYKORN",
				"KEYMARBLE",
				"Kaos",
				"KillDisk",
				"KillMBR",
				"Koredos",
				"Krademok",
				"LIGHTSHIFT",
				"LIGHTSHOW",
				"LOLBAS",
				"LOLBins",
				"Lazarus",
				"LightlessCan",
				"Living off the Land",
				"MATA",
				"MBRkiller",
				"MagicRAT",
				"Manuscrypt",
				"Mimail",
				"Mimikatz",
				"Moudour",
				"Mydoom",
				"Mydoor",
				"Mytob",
				"NACHOCHEESE",
				"NachoCheese",
				"NestEgg",
				"NickelLoader",
				"NineRAT",
				"Novarg",
				"NukeSped",
				"OpBlockBuster",
				"PCRat",
				"PEBBLEDASH",
				"PLANKWALK",
				"POOLRAT",
				"PSLogger",
				"PhanDoor",
				"Plink",
				"PondRAT",
				"PowerBrace",
				"PowerRatankba",
				"PowerShell RAT",
				"PowerSpritz",
				"PowerTask",
				"Preft",
				"ProcDump",
				"Proxysvc",
				"PuTTY Link",
				"QUICKRIDE",
				"QUICKRIDE.POWER",
				"Quickcafe",
				"QuiteRAT",
				"R-C1",
				"ROptimizer",
				"Ratabanka",
				"RatabankaPOS",
				"Ratankba",
				"RatankbaPOS",
				"RawDisk",
				"RedShawl",
				"Rifdoor",
				"Rising Sun",
				"Romeo-CoreOne",
				"RomeoAlfa",
				"RomeoBravo",
				"RomeoCharlie",
				"RomeoCore",
				"RomeoDelta",
				"RomeoEcho",
				"RomeoFoxtrot",
				"RomeoGolf",
				"RomeoHotel",
				"RomeoMike",
				"RomeoNovember",
				"RomeoWhiskey",
				"Romeos",
				"RustBucket",
				"SHADYCAT",
				"SHARPKNOT",
				"SIGFLIP",
				"SIMPLESEA",
				"SLICKSHOES",
				"SORRYBRUTE",
				"SUDDENICON",
				"SUGARLOADER",
				"SheepRAT",
				"SierraAlfa",
				"SierraBravo",
				"SierraCharlie",
				"SierraJuliett-MikeOne",
				"SierraJuliett-MikeTwo",
				"SimpleTea",
				"SimplexTea",
				"SmallTiger",
				"Stunnel",
				"TAINTEDSCRIBE",
				"TAXHAUL",
				"TFlower",
				"TOUCHKEY",
				"TOUCHMOVE",
				"TOUCHSHIFT",
				"TOUCHSHOT",
				"TWOPENCE",
				"TYPEFRAME",
				"Tdrop",
				"Tdrop2",
				"ThreatNeedle",
				"Tiger RAT",
				"TigerRAT",
				"Trojan Manuscript",
				"Troy",
				"TroyRAT",
				"VEILEDSIGNAL",
				"VHD",
				"VHD Ransomware",
				"VIVACIOUSGIFT",
				"VSingle",
				"ValeforBeta",
				"Volgmer",
				"Vyveva",
				"W1_RAT",
				"Wana Decrypt0r",
				"WanaCry",
				"WanaCrypt",
				"WanaCrypt0r",
				"WannaCry",
				"WannaCrypt",
				"WannaCryptor",
				"WbBot",
				"Wcry",
				"Win32/KillDisk.NBB",
				"Win32/KillDisk.NBC",
				"Win32/KillDisk.NBD",
				"Win32/KillDisk.NBH",
				"Win32/KillDisk.NBI",
				"WinorDLL64",
				"Winsec",
				"WolfRAT",
				"Wormhole",
				"YamaBot",
				"Yort",
				"ZetaNile",
				"concealment_troy",
				"http_troy",
				"httpdr0pper",
				"httpdropper",
				"klovbot",
				"sRDI"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434811,
	"ts_updated_at": 1775792299,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/cf93575e1ae2129f8ed6524d669c46b79269cc17.pdf",
		"text": "https://archive.orkl.eu/cf93575e1ae2129f8ed6524d669c46b79269cc17.txt",
		"img": "https://archive.orkl.eu/cf93575e1ae2129f8ed6524d669c46b79269cc17.jpg"
	}
}