Threat Group Cards: A Threat Actor Encyclopedia
Archived: 2026-04-05 16:56:40 UTC
Home > List all groups > List all tools > List all groups using tool TOUCHSHIFT
 Tool: TOUCHSHIFT
Names TOUCHSHIFT
Category Malware
Type Dropper
Description
(Mandiant) TOUCHSHIFT is a malicious dropper that masquerades as mscoree.dll or
netplwix.dll. TOUCHSHIFT is typically created in the same directory and simultaneously as a
legitimate copy of a Windows binary. TOUCHSHIFT leverages DLL Search Order Hijacking
to use the legitimate file to load and execute itself. TOUCHSHIFT has been observed
containing one to two various payloads which it executes in-memory. Payloads that have been
seen include TOUCHSHOT, TOUCHKEY, HOOKSHOT, TOUCHMOVE, and SIDESHOW.
Information <https://www.mandiant.com/resources/blog/lightshow-north-korea-unc2970>
Malpedia <https://malpedia.caad.fkie.fraunhofer.de/details/win.touchshift>
Last change to this tool card: 22 June 2023
Download this tool card in JSON format
All groups using tool TOUCHSHIFT
Changed Name Country Observed
APT groups
  Lazarus Group, Hidden Cobra, Labyrinth Chollima 2007-May 2025
1 group listed (1 APT, 0 other, 0 unknown)
Source: https://apt.etda.or.th/cgi-bin/listgroups.cgi?u=be93acee-c964-4340-bfb4-5bae20f52a2f
https://apt.etda.or.th/cgi-bin/listgroups.cgi?u=be93acee-c964-4340-bfb4-5bae20f52a2f
Page 1 of 1