{
	"id": "5609af89-dcc2-4854-b2a3-cfdb7d29e3ad",
	"created_at": "2026-04-06T00:19:34.899203Z",
	"updated_at": "2026-04-10T03:38:19.491535Z",
	"deleted_at": null,
	"sha1_hash": "d9f35bf692aa5dc38758dbbd3a645bd3f4a000c7",
	"title": "Operation AppleJeus: Lazarus hits cryptocurrency exchange with fake installer and macOS malware",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 4122492,
	"plain_text": "Operation AppleJeus: Lazarus hits cryptocurrency exchange with fake\r\ninstaller and macOS malware\r\nBy GReAT\r\nPublished: 2018-08-23 · Archived: 2026-04-02 12:45:38 UTC\r\nOverview\r\nLazarus has been a major threat actor in the APT arena for several years. Alongside goals like cyberespionage and\r\ncybersabotage, the attacker has been targeting banks and other financial companies around the globe. Over the last few\r\nmonths, Lazarus has successfully compromised several banks and infiltrated a number of global cryptocurrency exchanges\r\nand fintech companies.\r\nKaspersky Lab has been assisting with incident response efforts. While investigating a cryptocurrency exchange attacked by\r\nLazarus, we made an unexpected discovery. The victim had been infected with the help of a trojanized cryptocurrency\r\ntrading application, which had been recommended to the company over email. It turned out that an unsuspecting employee\r\nof the company had willingly downloaded a third-party application from a legitimate looking website and their computer\r\nhad been infected with malware known as Fallchill, an old tool that Lazarus has recently switched back to. There have been\r\nmultiple reports on the reappearance of Fallchill, including one from US-CERT.\r\nTo ensure that the OS platform was not an obstacle to infecting targets, it seems the attackers went the extra mile and\r\ndeveloped malware for other platforms, including for macOS. A version for Linux is apparently coming soon, according to\r\nthe website. 
It’s probably the first time we see this APT group using malware for macOS.\r\nThe fact that the Lazarus group has expanded its list of targeted operating systems should be a wake-up call for users of non-Windows platforms.\r\nTrojanized cryptocurrency trading application\r\nThanks to Kaspersky Lab’s malicious-behavior detection technology, implemented in its endpoint security software, we\r\nwere able to reassemble the stages of infection and trace them back to their origin. This helped us understand that one of\r\nLazarus’ victims was infected with malware after installing a cryptocurrency trading program. We also confirmed that the\r\nuser installed this program via a download link delivered over email.\r\nTrojanized trading application for Windows\r\nIncluding malicious code into distributed software and putting that on a website would be too obvious. Instead, the attackers\r\nwent for a more elaborate scheme: the trojan code was pushed out in the form of an update for a trading application.\r\nA legitimate-looking application called Celas Trade Pro from Celas Limited showed no signs of malicious behaviour and\r\nlooked genuine. This application is an all-in-one style cryptocurrency trading program developed by Celas.\r\nScreenshot of Celas Trade Pro\r\nhttps://securelist.com/operation-applejeus/87553/\r\nPage 1 of 15\n\nWhen we started this research, any user could download the trading application from the Celas website. Checking the\r\ninstallation package downloaded from the website confirmed the presence of a very suspicious updater.\r\nInstallation package download page\r\nWe have analyzed the following Windows version of the installation package:\r\nMD5: 9e740241ca2acdc79f30ad2c3f50990a\r\nFile name: celastradepro_win_installer_1.00.00.msi\r\nFile type: MSI installer\r\nCreation time: 2018-06-29 01:16:00 UTC\r\nAt the end of the installation process, the installer immediately runs the Updater.exe module with the “CheckUpdate”\r\nparameter. 
This file looks like a regular tool and most likely will not arouse the suspicion of system administrators. After all,\r\nit even contains a valid digital signature, which belongs to the same vendor. But the devil is in the detail, as usual.\r\nThe code writer developed this project under the codename “jeus”, which was discovered in a PDB path included in the\r\nupdater and used as unique HTTP multipart message data separator string. Because of this, and the fact that the attacked\r\nplatforms include Apple macOS, we decided to call this Operation AppleJeus.\r\nProperties of the shady updater tool included in the package are:\r\nMD5: b054a7382adf6b774b15f52d971f3799\r\nFile Type: PE32 executable (GUI) Intel 80386, for MS Windows\r\nKnown file name: %Program Files%\\CelasTradePro\\Updater.exe\r\nLink Time: 2018-06-15 10:56:27 UTC\r\nBuild path: Z:\\jeus\\downloader\\downloader_exe_vs2010\\Release\\dloader.pdb\r\nThe main purpose of Updater.exe is to collect the victim’s host information and send it back to the server. Upon launch, the\r\nmalware creates a unique string with the format string template “%09d-%05d” based on random values, which is used as a\r\nunique identifier of the infected host. This malware collects process lists, excluding “[System Process]” and “System”\r\nprocesses and gets the exact OS version from the registry value at “HKLM\\SOFTWARE\\Microsoft\\Windows\r\nNT\\CurrentVersion”. 
Such values only exist from Windows 10 onwards, so we assume that the author developed and\r\ntested it on Windows 10.\r\nProductName: Windows OS version\r\nCurrentBuildNumber: Windows 10 build version\r\nReleaseID: Windows 10 version information\r\nUBR: Sub-version of the Windows 10 build\r\nBuildBranch: Windows 10 build branch information\r\nThe code encrypts the collected information with the hardcoded 16-byte XOR key (“Moz\u0026Wie;#t/6T!2y”) before uploading it to\r\nthe server.\r\nData encryption routine\r\nThe code sends the victim’s information to a webserver over HTTP to the following URL:\r\nwww.celasllc[.]com/checkupdate.php\r\nThe server is a legitimate-looking website owned by the developer of the program, Celas LLC. At this point we were not\r\nable to conclude with high confidence whether the server was compromised by the threat actor or had belonged to the threat\r\nactor from the beginning. To learn more about the server, please read the “Infrastructure” section below.\r\nThe malware uses the hardcoded User-Agent string “Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; Trident/6.0)”\r\nand a fixed multipart form-data separator string, “jeus”.\r\nEncryption and a custom separator string would not be red flags on their own for a legitimate application, but sending a request with\r\nthe context-irrelevant string “get_config”, as well as uploading the collected system information as “temp.gif”, mimicking a GIF\r\nimage with a magic number in the header, definitely made us raise our eyebrows.\r\nCommunication with the C2 server\r\nAfter successfully uploading the data, the updater checks the server response. If the server responds with HTTP code 300, it\r\nmeans the updater should keep quiet and take no action. However, if the response is HTTP code 200, it base64-decodes the payload\r\nand decrypts it using RC4 with another hardcoded key (“W29ab@ad%Df324V$Yd”). 
The decrypted data is an\r\nexecutable file prepended with the “MAX_PATHjeusD” string.\r\nDuring our research, we found other similar files. One was created on August 3rd and another on August 11th. The PDB\r\npath shows that the author keeps improving this updater tool, apparently forked from some stable version released on July 2,\r\n2018 according to the internal directory name.\r\nAdditional trojanized sample #1\r\nInstallation package MD5: 4126e1f34cf282c354e17587bb6e8da3\r\nPackage creation date: 2018-08-03 09:57:29\r\nDropped updater MD5: ffae703a1e327380d85880b9037a0aeb\r\nUpdater creation date: 2018-08-03 09:50:08\r\nUpdater build path: H:\\DEV\\TManager\\DLoader\\20180702\\dloader\\WorkingDir\\Output\\00000009\\Release\\dloader.pdb\r\nAdditional trojanized sample #2\r\nInstallation package MD5: 0bdb652bbe15942e866083f29fb6dd62\r\nPackage creation date: 2018-08-13 00:12:10\r\nDropped updater MD5: bbbcf6da5a4c352e8846bf91c3358d5c\r\nUpdater creation date: 2018-08-11 07:28:08\r\nUpdater build path: H:\\DEV\\TManager\\DLoader\\2 (truncated in the source)\r\nNote the TManager directory in the build paths above. It will pop up again in another unexpected place later.\r\nTrojanized trading program for macOS\r\nFor macOS users, Celas LLC also provided a native version of its trading app. A hidden “autoupdater” module is installed in\r\nthe background to start immediately after installation, and after each system reboot. It keeps contacting the command and\r\ncontrol (C2) server in order to download and run an additional executable from the server. 
The communication matches\r\nthe Windows version of the updater and is disguised as an image file upload and download, while carrying encrypted data\r\ninside.\r\nWe have analyzed the following installation file:\r\nMD5: 48ded52752de9f9b73c6bf9ae81cb429\r\nFile Size: 15,020,544 bytes\r\nFile Type: DMG disk image\r\nKnown file name: celastradepro_mac_installer_1.00.00.dmg\r\nDate of creation: 13 July 2018\r\nOnce the Celas Trade Pro app is installed on macOS, it starts the Updater application at system startup via a launchd property list named\r\n“.com.celastradepro.plist” (note the leading dot, which hides the file from Finder and from a default\r\nTerminal directory listing). The “Updater” file is passed the “CheckUpdate” parameter on start.\r\nCelas Trade Pro app plist file (Apple Property List)\r\nThe command-line argument “CheckUpdate” looks redundant from a code analysis perspective: there is no other argument\r\nthat the application expects. Without any argument, it does nothing and quits. This may or may not be a way to\r\ntrick sandboxes that automatically execute this trojanized updater: without the “secret” extra argument, no suspicious activity is\r\nproduced. The choice of a benign string such as “CheckUpdate” helps it hide in plain sight from any user or\r\nadministrator looking at running processes.\r\nThe trojanized updater works similarly to the Windows version in many ways. Both applications are implemented using the\r\ncross-platform Qt framework. Upon launch, the downloader creates a unique identifier for the infected host using a “%09d-%06d”\r\nformat string template. Next, the app collects basic system information, which on macOS is done via dedicated Qt\r\nclasses:\r\nHost name\r\nOS type and version\r\nSystem architecture\r\nOS kernel type and version\r\nThe process of encrypting and transferring data is the same as in the Windows version. 
This information is XOR-encrypted\r\nwith the hardcoded 16-byte static key “Moz\u0026Wie;#t/6T!2y”, prepended with a GIF89a header and uploaded to the C2 server via\r\nHTTP POST to the following URL:\r\nhttps://www.celasllc[.]com/checkupdate.php\r\nPOST request template strings\r\nThe module relies on a hardcoded User-Agent string for macOS:\r\nUser-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_12_6) AppleWebKit/537.36 (KHTML, like Gecko)\r\nChrome/66.0.3359.139 Safari/537.36\r\nOnce the server replies, it checks the HTTP response code. HTTP response code 300 indicates that the server has no task for\r\nthe updater and the application terminates immediately. If the HTTP response is code 200, then the updater takes the data in\r\nthe response, decodes it from base64 and decrypts it using RC4 with the hardcoded static key\r\n“W29ab@ad%Df324V$Yd”. It calculates the MD5 of the decoded and decrypted data, which is compared to a value stored\r\ninside, to verify the integrity of the transferred file. After that, the payload is extracted and saved to the hardcoded file location\r\n“/var/zdiffsec”, made executable for all users and started with another secret hardcoded command-line\r\nargument, “bf6a0c760cc642”. Apparently the command-line argument is a way to prevent detection of its malicious\r\nfunctionality by sandboxes or even during reverse engineering. We first saw this technique adopted by the Lazarus group\r\nin 2016 in attacks against banks. As of 2018, it is still using it in almost every attack we investigated.\r\nDownloaded payload\r\nAccording to data from Kaspersky Security Network, the threat actor delivered the malicious payload using one of the\r\nshadowy updaters described above. 
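Before turning to that payload, here is an added example that is not part of the original report and not the updater's own code: a Python decoder for the C2 exchange that the two updater sections above describe. The XOR and RC4 keys, the GIF89a header, the MAX_PATHjeusD marker, the URL, the two User-Agent strings and the 300/200 status semantics are taken from the report. The field layout of the host survey inside the sample beacon is an assumption made here so that the decoder has something to run on, and the RC4 and XOR routines are written out rather than lifted from the sample.

```python
# Added example, not code from the Securelist report or from the Celas
# updater: a decoder for the updater's C2 exchange as the report describes
# it. Keys, fake GIF header, marker, URL, User-Agent strings and status
# codes come from the report; the layout of the host survey inside the
# constructed beacon below is an assumption made only for this sample.
import base64

XOR_KEY = b'Moz&Wie;#t/6T!2y'        # 16-byte XOR key applied to the host survey
RC4_KEY = b'W29ab@ad%Df324V$Yd'       # RC4 key for the base64 task in a 200 reply
GIF_MAGIC = b'GIF89a'                 # header that makes the upload look like an image
TASK_MARKER = b'MAX_PATHjeusD'        # prefix on the decrypted Windows task
UPDATER_URL = 'celasllc.com/checkupdate.php'
UPDATER_USER_AGENTS = {
    'Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; Trident/6.0)',
    'Mozilla/5.0 (Macintosh; Intel Mac OS X 10_12_6) AppleWebKit/537.36 '
    '(KHTML, like Gecko) Chrome/66.0.3359.139 Safari/537.36',
}
R_URL, R_UA, R_GIF = 'updater URL', 'updater User-Agent', 'fake GIF beacon'


def xor_repeat(data, key):
    # Repeating-key XOR; the same call encrypts and decrypts.
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def rc4(data, key):
    # Textbook RC4 (key scheduling, then keystream generation).
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for b in data:
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(b ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def decode_beacon(temp_gif):
    # Recover the host survey from an uploaded temp.gif; None when the blob
    # does not even carry the fake GIF header.
    if not temp_gif.startswith(GIF_MAGIC):
        return None
    return xor_repeat(temp_gif[len(GIF_MAGIC):], XOR_KEY)


def decode_task(status, body):
    # 300 means no task (None). 200 carries base64(RC4(task)); the marker
    # flag is returned separately so a reply that decrypts but lacks the
    # MAX_PATHjeusD prefix is visible to the analyst instead of ignored.
    if status != 200:
        return None
    plain = rc4(base64.b64decode(body), RC4_KEY)
    if plain.startswith(TASK_MARKER):
        return True, plain[len(TASK_MARKER):]
    return False, plain


def flag_request(url, user_agent, uploaded_file):
    # Proxy-log triage: which of the report's indicators does a request hit?
    # The GIF check only fires when the known key turns the body into text,
    # so a re-keyed build of the updater would need XOR_KEY updated.
    reasons = []
    if UPDATER_URL in url:
        reasons.append(R_URL)
    if user_agent in UPDATER_USER_AGENTS:
        reasons.append(R_UA)
    survey = decode_beacon(uploaded_file)
    if survey and all(32 <= b < 127 for b in survey):
        reasons.append(R_GIF)
    return reasons


# Constructed sample traffic, not a real capture. The field layout is an
# assumption; the host id follows the report's %09d-%05d template.
SURVEY = b'000123456-00042|Windows 10 Pro|17134|1803|explorer.exe,svchost.exe'
SAMPLE_BEACON = GIF_MAGIC + xor_repeat(SURVEY, XOR_KEY)
STUB_PE = b'MZ' + bytes(62) + b'PE' + bytes(2)        # only the PE magic bytes
SAMPLE_REPLY = base64.b64encode(rc4(TASK_MARKER + STUB_PE, RC4_KEY))

if __name__ == '__main__':
    print(decode_beacon(SAMPLE_BEACON))
    print(decode_task(300, b''))
    print(decode_task(200, SAMPLE_REPLY))
    print(flag_request('http://www.celasllc.com/checkupdate.php',
                       'Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; Trident/6.0)',
                       SAMPLE_BEACON))
```

The flag_request helper is the proxy-log side of the same indicators: feed it the URL, User-Agent and uploaded body from a request record and it lists which of the report's markers the request hits. The GIF test deliberately requires that the known key turns the body into printable text, because a GIF89a header on its own is what every real image upload looks like.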
We found a malicious file created on the same host:\r\nMD5: 0a15a33844c9df11f12a4889ae7b7e4b\r\nFile Size: 104,898,560 bytes\r\nFile Type: PE32+ executable (GUI) x86-64, for MS Windows\r\nKnown file name: C:\\Recovery\\msn.exe\r\nLink time: 2018-04-19 13:30:19\r\nNote the unusually large size for an executable file. We believe that it was inflated with junk data on purpose to hinder easy\r\ndownload or transfer over the internet.\r\nSearching for the reason for the malware’s appearance on the system revealed that there was an additional process\r\nresponsible for producing several files before this malware was launched, suggesting a trojan dropper in action. The main\r\nfunction of this malware is to implant the Fallchill backdoor loader, which it assembles from several files. Upon launch, the malware checks\r\none of the command-line arguments passed to it. As a disguise, the malware chooses one of the service names located in the following\r\nregistry value:\r\nHKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Svchost\\netsvcs\r\nThis value includes a list of several dozen standard system service names.\r\nThe randomly chosen service name is used to name the dropped file and the newly registered Windows service. Let’s refer to\r\nthis randomly chosen service name as [service]. The malware contains references to several files:\r\nThe file passed as argument: contains a 16-byte key\r\nmsncf.dat: Encrypted configuration data\r\nmsndll.tmp: Encrypted Fallchill loader\r\nmsndll.dat: Encrypted Fallchill backdoor (payload for the loader)\r\n[service]svc.dll: Fallchill backdoor loader\r\n[service].dat: Copy of msndll.dat\r\nA mix of the above-mentioned files produces the final backdoor known as Fallchill. A more detailed procedure for technical\r\nspecialists is as follows:\r\n1. Check whether the command-line argument points to a file of 16 bytes in size.\r\n2. Read the file passed via the command-line argument. Its contents are a crypto key, which we will call the main key.\r\n3. Open the msncf.dat file (configuration file). If the file size equals 192 bytes, read its content.\r\n4. Open the msndll.tmp file and decrypt it using the main key.\r\n5. Create the [service]svc.dll file and fill it with pseudo-random data. The malware writes 10,240 bytes of pseudo-random data per\r\niteration and iterates (rand() % 10 + 10240) times, so the padding alone is between 104,857,600 and 104,949,760 bytes. This is why\r\nthe files it produces are so large.\r\n6. Copy the 16-byte main key to the end of the [service]svc.dll file.\r\n7. Encrypt the [service].dat file name with the main key and append it to the end of [service]svc.dll.\r\n8. Overwrite the beginning of [service]svc.dll with the data decrypted from msndll.tmp.\r\n9. Move the msndll.dat file to [service].dat.\r\n10. Delete the temporary files msndll.tmp, msncf.dat and msndll.log.\r\n11. Set (timestomp) the timestamps of the [service]svc.dll and [service].dat files.\r\n12. Register [service]svc.dll as a Windows service.\r\n13. Save a copy of the data from the msncf.dat file in the following registry value:\r\nHKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\TaskConfigs\\Description\r\nInfection process diagram\r\nFallchill backdoor loader\r\nWe confirmed that the following malware was created on the infected host using the method described above:\r\nFallchill backdoor loader:\r\nMD5: e1ed584a672cab33af29114576ad6cce\r\nFile Size: 104,878,356 bytes\r\nFile Type: PE32+ executable (DLL) (console) x86-64, for MS Windows\r\nKnown file name: C:\\Windows\\system32\\uploadmgrsvc.dll\r\nLink time: 2018-01-18 01:56:32\r\nIts size is consistent with the procedure above: 104,878,356 = 10,242 × 10,240 + 276, i.e. 10,242 padding iterations followed by\r\nthe 16-byte key and the encrypted file name.\r\nEncrypted Fallchill backdoor:\r\nMD5: d8484469587756ce0d10a09027044808\r\nFile Size: 143,872 bytes\r\nFile Type: encrypted data\r\nKnown file name: C:\\Windows\\system32\\uploadmgr.dat\r\nUpon starting, uploadmgrsvc.dll reads 276 bytes from the end of its own executable file. 
The first 16 bytes of this 276-byte\r\ntail are used as a decryption key, and the remaining 260 bytes (260 being MAX_PATH on Windows) contain the encrypted file path used by the backdoor.\r\nData at the end of the loader module\r\nAfter decrypting the last 260 bytes, the malware retrieves the name or path of the file that contains the actual backdoor\r\nbody in encrypted form.\r\nDecrypted file name at the end of the loader module\r\nThe malware reads the specified file and decrypts it using the same decryption routine. This is how the executable code of\r\nthe backdoor is produced in memory and executed by the loader. Note that the encrypted file on disk and the decrypted payload have\r\nthe same size, 143,872 bytes, so the routine adds no header or padding. Below is the meta information about the decrypted final\r\npayload in memory:\r\nMD5: d7089e6bc8bd137a7241a7ad297f975d\r\nFile Size: 143,872 bytes\r\nFile Type: PE32+ executable (DLL) (GUI) x86-64, for MS Windows\r\nLink Time: 2018-03-16 07:15:31\r\nWe can summarize the Fallchill backdoor loading process as follows:\r\nLoading the Fallchill backdoor\r\nAs mentioned previously, the final payload belongs to a Fallchill malware cluster previously attributed to the Lazarus APT\r\ngroup. Upon launching, this malware resolves the API function addresses at runtime, and reads the C2 server address from\r\nthe registry value created during the installation stage:\r\nHKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\TaskConfigs\\Description\r\nIf there is no configuration value, the malware falls back to default C2 server addresses:\r\n196.38.48[.]121\r\n185.142.236[.]226\r\nThis is a full-featured backdoor that contains enough functions to fully control the infected host. 
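The dropper procedure and the loader tail just described lend themselves to two quick triage checks, and the following Python is an added example rather than code from the report or from the malware. The 10,240-byte block, the iteration count, the 16-byte key and the 260-byte encrypted name are from the report. The report does not name the routine that decrypts the tail, so a repeating-key XOR stands in for it here as a labelled placeholder and the constructed sample loader is built with that same placeholder; on a real sample the decrypt argument of carve_loader_tail would be replaced with the routine recovered from the binary.

```python
# Added example, not from the Securelist report or the malware: arithmetic
# and parsing checks that follow from the dropper and loader behaviour
# described above. Block size, iteration count and the 16 + 260 byte tail
# are from the report. The cipher used on the tail is not named there, so a
# repeating-key XOR stands in for it (assumption), and the constructed
# sample loader is encrypted with that same placeholder.
import os
import tempfile

BLOCK = 10240                  # bytes of pseudo-random data per iteration
MIN_ITERS = 10240              # rand() % 10 + 10240 gives 10240 .. 10249
RAND_SPAN = 10
KEY_LEN = 16                   # main key copied to the end of [service]svc.dll
NAME_LEN = 260                 # encrypted [service].dat name; 260 == Windows MAX_PATH
TAIL_LEN = KEY_LEN + NAME_LEN  # the 276 bytes the loader reads from its own end
NUL = bytes(1)


def padding_sizes():
    # Every size the padding loop in step 5 can produce, smallest first.
    return sorted(BLOCK * (MIN_ITERS + k) for k in range(RAND_SPAN))


def explain_size(size):
    # Map an on-disk size to (iterations, trailing bytes) when it fits the
    # dropper's scheme: 0 trailing bytes for a padded file without the tail,
    # TAIL_LEN for a loader carrying key + encrypted name. None otherwise.
    for pad in padding_sizes():
        extra = size - pad
        if extra in (0, TAIL_LEN):
            return pad // BLOCK, extra
    return None


def xor_placeholder(data, key):
    # Assumption: stand-in for the loader's unnamed, length-preserving routine.
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def carve_loader_tail(path, decrypt=xor_placeholder):
    # Read the last 276 bytes of a suspected loader, split them into the
    # 16-byte key and the 260-byte encrypted name, and decrypt the name.
    with open(path, 'rb') as fh:
        fh.seek(-TAIL_LEN, os.SEEK_END)
        tail = fh.read(TAIL_LEN)
    key, enc_name = tail[:KEY_LEN], tail[KEY_LEN:]
    return key, decrypt(enc_name, key).rstrip(NUL)


def build_sample_loader(directory, key, dat_name, iters):
    # Constructed stand-in for [service]svc.dll following steps 5 to 8:
    # padding blocks (zeros here, pseudo-random in the dropper), the key,
    # the encrypted name, then a PE stub overwriting the first bytes.
    path = os.path.join(directory, 'uploadmgrsvc.dll')
    enc_name = xor_placeholder(dat_name.ljust(NAME_LEN, NUL), key)
    with open(path, 'wb') as fh:
        for _ in range(iters):
            fh.write(bytes(BLOCK))
        fh.write(key)
        fh.write(enc_name)
        fh.seek(0)
        fh.write(b'MZ')        # step 8 overwrites the beginning, it does not append
    return path


def demo_carve(iters=MIN_ITERS + 2, key=b'0123456789abcdef', dat_name=b'uploadmgr.dat'):
    # Build a sample loader in a temp dir, carve it, and return what an
    # analyst would log: (size, explain_size result, key, decrypted name).
    with tempfile.TemporaryDirectory() as tmp:
        path = build_sample_loader(tmp, key, dat_name, iters)
        size = os.path.getsize(path)
        carved_key, name = carve_loader_tail(path)
    return size, explain_size(size), carved_key, name


if __name__ == '__main__':
    # Sizes quoted in the report: the loader DLL and the dropper msn.exe.
    print(explain_size(104878356))   # uploadmgrsvc.dll
    print(explain_size(104898560))   # msn.exe
    print(demo_carve())
```

Run on the two sizes the report quotes, explain_size gives (10242, 276) for uploadmgrsvc.dll, exactly 10,242 padding blocks plus the 276-byte tail, and (10244, 0) for msn.exe, whose size is likewise a whole number of 10,240-byte blocks; the 143,872-byte uploadmgr.dat does not fit the scheme, as expected for the encrypted payload rather than a padded file. The size check costs nothing and narrows a hunt across a fleet to files worth pulling the tail from.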
Some of its network\r\nprotocol commands are described below.\r\nCommand ID Description\r\n0x8000 Write current time and configuration data to registry key\r\n0x8001 Send configuration data\r\n0x8002 Replace configuration data in the fixed registry value\r\n0x8003 Execute Windows command, store output in temp file and upload contents to C2\r\n0x8006 Show current working directory\r\n0x8007 Change current working directory\r\n0x8008 Collect process information\r\n0x8009 Terminate process\r\n0x8010 Start new process\r\n0x8011 Create process with security context of the current user\r\n0x8012 Connect to specified host/port\r\n0x8013 Get drive information\r\n0x8014 Directory listing\r\n0x8015 Search a file\r\n0x8019 Write data to a specified file\r\n0x8020 Read contents of specified file and upload to C2 server\r\n0x8021 Compress multiple files to a temp file (name starts with ZD) and upload to C2\r\n0x8023 Wipe specific file\r\n0x8025 Copy file time from another file (timestomping)\r\n0x8026 Shut down malware service and self-delete\r\n0x8043 Send “Not Service” unicode string to C2 server (communication test?)\r\nThis set of capabilities is very common for many Lazarus backdoors, which have been seen in other attacks against banks\r\nand the financial industry in past years.\r\nInfrastructure\r\nWhile working on the incident of the cryptocurrency company’s breach, we were curious about the legal status of the Celas\r\nLLC company that developed this trojanized trading application.\r\nCelas LLC main homepage.\r\nThe website had a valid SSL certificate issued by Comodo CA. However, note that the certificate from this webserver\r\nmentions “Domain Control Validated”: it is a domain-validated (DV) certificate, the lowest validation level a CA offers. It does not mean\r\nvalidation of the identity of the website’s owner, nor of the actual existence of the business. 
When certification authorities\r\nissue this kind of certificate they only check that the applicant has some control over the domain name, which can be abused\r\nin certain ways. In the certificate below, the Subject contains no organization (O=) field at all, only the domain name and the CA’s\r\nvalidation markers.\r\nCertificate:\r\n    Data:\r\n        Version: 3 (0x2)\r\n        Serial Number:\r\n            22:a6:49:c1:ae:61:3f:58:5a:a5:e3:cb:8b:23:f0:61\r\n    Signature Algorithm: sha256WithRSAEncryption\r\n        Issuer: C=GB, ST=Greater Manchester, L=Salford, O=COMODO CA Limited, CN=COMODO RSA Domain Validation Secure Server CA\r\n        Validity\r\n            Not Before: May 29 00:00:00 2018 GMT\r\n            Not After : May 29 23:59:59 2019 GMT\r\n        Subject: OU=Domain Control Validated, OU=PositiveSSL, CN=celasllc.com\r\n        Subject Public Key Info:\r\n            Public Key Algorithm: rsaEncryption\r\n                Public-Key: (2048 bit)\r\n                Modulus:\r\n                    00:de:0f:58:f2:68:07:d2:0f:43:5a:07:c6:53:b7:\r\n                    4a:b4:1c:4c:71:4f:a1:4e:80:e3:5a:ec:3b:90:a7:\r\n                    91:ca:42:49:71:ba:da:33:4c:e4:4f:1f:86:d9:30:\r\n                    32:a0:b1:f4:b2:f2:9c:28:97:7c:81:0f:02:d0:9c:\r\n                    36:f6:9c:d6:f9:b5:ca:23:ba:1b:84:e4:0d:8c:9f:\r\n         -- Redacted --\r\nBelow is the WHOIS record of the “celasllc.com” domain. 
The domain name was registered by an individual named “John\r\nBroox” with registrant email address “johnbroox200@gmail[.]com”.\r\nRegistrant Name: John Broox\r\nRegistrant Organization:\r\nRegistrant Street: 2141 S Archer Ave\r\nRegistrant City: Chicago\r\nRegistrant State/Province: Illinois\r\nRegistrant Postal Code: 60601\r\nRegistrant Country: US\r\nRegistrant Phone: +1.8133205751\r\nRegistrant Email: johnbroox200@gmail[.]com\r\n…\r\nName Server: 1a7ea920.bitcoin-dns.hosting\r\nName Server: a8332f3a.bitcoin-dns.hosting\r\nName Server: ad636824.bitcoin-dns.hosting\r\nName Server: c358ea2d.bitcoin-dns.hosting\r\nThe same name, “John Broox”, was used inside the installation package of the macOS version of the trading application.\r\nThe Info.plist properties file describes the package as follows:\r\n\u003c?xml version=\"1.0\" encoding=\"UTF-8\"?\u003e\r\n\u003c!DOCTYPE plist PUBLIC \"-//Apple//DTD PLIST 1.0//EN\" \"http://www.apple.com/DTDs/PropertyList-1.0.dtd\"\u003e\r\n\u003cplist version=\"1.0\"\u003e\r\n\u003cdict\u003e\r\n     \u003ckey\u003eCFBundleVersion\u003c/key\u003e\r\n     \u003cstring\u003e1.00.00\u003c/string\u003e\r\n     \u003ckey\u003eCFBundleName\u003c/key\u003e\r\n     \u003cstring\u003eCelas Trade Pro\u003c/string\u003e\r\n     \u003ckey\u003eCFBundleIconFile\u003c/key\u003e\r\n     \u003cstring\u003eCelasTradePro\u003c/string\u003e\r\n     \u003ckey\u003eCFBundlePackageType\u003c/key\u003e\r\n     \u003cstring\u003eAPPL\u003c/string\u003e\r\n     \u003ckey\u003eCFBundleGetInfoString\u003c/key\u003e\r\n     \u003cstring\u003eDeveloped by John Broox. 
CELAS LLC\u003c/string\u003e\r\n     \u003ckey\u003eCFBundleSignature\u003c/key\u003e\r\n     \u003cstring\u003eQTCELASTRADE\u003c/string\u003e\r\n     \u003ckey\u003eCFBundleExecutable\u003c/key\u003e\r\n     \u003cstring\u003eCelasTradePro\u003c/string\u003e\r\n     \u003ckey\u003eCFBundleIdentifier\u003c/key\u003e\r\n     \u003cstring\u003ecom.celasllc.CelasTradePro\u003c/string\u003e\r\n     \u003ckey\u003eNSPrincipalClass\u003c/key\u003e\r\n     \u003cstring\u003eNSApplication\u003c/string\u003e\r\n     \u003ckey\u003eNSHighResolutionCapable\u003c/key\u003e\r\n     \u003cstring\u003eTrue\u003c/string\u003e\r\n     \u003ckey\u003eLSMinimumSystemVersion\u003c/key\u003e\r\n     \u003cstring\u003e10.10.0\u003c/string\u003e\r\n\u003c/dict\u003e\r\n\u003c/plist\u003e\r\nIt looks at first sight like a legitimate WHOIS record, but something doesn’t really add up here. This email address was used to\r\nregister only one domain, celasllc.com, and apparently for nothing else.\r\nThe registrant used the Domains4Bitcoins service to register this domain, apparently paying with cryptocurrency. According\r\nto open-source intelligence, the address in the WHOIS information is fake, unless it’s the owner of a ramen shop running a\r\ncryptocurrency exchange software development studio on the side.\r\nView of the location referred to in the WHOIS record. Image source: Google Maps.\r\nThe server hosting celasllc.com (185.142.236[.]213) belongs to the Blackhost ISP in the Netherlands.\r\nWHOIS record of the celasllc.com server\r\nCoincidentally, the Fallchill malware authors also preferred to use the same hosting company to host their C2 server.\r\nMoreover, the Celas LLC web server and one of the C2 servers of the Fallchill malware are located in the same network\r\nsegment of this ISP:\r\nCelas LLC infrastructure:\r\n185.142.236[.]213: Netherlands Blackhost Ltd. 
AS174 COGENT-174\r\nFallchill malware C2 servers:\r\n196.38.48[.]121: South Africa Internet Solutions AS3741\r\n185.142.236[.]226: Netherlands Blackhost Ltd. AS174 COGENT-174\r\nAdditional attacker servers from telemetry:\r\n80.82.64[.]91: Seychelles Incrediserve Ltd AS29073\r\n185.142.239[.]173: Netherlands Blackhost Ltd. AS174 COGENT-174\r\nHowever, when you look into the digital signature of the Celas Trade Pro application, including its “Updater”, you will find that\r\nthis code-signing certificate was also issued by Comodo CA, and that it refers to a company address in the United States. Unlike the\r\nDV web certificate, this one names an organization and a postal address, both of which the issuer would have had to accept at\r\nvalidation time.\r\nCertificate:\r\n    Data:\r\n        Version: 3 (0x2)\r\n        Serial Number:\r\n            9a:73:55:0b:83:76:86:3b:d9:43:0f:aa:8b:5a:29:87\r\n    Signature Algorithm: sha256WithRSAEncryption\r\n        Issuer: C=GB, ST=Greater Manchester, L=Salford, O=COMODO CA Limited, CN=COMODO RSA Code Signing CA\r\n        Validity\r\n            Not Before: May 21 00:00:00 2018 GMT\r\n            Not After : May 21 23:59:59 2019 GMT\r\n        Subject: C=US/postalCode=49319, ST=Michigan, L=Cedar Springs/street=15519 WHITE CREEK AVE NE, O=CELAS LLC, CN=CELAS LLC\r\n        Subject Public Key Info:\r\n            Public Key Algorithm: rsaEncryption\r\n                Public-Key: (2048 bit)\r\n                Modulus:\r\n                    00:b6:31:7a:c6:68:2f:d2:03:f2:e9:61:c4:86:4f:\r\n                    46:62:e7:a6:d7:7c:bd:e6:9f:a8:83:2c:a6:44:43:\r\n                    92:da:b7:ea:cc:3d:3e:35:20:3f:9c:57:46:1c:d1:\r\n                    65:b8:28:50:29:cd:29:11:e8:56:59:85:e5:0f:19:\r\nAccording to open-source data, this address doesn’t belong to a real business, and looks on maps like a meadow with a small\r\nforest and a small real estate offering nearby.\r\nLocation of Celas LLC, according to its digital certificate\r\nReal 
estate history of that address\r\nPivoting the infrastructure a little further brings up some more suspicious things. It appears that the domain referred to two\r\nIPs, one of which was linked to a few other suspicious domains, according to PassiveDNS.\r\nCelas LLC linked infrastructure\r\nThe owners of the linked infrastructure elements preferred to use several interesting services for hosting and domain\r\nregistration. All these service providers offer a certain level of anonymity to their customers. Most of them accept Bitcoin\r\nas a main payment method to keep their customers anonymous. This is very uncommon for companies running a legitimate\r\nbusiness.\r\nHosting services linked to Celas LLC:\r\nBlackhost (https://black.host/)\r\nLiberty VPS (https://libertyvps.net/)\r\nDomain registration services linked to Celas LLC:\r\nDomains4Bitcoins (https://www.domains4bitcoins.com/)\r\nNameCheap (https://www.namecheap.com/)\r\nChangeIP (https://www.changeip.com/)\r\nNjalla (https://njal.la/)\r\nAll the facts above can make the more sceptical among us doubt the intentions of Celas LLC and the legitimacy of this\r\nbusiness. Of course, these facts alone would not be enough to accuse Celas LLC of committing a crime.\r\nAttribution\r\nKaspersky Lab has previously attributed the Fallchill malware cluster to the Lazarus group when it attacked the financial sector\r\naround the world. This was also confirmed by other security vendors and by US-CERT.\r\nRC4 key from the older Fallchill\r\nFallchill malware uses an RC4 algorithm with a 16-byte key to protect its communications. The key extracted from the\r\nFallchill variant used in the current attack is DA E1 61 FF 0C 27 95 87 17 57 A4 D6 EA E3 82 2B.\r\nCurrent RC4 key of Fallchill\r\nWe were able to confirm that some older Fallchill malware variants used exactly the same RC4 key. 
Below are Fallchill\r\nmalware samples that used the same key (the compilation timestamp may indicate the date of malware creation).\r\nMD5 Timestamp\r\n81c3a3c5a0129477b59397173fdc0b01 2017-05-26 23:37:04\r\n6cb34af551b3fb63df6c9b86900cf044 2017-06-09 17:24:30\r\n21694c8db6234df74102e8b5994b7627 2017-11-07 17:54:19\r\n5ad7d35f0617595f26d565a3b7ebc6d0 2015-10-24 01:52:11\r\nc501ea6c56ba9133c3c26a7d5ed4ce49 2017-06-09 03:59:43\r\ncafda7b3e9a4f86d4bd005075040a712 2017-11-07 17:54:33\r\ncea1a63656fb199dd5ab90528188e87c 2017-06-12 19:25:31\r\n6b061267c7ddeb160368128a933d38be 2017-11-09 17:18:06\r\n56f5088f488e50999ee6cced1f5dd6aa 2017-06-13 08:17:51\r\ncd6796f324ecb7cf34bc9bc38ce4e649 2016-04-17 03:26:56\r\nSame C2 server with older Fallchill\r\nWe have confirmed that the C2 server addresses (196.38.48[.]121, 185.142.236[.]226) used in this attack had been used by\r\nolder Fallchill variants.\r\nMD5 Timestamp\r\n94dfcabd8ba5ca94828cd5a88d6ed488 2016-10-24 02:31:18\r\n14b6d24873f19332701177208f85e776 2017-06-07 06:41:27\r\nabec84286df80704b823e698199d89f7 2017-01-18 04:29:29\r\nOverlap of C2 infrastructure\r\nApparently, the attackers using the Fallchill malware continue to reuse code and C2 server infrastructure over and over\r\nagain.\r\nAccording to Kaspersky Security Network, Fallchill was not the only malware used in this attack. There was another\r\nbackdoor that was used by the threat actor. We omit a full description of this backdoor in the current report to keep the write-up to an acceptable length, but we would like to highlight two important things discovered in it. 
First, this backdoor was\r\ncreated on 2018-07-12 and revealed an already familiar directory, “TManager”, which we previously saw in the Updater.exe\r\napplication from the Celas Trade Pro suite:\r\nH:\\DEV\\TManager\\all_BOSS_troy\\T_4.2\\T_4.2\\Server_\\x64\\Release\\ServerDll.pdb\r\nSecond, what is probably one of the most interesting findings to come from this additional backdoor was discovered hidden\r\nin the hardcoded headers used to communicate with the C2 server. The Accept-Language HTTP header string revealed a language\r\ncode associated with North Korea. In our experience, this is something we normally don’t see in malware.\r\nAccept-Language: ko-kp,ko-kr;q=0.8,ko;q=0.6,en-us;q=0.4,en;q=0.2\r\nAccept-Language HTTP header value in the body of the backdoor\r\nConclusions\r\nThe Lazarus APT group’s continuous attacks on the financial sector are not much of a surprise to anyone. A lot of research\r\nhas been done and published about such attacks. However, we think this case makes a difference. Recent investigation\r\nshows how aggressive the group is and how its strategies may evolve in the future.\r\nFirst of all, the Lazarus group has entered a new platform: macOS. There is steadily growing interest in macOS from ordinary\r\nusers, especially in IT companies. Many developers and engineers are switching to using macOS. Apparently, in the chase\r\nafter advanced users, software developers in supply chains and some high-profile targets, threat actors are forced to have\r\nmacOS malware tools. We believe that in the future Lazarus is going to support all platforms that software developers are\r\nusing as a base platform, because compromising developers opens many doors at once.\r\nWe cannot say with full certainty whether Celas LLC was compromised and the threat actor abused it to push malware\r\nthrough an update mechanism. 
However, the multiple successful Lazarus attempts to compromise supply chain companies\r\nsuggest that it will keep exploring this infection method. From all angles, the Celas LLC story looks like the threat actor has\r\nfound an elaborate way to create a legitimate looking business and inject a malicious payload into a “legitimate looking”\r\nsoftware update mechanism. Sounds logical: if one cannot compromise a supply chain, why not make a fake one?\r\nThis should be a lesson to all of us and a wake-up call to businesses relying on third-party software. Do not automatically\r\ntrust the code running on your systems. Neither a good-looking website, nor a solid company profile, nor digital certificates\r\nguarantee the absence of backdoors. Trust has to be earned and proven. Stay safe!\r\nAppendix I – Indicators of Compromise\r\nFile Hashes (malicious documents, trojans, emails, decoys)\r\nTrojanized installer and payload\r\n9e740241ca2acdc79f30ad2c3f50990a celastradepro_win_installer_1.00.00.msi\r\n4126e1f34cf282c354e17587bb6e8da3 celastradepro_win_installer_1.00.00.msi\r\n0bdb652bbe15942e866083f29fb6dd62 CelasTradePro-Installer.msi\r\n48ded52752de9f9b73c6bf9ae81cb429 celastradepro_mac_installer_1.00.00.dmg\r\nb054a7382adf6b774b15f52d971f3799 Updater.exe\r\nffae703a1e327380d85880b9037a0aeb Updater.exe\r\nbbbcf6da5a4c352e8846bf91c3358d5c Updater.exe\r\n0a15a33844c9df11f12a4889ae7b7e4b msn.exe\r\nE1ed584a672cab33af29114576ad6cce uploadmgrsvc.dll\r\nD8484469587756ce0d10a09027044808 uploadmgr.dat\r\nD7089e6bc8bd137a7241a7ad297f975d\r\nSame RC4 key 
Fallchill: see the MD5 table above\r\nSame C\u0026C server Fallchill: see the MD5 table above\r\nFile path\r\nC:\\Recovery\\msn.exe\r\nC:\\Recovery\\msndll.log\r\nC:\\Windows\\msn.exe\r\nC:\\WINDOWS\\system32\\uploadmgrsvc.dll\r\nC:\\WINDOWS\\system32\\uploadmgr.dat\r\nDomains and IPs\r\nwww.celasllc[.]com/checkupdate.php (malware distribution URL)\r\n196.38.48[.]121\r\n185.142.236[.]226\r\n80.82.64[.]91\r\n185.142.239[.]173\r\nSource: https://securelist.com/operation-applejeus/87553/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MISPGALAXY",
		"ETDA",
		"MITRE",
		"Malpedia"
	],
	"references": [
		"https://securelist.com/operation-applejeus/87553/"
	],
	"report_names": [
		"87553"
	],
	"threat_actors": [
		{
			"id": "34eea331-d052-4096-ae03-a22f1d090bd4",
			"created_at": "2025-08-07T02:03:25.073494Z",
			"updated_at": "2026-04-10T02:00:03.709243Z",
			"deleted_at": null,
			"main_name": "NICKEL ACADEMY",
			"aliases": [
				"ATK3 ",
				"Black Artemis ",
				"COVELLITE ",
				"CTG-2460 ",
				"Citrine Sleet ",
				"Diamond Sleet ",
				"Guardians of Peace",
				"HIDDEN COBRA ",
				"High Anonymous",
				"Labyrinth Chollima ",
				"Lazarus Group ",
				"NNPT Group",
				"New Romanic Cyber Army Team",
				"Temp.Hermit ",
				"UNC577 ",
				"Who Am I?",
				"Whois Team",
				"ZINC "
			],
			"source_name": "Secureworks:NICKEL ACADEMY",
			"tools": [
				"Destover",
				"KorHigh",
				"Volgmer"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "cf7fc640-acfe-41c4-9f3d-5515d53a3ffb",
			"created_at": "2023-01-06T13:46:38.228042Z",
			"updated_at": "2026-04-10T02:00:02.883048Z",
			"deleted_at": null,
			"main_name": "APT1",
			"aliases": [
				"PLA Unit 61398",
				"Comment Crew",
				"Byzantine Candor",
				"Comment Group",
				"GIF89a",
				"Group 3",
				"TG-8223",
				"Brown Fox",
				"ShadyRAT",
				"G0006",
				"COMMENT PANDA"
			],
			"source_name": "MISPGALAXY:APT1",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "544ecd2c-82c9-417c-9d98-d1ae395df964",
			"created_at": "2025-10-29T02:00:52.035025Z",
			"updated_at": "2026-04-10T02:00:05.408558Z",
			"deleted_at": null,
			"main_name": "AppleJeus",
			"aliases": [
				"AppleJeus",
				"Gleaming Pisces",
				"Citrine Sleet",
				"UNC1720",
				"UNC4736"
			],
			"source_name": "MITRE:AppleJeus",
			"tools": null,
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "732597b1-40a8-474c-88cc-eb8a421c29f1",
			"created_at": "2025-08-07T02:03:25.087732Z",
			"updated_at": "2026-04-10T02:00:03.776007Z",
			"deleted_at": null,
			"main_name": "NICKEL GLADSTONE",
			"aliases": [
				"APT38 ",
				"ATK 117 ",
				"Alluring Pisces ",
				"Black Alicanto ",
				"Bluenoroff ",
				"CTG-6459 ",
				"Citrine Sleet ",
				"HIDDEN COBRA ",
				"Lazarus Group",
				"Sapphire Sleet ",
				"Selective Pisces ",
				"Stardust Chollima ",
				"T-APT-15 ",
				"TA444 ",
				"TAG-71 "
			],
			"source_name": "Secureworks:NICKEL GLADSTONE",
			"tools": [
				"AlphaNC",
				"Bankshot",
				"CCGC_Proxy",
				"Ratankba",
				"RustBucket",
				"SUGARLOADER",
				"SwiftLoader",
				"Wcry"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "a2b92056-9378-4749-926b-7e10c4500dac",
			"created_at": "2023-01-06T13:46:38.430595Z",
			"updated_at": "2026-04-10T02:00:02.971571Z",
			"deleted_at": null,
			"main_name": "Lazarus Group",
			"aliases": [
				"Operation DarkSeoul",
				"Bureau 121",
				"Group 77",
				"APT38",
				"NICKEL GLADSTONE",
				"G0082",
				"COPERNICIUM",
				"Moonstone Sleet",
				"Operation GhostSecret",
				"APT 38",
				"Appleworm",
				"Unit 121",
				"ATK3",
				"G0032",
				"ATK117",
				"NewRomanic Cyber Army Team",
				"Nickel Academy",
				"Sapphire Sleet",
				"Lazarus group",
				"Hastati Group",
				"Subgroup: Bluenoroff",
				"Operation Troy",
				"Black Artemis",
				"Dark Seoul",
				"Andariel",
				"Labyrinth Chollima",
				"Operation AppleJeus",
				"COVELLITE",
				"Citrine Sleet",
				"DEV-0139",
				"DEV-1222",
				"Hidden Cobra",
				"Bluenoroff",
				"Stardust Chollima",
				"Whois Hacking Team",
				"Diamond Sleet",
				"TA404",
				"BeagleBoyz",
				"APT-C-26"
			],
			"source_name": "MISPGALAXY:Lazarus Group",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "32a223a8-3c79-4146-87c5-8557d38662ae",
			"created_at": "2022-10-25T15:50:23.703698Z",
			"updated_at": "2026-04-10T02:00:05.261989Z",
			"deleted_at": null,
			"main_name": "Lazarus Group",
			"aliases": [
				"Lazarus Group",
				"Labyrinth Chollima",
				"HIDDEN COBRA",
				"Guardians of Peace",
				"NICKEL ACADEMY",
				"Diamond Sleet"
			],
			"source_name": "MITRE:Lazarus Group",
			"tools": [
				"RawDisk",
				"Proxysvc",
				"BADCALL",
				"FALLCHILL",
				"WannaCry",
				"MagicRAT",
				"HOPLIGHT",
				"TYPEFRAME",
				"Dtrack",
				"HotCroissant",
				"HARDRAIN",
				"Dacls",
				"KEYMARBLE",
				"TAINTEDSCRIBE",
				"AuditCred",
				"netsh",
				"ECCENTRICBANDWAGON",
				"AppleJeus",
				"BLINDINGCAN",
				"ThreatNeedle",
				"Volgmer",
				"Cryptoistic",
				"RATANKBA",
				"Bankshot"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "f32df445-9fb4-4234-99e0-3561f6498e4e",
			"created_at": "2022-10-25T16:07:23.756373Z",
			"updated_at": "2026-04-10T02:00:04.739611Z",
			"deleted_at": null,
			"main_name": "Lazarus Group",
			"aliases": [
				"APT-C-26",
				"ATK 3",
				"Appleworm",
				"Citrine Sleet",
				"DEV-0139",
				"Diamond Sleet",
				"G0032",
				"Gleaming Pisces",
				"Gods Apostles",
				"Gods Disciples",
				"Group 77",
				"Guardians of Peace",
				"Hastati Group",
				"Hidden Cobra",
				"ITG03",
				"Jade Sleet",
				"Labyrinth Chollima",
				"Lazarus Group",
				"NewRomanic Cyber Army Team",
				"Operation 99",
				"Operation AppleJeus",
				"Operation AppleJeus sequel",
				"Operation Blockbuster: Breach of Sony Pictures Entertainment",
				"Operation CryptoCore",
				"Operation Dream Job",
				"Operation Dream Magic",
				"Operation Flame",
				"Operation GhostSecret",
				"Operation In(ter)caption",
				"Operation LolZarus",
				"Operation Marstech Mayhem",
				"Operation No Pineapple!",
				"Operation North Star",
				"Operation Phantom Circuit",
				"Operation Sharpshooter",
				"Operation SyncHole",
				"Operation Ten Days of Rain / DarkSeoul",
				"Operation Troy",
				"SectorA01",
				"Slow Pisces",
				"TA404",
				"TraderTraitor",
				"UNC2970",
				"UNC4034",
				"UNC4736",
				"UNC4899",
				"UNC577",
				"Whois Hacking Team"
			],
			"source_name": "ETDA:Lazarus Group",
			"tools": [
				"3CX Backdoor",
				"3Rat Client",
				"3proxy",
				"AIRDRY",
				"ARTFULPIE",
				"ATMDtrack",
				"AlphaNC",
				"Alreay",
				"Andaratm",
				"AngryRebel",
				"AppleJeus",
				"Aryan",
				"AuditCred",
				"BADCALL",
				"BISTROMATH",
				"BLINDINGCAN",
				"BTC Changer",
				"BUFFETLINE",
				"BanSwift",
				"Bankshot",
				"Bitrep",
				"Bitsran",
				"BlindToad",
				"Bookcode",
				"BootWreck",
				"BottomLoader",
				"Brambul",
				"BravoNC",
				"Breut",
				"COLDCAT",
				"COPPERHEDGE",
				"CROWDEDFLOUNDER",
				"Castov",
				"CheeseTray",
				"CleanToad",
				"ClientTraficForwarder",
				"CollectionRAT",
				"Concealment Troy",
				"Contopee",
				"CookieTime",
				"Cyruslish",
				"DAVESHELL",
				"DBLL Dropper",
				"DLRAT",
				"DRATzarus",
				"DRATzarus RAT",
				"Dacls",
				"Dacls RAT",
				"DarkComet",
				"DarkKomet",
				"DeltaCharlie",
				"DeltaNC",
				"Dembr",
				"Destover",
				"DoublePulsar",
				"Dozer",
				"Dtrack",
				"Duuzer",
				"DyePack",
				"ECCENTRICBANDWAGON",
				"ELECTRICFISH",
				"Escad",
				"EternalBlue",
				"FALLCHILL",
				"FYNLOS",
				"FallChill RAT",
				"Farfli",
				"Fimlis",
				"FoggyBrass",
				"FudModule",
				"Fynloski",
				"Gh0st RAT",
				"Ghost RAT",
				"Gopuram",
				"HARDRAIN",
				"HIDDEN COBRA RAT/Worm",
				"HLOADER",
				"HOOKSHOT",
				"HOPLIGHT",
				"HOTCROISSANT",
				"HOTWAX",
				"HTTP Troy",
				"Hawup",
				"Hawup RAT",
				"Hermes",
				"HotCroissant",
				"HotelAlfa",
				"Hotwax",
				"HtDnDownLoader",
				"Http Dr0pper",
				"ICONICSTEALER",
				"Joanap",
				"Jokra",
				"KANDYKORN",
				"KEYMARBLE",
				"Kaos",
				"KillDisk",
				"KillMBR",
				"Koredos",
				"Krademok",
				"LIGHTSHIFT",
				"LIGHTSHOW",
				"LOLBAS",
				"LOLBins",
				"Lazarus",
				"LightlessCan",
				"Living off the Land",
				"MATA",
				"MBRkiller",
				"MagicRAT",
				"Manuscrypt",
				"Mimail",
				"Mimikatz",
				"Moudour",
				"Mydoom",
				"Mydoor",
				"Mytob",
				"NACHOCHEESE",
				"NachoCheese",
				"NestEgg",
				"NickelLoader",
				"NineRAT",
				"Novarg",
				"NukeSped",
				"OpBlockBuster",
				"PCRat",
				"PEBBLEDASH",
				"PLANKWALK",
				"POOLRAT",
				"PSLogger",
				"PhanDoor",
				"Plink",
				"PondRAT",
				"PowerBrace",
				"PowerRatankba",
				"PowerShell RAT",
				"PowerSpritz",
				"PowerTask",
				"Preft",
				"ProcDump",
				"Proxysvc",
				"PuTTY Link",
				"QUICKRIDE",
				"QUICKRIDE.POWER",
				"Quickcafe",
				"QuiteRAT",
				"R-C1",
				"ROptimizer",
				"Ratabanka",
				"RatabankaPOS",
				"Ratankba",
				"RatankbaPOS",
				"RawDisk",
				"RedShawl",
				"Rifdoor",
				"Rising Sun",
				"Romeo-CoreOne",
				"RomeoAlfa",
				"RomeoBravo",
				"RomeoCharlie",
				"RomeoCore",
				"RomeoDelta",
				"RomeoEcho",
				"RomeoFoxtrot",
				"RomeoGolf",
				"RomeoHotel",
				"RomeoMike",
				"RomeoNovember",
				"RomeoWhiskey",
				"Romeos",
				"RustBucket",
				"SHADYCAT",
				"SHARPKNOT",
				"SIGFLIP",
				"SIMPLESEA",
				"SLICKSHOES",
				"SORRYBRUTE",
				"SUDDENICON",
				"SUGARLOADER",
				"SheepRAT",
				"SierraAlfa",
				"SierraBravo",
				"SierraCharlie",
				"SierraJuliett-MikeOne",
				"SierraJuliett-MikeTwo",
				"SimpleTea",
				"SimplexTea",
				"SmallTiger",
				"Stunnel",
				"TAINTEDSCRIBE",
				"TAXHAUL",
				"TFlower",
				"TOUCHKEY",
				"TOUCHMOVE",
				"TOUCHSHIFT",
				"TOUCHSHOT",
				"TWOPENCE",
				"TYPEFRAME",
				"Tdrop",
				"Tdrop2",
				"ThreatNeedle",
				"Tiger RAT",
				"TigerRAT",
				"Trojan Manuscript",
				"Troy",
				"TroyRAT",
				"VEILEDSIGNAL",
				"VHD",
				"VHD Ransomware",
				"VIVACIOUSGIFT",
				"VSingle",
				"ValeforBeta",
				"Volgmer",
				"Vyveva",
				"W1_RAT",
				"Wana Decrypt0r",
				"WanaCry",
				"WanaCrypt",
				"WanaCrypt0r",
				"WannaCry",
				"WannaCrypt",
				"WannaCryptor",
				"WbBot",
				"Wcry",
				"Win32/KillDisk.NBB",
				"Win32/KillDisk.NBC",
				"Win32/KillDisk.NBD",
				"Win32/KillDisk.NBH",
				"Win32/KillDisk.NBI",
				"WinorDLL64",
				"Winsec",
				"WolfRAT",
				"Wormhole",
				"YamaBot",
				"Yort",
				"ZetaNile",
				"concealment_troy",
				"http_troy",
				"httpdr0pper",
				"httpdropper",
				"klovbot",
				"sRDI"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "3aaf0755-5c9b-4612-9f0e-e266ef1bdb4b",
			"created_at": "2022-10-25T16:07:23.480196Z",
			"updated_at": "2026-04-10T02:00:04.626125Z",
			"deleted_at": null,
			"main_name": "Comment Crew",
			"aliases": [
				"APT 1",
				"BrownFox",
				"Byzantine Candor",
				"Byzantine Hades",
				"Comment Crew",
				"Comment Panda",
				"G0006",
				"GIF89a",
				"Group 3",
				"Operation Oceansalt",
				"Operation Seasalt",
				"Operation Siesta",
				"Shanghai Group",
				"TG-8223"
			],
			"source_name": "ETDA:Comment Crew",
			"tools": [
				"Auriga",
				"Cachedump",
				"Chymine",
				"CookieBag",
				"Darkmoon",
				"GDOCUPLOAD",
				"GLOOXMAIL",
				"GREENCAT",
				"Gen:Trojan.Heur.PT",
				"GetMail",
				"Hackfase",
				"Hacksfase",
				"Helauto",
				"Kurton",
				"LETSGO",
				"LIGHTBOLT",
				"LIGHTDART",
				"LOLBAS",
				"LOLBins",
				"LONGRUN",
				"Living off the Land",
				"Lslsass",
				"MAPIget",
				"ManItsMe",
				"Mimikatz",
				"MiniASP",
				"Oceansalt",
				"Pass-The-Hash Toolkit",
				"Poison Ivy",
				"ProcDump",
				"Riodrv",
				"SPIVY",
				"Seasalt",
				"ShadyRAT",
				"StarsyPound",
				"TROJAN.COOKIES",
				"TROJAN.FOXY",
				"TabMsgSQL",
				"Tarsip",
				"Trojan.GTALK",
				"WebC2",
				"WebC2-AdSpace",
				"WebC2-Ausov",
				"WebC2-Bolid",
				"WebC2-Cson",
				"WebC2-DIV",
				"WebC2-GreenCat",
				"WebC2-Head",
				"WebC2-Kt3",
				"WebC2-Qbp",
				"WebC2-Rave",
				"WebC2-Table",
				"WebC2-UGX",
				"WebC2-Yahoo",
				"Wordpress Bruteforcer",
				"bangat",
				"gsecdump",
				"pivy",
				"poisonivy",
				"pwdump",
				"zxdosml"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434774,
	"ts_updated_at": 1775792299,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/d9f35bf692aa5dc38758dbbd3a645bd3f4a000c7.pdf",
		"text": "https://archive.orkl.eu/d9f35bf692aa5dc38758dbbd3a645bd3f4a000c7.txt",
		"img": "https://archive.orkl.eu/d9f35bf692aa5dc38758dbbd3a645bd3f4a000c7.jpg"
	}
}