{
	"id": "488bcba6-6e60-499d-a661-185997e1444e",
	"created_at": "2026-04-06T00:09:23.716717Z",
	"updated_at": "2026-04-10T03:38:19.750365Z",
	"deleted_at": null,
	"sha1_hash": "dbfb3b2735795656b85bee484a2b5c834b300909",
	"title": "HIDDEN COBRA – North Korea’s DDoS Botnet Infrastructure | CISA",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 91669,
	"plain_text": "HIDDEN COBRA – North Korea’s DDoS Botnet Infrastructure |\r\nCISA\r\nPublished: 2017-08-23 · Archived: 2026-04-05 16:45:27 UTC\r\nSystems Affected\r\nNetworked Systems\r\nOverview\r\nThis joint Technical Alert (TA) is the result of analytic efforts between the Department of Homeland Security\r\n(DHS) and the Federal Bureau of Investigation (FBI). This alert provides technical details on the tools and\r\ninfrastructure used by cyber actors of the North Korean government to target the media, aerospace, financial, and\r\ncritical infrastructure sectors in the United States and globally. Working with U.S. Government partners, DHS and\r\nFBI identified Internet Protocol (IP) addresses associated with a malware variant, known as DeltaCharlie, used to\r\nmanage North Korea’s distributed denial-of-service (DDoS) botnet infrastructure. This alert contains indicators of\r\ncompromise (IOCs), malware descriptions, network signatures, and host-based rules to help network defenders\r\ndetect activity conducted by the North Korean government. The U.S. Government refers to the malicious cyber\r\nactivity by the North Korean government as HIDDEN COBRA. For more information related to HIDDEN\r\nCOBRA activity, go to https://www.us-cert.gov/hiddencobra.\r\nIf users or administrators detect the custom tools indicative of HIDDEN COBRA, these tools should be\r\nimmediately flagged, reported to the DHS National Cybersecurity Communications and Integration Center\r\n(NCCIC) or the FBI Cyber Watch (CyWatch), and given highest priority for enhanced mitigation. This alert\r\nidentifies IP addresses linked to systems infected with DeltaCharlie malware and provides descriptions of the\r\nmalware and associated malware signatures. DHS and FBI are distributing these IP addresses to enable network\r\ndefense activities and reduce exposure to the DDoS command-and-control network. 
FBI has high confidence that\r\nHIDDEN COBRA actors are using the IP addresses for further network exploitation.\r\nThis alert includes technical indicators related to specific North Korean government cyber operations and provides\r\nsuggested response actions to those indicators, recommended mitigation techniques, and information on reporting\r\nincidents to the U.S. Government.\r\nFor a downloadable copy of IOCs, see:\r\nIOCs (.csv)\r\nIOCs (.stix)\r\nOn August 23, 2017, DHS published a Malware Analysis Report (MAR-10132963) that examines malware\r\nfunctionality to provide detailed code analysis and insight into specific tactics, techniques, and procedures (TTPs)\r\nobserved in the malware.\r\nhttps://www.us-cert.gov/ncas/alerts/TA17-164A\r\nPage 1 of 8\n\nFor a downloadable copy of the MAR, see:\r\nMAR (.pdf)\r\nMAR IOCs (.stix)\r\nSince 2009, HIDDEN COBRA actors have leveraged their capabilities to target and compromise a range of\r\nvictims; some intrusions have resulted in the exfiltration of data while others have been disruptive in nature.\r\nCommercial reporting has referred to this activity as Lazarus Group[1] and Guardians of Peace.[2] DHS and\r\nFBI assess that HIDDEN COBRA actors will continue to use cyber operations to advance their government’s\r\nmilitary and strategic objectives. Cyber analysts are encouraged to review the information provided in this alert to\r\ndetect signs of malicious network activity.\r\nTools and capabilities used by HIDDEN COBRA actors include DDoS botnets, keyloggers, remote access tools\r\n(RATs), and wiper malware. Variants of malware and tools used by HIDDEN COBRA actors include Destover,[3]\r\n Wild Positron/Duuzer,[4] and Hangman.[5] DHS has previously released Alert TA14-353A,[6] which\r\ncontains additional details on the use of a server message block (SMB) worm tool employed by these actors.\r\nFurther research is needed to understand the full breadth of this group’s cyber capabilities. 
In particular, DHS\r\nrecommends that more research should be conducted on the North Korean cyber activity that has been reported by\r\ncybersecurity and threat research firms.\r\nHIDDEN COBRA actors commonly target systems running older, unsupported versions of Microsoft operating\r\nsystems. The multiple vulnerabilities in these older systems provide cyber actors many targets for exploitation.\r\nThese actors have also used Adobe Flash player vulnerabilities to gain initial entry into users’ environments.\r\nHIDDEN COBRA is known to use vulnerabilities affecting various applications. These vulnerabilities include:\r\nCVE-2015-6585: Hangul Word Processor Vulnerability\r\nCVE-2015-8651: Adobe Flash Player 18.0.0.324 and 19.x Vulnerability\r\nCVE-2016-0034: Microsoft Silverlight 5.1.41212.0 Vulnerability\r\nCVE-2016-1019: Adobe Flash Player 21.0.0.197 Vulnerability\r\nCVE-2016-4117: Adobe Flash Player 21.0.0.226 Vulnerability\r\nDHS recommends that organizations upgrade these applications to the latest version and patch level. If Adobe\r\nFlash or Microsoft Silverlight is no longer required, DHS recommends that those applications be removed from\r\nsystems.\r\nThe IOCs provided with this alert include IP addresses determined to be part of the HIDDEN COBRA botnet\r\ninfrastructure, identified as DeltaCharlie. The DeltaCharlie DDoS bot was originally reported by Novetta in their\r\n2016 Operation Blockbuster Malware Report.[7] This malware has used the IP addresses identified in the\r\naccompanying .csv and .stix files as both source and destination IPs. In some instances, the malware may have\r\nbeen present on victims’ networks for a significant period.\r\nTechnical Details\r\nDeltaCharlie is a DDoS tool used by HIDDEN COBRA actors, and is referenced and detailed in Novetta’s\r\nOperation Blockbuster Destructive Malware report. 
The information related to DeltaCharlie from the Operation\r\nBlockbuster Destructive Malware report should be viewed in conjunction with the IP addresses listed in the .csv\r\nand .stix files provided within this alert. DeltaCharlie is a DDoS tool capable of launching Domain Name System\r\n(DNS) attacks, Network Time Protocol (NTP) attacks, and Carrier Grade NAT (CGN) attacks. The malware\r\noperates on victims’ systems as an svchost-based service and is capable of downloading executables, changing its\r\nown configuration, updating its own binaries, terminating its own processes, and activating and terminating\r\ndenial-of-service attacks. Further details on the malware can be found in Novetta’s report available at the\r\nfollowing URL:\r\nhttps://www.operationblockbuster.com/wp-content/uploads/2016/02/Operation-Blockbuster-Destructive-Malware-Report.pdf\r\nDetection and Response\r\nHIDDEN COBRA IOCs related to DeltaCharlie are provided within the accompanying .csv and .stix files of this\r\nalert. DHS and FBI recommend that network administrators review the IP addresses, file hashes, network\r\nsignatures, and YARA rules provided, and add the IPs to their watchlist to determine whether malicious activity\r\nhas been observed within their organization.\r\nWhen reviewing network perimeter logs for the IP addresses, organizations may find numerous instances of these\r\nIP addresses attempting to connect to their systems. Upon reviewing the traffic from these IP addresses, system\r\nowners may find that some traffic corresponds to malicious activity and some to legitimate activity. System\r\nowners are also advised to run the YARA tool on any system they suspect to have been targeted by HIDDEN\r\nCOBRA actors. 
Additionally, the appendices of this report provide network signatures to aid in the detection and\r\nmitigation of HIDDEN COBRA activity.\r\nNetwork Signatures and Host-Based Rules\r\nThis section contains network signatures and host-based rules that can be used to detect malicious activity\r\nassociated with HIDDEN COBRA actors. Although created using a comprehensive vetting process, the possibility\r\nof false positives always remains. These signatures and rules should be used to supplement analysis and should\r\nnot be used as a sole source of attributing this activity to HIDDEN COBRA actors.\r\nNetwork Signatures\r\nalert tcp any any -\u003e any any (msg:\"DPRK_HIDDEN_COBRA_DDoS_HANDSHAKE_SUCCESS\"; dsize:6; flow:established,to_server; content:\"|18 17 e9 e9 e9 e9|\"; fast_pattern:only; sid:1; rev:1;)\r\n________________________________________________________________\r\nalert tcp any any -\u003e any any (msg:\"DPRK_HIDDEN_COBRA_Botnet_C2_Host_Beacon\"; flow:established,to_server; content:\"|1b 17 e9 e9 e9 e9|\"; depth:6; fast_pattern; sid:1; rev:1;)\r\n________________________________________________________________\r\nBoth signatures are published with sid:1. Give each a unique SID (local rules conventionally use 1000000 and above) before loading them, because Snort and Suricata key rules by gid:sid and treat a second rule with the same SID as a duplicate.\r\nYARA Rules\r\n// Rule names are added here so the rules compile; the alert publishes the rules without names.\r\nrule DPRK_HIDDEN_COBRA_RSA_Key\r\n{\r\nmeta:\r\ndescription = \"RSA Key\"\r\nstrings:\r\n$rsaKey = {7B 4E 1E A7 E9 3F 36 4C DE F4 F0 99 C4 D9 B7 94\r\nA1 FF F2 97 D3 91 13 9D C0 12 02 E4 4C BB 6C 77\r\n48 EE 6F 4B 9B 53 60 98 45 A5 28 65 8A 0B F8 39\r\n73 D7 1A 44 13 B3 6A BB 61 44 AF 31 47 E7 87 C2\r\nAE 7A A7 2C 3A D9 5C 2E 42 1A A6 78 FE 2C AD ED\r\n39 3F FA D0 AD 3D D9 C5 3D 28 EF 3D 67 B1 E0 68\r\n3F 58 A0 19 27 CC 27 C9 E8 D8 1E 7E EE 91 DD 13\r\nB3 47 EF 57 1A CA FF 9A 60 E0 64 08 AA E2 92 D0}\r\ncondition:\r\nany of them\r\n}\r\n________________________________________________________________\r\nrule DPRK_HIDDEN_COBRA_DDoS_Misspelled_Strings\r\n{\r\nmeta:\r\ndescription = \"DDoS Misspelled Strings\"\r\nstrings:\r\n$STR1 = \"Wating\" wide ascii\r\n$STR2 = \"Reamin\" wide ascii\r\n$STR3 = \"laptos\" wide ascii\r\ncondition:\r\n(uint16(0) == 0x5A4D or uint16(0) == 0xCFD0 or uint16(0) == 0xC3D4 or uint32(0) == 0x46445025 or\r\nuint32(1) == 0x6674725C) and 2 of them\r\n}\r\n________________________________________________________________\r\nrule DPRK_HIDDEN_COBRA_DDoS_Random_URL_Builder\r\n{\r\nmeta:\r\ndescription = \"DDoS Random URL Builder\"\r\nstrings:\r\n$randomUrlBuilder = { 83 EC 48 53 55 56 57 8B 3D ?? ?? ?? ?? 33 C0 C7 44 24 28 B4 6F 41 00 C7 44 24 2C B0\r\n6F 41 00 C7 44 24 30 AC 6F 41 00 C7 44 24 34 A8 6F 41 00 C7 44 24 38 A4 6F 41 00 C7 44 24 3C A0 6F 41 00\r\nC7 44 24 40 9C 6F 41 00 C7 44 24 44 94 6F 41 00 C7 44 24 48 8C 6F 41 00 C7 44 24 4C 88 6F 41 00 C7 44 24\r\n50 80 6F 41 00 89 44 24 54 C7 44 24 10 7C 6F 41 00 C7 44 24 14 78 6F 41 00 C7 44 24 18 74 6F 41 00 C7 44 24\r\n1C 70 6F 41 00 C7 44 24 20 6C 6F 41 00 89 44 24 24 FF D7 99 B9 0B 00 00 00 F7 F9 8B 74 94 28 BA 9C 6F 41\r\n00 66 8B 06 66 3B 02 74 34 8B FE 83 C9 FF 33 C0 8B 54 24 60 F2 AE 8B 6C 24 5C A1 ?? ?? ?? ?? F7 D1 49 89\r\n45 00 8B FE 33 C0 8D 5C 11 05 83 C9 FF 03 DD F2 AE F7 D1 49 8B FE 8B D1 EB 78 FF D7 99 B9 05 00 00\r\n00 8B 6C 24 5C F7 F9 83 C9 FF 33 C0 8B 74 94 10 8B 54 24 60 8B FE F2 AE F7 D1 49 BF 60 6F 41 00 8B D9\r\n83 C9 FF F2 AE F7 D1 8B C2 49 03 C3 8B FE 8D 5C 01 05 8B 0D ?? ?? ?? ?? 89 4D 00 83 C9 FF 33 C0 03 DD\r\nF2 AE F7 D1 49 8D 7C 2A 05 8B D1 C1 E9 02 F3 A5 8B CA 83 E1 03 F3 A4 BF 60 6F 41 00 83 C9 FF F2 AE\r\nF7 D1 49 BE 60 6F 41 00 8B D1 8B FE 83 C9 FF 33 C0 F2 AE F7 D1 49 8B FB 2B F9 8B CA 8B C1 C1 E9 02\r\nF3 A5 8B C8 83 E1 03 F3 A4 8B 7C 24 60 8D 75 04 57 56 E8 ?? ?? ?? ?? 83 C4 08 C6 04 3E 2E 8B C5 C6 03 00\r\n5F 5E 5D 5B 83 C4 48 C3 }\r\ncondition:\r\n$randomUrlBuilder\r\n}\r\n________________________________________________________________\r\nImpact\r\nA successful network intrusion can have severe impacts, particularly if the compromise becomes public and\r\nsensitive information is exposed. 
Possible impacts include:\r\ntemporary or permanent loss of sensitive or proprietary information,\r\ndisruption to regular operations,\r\nfinancial losses incurred to restore systems and files, and\r\npotential harm to an organization’s reputation.\r\nSolution\r\nMitigation Strategies\r\nNetwork administrators are encouraged to apply the following recommendations, which can prevent as many as\r\n85 percent of targeted cyber intrusions. The mitigation strategies provided may seem like common sense.\r\nHowever, many organizations fail to use these basic security measures, leaving their systems open to compromise:\r\n1. Patch applications and operating systems – Most attackers target vulnerable applications and operating\r\nsystems. Ensuring that applications and operating systems are patched with the latest updates greatly\r\nreduces the number of exploitable entry points available to an attacker. Use best practices when updating\r\nsoftware and patches by only downloading updates from authenticated vendor sites.\r\n2. Use application whitelisting – Whitelisting is one of the best security strategies because it allows only\r\nspecified programs to run while blocking all others, including malicious software.\r\n3. Restrict administrative privileges – Threat actors are increasingly focused on gaining control of\r\nlegitimate credentials, especially credentials associated with highly privileged accounts. Reduce privileges\r\nto only those needed for a user’s duties. Separate administrators into privilege tiers with limited access to\r\nother tiers.\r\n4. Segment networks and segregate them into security zones – Segment networks into logical enclaves\r\nand restrict host-to-host communications paths. This helps protect sensitive information and critical\r\nservices, and limits damage from network perimeter breaches.\r\n5. 
Validate input – Input validation is a method of sanitizing untrusted input provided by users of a web\r\napplication. Implementing input validation can protect against the security flaws of web applications by\r\nsignificantly reducing the probability of successful exploitation. Types of attacks possibly averted include\r\nStructured Query Language (SQL) injection, cross-site scripting, and command injection.\r\n6. Use stringent file reputation settings – Tune the file reputation systems of your anti-virus software to the\r\nmost aggressive setting possible. Some anti-virus products can limit execution to only the highest\r\nreputation files, stopping a wide range of untrustworthy code from gaining control.\r\n7. Understand firewalls – Firewalls provide security to make your network less susceptible to attack. They\r\ncan be configured to block data and applications from certain locations (IP whitelisting), while allowing\r\nrelevant and necessary data through.\r\nResponse to Unauthorized Network Access\r\nEnforce your security incident response and business continuity plan. It may take time for your organization’s\r\nIT professionals to isolate and remove threats to your systems and restore normal operations. Meanwhile, you\r\nshould take steps to maintain your organization’s essential functions according to your business continuity plan.\r\nOrganizations should maintain and regularly test backup plans, disaster recovery plans, and business continuity\r\nprocedures.\r\nContact DHS or your local FBI office immediately. 
To report an intrusion and request resources for incident\r\nresponse or technical assistance, you are encouraged to contact CISA Central (SayCISA@cisa.dhs.gov or 1-844-Say-CISA), the FBI through a local field office, or the FBI’s Cyber Division (CyWatch@fbi.gov or 855-292-3937).\r\nProtect Against SQL Injection and Other Attacks on Web Services\r\nTo protect against code injections and other attacks, system operators should routinely evaluate known and\r\npublished vulnerabilities, periodically perform software updates and technology refreshes, and audit external-facing systems for known web application vulnerabilities. They should also take the following steps to harden\r\nboth web applications and the servers hosting them to reduce the risk of network intrusion via this vector.\r\nUse and configure available firewalls to block attacks.\r\nTake steps to secure Windows systems, such as installing and configuring Microsoft’s Enhanced Mitigation\r\nExperience Toolkit (EMET) and Microsoft AppLocker.\r\nMonitor and remove any unauthorized code present in any www directories.\r\nDisable, discontinue, or disallow the use of Internet Control Message Protocol (ICMP) and Simple\r\nNetwork Management Protocol (SNMP) as much as possible.\r\nRemove unnecessary HTTP verbs from web servers. 
Typical web servers and applications only require\r\nGET, POST, and HEAD.\r\nWhere possible, minimize server fingerprinting by configuring web servers to avoid responding with\r\nbanners identifying the server software and version number.\r\nSecure both the operating system and the application.\r\nUpdate and patch production servers regularly.\r\nDisable potentially harmful SQL-stored procedure calls.\r\nSanitize and validate input to ensure that it is properly typed and does not contain escaped code.\r\nConsider using type-safe stored procedures and prepared statements.\r\nAudit transaction logs regularly for suspicious activity.\r\nPerform penetration testing on web services.\r\nEnsure error messages are generic and do not expose too much information.\r\nPermissions, Privileges, and Access Controls\r\nSystem operators should take the following steps to limit permissions, privileges, and access controls.\r\nReduce privileges to only those needed for a user’s duties.\r\nRestrict users’ ability (permissions) to install and run unwanted software applications, and apply the\r\nprinciple of “Least Privilege” to all systems and services. Restricting these privileges may prevent malware\r\nfrom running or limit its capability to spread through the network.\r\nCarefully consider the risks before granting administrative rights to users on their own machines.\r\nScrub and verify all administrator accounts regularly.\r\nConfigure Group Policy to restrict all users to only one login session, where possible.\r\nEnforce secure network authentication, where possible.\r\nInstruct administrators to use non-privileged accounts for standard functions such as web browsing or\r\nchecking webmail.\r\nSegment networks into logical enclaves and restrict host-to-host communication paths. 
Containment\r\nprovided by enclaving also makes incident cleanup significantly less costly.\r\nConfigure firewalls to disallow Remote Desktop Protocol (RDP) traffic coming from outside of the\r\nnetwork boundary, except in specific configurations such as when tunneled through a secondary virtual\r\nprivate network (VPN) with lower privileges.\r\nAudit existing firewall rules and close all ports that are not explicitly needed for business. Specifically,\r\ncarefully consider which ports should be connecting outbound versus inbound.\r\nEnforce a strict lockout policy for network users and closely monitor logs for failed login activity. Failed\r\nlogin activity can be indicative of failed intrusion activity.\r\nIf remote access between zones is an unavoidable business need, log and monitor these connections\r\nclosely.\r\nIn environments with a high risk of interception or intrusion, organizations should consider supplementing\r\npassword authentication with other forms of authentication such as challenge/response or multifactor\r\nauthentication using biometric or physical tokens.\r\nLogging Practices\r\nSystem operators should follow these secure logging practices.\r\nEnsure event logging, including applications, events, login activities, and security attributes, is turned on or\r\nmonitored for identification of security issues.\r\nConfigure network logs to provide adequate information to assist in quickly developing an accurate\r\ndetermination of a security incident.\r\nUpgrade PowerShell to new versions with enhanced logging features and monitor the logs to detect usage\r\nof PowerShell commands, which are often malware-related.\r\nSecure logs in a centralized location and protect them from modification.\r\nPrepare an incident response plan that can be rapidly administered in case of a cyber intrusion.\r\nReferences\r\n[1] IBM. 
Actor Lazarus Group – Blog Post by IBM X-Force Exchange.\r\n[2] AlienVault. Operation Blockbuster Unveils the Actors Behind the Sony Attacks.\r\n[3] Symantec. Destover: Destructive Malware has links back to attacks on South Korea.\r\n[4] Symantec. Duuzer back door Trojan targets South Korea to take over computers.\r\n[5] FireEye. Zero-Day HWP Exploit.\r\n[7] Novetta. Operation Blockbuster Destructive Malware Report.\r\nRevisions\r\nJune 13, 2017: Initial Release\r\nAugust 23, 2017: Updated YARA Rules and included MAR-10132963 (.pdf and .stix files)\r\nSource: https://www.us-cert.gov/ncas/alerts/TA17-164A",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MITRE",
		"MISPGALAXY",
		"Malpedia"
	],
	"references": [
		"https://www.us-cert.gov/ncas/alerts/TA17-164A"
	],
	"report_names": [
		"TA17-164A"
	],
	"threat_actors": [
		{
			"id": "34eea331-d052-4096-ae03-a22f1d090bd4",
			"created_at": "2025-08-07T02:03:25.073494Z",
			"updated_at": "2026-04-10T02:00:03.709243Z",
			"deleted_at": null,
			"main_name": "NICKEL ACADEMY",
			"aliases": [
				"ATK3 ",
				"Black Artemis ",
				"COVELLITE ",
				"CTG-2460 ",
				"Citrine Sleet ",
				"Diamond Sleet ",
				"Guardians of Peace",
				"HIDDEN COBRA ",
				"High Anonymous",
				"Labyrinth Chollima ",
				"Lazarus Group ",
				"NNPT Group",
				"New Romanic Cyber Army Team",
				"Temp.Hermit ",
				"UNC577 ",
				"Who Am I?",
				"Whois Team",
				"ZINC "
			],
			"source_name": "Secureworks:NICKEL ACADEMY",
			"tools": [
				"Destover",
				"KorHigh",
				"Volgmer"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "732597b1-40a8-474c-88cc-eb8a421c29f1",
			"created_at": "2025-08-07T02:03:25.087732Z",
			"updated_at": "2026-04-10T02:00:03.776007Z",
			"deleted_at": null,
			"main_name": "NICKEL GLADSTONE",
			"aliases": [
				"APT38 ",
				"ATK 117 ",
				"Alluring Pisces ",
				"Black Alicanto ",
				"Bluenoroff ",
				"CTG-6459 ",
				"Citrine Sleet ",
				"HIDDEN COBRA ",
				"Lazarus Group",
				"Sapphire Sleet ",
				"Selective Pisces ",
				"Stardust Chollima ",
				"T-APT-15 ",
				"TA444 ",
				"TAG-71 "
			],
			"source_name": "Secureworks:NICKEL GLADSTONE",
			"tools": [
				"AlphaNC",
				"Bankshot",
				"CCGC_Proxy",
				"Ratankba",
				"RustBucket",
				"SUGARLOADER",
				"SwiftLoader",
				"Wcry"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "a2b92056-9378-4749-926b-7e10c4500dac",
			"created_at": "2023-01-06T13:46:38.430595Z",
			"updated_at": "2026-04-10T02:00:02.971571Z",
			"deleted_at": null,
			"main_name": "Lazarus Group",
			"aliases": [
				"Operation DarkSeoul",
				"Bureau 121",
				"Group 77",
				"APT38",
				"NICKEL GLADSTONE",
				"G0082",
				"COPERNICIUM",
				"Moonstone Sleet",
				"Operation GhostSecret",
				"APT 38",
				"Appleworm",
				"Unit 121",
				"ATK3",
				"G0032",
				"ATK117",
				"NewRomanic Cyber Army Team",
				"Nickel Academy",
				"Sapphire Sleet",
				"Lazarus group",
				"Hastati Group",
				"Subgroup: Bluenoroff",
				"Operation Troy",
				"Black Artemis",
				"Dark Seoul",
				"Andariel",
				"Labyrinth Chollima",
				"Operation AppleJeus",
				"COVELLITE",
				"Citrine Sleet",
				"DEV-0139",
				"DEV-1222",
				"Hidden Cobra",
				"Bluenoroff",
				"Stardust Chollima",
				"Whois Hacking Team",
				"Diamond Sleet",
				"TA404",
				"BeagleBoyz",
				"APT-C-26"
			],
			"source_name": "MISPGALAXY:Lazarus Group",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "32a223a8-3c79-4146-87c5-8557d38662ae",
			"created_at": "2022-10-25T15:50:23.703698Z",
			"updated_at": "2026-04-10T02:00:05.261989Z",
			"deleted_at": null,
			"main_name": "Lazarus Group",
			"aliases": [
				"Lazarus Group",
				"Labyrinth Chollima",
				"HIDDEN COBRA",
				"Guardians of Peace",
				"NICKEL ACADEMY",
				"Diamond Sleet"
			],
			"source_name": "MITRE:Lazarus Group",
			"tools": [
				"RawDisk",
				"Proxysvc",
				"BADCALL",
				"FALLCHILL",
				"WannaCry",
				"MagicRAT",
				"HOPLIGHT",
				"TYPEFRAME",
				"Dtrack",
				"HotCroissant",
				"HARDRAIN",
				"Dacls",
				"KEYMARBLE",
				"TAINTEDSCRIBE",
				"AuditCred",
				"netsh",
				"ECCENTRICBANDWAGON",
				"AppleJeus",
				"BLINDINGCAN",
				"ThreatNeedle",
				"Volgmer",
				"Cryptoistic",
				"RATANKBA",
				"Bankshot"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "f32df445-9fb4-4234-99e0-3561f6498e4e",
			"created_at": "2022-10-25T16:07:23.756373Z",
			"updated_at": "2026-04-10T02:00:04.739611Z",
			"deleted_at": null,
			"main_name": "Lazarus Group",
			"aliases": [
				"APT-C-26",
				"ATK 3",
				"Appleworm",
				"Citrine Sleet",
				"DEV-0139",
				"Diamond Sleet",
				"G0032",
				"Gleaming Pisces",
				"Gods Apostles",
				"Gods Disciples",
				"Group 77",
				"Guardians of Peace",
				"Hastati Group",
				"Hidden Cobra",
				"ITG03",
				"Jade Sleet",
				"Labyrinth Chollima",
				"Lazarus Group",
				"NewRomanic Cyber Army Team",
				"Operation 99",
				"Operation AppleJeus",
				"Operation AppleJeus sequel",
				"Operation Blockbuster: Breach of Sony Pictures Entertainment",
				"Operation CryptoCore",
				"Operation Dream Job",
				"Operation Dream Magic",
				"Operation Flame",
				"Operation GhostSecret",
				"Operation In(ter)caption",
				"Operation LolZarus",
				"Operation Marstech Mayhem",
				"Operation No Pineapple!",
				"Operation North Star",
				"Operation Phantom Circuit",
				"Operation Sharpshooter",
				"Operation SyncHole",
				"Operation Ten Days of Rain / DarkSeoul",
				"Operation Troy",
				"SectorA01",
				"Slow Pisces",
				"TA404",
				"TraderTraitor",
				"UNC2970",
				"UNC4034",
				"UNC4736",
				"UNC4899",
				"UNC577",
				"Whois Hacking Team"
			],
			"source_name": "ETDA:Lazarus Group",
			"tools": [
				"3CX Backdoor",
				"3Rat Client",
				"3proxy",
				"AIRDRY",
				"ARTFULPIE",
				"ATMDtrack",
				"AlphaNC",
				"Alreay",
				"Andaratm",
				"AngryRebel",
				"AppleJeus",
				"Aryan",
				"AuditCred",
				"BADCALL",
				"BISTROMATH",
				"BLINDINGCAN",
				"BTC Changer",
				"BUFFETLINE",
				"BanSwift",
				"Bankshot",
				"Bitrep",
				"Bitsran",
				"BlindToad",
				"Bookcode",
				"BootWreck",
				"BottomLoader",
				"Brambul",
				"BravoNC",
				"Breut",
				"COLDCAT",
				"COPPERHEDGE",
				"CROWDEDFLOUNDER",
				"Castov",
				"CheeseTray",
				"CleanToad",
				"ClientTraficForwarder",
				"CollectionRAT",
				"Concealment Troy",
				"Contopee",
				"CookieTime",
				"Cyruslish",
				"DAVESHELL",
				"DBLL Dropper",
				"DLRAT",
				"DRATzarus",
				"DRATzarus RAT",
				"Dacls",
				"Dacls RAT",
				"DarkComet",
				"DarkKomet",
				"DeltaCharlie",
				"DeltaNC",
				"Dembr",
				"Destover",
				"DoublePulsar",
				"Dozer",
				"Dtrack",
				"Duuzer",
				"DyePack",
				"ECCENTRICBANDWAGON",
				"ELECTRICFISH",
				"Escad",
				"EternalBlue",
				"FALLCHILL",
				"FYNLOS",
				"FallChill RAT",
				"Farfli",
				"Fimlis",
				"FoggyBrass",
				"FudModule",
				"Fynloski",
				"Gh0st RAT",
				"Ghost RAT",
				"Gopuram",
				"HARDRAIN",
				"HIDDEN COBRA RAT/Worm",
				"HLOADER",
				"HOOKSHOT",
				"HOPLIGHT",
				"HOTCROISSANT",
				"HOTWAX",
				"HTTP Troy",
				"Hawup",
				"Hawup RAT",
				"Hermes",
				"HotCroissant",
				"HotelAlfa",
				"Hotwax",
				"HtDnDownLoader",
				"Http Dr0pper",
				"ICONICSTEALER",
				"Joanap",
				"Jokra",
				"KANDYKORN",
				"KEYMARBLE",
				"Kaos",
				"KillDisk",
				"KillMBR",
				"Koredos",
				"Krademok",
				"LIGHTSHIFT",
				"LIGHTSHOW",
				"LOLBAS",
				"LOLBins",
				"Lazarus",
				"LightlessCan",
				"Living off the Land",
				"MATA",
				"MBRkiller",
				"MagicRAT",
				"Manuscrypt",
				"Mimail",
				"Mimikatz",
				"Moudour",
				"Mydoom",
				"Mydoor",
				"Mytob",
				"NACHOCHEESE",
				"NachoCheese",
				"NestEgg",
				"NickelLoader",
				"NineRAT",
				"Novarg",
				"NukeSped",
				"OpBlockBuster",
				"PCRat",
				"PEBBLEDASH",
				"PLANKWALK",
				"POOLRAT",
				"PSLogger",
				"PhanDoor",
				"Plink",
				"PondRAT",
				"PowerBrace",
				"PowerRatankba",
				"PowerShell RAT",
				"PowerSpritz",
				"PowerTask",
				"Preft",
				"ProcDump",
				"Proxysvc",
				"PuTTY Link",
				"QUICKRIDE",
				"QUICKRIDE.POWER",
				"Quickcafe",
				"QuiteRAT",
				"R-C1",
				"ROptimizer",
				"Ratabanka",
				"RatabankaPOS",
				"Ratankba",
				"RatankbaPOS",
				"RawDisk",
				"RedShawl",
				"Rifdoor",
				"Rising Sun",
				"Romeo-CoreOne",
				"RomeoAlfa",
				"RomeoBravo",
				"RomeoCharlie",
				"RomeoCore",
				"RomeoDelta",
				"RomeoEcho",
				"RomeoFoxtrot",
				"RomeoGolf",
				"RomeoHotel",
				"RomeoMike",
				"RomeoNovember",
				"RomeoWhiskey",
				"Romeos",
				"RustBucket",
				"SHADYCAT",
				"SHARPKNOT",
				"SIGFLIP",
				"SIMPLESEA",
				"SLICKSHOES",
				"SORRYBRUTE",
				"SUDDENICON",
				"SUGARLOADER",
				"SheepRAT",
				"SierraAlfa",
				"SierraBravo",
				"SierraCharlie",
				"SierraJuliett-MikeOne",
				"SierraJuliett-MikeTwo",
				"SimpleTea",
				"SimplexTea",
				"SmallTiger",
				"Stunnel",
				"TAINTEDSCRIBE",
				"TAXHAUL",
				"TFlower",
				"TOUCHKEY",
				"TOUCHMOVE",
				"TOUCHSHIFT",
				"TOUCHSHOT",
				"TWOPENCE",
				"TYPEFRAME",
				"Tdrop",
				"Tdrop2",
				"ThreatNeedle",
				"Tiger RAT",
				"TigerRAT",
				"Trojan Manuscript",
				"Troy",
				"TroyRAT",
				"VEILEDSIGNAL",
				"VHD",
				"VHD Ransomware",
				"VIVACIOUSGIFT",
				"VSingle",
				"ValeforBeta",
				"Volgmer",
				"Vyveva",
				"W1_RAT",
				"Wana Decrypt0r",
				"WanaCry",
				"WanaCrypt",
				"WanaCrypt0r",
				"WannaCry",
				"WannaCrypt",
				"WannaCryptor",
				"WbBot",
				"Wcry",
				"Win32/KillDisk.NBB",
				"Win32/KillDisk.NBC",
				"Win32/KillDisk.NBD",
				"Win32/KillDisk.NBH",
				"Win32/KillDisk.NBI",
				"WinorDLL64",
				"Winsec",
				"WolfRAT",
				"Wormhole",
				"YamaBot",
				"Yort",
				"ZetaNile",
				"concealment_troy",
				"http_troy",
				"httpdr0pper",
				"httpdropper",
				"klovbot",
				"sRDI"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434163,
	"ts_updated_at": 1775792299,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/dbfb3b2735795656b85bee484a2b5c834b300909.pdf",
		"text": "https://archive.orkl.eu/dbfb3b2735795656b85bee484a2b5c834b300909.txt",
		"img": "https://archive.orkl.eu/dbfb3b2735795656b85bee484a2b5c834b300909.jpg"
	}
}
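Added example, not code from the CISA alert or from any of the vendors it cites: a plain-Python re-implementation of the matching logic behind the two Snort signatures in the alert's Network Signatures section and its DDoS Misspelled Strings YARA rule, so the indicators can be tried against captured TCP payloads or files on a host that has neither Snort nor YARA. The session segments and file blobs are constructed stand-ins (not captured traffic or real samples), the function names are this example's own, and the magic-number decoding follows YARA's little-endian uintN() semantics.

```python
"""Plain-Python emulation of the TA17-164A DeltaCharlie indicators.

Added example, not code from the CISA alert. It re-implements the matching
logic of the alert's two Snort signatures and its "DDoS Misspelled Strings"
YARA rule so the indicators can be tried against captured TCP payloads or
files on a box without Snort or YARA. The sample session and sample files
below are constructed for the demonstration; they are not captured traffic
or real malware.
"""
import struct
from typing import Dict, Iterable, List, Optional, Tuple

# content:"|18 17 e9 e9 e9 e9|" with dsize:6 -> DPRK_HIDDEN_COBRA_DDoS_HANDSHAKE_SUCCESS
HANDSHAKE = bytes.fromhex("1817e9e9e9e9")
# content:"|1b 17 e9 e9 e9 e9|" with depth:6 -> DPRK_HIDDEN_COBRA_Botnet_C2_Host_Beacon
BEACON = bytes.fromhex("1b17e9e9e9e9")

MISSPELLED = [b"Wating", b"Reamin", b"laptos"]  # $STR1..$STR3, "wide ascii"


def match_snort(payload: bytes, to_server: bool, established: bool = True) -> List[str]:
    """Return the msg names of the Snort rules that fire on one TCP segment.

    Both rules carry flow:established,to_server, so direction and session
    state gate them. dsize:6 requires the payload to be exactly 6 bytes.
    depth:6 with a 6-byte content means the content must occupy the first
    6 bytes, i.e. a prefix match (fast_pattern only affects engine speed).
    """
    if not (established and to_server):
        return []
    hits = []
    if len(payload) == 6 and payload == HANDSHAKE:
        hits.append("DPRK_HIDDEN_COBRA_DDoS_HANDSHAKE_SUCCESS")
    if payload[:6] == BEACON:
        hits.append("DPRK_HIDDEN_COBRA_Botnet_C2_Host_Beacon")
    return hits


def scan_session(segments: Iterable[Tuple[str, bytes]]) -> List[Tuple[int, str]]:
    """Run match_snort over (direction, payload) segments of one established
    session; direction is 'c2s' (client to server) or 's2c'. Returns
    (segment index, rule msg) pairs in the order Snort would alert."""
    alerts = []
    for i, (direction, payload) in enumerate(segments):
        for msg in match_snort(payload, to_server=(direction == "c2s")):
            alerts.append((i, msg))
    return alerts


def _uint(data: bytes, fmt: str, offset: int) -> Optional[int]:
    """YARA-style uintN(offset): little-endian read, undefined (None) when
    the file is too short for the read."""
    size = struct.calcsize(fmt)
    if len(data) < offset + size:
        return None
    return struct.unpack_from(fmt, data, offset)[0]


def has_file_magic(data: bytes) -> bool:
    """The YARA rule's file-type gate. Decoded little-endian: 0x5A4D is "MZ"
    (PE), 0xCFD0 is the OLE2 header D0 CF, 0xC3D4 is the pcap magic D4 C3,
    0x46445025 at 0 is "%PDF" and 0x6674725C at offset 1 is "\\rtf"
    (so the file starts "{\\rtf")."""
    return (_uint(data, "<H", 0) in (0x5A4D, 0xCFD0, 0xC3D4)
            or _uint(data, "<I", 0) == 0x46445025
            or _uint(data, "<I", 1) == 0x6674725C)


def match_misspelled_strings(data: bytes) -> Dict[str, object]:
    """Emulate 'DDoS Misspelled Strings': magic gate AND 2 of the 3 strings,
    each accepted as ASCII or as UTF-16LE (YARA's 'wide' modifier)."""
    found = [s.decode() for s in MISSPELLED
             if s in data or s.decode().encode("utf-16-le") in data]
    return {"match": has_file_magic(data) and len(found) >= 2, "strings": found}


# Constructed sample session (not captured traffic) on an established TCP stream.
SAMPLE_SESSION = [
    ("c2s", BEACON + b"\x00\x10host-data"),  # beacon plus trailing data: depth:6 still hits
    ("s2c", HANDSHAKE),                      # right bytes, wrong direction: no alert
    ("c2s", HANDSHAKE),                      # exactly 6 bytes client->server: handshake hits
    ("c2s", HANDSHAKE + b"\x00"),            # 7 bytes: dsize:6 fails, not a beacon prefix
    ("c2s", b"\x00" + BEACON),               # beacon shifted by one byte: outside depth:6
]

# Constructed sample files (stand-ins, not real samples).
SAMPLE_FILES = {
    "pe_two_strings": b"MZ" + b"\x90" * 62 + b"Wating\x00" + "Reamin".encode("utf-16-le"),
    "text_three_strings": b"Wating Reamin laptos",   # all strings, but no recognised magic
    "pe_one_string": b"MZ\x90\x00laptos",           # magic, but only 1 of 3 strings
    "rtf_two_strings": b"{\\rtf1 Wating laptos}",    # uint32(1) == 0x6674725C gate
}

if __name__ == "__main__":
    for idx, msg in scan_session(SAMPLE_SESSION):
        print(f"segment {idx}: {msg}")
    for name, blob in SAMPLE_FILES.items():
        print(f"{name}: {match_misspelled_strings(blob)}")
```

The shifted-beacon and seven-byte-handshake segments show why depth and dsize matter when porting the signatures to another engine: dropping either constraint would make the rules fire on any stream that merely contains the six bytes, which is the false-positive risk the alert warns about.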