{
	"id": "c67b17b5-00ca-45f0-9f0e-8c2d558c02eb",
	"created_at": "2026-04-06T00:09:53.685902Z",
	"updated_at": "2026-04-10T03:38:19.174288Z",
	"deleted_at": null,
	"sha1_hash": "e139527bfceae9a06b3cb191103eeb6ed127bda3",
	"title": "Lazarus luring employees with trojanized coding challenges: The case of a Spanish aerospace company",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 687206,
	"plain_text": "Lazarus luring employees with trojanized coding challenges: The case of\r\na Spanish aerospace company\r\nBy Peter Kálnai\r\nArchived: 2026-04-05 17:24:31 UTC\r\nESET researchers have uncovered a Lazarus attack against an aerospace company in Spain, where the group deployed\r\nseveral tools, most notably a publicly undocumented backdoor we named LightlessCan. Lazarus operators obtained initial\r\naccess to the company’s network last year after a successful spearphishing campaign, masquerading as a recruiter for Meta –\r\nthe company behind Facebook, Instagram, and WhatsApp.\r\nThe fake recruiter contacted the victim via LinkedIn Messaging, a feature within the LinkedIn professional social\r\nnetworking platform, and sent two coding challenges required as part of a hiring process, which the victim downloaded and\r\nexecuted on a company device. The first challenge is a very basic project that displays the text “Hello, World!”, the second\r\none prints a Fibonacci sequence – a series of numbers in which each number is the sum of the two preceding ones. ESET\r\nResearch was able to reconstruct the initial access steps and analyze the toolset used by Lazarus thanks to cooperation with\r\nthe affected aerospace company.\r\nIn this blogpost, we describe the method of infiltration and the tools deployed during this Lazarus attack. 
We will also\r\npresent some of our findings about this attack at the Virus Bulletin conference on October 4, 2023.\r\nKey points of the blogpost:\r\nEmployees of the targeted company were contacted by a fake recruiter via LinkedIn and tricked into\r\nopening a malicious executable presenting itself as a coding challenge or quiz.\r\nWe identified four different execution chains, delivering three types of payloads via DLL side-loading .\r\nThe most notable payload is the LightlessCan backdoor, implementing techniques to hinder detection by\r\nreal-time security monitoring software and analysis by cybersecurity professionals; this presents a major\r\nshift in comparison with its predecessor BlindingCan, a flagship HTTP(S) Lazarus RAT.\r\nWe attribute this activity with a high level of confidence to Lazarus, particularly to its campaigns related to\r\nOperation DreamJob.\r\nThe final goal of the attack was cyberespionage.\r\nLazarus delivered various payloads to the victims’ systems; the most notable is a publicly undocumented and sophisticated\r\nremote access trojan (RAT) that we named LightlessCan, which represents a significant advancement compared to its\r\npredecessor, BlindingCan. LightlessCan mimics the functionalities of a wide range of native Windows commands, enabling\r\ndiscreet execution within the RAT itself instead of noisy console executions. This strategic shift enhances stealthiness,\r\nmaking detecting and analyzing the attacker’s activities more challenging.\r\nAnother mechanism used to minimize exposure is the employment of execution guardrails; Lazarus made sure the payload\r\ncan only be decrypted on the intended victim’s machine. Execution guardrails are a set of protective protocols and\r\nmechanisms implemented to safeguard the integrity and confidentiality of the payload during its deployment and execution,\r\neffectively preventing unauthorized decryption on unintended machines, such as those of security researchers. 
We describe\r\nthe implementation of this mechanism in the Execution chain 3: LightlessCan (complex version) section.\r\nAttribution to the Lazarus group\r\nThe Lazarus group (also known as HIDDEN COBRA) is a cyberespionage group linked to North Korea that has been active\r\nsince at least 2009. It is responsible for high-profile incidents such as both the Sony Pictures Entertainment hack and tens-of-millions-of-dollar cyberheists in 2016, the WannaCryptor (aka WannaCry) outbreak in 2017, the 3CX and X_TRADER\r\nsupply-chain attacks, and a long history of disruptive attacks against South Korean public and critical infrastructure since at\r\nleast 2011. The diversity, number, and eccentricity in implementation of Lazarus campaigns define this group, as well as that\r\nit performs all three pillars of cybercriminal activities: cyberespionage, cybersabotage, and pursuit of financial gain.\r\nAerospace companies are not an unusual target for North Korea-aligned advanced persistent threat (APT) groups. The\r\ncountry has conducted multiple nuclear tests and launched intercontinental ballistic missiles, which violate United Nations\r\n(UN) Security Council resolutions. The UN monitors North Korea’s nuclear activities to prevent further development and\r\nproliferation of nuclear weapons or weapons of mass destruction, and publishes biannual reports tracking such activities.\r\nAccording to these reports, North Korea-aligned APT groups attack aerospace companies in attempts to access sensitive\r\ntechnology and aerospace know-how, as intercontinental ballistic missiles spend their midcourse phase in the space outside\r\nof Earth’s atmosphere. 
These reports also claim that money gained from cyberattacks accounts for a portion of North\r\nKorea’s missile development costs.\r\nhttps://www.welivesecurity.com/en/eset-research/lazarus-luring-employees-trojanized-coding-challenges-case-spanish-aerospace-company/\r\nPage 1 of 16\n\nWe attribute the attack in Spain to the Lazarus group, specifically to Operation DreamJob, with a high level of confidence.\r\nThe name for Operation DreamJob was coined in a blogpost by ClearSky from August 2020, describing a Lazarus campaign\r\ntargeting defense and aerospace companies, with the objective of cyberespionage. Since then, we have loosely used the term\r\nto denote various Lazarus operations leveraging job-offering lures but not deploying tools clearly similar to those involved\r\nin its other activities, such as Operation In(ter)ception. For example, the campaign involving tools signed with 2 TOY\r\nGUYS certificates (see ESET Threat Report T1 2021, page 11), and the case of Amazon-themed lures in the Netherlands and\r\nBelgium published in September 2022.\r\nOur attribution is based on the following factors, which show a relationship mostly with the previously mentioned Amazon-themed campaign:\r\n1. Malware (the intrusion set):\r\nInitial access was obtained by making contact via LinkedIn and then convincing the target to execute malware,\r\ndisguised as a test, in order to succeed in a hiring process. This is a known Lazarus tactic, used at least since\r\nOperation DreamJob.\r\nWe observed new variants of payloads that were previously identified in the Dutch case from last year, such as\r\nintermediate loaders and the BlindingCan backdoor linked with Lazarus.\r\nMultiple types of strong encryption were leveraged in the tools of this Lazarus campaign – AES-128 and RC6 with a\r\n256-bit key – that were also used in the Amazon-themed campaign.\r\n2. 
Infrastructure:\r\nFor the first-level C\u0026C servers (listed in the Network section at the end of this blogpost), the attackers do not set up\r\ntheir own servers, but compromise existing ones, usually those having poor security and that host sites with neglected\r\nmaintenance. This is typical Lazarus behavior, but on its own only a weak-confidence indicator.\r\n3. Cui bono:\r\nPilfering the know-how of an aerospace company is aligned with long-term goals manifested by Lazarus.\r\nInitial access\r\nThe group targeted multiple company employees via LinkedIn Messaging. Masquerading as a Meta recruiter, the attacker\r\nused a job offer lure to attract the target’s attention and trust; a screenshot of this conversation, which we obtained during\r\nour cooperation with the Spanish aerospace company, is depicted in Figure 1.\r\nFigure 1. The initial contact by the attacker impersonating a recruiter from Meta\r\nAt the beginning of Lazarus attacks, the unaware targets are usually convinced to recklessly self-compromise their systems.\r\nFor this purpose, the attackers employ different strategies; for example, the target is lured to execute an attacker-provided\r\n(and trojanized) PDF viewer to see the full content of a job offer. Alternatively, the target is encouraged to connect with a\r\ntrojanized SSL/VPN client, being provided with an IP address and login details. Both scenarios are described in a Microsoft\r\nblogpost published in September 2022. The narrative in this case was the scammer’s request to prove the victim’s\r\nproficiency in the C++ programming language.\r\nTwo malicious executables, Quiz1.exe and Quiz2.exe, were provided for that purpose and delivered via the Quiz1.iso and\r\nQuiz2.iso images hosted on a third-party cloud storage platform. 
Both executables are very simple command line\r\napplications asking for input.\r\nThe first one is a Hello World project, which is a very basic program, often consisting of just a single line of code, that\r\ndisplays the text “Hello, World!” when executed. The second prints a Fibonacci sequence up to the largest element smaller\r\nthan the number entered as input. A Fibonacci sequence is a series of numbers in which each number is the sum of the two\r\npreceding ones, typically starting with 0 and 1; however, in this malicious challenge, the sequence starts with 1 and 2. Figure\r\n2 displays example output from the Fibonacci sequence challenge. After the output is printed, both executables trigger the\r\nmalicious action of installing additional payloads from the ISO images onto the target’s system. The task for a targeted\r\ndeveloper is to understand the logic of the program and rewrite it in the C++ programming language.\r\nFigure 2. The output of the decoy program Quiz2.exe\r\nThe chain of events that led to the initial compromise is sketched in Figure 3. The first payload delivered to the target’s\r\nsystem is an HTTP(S) downloader that we have named NickelLoader. The tool allows the attackers to deploy any desired\r\nprogram into the memory of the victim’s computer.\r\nFigure 3. The chain of events completing the initial access\r\nPost-compromise toolset\r\nOnce NickelLoader is running on the target’s system, the attackers use it to deliver two types of RATs. One of these RATs is\r\nalready known to be part of the Lazarus toolkit, specifically a variant of the BlindingCan backdoor with limited functionality\r\nbut identical command processing logic. 
To distinguish it, we put the prefix mini- in front of the variant’s name.\r\nAdditionally, the attackers introduced a RAT not previously documented publicly, which we have named LightlessCan.\r\nThe RATs are deployed as the final step of chains of stages with varying levels of complexity and are preceded by helper\r\nexecutables, like droppers and loaders. We denote an executable as a dropper if it contains an embedded payload, even if it’s\r\nnot dropped onto the file system but instead loaded directly into memory and executed. Malware that doesn’t have an\r\nencrypted embedded data array, but that loads a payload from the file system, we denote as a loader.\r\nBesides the initial quiz-related lures, Table 1 summarizes the executable files (EXEs) and dynamic link libraries (DLLs)\r\ndelivered to the victim’s system. All the malware samples in the third column are trojanized open-source applications (see\r\nthe fourth column for the underlying project), with a legitimate executable side-loading a malicious DLL. For example, the\r\nmalicious mscoree.dll is a trojanized version of the legitimate NppyPluginDll; the DLL contains an embedded NickelLoader\r\nand is loaded by a legitimate PresentationHost.exe, both located in the C:\\ProgramShared directory.\r\nTable 1. 
Summary of binaries involved in the attack\r\nLocation directory | Legitimate parent process | Malicious side-loaded DLL | Trojanized project (payload)\r\nC:\\ProgramShared\\ | PresentationHost.exe | mscoree.dll | NppyPluginDll (NickelLoader)\r\nC:\\ProgramData\\Adobe\\ | colorcpl.exe | colorui.dll | LibreSSL 2.6.5 (miniBlindingCan)\r\nC:\\ProgramData\\Oracle\\Java\\ | fixmapi.exe | mapistub.dll | Lua plugin for Notepad++ 1.4.0.0 (LightlessCan)\r\nC:\\ProgramData\\Adobe\\ARM\\ | tabcal.exe | HID.dll | MZC8051 for Notepad++ 3.2 (LightlessCan)\r\nLightlessCan – new backdoor\r\nThe most interesting payload used in this campaign is LightlessCan, a successor of the group’s flagship HTTP(S) Lazarus\r\nRAT named BlindingCan. LightlessCan is a new complex RAT that has support for up to 68 distinct commands, indexed in a\r\ncustom function table, but in the current version, 1.0, only 43 of those commands are implemented with some functionality.\r\nThe remaining commands are present but have a formal implementation in the form of placeholders, lacking actual\r\nfunctionality. The project behind the RAT is definitely based on the BlindingCan source code, as the order of the shared\r\ncommands is largely preserved, even though there may be differences in their indexing.\r\nThe most significant update is mimicked functionality of many native Windows commands like ping, ipconfig, systeminfo,\r\nsc, net, etc. The hardcoded string “The operation completed successfully.”, the standard system message for the\r\nERROR_SUCCESS result, brought us to that idea. Table 2 contains a list of those commands that are implemented in\r\nLightlessCan. 
In previously reported Lazarus attacks, as documented in blogposts by Positive Technologies in April 2021\r\nand HvS Consulting in December 2020, these native commands are often executed in many instances after the attackers\r\nhave gotten a foothold in the target’s system. However, in this case, these commands are executed discreetly within the RAT\r\nitself, rather than being executed visibly in the system console. This approach offers a significant advantage in terms of\r\nstealthiness, both in evading real-time monitoring solutions like EDRs, and postmortem digital forensic tools. The internal\r\nversion number (1.0) indicates that this represents a new development effort by the attackers.\r\nAs the core utilities of Windows are proprietary and not open-source, the developers of LightlessCan faced a choice: either\r\nto reverse engineer the closed-source system binaries or to get inspired by the code available via the Wine project, where\r\nmany programs are rewritten in order to mimic their execution on other platforms like Linux, macOS, or ChromeOS. We are\r\ninclined to believe the developers chose the first option, as the corresponding Wine programs they mimicked in\r\nLightlessCan were implemented a little bit differently or not at all (e.g., netsh).\r\nInterestingly, in one of the cases we analyzed, the LightlessCan payload is stored in an encrypted file on the compromised\r\nmachine, which can only be decrypted using an environment-dependent key. More details about this can be found in the\r\nExecution chain 3: LightlessCan (complex version) section. This is to ensure that the payload can only be decrypted on the\r\ncomputer of the intended victim and not, for example, on a device of a security researcher.\r\nTable 2. 
The list of LightlessCan commands mimicking those for Windows prompt\r\nIndex Description\r\n33 Mimic the ipconfig command from the Windows command prompt; see Figure 4.\r\n34 Mimic the net command from the Windows prompt; see Figure 5.\r\n35 Mimic the netsh advfirewall firewall command from the Windows prompt; see Figure 6.\r\n36 Mimic the netstat command from the Windows prompt.\r\n37 Mimic the ping -6 command from the Windows prompt.\r\n38 Mimic the reg command from the Windows prompt; see Figure 7.\r\n39 Mimic the sc command from the Windows prompt; see Figure 8.\r\n40 Mimic the ping command from the Windows prompt.\r\n41 Mimic the tasklist command from the Windows prompt.\r\n42 Mimic the wmic process call create command from the Windows prompt; see Figure 9.\r\n43 Mimic the nslookup command from the Windows Server prompt.\r\n44 Mimic the schtasks command from the Windows prompt; see Figure 10.\r\n45 Mimic the systeminfo command from the Windows prompt.\r\n46 Mimic the arp command from the Windows prompt.\r\n47 Mimic the mkdir command from the Windows prompt.\r\nFigure 4. Hardcoded strings revealing the subset of the ipconfig functionality\r\nFigure 5. Hardcoded strings revealing the subset of the net functionality\r\nFigure 6. Hardcoded strings revealing the netsh firewall functionality\r\nFigure 7. Hardcoded strings revealing the (partial) reg functionality\r\nFigure 8. Hardcoded strings revealing the (partial) sc functionality\r\nFigure 9. Hardcoded strings revealing the wmic process call create functionality\r\nFigure 10. 
Hardcoded strings revealing the (partial) schtasks functionality\r\nFurthermore, an examination of the RAT’s internal configuration suggests that, in comparison to BlindingCan, Lazarus\r\nincreased the code sophistication in LightlessCan.\r\nTechnical analysis\r\nIn this section, we provide technical details about the compromise chain that delivers the NickelLoader downloader, and the\r\nthree execution chains Lazarus used to deliver its payloads on the compromised system.\r\nCompromise chain: NickelLoader\r\nNickelLoader is an HTTP(S) downloader executed on the compromised system via DLL side-loading, which is later used to\r\ndeliver other Lazarus payloads.\r\nThe process of delivering NickelLoader unfolds in a series of stages, commencing with the execution of\r\nPresentationHost.exe, which is triggered automatically after the target manually executes the initial quiz challenges; the\r\nQuiz1 case is depicted in Figure 3. A malicious dynamically linked library, mscoree.dll, is then side-loaded by the legitimate\r\nPresentationHost.exe – both located in C:\\ProgramShared\\. This DLL is a trojanized NppyPluginDll.dll, from the inactive\r\nGeneral Python Plugins DLL for Notepad++ project from 2011. It serves as a dropper and has various exports: all the\r\nexports copied from the original NppyPluginDll.dll plus all the exports from the legitimate mscoree.dll. One of these\r\nlegitimate exports, CorExitProcess, contains the malicious code responsible for the decryption and execution of the next\r\nmalware stage.\r\nTo successfully decrypt an encrypted data array embedded in the dropper, three 16-character-long keywords are required by\r\nthe dropper. These keywords are as follows:\r\n1. the name of the parent process (PresentationHost),\r\n2. 
the internal parameter hardcoded in the binary (9zCnQP6o78753qg8), and\r\n3. the external parameter passed on the command line (‑embeddingObject), which is inherited from the parent process\r\nof PresentationHost.exe, being provided by Quiz1.exe or Quiz2.exe.\r\nThe keywords are XOR-ed byte by byte and the output forms the AES-128 decryption key.\r\nThe payload is an HTTP(S) downloader that recognizes four commands, all five letters long, shown in Table 3. Because of\r\nthose five letter commands, we chose to name this payload “NickelLoader”, drawing inspiration from the colloquial term for\r\nthe US five-cent coin – a nickel. The most important commands are avdrq and gabnc. When these commands are issued,\r\neach of them loads data received from the C\u0026C server as a DLL. For this purpose, the attackers probably used\r\nMemoryModule, a library that can be used to load a DLL completely from memory.\r\nTable 3. The list of magic keywords recognized in received buffers\r\nKeyword Description\r\nabcde\r\nRequests another immediate command without the usual long sleep delay that separates the execution of\r\nthe commands.\r\navdrq Loads a DLL contained in the received buffer and executes its hardcoded export info.\r\ngabnc Loads a DLL contained in the received buffer.\r\ndcrqv Terminates itself.\r\nExecution chain 1: miniBlindingCan\r\nOne of the payloads downloaded and executed by NickelLoader is miniBlindingCan, a simplified version of the group’s\r\nflagship BlindingCan RAT. It was reported for the first time by Mandiant in September 2022, under the name AIRDRY.V2.\r\nTo load miniBlindingCan, a 64-bit malicious dynamically linked library colorui.dll is side-loaded by a legitimate\r\ncolorcpl.exe executed from C:\\ProgramData\\Adobe\\ and serves as a dropper. The DLL is obfuscated using VMProtect and\r\ncontains thousands of exports from which LaunchColorCpl is the most important, as it handles the execution of the next\r\nstage. 
There’s an encrypted data array in the DLL’s dumped body, together with multiple debug symbols revealing the root\r\ndirectory and the project from which it was built:\r\nW:\\Develop\\aTool\\ShellCodeLoader\\App\\libressl-2.6.5\\\r\nAs the name ShellCodeLoader suggests, the main purpose of this initial stage is to decrypt and load the data array from its\r\nbody, which contains shellcode. At the beginning of its execution, ShellCodeLoader employs anti-debugging techniques by\r\ninspecting the BeingDebugged value within the Process Environment Block (PEB) structure to determine if it’s being\r\nscrutinized or analyzed by debugging tools, and utilizes anti-sandbox techniques to avoid detection within sandboxed\r\nenvironments designed for security analysis. The malware also explicitly checks whether its parent process is colorcpl.exe;\r\nif not, it exits immediately.\r\nThe decrypted data array is not a complete DLL, but forms an intermediate blob with two parts: shellcode followed by\r\nanother encrypted data array, which represents the last step of the chain. The shellcode seems to be produced by an instance\r\nof the open-source project ShellcodeRDI – in particular, the ShellcodeRDI.c code. It was probably produced by executing\r\nthe Python script ConvertToShellcode.py from this project on a payload DLL acting as a source for reflective DLL injection.\r\nThe final payload is extracted and decrypted using XOR with a long key, which is a string built by concatenating the name\r\nof the parent process (colorcpl.exe), the filename of the dropper (colorui.dll), and the external command line parameter – in\r\nthis case resulting in COLORCPL.EXECOLORUI.DLL669498484488D3F22712CC5BACA6B7A7. 
This process is akin to\r\nwhat we observed with the BlindingCan backdoor in the Dutch case we previously described in this WeLiveSecurity blogpost.\r\nThe decryption reveals an executable with download-and-execute functionality, whose internal logic of sending and parsing\r\ncommands is strongly reminiscent of BlindingCan, a flagship HTTP(S) Lazarus RAT. Unlike the case in the Netherlands, it\r\nis not VMProtect-ed and it supports only a small subset of commands available previously: compare Table 4 in this blogpost\r\nand Table 3 in the blogpost on the Dutch case from September 2022. Because the features of this RAT are notably scaled\r\ndown compared to those in BlindingCan, and yet they seem to share the same server-side infrastructure, we have chosen to\r\ndistinguish it by adding the prefix “mini-” to its name, highlighting its reduced functionality compared to its fully-featured RAT counterpart.\r\nTable 4. Commands of miniBlindingCan\r\nCommand ID Description\r\n8201 Send system information like computer name, Windows version, and code page.\r\n8232 Update the current communication interval with a value provided by the C\u0026C server.\r\n8233 Discontinue the command execution.\r\n8241 Send the current configuration of size 9,392 bytes to the C\u0026C server.\r\n8242 Update the configuration of size 9,392 bytes, stored encrypted on the file system.\r\n8247 Wait for the next command.\r\n8248 Update the current communication interval with a value stored in the configuration.\r\n8274 Download and decrypt a file from the C\u0026C server.\r\n8279 Execute shellcode passed as a parameter.\r\nFigure 11 shows the decrypted state of a 9,392-byte-long configuration embedded in the RAT. It contains five URLs, in this\r\ncase compromised websites, each limited by a maximum size of 260 wide characters.\r\nFigure 11. 
A configuration of the miniBlindingCan backdoor. The highlighted value is the count of URLs, but\r\nonly the first and the last of the five URLs are shown here. The purpose of the last two wide strings is not\r\nknown\r\nExecution chain 2: LightlessCan (simple version)\r\nAnother payload we have seen executed by NickelLoader is LightlessCan, a new Lazarus backdoor. We have observed two\r\ndifferent chains loading this backdoor.\r\nIn the simple version of the chain, the dropper of this payload is the malicious dynamically linked library mapistub.dll that is\r\nside-loaded by the legitimate fixmapi.exe executed from C:\\ProgramData\\Oracle\\Java\\. The DLL is a trojanized Lua plugin,\r\nversion 1.4, with all the exports copied from the legitimate Windows mapi32.dll. The export FixMAPI contains malicious\r\ncode responsible for decrypting and loading the next stage; all the other exports contain benign code sourced from a publicly\r\navailable MineSweeper sample project. This mapistub.dll dropper has persistence established via a scheduled task.\r\nUnfortunately, we lack additional details about this task, except that its parent process appears as\r\n%WINDOWS%\\system32\\svchost.exe -k netsvcs -p -s Schedule.\r\nTo successfully decrypt the embedded data array, the dropper needs three keywords to be provided correctly:\r\n1. the name of the parent process (fixmapi.exe),\r\n2. the internal parameter hardcoded in the binary (IP7pdINfE9uMz63n), and\r\n3. the external parameter passed in the command line (AudioEndpointBuilder).\r\nThe keywords are XOR-ed byte by byte and the output forms a 128-bit AES key to be used for decryption. 
Note that the\r\nlengths of the keywords are not all exactly 16 bytes, but the decryption process will still work if the oversized string is\r\ntruncated to a 16-byte length (for instance, AudioEndpointBuilder to AudioEndpointBui), and the undersized string,\r\nfixmapi.exe, is treated as fixmapi.exe\\x00\\x00\\x00\\x00\\x00, because the string was initialized as 260 instances of the NUL\r\ncharacter.\r\nExecution chain 3: LightlessCan (complex version)\r\nThe most complex chain we observed on the compromised system also delivers LightlessCan, with various components\r\ninvolved in the complete chain of installation stages: a legitimate application, an initial dropper, a complete dropper (which\r\ncontains the configuration), an intermediate dropper, a configuration file, a file with system information (for the decryption\r\nof encrypted payloads on the file system), an intermediate loader and the final step, the LightlessCan RAT. The connections\r\nand relationships among these files are illustrated in Figure 12.\r\nFigure 12. A complex chain of stages delivering the fourth payload\r\nThe initial dropper of the fourth chain is a malicious dynamically linked library HID.dll that is side-loaded by a legitimate\r\nexecutable, tabcal.exe, executed from C:\\ProgramData\\Adobe\\ARM\\. The DLL is a trojanized version of MZC8051.dll, a\r\nlegitimate file from the 8051 C compiler plugin project for Notepad++. It contains all the exports from the original project,\r\nbut also the necessary exports from the legitimate Hid User Library by Microsoft, so that the side-loading by tabcal.exe will\r\nbe successful. 
The export HidD_GetHidGuid contains the malicious code responsible for dropping the next stage and, as in\r\nthe case of the dropper of the previous chain (Execution chain 2), all the other exports contain the benign MineSweeper\r\ncode.\r\nAs in the previous cases, three long keywords must be provided to decrypt the embedded payload:\r\n1. the name of the parent process (tabcal.exe),\r\n2. the internal parameter hardcoded in the binary (9zCnQP6o78753qg8), and\r\n3. the external parameter (LocalServiceNetworkRestricted) – this time not expressed as a command line parameter, but\r\ninstead as the content of a file located at %WINDOWS%\\system32\\thumbs.db.\r\nAgain, the keywords are XOR-ed byte by byte and the output forms a 128-bit AES key to be used for the decryption. As in\r\nthe previous case, the lengths of the keywords are not all exactly 16 bytes, but the decryption will still work if the oversized\r\nstring is truncated (for instance, to LocalServiceNetw) and the undersized string is extended with nulls (for instance, to\r\ntabcal.exe\\x00\\x00\\x00\\x00\\x00\\x00).\r\nThe executable produced by the above recipe is the complete dropper from Figure 12 and has the InternalName resource\r\nAppResolver.dll (found in the VERSIONINFO resource). It contains two encrypted data arrays: a small one of 126 bytes,\r\nand a large one of 1,807,464 bytes (which contains three subparts). First, it decrypts the small array using the RC6 algorithm\r\nwith the hardcoded 256-bit key DA 48 A3 14 8D BF E2 D2 EF 91 12 11 FF 75 59 A3 E1 6E A0 64 B8 78 89 77 A0 37 91 58\r\n5A FF FF 07. 
The output represents paths to which the first two subparts of the large blob are dropped (i.e., LightlessCan\r\nand the intermediate dropper), and yields the strings C:\\windows\\system32\\oci.dll and C:\\windows\\system32\\grpedit.dat.\r\nNext, it continues with decrypting the second data array – the large blob – using the same encryption key as before. The\r\nresult is a decrypted blob containing three subparts: a DLL corresponding to grpedit.dat (LightlessCan), a DLL\r\ncorresponding to oci.dll (the intermediate dropper), and a 14,948 byte encrypted file dropped to\r\n%WINDOWS%\\System32\\wlansvc.cpl (configuration); as depicted in Figure 13.\r\nFigure 13. The decrypted configuration stored in wlansvc.cpl\r\nMoreover, the complete dropper also stores several characteristics identifying the compromised system in the file\r\n%WINDOWS%\\System32\\4F59FB87DF2F, whose name is hardcoded in the binary. These characteristics are primarily\r\nretrieved from the Computer\\HKLM\\HARDWARE\\DESCRIPTION\\System\\BIOS registry path. Here are the specific\r\nvalues of these characteristics, along with a PowerShell command provided in brackets that can be used to display the\r\ncorresponding value on any Windows machine:\r\nSystemBIOSDate (Get-ItemProperty \"HKLM:\\HARDWARE\\Description\\System\\BIOS\" -Name BIOSReleaseDate |\r\nSelect-Object -Property BIOSReleaseDate)\r\nSystemBIOSVersion (Get-CimInstance -ClassName Win32_Bios | Select-Object -Property Version)\r\nSystemManufacturer (Get-CimInstance -ClassName Win32_ComputerSystem | Select-Object -Property\r\nManufacturer)\r\nSystemProductName (Get-CimInstance -ClassName Win32_ComputerSystemProduct | Select-Object -Property\r\nName)\r\nIdentifier in\r\nComputer\\HKEY_LOCAL_MACHINE\\HARDWARE\\DESCRIPTION\\System\\MultifunctionAdapter\\0\\DiskController\\0\\DiskPeripheral\\0\r\nThe concatenation of the values is required for decryption of the encrypted grpedit.dat from the file system. 
On a test machine running an image of Windows 10 on VMware, the output can be:\r\n11/12/20INTEL - 6040000VMware, Inc.VMware Virtual Platform656ba047-20b25a2a-A\r\nThe oci.dll file is another dropping layer – the intermediate dropper that drops the intermediate loader, which is a payload similar to the one described in the previously mentioned Dutch case. Again, the attackers used an open-source project, the Flashing Tip plugin for Notepad++, which is no longer available online. Unlike the previous cases, only two long keywords must be provided in order to decrypt the embedded payload successfully using AES-128:\r\n1. the name of the parent process (msdtc.exe), and\r\n2. the internal parameter hardcoded in the binary (fb5XPNCr8v83Y85P).\r\nBoth keywords are XOR-ed byte by byte (the parent process name is truncated, or padded with NULLs, as necessary to fill 16 bytes). The product of the decryption is the intermediate loader (LLTMapperAPI.dll). It uses the system information (the same values as those stored in 4F59FB87DF2F) to decrypt the configuration file wlansvc.cpl and to locate, decrypt, and load the encrypted grpedit.dat, which is LightlessCan, the new full-featured RAT.\r\nConclusion\r\nWe have described a new Lazarus attack that originated on LinkedIn where fake recruiters approached their potential victims, who were using corporate computers for personal purposes. 
Even though public awareness of these types of attacks should be high, the success rates of these campaigns have still not dropped to zero.\r\nThe most worrying aspect of the attack is the new type of payload, LightlessCan, a complex and possibly evolving tool that exhibits a high level of sophistication in its design and operation, representing a significant advancement in malicious capabilities compared to its predecessor, BlindingCan.\r\nThe attackers can now significantly limit the execution traces of their favorite Windows command line programs that are heavily used in their post-compromise activity. This maneuver has far-reaching implications, impacting the effectiveness of both real-time monitoring solutions and post-mortem digital forensic tools.\r\nIoCs\r\nFiles\r\nNetwork\r\nMITRE ATT\u0026CK techniques\r\nThis table was built using version 13 of the MITRE ATT\u0026CK framework.\r\nTactic | ID | Name | Description\r\nReconnaissance | T1593.001 | Search Open Websites/Domains: Social Media | Lazarus attackers used LinkedIn to identify and contact specific employees of a company of interest.\r\nResource Development | T1584.004 | Acquire Infrastructure: Server | Compromised servers were used by the Lazarus HTTP(S) backdoors and the downloader for C\u0026C.\r\nResource Development | T1585.001 | Establish Accounts: Social Media Accounts | Lazarus attackers created a fake LinkedIn identity of a headhunter from Meta.\r\nResource Development | T1585.003 | Establish Accounts: Cloud Accounts | Lazarus attackers had to create an account on a third-party cloud storage in order to deliver the initial ISO images.\r\nResource Development | T1587.001 | Develop Capabilities: Malware | Custom tools from the attack are likely developed by the attackers. 
Some exhibit highly specific kernel development capacities seen earlier in Lazarus tools.\r\nResource Development | T1608.001 | Stage Capabilities: Upload Malware | Lazarus attackers uploaded the initial ISO images to a cloud storage.\r\nInitial Access | T1566.002 | Phishing: Spearphishing Link | The target received a link to a third-party remote storage with malicious ISO images.\r\nInitial Access | T1566.003 | Phishing: Spearphishing via Service | The target was contacted via LinkedIn Messaging.\r\nExecution | T1106 | Native API | Windows APIs are essential for miniBlindingCan and LightlessCan to function and are resolved dynamically at runtime.\r\nExecution | T1053 | Scheduled Task/Job | Based on the parent process, a scheduled task was probably created to trigger the simple chain of the LightlessCan execution.\r\nExecution | T1129 | Shared Modules | NickelLoader can load and execute an arbitrary DLL within memory.\r\nExecution | T1204.002 | User Execution: Malicious File | Lazarus attackers relied on the execution of Quiz1.exe and Quiz2.exe from the ISO files.\r\nExecution | T1047 | Windows Management Instrumentation | One of the LightlessCan commands allows creation of a new process via WMI.\r\nPersistence | T1053 | Scheduled Task/Job | Based on the parent process, a scheduled task was probably created to trigger the simple chain of the LightlessCan execution. Moreover, LightlessCan can mimic the schtasks command.\r\nDefense Evasion | T1134.002 | Access Token Manipulation: Create Process with Token | LightlessCan can create a new process in the security context of the user represented by the specified token and collect the output.\r\nDefense Evasion | T1622 | Debugger Evasion | There’s an anti-debug check in the dropper of miniBlindingCan.\r\nDefense Evasion | T1480 | Execution Guardrails | There’s a parent process check in the miniBlindingCan dropper. The concatenation of the values is required for decryption of the encrypted LightlessCan from the file system.\r\nDefense Evasion | T1140 | Deobfuscate/Decode Files or Information | Many of these Lazarus tools and configurations are encrypted on the file system, e.g., LightlessCan in grpedit.dat and its configuration in wlansvc.cpl.\r\nDefense Evasion | T1574.002 | Hijack Execution Flow: DLL Side-Loading | Many of the Lazarus droppers and loaders use a legitimate program for their loading.\r\nDefense Evasion | T1027.002 | Obfuscated Files or Information: Software Packing | Lazarus obfuscated several executables by VMProtect in this attack, e.g., colorui.dll.\r\nDefense Evasion | T1027.007 | Obfuscated Files or Information: Dynamic API Resolution | Both LightlessCan and miniBlindingCan resolve Windows APIs dynamically.\r\nDefense Evasion | T1027.009 | Obfuscated Files or Information: Embedded Payloads | The droppers of all malicious chains contain an embedded data array with an additional stage.\r\nDefense Evasion | T1562.003 | Impair Defenses: Impair Command History Logging | New features of LightlessCan mimic the most useful Windows command line utilities, to avoid executing the original console utilities.\r\nDefense Evasion | T1562.004 | Impair Defenses: Disable or Modify System Firewall | LightlessCan can mimic the netsh command and interact with firewall rules.\r\nDefense Evasion | T1070.004 | Indicator Removal: File Deletion | LightlessCan has the ability to delete files securely.\r\nDefense Evasion | T1070.006 | Indicator Removal: Timestomp | LightlessCan can alter the modification timestamps of files.\r\nDefense Evasion | T1202 | Indirect Command Execution | LightlessCan bypasses command execution by implementing the functionality of those commands itself.\r\nDefense Evasion | T1055 | Process Injection | LightlessCan and miniBlindingCan use various types of process injection.\r\nDefense Evasion | T1497.003 | Virtualization/Sandbox Evasion: Time Based Evasion | The miniBlindingCan dropper has an intentional initial execution delay.\r\nDefense Evasion | T1620 | Reflective Code Loading | Most of the droppers use reflective DLL injection.\r\nDiscovery | T1083 | File and Directory Discovery | LightlessCan can locate a file by its name.\r\nDiscovery | T1135 | Network Share Discovery | LightlessCan can mimic the net share command.\r\nDiscovery | T1057 | Process Discovery | LightlessCan identifies processes by name.\r\nDiscovery | T1012 | Query Registry | LightlessCan queries the registry for various system information it uses for encryption.\r\nDiscovery | T1018 | Remote System Discovery | LightlessCan can mimic the net view command.\r\nDiscovery | T1016 | System Network Configuration Discovery | LightlessCan can mimic the arp and ipconfig commands.\r\nDiscovery | T1049 | System Network Connections Discovery | LightlessCan can mimic the netstat command.\r\nDiscovery | T1007 | System Service Discovery | LightlessCan can mimic the sc query and tasklist commands.\r\nCommand and Control | T1071.001 | Application Layer Protocol: Web Protocols | NickelLoader, LightlessCan, and miniBlindingCan use HTTP and HTTPS for C\u0026C.\r\nCommand and Control | T1573.001 | Encrypted Channel: Symmetric Cryptography | LightlessCan and miniBlindingCan encrypt C\u0026C traffic using the AES-128 algorithm.\r\nCommand and Control | T1132.001 | Data Encoding: Standard Encoding | LightlessCan and miniBlindingCan encode C\u0026C traffic using base64.\r\nExfiltration | T1041 | Exfiltration Over C2 Channel | 
LightlessCan can exfiltrate data to its C\u0026C server.\r\nSource: https://www.welivesecurity.com/en/eset-research/lazarus-luring-employees-trojanized-coding-challenges-case-spanish-aerospace-company/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia",
		"ETDA"
	],
	"references": [
		"https://www.welivesecurity.com/en/eset-research/lazarus-luring-employees-trojanized-coding-challenges-case-spanish-aerospace-company/"
	],
	"report_names": [
		"lazarus-luring-employees-trojanized-coding-challenges-case-spanish-aerospace-company"
	],
	"threat_actors": [
		{
			"id": "34eea331-d052-4096-ae03-a22f1d090bd4",
			"created_at": "2025-08-07T02:03:25.073494Z",
			"updated_at": "2026-04-10T02:00:03.709243Z",
			"deleted_at": null,
			"main_name": "NICKEL ACADEMY",
			"aliases": [
				"ATK3 ",
				"Black Artemis ",
				"COVELLITE ",
				"CTG-2460 ",
				"Citrine Sleet ",
				"Diamond Sleet ",
				"Guardians of Peace",
				"HIDDEN COBRA ",
				"High Anonymous",
				"Labyrinth Chollima ",
				"Lazarus Group ",
				"NNPT Group",
				"New Romanic Cyber Army Team",
				"Temp.Hermit ",
				"UNC577 ",
				"Who Am I?",
				"Whois Team",
				"ZINC "
			],
			"source_name": "Secureworks:NICKEL ACADEMY",
			"tools": [
				"Destover",
				"KorHigh",
				"Volgmer"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "732597b1-40a8-474c-88cc-eb8a421c29f1",
			"created_at": "2025-08-07T02:03:25.087732Z",
			"updated_at": "2026-04-10T02:00:03.776007Z",
			"deleted_at": null,
			"main_name": "NICKEL GLADSTONE",
			"aliases": [
				"APT38 ",
				"ATK 117 ",
				"Alluring Pisces ",
				"Black Alicanto ",
				"Bluenoroff ",
				"CTG-6459 ",
				"Citrine Sleet ",
				"HIDDEN COBRA ",
				"Lazarus Group",
				"Sapphire Sleet ",
				"Selective Pisces ",
				"Stardust Chollima ",
				"T-APT-15 ",
				"TA444 ",
				"TAG-71 "
			],
			"source_name": "Secureworks:NICKEL GLADSTONE",
			"tools": [
				"AlphaNC",
				"Bankshot",
				"CCGC_Proxy",
				"Ratankba",
				"RustBucket",
				"SUGARLOADER",
				"SwiftLoader",
				"Wcry"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "a2b92056-9378-4749-926b-7e10c4500dac",
			"created_at": "2023-01-06T13:46:38.430595Z",
			"updated_at": "2026-04-10T02:00:02.971571Z",
			"deleted_at": null,
			"main_name": "Lazarus Group",
			"aliases": [
				"Operation DarkSeoul",
				"Bureau 121",
				"Group 77",
				"APT38",
				"NICKEL GLADSTONE",
				"G0082",
				"COPERNICIUM",
				"Moonstone Sleet",
				"Operation GhostSecret",
				"APT 38",
				"Appleworm",
				"Unit 121",
				"ATK3",
				"G0032",
				"ATK117",
				"NewRomanic Cyber Army Team",
				"Nickel Academy",
				"Sapphire Sleet",
				"Lazarus group",
				"Hastati Group",
				"Subgroup: Bluenoroff",
				"Operation Troy",
				"Black Artemis",
				"Dark Seoul",
				"Andariel",
				"Labyrinth Chollima",
				"Operation AppleJeus",
				"COVELLITE",
				"Citrine Sleet",
				"DEV-0139",
				"DEV-1222",
				"Hidden Cobra",
				"Bluenoroff",
				"Stardust Chollima",
				"Whois Hacking Team",
				"Diamond Sleet",
				"TA404",
				"BeagleBoyz",
				"APT-C-26"
			],
			"source_name": "MISPGALAXY:Lazarus Group",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "7d5531e2-0ad1-4237-beed-af009035576f",
			"created_at": "2024-05-01T02:03:07.977868Z",
			"updated_at": "2026-04-10T02:00:03.817883Z",
			"deleted_at": null,
			"main_name": "BRONZE PALACE",
			"aliases": [
				"APT15 ",
				"BRONZE DAVENPORT ",
				"BRONZE IDLEWOOD ",
				"CTG-6119 ",
				"CTG-6119 ",
				"CTG-9246 ",
				"Ke3chang ",
				"NICKEL ",
				"Nylon Typhoon ",
				"Playful Dragon",
				"Vixen Panda "
			],
			"source_name": "Secureworks:BRONZE PALACE",
			"tools": [
				"BMW",
				"BS2005",
				"Enfal",
				"Mirage",
				"RoyalCLI",
				"RoyalDNS"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "32a223a8-3c79-4146-87c5-8557d38662ae",
			"created_at": "2022-10-25T15:50:23.703698Z",
			"updated_at": "2026-04-10T02:00:05.261989Z",
			"deleted_at": null,
			"main_name": "Lazarus Group",
			"aliases": [
				"Lazarus Group",
				"Labyrinth Chollima",
				"HIDDEN COBRA",
				"Guardians of Peace",
				"NICKEL ACADEMY",
				"Diamond Sleet"
			],
			"source_name": "MITRE:Lazarus Group",
			"tools": [
				"RawDisk",
				"Proxysvc",
				"BADCALL",
				"FALLCHILL",
				"WannaCry",
				"MagicRAT",
				"HOPLIGHT",
				"TYPEFRAME",
				"Dtrack",
				"HotCroissant",
				"HARDRAIN",
				"Dacls",
				"KEYMARBLE",
				"TAINTEDSCRIBE",
				"AuditCred",
				"netsh",
				"ECCENTRICBANDWAGON",
				"AppleJeus",
				"BLINDINGCAN",
				"ThreatNeedle",
				"Volgmer",
				"Cryptoistic",
				"RATANKBA",
				"Bankshot"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "f32df445-9fb4-4234-99e0-3561f6498e4e",
			"created_at": "2022-10-25T16:07:23.756373Z",
			"updated_at": "2026-04-10T02:00:04.739611Z",
			"deleted_at": null,
			"main_name": "Lazarus Group",
			"aliases": [
				"APT-C-26",
				"ATK 3",
				"Appleworm",
				"Citrine Sleet",
				"DEV-0139",
				"Diamond Sleet",
				"G0032",
				"Gleaming Pisces",
				"Gods Apostles",
				"Gods Disciples",
				"Group 77",
				"Guardians of Peace",
				"Hastati Group",
				"Hidden Cobra",
				"ITG03",
				"Jade Sleet",
				"Labyrinth Chollima",
				"Lazarus Group",
				"NewRomanic Cyber Army Team",
				"Operation 99",
				"Operation AppleJeus",
				"Operation AppleJeus sequel",
				"Operation Blockbuster: Breach of Sony Pictures Entertainment",
				"Operation CryptoCore",
				"Operation Dream Job",
				"Operation Dream Magic",
				"Operation Flame",
				"Operation GhostSecret",
				"Operation In(ter)caption",
				"Operation LolZarus",
				"Operation Marstech Mayhem",
				"Operation No Pineapple!",
				"Operation North Star",
				"Operation Phantom Circuit",
				"Operation Sharpshooter",
				"Operation SyncHole",
				"Operation Ten Days of Rain / DarkSeoul",
				"Operation Troy",
				"SectorA01",
				"Slow Pisces",
				"TA404",
				"TraderTraitor",
				"UNC2970",
				"UNC4034",
				"UNC4736",
				"UNC4899",
				"UNC577",
				"Whois Hacking Team"
			],
			"source_name": "ETDA:Lazarus Group",
			"tools": [
				"3CX Backdoor",
				"3Rat Client",
				"3proxy",
				"AIRDRY",
				"ARTFULPIE",
				"ATMDtrack",
				"AlphaNC",
				"Alreay",
				"Andaratm",
				"AngryRebel",
				"AppleJeus",
				"Aryan",
				"AuditCred",
				"BADCALL",
				"BISTROMATH",
				"BLINDINGCAN",
				"BTC Changer",
				"BUFFETLINE",
				"BanSwift",
				"Bankshot",
				"Bitrep",
				"Bitsran",
				"BlindToad",
				"Bookcode",
				"BootWreck",
				"BottomLoader",
				"Brambul",
				"BravoNC",
				"Breut",
				"COLDCAT",
				"COPPERHEDGE",
				"CROWDEDFLOUNDER",
				"Castov",
				"CheeseTray",
				"CleanToad",
				"ClientTraficForwarder",
				"CollectionRAT",
				"Concealment Troy",
				"Contopee",
				"CookieTime",
				"Cyruslish",
				"DAVESHELL",
				"DBLL Dropper",
				"DLRAT",
				"DRATzarus",
				"DRATzarus RAT",
				"Dacls",
				"Dacls RAT",
				"DarkComet",
				"DarkKomet",
				"DeltaCharlie",
				"DeltaNC",
				"Dembr",
				"Destover",
				"DoublePulsar",
				"Dozer",
				"Dtrack",
				"Duuzer",
				"DyePack",
				"ECCENTRICBANDWAGON",
				"ELECTRICFISH",
				"Escad",
				"EternalBlue",
				"FALLCHILL",
				"FYNLOS",
				"FallChill RAT",
				"Farfli",
				"Fimlis",
				"FoggyBrass",
				"FudModule",
				"Fynloski",
				"Gh0st RAT",
				"Ghost RAT",
				"Gopuram",
				"HARDRAIN",
				"HIDDEN COBRA RAT/Worm",
				"HLOADER",
				"HOOKSHOT",
				"HOPLIGHT",
				"HOTCROISSANT",
				"HOTWAX",
				"HTTP Troy",
				"Hawup",
				"Hawup RAT",
				"Hermes",
				"HotCroissant",
				"HotelAlfa",
				"Hotwax",
				"HtDnDownLoader",
				"Http Dr0pper",
				"ICONICSTEALER",
				"Joanap",
				"Jokra",
				"KANDYKORN",
				"KEYMARBLE",
				"Kaos",
				"KillDisk",
				"KillMBR",
				"Koredos",
				"Krademok",
				"LIGHTSHIFT",
				"LIGHTSHOW",
				"LOLBAS",
				"LOLBins",
				"Lazarus",
				"LightlessCan",
				"Living off the Land",
				"MATA",
				"MBRkiller",
				"MagicRAT",
				"Manuscrypt",
				"Mimail",
				"Mimikatz",
				"Moudour",
				"Mydoom",
				"Mydoor",
				"Mytob",
				"NACHOCHEESE",
				"NachoCheese",
				"NestEgg",
				"NickelLoader",
				"NineRAT",
				"Novarg",
				"NukeSped",
				"OpBlockBuster",
				"PCRat",
				"PEBBLEDASH",
				"PLANKWALK",
				"POOLRAT",
				"PSLogger",
				"PhanDoor",
				"Plink",
				"PondRAT",
				"PowerBrace",
				"PowerRatankba",
				"PowerShell RAT",
				"PowerSpritz",
				"PowerTask",
				"Preft",
				"ProcDump",
				"Proxysvc",
				"PuTTY Link",
				"QUICKRIDE",
				"QUICKRIDE.POWER",
				"Quickcafe",
				"QuiteRAT",
				"R-C1",
				"ROptimizer",
				"Ratabanka",
				"RatabankaPOS",
				"Ratankba",
				"RatankbaPOS",
				"RawDisk",
				"RedShawl",
				"Rifdoor",
				"Rising Sun",
				"Romeo-CoreOne",
				"RomeoAlfa",
				"RomeoBravo",
				"RomeoCharlie",
				"RomeoCore",
				"RomeoDelta",
				"RomeoEcho",
				"RomeoFoxtrot",
				"RomeoGolf",
				"RomeoHotel",
				"RomeoMike",
				"RomeoNovember",
				"RomeoWhiskey",
				"Romeos",
				"RustBucket",
				"SHADYCAT",
				"SHARPKNOT",
				"SIGFLIP",
				"SIMPLESEA",
				"SLICKSHOES",
				"SORRYBRUTE",
				"SUDDENICON",
				"SUGARLOADER",
				"SheepRAT",
				"SierraAlfa",
				"SierraBravo",
				"SierraCharlie",
				"SierraJuliett-MikeOne",
				"SierraJuliett-MikeTwo",
				"SimpleTea",
				"SimplexTea",
				"SmallTiger",
				"Stunnel",
				"TAINTEDSCRIBE",
				"TAXHAUL",
				"TFlower",
				"TOUCHKEY",
				"TOUCHMOVE",
				"TOUCHSHIFT",
				"TOUCHSHOT",
				"TWOPENCE",
				"TYPEFRAME",
				"Tdrop",
				"Tdrop2",
				"ThreatNeedle",
				"Tiger RAT",
				"TigerRAT",
				"Trojan Manuscript",
				"Troy",
				"TroyRAT",
				"VEILEDSIGNAL",
				"VHD",
				"VHD Ransomware",
				"VIVACIOUSGIFT",
				"VSingle",
				"ValeforBeta",
				"Volgmer",
				"Vyveva",
				"W1_RAT",
				"Wana Decrypt0r",
				"WanaCry",
				"WanaCrypt",
				"WanaCrypt0r",
				"WannaCry",
				"WannaCrypt",
				"WannaCryptor",
				"WbBot",
				"Wcry",
				"Win32/KillDisk.NBB",
				"Win32/KillDisk.NBC",
				"Win32/KillDisk.NBD",
				"Win32/KillDisk.NBH",
				"Win32/KillDisk.NBI",
				"WinorDLL64",
				"Winsec",
				"WolfRAT",
				"Wormhole",
				"YamaBot",
				"Yort",
				"ZetaNile",
				"concealment_troy",
				"http_troy",
				"httpdr0pper",
				"httpdropper",
				"klovbot",
				"sRDI"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434193,
	"ts_updated_at": 1775792299,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/e139527bfceae9a06b3cb191103eeb6ed127bda3.pdf",
		"text": "https://archive.orkl.eu/e139527bfceae9a06b3cb191103eeb6ed127bda3.txt",
		"img": "https://archive.orkl.eu/e139527bfceae9a06b3cb191103eeb6ed127bda3.jpg"
	}
}