{
	"id": "7d34295c-aae1-4494-83c0-8a9a8e3ab2d5",
	"created_at": "2026-04-06T00:11:38.673467Z",
	"updated_at": "2026-04-10T13:12:22.294131Z",
	"deleted_at": null,
	"sha1_hash": "fcab9d88011a77a420dd7c8ac4ab068e555bad67",
	"title": "Taiwan Heist: Lazarus Tools and Ransomware",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 414301,
	"plain_text": "Taiwan Heist: Lazarus Tools and Ransomware\r\nArchived: 2026-04-05 12:44:19 UTC\r\nWritten by Sergei Shevchenko, Hirman Muhammad bin Abu Bakar, and James Wong\r\nBACKGROUND\r\nReports emerged just over a week ago of a new cyber-enabled bank heist in Asia. Attackers targeting Far Eastern\r\nInternational Bank (FEIB), a commercial firm in Taiwan, moved funds from its accounts to multiple overseas\r\nbeneficiaries. In a story which reminds us of the Bangladesh Bank case – the culprits had compromised the bank’s\r\nsystem connected to the SWIFT network and used this to perform the transfers.\r\nIn recent days, various malware samples have been uploaded to malware repositories which appear to originate from\r\nthe intrusion. These include both known Lazarus group tools, as well as a rare ransomware variant called ‘Hermes’\r\nwhich may have been used as a distraction or cover-up for the security team whilst the heist was occurring.\r\nThe timeline below provides an overview of the key events:\r\nLittle information is available at present about when or how the attackers compromised the bank, but it is likely more\r\ndetails will emerge in the coming weeks. This blogpost seeks to summarise what is in the public domain at the\r\nmoment, as well as analyse the samples uploaded to malware repositories.\r\nANALYSIS\r\nSeveral files have been uploaded to malware databases which appear to be related to this attack, including an archive\r\ntitled “FEIB_Samples” submitted from Taiwan on 12th Oct 2017. 
These and other samples are listed below:\r\n# | MD5 | Filenames | Submitted From | First Seen | Compile Time\r\n1 | 9563e2f443c3b4e1b00f25be0a30d56e | FEIB_Samples_pwd(Virus).zi_ | TW | 2017-10-12 02:50:16 | N/A\r\n2 | d08f1211fe0138134e822e31a47ec5d4 | bitsran.exe | TW | 2017-10-03 01:01:31 | 2017-10-01 15:37:31\r\n3 | b27881f59c8d8cc529fa80a58709db36 | RSW7B37.tmp | - | 2017-10-03 01:01:37 | 2017-10-01 11:34:07\r\n4 | 3c9e71400b72cc0213c9c3e4ab4df9df | msmpeng.exe | US | 2017-10-07 08:58:00 | 2017-02-20 11:09:30\r\n5 | 0edbad9e6041d43f97c7369439a40138 | FileTokenBroker.dll | TW | 2017-10-12 02:50:15 | 2017-01-05 01:11:33\r\n6 | 97aaf130cfa251e5207ea74b2558293d | splwow32.exe | TW | 2017-10-12 02:50:15 | 2017-02-20 11:09:30\r\n7 | 62217af0299d6e241778adb849fd2823 | N/A | GB | 2017-10-08 03:32:47 | 2017-09-21 09:27:43\r\n8 | 0dd7da89b7d1fe97e669f8b4156067c8 | N/A | MY | 2017-03-14 02:13:01 | 2017-03-06 17:32:58\r\n9 | 61075faba222f97d3367866793f0907b | N/A | MY | 2017-02-16 03:25:00 | 2017-02-10 15:03:30\r\nhttps://baesystemsai.blogspot.com/2017/10/taiwan-heist-lazarus-tools.html\r\nPage 1 of 11\n\nFile #1 is the ZIP file containing samples #2-6 inside. Samples #2-4 were also separately uploaded by users in Taiwan\r\nand the US on the dates given above.\r\nSamples #7-9 are older versions of the Hermes ransomware.\r\nMalware Analysis – Sample #2, Bitsran loader / spreader\r\nSample #2 is designed to run and spread a malicious payload on the victim's network. 
On execution, the malware\r\nplaces a copy of itself into the location:\r\nC:\\Windows\\Temp\\bitsran.exe\r\nNext, the file establishes a persistence mechanism with the registry key:\r\nHKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\r\nIt sets the value of ‘BITSRAN’ to point to the executable in the Temp location above.\r\nThe malware then enumerates all processes, searching for specific anti-virus processes and attempts to kill these using\r\nthe command line tool taskkill.\r\nProcess Name | Process Description\r\ntmbmsrv.exe | Trend Micro Unauthorized Change Prevention Service\r\ntmccsf.exe | Trend Micro OfficeScan Common Client Solution Framework\r\ncntaosmgr.exe | Trend Micro OfficeScan Add-on Service Client Management Service\r\nntrtscan.exe | Trend Micro OfficeScan NT RealTime Scan\r\npccntmon.exe | Trend Micro OfficeScan Antivirus real-time scan monitor\r\ntmlisten.exe | Trend Micro OfficeScan NT Listener\r\ntmpfw.exe | Trend Micro OfficeScan NT Firewall\r\nNext, the process attempts to find an embedded ‘IMAGE’ resource with offset #110. If successful, this file is loaded\r\ninto memory. When manually extracting this file, it can be seen to represent a pixelated bitmap (BMP) file.\r\nHowever, further investigation reveals that the file is what is known as a ‘Polyglot’ file, whereby a file is contained\r\nwithin another file. Using a HEX viewer, it is possible to see that this file also contains a ZIP file (beginning at the\r\n‘PK’ header), with the pixelated image above simply rendering the bytes of that embedded file as RGB values.\r\nThe contents of this resource are decompressed from offset 54, with the last 4 bytes of the file specifying the ZIP’s file\r\nsize in bytes. When successfully decrypted, the file is saved into the same directory as the initial executable. 
This takes\r\nthe filename ‘RSWXXXX.tmp’, where ‘XXXX’ is randomly generated through the GetTempFileName function. Once\r\nwritten to disk, the file is launched as a new process through the CreateProcess function. Sample #3 (RSW7B37.tmp) is an example\r\nof this file.\r\nWhilst this additional payload is executing, the initial malware attempts to copy itself to other devices on the network.\r\nTwo user accounts are hardcoded into the malware, and are used to establish connections to the C$ SMB shares on\r\nWindows devices. These are the accounts:\r\nAccount Name | Account Password\r\nFEIB\\SPUSER14 | #ED{REMOVED}\r\nFEIB\\scomadmin | !it{REMOVED}\r\nBoth accounts clearly relate to FEIB, though we couldn’t confirm whether the credentials are valid or not. The\r\nSPUSER14 may be a SharePoint user account whilst scomadmin likely corresponds to a System Center Operations\r\nManager admin – an account for managing machines in a data centre.\r\nInstead of enumerating all devices on the network, the malware iterates through a hardcoded list of 5357 IP addresses,\r\nin the ranges:\r\n• 10.49.*\r\n• 10.50.*\r\n• 10.51.*\r\n• 10.59.*\r\nIt is assumed that previous reconnaissance was conducted by the actors on the internal network to identify active and\r\nresponding devices, as well as capturing admin credentials for the network.\r\nIf a device successfully responds to an SMB packet on port 445, the malware copies itself to the C$ network share\r\nusing the provided credentials, writing the file to the location:\r\nC:\\Windows\\Temp\\bitsran.exe\r\nIf successful, a further command is executed using the same credentials, to create a scheduled task on the remote\r\ndevice with the name ‘BITSRAN’. 
The full command executed is:\r\ncmd.exe /c schtasks /create /tn “BITSRAN” /tr /s /u /p /st 00:00 /et 23:59 /sc minute /mo 1 /ru system /f\r\nMalware Analysis – Sample #3, Dropped file / Hermes Ransomware\r\nThe dropped file is a variant of the Hermes ransomware.\r\nThe ransomware calls GetSystemDefaultLangID() to obtain the language identifier for the system locale. It contains a list\r\nof three system language codes: 0x0419 (Russian), 0x0422 (Ukrainian), and 0x0423 (Belarusian). However, it\r\nonly checks against the last two, and, if matching, the malware quits. Whether this is a false flag or not is unknown.\r\nThe ransomware deletes the Volume Shadow Copies (a type of backup on Windows), using the command:\r\nvssadmin Delete Shadows /all /quiet\r\nFollowing that, it deletes all VSS (Volume Shadow Copy Service) backup files (which include System Restore files)\r\nand orphaned shadows, by running the commands below for each of the drives C:, D:, E:, F:, G:, and H:\r\nvssadmin resize shadowstorage /for=%DRIVE% /on=%DRIVE% /maxsize=401MB\r\nvssadmin resize shadowstorage /for=%DRIVE% /on=%DRIVE% /maxsize=unbounded\r\nThe trick above is called \"pulling the carpet\", as it forces Windows to voluntarily dump all shadows due to lack of\r\nspace.\r\nThe ransomware then recursively deletes all backup files from the drives C:, D:, E:, F:, G:, and H: having\r\nthe following extensions:\r\n• *.VHD\r\n• *.bac\r\n• *.bak\r\n• *.wbcat\r\n• *.bkf\r\n• Backup*.*\r\n• backup*.*\r\n• *.set\r\n• *.win\r\n• *.dsk\r\nUsing the Windows CryptoAPI, the malware creates an exchange key pair, and then exports the 2,048-bit public\r\nRSA key into an external file called PUBLIC.\r\nThe ransomware then enumerates both local and network resources, and encrypts files using the AES-256 algorithm.\r\nEach encrypted directory will have a ransom note left in it:\r\nHERMES 2.1 RANSOMWARE radical edition\r\nAll your 
important files are encrypted\r\nYour files has been encrypted using RSA2048 algorithm with unique public-key stored on your PC.\r\nThere is only one way to get your files back: contact with us, pay, and get decryptor software.\r\nYou have \"UNIQUE_ID_DO_NOT_REMOVE\" file on your desktop also it duplicated in some folders,\r\nits your unique idkey, attach it to letter when contact with us. Also you can decrypt 3 files for test.\r\nWe accept Bitcoin, you can find exchangers on https://www.bitcoin.com/buy-bitcoin and others.\r\nContact information: BM-2cVcZL1xfve1yGGKwEBgG1ge6xJ5PYGfGw@bitmessage.ch\r\nreserve: BM-2cT4U1vBdjfqKDeWMEXgCWs9SfnMK1GLTF@bitmessage.ch\r\nMalware Analysis – Samples #4 and #6, Lazarus malware\r\nSample #4 (msmpeng.exe) is packed with Themida to hamper analysis under a debugger, a monitoring application, or\r\na virtual machine.\r\nOnce fully unpacked in memory, it appears to be an x86 variant of the fdsvc.dll backdoor described in our\r\nFebruary blogpost “Lazarus’ False Flag Malware”. This malware was discovered on networks in Poland and Mexico,\r\nfollowing a series of watering-hole attacks.\r\nJust like before, the backdoor uses several transliterated Russian words to either indicate the state of its\r\ncommunication or issue backdoor commands:\r\nState/Command | Translation from Russian | Meaning\r\nNachalo | beginning | start communication session\r\nustanavlivat | to set | handshake state\r\npoluchit | to receive | receive data\r\npereslat | to send | send data\r\nderzhat | to maintain | maintain communication session\r\nvykhodit | to exit | exit communication session\r\nkliyent2podklyuchit | client to connect | client is ready to connect\r\nSample #6 (splwow32.exe) is the same backdoor, only it’s not packed.\r\nBoth samples #4 and #6 have the same time stamp: 20 February 2017, 11:09:30. 
It appears that sample #6 was actually\r\nobtained by packing sample #4 with Themida (potentially, to avoid detection), as the code/data found in both samples is\r\nidentical.\r\nThe backdoor expects a command-line parameter that specifies the remote C\u0026C address and port number. If it is executed\r\nwith no command-line parameters, it quits.\r\nThe specified command-line parameter is decrypted, using some basic character manipulations and applying XOR\r\nwith two keys:\r\n0x517A4563 (“QzEc”)\r\n0x77506F66 (“wPof”)\r\nThe decrypted string is expected to delimit the C\u0026C address and port number with the “:” character. Multiple C\u0026Cs\r\ncan be delimited with the “|” character.\r\nIf the backdoor finds no valid pair of C\u0026C address and port number delimited with the “:” character, it quits.\r\nOtherwise, it starts polling the remote C\u0026C for a remote task to execute. Each polling attempt starts from the state\r\n“Nachalo” (“start communication session”), with a 3 second delay between each attempt to connect to the C\u0026C.\r\nEach connection attempt starts from a state called “kliyent2podklyuchit” (“client is ready to connect”).\r\nIf the backdoor fails to connect five times, or if it connects but the task it receives is “vykhodit” (“exit\r\ncommunication session”), then the backdoor will quit. Otherwise, it will execute the remote command, effectively\r\ngiving the attackers full control over the compromised system. After the execution, the polling cycle continues.\r\nMalware Analysis – Sample #5\r\nFileTokenBroker.dll is a DLL, installed as a service under the svchost.exe (netsvcs) service host.\r\nOnce loaded as a service DLL, the DLL's export ServiceMain() is called. 
The DLL then constructs a file name that\r\nconsists of the host process name, formatted as:\r\n%SYSTEM%\\en-US\\[HOST_PROCESS_NAME_NO_EXTENSION].dll.mui\r\nFor example, if the DLL is loaded into the address space of svchost.exe, the constructed filename will be:\r\nc:\\windows\\system32\\en-US\\svchost.dll.mui\r\nAnother possible name is:\r\nc:\\windows\\system32\\en-US\\netsvc.dll.mui\r\nThe DLL then reads this file, and decrypts it with a running XOR mask. Once decrypted, it further reads an RC4 key\r\nfrom it, and decrypts the remaining content with the RC4 algorithm.\r\nThe decrypted file will contain a hash, so the DLL checks the hash as well to make sure the integrity of the decrypted\r\nfile is intact.\r\nA fully decrypted file is then parsed as a PE file, and loaded as a DLL.\r\nHence, FileTokenBroker.dll decrypts and executes a payload that is created by an external dropper or is implanted\r\nby the attackers.\r\nThe %SYSTEM%\\en-US directory will have multiple system files in it, so it is chosen to blend the encrypted payload file\r\nwith the other legitimate system files. Unlike the other *.dll.mui files in the %SYSTEM%\\en-US directory, which are MZ files,\r\nthe encrypted payload is not an MZ file.\r\nMalware Analysis – Samples #7, #8, and #9, Further Hermes malware\r\nSamples #7, #8, and #9 relate to previous instances of Hermes ransomware.\r\nMalware of this category is typically widespread, but in the case of Hermes it seems relatively rare. This is suspicious\r\nin itself and reminds us of WannaCry – another rarely observed ransomware. 
Further analysis is ongoing to\r\nunderstand the history of this malware variant.\r\nTransactions\r\nThrough working with trusted partners, we have been able to get insight into the transactions made as part of the heist.\r\nThe transactions consisted of two common SWIFT message types, MT103 and MT202COV.\r\nMT103 messages are used for normal cross-border cash transfers which would typically request funds be transferred\r\ninto a personal or company beneficiary account. MT103 messages can be used on their own, or can be coupled with a\r\ncover message; MT202COV is used to order the movement of funds to the beneficiary institution via another financial\r\ninstitution/Intermediary Bank.\r\nIn this heist the attackers created MT103 messages to transfer funds to Cambodia, the US, and Sri Lanka. In addition\r\nto the MT103 messages, the attackers created MT202COV messages; the content of these messages was syntactically\r\ncorrect but the values in specific fields were wrong. As a result, they were received by the intermediary bank but had\r\nno further influence on the funds transferred to the beneficiary accounts.\r\nReports of $60M being stolen appear to be due to confusion over these latter messages, and the amounts actually\r\nstolen were considerably lower. Most of these appear to have been recovered.\r\nFurther details of the destination accounts within Sri Lanka have emerged in open source. The money had been\r\ntransferred to the Bank of Ceylon in Sri Lanka on 3 October. The following day, an individual in Sri Lanka allegedly\r\nwithdrew RS 30m (about $195K). Two days after that, the same individual returned to withdraw a further RS 8m, but\r\nwas arrested when he arrived at the bank. Sri Lankan police have since arrested another individual and a further\r\nsuspect is wanted by Sri Lankan law enforcement.\r\nCONCLUSIONS\r\nIt has been over a year since the last activity on a payments system from the attackers behind the infamous Bangladesh\r\nBank heist. 
Lazarus, the prime suspects, have been busy nonetheless – targeting Bitcoin in various ways, as well as\r\nother intrusions into banks such as in Poland and Mexico (albeit without evidence of targeting payment systems). In\r\none of these cases we and other researchers were able to observe infrastructure in North Korea controlling the malware\r\n– further clues as to the origins of these attackers.\r\nThe attack this month on Taiwanese Far Eastern International Bank has some of the hallmarks of the Lazarus group:\r\n• Destination beneficiary accounts in Sri Lanka and Cambodia – both countries have been used previously as\r\ndestinations for Lazarus’ bank heist activity;\r\n• Use of malware previously seen in Lazarus’ Poland and Mexico bank attacks. Where these files were found\r\nand the context of their use need to be confirmed, but could provide a crucial attributive link;\r\n• Use of unusual ransomware, potentially as a distraction.\r\nDespite their continued success in getting onto payment systems in banks, the Lazarus group still struggle to get the\r\ncash in the end, with payments being reversed soon after the attacks are uncovered. The group may be trying new\r\ntricks to disrupt victims and delay their ability to respond – such as different message formats, and the deployment of\r\nransomware across the victim’s network as a smokescreen for their other activity. 
It’s likely they’ll continue their heist\r\nattempts against banks in the coming months and we expect they will evolve their modus operandi to incorporate new\r\nways of preventing victims (and possibly the wider community) from responding.\r\nMore work needs to be done to identify how FEIB was attacked, whether further custom tools were involved, confirm\r\nthe context of the Lazarus malware in the intrusion, and where else this Hermes ransomware has been seen.\r\nAssuming Lazarus are indeed back to targeting bank payment systems, this will serve to emphasize the importance of\r\nthe network hardening and controls frameworks being pushed by the industry at present.\r\nRECOMMENDATIONS\r\nSome general network hardening and monitoring lessons can be taken from this:\r\n• Firewall off SMB (445) for internal computers. If access to this service is required, it should be permitted\r\nonly for those IPs that require access, e.g. 445 is required for SCOM to push an agent install, therefore 445\r\nshould only be allowed from that source server;\r\n• Application blacklisting should be implemented to prevent the use of tools such as vssadmin.exe,\r\ncmd.exe, powershell.exe and similar;\r\n• File Integrity Monitoring should be considered and configured to monitor file creations in “trusted”\r\nlocations such as the System32 directory. This can also be used to monitor deletes, with an alert configured to\r\nfire on excessive deletes in a row;\r\n• Windows Security Event logs should be monitored to capture Scheduled Task creation events – Event ID\r\n4698;\r\n• Registry Auditing should be enabled and monitored to capture any additions to\r\nHKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\Run;\r\n• Excessive use of known administrative privilege accounts should be alerted on – specifically in a “one to\r\nmany” behavioural configuration, i.e. 
is one specific IP connecting to a large number of devices using the same\r\ncredentials in a short period of time;\r\n• Ensure privileged accounts have a complex password that does not include any part of the username, or\r\napplication it relates to.\r\nAdditional longer-term recommendations for financial institutions:\r\n• Practice incident response scenarios which include complex attacks combining covert payment fraud and\r\novert network disruption through ransomware, DDoS, network downtime, etc.\r\n• Ensure that you are progressing towards being able to attest against the SWIFT 27 controls.\r\nFor more information see:\r\nhttp://www.baesystems.com/en/cybersecurity/swift-customer-security-programme\r\nAPPENDIX A – INDICATORS OF ATTACK\r\nMD5 Hashes:\r\nd08f1211fe0138134e822e31a47ec5d4\r\nb27881f59c8d8cc529fa80a58709db36\r\n3c9e71400b72cc0213c9c3e4ab4df9df\r\n0edbad9e6041d43f97c7369439a40138\r\n97aaf130cfa251e5207ea74b2558293d\r\n62217af0299d6e241778adb849fd2823\r\n0dd7da89b7d1fe97e669f8b4156067c8\r\n61075faba222f97d3367866793f0907b\r\nFile / Process name: bitsran.exe\r\nAPPENDIX B – YARA RULE\r\nrule Hermes2_1 {\r\n    meta:\r\n        date = \"2017/10/11\"\r\n        author = \"BAE\"\r\n        hash = \"b27881f59c8d8cc529fa80a58709db36\"\r\n    strings:\r\n        $magic = { 4D 5A }\r\n        // in both version 2.1 and sample in Feb\r\n        $s1 = \"SYSTEM\\\\CurrentControlSet\\\\Control\\\\Nls\\\\Language\\\\\"\r\n        $s2 = \"0419\"\r\n        $s3 = \"0422\"\r\n        $s4 = \"0423\"\r\n        // in version 2.1 only\r\n        $S1 = \"HERMES\"\r\n        $S2 = \"vssadminn\"\r\n        $S3 = \"finishwork\"\r\n        $S4 = \"testlib.dll\"\r\n        $S5 = \"shadowstorageiet\"\r\n        // maybe unique in the file\r\n        $u1 = \"ALKnvfoi4tbmiom3t40iomfr0i3t4jmvri3tb4mvi3btv3rgt4t777\"\r\n        $u2 = \"HERMES2.1TESTBUILD,pressok\"\r\n        $u3 = \"hnKwtMcOadHwnXutKHqPvpgfysFXfAFTcaDHNdCnktA\" // RSA key part\r\n    condition:\r\n        $magic at 0 and all of ($s*) and 3 of ($S*) and 1 of ($u*)\r\n}\r\nSource: https://baesystemsai.blogspot.com/2017/10/taiwan-heist-lazarus-tools.html",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MISPGALAXY",
		"Malpedia",
		"ETDA"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://baesystemsai.blogspot.com/2017/10/taiwan-heist-lazarus-tools.html"
	],
	"report_names": [
		"taiwan-heist-lazarus-tools.html"
	],
	"threat_actors": [
		{
			"id": "34eea331-d052-4096-ae03-a22f1d090bd4",
			"created_at": "2025-08-07T02:03:25.073494Z",
			"updated_at": "2026-04-10T02:00:03.709243Z",
			"deleted_at": null,
			"main_name": "NICKEL ACADEMY",
			"aliases": [
				"ATK3 ",
				"Black Artemis ",
				"COVELLITE ",
				"CTG-2460 ",
				"Citrine Sleet ",
				"Diamond Sleet ",
				"Guardians of Peace",
				"HIDDEN COBRA ",
				"High Anonymous",
				"Labyrinth Chollima ",
				"Lazarus Group ",
				"NNPT Group",
				"New Romanic Cyber Army Team",
				"Temp.Hermit ",
				"UNC577 ",
				"Who Am I?",
				"Whois Team",
				"ZINC "
			],
			"source_name": "Secureworks:NICKEL ACADEMY",
			"tools": [
				"Destover",
				"KorHigh",
				"Volgmer"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "732597b1-40a8-474c-88cc-eb8a421c29f1",
			"created_at": "2025-08-07T02:03:25.087732Z",
			"updated_at": "2026-04-10T02:00:03.776007Z",
			"deleted_at": null,
			"main_name": "NICKEL GLADSTONE",
			"aliases": [
				"APT38 ",
				"ATK 117 ",
				"Alluring Pisces ",
				"Black Alicanto ",
				"Bluenoroff ",
				"CTG-6459 ",
				"Citrine Sleet ",
				"HIDDEN COBRA ",
				"Lazarus Group",
				"Sapphire Sleet ",
				"Selective Pisces ",
				"Stardust Chollima ",
				"T-APT-15 ",
				"TA444 ",
				"TAG-71 "
			],
			"source_name": "Secureworks:NICKEL GLADSTONE",
			"tools": [
				"AlphaNC",
				"Bankshot",
				"CCGC_Proxy",
				"Ratankba",
				"RustBucket",
				"SUGARLOADER",
				"SwiftLoader",
				"Wcry"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "a2b92056-9378-4749-926b-7e10c4500dac",
			"created_at": "2023-01-06T13:46:38.430595Z",
			"updated_at": "2026-04-10T02:00:02.971571Z",
			"deleted_at": null,
			"main_name": "Lazarus Group",
			"aliases": [
				"Operation DarkSeoul",
				"Bureau 121",
				"Group 77",
				"APT38",
				"NICKEL GLADSTONE",
				"G0082",
				"COPERNICIUM",
				"Moonstone Sleet",
				"Operation GhostSecret",
				"APT 38",
				"Appleworm",
				"Unit 121",
				"ATK3",
				"G0032",
				"ATK117",
				"NewRomanic Cyber Army Team",
				"Nickel Academy",
				"Sapphire Sleet",
				"Lazarus group",
				"Hastati Group",
				"Subgroup: Bluenoroff",
				"Operation Troy",
				"Black Artemis",
				"Dark Seoul",
				"Andariel",
				"Labyrinth Chollima",
				"Operation AppleJeus",
				"COVELLITE",
				"Citrine Sleet",
				"DEV-0139",
				"DEV-1222",
				"Hidden Cobra",
				"Bluenoroff",
				"Stardust Chollima",
				"Whois Hacking Team",
				"Diamond Sleet",
				"TA404",
				"BeagleBoyz",
				"APT-C-26"
			],
			"source_name": "MISPGALAXY:Lazarus Group",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "32a223a8-3c79-4146-87c5-8557d38662ae",
			"created_at": "2022-10-25T15:50:23.703698Z",
			"updated_at": "2026-04-10T02:00:05.261989Z",
			"deleted_at": null,
			"main_name": "Lazarus Group",
			"aliases": [
				"Lazarus Group",
				"Labyrinth Chollima",
				"HIDDEN COBRA",
				"Guardians of Peace",
				"NICKEL ACADEMY",
				"Diamond Sleet"
			],
			"source_name": "MITRE:Lazarus Group",
			"tools": [
				"RawDisk",
				"Proxysvc",
				"BADCALL",
				"FALLCHILL",
				"WannaCry",
				"MagicRAT",
				"HOPLIGHT",
				"TYPEFRAME",
				"Dtrack",
				"HotCroissant",
				"HARDRAIN",
				"Dacls",
				"KEYMARBLE",
				"TAINTEDSCRIBE",
				"AuditCred",
				"netsh",
				"ECCENTRICBANDWAGON",
				"AppleJeus",
				"BLINDINGCAN",
				"ThreatNeedle",
				"Volgmer",
				"Cryptoistic",
				"RATANKBA",
				"Bankshot"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "f32df445-9fb4-4234-99e0-3561f6498e4e",
			"created_at": "2022-10-25T16:07:23.756373Z",
			"updated_at": "2026-04-10T02:00:04.739611Z",
			"deleted_at": null,
			"main_name": "Lazarus Group",
			"aliases": [
				"APT-C-26",
				"ATK 3",
				"Appleworm",
				"Citrine Sleet",
				"DEV-0139",
				"Diamond Sleet",
				"G0032",
				"Gleaming Pisces",
				"Gods Apostles",
				"Gods Disciples",
				"Group 77",
				"Guardians of Peace",
				"Hastati Group",
				"Hidden Cobra",
				"ITG03",
				"Jade Sleet",
				"Labyrinth Chollima",
				"Lazarus Group",
				"NewRomanic Cyber Army Team",
				"Operation 99",
				"Operation AppleJeus",
				"Operation AppleJeus sequel",
				"Operation Blockbuster: Breach of Sony Pictures Entertainment",
				"Operation CryptoCore",
				"Operation Dream Job",
				"Operation Dream Magic",
				"Operation Flame",
				"Operation GhostSecret",
				"Operation In(ter)caption",
				"Operation LolZarus",
				"Operation Marstech Mayhem",
				"Operation No Pineapple!",
				"Operation North Star",
				"Operation Phantom Circuit",
				"Operation Sharpshooter",
				"Operation SyncHole",
				"Operation Ten Days of Rain / DarkSeoul",
				"Operation Troy",
				"SectorA01",
				"Slow Pisces",
				"TA404",
				"TraderTraitor",
				"UNC2970",
				"UNC4034",
				"UNC4736",
				"UNC4899",
				"UNC577",
				"Whois Hacking Team"
			],
			"source_name": "ETDA:Lazarus Group",
			"tools": [
				"3CX Backdoor",
				"3Rat Client",
				"3proxy",
				"AIRDRY",
				"ARTFULPIE",
				"ATMDtrack",
				"AlphaNC",
				"Alreay",
				"Andaratm",
				"AngryRebel",
				"AppleJeus",
				"Aryan",
				"AuditCred",
				"BADCALL",
				"BISTROMATH",
				"BLINDINGCAN",
				"BTC Changer",
				"BUFFETLINE",
				"BanSwift",
				"Bankshot",
				"Bitrep",
				"Bitsran",
				"BlindToad",
				"Bookcode",
				"BootWreck",
				"BottomLoader",
				"Brambul",
				"BravoNC",
				"Breut",
				"COLDCAT",
				"COPPERHEDGE",
				"CROWDEDFLOUNDER",
				"Castov",
				"CheeseTray",
				"CleanToad",
				"ClientTraficForwarder",
				"CollectionRAT",
				"Concealment Troy",
				"Contopee",
				"CookieTime",
				"Cyruslish",
				"DAVESHELL",
				"DBLL Dropper",
				"DLRAT",
				"DRATzarus",
				"DRATzarus RAT",
				"Dacls",
				"Dacls RAT",
				"DarkComet",
				"DarkKomet",
				"DeltaCharlie",
				"DeltaNC",
				"Dembr",
				"Destover",
				"DoublePulsar",
				"Dozer",
				"Dtrack",
				"Duuzer",
				"DyePack",
				"ECCENTRICBANDWAGON",
				"ELECTRICFISH",
				"Escad",
				"EternalBlue",
				"FALLCHILL",
				"FYNLOS",
				"FallChill RAT",
				"Farfli",
				"Fimlis",
				"FoggyBrass",
				"FudModule",
				"Fynloski",
				"Gh0st RAT",
				"Ghost RAT",
				"Gopuram",
				"HARDRAIN",
				"HIDDEN COBRA RAT/Worm",
				"HLOADER",
				"HOOKSHOT",
				"HOPLIGHT",
				"HOTCROISSANT",
				"HOTWAX",
				"HTTP Troy",
				"Hawup",
				"Hawup RAT",
				"Hermes",
				"HotCroissant",
				"HotelAlfa",
				"Hotwax",
				"HtDnDownLoader",
				"Http Dr0pper",
				"ICONICSTEALER",
				"Joanap",
				"Jokra",
				"KANDYKORN",
				"KEYMARBLE",
				"Kaos",
				"KillDisk",
				"KillMBR",
				"Koredos",
				"Krademok",
				"LIGHTSHIFT",
				"LIGHTSHOW",
				"LOLBAS",
				"LOLBins",
				"Lazarus",
				"LightlessCan",
				"Living off the Land",
				"MATA",
				"MBRkiller",
				"MagicRAT",
				"Manuscrypt",
				"Mimail",
				"Mimikatz",
				"Moudour",
				"Mydoom",
				"Mydoor",
				"Mytob",
				"NACHOCHEESE",
				"NachoCheese",
				"NestEgg",
				"NickelLoader",
				"NineRAT",
				"Novarg",
				"NukeSped",
				"OpBlockBuster",
				"PCRat",
				"PEBBLEDASH",
				"PLANKWALK",
				"POOLRAT",
				"PSLogger",
				"PhanDoor",
				"Plink",
				"PondRAT",
				"PowerBrace",
				"PowerRatankba",
				"PowerShell RAT",
				"PowerSpritz",
				"PowerTask",
				"Preft",
				"ProcDump",
				"Proxysvc",
				"PuTTY Link",
				"QUICKRIDE",
				"QUICKRIDE.POWER",
				"Quickcafe",
				"QuiteRAT",
				"R-C1",
				"ROptimizer",
				"Ratabanka",
				"RatabankaPOS",
				"Ratankba",
				"RatankbaPOS",
				"RawDisk",
				"RedShawl",
				"Rifdoor",
				"Rising Sun",
				"Romeo-CoreOne",
				"RomeoAlfa",
				"RomeoBravo",
				"RomeoCharlie",
				"RomeoCore",
				"RomeoDelta",
				"RomeoEcho",
				"RomeoFoxtrot",
				"RomeoGolf",
				"RomeoHotel",
				"RomeoMike",
				"RomeoNovember",
				"RomeoWhiskey",
				"Romeos",
				"RustBucket",
				"SHADYCAT",
				"SHARPKNOT",
				"SIGFLIP",
				"SIMPLESEA",
				"SLICKSHOES",
				"SORRYBRUTE",
				"SUDDENICON",
				"SUGARLOADER",
				"SheepRAT",
				"SierraAlfa",
				"SierraBravo",
				"SierraCharlie",
				"SierraJuliett-MikeOne",
				"SierraJuliett-MikeTwo",
				"SimpleTea",
				"SimplexTea",
				"SmallTiger",
				"Stunnel",
				"TAINTEDSCRIBE",
				"TAXHAUL",
				"TFlower",
				"TOUCHKEY",
				"TOUCHMOVE",
				"TOUCHSHIFT",
				"TOUCHSHOT",
				"TWOPENCE",
				"TYPEFRAME",
				"Tdrop",
				"Tdrop2",
				"ThreatNeedle",
				"Tiger RAT",
				"TigerRAT",
				"Trojan Manuscript",
				"Troy",
				"TroyRAT",
				"VEILEDSIGNAL",
				"VHD",
				"VHD Ransomware",
				"VIVACIOUSGIFT",
				"VSingle",
				"ValeforBeta",
				"Volgmer",
				"Vyveva",
				"W1_RAT",
				"Wana Decrypt0r",
				"WanaCry",
				"WanaCrypt",
				"WanaCrypt0r",
				"WannaCry",
				"WannaCrypt",
				"WannaCryptor",
				"WbBot",
				"Wcry",
				"Win32/KillDisk.NBB",
				"Win32/KillDisk.NBC",
				"Win32/KillDisk.NBD",
				"Win32/KillDisk.NBH",
				"Win32/KillDisk.NBI",
				"WinorDLL64",
				"Winsec",
				"WolfRAT",
				"Wormhole",
				"YamaBot",
				"Yort",
				"ZetaNile",
				"concealment_troy",
				"http_troy",
				"httpdr0pper",
				"httpdropper",
				"klovbot",
				"sRDI"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434298,
	"ts_updated_at": 1775826742,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/fcab9d88011a77a420dd7c8ac4ab068e555bad67.pdf",
		"text": "https://archive.orkl.eu/fcab9d88011a77a420dd7c8ac4ab068e555bad67.txt",
		"img": "https://archive.orkl.eu/fcab9d88011a77a420dd7c8ac4ab068e555bad67.jpg"
	}
}