{
	"id": "7fa23833-f17b-435a-810d-84211bfa6e0c",
	"created_at": "2026-04-06T00:08:17.833435Z",
	"updated_at": "2026-04-10T03:38:20.164974Z",
	"deleted_at": null,
	"sha1_hash": "fe979927bb84b55aec105755f0903728bcccd9ff",
	"title": "Lazarus on the hunt for big game",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 273677,
	"plain_text": "Lazarus on the hunt for big game\r\nBy Ivan Kwiatkowski\r\nPublished: 2020-07-28 · Archived: 2026-04-05 12:44:02 UTC\r\nWe may only be six months in, but there’s little doubt that 2020 will go down in history as a rather unpleasant year. In the field of cybersecurity, the collective hurt mostly crystallized around the increasing prevalence of targeted ransomware attacks. By investigating a number of these incidents and through discussions with some of our trusted industry partners, we feel that we now have a good grasp on how the ransomware ecosystem is structured.\r\nStructure of the ransomware ecosystem\r\nCriminals piggyback on widespread botnet infections (for instance, the infamous Emotet and Trickbot malware families) to spread into the networks of promising victims, and license ransomware “products” from third-party developers. Once the attackers have a good understanding of the target’s finances and IT processes, they deploy the ransomware on all the company’s assets and enter the negotiation phase.\r\nThis ecosystem operates in independent, highly specialized clusters, which in most cases have no links to each other beyond their business ties. This is why the concept of a threat actor gets fuzzy: the group responsible for the initial breach is unlikely to be the party that compromised the victim’s Active Directory server, which in turn is not the one that wrote the actual ransomware code used during the incident. What’s more, over the course of two incidents, the same criminals may switch business partners and could be leveraging different botnet and/or ransomware families altogether.\r\nBut of course, no complex ecosystem could ever be described by a single, rigid set of rules, and this one is no exception. 
In this blog post, we describe one of these outliers over two separate investigations that occurred between March and May 2020.\r\nCase #1: The VHD ransomware\r\nThis first incident occurred in Europe and caught our attention for two reasons: it features a ransomware family we were unaware of, and it involved a spreading technique reminiscent of APT groups (see the “spreading utility” details below). The ransomware itself is nothing special: it’s written in C++ and crawls all connected disks to encrypt files and delete any folder called “System Volume Information” (which is linked to Windows’ restore point feature). The program also stops processes that could be locking important files, such as Microsoft Exchange and SQL Server. Files are encrypted with a combination of AES-256 in ECB mode and RSA-2048. In our initial report published at the time we noted two peculiarities with this program’s implementation:\r\nThe ransomware uses Mersenne Twister, a non-cryptographic PRNG, as its source of randomness, but unfortunately for the victims the generator is reseeded every time new random data is consumed, which removes the obvious shortcut of recovering a single seed and regenerating every key from it. Still, this is unorthodox cryptography, as is the decision to use the “electronic codebook” (ECB) mode for the AES algorithm. AES in ECB mode is not semantically secure: identical plaintext blocks produce identical ciphertext blocks, so the patterns of the original clear data are preserved upon encryption. This was reiterated by cybersecurity researchers who analyzed Zoom security in April 2020.\r\nVHD implements a mechanism to resume operations if the encryption process is interrupted. For files larger than 16MB, the ransomware stores the current cryptographic material on the hard drive, in clear text. 
This information is not deleted securely afterwards, which implies there may be a chance to recover some of the files.\r\nFigure caption: The Mersenne Twister RNG is reseeded every time it is called.\r\nTo the best of our knowledge, this malware family was first discussed publicly in this blog post.\r\nA spreading utility, discovered alongside the ransomware, propagated the program inside the network. It contained a list of administrative credentials and IP addresses specific to the victim, and used them to brute-force the SMB service on every discovered machine. Whenever a successful connection was made, a network share was mounted, and the VHD ransomware was copied over and executed through WMI calls. This stood out to us as an uncharacteristic technique for cybercrime groups; instead, it reminded us of the APT campaigns Sony SPE, Shamoon and OlympicDestroyer, three previous wipers with worming capabilities.\r\nWe were left with more questions than answers. We felt that this attack did not fit the usual modus operandi of known big-game hunting groups. In addition, we were only able to find a very limited number of VHD ransomware samples in our telemetry, and only a few public references. This indicated that this ransomware family might not be traded widely on dark market forums, as would usually be the case.\r\nCase #2: Hakuna MATA\r\nA second incident, two months later, was handled by Kaspersky’s Incident Response team (GERT). That meant we were able to get a complete picture of the infection chain leading to the installation of the VHD ransomware.\r\nIn this instance, we believe initial access was achieved through opportunistic exploitation of a vulnerable VPN gateway. After that, the attackers obtained administrative privileges, deployed a backdoor on the compromised system and were able to take over the Active Directory server. 
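The ECB weakness noted in Case #1 is easy to see for yourself. The following Python program is an added example and is not code from the original post or from the VHD ransomware: it stands in a toy 16-byte Feistel block cipher (built from the standard library’s hmac and hashlib modules, so nothing beyond the standard library is needed) for AES, encrypts a constructed plaintext made of many identical records under ECB and under CBC, and counts how many ciphertext blocks repeat. The cipher, the sample plaintext and the key are all constructed for the demonstration; the structural point, that ECB maps equal plaintext blocks to equal ciphertext blocks no matter how strong the block cipher is, holds for AES exactly as it does for the toy cipher.

```python
import hashlib
import hmac
import os
from collections import Counter

BLOCK = 16      # block size in bytes, same as AES
HALF = BLOCK // 2
ROUNDS = 8


def _xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


def _round_function(key, half, i):
    # Keyed round function: HMAC-SHA256 over (round index || half), truncated to 8 bytes.
    # Any keyed PRF works here; the Feistel structure is what makes the cipher invertible.
    return hmac.new(key, bytes([i]) + half, hashlib.sha256).digest()[:HALF]


def block_encrypt(key, block):
    # Toy 8-round balanced Feistel network over one 16-byte block. This is a constructed
    # stand-in for AES, not a real cipher: the example is about the mode of operation,
    # which behaves the same whichever block cipher sits underneath.
    assert len(block) == BLOCK
    left, right = block[:HALF], block[HALF:]
    for i in range(ROUNDS):
        left, right = right, _xor(left, _round_function(key, right, i))
    return left + right


def block_decrypt(key, block):
    # Run the rounds backwards; a Feistel network is a permutation for any round function.
    assert len(block) == BLOCK
    left, right = block[:HALF], block[HALF:]
    for i in reversed(range(ROUNDS)):
        left, right = _xor(right, _round_function(key, left, i)), left
    return left + right


def _blocks(data):
    assert len(data) % BLOCK == 0, 'example expects a whole number of blocks'
    return [data[i:i + BLOCK] for i in range(0, len(data), BLOCK)]


def ecb_encrypt(key, data):
    # ECB (the mode VHD uses): every block is encrypted independently,
    # so equal plaintext blocks give equal ciphertext blocks.
    return b''.join(block_encrypt(key, b) for b in _blocks(data))


def ecb_decrypt(key, data):
    return b''.join(block_decrypt(key, b) for b in _blocks(data))


def cbc_encrypt(key, iv, data):
    # CBC: each plaintext block is XORed with the previous ciphertext block (or the IV)
    # before encryption, so equal plaintext blocks no longer line up in the ciphertext.
    out, prev = [], iv
    for b in _blocks(data):
        prev = block_encrypt(key, _xor(b, prev))
        out.append(prev)
    return b''.join(out)


def cbc_decrypt(key, iv, data):
    out, prev = [], iv
    for c in _blocks(data):
        out.append(_xor(block_decrypt(key, c), prev))
        prev = c
    return b''.join(out)


def duplicate_block_count(data):
    # Number of redundant (repeated) 16-byte blocks: the leakage an observer reads off
    # an ECB ciphertext without knowing the key.
    return sum(n - 1 for n in Counter(_blocks(data)).values() if n > 1)


# Constructed sample plaintext: a header, 64 identical records and three distinct trailer blocks.
SAMPLE_PLAINTEXT = (
    b'VHD-DEMO-HEADER'.ljust(BLOCK, b'.')
    + b'balance=0;'.ljust(BLOCK, b'.') * 64
    + b'owner=alice'.ljust(BLOCK, b'.')
    + b'owner=bob'.ljust(BLOCK, b'.')
    + b'end-of-records'.ljust(BLOCK, b'.')
)


def compare_modes(key, iv, plaintext=SAMPLE_PLAINTEXT):
    # Returns the repeated-block count of the plaintext, its ECB ciphertext and its CBC
    # ciphertext, after checking that both modes decrypt back to the plaintext.
    ecb = ecb_encrypt(key, plaintext)
    cbc = cbc_encrypt(key, iv, plaintext)
    assert ecb_decrypt(key, ecb) == plaintext
    assert cbc_decrypt(key, iv, cbc) == plaintext
    return {
        'plaintext': duplicate_block_count(plaintext),
        'ecb': duplicate_block_count(ecb),
        'cbc': duplicate_block_count(cbc),
    }


if __name__ == '__main__':
    key, iv = os.urandom(32), os.urandom(BLOCK)
    for mode, dupes in compare_modes(key, iv).items():
        print(mode, 'repeated blocks:', dupes)
```

Running it shows the same 63 repeated blocks in the plaintext and in the ECB ciphertext, and none under CBC: the ECB output reveals the record structure of the file without any key material, which is exactly the pattern-preservation the post describes.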
They then deployed the VHD ransomware to all the machines in the network. In this instance, there was no spreading utility, but the ransomware was staged through a downloader written in Python that we still believe to be in development. The whole infection took place over the course of 10 hours.\r\nA more relevant piece of information is that the backdoor used during this incident is an instance of a multiplatform framework we call MATA (some vendors also call it Dacls). On July 22, we published a blog article dedicated to this framework. In it, we provide an in-depth description of its capabilities and present evidence of its links to the Lazarus group. Other members of the industry independently reached similar conclusions.\r\nThe forensic evidence gathered during the incident response process is strong enough that we feel comfortable stating with a high degree of confidence that there was only a single threat actor in the victim’s network at the time of the incident.\r\nConclusion\r\nThe data we have at our disposal tends to indicate that the VHD ransomware is not a commercial off-the-shelf product; and as far as we know, the Lazarus group is the sole owner of the MATA framework. Hence, we conclude that the VHD ransomware is also owned and operated by Lazarus.\r\nCircling back to our introduction, this observation is at odds with what we know about the cybercrime ecosystem. Lazarus has always existed at a special crossroads between APT and financial crime, and there have long been rumors in the threat intelligence community that the group was a client of various botnet services. 
We can only speculate about the reason why they are now running solo ops: maybe they find it difficult to interact with the cybercrime underworld, or maybe they felt they could no longer afford to share their profits with third parties.\r\nIt’s obvious the group cannot match the efficiency of other cybercrime gangs with their hit-and-run approach to targeted ransomware. Could they really set an adequate ransom price for their victim during the 10 hours it took to deploy the ransomware? Were they even able to figure out where the backups were located? In the end, the only thing that matters is whether these operations turned a profit for Lazarus.\r\nOnly time will tell whether they jump into hunting big game full time, or scrap it as a failed experiment.\r\nIndicators of compromise\r\nThe spreader utility contains a list of administrative credentials and IP addresses specific to the victim, which is why it’s not listed in the IoC section.\r\nAs the instance of the MATA framework was extracted from memory, no relevant hashes can be provided for it in the IoC section.\r\nVHD ransomware (MD5)\r\n6D12547772B57A6DA2B25D2188451983\r\nD0806C9D8BCEA0BD47D80FA004744D7D\r\nDD00A8610BB84B54E99AE8099DB1FC20\r\nCCC6026ACF7EADADA9ADACCAB70CA4D6\r\nEFD4A87E7C5DCBB64B7313A13B4B1012\r\nDomains and IPs\r\n172.93.184[.]62 - MATA C2\r\n23.227.199[.]69 - MATA C2\r\n104.232.71[.]7 - MATA C2\r\nmnmski.cafe24[.]com - Staging endpoint for the ransomware (personal web space hosted at a legitimate web service and used as a redirection to another compromised legitimate website).\r\nSource: https://securelist.com/lazarus-on-the-hunt-for-big-game/97757/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia",
		"ETDA"
	],
	"references": [
		"https://securelist.com/lazarus-on-the-hunt-for-big-game/97757/"
	],
	"report_names": [
		"97757"
	],
	"threat_actors": [
		{
			"id": "34eea331-d052-4096-ae03-a22f1d090bd4",
			"created_at": "2025-08-07T02:03:25.073494Z",
			"updated_at": "2026-04-10T02:00:03.709243Z",
			"deleted_at": null,
			"main_name": "NICKEL ACADEMY",
			"aliases": [
				"ATK3 ",
				"Black Artemis ",
				"COVELLITE ",
				"CTG-2460 ",
				"Citrine Sleet ",
				"Diamond Sleet ",
				"Guardians of Peace",
				"HIDDEN COBRA ",
				"High Anonymous",
				"Labyrinth Chollima ",
				"Lazarus Group ",
				"NNPT Group",
				"New Romanic Cyber Army Team",
				"Temp.Hermit ",
				"UNC577 ",
				"Who Am I?",
				"Whois Team",
				"ZINC "
			],
			"source_name": "Secureworks:NICKEL ACADEMY",
			"tools": [
				"Destover",
				"KorHigh",
				"Volgmer"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "732597b1-40a8-474c-88cc-eb8a421c29f1",
			"created_at": "2025-08-07T02:03:25.087732Z",
			"updated_at": "2026-04-10T02:00:03.776007Z",
			"deleted_at": null,
			"main_name": "NICKEL GLADSTONE",
			"aliases": [
				"APT38 ",
				"ATK 117 ",
				"Alluring Pisces ",
				"Black Alicanto ",
				"Bluenoroff ",
				"CTG-6459 ",
				"Citrine Sleet ",
				"HIDDEN COBRA ",
				"Lazarus Group",
				"Sapphire Sleet ",
				"Selective Pisces ",
				"Stardust Chollima ",
				"T-APT-15 ",
				"TA444 ",
				"TAG-71 "
			],
			"source_name": "Secureworks:NICKEL GLADSTONE",
			"tools": [
				"AlphaNC",
				"Bankshot",
				"CCGC_Proxy",
				"Ratankba",
				"RustBucket",
				"SUGARLOADER",
				"SwiftLoader",
				"Wcry"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "a2b92056-9378-4749-926b-7e10c4500dac",
			"created_at": "2023-01-06T13:46:38.430595Z",
			"updated_at": "2026-04-10T02:00:02.971571Z",
			"deleted_at": null,
			"main_name": "Lazarus Group",
			"aliases": [
				"Operation DarkSeoul",
				"Bureau 121",
				"Group 77",
				"APT38",
				"NICKEL GLADSTONE",
				"G0082",
				"COPERNICIUM",
				"Moonstone Sleet",
				"Operation GhostSecret",
				"APT 38",
				"Appleworm",
				"Unit 121",
				"ATK3",
				"G0032",
				"ATK117",
				"NewRomanic Cyber Army Team",
				"Nickel Academy",
				"Sapphire Sleet",
				"Lazarus group",
				"Hastati Group",
				"Subgroup: Bluenoroff",
				"Operation Troy",
				"Black Artemis",
				"Dark Seoul",
				"Andariel",
				"Labyrinth Chollima",
				"Operation AppleJeus",
				"COVELLITE",
				"Citrine Sleet",
				"DEV-0139",
				"DEV-1222",
				"Hidden Cobra",
				"Bluenoroff",
				"Stardust Chollima",
				"Whois Hacking Team",
				"Diamond Sleet",
				"TA404",
				"BeagleBoyz",
				"APT-C-26"
			],
			"source_name": "MISPGALAXY:Lazarus Group",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "32a223a8-3c79-4146-87c5-8557d38662ae",
			"created_at": "2022-10-25T15:50:23.703698Z",
			"updated_at": "2026-04-10T02:00:05.261989Z",
			"deleted_at": null,
			"main_name": "Lazarus Group",
			"aliases": [
				"Lazarus Group",
				"Labyrinth Chollima",
				"HIDDEN COBRA",
				"Guardians of Peace",
				"NICKEL ACADEMY",
				"Diamond Sleet"
			],
			"source_name": "MITRE:Lazarus Group",
			"tools": [
				"RawDisk",
				"Proxysvc",
				"BADCALL",
				"FALLCHILL",
				"WannaCry",
				"MagicRAT",
				"HOPLIGHT",
				"TYPEFRAME",
				"Dtrack",
				"HotCroissant",
				"HARDRAIN",
				"Dacls",
				"KEYMARBLE",
				"TAINTEDSCRIBE",
				"AuditCred",
				"netsh",
				"ECCENTRICBANDWAGON",
				"AppleJeus",
				"BLINDINGCAN",
				"ThreatNeedle",
				"Volgmer",
				"Cryptoistic",
				"RATANKBA",
				"Bankshot"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "f32df445-9fb4-4234-99e0-3561f6498e4e",
			"created_at": "2022-10-25T16:07:23.756373Z",
			"updated_at": "2026-04-10T02:00:04.739611Z",
			"deleted_at": null,
			"main_name": "Lazarus Group",
			"aliases": [
				"APT-C-26",
				"ATK 3",
				"Appleworm",
				"Citrine Sleet",
				"DEV-0139",
				"Diamond Sleet",
				"G0032",
				"Gleaming Pisces",
				"Gods Apostles",
				"Gods Disciples",
				"Group 77",
				"Guardians of Peace",
				"Hastati Group",
				"Hidden Cobra",
				"ITG03",
				"Jade Sleet",
				"Labyrinth Chollima",
				"Lazarus Group",
				"NewRomanic Cyber Army Team",
				"Operation 99",
				"Operation AppleJeus",
				"Operation AppleJeus sequel",
				"Operation Blockbuster: Breach of Sony Pictures Entertainment",
				"Operation CryptoCore",
				"Operation Dream Job",
				"Operation Dream Magic",
				"Operation Flame",
				"Operation GhostSecret",
				"Operation In(ter)caption",
				"Operation LolZarus",
				"Operation Marstech Mayhem",
				"Operation No Pineapple!",
				"Operation North Star",
				"Operation Phantom Circuit",
				"Operation Sharpshooter",
				"Operation SyncHole",
				"Operation Ten Days of Rain / DarkSeoul",
				"Operation Troy",
				"SectorA01",
				"Slow Pisces",
				"TA404",
				"TraderTraitor",
				"UNC2970",
				"UNC4034",
				"UNC4736",
				"UNC4899",
				"UNC577",
				"Whois Hacking Team"
			],
			"source_name": "ETDA:Lazarus Group",
			"tools": [
				"3CX Backdoor",
				"3Rat Client",
				"3proxy",
				"AIRDRY",
				"ARTFULPIE",
				"ATMDtrack",
				"AlphaNC",
				"Alreay",
				"Andaratm",
				"AngryRebel",
				"AppleJeus",
				"Aryan",
				"AuditCred",
				"BADCALL",
				"BISTROMATH",
				"BLINDINGCAN",
				"BTC Changer",
				"BUFFETLINE",
				"BanSwift",
				"Bankshot",
				"Bitrep",
				"Bitsran",
				"BlindToad",
				"Bookcode",
				"BootWreck",
				"BottomLoader",
				"Brambul",
				"BravoNC",
				"Breut",
				"COLDCAT",
				"COPPERHEDGE",
				"CROWDEDFLOUNDER",
				"Castov",
				"CheeseTray",
				"CleanToad",
				"ClientTraficForwarder",
				"CollectionRAT",
				"Concealment Troy",
				"Contopee",
				"CookieTime",
				"Cyruslish",
				"DAVESHELL",
				"DBLL Dropper",
				"DLRAT",
				"DRATzarus",
				"DRATzarus RAT",
				"Dacls",
				"Dacls RAT",
				"DarkComet",
				"DarkKomet",
				"DeltaCharlie",
				"DeltaNC",
				"Dembr",
				"Destover",
				"DoublePulsar",
				"Dozer",
				"Dtrack",
				"Duuzer",
				"DyePack",
				"ECCENTRICBANDWAGON",
				"ELECTRICFISH",
				"Escad",
				"EternalBlue",
				"FALLCHILL",
				"FYNLOS",
				"FallChill RAT",
				"Farfli",
				"Fimlis",
				"FoggyBrass",
				"FudModule",
				"Fynloski",
				"Gh0st RAT",
				"Ghost RAT",
				"Gopuram",
				"HARDRAIN",
				"HIDDEN COBRA RAT/Worm",
				"HLOADER",
				"HOOKSHOT",
				"HOPLIGHT",
				"HOTCROISSANT",
				"HOTWAX",
				"HTTP Troy",
				"Hawup",
				"Hawup RAT",
				"Hermes",
				"HotCroissant",
				"HotelAlfa",
				"Hotwax",
				"HtDnDownLoader",
				"Http Dr0pper",
				"ICONICSTEALER",
				"Joanap",
				"Jokra",
				"KANDYKORN",
				"KEYMARBLE",
				"Kaos",
				"KillDisk",
				"KillMBR",
				"Koredos",
				"Krademok",
				"LIGHTSHIFT",
				"LIGHTSHOW",
				"LOLBAS",
				"LOLBins",
				"Lazarus",
				"LightlessCan",
				"Living off the Land",
				"MATA",
				"MBRkiller",
				"MagicRAT",
				"Manuscrypt",
				"Mimail",
				"Mimikatz",
				"Moudour",
				"Mydoom",
				"Mydoor",
				"Mytob",
				"NACHOCHEESE",
				"NachoCheese",
				"NestEgg",
				"NickelLoader",
				"NineRAT",
				"Novarg",
				"NukeSped",
				"OpBlockBuster",
				"PCRat",
				"PEBBLEDASH",
				"PLANKWALK",
				"POOLRAT",
				"PSLogger",
				"PhanDoor",
				"Plink",
				"PondRAT",
				"PowerBrace",
				"PowerRatankba",
				"PowerShell RAT",
				"PowerSpritz",
				"PowerTask",
				"Preft",
				"ProcDump",
				"Proxysvc",
				"PuTTY Link",
				"QUICKRIDE",
				"QUICKRIDE.POWER",
				"Quickcafe",
				"QuiteRAT",
				"R-C1",
				"ROptimizer",
				"Ratabanka",
				"RatabankaPOS",
				"Ratankba",
				"RatankbaPOS",
				"RawDisk",
				"RedShawl",
				"Rifdoor",
				"Rising Sun",
				"Romeo-CoreOne",
				"RomeoAlfa",
				"RomeoBravo",
				"RomeoCharlie",
				"RomeoCore",
				"RomeoDelta",
				"RomeoEcho",
				"RomeoFoxtrot",
				"RomeoGolf",
				"RomeoHotel",
				"RomeoMike",
				"RomeoNovember",
				"RomeoWhiskey",
				"Romeos",
				"RustBucket",
				"SHADYCAT",
				"SHARPKNOT",
				"SIGFLIP",
				"SIMPLESEA",
				"SLICKSHOES",
				"SORRYBRUTE",
				"SUDDENICON",
				"SUGARLOADER",
				"SheepRAT",
				"SierraAlfa",
				"SierraBravo",
				"SierraCharlie",
				"SierraJuliett-MikeOne",
				"SierraJuliett-MikeTwo",
				"SimpleTea",
				"SimplexTea",
				"SmallTiger",
				"Stunnel",
				"TAINTEDSCRIBE",
				"TAXHAUL",
				"TFlower",
				"TOUCHKEY",
				"TOUCHMOVE",
				"TOUCHSHIFT",
				"TOUCHSHOT",
				"TWOPENCE",
				"TYPEFRAME",
				"Tdrop",
				"Tdrop2",
				"ThreatNeedle",
				"Tiger RAT",
				"TigerRAT",
				"Trojan Manuscript",
				"Troy",
				"TroyRAT",
				"VEILEDSIGNAL",
				"VHD",
				"VHD Ransomware",
				"VIVACIOUSGIFT",
				"VSingle",
				"ValeforBeta",
				"Volgmer",
				"Vyveva",
				"W1_RAT",
				"Wana Decrypt0r",
				"WanaCry",
				"WanaCrypt",
				"WanaCrypt0r",
				"WannaCry",
				"WannaCrypt",
				"WannaCryptor",
				"WbBot",
				"Wcry",
				"Win32/KillDisk.NBB",
				"Win32/KillDisk.NBC",
				"Win32/KillDisk.NBD",
				"Win32/KillDisk.NBH",
				"Win32/KillDisk.NBI",
				"WinorDLL64",
				"Winsec",
				"WolfRAT",
				"Wormhole",
				"YamaBot",
				"Yort",
				"ZetaNile",
				"concealment_troy",
				"http_troy",
				"httpdr0pper",
				"httpdropper",
				"klovbot",
				"sRDI"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434097,
	"ts_updated_at": 1775792300,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/fe979927bb84b55aec105755f0903728bcccd9ff.pdf",
		"text": "https://archive.orkl.eu/fe979927bb84b55aec105755f0903728bcccd9ff.txt",
		"img": "https://archive.orkl.eu/fe979927bb84b55aec105755f0903728bcccd9ff.jpg"
	}
}