Lazarus campaigns and backdoors in 2022-23
Common Information
Type Value
UUID 7b051a8a-b970-45af-a5f7-6921895115aa
Fingerprint f66e0b7a601642250776a668026ed89f958c1a92bd22b30f1dc937c39d5b9c42
Analysis status DONE
Considered CTI value 1
Text language
Published Oct. 19, 2023, 5:46 p.m.
Added to db April 14, 2024, 1:30 a.m.
Last updated Aug. 31, 2024, 6:23 a.m.
Headline Lazarus campaigns and backdoors in 2022-23
Title Lazarus campaigns and backdoors in 2022-23
Detected Hints/Tags/Attributes 277/4/180
Attributes
Note: the rows below were machine-extracted from the report text. They mix the report's own indicators (lure and C&C domains, attacker mailbox addresses, dropped file paths under c:\users\public\ and c:\windows\assembly\) with artefacts of the extraction: the high-count domains such as eset.com, github.com, www.cisa.gov or gmail.com come from citations and from the domain part of the listed e-mail addresses, so treat them as context rather than as blockable indicators, and check the low-count domains against the report before acting on them.
Details Type #Events CTI Value
Details CVE 2
cve-2021-26606
Details Domain 114
eset.com
Details Domain 247
www.virusbulletin.com
Details Domain 3
lm-career.com
Details Domain 3
markettrendingcenter.com
Details Domain 1
shopapppro.com
Details Domain 1
techdesignshop.com
Details Domain 1
designautocad.org
Details Domain 1
shopwebstudio.com
Details Domain 1
topnewsagent.com
Details Domain 1
designlabshop.com
Details Domain 1
dailynewsagent.com
Details Domain 1
freewaremail.com
Details Domain 1
webhosttech.org
Details Domain 2
concrecapital.com
Details Domain 70
crypto.com
Details Domain 1
cloudfly.org
Details Domain 1
timecashlive.com
Details Domain 1
datacentre.center
Details Domain 1
doc.filesaves.cloud
Details Domain 1
word.azure
Details Domain 1
www.googlesheet.info
Details Domain 1
dps.shconstmarket.com
Details Domain 2
docs.azurehosting.co
Details Domain 1
verify.azure
Details Domain 2
doc.gdocshare.one
Details Domain 5
safe.doc-share.cloud
Details Domain 1
cryptyk.ddns.net
Details Domain 4
www.tradingtechnologies.com
Details Domain 51
icloud.com
Details Domain 287
yahoo.com
Details Domain 1174
gmail.com
Details Domain 396
protonmail.com
Details Domain 167
tutanota.com
Details Domain 119
yandex.ru
Details Domain 74
proton.me
Details Domain 25
mail.ee
Details Domain 7
apdl.cf
Details Domain 1
mfds.ax
Details Domain 1
www.takegawahelmet.com.tw
Details Domain 111
www.justice.gov
Details Domain 55
blog.google
Details Domain 262
www.welivesecurity.com
Details Domain 3
threatbook.cn
Details Domain 71
blogs.jpcert.or.jp
Details Domain 403
securelist.com
Details Domain 57
www.clearskysec.com
Details Domain 261
blog.talosintelligence.com
Details Domain 3
www.hvs-consulting.de
Details Domain 3
cn.ahnlab.com
Details Domain 17
vblocalhost.com
Details Domain 397
www.microsoft.com
Details Domain 182
www.mandiant.com
Details Domain 469
www.cisa.gov
Details Domain 72
symantec-enterprise-blogs.security.com
Details Domain 1
trading-tech.medium.com
Details Domain 189
asec.ahnlab.com
Details Domain 434
medium.com
Details Domain 243
cve.mitre.org
Details Domain 11
blog.virustotal.com
Details Domain 4127
github.com
Details Domain 3
git.ghostscript.com
Details Domain 1
pdfium.googlesource.com
Details Domain 53
developer.apple.com
Details Domain 66
www.malwarebytes.com
Details Domain 96
malpedia.caad.fkie.fraunhofer.de
Details Email 2
peter.kalnai@eset.com
Details Email 1
goldenbook2021@icloud.com
Details Email 1
harryifrost@yahoo.com
Details Email 3
lucasvcastillo.x@gmail.com
Details Email 1
raymondjburkett@protonmail.com
Details Email 1
bernardmking@tutanota.com
Details Email 1
baltkod@yandex.ru
Details Email 1
alexander132@protonmail.com
Details Email 1
damions112@proton.me
Details Email 1
scan-trader@mail.ee
Details Email 1
rezulbrown@protonmail.com
Details File 4
safe.doc
Details File 208
setup.exe
Details File 20
scskapplink.dll
Details File 30
ftp.exe
Details File 9
tabcal.exe
Details File 1
quartz.pdf
Details File 1
disneypdf.iso
Details File 1
disneypdf.exe
Details File 1
jd.pdf
Details File 8
vnc.exe
Details File 1260
explorer.exe
Details File 146
wininet.dll
Details File 9
ncobjapi.dll
Details File 1
ipv4.php
Details File 2125
cmd.exe
Details File 748
kernel32.dll
Details File 19
msconfig.exe
Details File 1
c:\users\public\videos\officeintegrator.dat
Details File 1
c:\users\public\videos\fav.dat
Details File 1
c:\windows\assembly\pubvak16.dat
Details File 1
operation_interception.pdf
Details File 1
“dangerouspassword” of the apt organization.pdf
Details File 3
spear-phishing-against-cryptocurrency-businesses.html
Details File 3
dream-job-campaign.pdf
Details File 2
threatreport-lazarus.pdf
Details File 1
windows-core.pdf
Details File 2
defending_against_software_supply_chain_attacks_508_1.pdf
Details File 1
not-dream-job-hunting-for-malicious-job.html
Details File 2
lazarus_malware2.html
Details File 1
10135536-b_white.pdf
Details File 1
blindingcan.html
Details File 2
vb2020-takai-etal.pdf
Details File 17
en.pdf
Details Github username 1
sumatrapdfreader
Details Github username 1
vfr
Details Github username 1
ocornut
Details Github username 1
fancycode
Details Github username 1
winlibs
Details Github username 26
eset
Note: the six values typed as IPv4 below match the dotted-quad pattern but have the shape of product or file version strings (single-digit first octet, trailing or repeated zero octets), and 0.1.1.0 lies in the non-routable 0.0.0.0/8 block. Treat them as extractor false positives unless the report itself presents them as network indicators.
Details IPv4 3
1.0.0.17
Details IPv4 11
1.2.0.0
Details IPv4 1
0.1.1.0
Details IPv4 10
1.4.0.0
Details IPv4 2
2.6.1.0
Details IPv4 1
2.4.2.0
Details Mandiant Uncategorized Groups 44
UNC2970
Details Pdb 4
2.pdb
Details Url 1
https://www.justice.gov/opa/pr/three-north-korean-
Details Url 1
https://www.virusbulletin.com/conference/vb2018/abstracts/lazarus-group-one-mahjong-game-played-different-
Details Url 1
https://blog.google/threat-analysis-group/new-campaign-targeting-security-researchers
Details Url 1
https://www.welivesecurity.com/wp-content/uploads/2020/06/eset_
Details Url 1
https://threatbook.cn/ppt/the%20
Details Url 2
https://blogs.jpcert.or.jp
Details Url 1
https://securelist.com/bluenoroff-methods-bypass-motw/108383/
Details Url 1
https://www.jamf
Details Url 2
https://www.clearskysec.com/wp-content/uploads/2020/08/dream-job-campaign.pdf
Details Url 1
https://blog.talosintelligence.com/fake-korean-job-posting/
Details Url 2
https://www.hvs-consulting.de/media/downloads/threatreport-lazarus.pdf
Details Url 1
https://cn.ahnlab.com/global/upload/download
Details Url 1
https://vblocalhost.com/conference/presentations/multi-universe-of-adversary-multiple-
Details Url 1
https://www.microsoft.com/en-us/security/blog/2022/09/29/zinc-weaponizing-open-source-software/
Details Url 1
https://www.mandiant.com/resources/blog/dprk-whatsapp-phishing
Details Url 1
https://www.virusbulletin.com/uploads/pdf/conference/vb2022/papers/vb2022-lazarus-and-byovd-evil-to-the-
Details Url 1
https://www.welivesecurity.com/en/eset-research/lazarus-luring-employees-
Details Url 1
https://securelist.com/the-lazarus-group-deathnote-campaign/109490/
Details Url 1
https://www.cisa.gov/sites/default/files/publications
Details Url 1
https://www.welivesecurity.com/2020/11/16/lazarus-supply-chain-attack-south-korea/
Details Url 2
https://blog.google/threat-analysis-
Details Url 2
https://www.mandiant.com
Details Url 5
https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence
Details Url 1
https://www.welivesecurity.com/2023/04/20/linux-malware-strengthens-links-
Details Url 1
https://trading-tech.medium.com/the-end-of-an-era-x-trader-s-final-sunset-8208832ec058
Details Url 1
https://asec.ahnlab.com/en/33801/
Details Url 252
https://medium.com
Details Url 1
https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/lazarus-dream-job-chemical
Details Url 106
https://cve.mitre.org/cgi-bin/cvename.cgi?name=cve
Details Url 1
https://asec.ahnlab.com/en/40830/
Details Url 1
https://asec.ahnlab.com/en/23717/
Details Url 1
https://www.welivesecurity.com/2022/09/30/amazon-themed-campaigns-lazarus-netherlands-belgium/
Details Url 1
https://blog.virustotal.com/2022/11/not-dream-job-hunting-for-malicious-job.html
Details Url 1
https://github.com/sumatrapdfreader/sumatrapdf
Details Url 1
https://git.ghostscript.com/?p=mupdf.git
Details Url 1
https://github.com/vfr/uxreader-windows
Details Url 1
https://pdfium.googlesource.com/pdfium/
Details Url 1
https://developer.apple.com/documentation/quartz/pdfkit
Details Url 1
https://github.com/ocornut/imgui
Details Url 1
https://www.malwarebytes.com/blog/threat-intelligence/2022/01/north-koreas-
Details Url 1
https://www.virusbulletin.com/virusbulletin/2020/01/vb2019-paper-rich-headers-leveraging-mysterious-
Details Url 1
https://securelist.com/the-bluenoroff-cryptocurrency-hunt-is-still-on/105488/
Details Url 1
https://github.com/fancycode/memorymodule
Details Url 1
https://www.mandiant.com/resources/blog/lightshow-north-korea-unc2970
Details Url 1
https://github.com/winlibs/libmcrypt/blob/master/modules/algorithms/panama.c
Details Url 13
https://securelist.com
Details Url 1
https://web.archive.org/web/20220124183620/https://www.cisa.gov/uscert/sites/default/files/publications/mar-
Details Url 1
https://www.cisa.gov/news-events/analysis-
Details Url 2
https://www.cisa.gov/news-events/analysis-reports
Details Url 1
https://securelist.com/gopuram-backdoor-deployed-through-3cx-
Details Url 1
https://www.cisa.gov/news-events/analysis-reports/ar20-232a
Details Url 1
https://blogs.jpcert.or.jp/en/2020/09/blindingcan.html
Details Url 1
https://vblocalhost.com/uploads/vb2020-takai-etal.pdf
Details Url 1
https://ics-cert.kaspersky.com/media/kaspersky-ics-cert-lazarus-targets-defense-industry-with-threatneedle-
Details Url 1
https://github.com/eset/malware-ioc/tree/master/nukesped_lazarus
Details Url 1
https://malpedia.caad.fkie.fraunhofer.de/actor/lazarus_group
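The attribute table above is a flattened export: each `Details <Type> <#Events>` header line is followed by its value on the next line, and the auto-typed IPv4 and Domain rows need triage before they go anywhere near a blocklist. The Python below is an added example, not part of this page or of ESET's tooling: it parses that layout and runs the checks a practitioner would apply, flagging dotted quads that are non-routable or shaped like file-version strings, and sorting reporting-source and webmail domains away from the low-frequency candidates. REFERENCE_DOMAINS and WEBMAIL_DOMAINS are assumptions drawn from entries on this page, the "version-like" test is a heuristic of my own, and SAMPLE is a constructed subset of the rows above.

```python
"""Triage helper for the flattened 'Details <Type> <#Events>' / '<value>'
attribute list on this page. Added example, not the page's own tooling.
REFERENCE_DOMAINS and WEBMAIL_DOMAINS are assumptions drawn from the page;
the "version-like" IPv4 test is a heuristic, not a rule from the report.
"""
import ipaddress
import re

# Constructed sample: a subset of rows copied from the attribute table.
SAMPLE = """\
Details CVE 2
cve-2021-26606
Details Domain 114
eset.com
Details Domain 3
lm-career.com
Details Domain 1174
gmail.com
Details Domain 1
word.azure
Details Email 1
harryifrost@yahoo.com
Details IPv4 3
1.0.0.17
Details IPv4 1
0.1.1.0
Details File 1
c:\\users\\public\\videos\\fav.dat
"""

# Header row "Details <Type> <#Events>": the type may contain spaces
# ("Mandiant Uncategorized Groups"); the event count is the last token.
HEADER = re.compile(r"^Details (?P<type>[A-Za-z0-9 ]+?) (?P<events>\d+)$")

# Assumption: reporting sources and webmail providers seen on the page; they
# come from citations and attacker mailbox addresses, not from infrastructure.
REFERENCE_DOMAINS = {
    "eset.com", "www.welivesecurity.com", "github.com", "securelist.com",
    "www.virusbulletin.com", "www.microsoft.com", "www.mandiant.com",
    "www.cisa.gov", "asec.ahnlab.com", "medium.com", "cve.mitre.org",
}
WEBMAIL_DOMAINS = {
    "gmail.com", "yahoo.com", "icloud.com", "protonmail.com", "proton.me",
    "tutanota.com", "yandex.ru", "mail.ee",
}


def parse_attributes(text):
    """Pair each header row with the value on the following line."""
    records, pending = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = HEADER.match(line)
        if m:
            pending = (m.group("type"), int(m.group("events")))
        elif pending is not None:
            atype, events = pending
            records.append({"type": atype, "events": events, "value": line})
            pending = None
    return records


def triage_ipv4(value):
    """'invalid', 'non-global' (reserved/private space), 'version-like'
    (heuristic: single-digit first octet plus a trailing or repeated zero
    octet, the shape of PE version strings such as 1.2.0.0), or 'ok'."""
    try:
        addr = ipaddress.IPv4Address(value)
    except ValueError:
        return "invalid"
    if not addr.is_global:
        return "non-global"
    octets = [int(o) for o in value.split(".")]
    if octets[0] <= 9 and (octets[-1] == 0 or octets.count(0) >= 2):
        return "version-like"
    return "ok"


def classify_domain(value, events):
    """'reference', 'webmail', 'candidate' (rare, unexplained) or 'unclassified'."""
    if value in REFERENCE_DOMAINS:
        return "reference"
    if value in WEBMAIL_DOMAINS:
        return "webmail"
    # Assumption: the report's lure and C&C domains are the low-frequency rows.
    return "candidate" if events <= 5 else "unclassified"


def triage(records):
    """Return (type, value, verdict) for every parsed record."""
    out = []
    for r in records:
        atype, value, events = r["type"], r["value"], r["events"]
        if atype == "IPv4":
            verdict = triage_ipv4(value)
        elif atype == "Domain":
            verdict = classify_domain(value, events)
        elif atype == "Email":
            domain = value.rsplit("@", 1)[-1]
            verdict = "webmail" if domain in WEBMAIL_DOMAINS else "candidate"
        elif atype == "File":
            # Absolute Windows paths are host artefacts; bare names need a hash.
            verdict = "host-path" if re.match(r"^[a-z]:\\", value, re.I) else "filename"
        else:
            verdict = "keep"
        out.append((atype, value, verdict))
    return out
```

Running `triage(parse_attributes(SAMPLE))` yields `version-like` for 1.0.0.17, `non-global` for 0.1.1.0, `reference` for eset.com, `webmail` for gmail.com and the yahoo.com mailbox, and `candidate` for lm-career.com and word.azure, which is the split an analyst would want before loading anything into a blocklist. The heuristics are deliberately conservative: a `candidate` verdict means "read the report", not "block".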