JPCERT/CC has confirmed that Lazarus has released malicious Python packages to PyPI, the official Python package repository (Figure 1). The Python packages confirmed this time are as follows:
pycryptoenv
pycryptoconf
quasarlib
swapmempool
The package names pycryptoenv and pycryptoconf are similar to pycrypto, which is a Python package used for encryption algorithms in Python. Therefore, the attacker probably prepared the malware-containing malicious packages to target users’ typos in installing Python packages. This article provides details on these malicious Python packages.
Figure 1: Python packages released by Lazarus attack group
File structure of the malicious Python packages
Since the multiple malicious Python packages confirmed this time have almost the same file structure, this article uses pycryptoenv as an example in the following sections. The malicious Python package has the file structure shown in Figure 2. The main body of the malware is a file named test.py. This file itself is not Python but binary data, which is an encoded DLL file.
Figure 2: File structure of pycryptoenv
The code to decode and execute test.py is contained in __init__.py, as shown in Figure 3. The test.py is simply an XOR-encoded DLL file, and it is decoded, saved as a file, and then executed by __init__.py.
Figure 3: Code to decode and execute test.py
This type of malware, called Comebacker, is the same type as that used by Lazarus to target security researchers in an attack reported by Google [1] in January 2021. The following sections describe the details of test.py.
Details of test.py
Since the code which calls the function to decode and execute test.py (the crypt function in Figure 3) does not exist in pycryptoenv, the malware cannot be executed simply by installing pycryptoenv. Therefore, the attacker probably runs the Python script that executes the crypt function on the target machine in some way. The following section describes the behavior when a function that decodes and executes test.py is run. Figure 4 shows the process from pycryptoenv to the execution of the malware main body.
Figure 4: Flow up to Comebacker execution
After test.py is XOR-decoded, it is saved as output.py and then executed as a DLL file by the following command.
$ rundll32 output.py,CalculateSum
The DLL files IconCache.db and NTUSER.DAT are created and executed by the following command. NTUSER.DAT is encoded, and the decoded data is executed on memory, and this data is the main body of Comebacker.
The samples confirmed this time have a fixed decode key as shown in Figure 5, and they are used to decode each file.
Figure 5: Decode Keys and Decode Functions
In addition, the NOP code used in this sample has a unique characteristic. As shown in Figure 6, there is a command starting with 66 66 66 66 in the middle of the code. This is often used, especially in the decode and encode functions. This characteristic is also found in other types of malware used by Lazarus, including malware BLINDINGCAN.
Figure 6: Comparison of characteristic NOP commands between Comebacker and BLINDINGCAN
Details of Comebacker
Comebacker sends the following HTTP POST request to its C2 servers.
[2 random characters]=[command (determined by string length)]&[random character]=[device ID (base64 encoded)]&[random character]=[not used (base64 encoded)]&[random character]=[number (initially 0 and after receiving data, it becomes the value in the received data.)]&[random character]=[length of the next value]&[random character]=[yyyy-MM-dd hh:mm:ss(base64 encoded)*]
*After receiving data from the server, it becomes "yyyy-MM-dd hh:mm:ss|command (same as the first one sent)|number of bytes received"
In response to the above data sent, the server sends back a Windows executable file (see Appendix A for details of the received data format). Comebacker has a function to execute the received Windows executable file on memory.
Associated Attacks
Phylum has reported [2] a similar case to this attack in the past. In this case, a npm package contains Comebacker, and thus the attack is considered to have been conducted by Lazarus as well. In this way, the attacker aims to spread malware infections in multiple package repositories.
Figure 7: npm package released by Lazarus attack group
In Closing
The malicious Python packages confirmed this time have been downloaded approximately 300 to 1,200 times (Figure 8). Attackers may be targeting users’ typos to have the malware downloaded. When you install modules and other kinds of software in your development environment, please do so carefully to avoid installing unwanted packages. For C2 and other information on the malware described in this article, please refer to the Appendix.
Figure 8: Number of pycryptoenv downloads
Shusei Tomonaga (Translated by Takumi Nakano)
References
[1] Google: New campaign targeting security researchers https://blog.google/threat-analysis-group/new-campaign-targeting-security-researchers/
[2] Phylum: Crypto-Themed npm Packages Found Delivering Stealthy Malware https://blog.phylum.io/crypto-themed-npm-packages-found-delivering-stealthy-malware/
Appendix A: Format of the received data
Offset
Content
Notes
0x00
Hex string
Command
0x05
Hex string
End flag ( reception ends if it is 3)
0x07
Hex string
Data length
0x10
Data
Base64 data with “+” replaced with space
The data format is as follows:
[number(number to be included in the next POST data)]|[number(data size to receive)]|[Export function to be called by the downloaded Windows executable file]|[argument for the Export function]|[MD5 hash value]
Nowadays, many people probably recognize exploit of vulnerabilities in publicly exposed assets such as VPN and firewalls as the attack vector. In fact, many security incidents reported to JPCERT/CC also involve such devices. This is because vulnerabilities in VPN devices are exploited not only by APT groups but also by many other groups such as ransomware actors and cyber crime actors, and the number of incidents is high accordingly. As the number of security incidents arising from these specific attack vectors increases, on the other hand, people tend to forget about countermeasures for other attack vectors. Attackers use a variety of methods to conduct attacks, including email, websites, and social networking services. Figure 1 shows a timeline of security incidents related to targeted attacks that JPCERT/CC has confirmed.
Figure 1: Targeted attacks confirmed by JPCERT/CC between 2023 and 2024
As you can see from this figure, there are many methods used for penetrating networks. In this article, we will introduce two cases of watering hole attacks in Japan that received little attention in recent years. We hope that you will find these security incidents useful when planning your security measures. Part 1 covers a case in which the website of a university research laboratory was exploited in 2023.
Flow of the attack
Figure 2 shows the flow of the watering hole attack. When a user accesses a tampered website, a fake Adobe Flash Player update screen is displayed, and if the user downloads and executes the file as instructed, their computer becomes infected with malware.
Figure 2: Flow of the attack
The infected website has JavaScript embedded, as shown in Figure 3, and when the user accesses the site, a Japanese pop-up message is displayed.
Figure 3: Malicious code embedded in the tampered website
One of the characteristics of this watering hole attack is that it did not exploit vulnerabilities for malware infection but used a social engineering technique to trick users who accessed the site into downloading and executing the malware by themselves.
Malware used in the attack
FlashUpdateInstall.exe, the malware downloaded in this attack, displays a decoy document as shown in Figure 4, and has the function to create and execute the core malware (system32.dll). The decoy document is a text file, and it contains a string of text indicating that the update of Adobe Flash Player was successful.
Figure 4: Example of malware code
The created system32.dll is injected into the Explorer process (Early Bird Injection). This DLL file was distinctive as it had been tampered by Cobalt Strike Beacon (version 4.5) to have a watermark of 666666. For detailed configuration information on Cobalt Strike, please see Appendix D.
Examples of attacks by the same group
The attack group involved in this watering hole attack is unknown. The C2 server was hosted on Cloudflare Workers, Cloudflare’s edge serverless service. In addition, we have confirmed that the same attacker is conducting other attacks. Figure 5 shows the behavior of other types of malware confirmed through our investigation of C2 servers.
Figure 5: Malware possibly used by the same attacker
Look at Figure 5. In the first example, the attacker disguised the file name as a file from the Ministry of Economy, Trade and Industry, and a document released by the Ministry was used as a decoy. In addition, the malware (Tips.exe) used in the second example had the feature to allow options to be specified on execution. Options that can be specified are as follows.
This sample used a rarely seen technique: using EnumWindows and EnumUILanguages functions when executing the DLL file.
Figure 6: DLL injection technique
Furthermore, the malware can stop antivirus software (process name: avp.exe) and has a function to detect the following as an anti-analysis function.
Whether there are more than 40 processes
Whether the memory size is larger than 0x200000000 (approx. 8G)
Whether any of the following are included in the physical drive name
VBOX
Microsoft Virtual Disk
VMWare
In Closing
We hope this article will be helpful for you to consider your security measures. In Part 2, we will continue to introduce cases of watering hole attacks.
Figure 1 shows the flow of the watering hole attack. When someone accesses the tampered website, an LZH file is downloaded, and when they execute the LNK file in the LZH file, their PC becomes infected with malware.
Figure 1: Flow of the attack
The infected website had JavaScript embedded in it, as shown in Figure 3, and the malware is downloaded to users who login to the website with a specific account (Basic authentication).
Figure 2: Malicious code embedded in the tampered website (1)
The webpage that starts the download of the malware displays a message, as shown in Figure 3, indicating that the site is undergoing maintenance, and the LZH file is downloaded automatically. In addition, in case the user cannot extract the LZH file, a link to download the legitimate decompression software Lhaplus is included in the webpage.
Figure 3: Malicious code embedded in the tampered website (2)
Malware used in the attack
The malware downloaded by this attack is contained in an LNK file, as shown in Figure 4.
Figure 4: Flow of malware infection
As shown in Figure 5, inside the LNK file there is a ZIP file containing the actual malware and a VBS file for extracting it, which are Base64-encoded and extracted when the LNK file is executed.
Figure 5: Malicious code contained in the LNK file
The ZIP file contains the legitimate file iusb3mon.exe and two DLLs. iusb3mon.dll is loaded into the legitimate file iusb3mon.exe, but as shown in Figure 6, a session called newimp is added, and the actual malware dmiapi32.dll (malware name: SQRoot) is loaded in that session.
Figure 6: The newimp section added to iusb3mon.dll
SQRoot(dmiapi32.dll)
SQRoot is malware that downloads plugins from the C2 server to extend its functionality. The plugins it downloads are listed in Table 1.
8015ba282c.tmp
Download and execute RAT disguised as an image file
abb8fcc3b5.tmp
Download and execute shell code
8714c42184.tmp
Unknown
6eadde753d.tmp
Unknown
SQRoot sends client information when communicating with the C2 server. The data sent is encrypted using ChaCha20. In addition, a unique ID is set at the end of the User-Agent header, and a random string (aq[BASE64-encoded 12-byte nonce]) is set in the x-auth header.
SQRoot limits the time of communication with the C2 server from 9:00 to 18:00, Monday to Friday. Furthermore, it regularly sends fake communication to disguise real communication with the C2 server as normal web access.
When the plugin 8015ba282c.tmp is downloaded, malware disguised as a BPM file (SQRoot RAT) is downloaded as shown in Figure 7. This malware is also set to communicate with the C2 server only between 9:00 and 18:00, Monday to Friday.
Figure 7: A part of the SQRoot RAT disguised as a BPM file
SQRoot RAT encrypts data with RC4 and sends it to the C2 server. For the list of commands that the malware can execute, please see Appendix C.
POST /weekly/img/new/paper.php?hid=[fixed value]&uid=[unique ID]&cid=[command] HTTP/1.1
Connection: Keep-Alive
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/108.0.0.0 Safari/537.36 Edg/108.0.1462.54
Content-Length: [size]
Host: [server name]
[RC4 data]
SQRoot Stealer
Furthermore, another malware (SQRoot Stealer) has been found on hosts infected with SQRoot, which is designed to steal information. Figure 8 shows the flow of SQRoot Stealer execution.
Figure 8: Flow of SQRoot Stealer execution
The actual malware is nvprojects.dll, but like SQRoot, it runs after being loaded into the legitimate file nvSmart.exe, and it operates by loading plugins, also similar to SQRoot. The following are the example of plugins.
jtpa_record_4_0.tmp: keylogger
jtpa_snap_2_0_1.tmp: screen capture
jtpa_un_cat.tm: send file
Attribution
The attack group involved in the watering hole attack discussed in this article is unknown. We have confirmed that the malware file names used in this attack (nvSmart.exe, nvsmartmax.dll, iusb3mon.exe, iusb3mon.dll) have been used by APT10 in the past. In addition, a Web shell called Weevely was installed on the website used in the attack.
In closing
In this and the previous blog posts, we have covered cases of watering hole attacks, and in both cases, the attackers aimed to infect the targets with malware through social engineering, rather than exploiting vulnerabilities. Current security measures tend to focus on addressing vulnerabilities in publicly accessible assets, but it is also important to remain aware of social engineering attacks like this.
*Please note that this article is a translation of the Japanese version published on January 20, 2025, and may not reflect the latest information on threat trends.
“Lazarus”[1] no longer refer to a single APT group but a collection of many sub-groups. Originally, it referred to a single group or activities by some small groups. I suppose that, as the scale of their activities expanded, the group branched out into multiple units. Now it is realistic to consider that “Lazarus” is no longer an applicable label. When I start talking about Lazarus’ subgroup-level identification or attribution, many people look skeptical or uninterested. However, this kind of analysis, which may seem overly obsessive, is actually crucial to addressing attacks against the entire Japan, and this blog post explains the reasons.
Characteristics of Lazarus subgroups
There are already a number of labels that refer to activities/campaigns and groups of Lazarus, and the number is growing. In addition, although it is not limited to Lazarus, various security vendors use different names for the same group, subgroup, and malware, making it more difficult to grasp the whole picture. Furthermore, some authors focus on the names of attack groups (or subgroups) in their analysis reports, while others focus on the names of attack campaigns, which makes the terminology even more confusing. There was even a case where a label used as the name of an attack campaign in one report was cited as that of an attack group in another. *I have organized the labels as follows. Any suggestions or information about the classification are welcome.
Labels for the entire APT activity: Hidden Cobra, TraderTraitor
Labels for individual (or intermittent) campaigns[2]: Operation Dreamjob, Operation In(ter)ception, AppleJeus, Dangerous Password, CryptoCore, SnatchCrypto, Contagious Interview, Operation Jtrack *Dangerous Password and CryptoCore initially appeared as attack group names, but later they are also used as attack campaign names in many cases.
Labels for attack groups (subgroups): TEMP.Hermit, Selective Pisces, Diamond Sleet, Zinc, UNC577, Black Artemis, Labyrinth Chollima, NICKEL ACADEMY APT38, Bluenoroff, Stardust chollima, CryptoMimic, Leery Turtle, Sapphire Sleet, TA444, BlackAlicanto Jade Sleet, UNC4899, Slaw Pisces Gleaming Pisces, Citrine Sleet Andariel, Stonefly, Onyx Sleet, Jumpy Pisces, Silent Chollima Moonstone Sleet (*This may not be a subgroup of Lazarus)
Labels that used to refer to a single attack group and then now used for its successors, related groups, and branched subgroups: Lazarus, Bluenoroff, APT38, Andariel
I have argued[3] in various places that accurate profiling and attribution of APT groups is critical for counter-operations against threat actors. Some people may think that a broad classification is sufficient, rather than more detailed subgrouping. It is true that some of the Lazarus subgroups have the same targets, objectives and TTPs. For example, no matter whether the attacker is Citrine Sleet/UNC4736, Sapphire Sleet/CryptoMimic or Moonstone Sleet, all of which target cryptocurrency, the response strategy may not change significantly. The reasons for identifying threat actors at the subgroup level for Lazarus is further explained later, but there are two characteristics and trends behind this argument, which are unique to Lazarus subgroups and make the grouping of threat actors more difficult:
Overlaps in TTPs among multiple subgroups As many security vendors and analysts have discussed in the past[4], there are overlaps in initial attack vector, C2 infrastructure, and malware among multiple subgroups. As explained in JPCERT/CC Eyes[5] recently, there have been multiple confirmed attack campaigns in which LinkedIn was used for initial attack vector. In addition, there is a tendency that similar attack methods to be increasingly used, which is explained later.
Rise of task force-like groups beyond traditional subgrouping From 2021 to February 2023, reports and media coverage on a new APT actor called Bureau325 appeared[6]. It is known that this actor shares the same TTPs as multiple known Lazarus subgroups and also uses the same malware as Kimsuky. It is assumed that Bureau325 is a task force-like group or activity which is free from existing group structures[7]. In March 2023, Mandiant published a report on APT43[8]. The activities of the actors described in this report were previously reported as those of Kimsuky or Thallium. However, Mandiant’s analysis team has reclassified the group as APT43. The report also notes that APT43 uses the same tools across groups and subgroups, similar to Bureau 325.
Reasons for identification in subgroup level
When identifying APT actors, attention is often paid to attribution, such as identifying the perpetrators, their backgrounds, and attributing responsibility to a specific state, which I believe is the underlying reason why people are not so interested in Lazarus subgroup identification[9]. The following section discusses why detailed identification of subgroups, which are merely virtual distinctions, is necessary in addition to attribution.
Reason 1: To ensure the effects of mid- to long-term damage prevention through security alerts, etc. For example, in attacks through SNS, such as the case covered on JPCERT/CC Eyes recently, cryptocurrency businesses and defense and aviation industries were targeted, and thus it was possible to focus on alerting such industries. Since attackers usually contact individual engineers at target organizations on SNS, it was effective to alert and share IoCs with organizations in the sector. On the other hand, objectives, and target sectors/individuals/organizations of subgroups (and related groups) and attack campaigns identified in the second half of 2023 and later are becoming more complex. While most of them target the cryptocurrency sector, there is a wide range of groups, such as those targeting sensitive corporate information, those using ransomware (Moonstone Sleet), and those targeting illegal foreign currency income by IT workers (WageMole attack campaign). Identifying the target industries and objectives of each subgroup accurately makes it possible to provide information to specific sectors and organizations, which is more effective than issuing alerts. When an alert is issued about an attack that exploits the vulnerability of a specific sector or product, the attacker is also likely to target other sectors or products. However, people may not pay much attention to the alert, thinking that it is irrelevant to them.
Reason 2: Countermeasures/counter operations The accurate identification of subgroups is also essential for Japan to capture the activities of individual actors over the long term and to conduct accurate threat analysis on what kind of activities are intended by the government agencies behind these Lazarus subgroups[[10]. Active cyber defence will also be important for Japan to conduct counter operations against the activities of APT actors in the future.Behind each subgroup, there should be an organization with formation, rules, and forms of command and control, and the effectiveness of various countermeasures should differ from one another. Moreover, in addition to the effectiveness, some countermeasures may cause problems under international law[11], and it is extremely important to accurately capture the relationship between the actions and perpetrator of the counterparty and the background entity.
Reason 3: “Message” to the attackers Many threat analysts are increasingly focusing on subgroup identification. This is partly for counter-tactical reasons, as discussed in Reason 1. However, it is also because the analysts believe that subgroups reflect the actual activities, organizational backgrounds, and resources of the real perpetrators, not just a virtual distinction. There are only a limited number of cases where disclosing information about threat actors, such as public attribution or publishing analytical reports, influences their activities[12]. However, it is at least possible to make the attacker’s new tactics less likely to succeed or make them obsolete. We do not know to what extent APT actors actually pay attention to such information disclosures since they have rarely been verified so far. In any case, if the information is to be disclosed for the purpose of deterrence, such as in the form of public attribution, accurate subgroup identification and clarification would be a minimum requirement to deliver the message to the target (individual or organizational actors). Most importantly, it should be noted that disclosure of accurate subgroup identification demonstrates the ability of the defenders and responders.
Case study of subgroups with overlapping tactics: contact targets on SNS and have them download a malicious npm package
As explained in a recent JPCERT/CC Eyes article, several subgroups started to contact individual engineers on LinkedIn or other SNS to have them download a malicious Python or npm package via PyPI or GitHub in their initial phase. The following is a timeline of the activities of several subgroups that use same or similar tactics.
Figure 1: Multiple subgroups that contact their targets on SNS and have them download malicious packages
Moonstone Sleet Target sectors/objectives: cryptocurrency theft, ransomware attacks, sensitive information in defense industry, etc., illegal income of IT workers In February 2024, we published a JPCERT/CC Eyes blog article about a case in which this subgroup have their targets to download a malicious Python package via PyPI, and its analysis mentioned that the Comebacker was used[13]. In December 2023, Qianxin reported a similar sample[14], and later in May 2024, Microsoft announced that it was tracking the subgroup under the name Moonstone Sleet[15]. Microsoft says that this subgroup has no direct overlap with the subgroup which performs Contagious Interviews (discussed below), whose TTP is similar[16]. Comebacker was found in a 2021 campaign by TEMP.Hermit (labeled by Mandiant and also classified as UNC577 in the past)/Diamond Sleet (labeled by Microsoft and also classified as Zinc in the past)[17]. However, there is little information on the relations between the attack groups.
Gleaming Pisces (Citrine Sleet) Relations to previously classified group: actors of Apple Jeus (UNC1720) Target sectors: cryptocurrency businesses, individuals Similar to Moonstone Sleet, this subgroup performs initial compromise using PyPI. Unit42 calls the group Gleaming Pisces, and Microsoft refers to it as Citrine Sleet. PondRAT (named by Unit42) used in the PyPI exploit attack campaign in 2024[18] has its origin in PoolRAT (name by Unit42) disclosed by CISA when it issued an alert about AppleJeus attack campaign in February 2021[19], and PoolRAT was also found in the supply chain attack on 3cx in March 2023[20]. These RATs share a common A5/1 encryption key, and it was also found in the previously mentioned Comebacker-like sample reported by Qianxin. In addition, FudModule, reportedly used by TEMP.Hermit/Diamond Sleet, was also found in Citrine Sleet’s attack. Microsoft says that there are overlaps between Diamond Sleet and Citrine Sleet in their infrastructure and malware[21].
Contagious Interview (attack campaign) Target sectors/objectives: cryptocurrency theft, illegal income of IT workers (Associated with Wagemole although it is a separate campaign.) This attack activity was reported by Macnica in October 2024[22] and by NTT Security in December 2024[23]. The attackers contact IT engineers pretending to request job interviews. It was first reported by Unit42 in November 2023[24], and according to the company, the campaign has been active since 2022. The attack campaign was allegedly conducted by FAMOUS CHOLLIMA, classified by CrowdStrike, but it remains unclear whether it is a subgroup of Lazarus or another group. In addition, this activity has been associated with Wagemole and CL-STA-0237 (the name used by Unit 42)[25], which are allegedly related to the activities of “IT workers”, North Korean IT technical impersonators who work illegally at overseas IT companies to obtain foreign currency[26]. As mentioned earlier, Microsoft currently classifies Moonstone Sleet activity and Contagious Interview as separate activities. Phylum has been tracking the malicious npm packages used in both activities and has published a number of reports[27].
Reference: Summary of relationships among subgroups at the moment In this article, I have described and compared the Moonstone Sleet activity, Contagious Interview attack campaign, and Gleaming Pisces (Citrine Sleet) activity. They all share the same initial attack vector: contact the target on SNS and then have them download a malicious npm package. The following is a summary of the activities of other Lazarus subgroups and the changes in the classification and the names used by security vendors over time. I believe that the information will continue to change, with new subgroups emerging and security analysts making reclassifications[28]. In the future, we will try to create a system that captures and organizes such information in a dynamic and flexible manner.
Figure 2: Transition of Lazarus subgroups
In conclusion
The term “attribution” has two concepts. One of them is a strict meaning used in international law and criminal procedure, and the other is traditionally used by the security community. I personally refer to the former as “hard” attribution, which includes the identification of individuals and organizations actually involved as well as the attribution of responsibility, and the latter as “soft” attribution, which covers virtual groupings such as actors/attack groups and profiling. Even when there is insufficient evidence for “hard” attribution, “soft” attribution may be helpful in issuing appropriate alerts and providing countermeasure information. On the other hand, “hard” attribution is necessary for long-term countermeasures even when it is not feasible for technically timely responses.
There is not enough space here to cover a variety of technical and non-technical issues surrounding attribution, but I believe that “information disclosure” will be a key topic in the future. Disclosure of attribution results is an achievement for analysts in the private sector as well as an important tool for commercial businesses to demonstrate their expertise. While it is difficult for them to visualize the capabilities of products and services, reports of (soft) attribution can easily show their findings, which is important for maintaining the sound growth of the security market.
Meanwhile, attribution is also an achievement for government side. Aside from the arguments over the effectiveness of public attribution[29], it is a valuable opportunity for governments to demonstrate why they collect information on private victim organizations. In addition, as mentioned earlier, it is also a chance to demonstrate the capabilities as a country to their allies and adversaries. However, in either position, prioritizing achievement and disclosing technically unreliable attribution results bring a number of negative consequences. The effectiveness of information disclosure should also be verified.
Most importantly, it should always be reminded that so-called “threat intelligence,” including attribution results, is not a product created solely by those who release the information. Behind the scenes, victim organizations and analysts involved in on-site response play an extremely important role. Information disclosure influences threat actors, and at the same time, it is also a highly complex activity that affects not only the alerted organizations but also various other parties, including the victim organizations, analysts, and product vendors. Attribution methodology is still in the process of development, and information disclosure involves a number of unresolved issues. I have repeatedly discussed various issues surrounding “information disclosure” in the past[30], and I will continue such discussions along with alerts and analytical reports.
Figure 3: Timing of each attribution
Hayato Sasaki (Translated by Takumi Nakano)
References
*Please note that the authors and titles are omitted due to the large number of references.
[1] This name first appeared in Operation Blockbuster, a joint analysis report led by Novetta and involving a number of security vendors in 2016. It was initially described as “Lazarus Group.”
[2] Attack campaign: Attack activities conducted against a specific organization or sector for a certain period of time using a specific attack method or infrastructure. (Reference: 2024年3月「攻撃技術情報の取扱い・活用手引き」(サイバー攻撃による被害に関する情報共有の促進に向けた検討会事務局(経済産業省、JPCERT/CC))[Japanese only]
[3] https://jsac.jpcert.or.jp/archive/2023/pdf/JSAC2023_2_2_sasaki_en.pdf, JSAC2024 https://jsac.jpcert.or.jp/archive/2024/pdf/JSAC2024_2_6_hayato_sasaki_en.pdf, National Institute for Defense Studies (NIDS) Commentary https://www.nids.mod.go.jp/publication/commentary/pdf/commentary346.pdf [Japanese only]
[4] These are slightly old reports, but they analyze the organization and overlaps of subgroups based on the clustering of malware clusters. https://securelist.com/lazarus-threatneedle/100803/, https://vblocalhost.com/uploads/VB2021-Park.pdf
[6] https://cloud.google.com/blog/topics/threat-intelligence/mapping-dprk-groups-to-government/?hl=en, “Final report of the Panel of Experts submitted pursuant to resolution 2627 (2022)”, https://www.un.org/securitycouncil/sanctions/1718/panel_experts/reports
[9] When I once explained the Lazarus subgroups to a member of an international organization, I was told, “Whatever the subgroups are, they are already attributed (to a certain government) for their illegal activities, and that should be enough.”
[10] Until 2023, such tracking and reporting was conducted at the expert panel of the United Nations Security Council Sanctions Committee on North Korea. The panel collected information like those covered in this article from various security vendor reports and analyzed threats by group and government agencies considered behind such groups. However, as news media reported, the expert panel’s activities ended in FY2023.
[12] For an explanation on the limitations of the punitive deterrence approach centered on public attribution in the U.S. and the history of the transition to a cost-imposition approach, please refer to the following article of the National Institute for Defense Studies (NIDS) Commentary. 佐々木勇人, 瀬戸崇志『サイバー攻撃対処における攻撃「キャンペーン」概念と「コスト賦課アプローチ」——近年の米国政府当局によるサイバー攻撃活動への対処事例の考察から』https://www.nids.mod.go.jp/publication/commentary/pdf/commentary346.pdf [Japanese only]
[28] We mentioned that Mandiant reclassified it as APT43 in March 2023. The activities of this actor were previously often reported and classified as those of Kimsuky and Thallium. However, after years of tracking, it was reanalyzed, reclassified, and then announced as APT43. https://cloud.google.com/blog/ja/topics/threat-intelligence/apt43-north-korea-cybercrime-espionage
[29] For the studies based on the argument that deterrence approaches through public attribution and economic sanctions assuming so-called punitive deterrence had little success, refer to the following. Michael P. Fischerkeller, Emily O. Goldman, Richard J. Harknett, “Cyber Persistence Theory: Redefining National Security in Cyberspace”, Robert Chesney and Max Smeets Eds, “Deter, Disrupt, or Deceive Assessing Cyber Conflict as an Intelligence Contest”
In January 2025, Ivanti published an advisory[1] regarding the vulnerability CVE-2025-0282 in Ivanti Connect Secure. JPCERT/CC has confirmed multiple cases of this vulnerability being exploited in Japan since late December 2024, prior to the disclosure of the vulnerability, and published a security alert[2]. This vulnerability has already been used by multiple attack groups.
Among these cases, JPCERT/CC has confirmed that SPAWN malware family[3][4], which infects after exploiting the vulnerability, according to a report by Google, had been updated. This article explains the updated malware family (hereafter referred to as “SPAWNCHIMERA”).
Overview of SPAWNCHIMERA’s behavior
Figure 1 shows an overview of SPAWNCHIMERA’s behavior. It is malware with the functions of SPAWNANT, SPAWNMOLE, and SPAWNSNAIL all updated and integrated. Therefore, there is no significant difference in the way malware is installed or injected into other processes compared to SPAWN family reported by Google[4]. On the other hand, as shown in Figure 1, SPAWNCHIMERA can be injected into various processes and run in each of them. The major changes are as follows.
Change in inter-process communication
Function to fix vulnerability CVE-2025-0282
New decode functions added
Deleted debug message
Figure 1: Flow of SPAWNCHIMERA’s behavior.
Inter-process communication through UNIX domain sockets
In the previous SPAWN family, the malicious traffic received by SPAWNMOLE was sent to port 8300 on 127.0.0.1, and SPAWNSNAIL processed it. With the abovementioned update, this inter-process communication method was altered to use UNIX domain socket. It is created in the below path, and malicious traffic is sent and received between SPAWNCHIMERA injected into the web process and that injected into the dsmdm process. This change made it more difficult to detect the malware, as netstat command results from the Integrity Checker Tool (ICT) may not be displayed.
/home/runtime/tmp/.logsrv
Function to fix the vulnerability CVE-2025-0282
SPAWNCHIMERA has a new function to fix the CVE-2025-0282 vulnerability. CVE-2025-0282 is a buffer overflow vulnerability[5] caused by the strncpy function, and the malware dynamically fixes it by hooking the strncpy function and limiting the copy size to 256. Figure 2 shows the replaced strncpy function. SPAWNCHIMERA converts its process name to hexadecimal and verifies the added value. The fix is triggered when the process name is “web” The fix is programmed to be disabled when the first byte of the source copied to the strncpy function matches 0x04050203. Due to this function, if another attacker uses this vulnerability to attempt penetration or executes a PoC[6] for scanning purposes, the attack may not succeed.
Figure 2: The strncpy function replaced through hook
New decode functions added
In the previous samples, the private key for SSH server functionality was hardcoded in plaintext within the samples and exported to /tmp/.dskey. On the other hand, in SPAWNCHIMERA, it is now encoded and hardcoded within the sample. The key is used after being decoded with an XOR-based decode function. Since it is not exported as a file, traces are less likely to be left. The decoded private key is shown below.
Additionally, while the previous sample identified malicious traffic in replaced accept function, by matching a part of the received buffer with a hard-coded value, SPAWNCHIMERA has a new decode function and determines whether the traffic is malicious based on its calculation result. The decode function is shown in Figure 3.
Figure 3: Decode function used to identify malicious traffic
Deleted debug message
While there are only minor differences in functionality between the previous SPAWNSLOTH and that dropped by SPAWNCHIMERA, some functions related to debug messages were deleted from the entire sample, possibly with the aim of complicating analysis and preventing hunting. This modification is also seen in the main sample of SPAWNCHIMERA. Figure 4 shows an example of the deleted functions.
SPAWNCHIMERA has evolved into more sophisticated malware by changing various functions of SPAWN family in a way that leaves less traces, and SPAWN family is expected to remain in use. We hope that the information in this article will help your malware analysis. The hash values and file paths of the confirmed malware are listed in the Appendix.
In a previous article of JPCERT/CC Eyes, we reported on SPAWNCHIMERA malware, which infects the target after exploiting the vulnerability in Ivanti Connect Secure. However, this is not the only malware observed in recent attacks. This time, we focus on another malware DslogdRAT and a web shell that were installed by exploiting a zero-day vulnerability at that time, CVE-2025-0282, during attacks against organizations in Japan around December 2024.
Functionality of the installed Web shell
Figure 1 shows a part of the web shell written in Perl. This Perl script is executed as a CGI and retrieves the Cookie header from incoming HTTP requests. If the value of DSAUTOKEN= matches af95380019083db5, the script uses the system function to execute an arbitrary command specified in the request parameter data. It is considered that attackers accessed this simple web shell to execute commands to run malware such as DslogdRAT, which is discussed in the next section.
Figure 1: A part of the web shell
Overview of DslogdRAT
Figure 2 shows the execution flow of DslogdRAT. Upon execution, the main process of DslogdRAT creates a first child process and then terminates itself. The child process then decodes the configuration data and creates a second child process. The first child process enters a loop routine including sleep intervals, and thus it never gets terminated. The second child process contains DslogdRAT core functionality, which includes the following:
Initiate communication with the C2 server based on configuration data
Create a worker thread and pass socket information for communication
The worker thread handles data exchange with the C2 server and execution of various commands. These threads are implemented using the pthread library.
Figure 2: Execution Flow of DslogdRAT
Configuration Data of DslogdRAT
The configuration data of DslogdRAT is encoded and hardcoded in the sample. It is XOR-decoded byte to byte with 0x63 as the key. The structure of the configuration is listed in Table 1 in Appendix A, and the decoded configuration data is shown in Table 2. According to the decoded data, DslogdRAT is set to operate between 8:00 AM and 8:00 PM and remain in a sleep state during the other times. It is considered that attackers intended to avoid detection by communicating during business hours.
DslogdRAT’s Communication Method and Command Execution
DslogdRAT communicates with its C2 server through socket connections. The data exchanged during the communication is encoded using a function shown in Figure 3. The encoding and decoding operations are simple: applying XOR to each 7-byte block from 0x01 to 0x07.
Figure 3: DslogdRAT’s encoding and decoding mechanism
Figure 4 shows an example of the decoded initial communication with the C2 server. During this initial exchange, the malware sends basic information about the infected host to the server. The sent data follows a specific format:
0x00: ff ff ff ff
+0x04: 0f 00
+0x06: Data length
+0x0A: Encoded data
Figure 4: Example of DslogdRAT’s decoded initial communication
DslogdRAT supports multiple commands used for establishing an initial point of entry as shown below. Details of the supported commands are listed in Appendix B.
File upload and download
Execution of shell commands
Proxy functionality
SPAWNSNARE
In addition to DslogdRAT, SPAWNSNARE was also identified on the same compromised system. The malware was previously reported by both CISA and Google in April 2025 [1][2]. For details of SPAWNSNARE’s behavior, please refer to Google’s report [1].
In Closing
It is currently unknown whether the attacks using DslogdRAT is part of the same campaign involving SPAWN malware family operated by UNC5221 [1]. For further information on observed C2 servers, hash values, and file paths, refer to Appendix C and D. JPCERT/CC has issued an alert regarding a vulnerability in Ivanti Connect Secure (CVE-2025-22457), and attacks targeting Ivanti Connect Secure are expected to continue. We recommend continuing to monitor such attacks.
A newly published report by Yuma Masubuchi from the JPCERT Coordination Center (JPCERT/CC) has uncovered the deployment of a stealthy remote access trojan dubbed DslogdRAT, which was installed on compromised Ivanti Connect Secure devices by exploiting a zero-day vulnerability tracked as CVE-2025-0282. The attacks took place in December 2024 and primarily targeted organizations in Japan.
Attackers first deployed a Perl-based web shell to execute arbitrary commands on the infected system. This lightweight backdoor operated as a CGI script and checked for a specific cookie value, DSAUTOKEN=af95380019083db5, before processing commands.
“It is considered that attackers accessed this simple web shell to execute commands to run malware such as DslogdRAT,” according to JPCERT/CC.
Once triggered, DslogdRAT exhibits a multi-stage process flow to evade detection. The main process spawns a child process that decodes configuration data and initiates a second core process. The malware’s architecture ensures that a persistent parent process remains active with intermittent sleep intervals to avoid termination.
“The second child process contains DslogdRAT core functionality, which includes: Initiate communication with the C2 server… and execution of various commands.”
Execution Flow of DslogdRAT | Image: JPCERT/CC
DslogdRAT communicates with its Command-and-Control (C2) server via sockets using a custom XOR-based encoding scheme. The encoded communication includes system fingerprints and follows a specific format outlined in the report.
The RAT supports the following key capabilities:
File upload and download
Shell command execution
Proxy functionality
This enables threat actors to maintain control over the infected system and use it as a foothold for further intrusion.
JPCERT/CC analysis revealed that DslogdRAT is programmed to operate only between 8:00 AM and 8:00 PM, staying dormant outside these hours to blend in with normal user activity.
“It is considered that attackers intended to avoid detection by communicating during business hours,” the report explains.
Alongside DslogdRAT, the SPAWNSNARE malware was also discovered on affected systems. While it’s currently unclear whether the two are part of the same campaign linked to UNC5221, the simultaneous presence of both malware types suggests coordination among advanced threat actors.
Kaspersky Labs has recently revealed a major cyber-espionage campaign conducted by the Lazarus group, dubbed “Operation SyncHole.” Targeting critical industries in South Korea, including software, IT, financial, semiconductor manufacturing, and telecommunications sectors, this operation exemplifies the group’s sophisticated and evolving tactics.
“We have been tracking the latest attack campaign by the Lazarus group since last November,” Kaspersky reported, emphasizing that the attackers used a combination of watering hole strategies and the exploitation of vulnerabilities within South Korean software to penetrate defenses.
The operation began with a watering hole attack, where visitors to compromised South Korean online media sites were selectively redirected to attacker-controlled pages. “Shortly after visiting one particular site, the machine was compromised by the ThreatNeedle malware,” Kaspersky noted. The attackers exploited a potential flaw in Cross EX software, allowing them to inject malware into legitimate processes like SyncHost.exe.
Further investigation uncovered that Lazarus also leveraged a one-day vulnerability in Innorix Agent to facilitate lateral movement within networks. This vulnerability allowed attackers to deliver additional malware on a targeted host of their choice, exploiting traffic validation weaknesses.
Kaspersky identified multiple Lazarus malware strains with new capabilities, including:
ThreatNeedle (updated variant): Divided into Loader and Core components, utilizing the Curve25519 algorithm and ChaCha20 encryption.
wAgent (variant): An upgraded downloader capable of in-memory payload execution and complex plugin management.
Agamemnon Downloader: Implementing advanced reflective loading techniques to bypass EDRs.
SIGNBT (versions 0.0.1 and 1.2): Shifted towards minimized remote control and scheduled execution.
COPPERHEDGE: Used primarily for internal reconnaissance, exploiting ADS for stealthy communication with C2 servers.
“The malware used by the Lazarus group has been rapidly evolving to include lightweighting and modularization,” Kaspersky remarked, indicating a broader strategic shift towards stealthier and more flexible operations.
The attackers cleverly used compromised legitimate South Korean websites as C2 servers, blending malicious activities with normal traffic. Kaspersky also noted that domains like smartmanagerex[.]com and re-registered domains such as thek-portal[.]com were utilized in the campaign.
Attribution to Lazarus was supported by toolset signatures, TTP analysis, and operational timings: “The timeframes were mostly concentrated between GMT 00:00 and 09:00,” aligning with GMT+09, South Korea’s and North Korea’s time zones.
Upon discovery, Kaspersky promptly communicated the findings to the Korea Internet & Security Agency (KrCERT/CC), ensuring swift remediation. Vulnerabilities in Cross EX and Innorix Agent have since been patched, mitigating the immediate threats.
Threat analysts at Silent Push have uncovered a new campaign orchestrated by the North Korean state-sponsored APT group, Contagious Interview, a subgroup of Lazarus (aka “Famous Chollima”). This latest operation reveals an elaborate scheme involving three fake cryptocurrency consulting companies used as fronts to distribute malware to unsuspecting job applicants.
The fake companies exposed are:
BlockNovas LLC (blocknovas[.]com)
Angeloper Agency (angeloper[.]com)
SoftGlide LLC (softglide[.]co)
Silent Push confirmed that these companies are being used to spread three malware strains:
BeaverTail: A JavaScript-based information stealer targeting browser-based crypto wallets.
InvisibleFerret: A Python-based backdoor, often deployed as a second stage payload.
OtterCookie: Another strain aiding persistence and data exfiltration across platforms.
“Our malware analysts confirmed that three strains, BeaverTail, InvisibleFerret, and OtterCookie, are being used to spread malware via ‘interview malware lures’ to unsuspecting cryptocurrency job applicants,” Silent Push reported.
The BlockNovas “About Us” page found on the Wayback Machine | Image: Silent Push
Contagious Interview’s method heavily relies on social engineering. They post fake job listings on legitimate platforms like Upwork, Freelancer, and CryptoJobsList, lure applicants into fake interviews, and deliver malware disguised as skill assessment tests. Silent Push analysts highlighted, “The BlockNovas front company has 14 people allegedly working for them, however many of the employee personas our team researched appear to be fake.” AI-generated images, particularly via “Remaker AI,” were used to create realistic but fictitious employee profiles to build credibility for these companies.
Silent Push discovered that BlockNovas’ infrastructure, including domains like lianxinxiao[.]com, was used both as command-and-control (C2) servers and malware staging points. GitHub repositories tied to BlockNovas hosted malicious code disguised as developer assessment tasks.
One victim recounted, “After accepting the contract, the client invited me to their GitLab project and asked me to run their backend code. Soon after running it, I realized that my MetaMask wallet had been compromised.”
Among the technical findings:
BeaverTail targets browser extensions such as MetaMask, Coinbase Wallet, Phantom, and Crypto.com.
InvisibleFerret ensures persistence across Windows, macOS, and Linux.
OtterCookie assists in maintaining access and hiding communications.
The malware was often spread via fake GitHub repositories, and Silent Push found obfuscated JavaScript and Python payloads dynamically pulled from C2 domains.
A notable operational security lapse by Contagious Interview exposed their dashboard monitoring service health for domains like BlockNovas and lianxinxiao[.]com, tying all fronts together. Silent Push noted, “This dashboard tied the three different companies and their products together, along with a malware staging and C2 domain. This was a significant OPSEC failure by Contagious Interview.”
The Contagious Interview campaign represents a dangerous evolution in North Korean cyber operations, combining AI deception, sophisticated social engineering, and cross-platform malware. Job seekers in the cryptocurrency sector are particularly at risk.
Silent Push urges defenders to remain vigilant against suspicious job offers and implement strong endpoint protections, especially when handling freelance or remote job solicitations in cryptocurrency and tech fields.
The eSentire’s Threat Response Unit (TRU) discovered a sophisticated cyberattack campaign linking SocGholish (also known as FakeUpdates) malware to affiliates of the notorious RansomHub ransomware group. This operation showcases how attackers are combining initial access malware with highly targeted backdoor deployments to compromise corporate networks.
The infection chain began when victims visited a compromised WordPress site, butterflywonderland[.]com, which prompted them to download a fake Microsoft Edge update in the form of “Update.zip.” This archive contained a malicious JScript file, Update.js, designed to communicate with SocGholish command-and-control (C2) infrastructure.
As eSentire explained: “The purpose of this script is to send a POST request to the SocGholish C2… to retrieve the next stage and execute it via the eval() function.”
Once initial access was established, SocGholish gathered system information, including domain details, usernames, computer names, and processor architecture. The malware also executed LOLBins like net.exe and systeminfo to enumerate network connections and system configurations, transmitting this intelligence back to its C2 server.
One of the more insidious aspects of this campaign was the attackers’ strategic target evaluation. Instead of deploying ransomware indiscriminately, they first collected reconnaissance data to select high-value targets. eSentire noted:
“The primary objective of this reconnaissance activity appears to be enabling threat actors to strategically select their targets while effectively evading security researchers and sandbox environments.”
Approximately 6.5 minutes after initial communication, the attackers delivered a Python backdoor via a second-stage payload. The backdoor was deployed through a technique:
Renaming and unpacking a zip archive named python3.12.zip.
Installing it persistently via a scheduled task using pythonw.exe.
The backdoor, obfuscated within a file called fcrapvim.pyz, employed multiple encryption layers (Base85, AES-GCM, AES-CTR, ChaCha20, and Blake3/XOR) to conceal its stages.
The final stage of the malware connected to a threat actor server at 38.146.28[.]93, enabling:
Proxying victim network traffic to the attackers via SOCKS.
Remote command execution.
Facilitating lateral movement within compromised environments.
The Python backdoor included sophisticated anti-analysis features. As eSentire reported: “First, the script checks the victim machine’s platform name for the substrings, ‘vm’ or ‘virtual’. If the substrings are found, the script exits.”
Additional checks aimed to detect debugging attempts, causing the malware to terminate or raise exceptions if a debugger was found active.
Organizations must stay vigilant, hardening systems against both initial access vectors like SocGholish and post-compromise lateral movement tactics.
ARMO researchers have uncovered a critical weakness in Linux runtime security tools, revealing how the io_uring interface enables rootkits to operate undetected by conventional monitoring solutions. Their findings demonstrate that many widely used tools — including Falco, Tetragon, and even Microsoft Defender for Endpoint — are “blind” to attacks exploiting this mechanism.
“This mechanism allows a user application to perform various actions without using system calls,” ARMO explains. Introduced in Linux 5.1, io_uring is a high-performance asynchronous I/O interface that uses shared ring buffers between user space and kernel space, significantly reducing overhead.
While beneficial for efficiency, io_uring also bypasses traditional system call monitoring — the backbone of many Linux security tools. As ARMO warns: “Security tools relying on system call monitoring are ‘blind’ to rootkits working solely on io_uring.”
To demonstrate the threat, ARMO developed Curing, a fully functional rootkit that communicates with a command-and-control server exclusively via io_uring operations, with zero detectable system calls. This proof-of-concept highlights how attackers could:
ARMO tested Curing against several open-source and commercial Linux security products, discovering alarming gaps:
Falco: Completely blind to io_uring-based operations.
Tetragon: Default policies miss io_uring activity, although deeper visibility can be configured with Kprobes and LSM hooks.
Microsoft Defender for Endpoint: Failed to detect multiple malicious activities, even with io_uring usage. Detection was limited to file changes monitored by Fanotify.
According to ARMO: “Many well-known commercial products we tested showed this detection gap.”
Today’s Linux EDR tools largely depend on eBPF-based agents, prioritizing syscall monitoring due to ease of implementation. However, ARMO highlights a significant architectural flaw: “Most cybersecurity vendors still haven’t addressed the issue… they continue to rely on easy and straightforward solutions that are not immune to changes and diversity of applications and kernel features.”
ARMO recommends several strategies to close this blind spot:
Monitor Anomalous io_uring Usage: Flag unexpected use of io_uring in applications.
Adopt KRSI (Kernel Runtime Security Instrumentation): Integrate with Linux’s LSM framework for deeper, structured kernel event visibility.
Hook Beyond System Calls: Explore stable Kprobes and other hook points for better coverage across the kernel.
As ARMO notes, KRSI provides a more resilient detection mechanism: “Unlike direct syscall hooking, LSM hooks provide more consistent and reliable coverage for security-relevant actions.”
In a detailed report by Cyfirma, researchers have uncovered a Python-based Remote Access Trojan (RAT) that leverages Discord as its command-and-control (C2) platform. This malware, deceptively crafted as a benign Python script, is capable of executing a wide range of malicious operations — from exfiltrating system information to crashing systems with a simulated Blue Screen of Death (BSOD).
“The malware analyzed in this report is a Python-based Remote Access Trojan (RAT) that utilizes Discord as a command-and-control (C2) platform,” Cyfirma explains. “Disguised as a benign script, it leverages built-in Python libraries and a Discord bot interface to execute a wide range of malicious operations.”
Discord, originally designed as a communication tool for gaming and communities, has become an attractive medium for cybercriminals due to its permissive network access and encrypted traffic. Cyfirma notes: “It takes advantage of the permissive network environments in which Discord traffic is typically unfiltered, and it employs widely available Python libraries that blend into benign system activity.”
This makes the RAT difficult to detect, particularly in environments where Discord is used for legitimate purposes.
The Python-based RAT is not particularly sophisticated in terms of evasion, but its simplicity and modularity make it highly dangerous. Once installed, it grants attackers a disturbing level of control over infected systems:
Screen Locking: Using the tkinter library, it creates an unclosable fullscreen window, blocking user access.
Visual Disruption: An animated spiral pattern is displayed to further disorient users.
BSOD Simulation: Perhaps its most destructive feature, the malware can invoke a Windows system fault: “It uses ctypes.windll.ntdll to call the undocumented Windows functions RtlAdjustPrivilege and NtRaiseHardError… resulting in a BSOD. This is essentially a simulated kernel panic, which crashes the system without warning and may result in data loss.”
Mouse Interference: Using pyautogui, the script randomly moves the mouse pointer, sabotaging user interaction.
Information Exfiltration: The RAT collects usernames, hostnames, IP addresses, and detailed geolocation data (down to city and GPS coordinates) and sends it back to the attacker’s Discord channel.
All of these malicious functionalities are conveniently triggered through simple button clicks on Discord: “From the Discord channel, attackers can click interactive buttons labeled with actions like ‘Block Screen,’ ‘Trigger BSOD,’ and ‘Mess with Mouse.’ When clicked, these send commands to the bot, which immediately invokes the corresponding Python function on the victim’s machine.”
This seamless integration reduces the technical barrier for attackers, allowing even low-skilled threat actors to execute disruptive attacks effortlessly.
The RAT weaponizes common Python libraries — pyautogui, tkinter, ctypes, requests, and discord — all of which are normally benign and widely used in legitimate applications. By doing so, it blends malicious behavior with legitimate system activity, making static analysis much more difficult.
The malware also ensures persistence by stealthily copying itself into the Windows Startup folder, masquerading under the name “WindowsCrashHandaler.exe”: “The use of a name resembling a system component is intended to evade user detection and administrator scrutiny.”
The increasing use of platforms like Discord for cyber operations underscores a growing challenge for defenders. As Cyfirma warns: “The increasing reliance on communication platforms like Discord for both personal and professional use has created a new attack surface for cybercriminals.”
In a newly released report, Trend Research has unveiled the operations of an advanced persistent threat (APT) group, dubbed Earth Kurma, which has been targeting government and telecommunications entities across Southeast Asia since November 2020. Focused primarily on cyberespionage and data exfiltration, Earth Kurma’s tactics reveal a sophisticated blend of custom toolsets, stealthy rootkits, and public cloud services to exfiltrate sensitive data.
“Since June 2024, we uncovered a sophisticated APT campaign targeting multiple countries in Southeast Asia, including the Philippines, Vietnam, and Malaysia,” Trend researchers stated. “Our analysis revealed that they primarily focused on government sectors, showing particular interest in data exfiltration.”
According to Trend, Earth Kurma’s toolsets include TESDAT, SIMPOBOXSPY, KRNRAT, and MORIYA — the latter two being rootkits used for stealthy persistence.
“Earth Kurma also developed rootkits such as KRNRAT and MORIYA to hide their activities,“ Trend noted.
Notably, forensic analysis uncovered overlaps with other known APT groups, including ToddyCat and Operation TunnelSnake, though Trend concluded: “Differences in the attack patterns prevent us from conclusively attributing these campaigns and operations to the same threat actors. Hence, we named this new APT group ‘Earth Kurma.’”
While the initial infection vectors remain unclear, Earth Kurma’s lateral movement involved a blend of open-source and customized tools, including:
NBTSCAN and ICMPinger for network reconnaissance.
Ladon (wrapped with a reflective loader) to scan infrastructures covertly.
WMIHACKER for executing commands remotely over port 135.
KMLOG — a simple but effective keylogger that stored stolen keystrokes inside fake ZIP files.
To ensure persistence, Earth Kurma employed sophisticated loaders such as DUNLOADER, TESDAT, and DMLOADER, which ultimately deployed payloads like Cobalt Strike beacons and stealth rootkits.
“In the persistence stage, the actors deployed different loaders to maintain their foothold, including DUNLOADER, TESDAT and DMLOADER.”
Earth Kurma’s most striking hallmark is its use of two powerful rootkits:
The IOCTL code in MORIYA (top) and the working flow for MORIYA (bottom) | Image: Trend Micro
MORIYA: Functions as a TCP traffic interceptor, capable of injecting malicious payloads into network responses while remaining invisible. It also boasts AES-encrypted payload injections into svchost.exe processes, using direct system calls to bypass detection.
“The MORIYA variant we found has an additional shellcode injection capability. At the end of its execution, it tries to load a payload file… and injects it into the process of svchost.exe.”
KRNRAT: A full-fledged stealth backdoor built upon multiple open-source projects, capable of process manipulation, file hiding, traffic concealment, and even shellcode injection via specific IOCTL commands.
“KRNRAT is a full-featured backdoor with various capabilities, including process manipulation, file hiding, shellcode execution, traffic concealment, and C&C communication.”
Once valuable documents (such as .pdf, .docx, .xls, etc.) were harvested, Earth Kurma archived them with WinRAR (protected by passwords) and used tools like SIMPOBOXSPY and ODRIZ to stealthily upload the stolen data to Dropbox and OneDrive.
In a sophisticated maneuver, they even leveraged the Distributed File System Replication (DFSR) feature of Active Directory servers to automatically synchronize stolen archives across domain controllers:
“The stolen archives can be automatically synchronized to all DC servers, enabling exfiltration through any one of them.”
Despite surface-level similarities with ToddyCat and Operation TunnelSnake — such as the shared usage of MORIYA and SIMPOBOXSPY — definitive attribution remains elusive. Trend concluded: “Thus, we cannot conclusively link Earth Kurma to ToddyCat.”
Earth Kurma’s operational security, modular malware architecture, and targeted victimology suggest a highly organized, possibly state-backed entity focused on strategic intelligence gathering in the Southeast Asian region.
In a newly released report, Kaspersky Labs warns of an alarming evolution in the Triada Trojan, a notorious Android malware that has adapted to exploit the latest protections in the mobile ecosystem. Researchers have uncovered that the newest versions of Triada are now being pre-installed into the firmware of counterfeit Android devices — making them nearly impossible to remove without a full system reinstallation.
“We discovered new versions of the Triada Trojan on devices whose firmware was infected even before they were available for sale,” Kaspersky reported. “These were imitations of popular smartphone brands, and they remained available from various online marketplaces at the time of our research.”
Initially exploiting root vulnerabilities in older Android versions, Triada adapted as manufacturers hardened their systems. Today, attackers bypass operating system restrictions entirely by embedding malicious components within the system partition, infecting the very heart of the device at the Zygote process level — the parent of all Android applications.
“Attackers are now embedding a sophisticated multi-stage loader directly into device firmware. This allows the Trojan to infect the Zygote process, thereby compromising every application running on the system,“ Kaspersky stated.
Triada Trojan, Android Malware | Image: Kaspersky
Through this method, Triada gains sweeping control, loading malicious payloads into any app launched by the user.
Triada’s modular design enables tailored attacks depending on the app targeted. According to Kaspersky’s findings:
Cryptocurrency theft: Triada modifies clipboard data and interface elements, swapping wallet addresses during transfers to steal funds.
Account hijacking: It steals login credentials and session tokens for Telegram, Instagram, WhatsApp, Facebook, and more.
Browser manipulation: It intercepts and replaces links clicked in browsers like Chrome and Firefox, opening the door to phishing attacks.
SMS and call interception: It hijacks SMS messages to steal verification codes or register unauthorized services.
Device hijacking: It turns infected devices into reverse proxies, enabling attackers to route malicious traffic through victim devices.
“The modular architecture of the malware gives attackers virtually unlimited control over the system, enabling them to tailor functionality to specific applications,” Kaspersky explained.
The infection is initiated via a malicious system library (binder.so) embedded into the device’s framework. From there, the malware carefully selects modules to deploy based on the running application’s package name. For instance:
Cryptocurrency apps like Binance and KuCoin are targeted by crypto stealers.
Messaging apps like Telegram and WhatsApp are infected with modules that harvest login tokens and hijack conversations.
Browsers are targeted to inject and swap malicious links.
Notably, the malware dynamically communicates with C2 servers, using strong encryption (AES-128, RSA) to download additional modules tailored for specific applications.
“Each additional malware payload can use all the permissions available to the app,” Kaspersky highlights, making privilege escalation unnecessary once Triada infiltrates an app’s process.
The scale of the operation is significant. Kaspersky telemetry detected over 4,500 infected devices worldwide, with high infection rates reported in Russia, the UK, Germany, the Netherlands, and Brazil. Cryptocurrency analysis indicated that the attackers have accumulated over $264,000 by June 2025 via their malicious activities.
Perhaps the most concerning revelation is the attack vector. Infected devices were often counterfeit products posing as popular brands, distributed unknowingly through online marketplaces: “It is likely that a stage in the supply chain was compromised, with the vendors in online stores possibly being unaware that they were distributing fake devices infected with Triada.”
This underscores the critical need for consumers to buy devices from trusted sources and verify firmware authenticity.
If your device is suspected to be infected with Triada, Kaspersky advises:
Install clean firmware directly from official sources.
Avoid using messaging apps, crypto wallets, or social media clients before reinstalling firmware.
Use reputable mobile security solutions to detect embedded threats.
“The new version of the Triada Trojan is a multi-stage backdoor giving attackers unlimited control over a victim’s device,” Kaspersky concluded.
In a deep-dive analysis released by Ben Martin, a security analyst at Sucuri, researchers revealed a remarkably sophisticated multi-stage carding attack targeting a vulnerable Magento eCommerce website. This advanced operation leveraged a fake GIF file, browser sessionStorage abuse, and a malicious reverse proxy server to seamlessly intercept and steal sensitive data — including credit card information, login credentials, cookies, and session tokens.
“This malware leveraged a fake gif image file, local browser sessionStorage data, and tampered with the website traffic using a malicious reverse-proxy server to facilitate the theft of credit card data, login details, cookies, and other sensitive data from the compromised website,” Martin explained.
The targeted website was running Magento 1.9.2.4, a platform officially unsupported since June 2020. As Martin emphasized: “It’s worth mentioning that the website in question was using a very out-of-date Magento installation.” This outdated and unpatched software became the perfect gateway for attackers to exploit.
Investigators initially noticed suspicious JavaScript injected into the checkout page, disguised to resemble Bing ad tracking code. However, deeper inspection revealed unusual behavior: references to Magento hidden within the code and dynamic manipulation of strings to construct malicious file paths.
The manipulated JavaScript pointed to what appeared to be a legitimate GIF file: “In the final analysis we get the following: /media/magentothem/img/line.gif?<timestamp>.“ Yet this “GIF” was no image at all — it housed a malicious PHP script designed to act as a reverse proxy.
Reverse proxies are typically legitimate tools used for load balancing and network optimization. However, in this attack, the malware repurposed this technology for nefarious purposes: “The malware captures incoming requests (headers, body, IP address, etc) as well as intercepts POST data (login info, forms, file uploads).”
It laundered all user communications through an attacker-controlled server, manipulating cookies, stripping redirects, and ensuring that victims and administrators remained completely unaware.
But the attack didn’t end there. A second malware injection was discovered within the checkout page template onestepcheckout.phtml. This code cleverly exploited browser sessionStorage to create a session-specific trigger: “In this way most of the actual card-stealing and malicious behaviour is done client-side, making it more difficult to detect.”
This method ensured that the malicious behavior was transient — erased once the browser tab was closed — leaving virtually no forensic traces on the victim’s device. In essence, the fake Bing JS planted the trigger, and the checkout page code detonated it.
Martin concluded that this was no ordinary MageCart-style attack. The infrastructure, careful layering, and use of reverse proxy technology showed significant planning and expertise:
“It is very clear that MageCart malware isn’t going anywhere any time soon,” Martin warned. “eCommerce website admins and shoppers alike need to continue to be diligent in order to protect their data and customers online.”
In a new investigation, The DFIR Report’s Threat Intel Group has shed light on the growing operations of the Fog ransomware group, revealing a sophisticated arsenal of tools and techniques employed to breach networks across multiple industries and geographies.
First observed in mid-2024, Fog has demonstrated a proficiency in reconnaissance, credential theft, privilege escalation, and command-and-control operations. The analysis stemmed from the discovery of an open directory hosted at 194.48.154.79:80, a server likely operated by a Fog affiliate.
“Analysis of its contents revealed a comprehensive toolkit used for reconnaissance, exploitation, credential theft, and command-and-control activities,” the report notes.
The server contained a vast array of offensive tools, including:
SonicWall Scanner: For exploiting VPN credentials.
DonPAPI: For extracting Windows DPAPI-protected credentials.
Certipy: For abusing Active Directory Certificate Services (AD CS).
Zer0dump and Pachine/noPac: For exploiting Active Directory vulnerabilities like CVE-2020-1472 and CVE-2021-42278/42287.
Sliver C2: A powerful post-exploitation command-and-control framework.
AnyDesk: Deployed via a PowerShell script for stealthy persistence with the default password Admin#123.
“Proxychains and Powercat were used to facilitate stealthy lateral movement and reverse shells,“ the report explains. The group’s use of Proxychains allowed them to execute commands from the C2 server while leaving minimal traces on compromised endpoints.
Victim data found on the exposed server indicated that Fog targeted organizations in the technology, education, transportation, and retail sectors. Geographically, their operations spanned Italy, Greece, Brazil, and the United States.
The investigation highlighted a specific breach involving ouroverde.net.br, a Brazilian victim whose data appeared on Fog’s Dedicated Leak Site (DLS), confirming the ransomware group’s direct involvement.
Another notable compromise involved the Greek retail group Fourlis, where internal domain artifacts were found on the exposed server, correlating with a contemporaneous public cyberattack disclosure.
Fog’s operations exhibit a layered attack chain:
Initial Access: Exploiting valid SonicWall VPN credentials using automated scripts.
Credential Access: Harvesting credentials with DonPAPI and Impacket’s DPAPI modules, and extracting domain backup keys.
Privilege Escalation: Leveraging Zer0dump and noPac to escalate privileges to domain admin.
Persistence: Installing AnyDesk silently for continuous access, configured with hardcoded credentials.
Command-and-Control: Deploying Sliver C2 implants for robust C2 communications, alongside Proxychains and Powercat for stealthy network navigation.
The server hosting the open directory was briefly observed operating a Sliver team server on port 31337 before disappearing from view. Notably, the server was rented through Clouvider (AS62240), a common provider for C2 infrastructure among various threat groups.
“The DFIR Report’s Threat Intel Group assesses with moderate confidence the open directory was used by an affiliate of the Fog ransomware group,” the report concluded.
In a new report, researchers at Citizen Lab have exposed a spearphishing campaign targeting senior members of the World Uyghur Congress (WUC), living in exile. The attackers hijacked a trusted Uyghur language text editing software, weaponizing it to deliver Windows-based malware designed for surveillance and control.
“In March 2025, senior members of the World Uyghur Congress (WUC) living in exile were targeted with a spearphishing campaign aimed at delivering Windows-based malware capable of conducting remote surveillance against its targets,” the Citizen Lab report states.
This campaign underscores a disturbing pattern where software intended to empower repressed communities is instead co-opted into tools of digital transnational repression.
The malware was embedded in a trojanized version of UyghurEditPP, a legitimate open-source text editor developed to support the Uyghur language. The original developer was known and trusted within the Uyghur community, making the deception particularly insidious.
“The malware was delivered through a trojanized version of a legitimate open source word processing and spell check tool developed to support the use of the Uyghur language,” the researchers detailed.
Once executed, the malicious software would profile the system, send collected information to a remote command-and-control (C2) server, and could potentially download additional malicious plugins to the infected machine.
Diagram demonstrating the two distinct clusters of C2 infrastructure used in this campaign | Image: Citizen Lab
The backdoor embedded in the software was designed to collect and transmit:
Machine name
Username
IP address
Operating system version
Unique device identifiers (via MD5 hash)
It communicated with C2 domains like tengri[.]ooguy[.]com and fallback addresses such as anar[.]gleeze[.]com, cleverly disguised using culturally significant Uyghur and Turkic language terms to avoid raising suspicion.
“The use of known words further highlights the targeted nature of this campaign,” Citizen Lab researchers noted.
The malware’s modular design allowed operators to deploy additional capabilities only after verifying a system as a legitimate target.
The attack is part of a wider trend of digital transnational repression — the use of hacking, malware, and online surveillance to silence diaspora communities abroad.
“Digital transnational repression arises when governments use digital technologies to surveil, intimidate, and silence exiled and diaspora communities,” Citizen Lab explained.
The Uyghur diaspora, alongside Tibetans and Hong Kong activists, has been a persistent target of such repression by actors likely aligned with the Chinese government.
The command-and-control servers were hosted in IP ranges known to be abused by threat actors and used a self-signed, spoofed Microsoft.COM certificate, further indicating a state-level sophistication behind the campaign.
While Citizen Lab stops short of definitive attribution, the tactics, targets, and infrastructure strongly resemble previously documented campaigns attributed to Chinese government-linked actors.
“Trojanizing their projects by implanting malware causes harm beyond the immediate phishing attempt because it sows fear and uncertainty about the very tools aiming to support and preserve the community,” the report emphasizes.
Citizen Lab calls for greater protection of these vulnerable cultural digital tools and recommends vigilance among users when downloading software — particularly for communities at risk.
The internet forum 4chan, which recently suffered a major data breach following a hacker attack, has begun to resume operations after a two-week disruption. However, the forum has lamented a severe lack of necessary funding for maintenance and is now recruiting new community volunteers to help shoulder backend responsibilities.
4chan has essentially confirmed that the breach resulted from outdated software packages that left vulnerabilities open to exploitation. On April 14, a hacker using a UK-based IP address uploaded a malicious PDF file, leveraging flaws in expired server software to gain access to one of the servers—a server that also provided access to the site’s databases and administrative panel.
The attacker then spent several hours exfiltrating much of 4chan’s source code and database tables. After completing the data theft, the hacker began to vandalize the forum, at which point administrators detected the intrusion and quickly took the compromised server offline, severing the hacker’s access.
The forum attributed the breach to chronic underfunding, which prevented timely updates to its operating systems, codebase, and core infrastructure. Owing to its long-standing association with hate speech, violent content, and extremism, 4chan has found itself largely abandoned by advertisers, resulting in a financial shortfall that left it critically understaffed.
4chan revealed that efforts to procure new servers began in late 2023. Until then, the forum had been operating on second-hand servers purchased by its founder, Christopher Poole, who departed the project in 2015 and has had no further involvement since.
By April 2024, 4chan had finalized the specifications for new servers and initiated procurement, but securing a vendor proved difficult—many server providers were unwilling to associate with 4chan due to reputational concerns. It was not until June 2024 that the hardware acquisition was completed, with server installations finalized in July. Content migration began thereafter, albeit slowly.
During the migration, many critical services remained dependent on the aging infrastructure, and according to 4chan, every phase of the transition took significantly longer than anticipated. Only after the attack did the forum replace the compromised server and upgrade its software packages to the latest versions.
As a preventative measure, 4chan has since disabled the PDF upload function to avert similar attacks and has also shuttered its Flash board, citing concerns that hackers might exploit vulnerabilities through .swf file uploads. Given that Adobe Flash is no longer supported and has become increasingly insecure, disabling these functions was deemed necessary to bolster site defenses.
A previously undocumented remote access trojan (RAT) named ResolverRAT has surfaced, specifically targeting healthcare and pharmaceutical organizations worldwide.
First observed as recently as March 10, 2025, this malware distinguishes itself from related threats like Rhadamanthys and Lumma through its sophisticated in-memory execution and multi-layered evasion techniques.
Morphisec, a leading cybersecurity firm, has detailed the malware’s operations, while PolySwarm analysts classify ResolverRAT as an emerging threat with unique capabilities.
Deployed through localized phishing campaigns, the malware leverages fear-based lures in languages such as Czech, Hindi, Indonesian, Italian, Portuguese, and Turkish, often citing legal or copyright violations to trick users into downloading a seemingly legitimate executable that initiates the infection via DLL side-loading.
Technical Sophistication and Stealthy Operations
ResolverRAT’s infection chain begins with a .NET-based loader that employs advanced anti-analysis methods, utilizing the System.Security.Cryptography namespace for AES-256 encryption in CBC mode with obfuscated keys decoded at runtime.
The payload, compressed using GZip, operates entirely in memory to minimize disk footprints and evade traditional security monitoring.
A standout feature is its use of .NET ResourceResolve event hijacking, which intercepts legitimate resource requests to inject malicious assemblies without altering PE headers or triggering suspicious API calls-a technique Morphisec describes as “malware evolution at its finest.”
Further complicating detection, the payload decryption within the RunVisibleHandler() method uses a complex state machine with control flow flattening and system fingerprinting to thwart static analysis and sandbox environments.
For persistence, ResolverRAT scatters up to 20 obfuscated registry entries across multiple locations and installs itself in various directories, ensuring it remains embedded in compromised systems.
According to the Report, the malware’s command-and-control (C2) infrastructure is equally robust, utilizing a custom protocol over standard ports to blend with legitimate traffic.
Certificate pinning and a parallel trust system bypass SSL inspection, while IP rotation maintains connectivity even if primary servers are disrupted.
Data serialization via Protocol Buffers (ProtoBuf) enhances efficiency and obfuscation, and random-interval connection attempts via timer callbacks add to its stealth.
ResolverRAT’s multi-threaded architecture processes commands concurrently with error handling to prevent crashes, and for data exfiltration, it splits files exceeding 1MB into 16KB chunks, transmitting them only when sockets are ready to minimize detection and recover from network interruptions.
While it shares phishing tactics and binary reuse with Rhadamanthys and Lumma, its distinct loader and payload architecture cement its status as a standalone threat family.
Organizations in the healthcare and pharmaceutical sectors are urged to bolster defenses against phishing campaigns and deploy advanced endpoint detection to counter this evolving threat.
Indicators of Compromise (IOCs)
The following table lists known ResolverRAT samples identified by PolySwarm for reference and threat hunting purposes:
