# Copyright (c) 2014-2021 Maltrail developers (https://github.com/stamparm/maltrail/) # See the file 'LICENSE' for copying permission # Aliases: dangerous passwords, hidden cobra, guardians of peace, zinc, nickel academy, manuscrypt # Note: entries of the form host/path are URL-path trails taken from the cited reports; many of the hosts appear to be otherwise-legitimate compromised sites (institutional domains such as depts.washington.edu, scertodisha.nic.in and hpc.kau.ac.kr occur below), so match them on the full URL rather than promoting the hostname to a domain-level block, and expect the bare-path trails (e.g. /tbl_add.php, /profile2.php, /wp-admin/network/server_test.php) to fire on any host serving that path. Most references date from 2017-2021; re-verify an aged indicator (re-registered domain, cleaned host, reassigned IP) before taking blocking action on it. # Reference: https://cdn.securelist.com/files/2017/04/Lazarus_Under_The_Hood_PDF_final.pdf exbonus.mrbasic.com movis-es.ignorelist.com tradeboard.mefound.com update.toythieves.com sap.misapor.ch # Reference: https://securelist.com/operation-applejeus/87553/ celasllc.com 185.142.236.226 185.142.239.173 196.38.48.121 80.82.64.91 # Reference: https://www.alienvault.com/blogs/labs-research/malicious-documents-from-lazarus-group-targeting-south-korea tpddata.com itaddnet.com wifispeedcheck.net coinoen.org coinmaketcape.com bitfiniex.org apshenyihl.com/include/arc.speclist.class.php ap8898.com/include/arc.search.class.php anlway.com/include/arc.search.class.php tpddata.com/skins/skin-8.thm tpddata.com/skins/skin-6.thm 168wangpi.com/include/charset.php ando.co.kr/service/s_top.asp ansetech.co.kr/smarteditor/common.asp mileage.krb.co.kr/common/db_conf.asp 028xmz.com/include/common.php 33cow.com/include/control.php 51up.com/ace/main.asp 530hr.com/data/common.php 97nb.net/include/arc.sglistview.php marmarademo.com/include/extend.php paulkaren.com/synthpop/main.asp shieldonline.co.za/sitemap.asp # Reference: https://www.flashpoint-intel.com/blog/disclosure-chilean-redbanc-intrusion-lazarus-ties/ # Reference: https://twitter.com/KevinPerlow/status/1083759627714682880 # Reference: https://twitter.com/Bank_Security/status/1107543887462064128 # Reference: https://www.hybrid-analysis.com/sample/7646c2afbc8b9719b0295e5a880bb89fb85bdd4346603a52768b161eda12e8be/5c8a414a0388381b3f329926 # Reference: https://www.virustotal.com/gui/file/7646c2afbc8b9719b0295e5a880bb89fb85bdd4346603a52768b161eda12e8be/detection # Reference: https://twitter.com/ClearskySec/status/1084463729633316864 bodyshoppechiropractic.com drupdate.club ecombox.store /tbl_add.php # 
Reference: https://otx.alienvault.com/pulse/5c8b8e19261a7451de02bf60/ http://37.238.135.70/img/anan.jpg # Reference: https://otx.alienvault.com/pulse/5c9a4d9f90726d0988873a2b # Reference: https://securelist.com/cryptocurrency-businesses-still-being-targeted-by-lazarus/90019/ dev.microcravate.com nzssdm.com bluecreekrobotics.com/wp-includes/common.php dev.microcravate.com/wp-includes/common.php dev.whatsyourcrunch.com/wp-includes/common.php enterpriseheroes.com.ng/wp-includes/common.php hrgp.asselsolutions.com/wp-includes/common.php baseballcharlemagnelegardeur.com/wp-content/languages/common.php bogorcenter.com/wp-content/themes/index2.php eventum.cwsdev3.bi.com/wp-includes/common.php streamf.ru/wp-content/index2.php towingoperations.com/chat/chat.php vinhsake.com/wp-content/uploads/index2.php tangowithcolette.com/pages/common.php # Reference: https://twitter.com/blackorbird/status/1110750919082147842 # Reference: https://blog.alyac.co.kr/2219 alahbabgroup.com http://47.91.56.21/verify.php http://103.225.168.159/admin/verify.php # Reference: https://twitter.com/blackorbird/status/1111449536910680065 wb-bot.org wb-invest.net # Reference: https://twitter.com/KevinPerlow/status/1136994848341409792 sbackservice.com # Reference: https://twitter.com/navSi16/status/1148192534654439426 # Reference: https://otx.alienvault.com/pulse/5d24562845fe64e37ffc46a7 sensationalsecrets.com/js/left.php # Reference: https://twitter.com/blackorbird/status/1148843702690832385 194.45.8.41:443 # Reference: https://twitter.com/bad_packets/status/1148864469486854144 # Reference: https://pastebin.com/G0Ad5Ut6 http://178.128.253.67/tbl_add.php # Reference: https://twitter.com/RedDrip7/status/1148887458152472576 byucksanpaint.com/community/com_gon_open.asp # Reference: https://otx.alienvault.com/pulse/5d2c64b174175b03e7db85cd http://103.53.176.145:8080/ServiceDeskPlus/products.do http://111.68.126.155:8080/ServiceDeskPlus/products.do http://137.117.57.244:8080/ServiceDeskPlus/products.do 
chanbang.co.kr/board/check.asp chanbang.co.kr/family/check.asp chanbang.co.kr/gonggu/upload.asp difa.or.kr/common/asp/inc_Comn.asp edenenc.co.kr/Report/RptMyReport.asp egreenland.co.kr/cheditor2/example/newpost.asp hanbook.co.kr/partnershop/hanmail_ep.asp img.kindermom.co.kr/frameart/print/footer.mov kgsa1015.co.kr/upload/member/member.asp rodaxsankyokorea.com/upload/favicon/favicon.asp sinokor-eng.com/sub/sub01_09.asp # Reference: https://otx.alienvault.com/pulse/5d2dca0a1c7d00fa07be15e5 byucksanpaint.com/community/com_gon_open.asp byucksanpaint.com/main/main4.asp keyang.co.kr/pub/editor/wa_path.asp upload.childu.co.kr/include/OnlyOne1.asp # Reference: https://twitter.com/cyberwar_15/status/1152035187196223488 lavaandstone.com/wp-content/plugins/fusion-core/about.php sales.alitho.com/wp-content/themes/sketch/about.php amytanathorn.com/wp-admin/includes/about.php # Reference: https://twitter.com/cyberwar_15/status/1153123863435214848 rhythm86.com/wp-content/themes/twentysixteen/about.php cabba-cacao.com/wp-content/themes/integral/about.php 3x-tv.com/plugins/editors/about.php # Reference: https://twitter.com/KorbenD_Intel/status/1158479283549089792 # Reference: https://www.virustotal.com/gui/file/3bba04f277e7f51a5500f7b144fdbd851954e4f94bb0290e49fc63f6fc807321/detection policyupdates.info # Reference: https://twitter.com/cyberwar_15/status/1166282138179624960 # Reference: https://twitter.com/navSi16/status/1166287915959214080 youdermoscopy.org/media/fly.avi youdermoscopy.org/media/fly312.avi # Reference: https://blog.alyac.co.kr/2500 (Korean) # Reference: https://otx.alienvault.com/pulse/5d6940cb9e719255258969f5 alnagm-press.com/wp-content/plugins/cloudflare/list.php elsouq.org/aramex/left.php swedishmassageamsterdam.nl/wp-content/themes/top.php # Reference: https://twitter.com/cyberwar_15/status/1175940165425958912 http://158.69.57.135 http://92.222.106.229 # Reference: https://securelist.com/my-name-is-dtrack/93338/ # Reference: 
https://unit42.paloaltonetworks.com/inside-tdrop2-technical-analysis-of-new-dark-seoul-malware/ # Reference: https://otx.alienvault.com/pulse/5d88b31dea7f4b9d4701d7e8 # Reference: https://www.virustotal.com/gui/file/fe51590db6f835a3a210eba178d78d5eeafe8a47bf4ca44b3a6b3dfb599f1702/detection # Reference: https://www.virustotal.com/gui/file/58fef66f346fe3ed320e22640ab997055e54c8704fc272392d71e367e2d1c2bb/detection katawaku.jp/bbs/data/theme/profile2.php materialindia.in totalmateria.net cyberub.com/board/icon/template/template_ro.php /gallery/profile2.php /theme/profile2.php /wp/profile2.php # Reference: https://twitter.com/KseProso/status/1178580006047539200 heromessi.com/wp-public/career/car_add.php # Reference: https://github.com/advanced-threat-research/IOCs/blob/master/2018/2018-02-12-lazarus-resurfaces-targets-global-banks-bitcoin-users/lazarus-resurfaces-targets-global-banks-bitcoin-users.csv deltaemis.com # Reference: https://github.com/advanced-threat-research/IOCs/blob/master/2017/2017-11-20-android-malware-appears-linked-to-lazarus-cybercrime-group/android-malware-appears-linked-to-lazarus-cybercrime-group.csv vmware-probe.zol.co.zw # Reference: https://app.any.run/tasks/01497f45-7fba-4356-bbdc-4270e51c2465/ # Reference: https://twitter.com/Rmy_Reserve/status/1181528617374777344 # Reference: https://www.alienvault.com/blogs/labs-research/malicious-documents-from-lazarus-group-targeting-south-korea gp-core.com gp-main.com # Reference: https://twitter.com/VK_Intel/status/1182722604240719872 # Reference: https://objective-see.com/blog/blog_0x49.html (# AppleJeus) 185.228.83.32:443 beastgoc.com /grepmonux.php # Reference: https://twitter.com/kyleehmke/status/1184120287199223808 # Reference: https://www.virustotal.com/gui/ip-address/185.228.83.129/relations dev.jmttrading.org # Reference: https://twitter.com/RedDrip7/status/1186562944311517184 # Reference: https://blog.alyac.co.kr/2388 (Korean) # Reference: https://twitter.com/RedDrip7/status/1186562944311517184 
# Reference: https://otx.alienvault.com/pulse/5db06ad90686f3bad959d7fc crabbedly.club craypot.live czinfo.club indagator.club pegasusco.net smilekeepers.co # Reference: https://twitter.com/0xD0CF11E0A1B11/status/1187264570861076481 thevagabondsatchel.com/wp-content/uploads/2019/09/public.avi juliesoskin.com/includes/common/list.php necaled.com/modules/applet/list.php valentinsblog.de/wp-admin/includes/list.php # Reference: https://twitter.com/blackorbird/status/1187619261612609536 # Reference: https://www.fortinet.com/blog/threat-research/deep-analysis-nukesped-rat.html # Reference: https://www.virustotal.com/gui/ip-address/218.255.24.226/relations 119.18.230.253:443 218.255.24.226:443 # Reference: https://twitter.com/Rmy_Reserve/status/1188235835956551680 # Reference: https://app.any.run/tasks/42c972b1-ec38-4637-9354-9de930ff50b2/ curiofirenze.com # Reference: https://twitter.com/blackorbird/status/1202177008572092417 unioncrypto.vip # Reference: https://blog.netlab.360.com/dacls-the-dual-platform-rat/ 107.172.197.175:443 172.93.201.219:443 192.210.213.178:443 198.180.198.6:443 209.90.234.34:443 23.227.196.116:443 23.227.199.53:443 23.254.119.12:443 23.81.246.179:443 37.72.175.179:443 64.188.19.117:443 74.121.190.121:443 # Reference: https://securelist.com/operation-applejeus-sequel/95596/ # Reference: https://otx.alienvault.com/pulse/5e15b526b4f8bc605744ad76 aeroplans.info beastgoc.com buckfast-zucht.de chainfun365.com cyptian.com invesuccess.com jmttrading.org mydealoman.com private-kurier.com unioncrypto.vip wb-bot.org wb-invest.net wfcwallet.com # Reference: https://github.com/advanced-threat-research/IOCs/blob/master/2018/2018-03-08-hidden-cobra-targets-turkish-financial-sector-new-bankshot-implant/hidden-cobra-targets-turkish-financial-sector-new-bankshot-implant.csv falcancoin.io # Reference: https://labs.sentinelone.com/dprk-hidden-cobra-update-north-korean-malicious-cyber-activity/ # Reference: https://www.us-cert.gov/ncas/analysis-reports/ar20-045d # 
Reference: https://www.us-cert.gov/ncas/analysis-reports/ar20-045e # Reference: https://www.us-cert.gov/ncas/analysis-reports/AR19-100A # Reference: https://www.us-cert.gov/ncas/analysis-reports/ar20-045b # Reference: https://www.us-cert.gov/ncas/analysis-reports/ar20-045a # Reference: https://www.us-cert.gov/ncas/analysis-reports/ar20-045f 94.177.123.138:8088 193.56.28.103:88 197.211.212.59:7443 181.39.135.126:7443 112.175.92.57:443 81.94.192.147:443 21.252.107.198:23164 70.224.36.194:59681 113.114.117.122:23397 47.206.4.145:59067 84.49.242.125:17770 26.165.218.44:2248 137.139.135.151:64694 97.90.44.200:37120 128.200.115.228:52884 186.169.2.237:65292 188.165.37.168:80 159.100.250.231:80 159.100.250.231:8080 107.6.12.135:443 210.202.40.35:443 # Reference: https://twitter.com/AffableKraut/status/1234726033930248198 74.121.190.140:8443 # Reference: https://twitter.com/RedDrip7/status/1254678135133442048 # Reference: https://ti.qianxin.com/blog/articles/analysis-of-lazarus-apt-targeted-attack-against-south-korea-using-new-crown-outbreak-bait/ # Reference: https://www.virustotal.com/gui/domain/teslacontrols.ir/relations afuocolento.it/wp-admin/network/server_test.php kingsvc.cc mbrainingevents.com/wp-admin/network/server_test.php sofa.rs/wp-admin/network/server_test.php sofa.rs/wp-content/themes/twentynineteen/sass/layout/h1.jpg teslacontrols.ir/wp-includes/images/detail31.jpg teslacontrols.ir/wp-includes/images/detail32.jpg /wp-admin/network/server_test.php # Reference: https://twitter.com/cyberwar_15/status/1254736896330133504 matteoragazzini.it/wp-content/uploads/2017/06/category.php # Reference: https://twitter.com/DeadlyLynn/status/1257504361577496576 # Reference: https://twitter.com/ShadowChasing1/status/1257511608189743105 astedams.it/uploads/template/17.dotm astedams.it/include/inc-elenco-offerter.asp # Reference: https://twitter.com/spider_girl22/status/1258224278194941953 astedams.it/uploads/frame/61.dotm # Reference: 
https://objective-see.com/blog/blog_0x57.html # Reference: https://blog.malwarebytes.com/threat-analysis/2020/05/new-mac-variant-of-lazarus-dacls-rat-distributed-via-trojanized-2fa-app/ # Reference: https://otx.alienvault.com/pulse/5eb2fabf6c26a287f705ca20 185.62.58.207:443 67.43.239.146:443 # Reference: https://github.com/StrangerealIntel/CyberThreatIntel/blob/master/North%20Korea/APT/Lazarus/2020-05-05/Analysis.md#IOC # Reference: https://github.com/StrangerealIntel/CyberThreatIntel/blob/master/North%20Korea/APT/Lazarus/2020-05-05/CSV/IOC-Lazarus_2020_05_05.csv # Reference: https://www.virustotal.com/gui/file/1b0c82e71a53300c969da61b085c8ce623202722cf3fa2d79160dac16642303f/behavior/VMRay # Reference: https://www.virustotal.com/gui/file/66e5371c3da7dc9a80fb4c0fabfa23a30d82650c434eec86a95b6e239eccab88/behavior/QiAnXin%20RedDrip 51.77.65.154:443 192.169.250.185:443 sanlorenzoyacht.com/newsl/uploads/docs/43.dotm elite4print.com/admin/order/batchPdfs.asp od.lk/d/MzBfMjA1Njc0ODdf/pubmaterial.dotm # Reference: https://twitter.com/cyberwar_15/status/1264353716930412544 # Reference: https://www.virustotal.com/gui/file/e637c86ae20a7f36a0ad43618b00c48f47b5591a03af3fb689a16c45afa43733/detection # Reference: https://www.virustotal.com/gui/file/d3a402458682c4febacc6ae4bc98e15e92142603a97d51316eeee9e8bca77f88/detection depts.washington.edu/dswkshp/wordpress/wp-content/themes/twentyfifteen/inc/io/ # Reference: https://twitter.com/spider_girl22/status/1265486116393713665 anca-aste.it/uploads/form/boeing_spectrolab_logo.jpg # Reference: https://twitter.com/cyberwar_15/status/1265266629044080642 # Reference: https://asec.ahnlab.com/1323 (Korean) mokawafm.com/wp-content/plugins/ckeditor-for-wordpress/ckeditor/plugins/image/dialog.php sixbitsmedia.com/wp-content/uploads/wp-logs/category.php # Reference: https://twitter.com/ShadowChasing1/status/1267431134662541317 fudcitydelivers.com sctemarkets.com # Reference: https://twitter.com/IntezerLabs/status/1268158680593313794 threegood.cc 
# Reference: https://twitter.com/ccxsaber/status/1268020350605910016 coingotrade.com kupaywallet.com # Reference: https://twitter.com/Vishnyak0v/status/1269635930878545922 bluemoonresearch.org fitnessdirector.net # Reference: https://twitter.com/RedDrip7/status/1270201358721769475 paghera.com/include/inc-main-default-news.asp # Reference: https://twitter.com/ShadowChasing1/status/1270728525926944768 ne-ba.org/files/gallery/img/img.asp # Reference: https://twitter.com/MBThreatIntel/status/1270741821560406019 160.20.147.253:8443 audiopodcasts.co/verify.php lastedforcast.com/list.php # Reference: https://twitter.com/spider_girl22/status/1275366600560873473 # Reference: https://www.virustotal.com/gui/file/0fa91cac5712cfc0848af092190fd3d09948f1a7750547f0f16d1867dac6288a/detection thestreetsmartsalesman.com/wp-content/uploads/wp-logs/category.php # Reference: https://twitter.com/JAMESWT_MHT/status/1275396942139469824 # Reference: https://app.any.run/tasks/5ddb7e93-bfc8-49a9-bd52-6b70f57c3846/ scertodisha.nic.in/wp-content/plugins/photo-gallery/admin/controllers/Photo.php haciendasacchich.com/wp-content/plugins/photo-gallery/admin/views/404.php annafalkenau.com/awstats/data/upload.php # Reference: https://blog.reversinglabs.com/blog/hidden-cobra # Reference: https://otx.alienvault.com/pulse/5ef2252af73ae43d92eecd15 1688dsj.com amytanathorn.com ccsnbao.com fmose.com fudcitydelivers.com lavaandstone.com sctemarkets.com vns1389.com # Reference: https://twitter.com/ShadowChasing1/status/1276324740878102529 anca-aste.it/uploads/form/boeing_spe_leos_logo.jpg # Reference: https://twitter.com/JAMESWT_MHT/status/1276471822217891840 # Reference: https://app.any.run/tasks/109752e9-2c7f-4d5c-9c3f-300bddc4c0db/ down.1230578.com # Reference: https://twitter.com/felixaime/status/1280053007036624896 # Reference: https://sansec.io/research/north-korea-magecart # Reference: 
https://www.bleepingcomputer.com/news/security/north-korean-hackers-linked-to-credit-card-stealing-attacks-on-us-stores/ # Reference: https://www.virustotal.com/gui/file/a6c803d7a185f896a6c90f78891c5dbb904df3535825764e05432641ab059fb1/detection areac-agr.com papers0urce.com # Reference: https://twitter.com/gwillem/status/1281128245052805120 focuscamere.com # Reference: https://twitter.com/patrickwardle/status/1286109626941845504 # Reference: https://securelist.com/mata-multi-platform-targeted-malware-framework/97746/ 104.232.71.7:443 107.172.197.175:443 108.170.31.81:443 111.90.146.105:443 111.90.148.132:443 172.81.132.41:443 172.93.184.62:443 172.93.201.219:443 185.62.58.207:443 192.210.239.122:443 198.180.198.6:443 209.90.234.34:443 216.244.71.233:443 23.227.199.53:443 23.227.199.69:443 23.254.119.12:443 67.43.239.146:443 68.168.123.86:443 # Reference: https://twitter.com/cyberwar_15/status/1287291019537473538 nextlevelliving.pro/wp-content/uploads/js_composer/images/8c206b81-f5b1-4242-84d3-237ce728ff35.php # Reference: https://twitter.com/AnonySecAgency/status/1290115260116897792 # Reference: https://www.virustotal.com/gui/file/40273d18abc0d623a1798766e0d388f2f46bfa7ad535cad46098a5262382fa13/detection publishapp.co # Reference: https://twitter.com/RedDrip7/status/1293462469214531584 # Reference: https://www.virustotal.com/gui/file/b0921142f8d3067c8253931977999a5092470ff3e562586d87af68c28ec66a99/detection unsunozo.org/include/notes/notes.asp # Reference: https://blogs.jpcert.or.jp/en/2020/08/Lazarus-malware.html # Reference: https://otx.alienvault.com/pulse/5f4d20e8d417f271a62e0aeb gestao.simtelecomrs.com.br/sac/digital/client.jsp sac.onecenter.com.br/sac/masks/wfr_masks.jsp mk.bital.com.br/sac/Formule/Manager.jsp # Reference: https://twitter.com/IntezerLabs/status/1300403461809491969 # Reference: https://analyze.intezer.com/analyses/13d64c6e-6ac7-4888-a682-138a06cbaf16/ # Reference: 
https://www.virustotal.com/gui/file/390f9aae2dd5f0584106e3aa315bbd28a8c6479f126a4f13c7c3a62e19356634/detection 104.217.163.61:443 107.175.172.129:443 37.72.168.228:443 # Reference: https://twitter.com/ShadowChasing1/status/1302180729174937600 fabianiarte.com/uploads/imgup/21it-23792.jpg # Reference: https://blogs.jpcert.or.jp/en/2020/09/BLINDINGCAN.html # Reference: https://otx.alienvault.com/pulse/5f7389601681e32d5bf045f6 automercado.co.cr/empleo/css/main.jsp curiofirenze.com/include/inc-site.asp ne-ba.org/files/news/thumbs/thumbs.asp sanlorenzoyacht.com/newsl/include/inc-map.asp # Reference: https://twitter.com/h2jazi/status/1311644338812792833 # Reference: https://www.virustotal.com/gui/file/d2f1cccfe688c074c3d58ae8f7be7b10dbea5d7ae53320c3f7b6e48cd4f62955/detection phukien2a.net/images/images.zip.000 # Reference: https://blog.talosintelligence.com/2020/11/crat-and-plugins.html # Reference: https://otx.alienvault.com/pulse/5faf04431c479940b422288b teslacontrols.ir/wp-includes/images/detail31.jpg teslacontrols.ir/wp-includes/images/detail32.jpg sofa.rs/wp-content/themes/twentynineteen/sass/layout/h1.jpg publishapp.co/update/check.php sideforum.cc/forum/list.php freeforum.co/forum/list.php goodfriend.pro/projects/list.php friendship.me/users/register.php threegood.cc/api/manage/customers Engpro.xyz/images/detail.php infocop.me/products/list.php teamspit.pro/adverts/follow.php dodoi.cc/photos/preview.php advertapp.me/user/invite.php insideforum.me/forum/list.php anyoneforum.cc/forum/list.php goodproject.xyz/projects/list.php hellofriend.pro/users/register.php moonge.cc/wp-content/plugins/google-sitemap-generator/sitemap-builder-embed.php calculactcal.org/wp-content/themes/twentysixteen/body.php 3cuartos.com/wp-content/plugins/music-press-pro/templates/global/update.php worldfoodstory.co.uk/wp-includes/register.php bokkeriejesj.nl/wp-content/plugins/music-press-pro/upload.php encontrosmaracatu.com.br/wp-content/plugins/music-press-pro/templates/global/topmenu.php 
theblackout.fr/wp-content/plugins/music-press-pro/music-pro.php mokawafm.com/wp-content/plugins/ckeditor-for-wordpress/ckeditor/plugins/image/dialog.php tiramisu.it/wp-content/plugins/wp-comment-form.php kartacnictvi.cz/wp-content/plugins/ckeditor-for-wordpress/ckeditor/plugins/image/upload.php dimer-group.com/wp-content/plugins/ckeditor-for-wordpress/ckeditor/plugins/image/download.php ecolerubanvert.com/wp-content/plugins/image-intense/know.php lwac.com/wp-content/plugins/gallery-plugin/includes/demo-data/images/music/photo.php copansrl.it/wp-admin/user/invite.php arar-musique.fr/wp-content/plugins/music-press-pro/includes/admin/upgrade.php firstalliance.church/wp-content/plugins/music-press/templates/404.php erickeleo.com.br/wp-content/plugins/music-press-pro/go.php kingsvc.cc/index.php sofa.rs/wp-admin/network/server_test.php afuocolento.it/wp-admin/network/server_test.php mbrainingevents.com/wp-admin/network/server_test.php afuocolento.it/wp-includes/process.php # Reference: https://www.welivesecurity.com/2020/11/16/lazarus-supply-chain-attack-south-korea/ # Reference: https://otx.alienvault.com/pulse/5fb4044fd5f18831c24c6af6 cowp.or.kr/html/board/main.asp erpmas.co.kr/Member/franchise_modify.asp fored.or.kr/home/board/view.php gncaf.or.kr/cafe/cafe_board.asp gongsinet.kr/comm/comm_gongsi.asp goojoo.net/board/banner01.asp hsbutton.co.kr/bbs/bbs_write.asp hstudymall.co.kr/easypay/web/bottom.asp ikrea.or.kr/main/main_board.asp pcdesk.co.kr/Freeboard/mn_board.asp pgak.net/service/engine/release.asp quecue.kr/okproj/ex_join.asp style1.co.kr/main/view.asp wowpress.co.kr/customer/refuse_05.asp zndance.com/shop/post.asp # Reference: https://twitter.com/h2jazi/status/1334353120038678528 # Reference: https://www.virustotal.com/gui/file/c19064733f2a23f09c8b16b3847cceeac8f61488be57911cefceb75425501097/detection ilhak.co.kr/images/data/upload.asp ktri.or.kr/upload/mail/upload.asp warevalley.com/support/orange_open.asp # Reference: 
https://twitter.com/BitsOfBinary/status/1321488299932983296 # Reference: https://twitter.com/BitsOfBinary/status/1337330286787518464 # Reference: https://twitter.com/mg2_tracy1/status/1337335098224508928 # Reference: https://x.threatbook.cn/nodev4/vb4/article?threatInfoID=3051 admforte.com.br/wp-content/plugins/top.php dafnefonseca.com/wp-content/themes/top.php drei-schneeballen.de/wp-content/plugins/nextgen-gallery/view.php funny-pictures.picphotos.net/saint-louis-senior-photos-senior-pictures-seniors-st-louis-st-louis/upload.php greenvideo.nl/wp-content/themes/top.php haciendadeclarevot.com/wp-content/top.php justholdfast.com/doodle/wp-content/plugins/top.php qwerty.creativehonduras.com/wp-includes/class-wp-redirect.php shahrtdc.com/wp-content/plugins/top.php tag-cloud-photo.freeware.filetransit.com/login.php urbankizomba.se/wp-content/plugins/photo-gallery/filemanager/upload.php # Reference: https://otx.alienvault.com/pulse/5fd8dbfcfed23b6fa1393ea9 yakufreshperu.com/facturacion/public/css/main.php shikshakibaat.com/classes/detail.jsp sanlorenzoyacht.com/newsl/include/inc-map.asp paghera.com/content/view/thumb/info.asp lyzeum.com/popup/popup.asp index-consulting.jp/eng/news/index.php hansolhope.or.kr/welfare/notice/view.jsp forecareer.com/gdcareer/officetemplate-20nab.asp?iqxml=NVcareer183991 fidesarte.it/thumb/multibox/style/common.asp fabianiarte.com/uploads/imgup/21it-23792.jpg fabianiarte.com/pdf/thumbs/thumb.asp emilypress.com/CMWorking/Static/service/center.asp curiofirenze.com/include/inc-site.asp calculadoras.mx/themes/pack/pilot.php automercado.co.cr/empleo/css/main.jsp astedams.it/photos/image/image.asp arumdaunresort.com/admin/html/user/contact.asp apars-surgery.org/bbs/bbs_files/board_photo/menu.php anca-aste.it/uploads/form/02E319AF73A33547343B71D5CB1064BC.dotm vega.mh-tec.jp/.well-known/index.php turnscor.com/ACT/images/slide/view.jsp prestigein-am.jp/akita/wp-includes/wp-rss1.php genieaccount.com/images/common/common.asp 
acanicjquery.com/slides/style.php mannpublicwhseltd.com/cservice.asp hirokawaunso.co.jp/wordpress/wp-includes/review.php anisweb.org/layout/site/style/preview.jsp support.medicalinthecloud.com/TechCenter/include/slide.asp pennontraders.com/assets/slides/view.jsp indoweb.org/love/data/common/common.php admin.shcpa.co.kr/_asapro2/formmail/lib.php http://137.74.114.227/theveniaux/webliotheque/public/css/main.php http://125.206.177.152/old/viewer.php # Reference: https://twitter.com/BitsOfBinary/status/1339623925274296323 muzeyyengroup.com/wp-content/help.php puskesmas-terminal.com/wp-content/help.php zeandf.com/wp-content/help.php # Reference: https://securelist.com/lazarus-covets-covid-19-related-intelligence/99906/ # Reference: https://otx.alienvault.com/pulse/5fe36c30dbe6a83c04783415 bytecortex.com.br/eletronicos/digital.jsp client.livesistemas.com/Live/posto/system.jsp cometnet.biz/framework/common/common.asp gongim.com/board/ajax_Write.asp iski.silogica.net/events/serial.jsp k-kiosk.com/bbs/notice_write.asp kne.co.kr/upload/Customer/BBS.asp locknlockmall.com/common/popup_left.asp sac.najatelecom.com.br/sac/Dados/ntlm.jsp sistema.celllab.com.br/webrun/Navbar/auth.jsp # Reference: https://twitter.com/ShadowChasing1/status/1349924271791882247 # Reference: https://www.virustotal.com/gui/file/867c8b49d29ae1f6e4a7cd31b6fe7e278753a1ba03d4be338ed11fd1efc7dd36/detection # Reference: https://www.virustotal.com/gui/file/89b5e248c222ebf2cb3b525d3650259e01cf7d8fff5e4aa15ccd7512b1e63957/detection aideck.net # Reference: https://twitter.com/ShadowChasing1/status/1349927630183694339 creaideck.com/update/darwin64.bin # Reference: https://www.virustotal.com/gui/file/d09041e3d635ddb28540b11cf180a30a28fc04c2ee6e5d994aa0bacc9633e944/detection hpc.kau.ac.kr/rolling_banner/tmp4c5ae3.p3a hpc.kau.ac.kr/error2.php # Reference: https://twitter.com/BushidoToken/status/1353684625382641664 # Reference: https://www.virustotal.com/gui/ip-address/120.138.8.26/relations # Reference: 
https://www.virustotal.com/gui/file/cabb45c99ffd8dd189e4e3ed5158fac1d0de4e2782dd704b2b595db5f63e2610/detection # Reference: https://www.virustotal.com/gui/file/a9b3bc337043c04f529b2c19b3e33df1ad59bce27c074427e7b563db3a83c37b/detection # Reference: https://www.virustotal.com/gui/file/bdf9fffe1c9ffbeec307c536a2369eefb2a2c5d70f33a1646a15d6d152c2a6fa/detection advantims.com # Reference: https://twitter.com/ShadowChasing1/status/1353972356759187456 angeldonationblog.com # Reference: https://twitter.com/K_N1kolenko/status/1353975032104558592 # Reference: https://twitter.com/500mk500/status/1353992570519609344 # Reference: https://twitter.com/RedDrip7/status/1354038387603197952 # Reference: https://twitter.com/sS55752750/status/1354059524739653633 # Reference: https://twitter.com/vngkv123/status/1357247638228226053 # Reference: https://twitter.com/blackorbird/status/1357259907448229888 # Reference: https://mp.weixin.qq.com/s/2sV-DrleHiJMSpSCW0kAMg (Korean) # Reference: https://enki.co.kr/blog/2021/02/04/ie_0day.html (Korean) # Reference: https://blog.google/threat-analysis-group/new-campaign-targeting-security-researchers/ # Reference: https://otx.alienvault.com/pulse/60103a3268891c63b1f24d74 # Reference: https://www.virustotal.com/gui/file/a75886b016d84c3eaacaf01a3c61e04953a7a3adf38acf77a4a2e3a8f544f855/detection # Reference: https://www.virustotal.com/gui/file/a08d24f74027256c6fd5c5a2fdb15b12889971fbdcfa7a28ffebbfe8b15aaefb/detection # Reference: https://www.virustotal.com/gui/file/9c906c2f3bfb24883a8784a92515e6337e1767314816d5d9738f9ec182beaf44/detection # Reference: https://www.virustotal.com/graph/embed/g4784ec032b3f4cb987a616f4b2dbc9aa9a982d9b20494f8980ae611a4ca3a1d8 angeldonationblog.com codebiogblog.com codevexillium.org investbooking.de krakenfolio.com opsonew3org.sg transferwiser.io transplugin.io blog.br0vvnn.io codevexillium.org/image/download/download.asp colasprint.com/_vti_log/upload.asp dronerc.it/forum/uploads/index.php 
dronerc.it/shop_testbr/Adapter/Adapter_Config.php dronerc.it/shop_testbr/Core/upload.php dronerc.it/shop_testbr/upload/upload.php edujikim.com/intro/blue/insert.asp fabioluciani.com/ae/include/constant.asp fabioluciani.com/es/include/include.asp loonsaloon.com/wp-content/plugins/revslider/hello.php transplugin.io/upload/upload.asp trophylab.com/notice/images/renewal/upload.asp # Reference: https://blogs.jpcert.or.jp/en/2021/01/Lazarus_malware2.html # Reference: https://otx.alienvault.com/pulse/601052e27a2c451b3ba5ed31 akramportal.org/public/voice/voice.php commodore.com.tr/mobiquo/appExtt/notdefteri/writenote.php fabianiarte.com/newsletter/arte/view.asp hirokawaunso.co.jp/wordpress/wp-includes/ID3/module.audio.mp4.php index-consulting.jp/eng/news/index.php inovecommerce.com.br/public/pdf/view.php ja-fc.or.jp/shop/shopping.php kenpa.org/yokohama/main.php leemble.com/5mai-lyon/public/webconf.php mail.clicktocareers.com/dev_clicktocareers/public/mailview.php scimpex.com/admin/assets/backup/requisition/requisition.php tronslog.com/public/appstore.php vega.mh-tec.jp/.well-known/index.php # Reference: https://twitter.com/Dashowl/status/1354264740692942848 trophylab.com/design/trophy/product/lmages/logo.png worldspia.kr/upload_images/inc/LOG.PHP # Reference: https://twitter.com/mattyb1512/status/1354070629469872129 ctrac.online # Reference: https://twitter.com/h2jazi/status/1362109944791764993 # Reference: https://www.virustotal.com/gui/file/0bc7517aa2f0c1820ced399bfd66b993f10ad77e8d72727b0f3dc1ca35cad7ba/detection # Reference: https://www.virustotal.com/gui/file/91eaf215be336eae983d069de16630cc3580e222c427f785e0da312d0692d0fd/detection # Reference: https://www.virustotal.com/gui/file/dcb232409c799f6ddfe4bc0566161c2d0b372db6095a0018e6059e34c2b79c61/detection kupaywallet.com levelframeblog.com dorusio.com/dorusio_update.php # Reference: https://twitter.com/ShadowChasing1/status/1362362744909930496 materialindia.in/wp/wp-main/gallery/profile2.php 
totalmateria.net/wp/profile2.php # Reference: https://securelist.com/lazarus-threatneedle/100803/ # Reference: https://otx.alienvault.com/pulse/6037c3cea83bb963f5be0d51/ http://156.245.16.55/admin/admin.asp americanhotboats.com/forums/core/cache/index.php astedams.it/photos/image/image.asp au-pair.org/admin/Newspaper.asp au-pair.org/admin/login.asp automercado.co.cr/empleo/css/main.jsp cloudarray.com/images/logo/videos/cache.jsp colasprint.com/_vti_log/upload.asp curiofirenze.com/include/inc-site.asp dellarocca.net/it/content/img/img.asp digitaldowns.us/artman/exec/upload.php djasw.or.kr/sub/popup/images/upfiles.asp docentfx.com/wp-admin/includes/upload.php dronerc.it/forum/uploads/index.php dronerc.it/shop_testbr/Adapter/Adapter_Config.php edujikim.com/intro/blue/view.asp edujikim.com/pay/sample/INIstart.asp edujikim.com/smarteditor/img/upload.asp fabioluciani.com/ae/include/constant.asp fabioluciani.com/es/include/include.asp forum.iron-maiden.ru/core/cache/index.php forum.snowreport.gr/cache/template/upload.php fredrikarnell.com/marocko2014/index.php geeks-board.com/blog/wp-content/uploads/2017/cache.php gonnelli.it/uploads/catalogo/thumbs/thumb.asp juvillage.co.kr/img/upload.asp kannadagrahakarakoota.org/forums/admincp/upload.php kbcwainwrightchallenge.org.uk/connections/dbconn.asp kwwa.org/DR6001/FN6006LS.asp kwwa.org/popup/160307/popup_160308.asp lyzeum.com/board/bbs/bbs_read.asp lyzeum.com/images/board/upload.asp martiancartel.com/forum/customavatars/avatars.php mdim.in.ua/core/cache/index.php newidealupvc.com:443/img/prettyPhoto/jquery.max.php polyboatowners.com/2010/images/BOTM/upload.php polyboatowners.com/css/index.php prototypetrains.com:443/forums/core/cache/index.php raiestatesandbuilders.com/admin/installer/installer/index.php roit.co.kr/xyz/mainpage/view.asp sanatoliacare.com/include/index.asp sanlorenzoyacht.com/newsl/include/inc-map.asp shinwonbook.co.kr/basket/pay/open.asp shinwonbook.co.kr/board/editor/upload.asp 
theforceawakenstoys.com/vBulletin/core/cache/upload.php waterdoblog.com/uploads/index.asp # Reference: https://twitter.com/AnonySecAgency/status/1366971633458548738 # Reference: https://twitter.com/ShadowChasing1/status/1366988046294376450 # Reference: https://www.virustotal.com/gui/file/03cd4ec3defa490e68b1ca2efaf8daea6f89d3cceed51c91f4c4f9e2222d258d/detection gcloud-share.com dshellelink.gcloud-share.com # Reference: https://twitter.com/c3rb3ru5d3d53c/status/1225581378840006656 (# DangerousPasswords) # Reference: https://pastebin.com/raw/cLWvyJ20 # Reference: https://twitter.com/Rmy_Reserve/status/1230881875767377920 # Reference: https://twitter.com/ShadowChasing1/status/1328208737933246464 # Reference: https://www.virustotal.com/gui/file/4c574c1a2b126c8a5ba1ef9560516d0ac9990c0253119f874eb084b57742e3d7/detection http://84.201.189.216 103.205.179.4:8080 amazonaws1.info gdrvup.xyz gmaildrive.site googleauth.pro googledriver.info googleupload.info liveonedrvshare.xyz secureshares.online gdriveupload.info # Reference: https://twitter.com/Rmy_Reserve/status/1246404220040802309 (# DangerousPassword) 88.204.166.59:8080 # Reference: https://twitter.com/ShadowChasing1/status/1339195498519875585 (# DangerousPassword) gdocshare.com # Reference: https://twitter.com/ShadowChasing1/status/1367368069618700291 # Reference: https://twitter.com/_re_fox/status/1260931809103101957 # Reference: https://twitter.com/_re_fox/status/1301564536575733760 # Reference: https://twitter.com/_re_fox/status/1301565785345863689 # Reference: https://twitter.com/mattnotmax/status/1370311682354941954 # Reference: https://twitter.com/cyber__sloth/status/1285510760303656960 # Reference: https://www.virustotal.com/gui/file/d287388e5ff978bf6f8af477460a9b76a74fdc33535e392b70e58176fc9ad805/detection # Reference: https://jsac.jpcert.or.jp/archive/2021/pdf/JSAC2021_302_kodera_jp.pdf (Japanese) # Reference: 
https://www.virustotal.com/gui/file/01184a5acb8b3ec56c9e90f2e6cd6673ae83b4fd6982e17329b33da2f77bcf5b/detection doc.gsheetshare.org docs.dsharefile.tech docs.gdriveshare.top drop.trailads.net dsharefile.tech gsheetshare.org filehost.network mdown.showprice.xyz mse.theworkpc.com name.ownemail.me newsbtctech.com ownemail.me share.onedrvfile.site shop.newsbtctech.com trailads.net up.digifincx.com up.myemail.works # Reference: https://twitter.com/ShadowChasing1/status/1339933511973699584 (# DangerousPassword) # Reference: https://www.virustotal.com/gui/file/c64e2993563345fd497cfc382de27c7791b4f172d2c50d79b6290c2f9c06102c/detection google-clouds.com # Reference: https://twitter.com/cyber__sloth/status/1344208175168368641 (# DangerousPassword) # Reference: https://twitter.com/cyber__sloth/status/1344208380525752321 (# DangerousPassword) addrcheck.corecheckmailsrv.com cloud-sheet.net cloud.optvers.net corecheckmailsrv.com digitalcurencygroup.co down.privatework.buzz fidelitydigitalsassets.com gdocshare.com goglestorage.com google-clouds.com googleproduct.org gsuiteshare.com msftoffice.com myemail.works official.googleproduct.org presentonline.xyz privatework.buzz sharesvr.net # Reference: https://twitter.com/h2jazi/status/1369305004922855431 # Reference: https://twitter.com/h2jazi/status/1369307165807280135 torgirf.ru/loginhome.css # Reference: https://twitter.com/h2jazi/status/1370024802791096320 # Reference: https://www.virustotal.com/gui/file/46fcbc170e84d8ad48434251421bd8f6fa49a7e741d2c24d31c170c607c60d51/detection # Reference: https://www.virustotal.com/gui/file/c8a8d2caa429a8bbe885ef8d59d982b4bfd9c48f1255ff69e3b81c6bbd7b2925/detection dronerc.it/shop_testbr/localization/dir_photoes/image.php dronerc.it/shop_testbr/localization/dir_photoes/logo.php # Reference: https://twitter.com/h2jazi/status/1354880834092859395 # Reference: https://www.virustotal.com/gui/ip-address/104.168.158.103/relations # Reference: 
https://www.virustotal.com/gui/file/aec3ced40a3451dc2c6b1704cc50b0e0c8e549faaa8ae42b6d6f421b4fc2ef8a/detection # Reference: https://www.virustotal.com/gui/file/e7a4d8b80dc653a47440db2a8deaf782109bb710e5d4311bc3d7685dba715865/detection # Reference: https://www.virustotal.com/gui/file/75d3d96033db529c9ae698ac6de8fba420c2daa5d97614d7118f49e03c2d83d3/detection documentprotect.live documentprotect.pro # Reference: https://twitter.com/h2jazi/status/1373985591814197250 # Reference: https://www.virustotal.com/gui/file/09b83a501b8f919fc4861735097dd50957f21e81209d362b4fa425bd3348a495/detection cloudshare.jumpshare.vip # Reference: https://twitter.com/HONKONE_K/status/1374178555634933762 # Reference: https://www.virustotal.com/gui/file/66e96fbd6e977ddef3f0a2924978d92e5d67bd96e68dc4832f5041dbd40bcfc9/detection # Reference: https://www.virustotal.com/gui/file/e087d06c552aeef36c2ba9fdd14b06fca499f2d37dfea21e480a02a748b19bf1/detection antcapital.us document.antcapital.us protect.antcapital.us # Reference: https://twitter.com/DrN1ght/status/1374026917343543301 chemistryworld.us coinbigex.com innoenergy.info mclland.com qooqle.download # Reference: https://twitter.com/h2jazi/status/1375528365587894272 # Reference: https://www.virustotal.com/gui/file/2fdba1e332203ca0d01992b137ebeaa1f21f7c3daec7230e6b8a4d36182caed4/detection sanlorenzoyacht.com/newsl/uploads/docs/ # Reference: https://twitter.com/ShadowChasing1/status/1377610488830291973 # Reference: https://twitter.com/ShadowChasing1/status/1377628563000594433 toysbagonline.com purewatertokyo.com pinkgoat.com yellowlion.com salmonrabbit.com bluecow.com # Reference: https://twitter.com/darktracer_int/status/1380309710721622016 # Reference: https://www.welivesecurity.com/2021/04/08/are-you-afreight-dark-watch-out-vyveva-new-lazarus-backdoor/ # Reference: https://otx.alienvault.com/pulse/60739323ef1b2b3a187f0f15 4bjt2rceijktwedi.onion cwwpxpxuswo7b6tr.onion # Reference: https://twitter.com/fr0s7_/status/1381328726819020804 # Reference: 
https://www.virustotal.com/gui/file/e514d83d2aaa1357b34f5f11ecc35afe10b6240796e085977e9d4a56145bb8b3/detection protectoffice.club # Reference: https://twitter.com/ShadowChasing1/status/1382514587589742597 # Reference: https://www.virustotal.com/gui/file/f1eed93e555a0a33c7fef74084a6f8d06a92079e9f57114f523353d877226d72/detection jinjinpig.co.kr/Anyboard/skin/board.php mail.namusoft.kr/jsp/user/eam/board.jsp # Reference: https://www.group-ib.com/blog/btc_changer luxmodelagency.com/wp-incluses/random_compat/zeus/wongs/wongs.php /random_compat/zeus/wongs/wongs.php /zeus/wongs/wongs.php