# Copyright (c) 2014-2023 Maltrail developers (https://github.com/stamparm/maltrail/) # See the file 'LICENSE' for copying permission # Aliases: apt-c-26, dangerous passwords, hidden cobra, guardians of peace, zinc, nickel academy, manuscrypt, applejeus # Reference: https://cdn.securelist.com/files/2017/04/Lazarus_Under_The_Hood_PDF_final.pdf exbonus.mrbasic.com movis-es.ignorelist.com tradeboard.mefound.com update.toythieves.com sap.misapor.ch # Reference: https://securelist.com/operation-applejeus/87553/ celasllc.com 185.142.236.226 185.142.239.173 196.38.48.121 80.82.64.91 # Reference: https://www.alienvault.com/blogs/labs-research/malicious-documents-from-lazarus-group-targeting-south-korea tpddata.com itaddnet.com wifispeedcheck.net coinoen.org coinmaketcape.com bitfiniex.org apshenyihl.com/include/arc.speclist.class.php ap8898.com/include/arc.search.class.php anlway.com/include/arc.search.class.php tpddata.com/skins/skin-8.thm tpddata.com/skins/skin-6.thm 168wangpi.com/include/charset.php ando.co.kr/service/s_top.asp ansetech.co.kr/smarteditor/common.asp mileage.krb.co.kr/common/db_conf.asp 028xmz.com/include/common.php 33cow.com/include/control.php 51up.com/ace/main.asp 530hr.com/data/common.php 97nb.net/include/arc.sglistview.php marmarademo.com/include/extend.php paulkaren.com/synthpop/main.asp shieldonline.co.za/sitemap.asp # Reference: https://www.flashpoint-intel.com/blog/disclosure-chilean-redbanc-intrusion-lazarus-ties/ # Reference: https://twitter.com/KevinPerlow/status/1083759627714682880 # Reference: https://twitter.com/Bank_Security/status/1107543887462064128 # Reference: https://www.hybrid-analysis.com/sample/7646c2afbc8b9719b0295e5a880bb89fb85bdd4346603a52768b161eda12e8be/5c8a414a0388381b3f329926 # Reference: https://www.virustotal.com/gui/file/7646c2afbc8b9719b0295e5a880bb89fb85bdd4346603a52768b161eda12e8be/detection # Reference: https://twitter.com/ClearskySec/status/1084463729633316864 bodyshoppechiropractic.com drupdate.club ecombox.store /tbl_add.php # Reference: https://otx.alienvault.com/pulse/5c8b8e19261a7451de02bf60/ http://37.238.135.70/img/anan.jpg # Reference: https://otx.alienvault.com/pulse/5c9a4d9f90726d0988873a2b # Reference: https://securelist.com/cryptocurrency-businesses-still-being-targeted-by-lazarus/90019/ dev.microcravate.com nzssdm.com bluecreekrobotics.com/wp-includes/common.php dev.microcravate.com/wp-includes/common.php dev.whatsyourcrunch.com/wp-includes/common.php enterpriseheroes.com.ng/wp-includes/common.php hrgp.asselsolutions.com/wp-includes/common.php baseballcharlemagnelegardeur.com/wp-content/languages/common.php bogorcenter.com/wp-content/themes/index2.php eventum.cwsdev3.bi.com/wp-includes/common.php streamf.ru/wp-content/index2.php towingoperations.com/chat/chat.php vinhsake.com/wp-content/uploads/index2.php tangowithcolette.com/pages/common.php # Reference: https://twitter.com/blackorbird/status/1110750919082147842 # Reference: https://blog.alyac.co.kr/2219 alahbabgroup.com http://47.91.56.21/verify.php http://103.225.168.159/admin/verify.php # Reference: https://twitter.com/blackorbird/status/1111449536910680065 wb-bot.org wb-invest.net # Reference: https://twitter.com/KevinPerlow/status/1136994848341409792 sbackservice.com # Reference: https://twitter.com/navSi16/status/1148192534654439426 # Reference: https://otx.alienvault.com/pulse/5d24562845fe64e37ffc46a7 sensationalsecrets.com/js/left.php # Reference: https://twitter.com/blackorbird/status/1148843702690832385 194.45.8.41:443 # Reference: https://twitter.com/bad_packets/status/1148864469486854144 # Reference: https://pastebin.com/G0Ad5Ut6 http://178.128.253.67/tbl_add.php # Reference: https://twitter.com/RedDrip7/status/1148887458152472576 byucksanpaint.com/community/com_gon_open.asp # Reference: https://otx.alienvault.com/pulse/5d2c64b174175b03e7db85cd http://103.53.176.145:8080/ServiceDeskPlus/products.do http://111.68.126.155:8080/ServiceDeskPlus/products.do http://137.117.57.244:8080/ServiceDeskPlus/products.do chanbang.co.kr/board/check.asp chanbang.co.kr/family/check.asp chanbang.co.kr/gonggu/upload.asp difa.or.kr/common/asp/inc_Comn.asp edenenc.co.kr/Report/RptMyReport.asp egreenland.co.kr/cheditor2/example/newpost.asp hanbook.co.kr/partnershop/hanmail_ep.asp img.kindermom.co.kr/frameart/print/footer.mov kgsa1015.co.kr/upload/member/member.asp rodaxsankyokorea.com/upload/favicon/favicon.asp sinokor-eng.com/sub/sub01_09.asp # Reference: https://otx.alienvault.com/pulse/5d2dca0a1c7d00fa07be15e5 byucksanpaint.com/community/com_gon_open.asp byucksanpaint.com/main/main4.asp keyang.co.kr/pub/editor/wa_path.asp upload.childu.co.kr/include/OnlyOne1.asp # Reference: https://twitter.com/cyberwar_15/status/1152035187196223488 lavaandstone.com/wp-content/plugins/fusion-core/about.php sales.alitho.com/wp-content/themes/sketch/about.php amytanathorn.com/wp-admin/includes/about.php # Reference: https://twitter.com/cyberwar_15/status/1153123863435214848 rhythm86.com/wp-content/themes/twentysixteen/about.php cabba-cacao.com/wp-content/themes/integral/about.php 3x-tv.com/plugins/editors/about.php # Reference: https://twitter.com/KorbenD_Intel/status/1158479283549089792 # Reference: https://www.virustotal.com/gui/file/3bba04f277e7f51a5500f7b144fdbd851954e4f94bb0290e49fc63f6fc807321/detection policyupdates.info # Reference: https://twitter.com/cyberwar_15/status/1166282138179624960 # Reference: https://twitter.com/navSi16/status/1166287915959214080 youdermoscopy.org/media/fly.avi youdermoscopy.org/media/fly312.avi # Reference: https://blog.alyac.co.kr/2500 (Korean) # Reference: https://otx.alienvault.com/pulse/5d6940cb9e719255258969f5 alnagm-press.com/wp-content/plugins/cloudflare/list.php elsouq.org/aramex/left.php swedishmassageamsterdam.nl/wp-content/themes/top.php # Reference: https://twitter.com/cyberwar_15/status/1175940165425958912 http://158.69.57.135 http://92.222.106.229 # Reference: https://securelist.com/my-name-is-dtrack/93338/ # Reference: https://unit42.paloaltonetworks.com/inside-tdrop2-technical-analysis-of-new-dark-seoul-malware/ # Reference: https://otx.alienvault.com/pulse/5d88b31dea7f4b9d4701d7e8 # Reference: https://www.virustotal.com/gui/file/fe51590db6f835a3a210eba178d78d5eeafe8a47bf4ca44b3a6b3dfb599f1702/detection # Reference: https://www.virustotal.com/gui/file/58fef66f346fe3ed320e22640ab997055e54c8704fc272392d71e367e2d1c2bb/detection katawaku.jp/bbs/data/theme/profile2.php materialindia.in totalmateria.net cyberub.com/board/icon/template/template_ro.php /gallery/profile2.php /theme/profile2.php /wp/profile2.php # Reference: https://twitter.com/KseProso/status/1178580006047539200 heromessi.com/wp-public/career/car_add.php # Reference: https://github.com/advanced-threat-research/IOCs/blob/master/2018/2018-02-12-lazarus-resurfaces-targets-global-banks-bitcoin-users/lazarus-resurfaces-targets-global-banks-bitcoin-users.csv deltaemis.com # Reference: https://github.com/advanced-threat-research/IOCs/blob/master/2017/2017-11-20-android-malware-appears-linked-to-lazarus-cybercrime-group/android-malware-appears-linked-to-lazarus-cybercrime-group.csv vmware-probe.zol.co.zw # Reference: https://app.any.run/tasks/01497f45-7fba-4356-bbdc-4270e51c2465/ # Reference: https://twitter.com/Rmy_Reserve/status/1181528617374777344 # Reference: https://www.alienvault.com/blogs/labs-research/malicious-documents-from-lazarus-group-targeting-south-korea gp-core.com gp-main.com # Reference: https://twitter.com/VK_Intel/status/1182722604240719872 # Reference: https://objective-see.com/blog/blog_0x49.html (# AppleJeus) 185.228.83.32:443 beastgoc.com /grepmonux.php # Reference: https://twitter.com/kyleehmke/status/1184120287199223808 # Reference: https://www.virustotal.com/gui/ip-address/185.228.83.129/relations dev.jmttrading.org # Reference: https://twitter.com/RedDrip7/status/1186562944311517184 # Reference: https://blog.alyac.co.kr/2388 (Korean) # Reference: https://twitter.com/RedDrip7/status/1186562944311517184 # Reference: https://otx.alienvault.com/pulse/5db06ad90686f3bad959d7fc crabbedly.club craypot.live czinfo.club indagator.club pegasusco.net smilekeepers.co # Reference: https://twitter.com/0xD0CF11E0A1B11/status/1187264570861076481 thevagabondsatchel.com/wp-content/uploads/2019/09/public.avi juliesoskin.com/includes/common/list.php necaled.com/modules/applet/list.php valentinsblog.de/wp-admin/includes/list.php # Reference: https://twitter.com/blackorbird/status/1187619261612609536 # Reference: https://www.fortinet.com/blog/threat-research/deep-analysis-nukesped-rat.html # Reference: https://www.virustotal.com/gui/ip-address/218.255.24.226/relations 119.18.230.253:443 218.255.24.226:443 # Reference: https://twitter.com/Rmy_Reserve/status/1188235835956551680 # Reference: https://app.any.run/tasks/42c972b1-ec38-4637-9354-9de930ff50b2/ curiofirenze.com # Reference: https://twitter.com/blackorbird/status/1202177008572092417 unioncrypto.vip # Reference: https://blog.netlab.360.com/dacls-the-dual-platform-rat/ 107.172.197.175:443 172.93.201.219:443 192.210.213.178:443 198.180.198.6:443 209.90.234.34:443 23.227.196.116:443 23.227.199.53:443 23.254.119.12:443 23.81.246.179:443 37.72.175.179:443 64.188.19.117:443 74.121.190.121:443 # Reference: https://securelist.com/operation-applejeus-sequel/95596/ # Reference: https://otx.alienvault.com/pulse/5e15b526b4f8bc605744ad76 aeroplans.info beastgoc.com buckfast-zucht.de chainfun365.com cyptian.com invesuccess.com jmttrading.org mydealoman.com private-kurier.com unioncrypto.vip wb-bot.org wb-invest.net wfcwallet.com # Reference: https://github.com/advanced-threat-research/IOCs/blob/master/2018/2018-03-08-hidden-cobra-targets-turkish-financial-sector-new-bankshot-implant/hidden-cobra-targets-turkish-financial-sector-new-bankshot-implant.csv falcancoin.io # Reference: https://labs.sentinelone.com/dprk-hidden-cobra-update-north-korean-malicious-cyber-activity/ # Reference: https://www.us-cert.gov/ncas/analysis-reports/ar20-045d # Reference: https://www.us-cert.gov/ncas/analysis-reports/ar20-045e # Reference: https://www.us-cert.gov/ncas/analysis-reports/AR19-100A # Reference: https://www.us-cert.gov/ncas/analysis-reports/ar20-045b # Reference: https://www.us-cert.gov/ncas/analysis-reports/ar20-045a # Reference: https://www.us-cert.gov/ncas/analysis-reports/ar20-045f 94.177.123.138:8088 193.56.28.103:88 197.211.212.59:7443 181.39.135.126:7443 112.175.92.57:443 81.94.192.147:443 21.252.107.198:23164 70.224.36.194:59681 113.114.117.122:23397 47.206.4.145:59067 84.49.242.125:17770 26.165.218.44:2248 137.139.135.151:64694 97.90.44.200:37120 128.200.115.228:52884 186.169.2.237:65292 188.165.37.168:80 159.100.250.231:80 159.100.250.231:8080 107.6.12.135:443 210.202.40.35:443 # Reference: https://twitter.com/AffableKraut/status/1234726033930248198 74.121.190.140:8443 # Reference: https://twitter.com/RedDrip7/status/1254678135133442048 # Reference: https://ti.qianxin.com/blog/articles/analysis-of-lazarus-apt-targeted-attack-against-south-korea-using-new-crown-outbreak-bait/ # Reference: https://www.virustotal.com/gui/domain/teslacontrols.ir/relations afuocolento.it/wp-admin/network/server_test.php kingsvc.cc mbrainingevents.com/wp-admin/network/server_test.php sofa.rs/wp-admin/network/server_test.php sofa.rs/wp-content/themes/twentynineteen/sass/layout/h1.jpg teslacontrols.ir/wp-includes/images/detail31.jpg teslacontrols.ir/wp-includes/images/detail32.jpg /wp-admin/network/server_test.php # Reference: https://twitter.com/cyberwar_15/status/1254736896330133504 matteoragazzini.it/wp-content/uploads/2017/06/category.php # Reference: https://twitter.com/DeadlyLynn/status/1257504361577496576 # Reference: https://twitter.com/ShadowChasing1/status/1257511608189743105 astedams.it/uploads/template/17.dotm astedams.it/include/inc-elenco-offerter.asp # Reference: https://twitter.com/spider_girl22/status/1258224278194941953 astedams.it/uploads/frame/61.dotm # Reference: https://objective-see.com/blog/blog_0x57.html # Reference: https://blog.malwarebytes.com/threat-analysis/2020/05/new-mac-variant-of-lazarus-dacls-rat-distributed-via-trojanized-2fa-app/ # Reference: https://otx.alienvault.com/pulse/5eb2fabf6c26a287f705ca20 185.62.58.207:443 67.43.239.146:443 # Reference: https://github.com/StrangerealIntel/CyberThreatIntel/blob/master/North%20Korea/APT/Lazarus/2020-05-05/Analysis.md#IOC # Reference: https://github.com/StrangerealIntel/CyberThreatIntel/blob/master/North%20Korea/APT/Lazarus/2020-05-05/CSV/IOC-Lazarus_2020_05_05.csv # Reference: https://www.virustotal.com/gui/file/1b0c82e71a53300c969da61b085c8ce623202722cf3fa2d79160dac16642303f/behavior/VMRay # Reference: https://www.virustotal.com/gui/file/66e5371c3da7dc9a80fb4c0fabfa23a30d82650c434eec86a95b6e239eccab88/behavior/QiAnXin%20RedDrip 51.77.65.154:443 192.169.250.185:443 sanlorenzoyacht.com/newsl/uploads/docs/43.dotm elite4print.com/admin/order/batchPdfs.asp od.lk/d/MzBfMjA1Njc0ODdf/pubmaterial.dotm # Reference: https://twitter.com/cyberwar_15/status/1264353716930412544 # Reference: https://www.virustotal.com/gui/file/e637c86ae20a7f36a0ad43618b00c48f47b5591a03af3fb689a16c45afa43733/detection # Reference: https://www.virustotal.com/gui/file/d3a402458682c4febacc6ae4bc98e15e92142603a97d51316eeee9e8bca77f88/detection depts.washington.edu/dswkshp/wordpress/wp-content/themes/twentyfifteen/inc/io/ # Reference: https://twitter.com/spider_girl22/status/1265486116393713665 anca-aste.it/uploads/form/boeing_spectrolab_logo.jpg # Reference: https://twitter.com/cyberwar_15/status/1265266629044080642 # Reference: https://asec.ahnlab.com/1323 (Korean) mokawafm.com/wp-content/plugins/ckeditor-for-wordpress/ckeditor/plugins/image/dialog.php sixbitsmedia.com/wp-content/uploads/wp-logs/category.php # Reference: https://twitter.com/ShadowChasing1/status/1267431134662541317 fudcitydelivers.com sctemarkets.com # Reference: https://twitter.com/IntezerLabs/status/1268158680593313794 threegood.cc # Reference: https://twitter.com/ccxsaber/status/1268020350605910016 coingotrade.com kupaywallet.com # Reference: https://twitter.com/Vishnyak0v/status/1269635930878545922 bluemoonresearch.org fitnessdirector.net # Reference: https://twitter.com/RedDrip7/status/1270201358721769475 paghera.com/include/inc-main-default-news.asp # Reference: https://twitter.com/ShadowChasing1/status/1270728525926944768 ne-ba.org/files/gallery/img/img.asp # Reference: https://twitter.com/MBThreatIntel/status/1270741821560406019 160.20.147.253:8443 audiopodcasts.co/verify.php lastedforcast.com/list.php # Reference: https://twitter.com/spider_girl22/status/1275366600560873473 # Reference: https://www.virustotal.com/gui/file/0fa91cac5712cfc0848af092190fd3d09948f1a7750547f0f16d1867dac6288a/detection thestreetsmartsalesman.com/wp-content/uploads/wp-logs/category.php # Reference: https://twitter.com/JAMESWT_MHT/status/1275396942139469824 # Reference: https://app.any.run/tasks/5ddb7e93-bfc8-49a9-bd52-6b70f57c3846/ scertodisha.nic.in/wp-content/plugins/photo-gallery/admin/controllers/Photo.php haciendasacchich.com/wp-content/plugins/photo-gallery/admin/views/404.php annafalkenau.com/awstats/data/upload.php # Reference: https://blog.reversinglabs.com/blog/hidden-cobra # Reference: https://otx.alienvault.com/pulse/5ef2252af73ae43d92eecd15 1688dsj.com amytanathorn.com ccsnbao.com fmose.com fudcitydelivers.com lavaandstone.com sctemarkets.com vns1389.com # Reference: https://twitter.com/ShadowChasing1/status/1276324740878102529 anca-aste.it/uploads/form/boeing_spe_leos_logo.jpg # Reference: https://twitter.com/JAMESWT_MHT/status/1276471822217891840 # Reference: https://app.any.run/tasks/109752e9-2c7f-4d5c-9c3f-300bddc4c0db/ down.1230578.com # Reference: https://twitter.com/felixaime/status/1280053007036624896 # Reference: https://sansec.io/research/north-korea-magecart # Reference: https://www.bleepingcomputer.com/news/security/north-korean-hackers-linked-to-credit-card-stealing-attacks-on-us-stores/ # Reference: https://www.virustotal.com/gui/file/a6c803d7a185f896a6c90f78891c5dbb904df3535825764e05432641ab059fb1/detection areac-agr.com papers0urce.com # Reference: https://twitter.com/gwillem/status/1281128245052805120 focuscamere.com # Reference: https://twitter.com/patrickwardle/status/1286109626941845504 # Reference: https://securelist.com/mata-multi-platform-targeted-malware-framework/97746/ 104.232.71.7:443 107.172.197.175:443 108.170.31.81:443 111.90.146.105:443 111.90.148.132:443 172.81.132.41:443 172.93.184.62:443 172.93.201.219:443 185.62.58.207:443 192.210.239.122:443 198.180.198.6:443 209.90.234.34:443 216.244.71.233:443 23.227.199.53:443 23.227.199.69:443 23.254.119.12:443 67.43.239.146:443 68.168.123.86:443 # Reference: https://twitter.com/cyberwar_15/status/1287291019537473538 nextlevelliving.pro/wp-content/uploads/js_composer/images/8c206b81-f5b1-4242-84d3-237ce728ff35.php # Reference: https://twitter.com/AnonySecAgency/status/1290115260116897792 # Reference: https://www.virustotal.com/gui/file/40273d18abc0d623a1798766e0d388f2f46bfa7ad535cad46098a5262382fa13/detection publishapp.co # Reference: https://twitter.com/RedDrip7/status/1293462469214531584 # Reference: https://www.virustotal.com/gui/file/b0921142f8d3067c8253931977999a5092470ff3e562586d87af68c28ec66a99/detection unsunozo.org/include/notes/notes.asp # Reference: https://blogs.jpcert.or.jp/en/2020/08/Lazarus-malware.html # Reference: https://otx.alienvault.com/pulse/5f4d20e8d417f271a62e0aeb gestao.simtelecomrs.com.br/sac/digital/client.jsp sac.onecenter.com.br/sac/masks/wfr_masks.jsp mk.bital.com.br/sac/Formule/Manager.jsp # Reference: https://twitter.com/IntezerLabs/status/1300403461809491969 # Reference: https://analyze.intezer.com/analyses/13d64c6e-6ac7-4888-a682-138a06cbaf16/ # Reference: https://www.virustotal.com/gui/file/390f9aae2dd5f0584106e3aa315bbd28a8c6479f126a4f13c7c3a62e19356634/detection 104.217.163.61:443 107.175.172.129:443 37.72.168.228:443 # Reference: https://twitter.com/ShadowChasing1/status/1302180729174937600 fabianiarte.com/uploads/imgup/21it-23792.jpg # Reference: https://blogs.jpcert.or.jp/en/2020/09/BLINDINGCAN.html # Reference: https://otx.alienvault.com/pulse/5f7389601681e32d5bf045f6 automercado.co.cr/empleo/css/main.jsp curiofirenze.com/include/inc-site.asp ne-ba.org/files/news/thumbs/thumbs.asp sanlorenzoyacht.com/newsl/include/inc-map.asp # Reference: https://twitter.com/h2jazi/status/1311644338812792833 # Reference: https://www.virustotal.com/gui/file/d2f1cccfe688c074c3d58ae8f7be7b10dbea5d7ae53320c3f7b6e48cd4f62955/detection phukien2a.net/images/images.zip.000 # Reference: https://blog.talosintelligence.com/2020/11/crat-and-plugins.html # Reference: https://otx.alienvault.com/pulse/5faf04431c479940b422288b teslacontrols.ir/wp-includes/images/detail31.jpg teslacontrols.ir/wp-includes/images/detail32.jpg sofa.rs/wp-content/themes/twentynineteen/sass/layout/h1.jpg publishapp.co/update/check.php sideforum.cc/forum/list.php freeforum.co/forum/list.php goodfriend.pro/projects/list.php friendship.me/users/register.php threegood.cc/api/manage/customers Engpro.xyz/images/detail.php infocop.me/products/list.php teamspit.pro/adverts/follow.php dodoi.cc/photos/preview.php advertapp.me/user/invite.php insideforum.me/forum/list.php anyoneforum.cc/forum/list.php goodproject.xyz/projects/list.php hellofriend.pro/users/register.php moonge.cc/wp-content/plugins/google-sitemap-generator/sitemap-builder-embed.php calculactcal.org/wp-content/themes/twentysixteen/body.php 3cuartos.com/wp-content/plugins/music-press-pro/templates/global/update.php worldfoodstory.co.uk/wp-includes/register.php bokkeriejesj.nl/wp-content/plugins/music-press-pro/upload.php encontrosmaracatu.com.br/wp-content/plugins/music-press-pro/templates/global/topmenu.php theblackout.fr/wp-content/plugins/music-press-pro/music-pro.php mokawafm.com/wp-content/plugins/ckeditor-for-wordpress/ckeditor/plugins/image/dialog.php tiramisu.it/wp-content/plugins/wp-comment-form.php kartacnictvi.cz/wp-content/plugins/ckeditor-for-wordpress/ckeditor/plugins/image/upload.php dimer-group.com/wp-content/plugins/ckeditor-for-wordpress/ckeditor/plugins/image/download.php ecolerubanvert.com/wp-content/plugins/image-intense/know.php lwac.com/wp-content/plugins/gallery-plugin/includes/demo-data/images/music/photo.php copansrl.it/wp-admin/user/invite.php arar-musique.fr/wp-content/plugins/music-press-pro/includes/admin/upgrade.php firstalliance.church/wp-content/plugins/music-press/templates/404.php erickeleo.com.br/wp-content/plugins/music-press-pro/go.php kingsvc.cc/index.php sofa.rs/wp-admin/network/server_test.php afuocolento.it/wp-admin/network/server_test.php mbrainingevents.com/wp-admin/network/server_test.php afuocolento.it/wp-includes/process.php # Reference: https://www.welivesecurity.com/2020/11/16/lazarus-supply-chain-attack-south-korea/ # Reference: https://otx.alienvault.com/pulse/5fb4044fd5f18831c24c6af6 cowp.or.kr/html/board/main.asp erpmas.co.kr/Member/franchise_modify.asp fored.or.kr/home/board/view.php gncaf.or.kr/cafe/cafe_board.asp gongsinet.kr/comm/comm_gongsi.asp goojoo.net/board/banner01.asp hsbutton.co.kr/bbs/bbs_write.asp hstudymall.co.kr/easypay/web/bottom.asp ikrea.or.kr/main/main_board.asp pcdesk.co.kr/Freeboard/mn_board.asp pgak.net/service/engine/release.asp quecue.kr/okproj/ex_join.asp style1.co.kr/main/view.asp wowpress.co.kr/customer/refuse_05.asp zndance.com/shop/post.asp # Reference: https://twitter.com/h2jazi/status/1334353120038678528 # Reference: https://www.virustotal.com/gui/file/c19064733f2a23f09c8b16b3847cceeac8f61488be57911cefceb75425501097/detection ilhak.co.kr/images/data/upload.asp ktri.or.kr/upload/mail/upload.asp warevalley.com/support/orange_open.asp # Reference: https://twitter.com/BitsOfBinary/status/1321488299932983296 # Reference: https://twitter.com/BitsOfBinary/status/1337330286787518464 # Reference: https://twitter.com/mg2_tracy1/status/1337335098224508928 # Reference: https://x.threatbook.cn/nodev4/vb4/article?threatInfoID=3051 admforte.com.br/wp-content/plugins/top.php dafnefonseca.com/wp-content/themes/top.php drei-schneeballen.de/wp-content/plugins/nextgen-gallery/view.php funny-pictures.picphotos.net/saint-louis-senior-photos-senior-pictures-seniors-st-louis-st-louis/upload.php greenvideo.nl/wp-content/themes/top.php haciendadeclarevot.com/wp-content/top.php justholdfast.com/doodle/wp-content/plugins/top.php qwerty.creativehonduras.com/wp-includes/class-wp-redirect.php shahrtdc.com/wp-content/plugins/top.php tag-cloud-photo.freeware.filetransit.com/login.php urbankizomba.se/wp-content/plugins/photo-gallery/filemanager/upload.php # Reference: https://otx.alienvault.com/pulse/5fd8dbfcfed23b6fa1393ea9 yakufreshperu.com/facturacion/public/css/main.php shikshakibaat.com/classes/detail.jsp sanlorenzoyacht.com/newsl/include/inc-map.asp paghera.com/content/view/thumb/info.asp lyzeum.com/popup/popup.asp index-consulting.jp/eng/news/index.php hansolhope.or.kr/welfare/notice/view.jsp forecareer.com/gdcareer/officetemplate-20nab.asp fidesarte.it/thumb/multibox/style/common.asp fabianiarte.com/uploads/imgup/21it-23792.jpg fabianiarte.com/pdf/thumbs/thumb.asp emilypress.com/CMWorking/Static/service/center.asp curiofirenze.com/include/inc-site.asp calculadoras.mx/themes/pack/pilot.php automercado.co.cr/empleo/css/main.jsp astedams.it/photos/image/image.asp arumdaunresort.com/admin/html/user/contact.asp apars-surgery.org/bbs/bbs_files/board_photo/menu.php anca-aste.it/uploads/form/02E319AF73A33547343B71D5CB1064BC.dotm vega.mh-tec.jp/.well-known/index.php turnscor.com/ACT/images/slide/view.jsp prestigein-am.jp/akita/wp-includes/wp-rss1.php genieaccount.com/images/common/common.asp acanicjquery.com/slides/style.php mannpublicwhseltd.com/cservice.asp hirokawaunso.co.jp/wordpress/wp-includes/review.php anisweb.org/layout/site/style/preview.jsp support.medicalinthecloud.com/TechCenter/include/slide.asp pennontraders.com/assets/slides/view.jsp indoweb.org/love/data/common/common.php admin.shcpa.co.kr/_asapro2/formmail/lib.php http://137.74.114.227/theveniaux/webliotheque/public/css/main.php http://125.206.177.152/old/viewer.php # Reference: https://twitter.com/BitsOfBinary/status/1339623925274296323 muzeyyengroup.com/wp-content/help.php puskesmas-terminal.com/wp-content/help.php zeandf.com/wp-content/help.php # Reference: https://securelist.com/lazarus-covets-covid-19-related-intelligence/99906/ # Reference: https://otx.alienvault.com/pulse/5fe36c30dbe6a83c04783415 bytecortex.com.br/eletronicos/digital.jsp client.livesistemas.com/Live/posto/system.jsp cometnet.biz/framework/common/common.asp gongim.com/board/ajax_Write.asp iski.silogica.net/events/serial.jsp k-kiosk.com/bbs/notice_write.asp kne.co.kr/upload/Customer/BBS.asp locknlockmall.com/common/popup_left.asp sac.najatelecom.com.br/sac/Dados/ntlm.jsp sistema.celllab.com.br/webrun/Navbar/auth.jsp # Reference: https://twitter.com/ShadowChasing1/status/1349924271791882247 # Reference: https://www.virustotal.com/gui/file/867c8b49d29ae1f6e4a7cd31b6fe7e278753a1ba03d4be338ed11fd1efc7dd36/detection # Reference: https://www.virustotal.com/gui/file/89b5e248c222ebf2cb3b525d3650259e01cf7d8fff5e4aa15ccd7512b1e63957/detection aideck.net # Reference: https://twitter.com/ShadowChasing1/status/1349927630183694339 creaideck.com/update/darwin64.bin # Reference: https://www.virustotal.com/gui/file/d09041e3d635ddb28540b11cf180a30a28fc04c2ee6e5d994aa0bacc9633e944/detection hpc.kau.ac.kr/rolling_banner/tmp4c5ae3.p3a hpc.kau.ac.kr/error2.php # Reference: https://twitter.com/BushidoToken/status/1353684625382641664 # Reference: https://www.virustotal.com/gui/ip-address/120.138.8.26/relations # Reference: https://www.virustotal.com/gui/file/cabb45c99ffd8dd189e4e3ed5158fac1d0de4e2782dd704b2b595db5f63e2610/detection # Reference: https://www.virustotal.com/gui/file/a9b3bc337043c04f529b2c19b3e33df1ad59bce27c074427e7b563db3a83c37b/detection # Reference: https://www.virustotal.com/gui/file/bdf9fffe1c9ffbeec307c536a2369eefb2a2c5d70f33a1646a15d6d152c2a6fa/detection advantims.com # Reference: https://twitter.com/ShadowChasing1/status/1353972356759187456 angeldonationblog.com # Reference: https://twitter.com/K_N1kolenko/status/1353975032104558592 # Reference: https://twitter.com/500mk500/status/1353992570519609344 # Reference: https://twitter.com/RedDrip7/status/1354038387603197952 # Reference: https://twitter.com/sS55752750/status/1354059524739653633 # Reference: https://twitter.com/vngkv123/status/1357247638228226053 # Reference: https://twitter.com/blackorbird/status/1357259907448229888 # Reference: https://mp.weixin.qq.com/s/2sV-DrleHiJMSpSCW0kAMg (Korean) # Reference: https://enki.co.kr/blog/2021/02/04/ie_0day.html (Korean) # Reference: https://blog.google/threat-analysis-group/new-campaign-targeting-security-researchers/ # Reference: https://www.microsoft.com/security/blog/2021/01/28/zinc-attacks-against-security-researchers/ # Reference: https://otx.alienvault.com/pulse/60103a3268891c63b1f24d74 # Reference: https://www.virustotal.com/gui/file/a75886b016d84c3eaacaf01a3c61e04953a7a3adf38acf77a4a2e3a8f544f855/detection # Reference: https://www.virustotal.com/gui/file/a08d24f74027256c6fd5c5a2fdb15b12889971fbdcfa7a28ffebbfe8b15aaefb/detection # Reference: https://www.virustotal.com/gui/file/9c906c2f3bfb24883a8784a92515e6337e1767314816d5d9738f9ec182beaf44/detection # Reference: https://www.virustotal.com/graph/embed/g4784ec032b3f4cb987a616f4b2dbc9aa9a982d9b20494f8980ae611a4ca3a1d8 angeldonationblog.com codebiogblog.com codevexillium.org investbooking.de krakenfolio.com opsonew3org.sg transferwiser.io transplugin.io blog.br0vvnn.io codevexillium.org/image/download/download.asp colasprint.com/_vti_log/upload.asp dronerc.it/forum/uploads/index.php dronerc.it/shop_testbr/Adapter/Adapter_Config.php dronerc.it/shop_testbr/Core/upload.php dronerc.it/shop_testbr/upload/upload.php edujikim.com/intro/blue/insert.asp fabioluciani.com/ae/include/constant.asp fabioluciani.com/es/include/include.asp loonsaloon.com/wp-content/plugins/revslider/hello.php transplugin.io/upload/upload.asp trophylab.com/notice/images/renewal/upload.asp # Reference: https://blogs.jpcert.or.jp/en/2021/01/Lazarus_malware2.html # Reference: https://otx.alienvault.com/pulse/601052e27a2c451b3ba5ed31 akramportal.org/public/voice/voice.php commodore.com.tr/mobiquo/appExtt/notdefteri/writenote.php fabianiarte.com/newsletter/arte/view.asp hirokawaunso.co.jp/wordpress/wp-includes/ID3/module.audio.mp4.php index-consulting.jp/eng/news/index.php inovecommerce.com.br/public/pdf/view.php ja-fc.or.jp/shop/shopping.php kenpa.org/yokohama/main.php leemble.com/5mai-lyon/public/webconf.php mail.clicktocareers.com/dev_clicktocareers/public/mailview.php scimpex.com/admin/assets/backup/requisition/requisition.php tronslog.com/public/appstore.php vega.mh-tec.jp/.well-known/index.php # Reference: https://twitter.com/Dashowl/status/1354264740692942848 trophylab.com/design/trophy/product/lmages/logo.png worldspia.kr/upload_images/inc/LOG.PHP # Reference: https://twitter.com/mattyb1512/status/1354070629469872129 ctrac.online # Reference: https://twitter.com/h2jazi/status/1362109944791764993 # Reference: https://www.virustotal.com/gui/file/0bc7517aa2f0c1820ced399bfd66b993f10ad77e8d72727b0f3dc1ca35cad7ba/detection # Reference: https://www.virustotal.com/gui/file/91eaf215be336eae983d069de16630cc3580e222c427f785e0da312d0692d0fd/detection # Reference: https://www.virustotal.com/gui/file/dcb232409c799f6ddfe4bc0566161c2d0b372db6095a0018e6059e34c2b79c61/detection kupaywallet.com levelframeblog.com dorusio.com/dorusio_update.php # Reference: https://twitter.com/ShadowChasing1/status/1362362744909930496 materialindia.in/wp/wp-main/gallery/profile2.php totalmateria.net/wp/profile2.php # Reference: https://securelist.com/lazarus-threatneedle/100803/ # Reference: https://otx.alienvault.com/pulse/6037c3cea83bb963f5be0d51/ http://156.245.16.55/admin/admin.asp americanhotboats.com/forums/core/cache/index.php astedams.it/photos/image/image.asp au-pair.org/admin/Newspaper.asp au-pair.org/admin/login.asp automercado.co.cr/empleo/css/main.jsp cloudarray.com/images/logo/videos/cache.jsp colasprint.com/_vti_log/upload.asp curiofirenze.com/include/inc-site.asp dellarocca.net/it/content/img/img.asp digitaldowns.us/artman/exec/upload.php djasw.or.kr/sub/popup/images/upfiles.asp docentfx.com/wp-admin/includes/upload.php dronerc.it/forum/uploads/index.php dronerc.it/shop_testbr/Adapter/Adapter_Config.php edujikim.com/intro/blue/view.asp edujikim.com/pay/sample/INIstart.asp edujikim.com/smarteditor/img/upload.asp fabioluciani.com/ae/include/constant.asp fabioluciani.com/es/include/include.asp forum.iron-maiden.ru/core/cache/index.php forum.snowreport.gr/cache/template/upload.php fredrikarnell.com/marocko2014/index.php geeks-board.com/blog/wp-content/uploads/2017/cache.php gonnelli.it/uploads/catalogo/thumbs/thumb.asp juvillage.co.kr/img/upload.asp kannadagrahakarakoota.org/forums/admincp/upload.php kbcwainwrightchallenge.org.uk/connections/dbconn.asp kwwa.org/DR6001/FN6006LS.asp kwwa.org/popup/160307/popup_160308.asp lyzeum.com/board/bbs/bbs_read.asp lyzeum.com/images/board/upload.asp martiancartel.com/forum/customavatars/avatars.php mdim.in.ua/core/cache/index.php newidealupvc.com:443/img/prettyPhoto/jquery.max.php polyboatowners.com/2010/images/BOTM/upload.php polyboatowners.com/css/index.php prototypetrains.com:443/forums/core/cache/index.php raiestatesandbuilders.com/admin/installer/installer/index.php roit.co.kr/xyz/mainpage/view.asp sanatoliacare.com/include/index.asp sanlorenzoyacht.com/newsl/include/inc-map.asp shinwonbook.co.kr/basket/pay/open.asp shinwonbook.co.kr/board/editor/upload.asp theforceawakenstoys.com/vBulletin/core/cache/upload.php waterdoblog.com/uploads/index.asp # Reference: https://twitter.com/AnonySecAgency/status/1366971633458548738 # Reference: https://twitter.com/ShadowChasing1/status/1366988046294376450 # Reference: https://www.virustotal.com/gui/file/03cd4ec3defa490e68b1ca2efaf8daea6f89d3cceed51c91f4c4f9e2222d258d/detection gcloud-share.com dshellelink.gcloud-share.com # Reference: https://twitter.com/c3rb3ru5d3d53c/status/1225581378840006656 (# DangerousPasswords) # Reference: https://pastebin.com/raw/cLWvyJ20 # Reference: https://twitter.com/Rmy_Reserve/status/1230881875767377920 # Reference: https://twitter.com/ShadowChasing1/status/1328208737933246464 # Reference: https://www.virustotal.com/gui/file/4c574c1a2b126c8a5ba1ef9560516d0ac9990c0253119f874eb084b57742e3d7/detection http://84.201.189.216 103.205.179.4:8080 amazonaws1.info gdrvup.xyz gmaildrive.site googleauth.pro googledriver.info googleupload.info liveonedrvshare.xyz secureshares.online gdriveupload.info # Reference: https://twitter.com/Rmy_Reserve/status/1246404220040802309 (# DangerousPassword) 88.204.166.59:8080 # Reference: https://twitter.com/ShadowChasing1/status/1339195498519875585 (# DangerousPassword) gdocshare.com # Reference: https://twitter.com/ShadowChasing1/status/1367368069618700291 # Reference: https://twitter.com/_re_fox/status/1260931809103101957 # Reference: https://twitter.com/_re_fox/status/1301564536575733760 # Reference: https://twitter.com/_re_fox/status/1301565785345863689 # Reference: https://twitter.com/mattnotmax/status/1370311682354941954 # Reference: https://twitter.com/cyber__sloth/status/1285510760303656960 # Reference: https://www.virustotal.com/gui/file/d287388e5ff978bf6f8af477460a9b76a74fdc33535e392b70e58176fc9ad805/detection # Reference: https://jsac.jpcert.or.jp/archive/2021/pdf/JSAC2021_302_kodera_jp.pdf (Japanese) # Reference: https://www.virustotal.com/gui/file/01184a5acb8b3ec56c9e90f2e6cd6673ae83b4fd6982e17329b33da2f77bcf5b/detection doc.gsheetshare.org docs.dsharefile.tech docs.gdriveshare.top drop.trailads.net dsharefile.tech gsheetshare.org filehost.network mdown.showprice.xyz mse.theworkpc.com name.ownemail.me newsbtctech.com ownemail.me share.onedrvfile.site shop.newsbtctech.com trailads.net up.digifincx.com up.myemail.works # Reference: https://twitter.com/ShadowChasing1/status/1339933511973699584 (# DangerousPassword) # Reference: https://www.virustotal.com/gui/file/c64e2993563345fd497cfc382de27c7791b4f172d2c50d79b6290c2f9c06102c/detection google-clouds.com # Reference: https://twitter.com/cyber__sloth/status/1344208175168368641 (# DangerousPassword) # Reference: https://twitter.com/cyber__sloth/status/1344208380525752321 (# DangerousPassword) addrcheck.corecheckmailsrv.com cloud-sheet.net cloud.optvers.net corecheckmailsrv.com digitalcurencygroup.co down.privatework.buzz fidelitydigitalsassets.com gdocshare.com goglestorage.com google-clouds.com googleproduct.org gsuiteshare.com msftoffice.com myemail.works official.googleproduct.org presentonline.xyz privatework.buzz sharesvr.net # Reference: https://twitter.com/h2jazi/status/1369305004922855431 # Reference: https://twitter.com/h2jazi/status/1369307165807280135 torgirf.ru/loginhome.css # Reference: https://twitter.com/h2jazi/status/1370024802791096320 # Reference: https://www.virustotal.com/gui/file/46fcbc170e84d8ad48434251421bd8f6fa49a7e741d2c24d31c170c607c60d51/detection # Reference: https://www.virustotal.com/gui/file/c8a8d2caa429a8bbe885ef8d59d982b4bfd9c48f1255ff69e3b81c6bbd7b2925/detection dronerc.it/shop_testbr/localization/dir_photoes/image.php dronerc.it/shop_testbr/localization/dir_photoes/logo.php # Reference: https://twitter.com/h2jazi/status/1354880834092859395 # Reference: https://www.virustotal.com/gui/ip-address/104.168.158.103/relations # Reference: https://www.virustotal.com/gui/file/aec3ced40a3451dc2c6b1704cc50b0e0c8e549faaa8ae42b6d6f421b4fc2ef8a/detection # Reference: https://www.virustotal.com/gui/file/e7a4d8b80dc653a47440db2a8deaf782109bb710e5d4311bc3d7685dba715865/detection # Reference: https://www.virustotal.com/gui/file/75d3d96033db529c9ae698ac6de8fba420c2daa5d97614d7118f49e03c2d83d3/detection documentprotect.live documentprotect.pro # Reference: https://twitter.com/h2jazi/status/1373985591814197250 # Reference: https://www.virustotal.com/gui/file/09b83a501b8f919fc4861735097dd50957f21e81209d362b4fa425bd3348a495/detection cloudshare.jumpshare.vip # Reference: https://twitter.com/HONKONE_K/status/1374178555634933762 # Reference: https://www.virustotal.com/gui/file/66e96fbd6e977ddef3f0a2924978d92e5d67bd96e68dc4832f5041dbd40bcfc9/detection # Reference: https://www.virustotal.com/gui/file/e087d06c552aeef36c2ba9fdd14b06fca499f2d37dfea21e480a02a748b19bf1/detection antcapital.us document.antcapital.us protect.antcapital.us # Reference: https://twitter.com/DrN1ght/status/1374026917343543301 chemistryworld.us coinbigex.com innoenergy.info mclland.com qooqle.download # Reference: https://twitter.com/h2jazi/status/1375528365587894272 # Reference: https://www.virustotal.com/gui/file/2fdba1e332203ca0d01992b137ebeaa1f21f7c3daec7230e6b8a4d36182caed4/detection sanlorenzoyacht.com/newsl/uploads/docs/ # Reference: https://twitter.com/ShadowChasing1/status/1377610488830291973 # Reference: https://twitter.com/ShadowChasing1/status/1377628563000594433 # Reference: https://securelist.com/dtrack-targeting-europe-latin-america/107798/ toysbagonline.com purewatertokyo.com pinkgoat.com purplebear.com yellowlion.com salmonrabbit.com bluecow.com # Reference: https://twitter.com/darktracer_int/status/1380309710721622016 # Reference: https://www.welivesecurity.com/2021/04/08/are-you-afreight-dark-watch-out-vyveva-new-lazarus-backdoor/ # Reference: https://otx.alienvault.com/pulse/60739323ef1b2b3a187f0f15 4bjt2rceijktwedi.onion cwwpxpxuswo7b6tr.onion # Reference: https://twitter.com/fr0s7_/status/1381328726819020804 # Reference: https://www.virustotal.com/gui/file/e514d83d2aaa1357b34f5f11ecc35afe10b6240796e085977e9d4a56145bb8b3/detection protectoffice.club # Reference: https://twitter.com/ShadowChasing1/status/1382514587589742597 # Reference: https://www.virustotal.com/gui/file/f1eed93e555a0a33c7fef74084a6f8d06a92079e9f57114f523353d877226d72/detection jinjinpig.co.kr/Anyboard/skin/board.php mail.namusoft.kr/jsp/user/eam/board.jsp # Reference: https://www.group-ib.com/blog/btc_changer luxmodelagency.com/wp-incluses/random_compat/zeus/wongs/wongs.php /random_compat/zeus/wongs/wongs.php /zeus/wongs/wongs.php # Reference: https://twitter.com/ShadowChasing1/status/1384016097494507521 # Reference: https://twitter.com/cyberwar_15/status/1384462513249546244 # Reference: https://www.virustotal.com/gui/file/79e15cc02c6359cdb84885f6b84facbf91f6df1254551750dd642ff96998db35/detection ddjm.co.kr/bbs/icon/skin/skin.php snum.or.kr/skin_img/skin.php # Reference: https://www.virustotal.com/gui/file/6d2ecc3b0a43f0c377ea6d9a68aa5ac0d48635a04219264fb0702976efea8ef6/detection http://121.146.68.233/fileserver/temp/platform.asp http://121.254.224.218/angkor.ylw.common.fileserviceserver/web/document/netframework.asp codibest.com/data/geditor/main_1.php gbflatinamerica.com myungokhun.co.kr/_proc/member/member_bk.asp /angkor.ylw.common.fileserviceserver/web/document/netframework.asp /data/geditor/main_1.php /fileserver/temp/platform.asp # Reference: https://www.ptsecurity.com/ww-en/analytics/pt-esc-threat-intelligence/lazarus-recruitment/ # Reference: https://otx.alienvault.com/pulse/608af383c5be4591c5da02e5 akramportal.org/delv/public/voice/voice.php apars-surgery.org/bbs/bbs_files/board_blog/write.php bootcamp-coders.cnm.edu ctevt.org.np/ctevt/public/frontend/review.php forecareer.com/gdcareer/officetemplate-20nab.asp gbflatinamerica.com/file/filelist.php goldllama4.sakura.ne.jp hospitality-partners.co.jp/works/performance/consumer.php inovecommerce.com.br/public/pdf/view.php mail.clicktocareers.com/public/jobapplications/jdviewer.php propro.jp/wp-content/documents/docsmgmt.php vega.mh-tec.jp/.well-known/gallery/siteview.php # Reference: https://www.virustotal.com/gui/file/610047be0b2360d609baa71be22ddc5814743868886f8d85ab9985d3f01229d6/detection mappo-on.life help.mappo-on.life # Reference: https://www.virustotal.com/gui/file/27bfac11c1f9184b515fbf5fcd946e921c95506f89eb273e148fcf0068e50932/detection octo-manage.net help.octo-manage.net # Reference: https://twitter.com/ShadowChasing1/status/1391981731394187266 # Reference: https://www.virustotal.com/gui/file/a0d070b66408654cdcb84784e77914dc355a23c81e3e6ef36362470619c4de96/detection http://45.61.136.204 googledocpage.com # Reference: https://twitter.com/ShadowChasing1/status/1393356174506921985 # Reference: https://www.virustotal.com/gui/file/8e1746829851d28c555c143ce62283bc011bbd2acfa60909566339118c9c5c97/detection allgraphicart.com # Reference: https://twitter.com/ShadowChasing1/status/1397768682776895491 # Reference: https://www.virustotal.com/gui/file/8d48a77e7a4b8c824d8c1b890dc3e2b904e6fa8fbe8dae1a22f5870916c01c20/detection sslsharecloud.net dev.sslsharecloud.net # Reference: https://twitter.com/ShadowChasing1/status/1398468263818928136 ewha-ac.ml # Reference: https://twitter.com/ShadowChasing1/status/1399369260577681426 # Reference: https://www.virustotal.com/gui/file/4059fea324e27cfbd4955f37dc7791709dbf35a800449373c6715bc53b88f7c5/detection amene.homepc.it # Reference: https://twitter.com/360CoreSec/status/1402920149754155010 # Reference: https://www.virustotal.com/gui/file/294acafed42c6a4f546486636b4859c074e53d74be049df99932804be048f42c/detection # Reference: https://www.virustotal.com/gui/file/3b33b0739107411b978c3cbafb312a44b7488bd7adabae3e7b02059240b6dc83/detection shopweblive.com # Reference: https://twitter.com/h2jazi/status/1406401709157629952 # Reference: https://twitter.com/ShadowChasing1/status/1406592585796177924 # Reference: https://securelist.com/andariel-evolves-to-target-south-korea-with-ransomware/102811/ # Reference: https://www.virustotal.com/gui/file/5c2f339362d0cd8e5a8e3105c9c56971087bea2701ea3b7324771b0ea2c26c6c/detection allamwith.com/home/mobile/list.php conkorea.com/cshop/banner/list.php ddjm.co.kr/bbs/icon/skin/skin.php hivekorea.com/jdboard/member/list.php jinjinpig.co.kr/Anyboard/skin/board.php mail.namusoft.kr/jsp/user/eam/board.jsp mail.neocyon.com/jsp/user/sms/sms_recv.jsp mail.sisnet.co.kr/jsp/user/sms/sms_recv.jsp snum.or.kr/skin_img/skin.php /jsp/user/sms/sms_recv.jsp # Reference: https://twitter.com/360CoreSec/status/1405790277034418177 # Reference: https://www.virustotal.com/gui/file/35a39299c47bc701dbe7cb72fcb695d08eb2095d1a5b8b7942d3034d16435e89/detection # Reference: https://www.virustotal.com/gui/file/382a209ce5745c85507b0bd80b87496ad92128e6870199d0c33d6ddedc542dd1/detection # Reference: https://www.virustotal.com/gui/file/f78cabf7a0e7ed3ef2d1c976c1486281f56a6503354b87219b466f2f7a0b65c4/detection 185.208.158.204:443 193.56.28.251:443 # Reference: https://twitter.com/ShadowChasing1/status/1405515076149284870 # Reference: https://www.virustotal.com/gui/file/4c4cc3abd3ddb15d5306fb647c6d779b18df5b949673bb3f3f87faa2c5f56a6a/detection authenticate.azure-drive.com # Reference: https://twitter.com/ShadowChasing1/status/1407993219720224771 elwoodasset.xyz sharemanage.elwoodasset.xyz # Reference: https://twitter.com/360CoreSec/status/1410127120177635328 52.202.193.124:443 # Reference: https://twitter.com/fr0s7_/status/1402394083331559431 # Reference: https://twitter.com/Jup1a/status/1402470227292561412 # Reference: https://www.virustotal.com/gui/file/1939d9fdcf831dc4cac001ba193669c75a336258bc99a1775471554229e4a69b/detection azure-drive.com download.azure-drive.com protect.azure-drive.com # Reference: https://medium.com/s2wlab/analysis-of-lazarus-malware-abusing-non-activex-module-in-south-korea-7d52b9539c12 # Reference: https://otx.alienvault.com/pulse/60e6d2a6786d43397db19bc7 grandgolf.co.kr/html/facilities/facilities_01_06.asp kdone.co.kr/Utils/EmailUtil.asp namchuncheon.co.kr/admin/BookAppl/Search_left.asp # Reference: https://twitter.com/ShadowChasing1/status/1412934665292316677 # Reference: https://twitter.com/ShadowChasing1/status/1412953330700062726 http://95.179.235.55 sharebusiness.xyz signverydn.sharebusiness.xyz # Reference: https://twitter.com/ShadowChasing1/status/1412932935523573760 # Reference: https://www.virustotal.com/gui/file/8afdf8513a6e3bede16187004daccc95e193a29062415d9ba0c29b98a5a927d1/detection devprocloud.com share.devprocloud.com # Reference: https://mp.weixin.qq.com/s/y-SHoh9f5qwAwqml3uf8vw # Reference: https://otx.alienvault.com/pulse/60f930c9c1a69acdb28adea6 smartaudpor.com # Reference: https://twitter.com/h2jazi/status/1445596955552272389 gozdeelektronik.net/wp-content/themes/0111/ # Reference: https://twitter.com/s1ckb017/status/1447476954639347712 # Reference: https://www.virustotal.com/gui/file/cf10c1cad090ab31d9e579df3bd22f3d0653792cb010e1d6ac0e2cd1ced52076 digitalguarder.com # Reference: https://twitter.com/h2jazi/status/1455601350222417926 # Reference: https://www.virustotal.com/gui/file/8562f6b2a95963f076f7bc6ff00401d96656eafda1cfad3af53b3e3b99ae6452/detection mantis.linkundlink.de /logs/officetemplate.php # Reference: https://twitter.com/ESETresearch/status/1458438169502826508 # Reference: https://www.virustotal.com/gui/ip-address/45.147.231.213 # Reference: https://www.virustotal.com/gui/file/fe80e890689b0911d2cd1c29196c1dad92183c40949fe6f8c39deec8e745de7f/detection devguardmap.org navercorpservice.com # Reference: https://twitter.com/ShadowChasing1/status/1455489336850325519 # Reference: https://www.virustotal.com/gui/file/65b5709f67bb0fac31ec977f98cda6f89f4b38703ee5aeef0b633c33669ea88a/detection thetalkingcanvas.com/jobs/en-gb/jobs/9/details.php # Reference: https://twitter.com/h2jazi/status/1462832390632583168 # Reference: https://www.virustotal.com/gui/file/c12a0565ea1c59d7c2b73e9c022604dbc827980df58ede7ce42d648f9dd4e096 ditijindal.com/wp-content/gallery/services/globalcareers/12849/jobs/gallery.php # Reference: https://twitter.com/ShadowChasing1/status/1465998017836707840 # Reference: https://twitter.com/ShadowChasing1/status/1465998020734898176 http://152.89.247.236 silvergatehr.com ny.silvergatehr.com /5Ek9724mz8oncul8Zx7E7CVDCdBNxuFFUO6pLk/ # Reference: https://twitter.com/k3yp0d/status/1468485748269662208 # Reference: https://app.any.run/tasks/ff306f89-64d4-4d30-8b72-7c0be0b1f9fb/ cloudplus.one drive.cloudplus.one # Reference: https://twitter.com/h2jazi/status/1462832390632583168 # Reference: https://www.virustotal.com/gui/file/c12a0565ea1c59d7c2b73e9c022604dbc827980df58ede7ce42d648f9dd4e096/detection aditijindal.com/wp-content/gallery/services/globalcareers/12849/jobs/gallery.php # Reference: https://github.com/ti-research-io/ti/blob/main/ioc_extender/ET_Lazarus_APT_Related.json # Reference: https://www.virustotal.com/gui/ip-address/149.28.162.113/relations dubbedfinally.link filesaves.cloud fsdriveshare.org googlesheetpage.org gsheetpage.com help-optus.com onedocshare.com onlinedoc.dev pilotview.cloud retrots.net tresordocs.com trollinguneaten.org database.retrots.net doc.filesaves.cloud docs.gsheetpage.com license.cloudplus.one product.onlinedoc.dev sheet.tresordocs.com support.pilotview.cloud # Reference: https://github.com/ti-research-io/ti/blob/main/ioc_extender/ET_Lazarus.json autodiscover.vin banner-counter.com clarionhpdu.top craptioerne.com fhewkhwjehwekjfhwehfwe.com lif0.top smartscreenfilter.com statcounters.net vz206llb19o.com 2ab9.watashinonegai.ru b.watashinonegai.ru d.watashinonegai.ru apkv3.clarionhpdu.top cltpk.doomdns.org down.mykings.pw # Reference: https://twitter.com/souiten/status/1468818352156020737 # Reference: https://www.virustotal.com/gui/file/b3646d8cbadc7620ca7782f2525cc019740a3088f32e2ea9a6c97cc1432537b0/detection fsdriveshare.org dmarc.fsdriveshare.org file.fsdriveshare.org share.fsdriveshare.org # Reference: https://twitter.com/ffforward/status/1456239300593524741 # Reference: https://www.virustotal.com/gui/file/0b8d7a851920d4584777505f9fb484b226a8457d4049885a87c847f7d3532d28/detection stablemarket.org share.stablemarket.org # Reference: https://twitter.com/k3yp0d/status/1448552868907204612 # Reference: https://www.virustotal.com/gui/domain/cloudmgmt.org/relations cloudmgmt.org share.cloudmgmt.org # Reference: https://threatray.com/blog/establishing-the-tigerrat-and-tigerdownloader-malware-families/ # Reference: https://otx.alienvault.com/pulse/61c9aff8d72c2a4731021bee allamwith.com/home/mobile/list.php conkorea.com/cshop/banner/list.php ddjm.co.kr/bbs/icon/skin/skin.php jinjinpig.co.kr/Anyboard/skin/board.php mail.namusoft.kr/jsp/user/eam/board.jsp mail.neocyon.com/jsp/user/sms/sms_recv.jsp mail.sisnet.co.kr/jsp/user/sms/sms_recv.jsp snum.or.kr/skin_img/skin.php /jsp/user/sms/sms_recv.jsp # Reference: https://twitter.com/h2jazi/status/1483521532433473536 # Reference: https://twitter.com/h2jazi/status/1483521535268769793 # Reference: https://www.virustotal.com/gui/file/0d01b24f7666f9bccf0f16ea97e41e0bc26f4c49cdfb7a4dabcc0a494b44ec9b/detection lm-career.com # Reference: https://twitter.com/s1ckb017/status/1484451637653614592 # Reference: https://twitter.com/h2jazi/status/1486448926081302536 # Reference: https://www.virustotal.com/gui/file/0160375e19e606d06f672be6e43f70fa70093d2a30031affd2929a5c446d07c1/detection allinfostudio.com markettrendingcenter.com yourblogcenter.com # Reference: https://twitter.com/czy_1116/status/1485813878550597632 # Reference: https://www.virustotal.com/gui/file/3542078fd524e3cb141d5bebf96aea73467505a07ae72fc58395afa14f22e8a3/detection gfinanzen.net portal.gfinanzen.net # Reference: https://twitter.com/ShadowChasing1/status/1486530954382348290 # Reference: https://www.virustotal.com/gui/file/ac7b6ca73207db6ec6d4af2632a7c842c32af6658e3214753e589b567d809125/detection docusign.agency # Reference: https://twitter.com/h2jazi/status/1487070198955978753 loneeaglerecords.com/wp-content/uploads/2020/01/images.tgz.001 /update_coingotrade.php # Reference: https://twitter.com/h2jazi/status/1490057626134192136 # Reference: https://www.virustotal.com/gui/file/08c3aaeec3da9a106536ad1beff4d2ed23d1e31c9481be60f5dbd5eb1a01d2e5/detection sportsblogweb.com # Reference: https://twitter.com/s1ckb017/status/1489591023030448129 # Reference: https://www.virustotal.com/gui/file/29de2289a2b111a4873e49402c310b2ad0e3de51b5562ee1422a37c514910c71/detection designautocad.org # Reference: https://twitter.com/cyberoverdrive/status/1490839283803951106 # Reference: https://www.virustotal.com/gui/file/353f82475fcfad5b3f06ed85a931bda46ec34279793b5d70085aa8c603e8ebec/detection datacentre.center # Reference: https://twitter.com/ShadowChasing1/status/1490958579930517504 # Reference: https://www.virustotal.com/gui/file/91ba814a86ddedc7a9d546e26f912c541205b47a853d227756ab1334ade92c3f/detection shopapppro.com shopapptech.com # Reference: https://twitter.com/pkalnai/status/1489269982814949382 # Reference: http://report.threatbook.cn/LS.pdf (Chinese) # Reference: https://www.virustotal.com/gui/file/8562f6b2a95963f076f7bc6ff00401d96656eafda1cfad3af53b3e3b99ae6452/detection bmanal.com canyonzcc.com devguardmap.org industryinfostructure.com linkundlink.de mante.li shopandtravelusa.com mantis.linkundlink.de # Reference: https://twitter.com/jaydinbas/status/1468521246862233603 # Reference: https://www.virustotal.com/gui/file/ef2d3e488b781a7c6144afa8fc8ba2b6d085ca671100d04686097f3b4dd2ed42/detection mantis-gewa.technisat-digital.de # Reference: https://twitter.com/czy_1116/status/1498190652412203008 # Reference: https://www.virustotal.com/gui/file/4cbad835586faf1d91431d5421b58b4acda0bd280cfbaf8a5d4820aec486b0e6/detection bloomcloud.org share.bloomcloud.org # Reference: https://twitter.com/ShadowChasing1/status/1502240130702065664 open.googlesheetpage.org /KcyRbGDJKRZoaLq8lHh8/C0sHwcGMH2/ /C0sHwcGMH2/ /KcyRbGDJKRZoaLq8lHh8/ # Reference: https://twitter.com/malwrhunterteam/status/1503640289810038786 # Reference: https://twitter.com/malwrhunterteam/status/1504573045750571010 # Reference: https://twitter.com/malwrhunterteam/status/1506008938197643266 # Reference: https://twitter.com/h2jazi/status/1503826030812925962 # Reference: https://twitter.com/h2jazi/status/1503826034923388929 # Reference: https://www.virustotal.com/gui/file/8672acfb06258f5b6dec3700cd7f91a0c013a70a9664dbc6cf33a4c6406756ed/detection # Reference: https://www.virustotal.com/gui/file/e62a7d9184a841e2b53e41f2d85aa278b427e2e427dbfd8f4be072108e3089c1/detection # Reference: https://www.virustotal.com/gui/file/689d5513ad52ad5e7a631a9147049c4cc494ad514b81cf41e841fb244c766b8b/detection # Reference: https://www.virustotal.com/gui/file/a51cad94475e0af91d270146379574b5a8ae70a03098318ddf9912784ace3cba/detection encorpost.com foxiebed.com hillokay.com nhn-games.com sktelecom.help want-helper.com # Reference: https://twitter.com/h2jazi/status/1505965580075114498 # Reference: https://www.virustotal.com/gui/file/e3a4e97e27bcfb6126ebfe92827cfb6b7e0c04eb7f5426bf17dd366e4723d1ef/detection pvacek.cz/wp-content/plugins/akismet/control/en/en.jpg # Reference: https://twitter.com/h2jazi/status/1505983796897894401 # Reference: https://www.virustotal.com/gui/file/d0cf9c1f87eac9b8879684a041dd6a2e1a0c15e185d4814a51adda19f9399a9b/detection webhosttech.org # Reference: https://twitter.com/blackorbird/status/1507040337097027584 # Reference: https://blog.google/threat-analysis-group/countering-threats-north-korea/ disneycareers.net find-dreamjob.com indeedus.org varietyjob.com ziprecruiters.org blockchainnews.vip chainnews-star.com financialtimes365.com fireblocks.vip gatexpiring.com gbclabs.com giantblock.org humingbot.io onlynova.org teenbeanjs.com colasprint.com/about/about.asp varietyjob.com/sitemap/sitemap.asp financialtimes365.com/user/finance.asp gatexpiring.com/gate/index.asp humingbot.io/cdn/js.asp teenbeanjs.com/cloud/javascript.asp # Reference: https://twitter.com/jaydinbas/status/1506970733997604867 # Reference: https://twitter.com/ShadowChasing1/status/1508637858927587328 # Reference: https://twitter.com/ShadowChasing1/status/1509520460974723072 # Reference: https://twitter.com/ShadowChasing1/status/1511144288830119941 # Reference: https://asec.ahnlab.com/ko/33034/ (Korean) # Reference: https://www.virustotal.com/gui/ip-address/2.57.90.16/relations # Reference: https://www.virustotal.com/gui/ip-address/209.126.83.186/relations # Reference: https://www.virustotal.com/gui/file/2fc71184be22ed1b504b75d7bde6e46caac0bf63a913e7a74c3b65157f9bf1df/detection # Reference: https://www.virustotal.com/gui/file/392aba0070375051d7bc3cc478c4bb66c5f55be87ad797800f50a338c3e2479b/detection # Reference: https://www.virustotal.com/gui/file/a7c17e5fa55bcc60d4cff64dd37d0a1f0cc93f4f44b3cebd5633ca5af413e5cc/detection # Reference: https://www.virustotal.com/gui/file/ae7275988753fffb29bdb254babdf46773daf935b2721006fe66a1747af3d1d4/detection naveicoipf.online naveicoipg.online naveicoiph.online naveicoiph.online naveicoipa.tech naveicoipc.tech naveicoipd.tech naveicoipe.tech navermailteam.online 123fisd.naveicoipg.online aat1pbil.naveicoipg.online adzjvazj.naveicoipg.online aosm8cts.naveicoipg.online buiweggajhqwj.naveicoipg.online cecomtp3.naveicoipg.online edfeiyql.naveicoipg.online eoinlslsf.naveicoipg.online fwpoyktt.naveicoipg.online hytrycnc.naveicoipg.online jbmnqpwp.naveicoipg.online jvnquetbon.naveicoipg.online kdzdm1rq.naveicoipg.online kygfkdum.naveicoipg.online l1tog1iv.naveicoipg.online lbmwbnbieo.naveicoipg.online olsnvolqwe.naveicoipg.online pv5pnwlx.naveicoipg.online qogngnslel.naveicoipg.online tp0rw6ie.naveicoipg.online twlekqnwl.naveicoipg.online urm1o6h0.naveicoipg.online vm2rjonq.naveicoipg.online vnwoei.naveicoipg.online 6la0cwds.naveicoiph.online 9yxqida1b.naveicoiph.online d4yp8bphj3.naveicoiph.online dtdgwgfvr.naveicoiph.online gkins2p3i.naveicoiph.online kashaccn4.naveicoiph.online lkpiedozd.naveicoiph.online rxpz7z2yi8.naveicoiph.online gowelknx.naveicoipf.online xjowihgnxcvb.naveicoipf.online xuau0b2i.naveicoipf.online 4w9h8ps9.naveicoipa.tech 4w9h8ps9.naveicoipc.tech momls4ii.naveicoipa.tech momls4ii.naveicoipc.tech tofysz6a.naveicoipa.tech tofysz6a.naveicoipc.tech uzzmuqwv.naveicoipa.tech uzzmuqwv.naveicoipc.tech zvc1ijau.naveicoipa.tech zvc1ijau.naveicoipc.tech bcvbert.naveicoipe.tech mhf8huuo.naveicoipe.tech msldkopw.naveicoipe.tech tyidrtu.naveicoipe.tech uktyukb.naveicoipe.tech vkqrwl00.naveicoipe.tech wrhehdfg.naveicoipe.tech nredial.navermailteam.online /1uFnvppj/1uFnvppj32.acm /1uFnvppj/1uFnvppj64.acm /1uFnvppj/ /1uFnvppj32.acm /1uFnvppj64.acm /018ueCdS/018ueCdS32.acm /018ueCdS/ /018ueCdS32.acm /0lvNAK1t/0lvNAK1t32.acm /0lvNAK1t/ /0lvNAK1t32.acm # Reference: https://www.virustotal.com/gui/ip-address/15.235.132.77/relations # Reference: https://www.virustotal.com/gui/ip-address/23.81.246.131/relations # Reference: https://www.virustotal.com/gui/ip-address/23.82.19.179/relations mailcontactteam.online mailcustomerservice.site mailhelp.online mailmanagecorp.online mailsecurity.email mailservicecorp.online mailserviceteam.email navcopcenter.tech navcorpmanager.site naveeocorp.xyz navenida.live navenida.site navenidb.live navenidb.site navenidc.live navenidc.site navenidd.site navenide.site navenidf.site naveorseccorp.link naveracom.link naveradmin01.link naveranid.link naveranid.live naveranid.online naverbcom.link naverbnid.live naverbnid.online naverccom.link navercert.live navercert.online navercnid.link navercnid.online navercoa.store navercob.store navercoc.store navercod.store navercoe.store navercoma.link navercoma.online navercomb.link navercomb.online navercomb.tech navercomc.link navercomc.online navercomc.tech navercomd.link navercomd.online navercome.link navercome.online navercome.tech navercomf.link navercomf.online navercomg.link navercomh.link navercop.link navercop.online navercorp.email navercorp.live navercorpl.tech navercorpr.online navercorpservice.com navercorpteam.com navercscorp.com naverenid.online naverfnid.online navergnid.online naverhnid.online naverhost.live naverinid.com naverinid.online naverjnid.online naverlogn.live navermailcorp.com navermailmanage.com navermailservice.com navermailservice.online navermailteam.online navermanage.com navermanage.live navermanage.space navermanageteam.com navermcorp.com navernida.link navernida.online navernida.tech navernidb.link navernidb.online navernidb.tech navernidc.link navernidc.online navernidc.tech navernidd.live navernidd.online navernide.online navernidlog.live navernidmail.com naverorteam.link naverreda.xyz naverredc.xyz naverredd.xyz naverrede.xyz naverredirect.live naversecurityservice.online naversecurityteam.com naverservice.email naverservice.host naverservice.link naverserviceteam.com naverserviceteam.email naverteam.live naverteamcorp.live navreplya.live navreplya.online navreplyb.live navreplyd.live navreplye.live navreplyf.site navreplyg.site navreplyh.site navreplyi.site navreplyj.site navreplyk.site navteamcorp.link nidbnaver.tech nidcnaver.tech niddnaver.tech nidnavera.online nidnavere.online noreplya.xyz noreplyb.xyz nvrcopa.link nvrcopb.link nvrcopc.link nvrcope.site nvrcopf.site nvricop.online nvrjcop.online portalcorpteam.com help.navreplya.live logn.navermanagecorp.site logn.noreplya.website mail.naveradmina.tech mail.navercomf.link nav.cloudcentre.space nav.naveracom.link nav.naveradmin06.online nav.noreplyb.xyz nav.portalcorpteam.com nin.navercop.link nlog.noreplyb.space red.naveradmin07.site red.nidnavere.online sec.naveralert.link sub.naverbcom.link # Reference: https://twitter.com/ShadowChasing1/status/1508706298640052225 # Reference: https://www.virustotal.com/gui/ip-address/44.227.65.245/relations cloudscare.xyz onlinedocview.biz cdn.onlinedocview.biz edit.onlinedocview.biz # Reference: https://ics-cert.kaspersky.com/publications/reports/2021/12/16/pseudomanuscrypt-a-mass-scale-spyware-attack-campaign/ # Reference: https://ics-cert.kaspersky.com/reports/2021/12/16/pseudomanuscrypt-a-mass-scale-spyware-attack-campaign/ # Reference: https://otx.alienvault.com/pulse/61bca21cf212a6842e17c00b diragame.com diregame.live mygametoa.com d.diragame.com google.diragame.com jom.diregame.live toa.mygametoa.com tob.mygametoa.com # Reference: https://twitter.com/h2jazi/status/1509206625701220356 # Reference: https://www.virustotal.com/gui/file/e9894893a8a1f74d7d6a8768dda9ef5ddaf8aac18634a1110e9a79652c9f13ee/detection aixstore.info app.aixstore.info # Reference: https://securelist.com/lazarus-trojanized-defi-app/106195/ # Reference: https://otx.alienvault.com/pulse/6246c2c9082f5d1a7c15ffba bn-cosmo.com/customer/board_replay.asp edujikim.com/pay_sample/INIstart.asp emsystec.com/include/inc.asp gyro3d.com/common/faq.asp gyro3d.com/mypage/faq.asp ilovesvc.com/HomePage1/Inquiry/privacy.asp newbusantour.co.kr/gallery/left.asp roit.co.kr/xyz/adminer/edit_fail_decoded.asp softapp.co.kr/sub/cscenter/privacy.asp syadplus.com/search/search_00.asp # Reference: https://twitter.com/ShadowChasing1/status/1514899414367694851 # Reference: https://www.virustotal.com/gui/file/f78b85fc5c9a5f6c8d735f13180d318bf8f5639e71556e2ae0f2c6b9b4181a6c/detection http://15.235.33.14 # Reference: https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/lazarus-dream-job-chemical # Reference: https://otx.alienvault.com/pulse/625d3bb7b78be557e145d2c7 aumentarelevisite.com juneprint.com jungfrau.co.kr mariamchurch.com happy.nanoace.co.kr ric-camid.re.kr # Reference: https://twitter.com/blackorbird/status/1516300076523548674 # Reference: https://mp.weixin.qq.com/s/Xs54_RDKU5MvkvsPPCGKEw (Chinese) beenos.biz zvc.capital cloud.beenos.biz it.zvc.capital # Reference: https://www.cisa.gov/uscert/ncas/alerts/aa22-108a # Reference: https://otx.alienvault.com/pulse/625e65bf6aa1f7977a316d65 alticgo.com cryptais.com dafom.dev esilet.com tokenais.com # Reference: https://asec.ahnlab.com/ko/33706/ # Reference: https://otx.alienvault.com/pulse/625e688f46dbcbce7ac0668d gaonwell.com/data/base/mail/login.asp h-cube.co.kr/main/image/gellery/gallery.asp materic.or.kr/include/main/main_top.asp materic.or.kr/include/main/main_top.xn--asp namchoncc.co.kr/include/?ind= okkids.kr/html/program/display/?re= shoppingbagsdirect.com/media/images/?ui= # Reference: https://twitter.com/blackorbird/status/1519504288849874944 # Reference: https://www.virustotal.com/gui/file/672ec8899b8ee513dbfc4590440a61023846ddc2ca94c88ae637144305c497e7/detection http://109.248.144.155 http://155.94.210.11 http://193.56.28.32 http://45.57.245.17 109.248.144.136:8443 109.248.144.155:8080 109.248.144.155:8443 usengineergroup.com mail.usengineergroup.com # Reference: https://twitter.com/ESETresearch/status/1521735320852643840 # Reference: https://twitter.com/ESETresearch/status/1521735343497695232 # Reference: https://www.virustotal.com/gui/file/55571ac52e1f02f18af77e2f3314382c982a37744b58732dfc15faac9d66619f/detection # Reference: https://www.virustotal.com/gui/file/a0bf5af3f931a428b905fd14d43b61af47b7f272425ae4ff4d78b5cb139b8276/detection # Reference: https://www.virustotal.com/gui/file/315503862cb7ebb0a731483827016015e355bad51f872db5c650a822de744937/detection onlinestockwatch.net # Reference: https://www.virustotal.com/gui/file/5081f54761947bc9ce4aa2a259a0bd60b4ec03d32605f8e3635c4d4edaf48894/detection 66.154.102.91:9090 # Reference: https://blogs.jpcert.or.jp/en/2022/07/vsingle.html bluedragon.com/login crm.vncgroup.com/cats/scripts/sphinxview.php mantis.westlinks.net/api/soap/mc_enum.php ougreen.com/zone semiconductboard.com/xcror shipshorejob.com/ckeditor/samples/samples.php tecnojournals.com/general tecnojournals.com/prest # Reference: https://blogs.jpcert.or.jp/en/2022/07/yamabot.html # Reference: https://www.virustotal.com/gui/file/f226086b5959eb96bd30dec0ffcbf0f09186cd11721507f416f1c39901addafb/detection http://213.180.180.154 karin-store.com/recaptcha.php yoshinorihirano.net/wp-includes/feed-xml.php /editor/session/aaa000/support.php /aaa000/support.php # Reference: https://mp.weixin.qq.com/s/USitU4jAg9y2XkQxbwcAPQ # Reference: https://otx.alienvault.com/pulse/62d153ef7d6fbe552403bc90 namchuncheon.co.kr/html/notice/list.asp stracarrara.org/public/photos/image/image.asp stracarrara.org/public/photos/image/image.xn--asp # Reference: https://twitter.com/h2jazi/status/1549780561551675393 # Reference: https://www.virustotal.com/gui/ip-address/155.138.219.140/relations # Reference: https://www.virustotal.com/gui/file/f7170b70a89f4b5d196e3a09c1d6135d36320548f66cdc2c55bf725b0f8d4ab8/detection documentworkspace.io fclouddown.co cdn.documentworkspace.io file.fclouddown.co # Reference: https://twitter.com/cyberoverdrive/status/1550175620927299584 # Reference: https://www.virustotal.com/gui/file/1e154b2976cc00d457c0dc2b83ebe81911294c8276691617085c03a3304fd87f/detection googlesheet.info # Reference: https://twitter.com/h2jazi/status/1553024107989635073 # Reference: https://www.virustotal.com/gui/file/0fe69e67286203ca2dcd080b4c25ab76fc4ca925e6207b193d47f02da1481843/detection shconstmarket.com dps.shconstmarket.com inst.shconstmarket.com web.shconstmarket.com # Reference: https://twitter.com/Des00464472/status/1546403794871001093 http://52.79.92.249/bbs/bbs_post.asp # Reference: https://twitter.com/h2jazi/status/1555205042331947011 # Reference: https://www.virustotal.com/gui/file/a3ef9fd758bca1c94054a43995a99069abaef672495c1bd3ee831217c1f5e498/detection mktrending.com docs.mktrending.com # Reference: https://twitter.com/ShadowChasing1/status/1557034048345997312 # Reference: https://www.virustotal.com/gui/file/57959c2be2ac6349aa37edb73cd8a88fe8d3e69678cac4b38fac401bd3141fdf/detection documentshare.info doc.documentshare.info ww16.documentshare.info /DmJMFYpwLPP3ygS/ # Reference: https://twitter.com/malwrhunterteam/status/1557077792075829249 # Reference: https://www.virustotal.com/gui/file/f1ade73b9c61f2f4b774a1b5003a5d70d7a12e0872abe98c52fbf9e9e3a90fc5/detection wordonline.cloud cdn.wordonline.cloud gdoc.wordonline.cloud # Reference: https://twitter.com/ESETresearch/status/1559553324998955010 # Reference: https://www.virustotal.com/gui/file/49046dfeaefc59747e45e013f3ab5a2895b4245cfaa218dd2863d86451104506/detection # Reference: https://www.virustotal.com/gui/file/8b427c47a43e6c357d8439fefa7f0ff34b72a2abdaf0461193fb9e6086807e17/detection # Reference: https://www.virustotal.com/gui/file/94a669041ef572e3fb089179f5c29e2811e2e82613290e39a2ce1b6c273727c9/detection # Reference: https://www.virustotal.com/gui/file/dae9f37ae5c2a030c0fb3f55d5731cdb37a4f68560a6f2ba38bb54c9533f8805/detection # Reference: https://www.virustotal.com/gui/file/e29d0db8c013e7eb5820a6f40aae92a085d9550f2f0b2ebc10c8c2c08d14f6d5/detection # Reference: https://www.virustotal.com/gui/file/fe336a032b564eef07afb2f8a478b0e0a37d9a1a6c4c1e7cd01e404cc5dd2853/detection concrecapital.com # Reference: https://twitter.com/h2jazi/status/1559259261665943553 # Reference: https://www.virustotal.com/gui/file/03f6c8f173413302d9c22a44a593fc9a5203fbb7652d3a36b3ace79f3cdc39a3/detection 1drvmicrosoft.com hare.1drvmicrosoft.com share.1drvmicrosoft.com # Reference: https://twitter.com/malwrhunterteam/status/1560563222624710656 # Reference: https://www.virustotal.com/gui/file/c9b4893bdb85d67c13826814ef0cf392648089f416aed40078907054624fba72/detection cooporatestock.com doc.cooporatestock.com docs.cooporatestock.com # Reference: https://www.virustotal.com/gui/ip-address/45.76.77.197/relations # Reference: https://www.virustotal.com/gui/file/0f6b6c1596e38e840fb03420317db224739a18dbef0b98285637f5887e90a191/detection drivegoogle.info docs.drivegoogle.info # Reference: https://twitter.com/ShadowChasing1/status/1564980900785373185 # Reference: https://www.virustotal.com/gui/file/51d53ca36a662b4aad5878987548f0f22f2a53545790577d8043373b6bf7eb75/detection wpsonline.co edit.wpsonline.co wps.wpsonline.co # Reference: https://www.virustotal.com/gui/file/f42c637db03edf83a08e944bc190265167ecea84d77508f37fc1269d267fe5a8/detection stablehouses.info app.stablehouses.info # Reference: https://blog.talosintelligence.com/2022/09/lazarus-magicrat.html # Reference: https://securelist.com/andariel-evolves-to-target-south-korea-with-ransomware/102811/ # Reference: https://www.virustotal.com/gui/file/f6827dc5af661fbb4bf64bc625c78283ef836c6985bb2bfb836bd0c8d5397332/detection # Reference: https://www.virustotal.com/gui/file/f78cabf7a0e7ed3ef2d1c976c1486281f56a6503354b87219b466f2f7a0b65c4/detection # Reference: https://www.virustotal.com/gui/file/eb73c57c6f4ce8bf197ddc689b7e0afd3703a9bf9a78212c9cb838528441df7a/detection # Reference: https://www.virustotal.com/gui/file/bffe910904efd1f69544daa9b72f2a70fb29f73c51070bde4ea563de862ce4b1/detection # Reference: https://www.virustotal.com/gui/file/afb2d4d88f59e528f0e388705113ae54b7b97db4f03a35ae43cc386a48f263a0/detection # Reference: https://www.virustotal.com/gui/file/196fb1b6eff4e7a049cea323459cfd6c0e3900d8d69e1d80bffbaabd24c06eba/detection http://151.106.2.139 http://193.56.28.251 http://52.202.193.124 http://64.188.27.73 http://66.154.102.91 151.106.2.139:8080 151.106.2.139:8443 66.154.102.91:9090 gendoraduragonkgp126.com /adm_bord/login_new_check.php # Reference: https://twitter.com/Des00464472/status/1569331099305918465 techdesignshop.com # Reference: https://twitter.com/h2jazi/status/1570501870954905600 # Reference: https://www.virustotal.com/gui/file/5816eb32cbaadfc3477c823293a8c49cdf690b443c8fa3c19f98399c143df2b3/detection azure-protect.online verify.azure-protect.online # Reference: https://twitter.com/BaoshengbinCumt/status/1570579732399558656 jbic.us mufg.tokyo salt1ending.com wpic.ink cloud.jbic.us cloud.mufg.tokyo # Reference: https://twitter.com/HaoZhixiang/status/1572434427942432772 # Reference: https://www.virustotal.com/gui/file/0b79e1194644431c2e28c48aa3654e658a2907e1003cd0484cd00a0796ebe6bb/detection onlineshares.cloud ms.onlineshares.cloud # Reference: https://twitter.com/malwrhunterteam/status/1573305740252663809 # Reference: https://www.virustotal.com/gui/file/48bd1c5cf9ccc3d454ab80d7284abaf39028a228607d132bfa92ab2ceca47ca2/detection azure-protection.cloud docs.azure-protection.cloud secure.azure-protection.cloud # Reference: https://twitter.com/StopMalvertisin/status/1574329188793733120 # Reference: https://www.virustotal.com/gui/file/3b70c3ebffcfd6a97859f8d9e5a31f6902756e23fd6688ca7c7446d24ec76d9d/detection digiboxes.us fs.digiboxes.us # Reference: https://twitter.com/StopMalvertisin/status/1574749887203143680 # Reference: https://www.virustotal.com/gui/file/f00fe4e6da3aaad25d1ac8b268ffeebc98bda184e3df224905626908be24d415/detection sunlin.org/info/style?title= # Reference: https://twitter.com/StopMalvertisin/status/1575055809104334848 # Reference: https://twitter.com/ScarletSharkSec/status/1575130042627244038 # Reference: https://twitter.com/malwrhunterteam/status/1593744606172168195 # Reference: https://www.virustotal.com/gui/ip-address/155.138.159.45/relations # Reference: https://www.virustotal.com/gui/file/99eae95f3271fe7cd2b25aca9a2b69ca8f5cc034f3416b554a4af38903f14233/detection # Reference: https://www.virustotal.com/gui/file/8f05021071c4bfd4cfce3d02bd30bf16f1322170515d796e13f75eb25b09d533/detection docuprivacy.com gdocshare.one msteam.biz onlinecloud.cloud privacysign.org _dmarc.onlineshares.cloud dmarc.onlineshares.cloud ms.msteam.biz team.msteam.biz open.onlinecloud.cloud # Reference: https://www.microsoft.com/security/blog/2022/09/29/zinc-weaponizing-open-source-software/ 137.184.15.189:22 172.93.201.253:22 44.238.74.84:22 44.238.74.84:5900 # Reference: https://www.sentinelone.com/blog/lazarus-operation-interception-targets-macos-users-dreaming-of-jobs-in-crypto/ # Reference: https://otx.alienvault.com/pulse/6336cd77cbc019c475aa2034 contradecapital.com m.contradecapital.com market.contradecapital.com stage.contradecapital.com vpn.contradecapital.com # Reference: https://github.com/eset/malware-ioc/tree/master/nukesped_lazarus cowp.or.kr/html/board/main.asp erpmas.co.kr/Member/franchise_modify.asp fored.or.kr/home/board/view.php gncaf.or.kr/cafe/cafe_board.asp gongsinet.kr/comm/comm_gongsi.asp goojoo.net/board/banner01.asp hsbutton.co.kr/bbs/bbs_write.asp hstudymall.co.kr/easypay/web/bottom.asp ikrea.or.kr/main/main_board.asp pcdesk.co.kr/Freeboard/mn_board.asp pgak.net/service/engine/release.asp quecue.kr/okproj/ex_join.asp style1.co.kr/main/view.asp wowpress.co.kr/customer/refuse_05.asp zndance.com/shop/post.asp # Reference: https://www.welivesecurity.com/2022/09/30/amazon-themed-campaigns-lazarus-netherlands-belgium/ # Reference: https://otx.alienvault.com/pulse/633c7f2703c1f6dec01555e5 aquaprographix.com/patterns/Map/maps.php stracarrara.org/images/img.asp thetalkingcanvas.com/thetalking/globalcareers/us/5/careers/jobinfo.php turnscor.com/wp-includes/feedback.php # Reference: https://twitter.com/Des00464472/status/1580021488433831936 propertys-shop.com # Reference: https://twitter.com/h2jazi/status/1582809597051826177 # Reference: https://twitter.com/h2jazi/status/1582809599023124481 # Reference: https://www.virustotal.com/gui/file/c114b73da17eb5c8aff5a7b5509ffe26b9770e28c7123f038e98d42f8a065632/detection bbcnewsagency.com # Reference: https://twitter.com/h2jazi/status/1582919568384663552 bloombergnewsagency.com # Reference: https://www.virustotal.com/gui/file/500ae0f1ab40a254f81c73331c9848bada4c26adad613d53d339d14ca3599a32/detection # Reference: https://www.virustotal.com/gui/file/442c2b7b8e7ec13306bfb6c1332bd87e4d9cac242fd86555df355a606b895c46/detection 11.23.33.44:8050 66.85.157.67:8050 drivetools.xyz filesspace.xyz theboxart.xyz # Reference: https://twitter.com/imp0rtp3/status/1589263364274155520 # Reference: https://twitter.com/imp0rtp3/status/1589263367650578434 # Reference: https://www.virustotal.com/gui/file/06ea41ee563f0ecb884d0640344a1e0006a9e8b1b3d4cda9a769a896f18c4b6d/detection # Reference: https://www.virustotal.com/gui/file/e1ecf0f7bd90553baaa83dcdc177e1d2b20d6ee5520f5d9b44cdf59389432b10/detection # Reference: https://www.virustotal.com/gui/file/dc20873b80f5cd3cf221ad5738f411323198fb83a608a8232504fd2567b14031/detection leadsblue.com/wp-content/wp-utility/index.php # Reference: https://twitter.com/Des00464472/status/1590966132596695040 olidhealth.com dc-ba6f51b553e0.olidhealth.com # Reference: https://twitter.com/souiten/status/1593449165349978113 # Reference: https://www.virustotal.com/gui/file/0937cbb980cb898eacd8458366fc4de3510266b8fbcd68010aa04e58bf72df28/detection # Reference: https://www.virustotal.com/gui/file/a3f087c83453cde2bc845122c05ebeb60e8891e395b45823c192869ec1b72ea6/detection capmarketreport.com # Reference: https://explore.avertium.com/resource/an-in-depth-look-at-north-korean-threat-actor-zinc # Reference: https://otx.alienvault.com/pulse/637f670d45a399f00e8aea3c cats.runtimerec.com/db/dbconn.php elite4print.com/support/support.asp hurricanepub.com/include/include.php olidhealth.com/wp-includes/php-compat/compat.php recruitment.raystechserv.com/lib/artichow/BarPlotDashboard.object.php turnscor.com/wp-includes/contacts.php # Reference: https://twitter.com/jaydinbas/status/1598660262751604738 # Reference: https://www.virustotal.com/gui/file/f14c5bad5219b1ed5166eb02f5ff08a890a181cef2af565f3fe7bcea9c870e22/detection key.sharedrive.ink # Reference: https://twitter.com/malwrhunterteam/status/1598405604317442048 # Reference: https://twitter.com/jaydinbas/status/1598722899556577280 # Reference: https://www.virustotal.com/gui/file/741be5e53a5dc7cebaa63d6ff624c5eff1a0e1817ede1e7fc0473a28b1ed7a33/detection dsx-app.com # Reference: https://community.emergingthreats.net/t/ruleset-update-summary-2022-12-02-v10187/190 bloxholder.com oilycargo.com rebelthumb.net strainservice.com telloo.io # Reference: https://twitter.com/h2jazi/status/1602302208325947394 # Reference: https://www.virustotal.com/gui/file/69e5cc9d865301f7e8dd7d4dbf5624db2859c614112d339b2fc07ea6176c776d/detection microshare.cloud one.microshare.cloud # Reference: https://twitter.com/h2jazi/status/1602314597926576131 # Reference: https://twitter.com/h2jazi/status/1602314600753598465 # Reference: https://www.virustotal.com/gui/file/bdd109cba8346548dd6fe5110180aa23eb9f5805c90733025344a5881c15c985/detection thecloudnet.org # Reference: https://twitter.com/jaydinbas/status/1608077663532449792 # Reference: https://www.virustotal.com/gui/file/c52028b494c37505cbe073e3b0fcdeb6b7b48636c6fd00a41108e6dc1a66a4ce/detection professiondesc.com # Reference: https://twitter.com/Des00464472/status/1610535596262580230 # Reference: https://www.virustotal.com/gui/ip-address/172.86.121.130/relations # Reference: https://www.virustotal.com/gui/ip-address/45.153.242.37/relations # Reference: https://www.virustotal.com/gui/file/e04848c1e2908335975dd52793c94624d06a598fdd75d5d3eb6ea8c5d569b8bc/detection auto-protection.cloud auto-protection.services azure-protect.cloud azure-protection.online auto-secure.cloud beyondnextventures.us doc-protection.cloud docs-view.cloud mizuhogroup.uk offerings.cloud online-protection.cloud protection-service.cloud smbcgroup.uk tptf.cloud tptf.ltd azure.auto-protection.cloud azure.auto-protection.services azure.auto-secure.cloud azure.doc-protection.cloud azure.doc-protection.online azure.docs-view.cloud azure.online-protection.cloud azure.protection-service.cloud cloud.beyondnextventures.us cloud.mizuhogroup.uk cloud.smbcgroup.uk docs.tptf.cloud secure.azure-protection.online secure.azure-protect.cloud secure.azure-protection.online # Reference: https://twitter.com/Des00464472/status/1613893230004965381 # Reference: https://www.virustotal.com/gui/file/9dc04153455d054d7e04d46bcd8c13dd1ca16ab2995e518ba9bf33b43008d592/detection easyview.kr/board/mb_admin.php mudeungsan.or.kr/gbbs/bbs/template/g_botton.php neohr.co.kr/bbs/data/notice/notice.php # Reference: https://twitter.com/h2jazi/status/1618630926891913217 blurbshop.com cloudfly.org dailynewsagent.com oneweb-host.com shopwebstudio.com turacodi.com # Reference: https://twitter.com/jaydinbas/status/1623295609703636993 # Reference: https://www.virustotal.com/gui/file/3a4aed5b9ad0827696a1bb5f3497a6a2aa26b453d27bfacbe3c8c47673aac98d/detection doc-share.cloud safe.doc-share.cloud # Reference: https://asec.ahnlab.com/ko/48416/ # Reference: https://otx.alienvault.com/pulse/63ff76797371033cf70b2df3 ctmnews.kr dalbinews.co.kr kfcjn.com lightingmart.co.kr studyholic.co.kr # Reference: https://www.malwarebytes.com/blog/news/2022/12/lazarus-group-uses-fake-cryptocurrency-apps-to-plant-applejeus-malware wirexpro.com # Reference: https://twitter.com/souiten/status/1653999722477268992 # Reference: https://www.virustotal.com/gui/file/69ef7c4cb3849283c03eaa593b02ebbfd1d08d25ef9a58355d2a9909678d6c6d/detection share.googlefiledrive.com # Reference: https://twitter.com/ESETresearch/status/1656385173968019456 # Reference: https://twitter.com/ESETresearch/status/1656386549594857472 # Reference: https://www.virustotal.com/gui/ip-address/104.168.138.7/relations # Reference: https://www.virustotal.com/gui/file/c28e4031129f3e6e5c6fbd7b1cebd8dd21b6f87a8564b0fb9ee741a9b8bc0197/detection # Reference: https://www.virustotal.com/gui/file/5f00106f7f15e0ca00df4dbb0eeccd57930b4b81bc9aa3fca0c5af4eda339ab7/detection coto.live cryptyk.cloud cryptyk.info gumicryptos.com hyperchaincapital.online parallaxdigital.online prosec.ink autoprotect.com.se cloud.cryptyk.info cloud.prosec.ink cloudprotect.us.org cryptyk.ddns.net cryptyk.hopto.org cryptyk.sytes.net cryptyk.webredirect.org document.coto.live document.sharedrive.ink docusend.coto.live hostings.webredirect.org # Reference: https://www.virustotal.com/gui/ip-address/104.168.214.151/relations azure-defender.cloud azuredefender.online blockfi.loans daiwa.ventures doc-send.cloud doc-send.com docs-send.com drop-box.cloud gumi-cryptos.loan job-description.online jobdescription.online nextera.capital privatenetwork.online smart-contracts.blog usncet.org verifydocument.online abs.twitter.expublic.linkpc.net autoprotect.gb.net boa.azuredefender.online boa.job-description.online boa.jobdescription.online cloud.daiwa.ventures coinbase.expublic.linkpc.net daiwa.azure-defender.cloud defi.smart-contracts.blog dynamic.expublic.linkpc.net exceptions.coinbase.expublic.linkpc.net exceptions.expublic.linkpc.net expublic.linkpc.net github.expublic.linkpc.net google.coinbase.expublic.linkpc.net hwsrv-1033810.hostwindsdns.com internal-server.nextera.capital internal.daiwa.ventures internal.usncet.org onedrive.azure-defender.cloud shared.doc-send.cloud shared.drop-box.cloud # Reference: https://medium.com/@DCSO_CyTec/andariels-jupiter-malware-and-the-case-of-the-curious-c2-dbfe29f57499 http://3.89.226.234 http://40.121.90.194 eflow.co.kr/member_image/about.php projectcell.niv.co.in/non_scientific/service.php sora.bz/xoops_root_path/templates_c/login.php sora.bz/xoops_root_path/uploads/information/about.php