Unmasking the APT-C-26 (Lazarus) Group's Use of PyPI to Attack Windows, Linux and macOS Platforms

2024-07-05 Qihoo360 APT-C-26 (Lazarus) Uses PyPI to Attack Windows, Linux, and macOS

https://mp.weixin.qq.com/s?__biz=MzUyMjk4NzExMA%3D%3D&mid=2247499462&idx=1&sn=7cc55f3cc2740e8818648efbec21615f


360 Advanced Threat Research Institute attributes a multi-platform software supply chain campaign to APT-C-26, also known as Lazarus, using malicious PyPI packages to deliver payloads on Windows, Linux, and macOS. Windows packages decrypt DLL stages, run them through rundll32, drop OneDrive.pri and credential.sys, attempt persistence through scheduled tasks, registry keys, or startup folders, and load Comebacker to fetch later payloads. Linux and macOS packages use encoded Python to download oshelper or os_helper from attacker infrastructure such as pypi.online, arcashop.org, and jdkgradle.com, then communicate with C2 using custom HTTP parameters. The attribution is based on Comebacker use, PDB overlap with prior Lazarus npm activity, similar PyPI delivery patterns, and overlapping C2 infrastructure.

Indicators of Compromise

