항공·방위 산업을 표적으로 한 Lazarus 그룹의 Comebacker 변종 공격
2025-11-07 • ENKI • Lazarus Group Comebacker variant attack targeting the aerospace and defense industries •
ENKI analyzes a Lazarus Group Comebacker variant recovered from office-theme[.]com, where malicious DOCX files with VBA macros acted as droppers for a staged loader chain. The lures impersonated aerospace and defense-related organizations including Edge Group, IIT Kanpur, and Airbus, suggesting spear-phishing against sector-specific targets. The DOCX macros decrypted and dropped a loader and lure document, installed persistence through LNK and startup-folder mechanisms, and executed USOPrivate.dll through rundll32. The final Comebacker payload contacted hxxps://hiremployee[.]com over HTTPS with AES-128-CBC-protected traffic, while related infrastructure such as birancearea[.]com and a March 2025 sample showed changes in loader encryption and C2 communications.
Indicators of Compromise
| Type | Value | First Seen | Last Seen |
|---|---|---|---|
| HASH | 7e61c884ce5207839e0df7a22f08f0a… | 2025-11-07 | 2025-11-07 |
| HASH | f2b3867aa06fb38d1505b3c2b9e523d… | 2025-11-07 | 2025-11-07 |
| HASH | 96b973e577458e5b912715171070c0a… | 2025-11-07 | 2025-11-07 |
| HASH | b7d625679fbcc86510119920ffdd6d2… | 2025-11-07 | 2025-11-07 |
| HASH | 14213c013d79ea4bc8309f730e26d52… | 2025-11-07 | 2025-11-07 |
| HASH | b357b3882cf8107b1cb59015c4be3e0… | 2025-11-07 | 2025-11-07 |
| HASH | c4a5179a42d9ff2774f7f1f937086c8… | 2025-11-07 | 2025-11-07 |
| HASH | ad9c5aca9977d04c73be579199a8270… | 2025-11-07 | 2025-11-07 |
| HASH | 046caa2db6cd14509741890e971ddc8… | 2025-11-07 | 2025-11-07 |
| URL | https://birancearea.com/adminv2 | 2025-11-07 | 2025-11-07 |
| URL | https://hiremployee.com | 2025-11-07 | 2025-11-07 |
| DOMAIN | hiremployee.com | 2025-11-07 | 2025-11-07 |
| DOMAIN | birancearea.com | 2025-11-07 | 2025-11-07 |
| DOMAIN | office-theme.com | 2025-11-07 | 2025-11-07 |
| HASH | a75886b016d84c3eaacaf01a3c61e04… | 2021-01-25 | 2025-11-07 |
Related Actors
Related Reports
Shares tags: Comebacker, Lazarus • Shares 15 IOCs • Same author: ENKI • Published within a week
2025-08-13 •
56% Match
#Lazarus
#T1102.002
#T1082
#T1059.003
#T1567.002
#T1140
#T1584.004
#T1005
#T1070.004
#T1587.001
#T1041
#T1560
#T1608.001
#T1071.001
#T1046
#T1083
#T1056.001
#T1204.001
#T1036
#T1027
#T1204.002
#T1566.002
#T1566.003
#T1124
#T1057
#T1059.005
#T1583.006
#T1566.001
#T1547.001
#T1585.002
#T1053.005
#T1583.001
#T1059.001
#T1036.005
#T1132.001
#T1001.003
#T1585.001
#T1497.001
#T1105
#T1553.002
#T1620
#T1574.002
#T1562.001
#T1027.002
#T1489
#T1078
#T1008
#T1571
#T1491.001
#T1218
#T1220
#T1203
#T1189
#T1049
#T1564.001
#T1098
#T1016
#T1074.001
#T1588.002
#T1562.004
#T1591
#T1218.011
#T1583.004
#T1036.004
#T1588.003
#T1218.010
#T1593.001
#T1218.005
#T1589.002
#T1584.001
#T1070.006
#T1048.003
#T1134.002
#T1027.007
#T1021.001
#T1106
#T1090.001
#T1573
#T1070
#T1047
#T1574.013
#T1561.001
#T1036.003
#T1529
#T1055.001
#T1614.001
#T1010
#T1021.002
#T1033
#T1543.003
#T1485
#T1090.002
#T1542.003
#T1560.002
#T1012
#T1110
#T1547.009
#T1110.003
#T1534
#T1588.004
#T1104
#T1591.004
#T1561.002
#T1608.002
#T1202
#T1221
#T1557.001
#T1087.002
#T1560.003
#T1070.003
#T1021.004
Shares tags: Lazarus, T1059.003, T1140
2025-08-25 •
50% Match
#Lazarus
#GolangGhost
#T1059.003
#T1140
#T1005
#T1070.004
#T1041
#T1113
#T1071.001
#T1115
#T1083
#T1056.001
#T1204.002
#T1566.002
#T1555.003
#T1057
#T1059.005
#T1518.001
#T1566.001
#T1547.001
#T1059.001
#T1497.001
#T1219
#T1574.002
#T1562.001
#T1622
#T1027.002
#T1573.001
#T1190
#T1123
#T1132.002
#T1564.001
#T1548.002
#T1055.012
#T1027.007
#T1217
#T1106
#T1027.009
#T1036.003
#T1055.002
#T1036.007
#T1059.010
#T1136.001
#T1134.004
#T1614.001
#T1574.007
#T1098.007
#T1010
#T1071.004
#T1021.002
#T1021.006
Shares tags: Lazarus, T1059.003, T1140
2025-11-17 •
48% Match
#Lazarus
#ScoringMathTea
#T1071.001
#T1497
#T1620
#T1622
#T1573.001
#T1027.007
#T1036.012
#T1564.004
#T1106
Shares tags: Lazarus, T1071.001, T1620 • Published within a month
2025-10-18 •
48% Match
#Lazarus
#T1027.013
#T1567.002
#T1041
#T1204.002
#T1547.001
#T1566
#T1486
#T1027.002
#T1189
#T1048.003
#T1134.002
#T1027.007
#T1068
#T1021.001
#T1574.001
#T1095
#T1047
#T1574.013
#T1561.001
#T1027.009
#T1074
Shares tags: Lazarus, T1027.013, T1204.002 • Published within a month
2021-12-02 •
48% Match
#Lazarus
#T1102.002
#T1082
#T1059.003
#T1567.002
#T1140
#T1584.004
#T1005
#T1070.004
#T1587.001
#T1041
#T1560
#T1608.001
#T1071.001
#T1046
#T1083
#T1056.001
#T1204.001
#T1036
#T1027
#T1204.002
#T1566.002
#T1566.003
#T1124
#T1057
#T1059.005
#T1583.006
#T1566.001
#T1547.001
#T1585.002
#T1053.005
#T1583.001
#T1059.001
#T1036.005
#T1132.001
#T1001.003
#T1585.001
#T1497.001
#T1105
#T1553.002
#T1620
#T1574.002
#T1562.001
#T1027.002
#T1489
#T1078
#T1008
#T1573.001
#T1571
#T1491.001
#T1218
#T1220
#T1203
#T1189
#T1049
#T1564.001
#T1098
#T1016
#T1074.001
#T1588.002
#T1562.004
#T1591
#T1218.011
#T1583.004
#T1036.004
#T1588.003
#T1593.001
#T1218.005
#T1589.002
#T1584.001
#T1070.006
#T1048.003
#T1134.002
#T1027.007
#T1021.001
#T1106
#T1090.001
#T1070
#T1047
#T1574.013
#T1561.001
#T1036.003
#T1529
#T1055.001
#T1614.001
#T1010
#T1021.002
#T1033
#T1543.003
#T1485
#T1090.002
#T1542.003
#T1560.002
#T1012
#T1110
#T1547.009
#T1110.003
#T1534
#T1588.004
#T1104
#T1591.004
#T1561.002
#T1608.002
#T1202
#T1221
#T1557.001
#T1087.002
#T1560.003
#T1070.003
#T1021.004
#T0865
Shares tags: Lazarus, T1059.003, T1140