{
    "type": "bundle",
    "id": "bundle--e25e6026-a014-48e0-b17c-a68fb4ef6897",
    "objects": [
        {
            "type": "identity",
            "spec_version": "2.1",
            "id": "identity--905e45e7-af77-42eb-9289-5cd4fbbb0fa5",
            "created": "2023-03-08T12:51:41.595163Z",
            "modified": "2023-03-08T14:31:55.177985Z",
            "name": "GregLesnewich",
            "identity_class": "organization"
        },
        {
            "type": "indicator",
            "spec_version": "2.1",
            "id": "indicator--e3827424-2106-4ba2-97e9-b5523baed1d7",
            "created": "2026-06-24T20:59:37.758814Z",
            "modified": "2026-06-24T20:59:37.758814Z",
            "name": "YARA Rule",
            "pattern": "rule APT_NK_TA430_HazyLoad_Mem { meta: description = \"GLES Rule: track HazyLoad proxy tool in memory\" triage_description = \"detect proxy-related strings loaded in memory by HazyLoad loader\" reference = \"https://www.microsoft.com/en-us/security/blog/2023/10/18/multiple-north-korean-threat-actors-exploiting-the-teamcity-cve-2023-42793-vulnerability/\" reference = \"https://blog.talosintelligence.com/lazarus_new_rats_dlang_and_telegram/\" author = \"Greg Lesnewich\" date = \"2023-12-14\" version = \"1.0\" family = \"HazyLoad\" triage_score = 4 hash = \"f794dd23878fbae2472178d00867302be69df5e5986f2f3991c4a15150a339b5\" strings: $string1 = \"[-] socket create error\" ascii wide $string2 = \"[-] socket connect error\" ascii wide $string3 = \"[-] WSAStartup error\" ascii wide $string4 = \"[+] Success to connect proxy\" ascii wide $string5 = \"[+] Success to handshake proxy\" ascii wide $string6 = \"[-] Main Thread Create error.\" ascii wide $string7 = \"[+] disconnected from proxy\" ascii wide $string8 = \"[+] port [1-65535]\" ascii wide $string9 = \"[+] %s:%d\" ascii wide $string10 = \"Usage: socks4 [options] \" ascii wide $string11 = \"Options:\" ascii wide $string12 = \" -i ip of socks4 proxy \" ascii wide $string13 = \" -p port of socks4 proxy \" ascii wide $string14 = \"[-] invalid option: \\\"%s\\\"\" ascii wide $string15 = \"[-] option \\\"-c\\\" ip of socks4 proxy\" ascii wide $string16 = \"[-] option \\\"-s\\\" port of socks4 proxy\" ascii wide $string17 = \"[-] invalid option: \\\"%c\\\"\" ascii wide condition: 12 of them }",
            "pattern_type": "yara",
            "valid_from": "2024-01-01T00:00:00Z"
        },
        {
            "type": "file",
            "spec_version": "2.1",
            "id": "file--09ed5dbd-6a42-400c-a3a1-d511d5f3e2e4",
            "hashes": {
                "SHA-256": "f794dd23878fbae2472178d00867302be69df5e5986f2f3991c4a15150a339b5"
            }
        },
        {
            "type": "threat-actor",
            "spec_version": "2.1",
            "id": "threat-actor--77f42224-6801-50e4-a5d7-2a2d7b78cd83",
            "created": "2026-06-24T20:59:37.76374Z",
            "modified": "2026-06-24T20:59:37.76374Z",
            "name": "TA430"
        },
        {
            "type": "report",
            "spec_version": "2.1",
            "id": "report--19df3b8d-28da-47e6-bb1f-368ba0674486",
            "created_by_ref": "identity--905e45e7-af77-42eb-9289-5cd4fbbb0fa5",
            "created": "2026-06-24T20:59:37.764833Z",
            "modified": "2026-06-24T20:59:37.764833Z",
            "name": "100DaysofYARA - In Memory Detection",
            "published": "2024-01-01T00:00:00Z",
            "object_refs": [
                "identity--905e45e7-af77-42eb-9289-5cd4fbbb0fa5",
                "indicator--e3827424-2106-4ba2-97e9-b5523baed1d7",
                "file--09ed5dbd-6a42-400c-a3a1-d511d5f3e2e4",
                "threat-actor--77f42224-6801-50e4-a5d7-2a2d7b78cd83"
            ],
            "external_references": [
                {
                    "source_name": "source",
                    "url": "https://g-les.github.io/yara/2024/01/01/100DaysofYARA_MemoryDetection.html"
                }
            ]
        }
    ]
}