Perfect Smoke and Mirrors of Enemy: Following Lazarus group by tracking DeathNote campaign
2023-04-11 • Kaspersky
https://www.botconf.eu/wp-content/uploads/formidable/2/2023_8336_SEONGSU.pdf
Attachment: 2023_8336_SEONGSU.pdf (808 KB)
Kaspersky's Botconf presentation tracks Lazarus/Hidden Cobra's DeathNote campaign, also known as DreamJob, from older malware clusters into updated multi-stage infection chains. It highlights newer initial downloaders, trojanized applications and PDF-reader components, remote-template delivery, rundll32 execution driven by an RC4-encrypted configuration, and DLL side-loading through CameraSettingsUIHost.exe and Foxit Reader paths. It describes memory-resident stealers, ThreatNeedle/ForestTigerHjk64 variants, ServiceMove abuse of PerceptionSimulation, and a shift toward defense-industry targeting, with the actor searching for high-value hosts in GMT+8 or GMT+9 environments. The presentation frames the campaign as persistent and increasingly sophisticated, noting its use of open-source malware and the need to understand the full intrusion context.