A "Naver"-ending game of Lazarus APT
2022-04-26 • Zscaler
https://www.zscaler.com/blogs/security-research/naver-ending-game-lazarus-apt
Zscaler ThreatLabz linked a South Korea-focused phishing and malware campaign to Lazarus with high confidence after correlating reused infrastructure, attacker-controlled Dropbox accounts, registrant email addresses, sender infrastructure, and domains tied to earlier Naver-themed activity. The actor evolved from 2021 Naver credential phishing into 2022 lures spoofing Korean entities such as KRNIC, AhnLab, Binance, and other cryptocurrency or security brands. The attack chains used spear-phishing emails with macro documents or password-protected XLS files, Dropbox-hosted staging, and attacker C2 domains fetched by later-stage binaries. The attribution relied on overlaps including IPs such as 23.81.246.131, historical domain resolutions, and infrastructure also associated with Lazarus activity reported by other researchers.
Indicators of Compromise