Analysis of attack activity by APT-C-26 (Lazarus) using a weaponized open-source PDF reader
2024-01-19 • Qihoo360
360 researchers attributed a campaign with high confidence to APT-C-26, also described as Lazarus, in which attackers weaponized the open source SumatraPDF Reader. The attackers built trust with targets over Telegram, sent a modified PDF reader and a crafted PDF, and triggered encrypted payloads when the victim opened the document. The chain uses multiple loader stages, writes usrgroup.dat and thumbcache_512.db under AppData, and persists or executes through scheduled tasks or registry changes before a downloader contacts attacker-controlled C2. The report cites infrastructure such as blockchain-newtech.com and 103.179.142.171 and notes that the technique matches earlier Lazarus use of weaponized open source projects.
Indicators of Compromise
| Type | Value | First Seen | Last Seen |
|---|---|---|---|
| DOMAIN | blockchain-newtech.com | 2023-12-08 | 2024-05-28 |
| DOMAIN | codevexillium.org | 2021-01-25 | 2024-04-17 |
| URL | https://blockchain-newtech.com/… | 2023-12-08 | 2024-02-28 |
| HASH | 1bdf2e0bf8671f1993cd65ed37bbb148 | 2024-01-19 | 2024-01-19 |
| IPv4 | 103.179.142.171 | 2023-11-04 | 2024-01-19 |
| URL | https://codevexillium.org/image… | 2021-01-25 | 2024-01-19 |
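An added hunting helper (not code from the 360 report) that parses the IoC table above into matchers, runs them over constructed sample log lines, and flags the two dropped file names under AppData. The truncated URL cells are treated as prefixes; thumbcache_512.db is also the name of a legitimate Explorer thumbnail-cache file, so it is only flagged outside Explorer's own directory.

```python
import re

# Copy of the page's IoC table rows; the URL cells are truncated on the page.
IOC_TABLE = """\
| DOMAIN | blockchain-newtech.com | 2023-12-08 | 2024-05-28 |
| DOMAIN | codevexillium.org | 2021-01-25 | 2024-04-17 |
| URL | https://blockchain-newtech.com/… | 2023-12-08 | 2024-02-28 |
| HASH | 1bdf2e0bf8671f1993cd65ed37bbb148 | 2024-01-19 | 2024-01-19 |
| IPv4 | 103.179.142.171 | 2023-11-04 | 2024-01-19 |
| URL | https://codevexillium.org/image… | 2021-01-25 | 2024-01-19 |
"""
# Files the report says the loader writes under AppData. thumbcache_512.db is
# also a legitimate Explorer thumbnail-cache name, so flag it only elsewhere.
ARTIFACTS = {"usrgroup.dat", "thumbcache_512.db"}
EXPLORER_DIR = "\\microsoft\\windows\\explorer\\"
# Constructed sample log lines (not from the report).
SAMPLE_LOG = [
    "2024-01-20T10:01:02 dns query=blockchain-newtech.com src=10.0.0.5",
    "2024-01-20T10:01:05 proxy GET https://blockchain-newtech.com/update dst=103.179.142.171",
    "2024-01-20T10:02:00 dns query=www.example.org src=10.0.0.5",
]

def parse_iocs(table):
    """Parse '| type | value | first | last |' rows into (type, value) pairs."""
    iocs = []
    for row in table.splitlines():
        cells = [c.strip() for c in row.strip().strip("|").split("|")]
        if len(cells) == 4:
            iocs.append((cells[0], cells[1].rstrip("…").lower()))
    return iocs

def match_ioc(iocs, observed):
    """Return the IoC values that `observed` (host, IP, hash or URL) matches."""
    o = observed.lower()
    return [v for k, v in iocs
            if (k == "DOMAIN" and (o == v or o.endswith("." + v)))
            or (k in ("IPv4", "HASH") and o == v)
            or (k == "URL" and o.startswith(v))]  # truncated URL: prefix match

# Pull URL, hostname, IPv4 and MD5-shaped tokens out of a free-form log line.
TOKEN = re.compile(r"https?://\S+|[\w.-]+\.[a-z]{2,}|\d{1,3}(?:\.\d{1,3}){3}|[0-9a-f]{32}", re.I)

def scan_log(iocs, lines):
    """Return (line_no, token, ioc) for every indicator hit in the log lines."""
    return [(n, t, hit) for n, line in enumerate(lines, 1)
            for t in TOKEN.findall(line) for hit in match_ioc(iocs, t)]

def suspicious_artifact(path):
    """True if `path` is one of the dropped file names located under AppData."""
    p = path.lower().replace("/", "\\")
    name = p.rsplit("\\", 1)[-1]
    return (name in ARTIFACTS and "\\appdata\\" in p
            and not (name == "thumbcache_512.db" and EXPLORER_DIR in p))
```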