Analysis of an APT-C-26 (Lazarus) attack campaign using weaponized IPMsg software
2024-12-26 • Qihoo360 • Cyber threat report on APT-C-26, IPMsg
The report analyzes an APT-C-26/Lazarus campaign that delivered a weaponized IPMsg installer to targets. When run, the installer dropped a malicious DLL and at the same time launched the legitimate IPMsg installer (version 5.6.18.0), so the victim saw the expected setup flow and had little reason to suspect anything. The DLL chain decrypted and loaded several further DLLs, performed validation checks so that a single component could not be run on its own in a sandbox, and talked to its C2 over HTTP using encoded parameters padded with random strings. Each downloaded payload was checked against an MD5 value before use, decrypted with HC-256, and finally used to establish a backdoor that could fetch and execute additional payloads.
Indicators of Compromise
| Type | Value | First Seen | Last Seen |
|---|---|---|---|
| HASH | a7b23cd8b09a3ce918a77de355e9d3e5 | 2024-12-26 | 2025-05-16 |
| URL | https://cryptocopedia.com/upgra… | 2024-12-26 | 2025-05-16 |
| DOMAIN | cryptocopedia.com | 2024-07-08 | 2025-05-16 |
| URL | https://cryptocopedia.com/explo… | 2024-12-26 | 2024-12-26 |
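A practical first step with these indicators is to sweep proxy logs and file hashes for them. The following script is an added example written for this page, not code from the Qihoo360 report or the malware itself; the log line format and the sample lines are constructed for illustration, and the two URL paths are only matched as prefixes because the page truncates them. Matching is done on the parsed hostname rather than by substring, so a lookalike such as `cryptocopedia.com.evil.test` is not counted as a hit while a subdomain of the IOC domain is.

```python
"""Hunt proxy logs and file hashes for the IPMsg-campaign IOCs listed above.

Added example for this page; not code from the Qihoo360 report. The log
format and the sample lines below are constructed for illustration.
"""
import hashlib
import re
from urllib.parse import urlsplit

# IOCs taken from the table on this page. The two URL paths are truncated
# on the page, so they are matched only as prefixes.
IOC_DOMAINS = {"cryptocopedia.com"}
IOC_URL_PREFIXES = (
    "https://cryptocopedia.com/upgra",
    "https://cryptocopedia.com/explo",
)
IOC_MD5 = {"a7b23cd8b09a3ce918a77de355e9d3e5"}

# Constructed sample proxy log, assumed format:
# "<timestamp> <client_ip> <method> <url> <status>"
SAMPLE_PROXY_LOG = """\
2024-12-26T09:14:02Z 10.1.2.17 GET https://cryptocopedia.com/upgrade/check 200
2024-12-26T09:14:05Z 10.1.2.17 GET https://www.example.org/index.html 200
2024-12-26T09:15:41Z 10.1.2.33 POST https://cdn.cryptocopedia.com/explorer 200
2024-12-26T09:16:00Z 10.1.2.40 GET https://cryptocopedia.com.evil.test/ 200
2024-12-26T09:17:12Z 10.1.2.17 GET https://cryptocopedia.com/explore/api 200
"""

LOG_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\d{3})$")


def host_matches(host, domains=IOC_DOMAINS):
    """True if host equals an IOC domain or is a subdomain of one.

    A lookalike such as cryptocopedia.com.evil.test does not match because
    the comparison is on the whole hostname, not a substring.
    """
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in domains)


def classify_url(url):
    """Return 'url' for a hit on a known URL prefix, 'domain' for a hit on
    the IOC domain only, or None for no match."""
    if any(url.startswith(p) for p in IOC_URL_PREFIXES):
        return "url"
    host = urlsplit(url).hostname or ""
    if host_matches(host):
        return "domain"
    return None


def hunt_proxy_log(text):
    """Parse log lines in the assumed format and return one tuple
    (line_no, client_ip, url, match_kind) per matching line."""
    hits = []
    for n, line in enumerate(text.splitlines(), 1):
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that do not fit the assumed format
        _ts, client, _method, url, _status = m.groups()
        kind = classify_url(url)
        if kind:
            hits.append((n, client, url, kind))
    return hits


def md5_hex(data):
    """MD5 of a byte string as lowercase hex, the form used in the IOC table."""
    return hashlib.md5(data).hexdigest()


def check_file_hashes(files):
    """files: mapping path -> file bytes. Returns the sorted paths whose
    MD5 appears in the IOC hash list."""
    return sorted(p for p, blob in files.items() if md5_hex(blob) in IOC_MD5)


if __name__ == "__main__":
    for hit in hunt_proxy_log(SAMPLE_PROXY_LOG):
        print("hit:", hit)
```

On the constructed sample, lines 1 and 5 match on the URL prefixes and line 3 matches on the domain via the `cdn.` subdomain; the lookalike on line 4 is ignored. Feed `check_file_hashes` the bytes of files pulled from suspect hosts (for example the dropped DLL next to the IPMsg installer) to compare them against the hash in the table.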