DRATzarus - Comprehensive Threat Intelligence Report - Bloo

DRATzarus - Comprehensive Threat Intelligence Report

2025-08-13 • Bloo •

https://bloo.io/research/malware/dratzarus

#DRATzarus #Lazarus #T1059.003 #T1140 #T1005 #T1041 #T1113 #T1071.001 #T1083 #T1204.002 #T1566.002 #T1555.003 #T1057 #T1547.001 #T1105 #T1027.002 #T1548.002 #T1036.003 #T1010 #T1021.002 #T1569.002 #T1543.003

Thumbnail for DRATzarus - Comprehensive Threat Intelligence Report

DRATzarus, also tracked as ThreatNeedle, is described as a Lazarus Group remote access trojan used since at least mid-2020 against defense and aerospace organizations. The excerpt says delivery commonly relies on targeted spear-phishing with COVID-19 or fake job lures that lead victims to open malicious documents and install the backdoor. Once active, DRATzarus can provide in-memory remote control, file manipulation, arbitrary command execution, credential harvesting, payload deployment, and lateral movement, including use of a compromised internal server as a proxy to reach segmented networks. The body lists C2 domains, registry artifacts, hashes, and geographically distributed infrastructure across Europe, Asia, and South Korea, underscoring its value for defenders tracking Lazarus espionage against strategic industries.

Indicators of Compromise

Type	Value	First Seen	Last Seen
HASH	69d71f06fbfe177fb1a5f57b9c3ae587	2025-08-13	2025-08-13
HASH	23b04b18c75aa7d286fea5d28d41a830	2025-08-13	2025-08-13
HASH	956e5138940a4f44d1c2c24f122966bd	2025-08-13	2025-08-13
HASH	b191cc4d73a247afe0a62a8c38dc9137	2025-08-13	2025-08-13
HASH	9e440e231ef2c62c78147169a26a1bd3	2025-08-13	2025-08-13
HASH	09aa1427f26e7dd48955f09a9c604564	2025-08-13	2025-08-13
HASH	486f25db5ca980ef4a7f6dfbf9e2a1ad	2025-08-13	2025-08-13
HASH	0f967343e50500494cf3481ce4de698c	2025-08-13	2025-08-13
HASH	4cebc83229a40c25434c51ee3d6be13e	2025-08-13	2025-08-13
HASH	07b22533d08f32d48485a521dbc1974d	2025-08-13	2025-08-13
IPv4	151.106.30.120	2025-08-13	2025-08-13
HASH	254a7a0c1db2bea788ca826f4b5bf51a	2021-02-25	2025-08-13
HASH	ac86d95e959452d189e30fa6ded05069	2021-02-25	2025-08-13
HASH	09580ea6f1fe941f1984b4e1e442e0a5	2021-02-25	2025-08-13
HASH	6f0c7cbd57439e391c93a2101f958ccd	2021-02-25	2025-08-13
HASH	0aceeb2d38fe8b5ef2899dd6b80bfc08	2021-02-25	2025-08-13
HASH	bea90d0ef40a657cb291d25c4573768d	2021-02-25	2025-08-13
DOMAIN	newidealupvc.com	2021-02-25	2025-08-13
DOMAIN	cloudarray.com	2021-02-25	2025-08-13
DOMAIN	prototypetrains.com	2021-02-25	2025-08-13
DOMAIN	kbcwainwrightchallenge.org.uk	2021-02-25	2025-08-13
DOMAIN	waterdoblog.com	2021-02-25	2025-08-13
DOMAIN	forum.iron-maiden.ru	2021-02-25	2025-08-13
HASH	e7aa0237fc3db67a96ebd877806a2c88	2020-08-19	2025-08-13

Related Actors

Lazarus

Novetta

First seen: Feb 2016

Last seen: Jun 2026

Related Reports

2025-08-25 • 82% Match

GolangGhost - Comprehensive Threat Intelligence Report

Bloo

#Lazarus #GolangGhost #T1059.003 #T1140 #T1005 #T1070.004 #T1041 #T1113 #T1071.001 #T1115 #T1083 #T1056.001 #T1204.002 #T1566.002 #T1555.003 #T1057 #T1059.005 #T1518.001 #T1566.001 #T1547.001 #T1059.001 #T1497.001 #T1219 #T1574.002 #T1562.001 #T1622 #T1027.002 #T1573.001 #T1190 #T1123 #T1132.002 #T1564.001 #T1548.002 #T1055.012 #T1027.007 #T1217 #T1106 #T1027.009 #T1036.003 #T1055.002 #T1036.007 #T1059.010 #T1136.001 #T1134.004 #T1614.001 #T1574.007 #T1098.007 #T1010 #T1071.004 #T1021.002 #T1021.006

Shares tags: Lazarus, T1059.003, T1140 • Same author: Bloo • Published within a month

2025-08-13 • 70% Match

APT PROFILE – LAZARUS GROUP

Cyfirma

#Lazarus #T1102.002 #T1082 #T1059.003 #T1567.002 #T1140 #T1584.004 #T1005 #T1070.004 #T1587.001 #T1041 #T1560 #T1608.001 #T1071.001 #T1046 #T1083 #T1056.001 #T1204.001 #T1036 #T1027 #T1204.002 #T1566.002 #T1566.003 #T1124 #T1057 #T1059.005 #T1583.006 #T1566.001 #T1547.001 #T1585.002 #T1053.005 #T1583.001 #T1059.001 #T1036.005 #T1132.001 #T1001.003 #T1585.001 #T1497.001 #T1105 #T1553.002 #T1620 #T1574.002 #T1562.001 #T1027.002 #T1489 #T1078 #T1008 #T1571 #T1491.001 #T1218 #T1220 #T1203 #T1189 #T1049 #T1564.001 #T1098 #T1016 #T1074.001 #T1588.002 #T1562.004 #T1591 #T1218.011 #T1583.004 #T1036.004 #T1588.003 #T1218.010 #T1593.001 #T1218.005 #T1589.002 #T1584.001 #T1070.006 #T1048.003 #T1134.002 #T1027.007 #T1021.001 #T1106 #T1090.001 #T1573 #T1070 #T1047 #T1574.013 #T1561.001 #T1036.003 #T1529 #T1055.001 #T1614.001 #T1010 #T1021.002 #T1033 #T1543.003 #T1485 #T1090.002 #T1542.003 #T1560.002 #T1012 #T1110 #T1547.009 #T1110.003 #T1534 #T1588.004 #T1104 #T1591.004 #T1561.002 #T1608.002 #T1202 #T1221 #T1557.001 #T1087.002 #T1560.003 #T1070.003 #T1021.004

Shares tags: Lazarus, T1059.003, T1140 • Published within a week

2021-02-25 • 63% Match

Lazarus targets defense industry with ThreatNeedle

Kaspersky

#ThreatNeedle #Defense #Lazarus #T1082 #T1059.003 #T1140 #T1070.004 #T1041 #T1071.001 #T1112 #T1083 #T1204.002 #T1566.002 #T1057 #T1547.001 #T1135 #T1070.002 #T1049 #T1132.002 #T1016 #T1036.004 #T1090.001 #T1036.003 #T1560.001 #T1021.002 #T1033 #T1569.002 #T1543.003 #T1104 #T1557.001 #T1070.003 #T1007 #T1572

Shares tags: Lazarus, T1059.003, T1140 • Shares 11 IOCs

2021-12-02 • 50% Match

APT Profile: Who is Lazarus Group?

SOCRadar

#Lazarus #T1102.002 #T1082 #T1059.003 #T1567.002 #T1140 #T1584.004 #T1005 #T1070.004 #T1587.001 #T1041 #T1560 #T1608.001 #T1071.001 #T1046 #T1083 #T1056.001 #T1204.001 #T1036 #T1027 #T1204.002 #T1566.002 #T1566.003 #T1124 #T1057 #T1059.005 #T1583.006 #T1566.001 #T1547.001 #T1585.002 #T1053.005 #T1583.001 #T1059.001 #T1036.005 #T1132.001 #T1001.003 #T1585.001 #T1497.001 #T1105 #T1553.002 #T1620 #T1574.002 #T1562.001 #T1027.002 #T1489 #T1078 #T1008 #T1573.001 #T1571 #T1491.001 #T1218 #T1220 #T1203 #T1189 #T1049 #T1564.001 #T1098 #T1016 #T1074.001 #T1588.002 #T1562.004 #T1591 #T1218.011 #T1583.004 #T1036.004 #T1588.003 #T1593.001 #T1218.005 #T1589.002 #T1584.001 #T1070.006 #T1048.003 #T1134.002 #T1027.007 #T1021.001 #T1106 #T1090.001 #T1070 #T1047 #T1574.013 #T1561.001 #T1036.003 #T1529 #T1055.001 #T1614.001 #T1010 #T1021.002 #T1033 #T1543.003 #T1485 #T1090.002 #T1542.003 #T1560.002 #T1012 #T1110 #T1547.009 #T1110.003 #T1534 #T1588.004 #T1104 #T1591.004 #T1561.002 #T1608.002 #T1202 #T1221 #T1557.001 #T1087.002 #T1560.003 #T1070.003 #T1021.004 #T0865

Shares tags: Lazarus, T1059.003, T1140

2024-07-19 • 49% Match

APT Quarterly Highlights : Q2 2024

Cyfirma

#Trend #Andariel #Kimsuky #MoonstoneSleet #Lazarus #T1082 #T1059.003 #T1090 #T1140 #T1005 #T1070.004 #T1041 #T1113 #T1555 #T1560 #T1071.001 #T1046 #T1112 #T1115 #T1083 #T1497 #T1056.001 #T1036 #T1027 #T1204.002 #T1566.002 #T1555.003 #T1071 #T1124 #T1222 #T1552 #T1057 #T1583.003 #T1518.001 #T1547.001 #T1053.005 #T1539 #T1608.005 #T1583.001 #T1059.001 #T1053 #T1552.001 #T1566 #T1059 #T1003 #T1497.001 #T1102.001 #T1574.002 #T1562.001 #T1490 #T1486 #T1129 #T1133 #T1571 #T1548 #T1190 #T1203 #T1564.001 #T1087 #T1562.004 #T1218.011 #T1070.006 #T1547 #T1068 #T1614 #T1573 #T1095 #T1562 #T1070 #T1047 #T1056 #T1176 #T1010 #T1033 #T1569.002 #T1543.003 #T1485 #T1012 #T1202 #T1087.002 #T1021.004 #T1222.001 #T1518 #T1564.003 #T1505.003 #T1069.002 #T1564 #T1595.002 #T1027.005 #T1070.001 #T1056.004 #T1584

Shares tags: Lazarus, T1059.003, T1140

2025-09-02 • 45% Match

Threat Actor Profile: Lazarus Group

Cyble

#Lazarus #T1059.003 #T1566.002 #T1566.003 #T1566.001 #T1053.005 #T1059.001 #T1203 #T1189 #T1047

Shares tags: Lazarus, T1059.003, T1566.002 • Published within a month

« Back