{ "type": "bundle", "id": "bundle--b1372572-3f4b-4127-959e-04db08808f86", "objects": [ { "type": "identity", "spec_version": "2.1", "id": "identity--dfd8e829-2936-4f98-b0a2-5598bf4b12d7", "created": "2023-03-08T12:51:58.042997Z", "modified": "2023-03-08T12:51:58.043076Z", "name": "Marcoramilli", "identity_class": "organization" }, { "type": "file", "spec_version": "2.1", "id": "file--32a11104-57c5-45d4-b8a6-ff979d01e960", "hashes": { "SHA-256": "bfb39f486372a509f307cde3361795a2f9f759cbeb4cac07562dcbaebc070364" } }, { "type": "file", "spec_version": "2.1", "id": "file--8c34a60f-c3b7-4828-8097-55b88d877be2", "hashes": { "SHA-256": "3cc9d9a12f3b884582e5c4daf7d83c4a510172a836de90b87439388e3cde3682" } }, { "type": "file", "spec_version": "2.1", "id": "file--2ac94e00-6955-4d5d-9340-b240db856ea7", "hashes": { "SHA-256": "c5c1ca4382f397481174914b1931e851a9c61f029e6b3eb8a65c9e92ddf7aa4c" } }, { "type": "file", "spec_version": "2.1", "id": "file--57cdcaba-a58c-4811-b9d1-c1c0e1aae4b7", "hashes": { "SHA-256": "a0664ac662802905329ec6ab3b3ae843f191e6555b707f305f8f5a0599ca3f68" } }, { "type": "file", "spec_version": "2.1", "id": "file--522d04ef-13ad-45d4-b15a-2ce531aae32a", "hashes": { "SHA-256": "93a01fbbdd63943c151679d037d32b1d82a55d66c6cb93c40ff63f2b770e5ca9" } }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--9e361b51-78f6-48ab-a3af-c19bf6aa4ee6", "created": "2026-06-24T19:51:37.371939Z", "modified": "2026-06-24T19:51:37.371939Z", "name": "YARA Rule", "pattern": "rule lazarus_dtrack { meta: description = \"lazarus - dtrack on nuclear implant KKNPP\" date = \"2019-11-02\" hash1 = \"bfb39f486372a509f307cde3361795a2f9f759cbeb4cac07562dcbaebc070364\" strings: $x1 = \"move /y %s \\\\\\\\10.38.1.35\\\\C$\\\\Windows\\\\Temp\\\\MpLogs\\\\\" fullword ascii $x2 = \"Execute_%s.log\" fullword ascii $x3 = \"%s\\\\%s\\\\AppData\\\\Roaming\\\\Mozilla\\\\Firefox\\\\Profiles\" fullword ascii $s4 = \"CCS_/c ping -n 3 127.0.0.1 >NUL & echo EEEE > \\\"%s\\\"\" fullword ascii $s5 = \"%s\\\\%s\\\\AppData\\\\Local\\\\Google\\\\Chrome\\\\User Data\\\\Default\\\\History\" fullword ascii $s6 = \"Usage: .system COMMAND\" fullword ascii $s7 = \"Usage: .dump ?--preserve-rowids? ?--newlines? ?LIKE-PATTERN?\" fullword ascii $s8 = \"CCS_shell32.dll\" fullword ascii $s9 = \"%s:%d: expected %d columns but found %d - filling the rest with NULL\" fullword ascii $s10 = \"%s:%d: expected %d columns but found %d - extras ignored\" fullword ascii $s11 = \"%s\\\\%s\\\\AppData\\\\Application Data\\\\Mozilla\\\\Firefox\\\\Profiles\" fullword ascii $s12 = \"net use \\\\\\\\10.38.1.35\\\\C$ su.controller5kk /user:KKNPP\\\\administrator\" fullword ascii $s13 = \"VALUES(0,'memo','Missing SELFTEST table - default checks only',''), (1,'run','PRAGMA integrity_check','ok')\" fullword ascii $s14 = \"CCS_Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/54.0.2840.99 Safari/537.36\" fullword ascii $s15 = \"Usage %s sub-command ?switches...?\" fullword ascii $s16 = \"Usage: .log FILENAME\" fullword ascii $s17 = \"Content-Disposition: form-data; name=\\\"result\\\"; filename=\\\"%s.bmp\\\"\" fullword ascii $s18 = \"%z%sSELECT pti.name FROM \\\"%w\\\".sqlite_master AS sm JOIN pragma_table_info(sm.name,%Q) AS pti WHERE sm.type='table'\" fullword ascii $s19 = \"CCS_kernel32.dll\" fullword ascii $s20 = \"CCS_Advapi32.dll\" fullword ascii condition: uint16(0) == 0x5a4d and filesize < 2000KB and ( pe.imphash() == \"75171549224b4292974d6ee3cf397db8\" or ( 1 of ($x*) or 4 of them ) ) }", "pattern_type": "yara", "valid_from": "2019-11-04T00:00:00Z" }, { "type": "file", "spec_version": "2.1", "id": "file--f9160671-3696-4820-b808-52987fe7d27e", "hashes": { "MD5": "75171549224b4292974d6ee3cf397db8" } }, { "type": "threat-actor", "spec_version": "2.1", "id": "threat-actor--a6b38f84-4a9c-5481-ad0c-9b5ee8bd5a96", "created": "2026-06-24T19:51:37.375149Z", "modified": "2026-06-24T19:51:37.375149Z", "name": "APT38" }, { "type": "threat-actor", "spec_version": "2.1", "id": "threat-actor--af08d5c9-f507-5ed5-9986-7ffea3df195b", "created": "2026-06-24T19:51:37.378814Z", "modified": "2026-06-24T19:51:37.378814Z", "name": "Lazarus" }, { "type": "report", "spec_version": "2.1", "id": "report--546b737a-7e71-4846-89a4-d4948dada970", "created_by_ref": "identity--dfd8e829-2936-4f98-b0a2-5598bf4b12d7", "created": "2026-06-24T19:51:37.379944Z", "modified": "2026-06-24T19:51:37.379944Z", "name": "Is Lazarus/APT38 Targeting Critical Infrastructures ?", "published": "2019-11-04T00:00:00Z", "object_refs": [ "identity--dfd8e829-2936-4f98-b0a2-5598bf4b12d7", "file--32a11104-57c5-45d4-b8a6-ff979d01e960", "file--8c34a60f-c3b7-4828-8097-55b88d877be2", "file--2ac94e00-6955-4d5d-9340-b240db856ea7", "file--57cdcaba-a58c-4811-b9d1-c1c0e1aae4b7", "file--522d04ef-13ad-45d4-b15a-2ce531aae32a", "indicator--9e361b51-78f6-48ab-a3af-c19bf6aa4ee6", "file--f9160671-3696-4820-b808-52987fe7d27e", "threat-actor--a6b38f84-4a9c-5481-ad0c-9b5ee8bd5a96", "threat-actor--af08d5c9-f507-5ed5-9986-7ffea3df195b" ], "external_references": [ { "source_name": "source", "url": "https://marcoramilli.com/2019/11/04/is-lazarus-apt38-targeting-critical-infrastructures/amp/" } ] } ] }