{ "type": "bundle", "id": "bundle--03f7265a-3ad4-4b11-bac7-e60fe0f2e3fd", "objects": [ { "type": "identity", "spec_version": "2.1", "id": "identity--ca5dce6f-a489-41da-b7fd-a36c98c913fa", "created": "2023-03-08T12:51:50.646001Z", "modified": "2023-03-08T12:51:50.646079Z", "name": "Att", "identity_class": "organization" }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--a4e7b58f-8575-4b46-b44f-d29bb584db46", "created": "2026-06-24T19:20:44.378239Z", "modified": "2026-06-24T19:20:44.378239Z", "name": "YARA Rule", "pattern": "rule LazarusCampaign_Payload_Jun2021 : WindowsMalware { meta: author = \"AlienLabs\" description = \"Detects Lazarus campaign downloader Jun2021.\" reference = \"https://otx.alienvault.com/pulse/294acafed42c6a4f546486636b4859c074e53d74be049df99932804be048f42c\" SHA256 = \"f5563f0e63d9deed90b683a15ebd2a1fda6b72987742afb40a1202ddb9e867d0\" strings: $a1 = \"Office ClickToRun\" wide ascii $a2 = \"C:\\\\Drivers\\\\\" condition: uint16(0) == 0x5A4D and all of them }", "pattern_type": "yara", "valid_from": "2021-07-06T00:00:00Z" }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--7438e13b-7e7b-4870-9666-063a41e1af60", "created": "2026-06-24T19:20:44.379064Z", "modified": "2026-06-24T19:20:44.379064Z", "name": "YARA Rule", "pattern": "rule LazarusCampaign_MacroDoc_Jun2021 : WindowsMalware { meta: author = \"AlienLabs\" description = \"Detects Lazarus campaign macro document Jun2021.\" reference = \"https://otx.alienvault.com/pulse/294acafed42c6a4f546486636b4859c074e53d74be049df99932804be048f42c\" SHA256 = \"294acafed42c6a4f546486636b4859c074e53d74be049df99932804be048f42c\" strings: $a1 = \"ZSBydW4gaW4gRE9TIG1vZGUuDQ0KJA\" ascii //run in DOS mode. - base64 encoded $a2 = \"c:\\\\Drivers\" $a3 = \"AAAAAAAAAA=\" ascii // base64 content $a4 = \"CreateObject(\\\"Scripting.FileSystemObject\\\").CreateTextFile\" $a5 = \"cmd /c copy\" $a6 = {73 79 73 74 65 6d 33 32 5c 2a 65 72 74 75 74 2a 2e 65 78 65} // system32\\*ertut*.exe $a7 = {25 73 79 73 74 65 6d 72 6f 6f 74 25 5c 65 78 70 2a 2e 65 78 65} // %systemroot%\\exp*.exe $a8 = \"sleep 1000\" $a9 = \"cmd /c explorer.exe /root\" $a10 = \"-decode \" $b = \"tAnNIbgBTM0hVGhpcyBwcm9ncmFtIGNhbm5v\" ascii //This program cannot - base64 encoded condition: uint16(0) == 0xCFD0 and filesize < 2000KB and $b and 5 of ($a*) }", "pattern_type": "yara", "valid_from": "2021-07-06T00:00:00Z" }, { "type": "file", "spec_version": "2.1", "id": "file--5f8c9a36-4df3-416e-85ab-75a1d0174774", "hashes": { "SHA-256": "9362425ae690b5bf74782eafe959195f25ac8bad370794efd4a08048141efb32" } }, { "type": "file", "spec_version": "2.1", "id": "file--78c0db1b-02d0-4f89-9db0-798bb1220153", "hashes": { "SHA-256": "ffec6e6d4e314f64f5d31c62024252abde7f77acdd63991cb16923ff17828885" } }, { "type": "file", "spec_version": "2.1", "id": "file--4a9b2cea-501c-4674-b71f-9015ed71f395", "hashes": { "SHA-256": "65f7211c3d7fde25154b4226a7bef0712579e0093020510f6a4bb4912a674695" } }, { "type": "file", "spec_version": "2.1", "id": "file--414047b8-02be-4b9c-a4e8-ab19ebe60de1", "hashes": { "SHA-256": "1690ce43530acf725f33aa30f715855d226d63276557d0e33fbcaf9b5ff9b84c" } }, { "type": "file", "spec_version": "2.1", "id": "file--7e7d14d8-9555-4492-ac8c-49f9a2d2bf3f", "hashes": { "SHA-256": "97515b70184f4553e5ae6b51d06a148b30d0a6632c077b98ad320e3c27cfd96f" } }, { "type": "file", "spec_version": "2.1", "id": "file--fb0b552e-f5be-421d-ba7d-e5f5f847d7d9", "hashes": { "SHA-256": "8e1746829851d28c555c143ce62283bc011bbd2acfa60909566339118c9c5c97" } }, { "type": "file", "spec_version": "2.1", "id": "file--bfc5c992-5ffa-4c74-a5c0-bf7aa973dab0", "hashes": { "SHA-256": "5c206b4dc2d3a25205176da9a1129c9f814c030a7bac245e3aaf7dd5d3ca4fbe" } }, { "type": "file", "spec_version": "2.1", "id": "file--8ea298c0-62ce-473c-a6ef-1f08b3a868d5", "hashes": { "SHA-256": "ebd6663d1df8228684a0b2146b68ce10169fc41c5e91c443fdf6f844f5ffeb62" } }, { "type": "file", "spec_version": "2.1", "id": "file--b3af2dc5-7535-4f64-b19e-20f2a2246c51", "hashes": { "SHA-256": "3b33b0739107411b978c3cbafb312a44b7488bd7adabae3e7b02059240b6dc83" } }, { "type": "file", "spec_version": "2.1", "id": "file--8feba35b-d645-4108-b4b3-b6d425d8f305", "hashes": { "SHA-256": "294acafed42c6a4f546486636b4859c074e53d74be049df99932804be048f42c" } }, { "type": "file", "spec_version": "2.1", "id": "file--53f608e4-90ec-4f45-9ea1-b072d7c29a1d", "hashes": { "SHA-256": "f5563f0e63d9deed90b683a15ebd2a1fda6b72987742afb40a1202ddb9e867d0" } }, { "type": "file", "spec_version": "2.1", "id": "file--aa1c5e3c-0327-412f-b1c9-fc2dcfce97b8", "hashes": { "SHA-256": "f53d4b3eb76851e88c6f30f1ecc67796bbd6678b8e2e9bc0a8f2582c42a467c6" } }, { "type": "file", "spec_version": "2.1", "id": "file--8778f84b-bb04-4f93-b3bc-fac9f4de05a6", "hashes": { "SHA-256": "e6dff9a5f74fff3a95e2dcb48b81b05af5cf5be73823d56c10eee80c8f17c845" } }, { "type": "domain-name", "spec_version": "2.1", "id": "domain-name--686ce3ab-6576-4b40-aefc-097279a8944f", "value": "shopweblive.com" }, { "type": "domain-name", "spec_version": "2.1", "id": "domain-name--9360e98b-dea9-4c98-ba7b-3bb23d60d3a5", "value": "allgraphicart.com" }, { "type": "threat-actor", "spec_version": "2.1", "id": "threat-actor--af08d5c9-f507-5ed5-9986-7ffea3df195b", "created": "2026-06-24T19:20:44.391114Z", "modified": "2026-06-24T19:20:44.391114Z", "name": "Lazarus" }, { "type": "report", "spec_version": "2.1", "id": "report--fde08e08-7c4e-4346-9f6e-64a9fdc81ade", "created_by_ref": "identity--ca5dce6f-a489-41da-b7fd-a36c98c913fa", "created": "2026-06-24T19:20:44.404283Z", "modified": "2026-06-24T19:20:44.404283Z", "name": "Lazarus campaign TTPs and evolution", "published": "2021-07-06T00:00:00Z", "object_refs": [ "identity--ca5dce6f-a489-41da-b7fd-a36c98c913fa", "indicator--a4e7b58f-8575-4b46-b44f-d29bb584db46", "indicator--7438e13b-7e7b-4870-9666-063a41e1af60", "file--5f8c9a36-4df3-416e-85ab-75a1d0174774", "file--78c0db1b-02d0-4f89-9db0-798bb1220153", "file--4a9b2cea-501c-4674-b71f-9015ed71f395", "file--414047b8-02be-4b9c-a4e8-ab19ebe60de1", "file--7e7d14d8-9555-4492-ac8c-49f9a2d2bf3f", "file--fb0b552e-f5be-421d-ba7d-e5f5f847d7d9", "file--bfc5c992-5ffa-4c74-a5c0-bf7aa973dab0", "file--8ea298c0-62ce-473c-a6ef-1f08b3a868d5", "file--b3af2dc5-7535-4f64-b19e-20f2a2246c51", "file--8feba35b-d645-4108-b4b3-b6d425d8f305", "file--53f608e4-90ec-4f45-9ea1-b072d7c29a1d", "file--aa1c5e3c-0327-412f-b1c9-fc2dcfce97b8", "file--8778f84b-bb04-4f93-b3bc-fac9f4de05a6", "domain-name--686ce3ab-6576-4b40-aefc-097279a8944f", "domain-name--9360e98b-dea9-4c98-ba7b-3bb23d60d3a5", "threat-actor--af08d5c9-f507-5ed5-9986-7ffea3df195b" ], "external_references": [ { "source_name": "source", "url": "https://cybersecurity.att.com/blogs/labs-research/lazarus-campaign-ttps-and-evolution" } ] } ] }