Lazarus covets COVID-19-related intelligence
2020-12-23 • Kaspersky •
https://securelist.com/lazarus-covets-covid-19-related-intelligence/99906/
Kaspersky reported two Lazarus-linked intrusions against COVID-19-related targets: a government health ministry compromised in October 2020 and a pharmaceutical company breached in September 2020. The ministry case used the wAgent malware cluster, including rundll32 execution of javac.dat with an AES key, in-memory payload loading, randomized C2 URL paths and POST parameter names, and follow-on shell commands for host and domain reconnaissance. The pharmaceutical case involved Bookcode malware previously associated with a South Korean software supply-chain attack. The report ties the incidents to Lazarus through malware and post-exploitation overlaps and shows the group collecting intelligence from pandemic-response and vaccine-related environments.
Indicators of Compromise
| Type | Value | First Seen | Last Seen |
|---|---|---|---|
| HASH | 4088946632e75498d9c478da782aa880 | 2020-12-23 | 2023-04-12 |
| HASH | 26545f5abb70fc32ac62fdab6d0ea5b2 | 2020-12-23 | 2020-12-23 |
| HASH | 0e44fcafab066abe99fe64ec6c46c84e | 2020-12-23 | 2020-12-23 |
| HASH | 5983db89609d0d94c3bcc88c6342b354 | 2020-12-23 | 2020-12-23 |
| HASH | 4814b06d056950749d07be2c799e8dc2 | 2020-12-23 | 2020-12-23 |
| HASH | dc3c2663bd9a991e0fbec791c20cbf92 | 2020-12-23 | 2020-12-23 |
| HASH | 9c6ba9678ff986bcf858de18a3114ef3 | 2020-12-23 | 2020-12-23 |
| URL | http://client.livesistemas.com/… | 2020-12-23 | 2020-12-23 |
| URL | https://www.locknlockmall.com/c… | 2020-12-23 | 2020-12-23 |
| URL | https://www.kne.co.kr/upload/Cu… | 2020-12-23 | 2020-12-23 |
| URL | http://www.k-kiosk.com/bbs/noti… | 2020-12-23 | 2020-12-23 |
| URL | https://www.gongim.com/board/aj… | 2020-12-23 | 2020-12-23 |
| URL | http://sistema.celllab.com.br/w… | 2020-12-23 | 2020-12-23 |
| URL | http://www.bytecortex.com.br/el… | 2020-12-23 | 2020-12-23 |
| URL | http://www.cometnet.biz/framewo… | 2020-12-23 | 2020-12-23 |
| URL | https://iski.silogica.net/event… | 2020-12-23 | 2020-12-23 |
| URL | https://sac.najatelecom.com.br/… | 2020-12-23 | 2020-12-23 |
| DOMAIN | iski.silogica.net | 2020-12-23 | 2020-12-23 |
| DOMAIN | javac.io | 2020-12-23 | 2020-12-23 |
| DOMAIN | client.livesistemas.com | 2020-12-23 | 2020-12-23 |
| DOMAIN | sistema.celllab.com.br | 2020-12-23 | 2020-12-23 |
| DOMAIN | sac.najatelecom.com.br | 2020-12-23 | 2020-12-23 |
Related Actors
Related Reports
2021-02-25 •
64% Match
#ThreatNeedle
#Defense
#Lazarus
#T1082
#T1059.003
#T1140
#T1070.004
#T1041
#T1071.001
#T1112
#T1083
#T1204.002
#T1566.002
#T1057
#T1547.001
#T1135
#T1070.002
#T1049
#T1132.002
#T1016
#T1036.004
#T1090.001
#T1036.003
#T1560.001
#T1021.002
#T1033
#T1569.002
#T1543.003
#T1104
#T1557.001
#T1070.003
#T1007
#T1572
Shares tags: Lazarus, T1082, T1059.003 • Same author: Kaspersky
2025-08-13 •
48% Match
#Lazarus
#T1102.002
#T1082
#T1059.003
#T1567.002
#T1140
#T1584.004
#T1005
#T1070.004
#T1587.001
#T1041
#T1560
#T1608.001
#T1071.001
#T1046
#T1083
#T1056.001
#T1204.001
#T1036
#T1027
#T1204.002
#T1566.002
#T1566.003
#T1124
#T1057
#T1059.005
#T1583.006
#T1566.001
#T1547.001
#T1585.002
#T1053.005
#T1583.001
#T1059.001
#T1036.005
#T1132.001
#T1001.003
#T1585.001
#T1497.001
#T1105
#T1553.002
#T1620
#T1574.002
#T1562.001
#T1027.002
#T1489
#T1078
#T1008
#T1571
#T1491.001
#T1218
#T1220
#T1203
#T1189
#T1049
#T1564.001
#T1098
#T1016
#T1074.001
#T1588.002
#T1562.004
#T1591
#T1218.011
#T1583.004
#T1036.004
#T1588.003
#T1218.010
#T1593.001
#T1218.005
#T1589.002
#T1584.001
#T1070.006
#T1048.003
#T1134.002
#T1027.007
#T1021.001
#T1106
#T1090.001
#T1573
#T1070
#T1047
#T1574.013
#T1561.001
#T1036.003
#T1529
#T1055.001
#T1614.001
#T1010
#T1021.002
#T1033
#T1543.003
#T1485
#T1090.002
#T1542.003
#T1560.002
#T1012
#T1110
#T1547.009
#T1110.003
#T1534
#T1588.004
#T1104
#T1591.004
#T1561.002
#T1608.002
#T1202
#T1221
#T1557.001
#T1087.002
#T1560.003
#T1070.003
#T1021.004
Shares tags: Lazarus, T1082, T1059.003
2021-12-02 •
48% Match
#Lazarus
#T1102.002
#T1082
#T1059.003
#T1567.002
#T1140
#T1584.004
#T1005
#T1070.004
#T1587.001
#T1041
#T1560
#T1608.001
#T1071.001
#T1046
#T1083
#T1056.001
#T1204.001
#T1036
#T1027
#T1204.002
#T1566.002
#T1566.003
#T1124
#T1057
#T1059.005
#T1583.006
#T1566.001
#T1547.001
#T1585.002
#T1053.005
#T1583.001
#T1059.001
#T1036.005
#T1132.001
#T1001.003
#T1585.001
#T1497.001
#T1105
#T1553.002
#T1620
#T1574.002
#T1562.001
#T1027.002
#T1489
#T1078
#T1008
#T1573.001
#T1571
#T1491.001
#T1218
#T1220
#T1203
#T1189
#T1049
#T1564.001
#T1098
#T1016
#T1074.001
#T1588.002
#T1562.004
#T1591
#T1218.011
#T1583.004
#T1036.004
#T1588.003
#T1593.001
#T1218.005
#T1589.002
#T1584.001
#T1070.006
#T1048.003
#T1134.002
#T1027.007
#T1021.001
#T1106
#T1090.001
#T1070
#T1047
#T1574.013
#T1561.001
#T1036.003
#T1529
#T1055.001
#T1614.001
#T1010
#T1021.002
#T1033
#T1543.003
#T1485
#T1090.002
#T1542.003
#T1560.002
#T1012
#T1110
#T1547.009
#T1110.003
#T1534
#T1588.004
#T1104
#T1591.004
#T1561.002
#T1608.002
#T1202
#T1221
#T1557.001
#T1087.002
#T1560.003
#T1070.003
#T1021.004
#T0865
Shares tags: Lazarus, T1082, T1059.003
2025-04-24 •
47% Match
#ThreatNeedle
#LPEClient
#SIGNBT
#AGAMEMNON
#Lazarus
#Innorix
#SyncHole
#CrossEX
#T1027.013
#T1082
#T1140
#T1071.001
#T1083
#T1057
#T1583.003
#T1583.001
#T1105
#T1620
#T1574.002
#T1135
#T1573.001
#T1190
#T1189
#T1049
#T1573.002
#T1016
#T1087.001
#T1218.011
#T1584.001
#T1574.001
#T1564.004
#T1027.009
#T1569.002
#T1543.003
#T1087.002
#T1570
#T1608.004
#T1547.005
#T1007
Shares tags: Lazarus, T1082, T1140 • Same author: Kaspersky
2020-12-15 •
46% Match
#Whitepaper
#YARA
#Lazarus
#T1005
#T1070.004
#T1071.001
#T1497
#T1204.002
#T1566.001
#T1547.001
#T1552.001
#T1135
#T1003.001
#T1068
#T1048
#T1560.001
#T1136.001
#T1021.002
#T1087.002
#T1039
Shares tags: Lazarus, T1071.001, T1021.002 • Published within a month
2017-11-14 •
44% Match
#Volgmer
#Lazarus
#T1082
#T1059.003
#T1005
#T1041
#T1071.001
#T1112
#T1518.001
#T1566.001
#T1001.003
#T1105
#T1571
#T1049
#T1016
#T1036.004
#T1070.006
#T1573
#T1055.001
#T1569.002
#T1543.003
#T1027.001
Shares tags: Lazarus, T1082, T1059.003