Lazarus Group Campaign Targeting the Cryptocurrency Vertical
2020-08-18 • WithSecure
F-Secure investigated a Lazarus Group intrusion against an organization in the cryptocurrency sector and tied it to a broader phishing campaign active since at least January 2018. Initial access came through a LinkedIn-delivered job advert lure that used a malicious Word macro, an LNK file, mshta, bit.ly redirection, VBScript, and PowerShell to retrieve further payloads. The operators deployed Themida-packed network backdoors, a custom PE loader registered through the LSA Security Packages mechanism, and main implants loaded into lsass.exe that could download files, execute commands, communicate with C2, and steal credentials. The intrusion also showed strong operational security: Lazarus disabled Windows Defender controls, used Mimikatz-style credential theft, modified registry settings, and securely deleted tooling and logs, leaving EDR telemetry as a key evidence source.
Indicators of Compromise