{
    "type": "bundle",
    "id": "bundle--6647e9c6-d7d9-429f-be5e-1277d51ba467",
    "objects": [
        {
            "type": "identity",
            "spec_version": "2.1",
            "id": "identity--0c272ef1-5f0e-48c5-9f31-03a81abefc67",
            "created": "2023-08-07T00:00:03.006951Z",
            "modified": "2024-08-12T00:23:21.615538Z",
            "name": "Checkmarx",
            "identity_class": "organization"
        },
        {
            "type": "indicator",
            "spec_version": "2.1",
            "id": "indicator--75aa261e-3025-4b0a-87af-4f67f86fa402",
            "created": "2026-06-24T19:51:13.821919Z",
            "modified": "2026-06-24T19:51:13.821919Z",
            "name": "YARA Rule",
            "pattern": "rule lazarus_2\r\n{\r\nmeta:\r\ndescription = \"Detects code which North Korea backed group known as lazarus, used to target its victims\"\r\nstrings:\r\n$pattern1 = /getsvnroot\\('[\\w\\.]+', '\\/getupdate\\.php', token, path\\.join\\(dir ,'check\\w+\\.js'\\)\\);/\r\n$pattern2 = \"function getsvnroot(domain, entry, token, path)\"\r\n$pattern3 = \"const token = fs.readFileSync(path.join(dir,'jsontoken'))\"\r\ncondition:\r\nall of them\r\n}",
            "pattern_type": "yara",
            "valid_from": "2023-08-02T00:00:00Z"
        },
        {
            "type": "indicator",
            "spec_version": "2.1",
            "id": "indicator--1f9c89b5-3179-4dc7-be68-aeff5bda805b",
            "created": "2026-06-24T19:51:13.822728Z",
            "modified": "2026-06-24T19:51:13.822728Z",
            "name": "YARA Rule",
            "pattern": "rule lazarus_1\r\n{\r\nmeta:\r\ndescription = \"Detects code which North Korea backed group known as lazarus, used to target its victims\"\r\nstrings:\r\n$pattern1 = /checksvn\\(path\\.join\\(dir,'\\/\\w+token'\\), 'http:\\/\\/[\\w\\.]+\\/checkupdate\\.php'\\);/\r\n$pattern2 = /checksvn\\(path\\.join\\(dir,'\\/\\w+token'\\), 'https:\\/\\/[\\w\\.]+\\/checkupdate\\.php'\\);/\r\n$pattern3 = \"process.env['NODE_TLS_REJECT_UNAUTHORIZED'] = 0\"\r\n$pattern4 = \"Tk9ERV9UTFNfUkVKRUNUX1VOQVVUSE9SSVpFRA==\"\r\n$pattern5 = \"function checksvn(version, projectUrl)\"\r\ncondition:\r\n($pattern1 or $pattern2) and ($pattern3 or $pattern4) and $pattern5\r\n}",
            "pattern_type": "yara",
            "valid_from": "2023-08-02T00:00:00Z"
        },
        {
            "type": "url",
            "spec_version": "2.1",
            "id": "url--f63c0401-88b5-4689-bc44-4946280f2228",
            "value": "https://cryptopriceoffer.com/checkupdate.php"
        },
        {
            "type": "domain-name",
            "spec_version": "2.1",
            "id": "domain-name--d35df7e3-e1a2-4c8c-b74f-f5f9c66bec87",
            "value": "npmaudit.com"
        },
        {
            "type": "domain-name",
            "spec_version": "2.1",
            "id": "domain-name--5c2c16fd-430c-462d-9d5c-9b3a8773eb48",
            "value": "cryptopriceoffer.com"
        },
        {
            "type": "domain-name",
            "spec_version": "2.1",
            "id": "domain-name--37294f87-8830-4d5d-8f6d-87c7cc7bc2c6",
            "value": "coingeckoprice.com"
        },
        {
            "type": "domain-name",
            "spec_version": "2.1",
            "id": "domain-name--9ffe09d5-2aa3-473e-a8be-ab4e5e4489f3",
            "value": "npmjscloud.com"
        },
        {
            "type": "domain-name",
            "spec_version": "2.1",
            "id": "domain-name--1050cb82-253c-434c-b2fe-0809aecac079",
            "value": "tradingprice.net"
        },
        {
            "type": "domain-name",
            "spec_version": "2.1",
            "id": "domain-name--ee86e641-8629-44f7-8bfb-9af319295a33",
            "value": "npmrepos.com"
        },
        {
            "type": "domain-name",
            "spec_version": "2.1",
            "id": "domain-name--9a40d3cb-28ae-4106-949b-26015de2da39",
            "value": "npmcloudjs.com"
        },
        {
            "type": "domain-name",
            "spec_version": "2.1",
            "id": "domain-name--8af6b192-9a3b-45b0-b81c-3b3ba28d0da1",
            "value": "bi2price.com"
        },
        {
            "type": "domain-name",
            "spec_version": "2.1",
            "id": "domain-name--3904f580-5d00-4f00-90b6-12a2e9d3ef62",
            "value": "npmjsregister.com"
        },
        {
            "type": "threat-actor",
            "spec_version": "2.1",
            "id": "threat-actor--832c6236-8da3-5a3f-9c46-fd0d5f10458d",
            "created": "2026-06-24T19:51:13.82898Z",
            "modified": "2026-06-24T19:51:13.82898Z",
            "name": "JadeSleet"
        },
        {
            "type": "report",
            "spec_version": "2.1",
            "id": "report--03683b05-21c0-4e1f-86f4-a8f1e9c4ee1f",
            "created_by_ref": "identity--0c272ef1-5f0e-48c5-9f31-03a81abefc67",
            "created": "2026-06-24T19:51:13.831538Z",
            "modified": "2026-06-24T19:51:13.831538Z",
            "name": "Lazarus Group Launches First Open Source Supply Chain Attacks Targeting Crypto Sector",
            "published": "2023-08-02T00:00:00Z",
            "object_refs": [
                "identity--0c272ef1-5f0e-48c5-9f31-03a81abefc67",
                "indicator--75aa261e-3025-4b0a-87af-4f67f86fa402",
                "indicator--1f9c89b5-3179-4dc7-be68-aeff5bda805b",
                "url--f63c0401-88b5-4689-bc44-4946280f2228",
                "domain-name--d35df7e3-e1a2-4c8c-b74f-f5f9c66bec87",
                "domain-name--5c2c16fd-430c-462d-9d5c-9b3a8773eb48",
                "domain-name--37294f87-8830-4d5d-8f6d-87c7cc7bc2c6",
                "domain-name--9ffe09d5-2aa3-473e-a8be-ab4e5e4489f3",
                "domain-name--1050cb82-253c-434c-b2fe-0809aecac079",
                "domain-name--ee86e641-8629-44f7-8bfb-9af319295a33",
                "domain-name--9a40d3cb-28ae-4106-949b-26015de2da39",
                "domain-name--8af6b192-9a3b-45b0-b81c-3b3ba28d0da1",
                "domain-name--3904f580-5d00-4f00-90b6-12a2e9d3ef62",
                "threat-actor--832c6236-8da3-5a3f-9c46-fd0d5f10458d"
            ],
            "external_references": [
                {
                    "source_name": "source",
                    "url": "https://medium.com/checkmarx-security/lazarus-group-launches-first-open-source-supply-chain-attacks-targeting-crypto-sector-cabc626e404e"
                }
            ]
        }
    ]
}