Lazarus Group targets Aerospace and Defense with new Comebacker variant
2025-11-07 • ENKI
ENKI identified a Lazarus-attributed Comebacker variant delivered through malicious Word documents staged on office-theme[.]com and themed around aerospace and defense organizations. When macros run, the dropper decrypts a loader and decoy document, writes wpsoffice_aam.ocx and USOPrivate.dll, creates Startup-folder persistence, and executes the final Comebacker payload in memory. Comebacker beacons over HTTPS to hiremployee[.]com with AES-encrypted and Base64-encoded traffic, then can download encrypted follow-on payloads after MD5 validation and ChaCha20 decryption. Infrastructure pivoting found birancearea[.]com and a related March 2025 Comebacker sample, indicating the campaign may have been active before the observed June 2025 documents.
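The behaviour chain above (staging domain, C2 domain, two dropped file names, Startup-folder persistence) is enough to build a simple host-and-proxy log matcher. The following Python is an added example, not code from ENKI or from the report; it runs over a few constructed log lines (not real telemetry) in a normalised "timestamp source key=value" shape, with Sysmon event 11 standing in for file-create events. It uses only the domains and file names the write-up gives; the hashes in the table are truncated, so they are deliberately left out.

```python
import re

# Indicators taken from the write-up above: staging/C2 domains and the two
# files the dropper writes. No hashes: the IoC table truncates them.
C2_DOMAINS = {"hiremployee.com", "birancearea.com", "office-theme.com"}
DROPPED_FILES = {"wpsoffice_aam.ocx", "usoprivate.dll"}

# Per-user Startup folder, the persistence location named in the write-up.
STARTUP_DIR_RE = re.compile(
    r"\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\", re.IGNORECASE
)
# key=value pairs; values containing spaces (paths) are double-quoted.
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

# Constructed sample events (not from the report). The Startup-folder file
# name is a placeholder; the write-up does not name the persistence artefact.
SAMPLE_LOGS = [
    "2025-06-12T09:14:03Z proxy src=10.0.0.15 method=POST host=hiremployee.com url=/ status=200",
    "2025-06-12T09:14:05Z proxy src=10.0.0.15 method=GET host=office-theme.com url=/quote.docm status=200",
    '2025-06-12T09:14:07Z sysmon eid=11 image="C:\\Program Files\\Microsoft Office\\root\\Office16\\WINWORD.EXE" '
    'target="C:\\Users\\a\\AppData\\Roaming\\wpsoffice_aam.ocx"',
    '2025-06-12T09:14:08Z sysmon eid=11 image="C:\\Program Files\\Microsoft Office\\root\\Office16\\WINWORD.EXE" '
    'target="C:\\Users\\a\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\OfficeUpdate.lnk"',
    "2025-06-12T09:20:00Z proxy src=10.0.0.22 method=GET host=www.example.org url=/ status=200",
    "2025-06-12T09:21:11Z proxy src=10.0.0.15 method=GET host=birancearea.com url=/adminv2 status=200",
]


def parse(line):
    """Split one normalised log line into a dict with ts, source and k=v fields."""
    ts, source, rest = line.split(" ", 2)
    rec = {"ts": ts, "source": source}
    for key, value in KV_RE.findall(rest):
        rec[key] = value.strip('"')
    return rec


def domain_matches(host, iocs):
    """True for an exact IoC domain or any subdomain of it, never for a lookalike."""
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in iocs)


def evaluate(rec):
    """Return (rule, evidence) hits for one parsed record."""
    hits = []
    if rec["source"] == "proxy" and domain_matches(rec.get("host", ""), C2_DOMAINS):
        hits.append(("comebacker_c2_domain", rec["host"]))
    if rec["source"] == "sysmon" and rec.get("eid") == "11":
        target = rec.get("target", "")
        image = rec.get("image", "").lower()
        if target.rsplit("\\", 1)[-1].lower() in DROPPED_FILES:
            hits.append(("comebacker_dropped_file", target))
        # Office writing into the Startup folder is the persistence step described above.
        if STARTUP_DIR_RE.search(target) and image.endswith("winword.exe"):
            hits.append(("office_startup_persistence", target))
    return hits


def scan(lines):
    """Run every rule over every line; returns (timestamp, rule, evidence) tuples."""
    results = []
    for line in lines:
        rec = parse(line)
        for rule, evidence in evaluate(rec):
            results.append((rec["ts"], rule, evidence))
    return results


if __name__ == "__main__":
    for ts, rule, evidence in scan(SAMPLE_LOGS):
        print(f"{ts} {rule}: {evidence}")
```

Domain matching is done by suffix on a dot boundary so that `cdn.hiremployee.com` matches while a lookalike such as `nothiremployee.com` does not. Hash matching needs the full values from the source report; the truncated entries in the table below cannot be used for that.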
Indicators of Compromise
| Type | Value | First Seen | Last Seen |
|---|---|---|---|
| HASH | 7e61c884ce5207839e0df7a22f08f0a… | 2025-11-07 | 2025-11-07 |
| HASH | f2b3867aa06fb38d1505b3c2b9e523d… | 2025-11-07 | 2025-11-07 |
| HASH | 96b973e577458e5b912715171070c0a… | 2025-11-07 | 2025-11-07 |
| HASH | b7d625679fbcc86510119920ffdd6d2… | 2025-11-07 | 2025-11-07 |
| HASH | 14213c013d79ea4bc8309f730e26d52… | 2025-11-07 | 2025-11-07 |
| HASH | b357b3882cf8107b1cb59015c4be3e0… | 2025-11-07 | 2025-11-07 |
| HASH | c4a5179a42d9ff2774f7f1f937086c8… | 2025-11-07 | 2025-11-07 |
| HASH | ad9c5aca9977d04c73be579199a8270… | 2025-11-07 | 2025-11-07 |
| HASH | 046caa2db6cd14509741890e971ddc8… | 2025-11-07 | 2025-11-07 |
| URL | https://birancearea.com/adminv2 | 2025-11-07 | 2025-11-07 |
| URL | https://hiremployee.com | 2025-11-07 | 2025-11-07 |
| DOMAIN | hiremployee.com | 2025-11-07 | 2025-11-07 |
| DOMAIN | birancearea.com | 2025-11-07 | 2025-11-07 |
| DOMAIN | office-theme.com | 2025-11-07 | 2025-11-07 |
| HASH | a75886b016d84c3eaacaf01a3c61e04… | 2021-01-25 | 2025-11-07 |