Lazarus Group Uses CookiePlus Malware to Target Nuclear Engineers – Active IOCs
2024-12-23 • Rewterz
Lazarus is reported to have targeted at least two employees of an unidentified nuclear-related organization in January 2024 as part of Operation Dream Job (also tracked as NukeSped). The lure was a fake skills assessment: the targets were handed trojanized remote-access tools such as VNC and PuTTY, among them a trojanized AmazonVNC.exe that side-loaded a malicious vnclang.dll placed in the same directory. That chain delivered MISTPEN, LPEClient, RollMid, CookieTime, and the modular CookiePlus backdoor. CookiePlus masqueraded as a legitimate software component, such as a Notepad++ plugin or a DirectX wrapper, retrieved Base64-encoded, RSA-encrypted payloads from its C2 server, and could execute the resulting DLLs or shellcode; the observed plugins collected system information and adjusted the backdoor's sleep timing. For defenders, the side-loading pair (a VNC binary beside vnclang.dll in a user-writable location) is the most directly huntable artifact, since the later stages are fetched on demand and may never touch disk in a recognizable form.
Indicators of Compromise
The first ten hash values below are truncated in the source (31 hex characters followed by an ellipsis) and can only be used as prefix matches, not as exact indicators; the last five are complete 32-hex-character (MD5-length) values.
| Type | Value | First Seen | Last Seen |
|---|---|---|---|
| HASH | 58f2972c6a8fc743543f7b8c4df085c… | 2024-12-23 | 2026-04-03 |
| HASH | f5873ecd60390e7b86db5ddaf158ed2… | 2024-12-23 | 2025-11-20 |
| HASH | 8edcd1d8d390d61587d334f4527e569… | 2024-12-23 | 2024-12-23 |
| HASH | 1876e829b675e86e950f2e701ab9b2c… | 2024-12-23 | 2024-12-23 |
| HASH | ba5f3bbe77eef8e730fde5f7ab493e4… | 2024-12-23 | 2024-12-23 |
| HASH | 6f9b79c20330a7c8ade8285866e5602… | 2024-12-23 | 2024-12-23 |
| HASH | 57d60872a6239449116c9c609838906… | 2024-12-23 | 2024-12-23 |
| HASH | 0d17d477207d717f4e1be67e96c925a… | 2024-12-23 | 2024-12-23 |
| HASH | 95dc085b0fea4a8d80df11ba1409a2d… | 2024-12-23 | 2024-12-23 |
| HASH | 2a900fbfdd65dafe6fadc4d5706e151… | 2024-12-23 | 2024-12-23 |
| HASH | cf8c0999c148d764667b1a269c28bdcb | 2024-12-19 | 2024-12-23 |
| HASH | 4c4abe85a1c68ba8385d2cb928ac5646 | 2024-12-19 | 2024-12-23 |
| HASH | 00a2952a279f9c84ae71367d5b8990c1 | 2024-12-19 | 2024-12-23 |
| HASH | 5eac943e23429a77d9766078e760fc0b | 2024-12-19 | 2024-12-23 |
| HASH | 80ab98c10c23b7281a2bf1489fc98c0d | 2024-12-19 | 2024-12-23 |
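The following hunter is an added example, not code from the Rewterz advisory or from any vendor tool. It turns the table above into something a responder can run against a file share or a collected triage image: it streams MD5, SHA-1 and SHA-256 over every file, matches the five complete values exactly, matches the ten truncated values as hex prefixes against all three digests (the source does not say which algorithm they are; a 124-bit prefix hit is still conclusive in practice but should be confirmed against the full indicator), and flags any directory that holds both AmazonVNC.exe and vnclang.dll, the side-loading pair described in the summary. The names `FULL_MD5`, `HASH_PREFIXES`, `match_digests`, `find_sideload_pairs` and `scan_tree` are this example's own; the sample paths in the usage note are constructed.

```python
"""IOC hunter for the CookiePlus / Operation Dream Job indicators above.

Assumptions (not stated by the advisory):
- the 31-character table values are truncated hex digests of an unspecified
  algorithm, so they are matched only as prefixes against MD5/SHA-1/SHA-256;
- the 32-character table values are complete MD5 digests;
- the side-loading pair is a trojanized AmazonVNC.exe beside vnclang.dll.
"""
import hashlib
from pathlib import Path

# Complete 32-hex-character (MD5-length) values copied from the IOC table.
FULL_MD5 = {
    "cf8c0999c148d764667b1a269c28bdcb",
    "4c4abe85a1c68ba8385d2cb928ac5646",
    "00a2952a279f9c84ae71367d5b8990c1",
    "5eac943e23429a77d9766078e760fc0b",
    "80ab98c10c23b7281a2bf1489fc98c0d",
}

# Values the table truncates; usable only as prefixes. The algorithm is
# unknown, so each prefix is tried against every digest we compute.
HASH_PREFIXES = (
    "58f2972c6a8fc743543f7b8c4df085c",
    "f5873ecd60390e7b86db5ddaf158ed2",
    "8edcd1d8d390d61587d334f4527e569",
    "1876e829b675e86e950f2e701ab9b2c",
    "ba5f3bbe77eef8e730fde5f7ab493e4",
    "6f9b79c20330a7c8ade8285866e5602",
    "57d60872a6239449116c9c609838906",
    "0d17d477207d717f4e1be67e96c925a",
    "95dc085b0fea4a8d80df11ba1409a2d",
    "2a900fbfdd65dafe6fadc4d5706e151",
)

SIDELOAD_HOST = "amazonvnc.exe"   # trojanized host binary named in the advisory
SIDELOAD_DLL = "vnclang.dll"      # DLL it side-loads


def file_digests(path):
    """Return {'md5': ..., 'sha1': ..., 'sha256': ...} for one file, streamed."""
    hashers = {name: hashlib.new(name) for name in ("md5", "sha1", "sha256")}
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 20), b""):
            for h in hashers.values():
                h.update(chunk)
    return {name: h.hexdigest() for name, h in hashers.items()}


def match_digests(digests):
    """Match a digest dict against the IOC list.

    Returns (kind, algorithm, indicator) tuples: kind is 'full' for an exact
    MD5 hit and 'prefix' for a hit on one of the truncated indicators.
    """
    hits = []
    md5 = digests.get("md5", "").lower()
    if md5 in FULL_MD5:
        hits.append(("full", "md5", md5))
    for algo, value in digests.items():
        value = value.lower()
        for prefix in HASH_PREFIXES:
            if value.startswith(prefix):
                hits.append(("prefix", algo, prefix))
    return hits


def find_sideload_pairs(paths):
    """Return directories (as strings) that contain both the host binary and
    the side-loaded DLL, compared case-insensitively as on NTFS."""
    by_dir = {}
    for p in paths:
        p = Path(p)
        by_dir.setdefault(str(p.parent), set()).add(p.name.lower())
    return sorted(d for d, names in by_dir.items()
                  if SIDELOAD_HOST in names and SIDELOAD_DLL in names)


def scan_tree(root):
    """Walk a directory tree; return (hash_hits, sideload_dirs)."""
    all_files = [p for p in Path(root).rglob("*") if p.is_file()]
    hash_hits = []
    for p in all_files:
        try:
            hits = match_digests(file_digests(p))
        except OSError:
            continue  # unreadable file: skip it rather than abort the sweep
        for hit in hits:
            hash_hits.append((str(p),) + hit)
    return hash_hits, find_sideload_pairs(all_files)


if __name__ == "__main__":
    import sys
    hits, pairs = scan_tree(sys.argv[1] if len(sys.argv) > 1 else ".")
    for hit in hits:
        print("HASH", *hit)
    for d in pairs:
        print("SIDELOAD-PAIR", d)
```

Run it as `python hunt.py /mnt/triage` over a mounted image or a user's profile directory. A `prefix` hit names the truncated indicator and the digest algorithm it matched, so the analyst knows which full-length value to request from the vendor before acting on it; a `SIDELOAD-PAIR` line is worth investigating even with no hash hit, because a recompiled AmazonVNC.exe or vnclang.dll defeats hash matching but not the co-location check.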