Lazarus Resurfaces, Targets Global Banks and Bitcoin Users

2018-02-12 McAfee

https://www.mcafee.com/blogs/other-blogs/mcafee-labs/lazarus-resurfaces-targets-global-banks-bitcoin-users/

McAfee ATR details HaoBao, a Lazarus phishing campaign that revived recruiter-themed malicious Word documents to target Bitcoin users and global financial organizations. Victims were prompted to enable macros, after which VBA code decrypted and wrote an implant to the temp directory, launched it with campaign-specific switches such as /haobao, created Startup-folder persistence, and displayed a benign decoy job description. The implants gathered host, user, process, and Bitcoin-Qt registry information before XOR and Base64 encoding the data for HTTP POST communication. Reported infrastructure included worker.co.kr at 210.122.7.129, deltaemis.com, and palgong-cc.co.kr at 221.164.168.185, with Dropbox used to distribute malicious documents. The campaign matters because McAfee observed previously unseen implants and a shift toward cryptocurrency-focused collection alongside Lazarus activity against financial targets.

Indicators of Compromise

Type    Value                              First Seen   Last Seen
DOMAIN  palgong-cc.co.kr                   2018-02-12   2025-10-18
DOMAIN  worker.co.kr                       2018-01-31   2025-10-18
HASH    7e70793c1ca82006775a0cac2bd75cc…   2018-02-12   2018-02-12
HASH    a79488b114f57bd3d8a7fa29e7647e2…   2018-02-12   2018-02-12
HASH    afb2595ce1ecf0fdb9631752e32f0e3…   2018-02-12   2018-02-12
HASH    535f212b320df049ae8b8ebe0a4f93e…   2018-02-12   2018-02-12
HASH    d4c93b85ffe88ddd552860b148831026   2018-02-12   2018-02-12
HASH    e8faa68daf62fbe2e10b3bac775cce5…   2018-02-12   2018-02-12
HASH    bdaedb14723c6c8a4688cc8fc1cfe668   2018-02-12   2018-02-12
HASH    dc06b737ce6ada23b4d179d81dc7d91…   2018-02-12   2018-02-12
HASH    1dd8eba55b16b90f7e8055edca6f495…   2018-02-12   2018-02-12
URL     https://www.dropbox.com/s/qje0y…   2018-02-12   2018-02-12
URL     http://deltaemis.com/CRCForm/3E…   2018-02-12   2018-02-12
URL     https://dl.dropboxusercontent.c…   2018-02-12   2018-02-12
URL     https://dl.dropboxusercontent.c…   2018-02-12   2018-02-12
URL     https://www.dropbox.com/s/q7w33…   2018-02-12   2018-02-12
DOMAIN  deltaemis.com                      2018-02-12   2018-02-12
IPv4    221.164.168.185                    2018-02-12   2018-02-12
IPv4    70.42.52.80                        2018-02-12   2018-02-12
IPv4    210.122.7.129                      2018-01-31   2018-02-12
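The summary above says the HaoBao implants beaconed by HTTP POST to the infrastructure listed in this table. The following is an added defender-side example, not code from McAfee or from the report: it sweeps a proxy log for connections to the domains and IPv4 addresses in the table, flags POST requests to them separately, and checks a file-hash inventory against the two MD5 values that appear in full on the page (the truncated hashes and the truncated Dropbox URLs are omitted, since partial values cannot be matched reliably). The log format, the sample log lines and the hash inventory are constructed for the example and are not from the report.

```python
import re
from dataclasses import dataclass

# Infrastructure from the Indicators of Compromise table on this page.
HAOBAO_DOMAINS = {"worker.co.kr", "deltaemis.com", "palgong-cc.co.kr"}
HAOBAO_IPS = {"210.122.7.129", "221.164.168.185", "70.42.52.80"}
# Only the two MD5 values shown in full on the page; the truncated ones are left out.
HAOBAO_MD5 = {"d4c93b85ffe88ddd552860b148831026", "bdaedb14723c6c8a4688cc8fc1cfe668"}

# Constructed sample proxy log (hypothetical format: timestamp src method url status bytes).
SAMPLE_PROXY_LOG = """\
2018-02-12T09:14:02Z 10.0.5.23 GET http://www.example.org/index.html 200 4120
2018-02-12T09:15:47Z 10.0.5.23 GET https://www.dropbox.com/s/constructed-id/job_description.doc 200 83245
2018-02-12T09:16:10Z 10.0.5.23 POST http://worker.co.kr/board/upload.php 200 512
2018-02-12T09:16:31Z 10.0.5.41 POST http://221.164.168.185/cgi/post.php 200 498
2018-02-12T09:17:02Z 10.0.5.23 GET https://updates.example.com/check 304 0
"""

LOG_RE = re.compile(r"^(\S+) (\S+) (GET|POST|PUT|HEAD) (\S+) (\d{3}) (\d+)$")
HOST_RE = re.compile(r"^https?://([^/:]+)")


@dataclass(frozen=True)
class Hit:
    timestamp: str
    src: str
    method: str
    host: str
    reason: str


def host_of(url):
    """Extract the host part of an http(s) URL, lower-cased; empty string if none."""
    m = HOST_RE.match(url)
    return m.group(1).lower() if m else ""


def matches_infrastructure(host):
    """Return 'ip', 'domain' (exact domain or a subdomain of it), or '' for no match."""
    if host in HAOBAO_IPS:
        return "ip"
    for d in HAOBAO_DOMAINS:
        if host == d or host.endswith("." + d):
            return "domain"
    return ""


def scan_proxy_log(text):
    """Return a Hit for every log line whose destination is listed infrastructure."""
    hits = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that do not fit the constructed format
        ts, src, method, url, _status, _size = m.groups()
        host = host_of(url)
        kind = matches_infrastructure(host)
        if kind:
            # The report describes POST beacons to this infrastructure, so note that explicitly.
            reason = f"{kind} match" + (", POST beacon" if method == "POST" else "")
            hits.append(Hit(ts, src, method, host, reason))
    return hits


def check_file_hashes(md5_inventory):
    """Return the names of files whose MD5 equals one of the full hashes from the report."""
    return sorted(name for name, h in md5_inventory.items() if h.lower() in HAOBAO_MD5)


if __name__ == "__main__":
    for hit in scan_proxy_log(SAMPLE_PROXY_LOG):
        print(hit)
    # Constructed inventory: one matching hash, one that does not match.
    print(check_file_hashes({"a.exe": "D4C93B85FFE88DDD552860B148831026", "b.exe": "00" * 16}))
```

Matching is done on the destination host rather than on the full URL because the report's URL paths are truncated on this page, and because the two DOMAIN entries with a Last Seen of 2025-10-18 suggest the hostnames outlive any single path. Dropbox is deliberately not matched as a host, since it is a shared service and a host-level rule would be almost entirely noise.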
