{ "type": "bundle", "id": "bundle--9bcb3683-9821-4804-beb5-0d319458374c", "objects": [ { "type": "identity", "spec_version": "2.1", "id": "identity--8668d146-eeac-4e79-a044-f0e8f62445be", "created": "2023-03-08T12:51:46.256897Z", "modified": "2023-03-09T23:01:57.67829Z", "name": "ESET", "identity_class": "organization" }, { "type": "file", "spec_version": "2.1", "id": "file--01dfda2e-b5a8-4cd8-8cf6-9f7cb337be42", "hashes": { "SHA-256": "cc307cfb401d1ae616445e78b610ab72e1c7fb49b298ea003dd26ea80372089a" } }, { "type": "ipv4-addr", "spec_version": "2.1", "id": "ipv4-addr--91345244-c916-4fd3-aac4-63f91de7a931", "value": "23.254.211.230" }, { "type": "ipv4-addr", "spec_version": "2.1", "id": "ipv4-addr--042b4e86-3aa7-440a-8a65-2e58c41f6849", "value": "172.93.201.88" }, { "type": "file", "spec_version": "2.1", "id": "file--e68ed59b-3df0-4b87-8eca-7149f5cac720", "hashes": { "SHA-256": "492a643bd1efdaca4ca125ade1b606e7bbf00e995ac9115ac84d1c4c59cb66dd" } }, { "type": "file", "spec_version": "2.1", "id": "file--c88f64ce-6c0e-4d3b-9458-eac13d4200e6", "hashes": { "SHA-1": "3a63477a078ce10e53dfb5639e35d74f93cefa81" } }, { "type": "file", "spec_version": "2.1", "id": "file--d9113dee-f806-4680-8024-867e5af1afbb", "hashes": { "SHA-1": "9d8bade2030c93d0a010aa57b90915eb7d99ec82" } }, { "type": "file", "spec_version": "2.1", "id": "file--9a0b40ae-6bd2-45e4-a4be-b6f29468a764", "hashes": { "MD5": "3cf7232e5185109321921046d039cf10" } }, { "type": "file", "spec_version": "2.1", "id": "file--ff209256-8d15-452c-b168-bfa89ba65190", "hashes": { "MD5": "aac5a52b939f3fe792726a13ff7a1747" } }, { "type": "file", "spec_version": "2.1", "id": "file--2fecd424-195a-493e-b478-7d8158f4745c", "hashes": { "SHA-1": "0ca1723afe261cd85b05c9ef424fc50290dce7df" } }, { "type": "file", "spec_version": "2.1", "id": "file--1dff9890-b3fc-4f6f-8aae-bc31cd377fad", "hashes": { "SHA-256": "f638e5a20114019ad066dd0e856f97fd865798d8fbed1766662d970beff652ca" } }, { "type": "file", "spec_version": "2.1", "id": "file--0438db89-20c0-474e-84d9-3ee193c93943", "hashes": { "SHA-1": "f6760fb1f8b019af2304ea6410001b63a1809f1d" } }, { "type": "file", "spec_version": "2.1", "id": "file--135e48c5-ca7e-4505-b480-de3f9e200b32", "hashes": { "MD5": "fc41cb8425b6432af8403959bb59430d" } }, { "type": "ipv4-addr", "spec_version": "2.1", "id": "ipv4-addr--6946663f-bd7f-4c12-ae3d-27078c170d03", "value": "38.108.185.79" }, { "type": "ipv4-addr", "spec_version": "2.1", "id": "ipv4-addr--2ec1c37d-d46f-4542-b41c-e74203e9f187", "value": "38.108.185.115" }, { "type": "domain-name", "spec_version": "2.1", "id": "domain-name--e5e1acc1-ffc9-41a0-aa27-f170852a8d4f", "value": "journalide.org" }, { "type": "file", "spec_version": "2.1", "id": "file--38ad0efe-3b9d-4d4a-ba13-917f7e6be387", "hashes": { "SHA-1": "2acc6f1d4656978f4d503929b8c804530d7e7cf6" } }, { "type": "file", "spec_version": "2.1", "id": "file--2c906541-b87c-4749-ad04-d40a49a1abaf", "hashes": { "SHA-1": "d288766fa268bc2534f85fd06a5d52264e646c47" } }, { "type": "file", "spec_version": "2.1", "id": "file--77f5af89-c5b3-44c4-9824-75f78b48d1f1", "hashes": { "SHA-1": "7491bd61ed15298ce5ee5ffd01c8c82a2cdb40ec" } }, { "type": "file", "spec_version": "2.1", "id": "file--5be15bf7-3933-473c-9374-2168475384d5", "hashes": { "SHA-1": "58b0516d28bd7218b1908fb266b8fe7582e22a5f" } }, { "type": "file", "spec_version": "2.1", "id": "file--c0edd9cc-5042-4071-b155-3bfb037846bf", "hashes": { "SHA-256": "eebb01932de0b5605dd460cc82844d8693c00ea8ab5ffdf8dbede6528c1c18fd" } }, { "type": "file", "spec_version": "2.1", "id": "file--754b264e-50b2-421c-be49-6b3f5f721cb8", "hashes": { "MD5": "cedb9cdbad254f60cfb215b9bff84fb9" } }, { "type": "file", "spec_version": "2.1", "id": "file--9542d271-86c6-4f6a-92fb-d6e1e47a96c7", "hashes": { "SHA-1": "1c66e67a8531e3ff1c64ae57e6edfde7bef2352d" } }, { "type": "file", "spec_version": "2.1", "id": "file--03e99ce9-76d6-4fbe-90a7-916487630f4b", "hashes": { "SHA-1": "dcef83d8ee080b54dc54759c59f955e73d67aa65" } }, { "type": "file", "spec_version": "2.1", "id": "file--17cab31c-74fd-46ea-b77e-67b3252283e6", "hashes": { "SHA-1": "3b88cda62cdd918b62ef5aa8c5a73a46f176d18b" } }, { "type": "file", "spec_version": "2.1", "id": "file--f1f2c8e0-67e4-438e-8759-aa3338c80efd", "hashes": { "SHA-1": "cad1120d91b812acafef7175f949dd1b09c6c21a" } }, { "type": "file", "spec_version": "2.1", "id": "file--e8b34e31-87d6-4837-ab56-c9580f9dfaa2", "hashes": { "SHA-1": "5b03294b72c0caa5fb20e7817002c600645eb475" } }, { "type": "file", "spec_version": "2.1", "id": "file--b5c372c4-0af9-4205-8e4e-f982d341a9e7", "hashes": { "SHA-1": "65122e5129fc74d6b5ebafcc3376abae0145bc14" } }, { "type": "url", "spec_version": "2.1", "id": "url--e5ae0977-3698-4969-9019-87c939c6401c", "value": "https://journalide.org/djour.php" }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--464d903c-47ae-49f4-a411-f3df6b1e0030", "created": "2026-06-24T18:12:30.327431Z", "modified": "2026-06-24T18:12:30.327431Z", "name": "YARA Rule", "pattern": "/*\r\nThe following rule will only work with YARA version >= 3.11.0\r\n*/\r\nimport \"pe\"\r\nrule RichHeaders_Lazarus_NukeSped_IconicPayloads_3CX_Q12023\r\n{\r\nmeta:\r\ndescription = \" Rich Headers-based rule covering the IconicLoader and IconicStealer from the 3CX supply chain incident, and also payloads from the cryptocurrency campaigns from 2022-12\"\r\nauthor = \"ESET Research\"\r\ndate = \"2023-03-31\"\r\nhash = \"3B88CDA62CDD918B62EF5AA8C5A73A46F176D18B\"\r\nhash = \"CAD1120D91B812ACAFEF7175F949DD1B09C6C21A\"\r\nhash = \"5B03294B72C0CAA5FB20E7817002C600645EB475\"\r\nhash = \"7491BD61ED15298CE5EE5FFD01C8C82A2CDB40EC\"\r\ncondition:\r\npe.rich_signature.toolid(259, 30818) == 9 and\r\npe.rich_signature.toolid(256, 31329) == 1 and\r\npe.rich_signature.toolid(261, 30818) >= 30 and pe.rich_signature.toolid(261, 30818) <= 38 and\r\npe.rich_signature.toolid(261, 29395) >= 134 and pe.rich_signature.toolid(261, 29395) <= 164 and\r\npe.rich_signature.toolid(257, 29395) >= 6 and pe.rich_signature.toolid(257, 29395) <= 14\r\n}", "pattern_type": "yara", "valid_from": "2023-04-20T00:00:00Z" }, { "type": "url", "spec_version": "2.1", "id": "url--b08ee5a3-01f3-4a9e-b216-30c600523ede", "value": "https://od.lk/d/NTJfMzg4MDE1NzJf/vxmedia" }, { "type": "report", "spec_version": "2.1", "id": "report--766ca1e5-0d57-44ba-b602-f192f1ad64da", "created_by_ref": "identity--8668d146-eeac-4e79-a044-f0e8f62445be", "created": "2026-06-24T18:12:30.360031Z", "modified": "2026-06-24T18:12:30.360031Z", "name": "Linux malware strengthens links between Lazarus and the 3CX supply\u2011chain attack", "published": "2023-04-20T00:00:00Z", "object_refs": [ "identity--8668d146-eeac-4e79-a044-f0e8f62445be", "file--01dfda2e-b5a8-4cd8-8cf6-9f7cb337be42", "ipv4-addr--91345244-c916-4fd3-aac4-63f91de7a931", "ipv4-addr--042b4e86-3aa7-440a-8a65-2e58c41f6849", "file--e68ed59b-3df0-4b87-8eca-7149f5cac720", "file--c88f64ce-6c0e-4d3b-9458-eac13d4200e6", "file--d9113dee-f806-4680-8024-867e5af1afbb", "file--9a0b40ae-6bd2-45e4-a4be-b6f29468a764", "file--ff209256-8d15-452c-b168-bfa89ba65190", "file--2fecd424-195a-493e-b478-7d8158f4745c", "file--1dff9890-b3fc-4f6f-8aae-bc31cd377fad", "file--0438db89-20c0-474e-84d9-3ee193c93943", "file--135e48c5-ca7e-4505-b480-de3f9e200b32", "ipv4-addr--6946663f-bd7f-4c12-ae3d-27078c170d03", "ipv4-addr--2ec1c37d-d46f-4542-b41c-e74203e9f187", "domain-name--e5e1acc1-ffc9-41a0-aa27-f170852a8d4f", "file--38ad0efe-3b9d-4d4a-ba13-917f7e6be387", "file--2c906541-b87c-4749-ad04-d40a49a1abaf", "file--77f5af89-c5b3-44c4-9824-75f78b48d1f1", "file--5be15bf7-3933-473c-9374-2168475384d5", "file--c0edd9cc-5042-4071-b155-3bfb037846bf", "file--754b264e-50b2-421c-be49-6b3f5f721cb8", "file--9542d271-86c6-4f6a-92fb-d6e1e47a96c7", "file--03e99ce9-76d6-4fbe-90a7-916487630f4b", "file--17cab31c-74fd-46ea-b77e-67b3252283e6", "file--f1f2c8e0-67e4-438e-8759-aa3338c80efd", "file--e8b34e31-87d6-4837-ab56-c9580f9dfaa2", "file--b5c372c4-0af9-4205-8e4e-f982d341a9e7", "url--e5ae0977-3698-4969-9019-87c939c6401c", "indicator--464d903c-47ae-49f4-a411-f3df6b1e0030", "url--b08ee5a3-01f3-4a9e-b216-30c600523ede" ], "external_references": [ { "source_name": "source", "url": "https://www.welivesecurity.com/2023/04/20/linux-malware-strengthens-links-lazarus-3cx-supply-chain-attack/" } ] } ] }