Mac Backdoor Linked to Lazarus Targets Korean Users

2019-11-20 Trend Micro

https://blog.trendmicro.com/trendlabs-security-intelligence/mac-backdoor-linked-to-lazarus-targets-korean-users/


Trend Micro describes a Lazarus-attributed macOS NUKESPED campaign targeting Korean users through a macro-enabled Excel lure and a separate malicious Flash Player app bundle. The macro contacted crabbedly[.]club, craypot[.]live, and indagator[.]club, while the Mac bundle ran a decoy Flash Player, dropped a hidden Backdoor.MacOS.NUKESPED.A file, and installed persistence with ~/Library/LaunchAgents/com.adobe.macromedia.plist. The backdoor used command-driven C2 functions such as host information collection and configuration updates, showing Lazarus moving from cross-platform macro delivery toward more OS-specific macOS tradecraft.
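The following is an added example, not code from the Trend Micro report or from this page's source: it takes the network indicators listed below and the LaunchAgents persistence path named above and shows how a defender would match them against proxy-style log lines and check a user's LaunchAgents directory. The log lines are constructed for the example, the log format and the `host_matches` label-aware suffix rule are assumptions of this example, and the persistence check only tests for the plist's presence.

```python
"""
Added example (not from Trend Micro's report): match the indicators listed on
this page against constructed proxy log lines and check a macOS user's
LaunchAgents directory for the persistence plist the report names.
"""
import os
import re
import tempfile
from urllib.parse import urlparse

# Indicators taken from the table on this page.
IOC_DOMAINS = {"indagator.club", "craypot.live", "crabbedly.club"}
IOC_URLS = {
    "https://indagator.club/board.php",
    "https://craypot.live/board.php",
    "https://crabbedly.club/board.php",
}
PERSISTENCE_PLIST = "com.adobe.macromedia.plist"  # ~/Library/LaunchAgents/...

# Constructed sample log lines (assumed format: timestamp, client, method, url, status).
SAMPLE_LOGS = """\
2019-11-13T09:12:01Z 10.0.0.21 POST https://craypot.live/board.php 200
2019-11-13T09:12:05Z 10.0.0.21 GET https://www.example.com/index.html 200
2019-11-13T09:13:40Z 10.0.0.33 GET https://cdn.crabbedly.club/update.bin 404
2019-11-13T09:14:02Z 10.0.0.44 GET https://indagator.club/board.php 200
2019-11-13T09:15:00Z 10.0.0.55 GET https://craypot.live.example.net/ 200
""".splitlines()

LOG_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\d{3})$")


def host_matches(host, ioc_domains):
    """True if host equals an IoC domain or is a subdomain of one.
    The check is label-aware, so 'craypot.live.example.net' does not match
    'craypot.live' the way a plain substring test would."""
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in ioc_domains)


def scan_logs(lines, ioc_domains=IOC_DOMAINS, ioc_urls=IOC_URLS):
    """Return (line_no, client, url, reason) for each line that hits an IoC.
    Exact URL matches are reported as 'url', host-only matches as 'domain'."""
    hits = []
    for n, line in enumerate(lines, 1):
        m = LOG_RE.match(line)
        if not m:
            continue  # lines not in the assumed format are skipped, not errors
        _ts, client, _method, url, _status = m.groups()
        if url in ioc_urls:
            hits.append((n, client, url, "url"))
        elif host_matches(urlparse(url).hostname or "", ioc_domains):
            hits.append((n, client, url, "domain"))
    return hits


def find_persistence(launch_agents_dir, plist_name=PERSISTENCE_PLIST):
    """Return the full path of the named LaunchAgent plist if present, else None.
    A real triage would also read the plist's ProgramArguments to see what it launches."""
    path = os.path.join(launch_agents_dir, plist_name)
    return path if os.path.isfile(path) else None


def demo_persistence_check():
    """Self-contained demo using a temp directory instead of the real home:
    an empty LaunchAgents dir yields None; one containing the plist yields its path."""
    with tempfile.TemporaryDirectory() as d:
        before = find_persistence(d)
        with open(os.path.join(d, PERSISTENCE_PLIST), "w") as f:
            f.write("<plist/>")  # constructed placeholder content
        after = find_persistence(d)
    return before is None, after is not None


if __name__ == "__main__":
    for hit in scan_logs(SAMPLE_LOGS):
        print("IoC hit:", hit)
    print("persistence demo (absent, present):", demo_persistence_check())
    # On a real host, point find_persistence at the user's LaunchAgents folder:
    print("this user:", find_persistence(os.path.expanduser("~/Library/LaunchAgents")))
```

Running the block reports three hits from the sample lines (two exact `board.php` URLs and one subdomain of an IoC domain) and skips the look-alike `craypot.live.example.net` host; the persistence demo shows the check returning None for an empty directory and the path once the plist exists.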

Indicators of Compromise

| Type   | Value                               | First Seen | Last Seen  |
|--------|-------------------------------------|------------|------------|
| HASH   | d91c233b2f1177357387c29d92bd3f2…    | 2019-11-20 | 2020-07-27 |
| HASH   | 735365ef9aa6cca946cfef9a4b85f68…    | 2019-11-12 | 2020-07-27 |
| HASH   | 6f7a5f1d52d3bfc6f175bf2bbb665e4…    | 2019-11-20 | 2019-11-20 |
| URL    | https://indagator.club/board.php    | 2019-11-12 | 2019-11-20 |
| URL    | https://craypot.live/board.php      | 2019-11-04 | 2019-11-20 |
| URL    | https://crabbedly.club/board.php    | 2019-11-04 | 2019-11-20 |
| DOMAIN | indagator.club                      | 2019-11-04 | 2019-11-20 |
| DOMAIN | craypot.live                        | 2019-11-04 | 2019-11-20 |
| DOMAIN | crabbedly.club                      | 2019-11-04 | 2019-11-20 |
