Malware Analysis Targeting Windows and macOS by the Lazarus Group

2025-10-13 Logpresso

https://logpresso.com/en/blog/2025-10-13-lazarus-apt-attack-en


Logpresso reports a September 2025 Lazarus campaign that delivered malware disguised as Nvidia updates, arm64-fixer, and mac_camera.driver to Windows and macOS systems. Victims are prompted to install Node.js and run main.js, which contacts C2 infrastructure, downloads an encrypted Python payload, and decrypts it through string reversal, Base64 decoding, and zlib decompression. The payload collects host metadata, geolocation, Chromium browser credentials, and credit card data, exfiltrates them, and polls for remote commands after reboot. On Windows, drvupdate.exe is identified as a Nukesped component featuring Base64 plus XOR string decoding, a C2 handshake, and remote shell execution through cmd.exe.
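The two decoding chains named above (reverse, then Base64, then zlib for the Python stage; Base64 plus repeating-key XOR for the drvupdate.exe strings) as an added analyst helper, not Logpresso's code or the malware's. The sample payload and the XOR key are constructed placeholders, since the excerpt gives neither the real blob nor the key.

```python
import base64
import binascii
import zlib


def unpack_stage(blob: str) -> bytes:
    """Unwrap the encrypted Python payload the way the report describes:
    the delivered text is reversed, Base64-decoded, then zlib-inflated.
    Raises ValueError when the input does not follow that chain, so a
    triage script can tell "wrong format" apart from a decoder bug."""
    try:
        raw = base64.b64decode(blob[::-1], validate=True)
        return zlib.decompress(raw)
    except (binascii.Error, zlib.error) as exc:
        raise ValueError(f"not a reverse/base64/zlib blob: {exc}") from exc


def pack_stage(plaintext: bytes) -> str:
    """Inverse of unpack_stage; used only to build the constructed sample."""
    return base64.b64encode(zlib.compress(plaintext)).decode("ascii")[::-1]


def decode_xor_string(encoded: str, key: bytes) -> str:
    """Decode one Base64-plus-XOR string of the kind the report attributes
    to drvupdate.exe. The key repeats over the buffer; its real value is not
    in the excerpt, so the caller passes whatever the analysis recovers."""
    raw = base64.b64decode(encoded)
    plain = bytes(b ^ key[i % len(key)] for i, b in enumerate(raw))
    return plain.decode("utf-8", "replace")


def encode_xor_string(text: str, key: bytes) -> str:
    """Inverse of decode_xor_string; used only to build the constructed sample."""
    data = text.encode("utf-8")
    masked = bytes(b ^ key[i % len(key)] for i, b in enumerate(data))
    return base64.b64encode(masked).decode("ascii")


# Constructed sample: a harmless stand-in for the second-stage script.
SAMPLE_PAYLOAD = b"import platform\nprint(platform.node())\n"
SAMPLE_BLOB = pack_stage(SAMPLE_PAYLOAD)

# Constructed placeholder key; the real key is not given in the excerpt.
XOR_KEY = b"\x5a\xa5"
SAMPLE_XOR = encode_xor_string("cmd.exe", XOR_KEY)

if __name__ == "__main__":
    print(unpack_stage(SAMPLE_BLOB).decode())
    print(decode_xor_string(SAMPLE_XOR, XOR_KEY))
```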

Indicators of Compromise

