{
    "type": "bundle",
    "id": "bundle--453cd93f-62ea-42d9-8ef9-c601525eee3e",
    "objects": [
        {
            "type": "identity",
            "spec_version": "2.1",
            "id": "identity--04104b6b-5207-4e88-904b-8fec73739552",
            "created": "2026-01-25T08:53:44.226941Z",
            "modified": "2026-01-25T08:53:44.226977Z",
            "name": "WithSecure",
            "identity_class": "organization"
        },
        {
            "type": "ipv4-addr",
            "spec_version": "2.1",
            "id": "ipv4-addr--ccb91149-afc3-4fed-bc31-64bba6ec42e5",
            "value": "175.45.176.27"
        },
        {
            "type": "file",
            "spec_version": "2.1",
            "id": "file--232394fc-9ba4-4c92-8a6a-2aacf788630a",
            "hashes": {
                "MD5": "879fa942f9f097b74fd6f7dabcf1745a"
            }
        },
        {
            "type": "ipv4-addr",
            "spec_version": "2.1",
            "id": "ipv4-addr--8769d0d7-210e-4a82-9c61-ead13359c015",
            "value": "23.237.32.34"
        },
        {
            "type": "indicator",
            "spec_version": "2.1",
            "id": "indicator--5aeff424-569c-4416-ba3b-8894f89f6325",
            "created": "2026-06-24T21:10:40.432297Z",
            "modified": "2026-06-24T21:10:40.432297Z",
            "name": "YARA Rule",
            "pattern": "rule lazarus_bindshell\r\n{\r\nmeta:\r\n\t\t\r\nauthor=\" Withsecure Threat Intelligence \"\r\n\t\t\r\ndescription=\"Detects bind shell from Lazarus group\"\r\n\t\tdate=\"2023-01-01\"\r\nstrings:\r\n\t\t\r\n\t\t\r\n\t\t\r\n\t\t\r\n\t\t\r\n\t\t\r\n\r\n$str_comspec = \"COMSPEC\"\r\n$str_consolewindow = \"GetConsoleWindow\"\r\n$str_ShowWindow = \"ShowWindow\"\r\n$str_WSASocketA = \"WSASocketA\"\r\n$str_CreateProcessA = \"CreateProcessA\"\r\n$str_port = {B9 4D 05 00 00 89}\r\n\r\ncondition:\r\nuint16(0) == 0x5A4D and\r\nall of them\r\n}",
            "pattern_type": "yara",
            "valid_from": "2023-02-02T00:00:00Z"
        },
        {
            "type": "indicator",
            "spec_version": "2.1",
            "id": "indicator--35511188-a752-49aa-96c4-56a81baaaa72",
            "created": "2026-06-24T21:10:40.433361Z",
            "modified": "2026-06-24T21:10:40.433361Z",
            "name": "YARA Rule",
            "pattern": "rule lazarus_grease2\r\n{\r\nmeta:\r\n\t\t\r\nauthor=\" Withsecure Threat Intelligence \"\r\n\t\t\r\ndescription=\"Detects GREASE2 malware\"\r\n\t\tdate=\"2023-01-01\"\r\nstrings:\r\n\t\t\r\n\t\t\r\n\t\t\r\n\t\t\r\n\r\n$str_rdpconf = \"c: \\\\windows\\\\temp\\\\RDPConf.exe\" fullword nocase\r\n$str_rdpwinst = \"c: \\\\windows\\\\temp\\\\RDPWInst.exe\" fullword nocase\r\n$str_net_user = \"net user\"\r\n$str_admins_add = \"net localgroup administrators\"\r\n\r\ncondition:\r\nuint16(0) == 0x5A4D and\r\nall of them\r\n}",
            "pattern_type": "yara",
            "valid_from": "2023-02-02T00:00:00Z"
        },
        {
            "type": "indicator",
            "spec_version": "2.1",
            "id": "indicator--12d4ce92-1453-402d-808b-eadb5d1b34b3",
            "created": "2026-06-24T21:10:40.434353Z",
            "modified": "2026-06-24T21:10:40.434353Z",
            "name": "YARA Rule",
            "pattern": "rule lazarus_dtrack_unpacked\r\n{\r\nmeta:\r\n\t\t\r\nauthor=\" Withsecure Threat Intelligence \"\r\n\t\t\r\ndescription=\"Detects lazarus acres.exe 64bit rat written with QT framework\"\r\n\t\tdate=\"2023-01-01\"\r\nstrings:\r\n\t\t\r\n$str_nopineapple = \"< No Pineapple! >\"\r\n\t\t\r\n$str_qt_library = \"Qt 5.12.10\"\r\n\t\t\r\n$str_xor = {8B 10 83 F6 ?? 83 FA 01 77}\r\ncondition:\r\nuint16(0) == 0x5A4D and\r\nall of them\r\n}",
            "pattern_type": "yara",
            "valid_from": "2023-02-02T00:00:00Z"
        },
        {
            "type": "indicator",
            "spec_version": "2.1",
            "id": "indicator--6a52c820-b0de-4d57-a392-1c0f67d124ca",
            "created": "2026-06-24T21:10:40.43519Z",
            "modified": "2026-06-24T21:10:40.43519Z",
            "name": "YARA Rule",
            "pattern": "rule lazarus_dtrack_unpacked\r\n{\r\nmeta:\r\n\t\t\r\nauthor=\"Withsecure Threat Intelligence\"\r\n\t\t\r\ndescription=\"Detects unpacked dtrack variant with smb data staging\"\r\n\t\tdate=\"2023-01-01\"\r\nstrings:\r\n\t\t\r\n\t\t\r\n\t\t\r\n\t\t\r\n\t\t\r\n\r\n$str_mutex = \"MTX_Global\"\r\n$str_cmd_1 = \"/c net use \\\\\\\\\" wide\r\n$str_cmd_2 = \"/c ping -n 3 127.0.01 > NUL % echo EEE > \\\"%s\\\"\" wide\r\n$str_cmd_3 = \"/c move /y %s \\\\\\\\\" wide\r\n$str_cmd_4 = \"/c systeminfo > \\\"%s\\\" & tasklist > \\\"%s\\\" & netstat -naop tcp > \\\"%s\\\"\" wide\r\n\r\ncondition:\r\nuint16(0) == 0x5A4D and\r\nall of them\r\n}",
            "pattern_type": "yara",
            "valid_from": "2023-02-02T00:00:00Z"
        },
        {
            "type": "file",
            "spec_version": "2.1",
            "id": "file--db45511d-9c62-4bbd-8ddf-b7807f60d952",
            "hashes": {
                "SHA-1": "af9bc7ef25755982a00aca920ee7ad51f76c5cc2"
            }
        },
        {
            "type": "file",
            "spec_version": "2.1",
            "id": "file--f8c8733b-ee80-47e6-9544-f029148f5c9c",
            "hashes": {
                "SHA-1": "61156df8e4a5eadac8137c1cbd55145eab654726"
            }
        },
        {
            "type": "file",
            "spec_version": "2.1",
            "id": "file--89a21228-5818-4c90-97b8-a255cc3c00de",
            "hashes": {
                "SHA-1": "aa489231455dc2e56e2399edd7c10b5522608a7d"
            }
        },
        {
            "type": "file",
            "spec_version": "2.1",
            "id": "file--5545d8db-139c-4c2e-9d92-55a962f3e906",
            "hashes": {
                "SHA-1": "7c40d4ded95f425fa01895f9d4359c9ef250290a"
            }
        },
        {
            "type": "file",
            "spec_version": "2.1",
            "id": "file--922e6ff2-da8d-411b-bd9d-555e9d112779",
            "hashes": {
                "SHA-1": "8b0fb0e478d18a358783429eaed53ca0fe892b37"
            }
        },
        {
            "type": "file",
            "spec_version": "2.1",
            "id": "file--0acc55cb-e42a-4774-8af4-78044edff237",
            "hashes": {
                "SHA-1": "cbf1529bf025523532666b0b3d2adbdae657db16"
            }
        },
        {
            "type": "file",
            "spec_version": "2.1",
            "id": "file--07efa6ce-d7fc-4a8a-903b-21e9b4679dd8",
            "hashes": {
                "SHA-1": "46a934e7b42bfb0a2a9bcecade78f63375192924"
            }
        },
        {
            "type": "file",
            "spec_version": "2.1",
            "id": "file--fa23c4bf-e1af-477a-bb68-df87109372ca",
            "hashes": {
                "SHA-1": "407b934895741a1d3b197e4e3c3d2e3284ebc76a"
            }
        },
        {
            "type": "file",
            "spec_version": "2.1",
            "id": "file--596284c3-df84-4986-8772-bb4a591eee7b",
            "hashes": {
                "SHA-1": "88df19687e6aa8da376e37a8d71421b5b78a2cb4"
            }
        },
        {
            "type": "file",
            "spec_version": "2.1",
            "id": "file--a685c7ec-0b88-4ef0-ae00-8640bc5df318",
            "hashes": {
                "SHA-1": "b2b36600ce41129fa85a15a7177a61b7cb714000"
            }
        },
        {
            "type": "file",
            "spec_version": "2.1",
            "id": "file--24e4ae7e-1902-4737-8da3-2e1a829a4ac4",
            "hashes": {
                "SHA-1": "8c384b77b7100d6469e5e7b5cfa779dbcbcaa9ab"
            }
        },
        {
            "type": "file",
            "spec_version": "2.1",
            "id": "file--3f033020-4435-4487-98b3-0849c6c310c3",
            "hashes": {
                "SHA-1": "f7564e93c5b4ec2de6f4f88c80c9691dc068206f"
            }
        },
        {
            "type": "file",
            "spec_version": "2.1",
            "id": "file--342bbdfc-87f8-4d9d-8ddf-eff2adcdcc8e",
            "hashes": {
                "SHA-1": "47f12a1976552a1319bd58d813f213d7ebdef4fa"
            }
        },
        {
            "type": "file",
            "spec_version": "2.1",
            "id": "file--c5031cc6-80dd-476e-adec-68deb2b2fcbb",
            "hashes": {
                "MD5": "9784a36611c68337698d3be972bd5dca"
            }
        },
        {
            "type": "file",
            "spec_version": "2.1",
            "id": "file--58b89e9e-a6d6-45e3-b6eb-dde2dd0d9b64",
            "hashes": {
                "MD5": "b3b9d4a2cac8ea76f570bbde5249f076"
            }
        },
        {
            "type": "file",
            "spec_version": "2.1",
            "id": "file--ae7328a3-4739-42bb-8b6a-11237ae2f702",
            "hashes": {
                "SHA-1": "45b35d1176598be7755a6d56ad8009bb03f3c5b1"
            }
        },
        {
            "type": "file",
            "spec_version": "2.1",
            "id": "file--79ca1787-f187-4858-a495-486e3c040df2",
            "hashes": {
                "SHA-1": "6d0bffe68bc8992b60dc294ec68dd2b44a5fc6f4"
            }
        },
        {
            "type": "domain-name",
            "spec_version": "2.1",
            "id": "domain-name--f59cc4bb-8287-4cd8-9c6f-d315751182a5",
            "value": "quickconnect.io"
        },
        {
            "type": "domain-name",
            "spec_version": "2.1",
            "id": "domain-name--60dbd769-d483-47f9-bd43-6f052f375f10",
            "value": "synology.me"
        },
        {
            "type": "ipv4-addr",
            "spec_version": "2.1",
            "id": "ipv4-addr--e7b7069e-e100-46f5-8c67-65b29557ef95",
            "value": "146.185.26.150"
        },
        {
            "type": "ipv4-addr",
            "spec_version": "2.1",
            "id": "ipv4-addr--59d04e4a-db83-4d4d-8064-de8aa90540b6",
            "value": "104.225.129.103"
        },
        {
            "type": "ipv4-addr",
            "spec_version": "2.1",
            "id": "ipv4-addr--3941cfdc-6629-4ce3-b9a3-04cd3eda0df9",
            "value": "154.6.26.2"
        },
        {
            "type": "ipv4-addr",
            "spec_version": "2.1",
            "id": "ipv4-addr--126642bc-bd8a-4fc7-9072-ffc153d62925",
            "value": "104.225.129.86"
        },
        {
            "type": "ipv4-addr",
            "spec_version": "2.1",
            "id": "ipv4-addr--36344666-839f-465a-ab1e-ebbaee9e9fbc",
            "value": "15.207.207.64"
        },
        {
            "type": "ipv4-addr",
            "spec_version": "2.1",
            "id": "ipv4-addr--67cce65e-459c-4620-9996-8c7d9fbebce7",
            "value": "209.95.60.92"
        },
        {
            "type": "report",
            "spec_version": "2.1",
            "id": "report--1fc67da2-cc51-417a-96a4-49b8fabe152b",
            "created_by_ref": "identity--04104b6b-5207-4e88-904b-8fec73739552",
            "created": "2026-06-24T21:10:40.506786Z",
            "modified": "2026-06-24T21:10:40.506786Z",
            "name": "No Pineapple! - DPRK Targeting of Medical Research and Technology Sector",
            "published": "2023-02-02T00:00:00Z",
            "object_refs": [
                "identity--04104b6b-5207-4e88-904b-8fec73739552",
                "ipv4-addr--ccb91149-afc3-4fed-bc31-64bba6ec42e5",
                "file--232394fc-9ba4-4c92-8a6a-2aacf788630a",
                "ipv4-addr--8769d0d7-210e-4a82-9c61-ead13359c015",
                "indicator--5aeff424-569c-4416-ba3b-8894f89f6325",
                "indicator--35511188-a752-49aa-96c4-56a81baaaa72",
                "indicator--12d4ce92-1453-402d-808b-eadb5d1b34b3",
                "indicator--6a52c820-b0de-4d57-a392-1c0f67d124ca",
                "file--db45511d-9c62-4bbd-8ddf-b7807f60d952",
                "file--f8c8733b-ee80-47e6-9544-f029148f5c9c",
                "file--89a21228-5818-4c90-97b8-a255cc3c00de",
                "file--5545d8db-139c-4c2e-9d92-55a962f3e906",
                "file--922e6ff2-da8d-411b-bd9d-555e9d112779",
                "file--0acc55cb-e42a-4774-8af4-78044edff237",
                "file--07efa6ce-d7fc-4a8a-903b-21e9b4679dd8",
                "file--fa23c4bf-e1af-477a-bb68-df87109372ca",
                "file--596284c3-df84-4986-8772-bb4a591eee7b",
                "file--a685c7ec-0b88-4ef0-ae00-8640bc5df318",
                "file--24e4ae7e-1902-4737-8da3-2e1a829a4ac4",
                "file--3f033020-4435-4487-98b3-0849c6c310c3",
                "file--342bbdfc-87f8-4d9d-8ddf-eff2adcdcc8e",
                "file--c5031cc6-80dd-476e-adec-68deb2b2fcbb",
                "file--58b89e9e-a6d6-45e3-b6eb-dde2dd0d9b64",
                "file--ae7328a3-4739-42bb-8b6a-11237ae2f702",
                "file--79ca1787-f187-4858-a495-486e3c040df2",
                "domain-name--f59cc4bb-8287-4cd8-9c6f-d315751182a5",
                "domain-name--60dbd769-d483-47f9-bd43-6f052f375f10",
                "ipv4-addr--e7b7069e-e100-46f5-8c67-65b29557ef95",
                "ipv4-addr--59d04e4a-db83-4d4d-8064-de8aa90540b6",
                "ipv4-addr--3941cfdc-6629-4ce3-b9a3-04cd3eda0df9",
                "ipv4-addr--126642bc-bd8a-4fc7-9072-ffc153d62925",
                "ipv4-addr--36344666-839f-465a-ab1e-ebbaee9e9fbc",
                "ipv4-addr--67cce65e-459c-4620-9996-8c7d9fbebce7"
            ],
            "external_references": [
                {
                    "source_name": "source",
                    "url": "https://labs.withsecure.com/content/dam/labs/docs/WithSecure-Lazarus-No-Pineapple-Threat-Intelligence-Report-2023.pdf"
                }
            ]
        }
    ]
}