Operation Blacksmith: Lazarus targets organizations worldwide using novel Telegram-based malware written in DLang
2023-12-11 • Cisco Talos
https://blog.talosintelligence.com/lazarus_new_rats_dlang_and_telegram/
Cisco Talos describes Operation Blacksmith, a Lazarus/Andariel-linked campaign that opportunistically targeted manufacturing, agriculture, and physical security organizations by exploiting internet-facing infrastructure running vulnerable software such as Log4j. The campaign deployed three DLang-based malware families: NineRAT, which uses Telegram bots and channels for command and control; DLRAT; and the BottomLoader downloader. Talos attributes the activity to North Korea's Lazarus umbrella and notes overlap with Onyx Sleet/Andariel tradecraft, including hands-on-keyboard post-compromise activity and credential collection.
Indicators of Compromise