Operation FASTCash
2018-12-12 • fboldewin
Attachments
The PDF ties Hidden Cobra, also known as Lazarus or APT38, to FASTCash activity against banking payment-switch infrastructure. The analysis describes a 2018 incident in which attackers manipulated transaction response messages on an IBM AIX PowerPC payment-switch server to enable fraudulent ATM cash withdrawals across 23 countries. It notes US-CERT reporting on three malicious shared-object libraries and an injection executable used to alter payment transaction handling, and it distinguishes unrelated IBM AIX tooling from the FASTCash malware set. Defenders should focus their review on payment-switch compromise, stolen banking credentials, XCOFF malware artifacts, shared-library injection, and validation of the hashes and file roles in the original report.