{
    "type": "bundle",
    "id": "bundle--0c91e30f-1e79-4a29-b60c-546784da6bc9",
    "objects": [
        {
            "type": "identity",
            "spec_version": "2.1",
            "id": "identity--60cb6a34-4e05-49c1-bb42-0e45dd948a20",
            "created": "2025-09-01T13:54:43.426929Z",
            "modified": "2025-09-01T13:59:04.85352Z",
            "name": "Foxit",
            "identity_class": "organization"
        },
        {
            "type": "indicator",
            "spec_version": "2.1",
            "id": "indicator--81f80cb9-9ad1-4886-854d-fc7940ce1c75",
            "created": "2026-06-24T16:06:05.037152Z",
            "modified": "2026-06-24T16:06:05.037152Z",
            "name": "YARA Rule",
            "pattern": "rule Lazarus_RemotePE_DPAPI_Encrypted_config {\nmeta:\n    description = \"Detects RemotePE DPAPI-encrypted config on disk\"\n    author = \"Fox-IT Security Research Team\"\ncondition:\n    filesize == 3094\n    and uint32(0) == 0x00000001\n    and uint32(0x8E) == 0x00000B40\n}",
            "pattern_type": "yara",
            "valid_from": "2026-05-22T00:00:00Z"
        },
        {
            "type": "indicator",
            "spec_version": "2.1",
            "id": "indicator--9d306913-74df-4f67-ab7f-dc13e6296fe2",
            "created": "2026-06-24T16:06:05.037968Z",
            "modified": "2026-06-24T16:06:05.037968Z",
            "name": "YARA Rule",
            "pattern": "rule Lazarus_RemotePE_class_strings {\nmeta:\n    description = \"Detects RemotePE class-name strings; all four must be present.\"\nstrings:\n    $a = \"IMiddleController\" ascii wide xor\n    $b = \"IChannelController\" ascii wide xor\n    $c = \"IConfigProfile\" ascii wide xor\n    $d = \"IKernelModule\" ascii wide xor\ncondition:\n    all of them\n}",
            "pattern_type": "yara",
            "valid_from": "2026-05-22T00:00:00Z"
        },
        {
            "type": "indicator",
            "spec_version": "2.1",
            "id": "indicator--c64a7bba-6bdb-46c6-a98a-ef30acbb5af7",
            "created": "2026-06-24T16:06:05.038582Z",
            "modified": "2026-06-24T16:06:05.038582Z",
            "name": "YARA Rule",
            "pattern": "rule Lazarus_RemotePE_C2_strings {\nmeta:\n    description = \"Detects PE files (MZ header) containing all of the RemotePE strings used for C2.\"\nstrings:\n    $a = \"MicrosoftApplicationsTelemetryDeviceId\" wide ascii xor\n    $b = \"armAuthorization\" wide ascii xor\n    $c = \"ai_session\" wide ascii xor\ncondition:\n    uint16(0) == 0x5A4D and all of them\n}",
            "pattern_type": "yara",
            "valid_from": "2026-05-22T00:00:00Z"
        },
        {
            "type": "indicator",
            "spec_version": "2.1",
            "id": "indicator--d8b145d9-f90c-4bdb-9581-6fecc1eef8b9",
            "created": "2026-06-24T16:06:05.039167Z",
            "modified": "2026-06-24T16:06:05.039167Z",
            "name": "YARA Rule",
            "pattern": "rule Lazarus_DPAPILoader_Hunting {\nmeta:\n    description = \"Hunting rule to detect DPAPILoader, a loader used to load RemotePE. The condition uses pe.imports, so the rule must be compiled with the YARA pe module imported.\"\n    author = \"Fox-IT / NCC Group\"\nstrings:\n    $msg_1 = \"[!] Could not allocate memory at the desired base!\\n\"\n    $msg_2 = \"[!] Virtual section size is out ouf bounds: \"\n    $msg_3 = \"[!] Invalid relocDir pointer\\n\"\n    $msg_4 = \"[-] Not supported relocations format at %d: %d\\n\"\n    $msg_5 = \"[!] Cannot fill imports into 32 bit PE via 64 bit loader!\\n\"\ncondition:\n    any of them and pe.imports(\"Crypt32.dll\", \"CryptUnprotectData\")\n}",
            "pattern_type": "yara",
            "valid_from": "2026-05-22T00:00:00Z"
        },
        {
            "type": "file",
            "spec_version": "2.1",
            "id": "file--abdad7ac-1cb1-49be-8035-ca1dabc15aa3",
            "hashes": {
                "MD5": "557551f8468b55e64af8969e71f9246f",
                "SHA-1": "2eaefd5a62a3a0d0181f1bee5a5aa0979fa51cf4",
                "SHA-256": "710f15302859c7af1c1e25219d704841b3fdbc48f16a5a574d5ab6cf4f4842e8"
            }
        },
        {
            "type": "file",
            "spec_version": "2.1",
            "id": "file--96ce9973-6a43-4aad-af68-c925cbf198a1",
            "hashes": {
                "MD5": "6f15a1f78380d204f7f2369749c72b4b",
                "SHA-1": "d32753d7dac47032f96542d6120f101a5cadbb39",
                "SHA-256": "62e040a32aac2d2faa8d2bffa2cf7ab662228cebf9bb78eaa0a633c0b729d119"
            }
        },
        {
            "type": "file",
            "spec_version": "2.1",
            "id": "file--59a024da-22d9-4891-9f7c-56bbf2e64169",
            "hashes": {
                "MD5": "ac468b5536a0b3f8c6b88968a7f3761f",
                "SHA-1": "111904fcc3e2f0fba7b24913a8f54d2b3fd9de06",
                "SHA-256": "6b33d20196267b0d64bca815ca863558d26b17cee77caf62a6cce8eae555ac8d"
            }
        },
        {
            "type": "file",
            "spec_version": "2.1",
            "id": "file--22c923d5-44fe-4f5a-a6ee-9bd4e88f70e6",
            "hashes": {
                "MD5": "781e02b32ed5dff6e512d9850a5b5403",
                "SHA-1": "ea5cfdcab1e4894bebdb8f0a9652c4a4ae190933",
                "SHA-256": "37f5afb9ed3761e73feb95daceb7a1fdbb13c8b5fc1a2ba22e0ef7994c7920ef"
            }
        },
        {
            "type": "file",
            "spec_version": "2.1",
            "id": "file--dfbf3eb8-73d8-40fe-945f-08b29f4f46cb",
            "hashes": {
                "MD5": "75a46b23825ce7aa4ca297d93450f4e2",
                "SHA-1": "3b994549ab4fd9024b2f0155094d7aa43b70bb8f",
                "SHA-256": "aa4a2d1215f864481994234f13ab485b95150161b4566c180419d93dda7ac039"
            }
        },
        {
            "type": "file",
            "spec_version": "2.1",
            "id": "file--a76512df-0293-4fe0-9b38-0b3c128950b7",
            "hashes": {
                "MD5": "40c45ad6fef563af8a73dd48a38dc8ba",
                "SHA-1": "81c744562d568a0e8a6938df0abc5fba7cfcb3b4",
                "SHA-256": "4f6ae0110cf652264293df571d66955f7109e3424a070423b5e50edc3eb43874"
            }
        },
        {
            "type": "domain-name",
            "spec_version": "2.1",
            "id": "domain-name--100762c4-03e2-4bc4-8ef2-2fd4fab6dceb",
            "value": "devicelinkintel.com"
        },
        {
            "type": "domain-name",
            "spec_version": "2.1",
            "id": "domain-name--716790da-6b1d-4a64-9ac5-adcefc5da609",
            "value": "intelcloudinsights.com"
        },
        {
            "type": "domain-name",
            "spec_version": "2.1",
            "id": "domain-name--943ded89-6a63-471f-b47a-0b2645c079e5",
            "value": "akamaicloud.com"
        },
        {
            "type": "domain-name",
            "spec_version": "2.1",
            "id": "domain-name--9987ca50-7bb0-4b1f-9b07-0968ad13150f",
            "value": "msdeliverycontent.com"
        },
        {
            "type": "domain-name",
            "spec_version": "2.1",
            "id": "domain-name--247649e5-b0e8-49d8-afba-6cba54b21f58",
            "value": "livedrivefiles.com"
        },
        {
            "type": "file",
            "spec_version": "2.1",
            "id": "file--76c75d43-6ec4-4976-b786-282a02f2601b",
            "hashes": {
                "MD5": "85766786fd00957737f1c88632ab9e0d",
                "SHA-1": "3142704d014ed89d1b4d538b6aa796bd371b6990",
                "SHA-256": "7a05188ab0129b0b4f38e2e7599c5c52149ce0131140db33feb251d926428d68"
            }
        },
        {
            "type": "file",
            "spec_version": "2.1",
            "id": "file--6372bed2-cb11-44ab-a676-4399d5f82e3f",
            "hashes": {
                "MD5": "23c2569a65870a9e412d98d5b3bdc554",
                "SHA-1": "91def0a4dd9b35510d7f8897bc114f975a5d7e2b",
                "SHA-256": "159471e1abc9adf6733af9d24781fbf27a776b81d182901c2e04e28f3fe2e6f3"
            }
        },
        {
            "type": "domain-name",
            "spec_version": "2.1",
            "id": "domain-name--e54f765e-5e1d-4d44-98de-275c5af513f8",
            "value": "aes-secure.net"
        },
        {
            "type": "domain-name",
            "spec_version": "2.1",
            "id": "domain-name--847e3c57-9044-4f6f-b61a-c854bfa3ea04",
            "value": "azureglobalaccelerator.com"
        },
        {
            "type": "threat-actor",
            "spec_version": "2.1",
            "id": "threat-actor--af08d5c9-f507-5ed5-9986-7ffea3df195b",
            "created": "2026-06-24T16:06:05.049059Z",
            "modified": "2026-06-24T16:06:05.049059Z",
            "name": "Lazarus"
        },
        {
            "type": "report",
            "spec_version": "2.1",
            "id": "report--9f541b6d-f1c5-4187-8bc8-ac322a351930",
            "created_by_ref": "identity--60cb6a34-4e05-49c1-bb42-0e45dd948a20",
            "created": "2026-06-24T16:06:05.05169Z",
            "modified": "2026-06-24T16:06:05.05169Z",
            "name": "RemotePE: The Lazarus RAT that lives in memory",
            "published": "2026-05-22T00:00:00Z",
            "object_refs": [
                "identity--60cb6a34-4e05-49c1-bb42-0e45dd948a20",
                "indicator--81f80cb9-9ad1-4886-854d-fc7940ce1c75",
                "indicator--9d306913-74df-4f67-ab7f-dc13e6296fe2",
                "indicator--c64a7bba-6bdb-46c6-a98a-ef30acbb5af7",
                "indicator--d8b145d9-f90c-4bdb-9581-6fecc1eef8b9",
                "file--abdad7ac-1cb1-49be-8035-ca1dabc15aa3",
                "file--96ce9973-6a43-4aad-af68-c925cbf198a1",
                "file--59a024da-22d9-4891-9f7c-56bbf2e64169",
                "file--22c923d5-44fe-4f5a-a6ee-9bd4e88f70e6",
                "file--dfbf3eb8-73d8-40fe-945f-08b29f4f46cb",
                "file--a76512df-0293-4fe0-9b38-0b3c128950b7",
                "domain-name--100762c4-03e2-4bc4-8ef2-2fd4fab6dceb",
                "domain-name--716790da-6b1d-4a64-9ac5-adcefc5da609",
                "domain-name--943ded89-6a63-471f-b47a-0b2645c079e5",
                "domain-name--9987ca50-7bb0-4b1f-9b07-0968ad13150f",
                "domain-name--247649e5-b0e8-49d8-afba-6cba54b21f58",
                "file--76c75d43-6ec4-4976-b786-282a02f2601b",
                "file--6372bed2-cb11-44ab-a676-4399d5f82e3f",
                "domain-name--e54f765e-5e1d-4d44-98de-275c5af513f8",
                "domain-name--847e3c57-9044-4f6f-b61a-c854bfa3ea04",
                "threat-actor--af08d5c9-f507-5ed5-9986-7ffea3df195b"
            ],
            "external_references": [
                {
                    "source_name": "source",
                    "url": "https://blog.fox-it.com/2026/05/22/remotepe-the-lazarus-rat-that-lives-in-memory/"
                }
            ]
        }
    ]
}