{ "type": "bundle", "id": "bundle--50604fbd-09f5-4def-886f-8f91a319c0ef", "objects": [ { "type": "identity", "spec_version": "2.1", "id": "identity--6093c656-dd0f-4972-b2c8-760541671328", "created": "2023-03-08T12:51:56.338602Z", "modified": "2023-03-08T12:51:56.338683Z", "name": "Carbonblack", "identity_class": "organization" }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--c84aa0e4-eb91-42bf-8a8e-94ac156bc5a6", "created": "2026-06-24T18:11:36.717982Z", "modified": "2026-06-24T18:11:36.717982Z", "name": "YARA Rule", "pattern": "rule lazarus_hotcroissant_2020_Q1 : TAU APT Lazarus\r\n{\r\nmeta:\r\nauthor = \u201cCarbonBlack Threat Research\u201d // sknight\r\ndate = \u201c2020-Mar-25\u201d\r\nValidity = 10\r\nseverity = 10\r\nJira = \u201cTR-4456\u201d\r\nTID = \u201cT1140, T1082, T1033, T1005, T1113, T1094, T1024, T1132, T1065\u201d\r\ndescription = \u201cLazarus HotCroissant backdoor\u201d\r\nlink = \u201chttps://www.us-cert.gov/ncas/analysis-reports/ar20-045d\u201d\r\nrule_version = 1\r\nyara_version = \u201c3.11.0\u201d\r\nConfidence = \u201cProd\u201d\r\nPriority = \u201cMedium\u201d\r\nTLP = \u201cWhite\u201d\r\nexemplar_hashes = \u201c8ee7da59f68c691c9eca1ac70ff03155ed07808c7a66dee49886b51a59e00085, 7ec13c5258e4b3455f2e8af1c55ac74de6195b837235b58bc32f95dd6f25370c\u201d\r\nstrings:\r\n// Crypto keys\r\n$b1 = { 8b d6 b8 00 [1-6] 17 [1-6] 29 70 49 02 }\r\n// Crypto algorithm\r\n$b2 = { 8A 1C 3E 32 DA 32 D8 32 D9 88 1C 3E 8A D8 32 D9 22 DA 8B 55 FC 8D 3C D5 00 00 00 00 33 FA 81 E7 F8 07 00 00 C1 E7 14 C1 EA 08 0B D7 8D 3C 00 33 F8 22 C8 C1 E7 04 33 F8 32 CB 8B D8 83 E7 80 C1 E3 07 33 FB C1 E7 11 C1 E8 08 }\r\ncondition:\r\nuint16(0) == 0x5A4D and\r\nuint32(uint32(0x3C)) == 0x00004550 and\r\nfilesize < 200KB and\r\nany of ($b*)\r\n}", "pattern_type": "yara", "valid_from": "2020-04-16T00:00:00Z" }, { "type": "file", "spec_version": "2.1", "id": "file--bd49e27a-c305-4073-bce5-abaf98b1d5b1", "hashes": { "SHA-256": "0a0c09f81a3fac2af99fab077e8c81a6674adc190a1077b04e2956f1968aeff3" } }, { "type": "file", "spec_version": "2.1", "id": "file--56eedb77-c5a1-471d-b9d6-e33b7ce84294", "hashes": { "SHA-256": "57d1df9f6c079e67e883a25cfbb124d33812b5fcdb6288977c4b8ebc1c3350de" } }, { "type": "file", "spec_version": "2.1", "id": "file--1ae19ee2-0306-4ebc-a940-b35e575a89ce", "hashes": { "SHA-256": "b689815a0c97414e0bba0f6cf72029691c8254041e105ed69f6f921d49e88a4d" } }, { "type": "file", "spec_version": "2.1", "id": "file--88a43d4d-9ad9-49c0-bdc7-738c9468563e", "hashes": { "SHA-256": "0ea57d676fe7bb7f75387becffffbd7e6037151e581389d5b864270b296bb765" } }, { "type": "file", "spec_version": "2.1", "id": "file--cd6299a6-48eb-4b6d-950c-1214dcb3db34", "hashes": { "SHA-256": "7ec13c5258e4b3455f2e8af1c55ac74de6195b837235b58bc32f95dd6f25370c" } }, { "type": "file", "spec_version": "2.1", "id": "file--010150dc-a05e-4ff5-9de9-2beaefd299a5", "hashes": { "SHA-256": "a9915977c810fb2d61be8ff9d177de4d10bd3b24bdcbb3bb8ab73bcfdc501995" } }, { "type": "file", "spec_version": "2.1", "id": "file--ae7c9b76-0336-4630-b471-837412e3fb64", "hashes": { "SHA-256": "c9455e218220e81670ddd3c534011a68863ca9e09ab8215cc72da543ca910b81" } }, { "type": "ipv4-addr", "spec_version": "2.1", "id": "ipv4-addr--f81efe24-6619-4e0c-8911-7b8837221c5b", "value": "172.93.110.85" }, { "type": "ipv4-addr", "spec_version": "2.1", "id": "ipv4-addr--5bb3d9b4-64bf-4923-814a-fa206e6ceb7e", "value": "176.31.15.195" }, { "type": "ipv4-addr", "spec_version": "2.1", "id": "ipv4-addr--799fab0d-3d62-443b-b9b6-820cebe02f30", "value": "111.68.7.74" }, { "type": "file", "spec_version": "2.1", "id": "file--7a99c029-266e-4b18-b606-3f36f78e8abb", "hashes": { "SHA-256": "315c06bd8c75f99722fd014b4fb4bd8934049cde09afead9b46bddf4cdd63171" } }, { "type": "file", "spec_version": "2.1", "id": "file--a7affff3-3e01-40b2-9af7-8bb1db7172c6", "hashes": { "SHA-256": "8ee7da59f68c691c9eca1ac70ff03155ed07808c7a66dee49886b51a59e00085" } }, { "type": "ipv4-addr", "spec_version": "2.1", "id": "ipv4-addr--597127b6-5211-4a13-aa58-132aac821d4c", "value": "94.177.123.138" }, { "type": "ipv4-addr", "spec_version": "2.1", "id": "ipv4-addr--ad92d7b0-8b5f-4340-9d99-4d6e0df2b1de", "value": "51.254.60.208" }, { "type": "ipv4-addr", "spec_version": "2.1", "id": "ipv4-addr--4e2cb06f-8155-4a14-b1fa-8a6436a7628b", "value": "192.99.223.115" }, { "type": "ipv4-addr", "spec_version": "2.1", "id": "ipv4-addr--a45609a3-3449-4dfa-ad02-9027d062dd79", "value": "165.194.123.67" }, { "type": "threat-actor", "spec_version": "2.1", "id": "threat-actor--af08d5c9-f507-5ed5-9986-7ffea3df195b", "created": "2026-06-24T18:11:36.729862Z", "modified": "2026-06-24T18:11:36.729862Z", "name": "Lazarus" }, { "type": "report", "spec_version": "2.1", "id": "report--c79b44c3-8709-4ebf-bcec-b21ea0ee7a81", "created_by_ref": "identity--6093c656-dd0f-4972-b2c8-760541671328", "created": "2026-06-24T18:11:36.744363Z", "modified": "2026-06-24T18:11:36.744363Z", "name": "The Evolution of Lazarus", "published": "2020-04-16T00:00:00Z", "object_refs": [ "identity--6093c656-dd0f-4972-b2c8-760541671328", "indicator--c84aa0e4-eb91-42bf-8a8e-94ac156bc5a6", "file--bd49e27a-c305-4073-bce5-abaf98b1d5b1", "file--56eedb77-c5a1-471d-b9d6-e33b7ce84294", "file--1ae19ee2-0306-4ebc-a940-b35e575a89ce", "file--88a43d4d-9ad9-49c0-bdc7-738c9468563e", "file--cd6299a6-48eb-4b6d-950c-1214dcb3db34", "file--010150dc-a05e-4ff5-9de9-2beaefd299a5", "file--ae7c9b76-0336-4630-b471-837412e3fb64", "ipv4-addr--f81efe24-6619-4e0c-8911-7b8837221c5b", "ipv4-addr--5bb3d9b4-64bf-4923-814a-fa206e6ceb7e", "ipv4-addr--799fab0d-3d62-443b-b9b6-820cebe02f30", "file--7a99c029-266e-4b18-b606-3f36f78e8abb", "file--a7affff3-3e01-40b2-9af7-8bb1db7172c6", "ipv4-addr--597127b6-5211-4a13-aa58-132aac821d4c", "ipv4-addr--ad92d7b0-8b5f-4340-9d99-4d6e0df2b1de", "ipv4-addr--4e2cb06f-8155-4a14-b1fa-8a6436a7628b", "ipv4-addr--a45609a3-3449-4dfa-ad02-9027d062dd79", "threat-actor--af08d5c9-f507-5ed5-9986-7ffea3df195b" ], "external_references": [ { "source_name": "source", "url": "https://www.carbonblack.com/2020/04/16/vmware-carbon-black-tau-threat-analysis-the-evolution-of-lazarus/" } ] } ] }