Weaponizing a Lazarus Group Implant
2020-02-22 • Objective-see
Objective-See examined how a Lazarus AppleJeus macOS loader could be repurposed for red-team or offensive use. The source explains that the Lazarus malware’s first-stage loader beacons to a remote server and can execute second-stage payloads directly from memory. Its persistence relies on a LaunchDaemon path under the UnionCrypto application directory, and the write-up focuses on understanding the protocol well enough to redirect payload delivery. Although framed as repurposing research, the report preserves useful technical detail on AppleJeus loader behavior, fileless execution, and macOS persistence.
Indicators of Compromise
| Type | Value | First Seen | Last Seen |
|---|---|---|---|
| DOMAIN | unioncrypto.vip | 2019-12-03 | 2021-02-17 |
| HASH | ca57054ea39f84a6f5ba0c65539a0762 | 2020-02-22 | 2020-02-22 |
| HASH | 6588d262529dc372c400bef8478c2eec | 2019-12-03 | 2020-02-22 |
| URL | https://unioncrypto.vip/update | 2019-12-03 | 2020-02-22 |
| URL | https://unioncrypto.vip/ | 2019-12-03 | 2020-02-22 |