Picus Labs has expanded the Picus Threat Library with new simulations that emulate malware and tradecraft linked to Lazarus, also tracked as Hidden Cobra, Zinc, and Nickel Cobra. Active since at least 2009, Lazarus is widely assessed as a North Korea-backed threat actor with a global footprint. The group blends espionage, financial theft, and disruptive operations, which allows it to fund activity while pursuing strategic objectives. Reported targeting spans aerospace, financial services, government agencies, media organizations, logistics providers, and technology companies. By reproducing Lazarus techniques in a safe, controlled way, the updated Picus content helps security teams measure real detection coverage, identify gaps, and prioritize fixes based on evidence.
Lazarus maintains a large and evolving toolkit that mixes custom malware with off-the-shelf utilities. Public reporting references more than 100 tools in use across campaigns, including Bankshot for banking fraud, Dacls for cross-platform remote access, HOPLIGHT and TYPEFRAME as backdoors, KEYMARBLE for command and control, Proxysvc and RATANKBA for lateral movement and persistence, Volgmer and RawDisk for destructive or wiper-like actions, Mimikatz for credential theft, and the WannaCry ransomware used for global disruption. Operations frequently begin with spearphishing, watering hole compromises, or exploitation of edge services, followed by careful reconnaissance, credential harvesting, and staged data theft. Infrastructure rotates regularly, payloads are packed and obfuscated to evade analysis, and living-off-the-land techniques reduce the chance of simple signature-based detection.
Lazarus’ Latest Targeted Phishing Campaign
In one of its most recent campaigns, Lazarus used a complex targeted phishing attack against security researchers. Lazarus is known to adopt new strategies and custom toolkits to maximize the effectiveness of its attacks, and in this campaign it used an interesting technique to drop its loader: BMP files embedded with malicious HTA artifacts [1].
In detail, the Lazarus threat actor evaded security controls by embedding its malicious HTA file, as a zlib-compressed blob, inside a PNG file that was decompressed at runtime by converting itself to the BMP format. The payload dropped a loader that decoded and decrypted the second-stage payload and stored it in memory. The second-stage payload receives and executes commands or shellcode, exfiltrates data, and communicates with a command and control server.
Picus Labs has updated the Picus Threat Library with this .doc malware and the malicious .exe file downloaded by this malware.
| Picus ID | Threat Name |
|---|---|
| 884096 | Malware Downloader used by Lazarus APT Group .DOC File Download Variant-1 |
| 340431 | Malware used by Lazarus (Hidden Cobra) Group .EXE File Download Variant-6 |
Other Threats of Lazarus in Picus Threat Library
The Picus Threat Library consists of 56 threats attributed to the Lazarus (Hidden Cobra) threat actor, including:
MITRE ATT&CK Techniques used by Lazarus in This Campaign
References