← Back to Pulse Feed
PULSE DETAIL
PULSE NAME
Three Lazarus RATs coming for your cheese – Fox-IT International blog
WHITE Lazarus mengkuong 2025-09-03 Modified: 2025-10-03
80
IOCs
HIGH VOLUME
A team of researchers from Fox-IT and NCC Group has identified and identified the Lazarus cyber-attack group, which targets companies active in the cryptocurrency sector and financial services sector in 2024 and 2025.
pondratthemeforestratpoolratremotepec2 serverwindowslinuxfigureperfhloaderratstelegramlazaruspythonformatsequelvirustotalwindowquasarfacebooksessionenvapplejeusmacos
MITRE ATT&CK & Malware Families
ATT&CK TECHNIQUES
MALWARE FAMILIES
SessionEnv AppleJeus Linux macOS Windows Lazarus
Indicators of Compromise (80)
All CVE FileHash-MD5 FileHash-SHA1 FileHash-SHA256 URL YARA domain hostname
TYPEINDICATORDESCRIPTIONCREATED
CVE CVE-2017-16237 2025-09-03
FileHash-MD5 19dbffec4e359a198daf4ffca1ab9165 MD5 of 24d5dd3006c63d0f46fb33cbc1f576325d4e7e03e3201ff4a3c1ffa604f1b74a 2025-09-03
FileHash-MD5 23c2569a65870a9e412d98d5b3bdc554 MD5 of 159471e1abc9adf6733af9d24781fbf27a776b81d182901c2e04e28f3fe2e6f3 2025-09-03
FileHash-MD5 33c9a47debdb07824c6c51e13740bdfe MD5 of 973f7939ea03fd2c9663dafc21bb968f56ed1b9a56b0284acf73c3ee141c053c 2025-09-03
FileHash-MD5 435c7b4fd5e1eaafcb5826a7e7c16a83 2025-09-03
FileHash-MD5 451c23709ecd5a8461ad060f6346930c MD5 of 5e40d106977017b1ed235419b1e59ff090e1f43ac57da1bb5d80d66ae53b1df8 2025-09-03
FileHash-MD5 6f2f61783a4a59449db4ba37211fa331 2025-09-03
FileHash-MD5 75a46b23825ce7aa4ca297d93450f4e2 MD5 of aa4a2d1215f864481994234f13ab485b95150161b4566c180419d93dda7ac039 2025-09-03
FileHash-MD5 7cc55f3cc2740e8818648efbec21615f 2025-09-03
FileHash-MD5 893fed20a939e613f2b108096573eb8b MD5 of 9dddf5a1d32e3ba7cc27f1006a843bfd4bc34fa8a149bcc522f27bda8e95db14 2025-09-03
FileHash-MD5 d3ee425502cb60db1e75ef5bfd232c72 MD5 of 8c3c8f24dc0c1d165f14e5a622a1817af4336904a3aabeedee3095098192d91f 2025-09-03
FileHash-SHA1 1a6366a45cb892cf76af8ba25d114334f1e34532 SHA1 of 435c7b4fd5e1eaafcb5826a7e7c16a83 2025-09-03
FileHash-SHA1 22bbcab055bea7bd45e0081da61b6a567e32accb SHA1 of 9dddf5a1d32e3ba7cc27f1006a843bfd4bc34fa8a149bcc522f27bda8e95db14 2025-09-03
FileHash-SHA1 24cc64543f339d701b7fe6c7e05f41cb54c9dc83 SHA1 of 8c3c8f24dc0c1d165f14e5a622a1817af4336904a3aabeedee3095098192d91f 2025-09-03
FileHash-SHA1 3b994549ab4fd9024b2f0155094d7aa43b70bb8f SHA1 of aa4a2d1215f864481994234f13ab485b95150161b4566c180419d93dda7ac039 2025-09-03
FileHash-SHA1 58b0516d28bd7218b1908fb266b8fe7582e22a5f SHA1 of 5e40d106977017b1ed235419b1e59ff090e1f43ac57da1bb5d80d66ae53b1df8 2025-09-03
FileHash-SHA1 6f391d282a37b770abcedd08c4c0e2156076cd8e SHA1 of 6f2f61783a4a59449db4ba37211fa331 2025-09-03
FileHash-SHA1 7b6e6487b803bbe85d7466b89da51a269fa4fc29 SHA1 of 973f7939ea03fd2c9663dafc21bb968f56ed1b9a56b0284acf73c3ee141c053c 2025-09-03
FileHash-SHA1 91def0a4dd9b35510d7f8897bc114f975a5d7e2b SHA1 of 159471e1abc9adf6733af9d24781fbf27a776b81d182901c2e04e28f3fe2e6f3 2025-09-03
FileHash-SHA1 d7ba13662fbfb254acaad7ae10ad51e0bd631933 SHA1 of 24d5dd3006c63d0f46fb33cbc1f576325d4e7e03e3201ff4a3c1ffa604f1b74a 2025-09-03
FileHash-SHA256 159471e1abc9adf6733af9d24781fbf27a776b81d182901c2e04e28f3fe2e6f3 2025-09-03
FileHash-SHA256 1a051e4a3b62cd2d4f175fb443f5172da0b40af27c5d1ffae21fde13536dd3e1 2025-09-03
FileHash-SHA256 24d5dd3006c63d0f46fb33cbc1f576325d4e7e03e3201ff4a3c1ffa604f1b74a 2025-09-03
FileHash-SHA256 2c164237de4d5904a66c71843529e37cea5418cdcbc993278329806d97a336a5 2025-09-03
FileHash-SHA256 37f5afb9ed3761e73feb95daceb7a1fdbb13c8b5fc1a2ba22e0ef7994c7920ef 2025-09-03
FileHash-SHA256 3c8f5cc608e3a4a755fe1a2b099154153fb7a88e581f3b122777da399e698cca 2025-09-03
FileHash-SHA256 4715e5522fc91a423a5fcad397b571c5654dc0c4202459fdca06841eba1ae9b3 2025-09-03
FileHash-SHA256 479cc0a490ffa98652683796c5cef12f3e6380107aac83321a9705048b801b54 SHA256 of 435c7b4fd5e1eaafcb5826a7e7c16a83 2025-09-03
FileHash-SHA256 4f6ae0110cf652264293df571d66955f7109e3424a070423b5e50edc3eb43874 2025-09-03
FileHash-SHA256 59a651dfce580d28d17b2f716878a8eff8d20152b364cf873111451a55b7224d 2025-09-03
FileHash-SHA256 5e40d106977017b1ed235419b1e59ff090e1f43ac57da1bb5d80d66ae53b1df8 2025-09-03
FileHash-SHA256 6510d460395ca3643133817b40d9df4fa0d9dbe8e60b514fdc2d4e26b567dfbd 2025-09-03
FileHash-SHA256 774c71664d5d25775478607e74555462773e525e18237947355228337f433a3b 2025-09-03
FileHash-SHA256 7a05188ab0129b0b4f38e2e7599c5c52149ce0131140db33feb251d926428d68 2025-09-03
FileHash-SHA256 85045d9898d28c9cdc4ed0ca5d76eceb457d741c5ca84bb753dde1bea980b516 2025-09-03
FileHash-SHA256 8c3c8f24dc0c1d165f14e5a622a1817af4336904a3aabeedee3095098192d91f 2025-09-03
FileHash-SHA256 973f7939ea03fd2c9663dafc21bb968f56ed1b9a56b0284acf73c3ee141c053c 2025-09-03
FileHash-SHA256 9dddf5a1d32e3ba7cc27f1006a843bfd4bc34fa8a149bcc522f27bda8e95db14 2025-09-03
FileHash-SHA256 aa4a2d1215f864481994234f13ab485b95150161b4566c180419d93dda7ac039 2025-09-03
FileHash-SHA256 c66ba5c68ba12eaf045ed415dfa72ec5d7174970e91b45fda9ebb32e0a37784a 2025-09-03
FileHash-SHA256 cc4c18fefb61ec5b3c69c31beaa07a4918e0b0184cb43447f672f62134eb402b 2025-09-03
FileHash-SHA256 d998de6e40637188ccbb8ab4a27a1e76f392cb23df5a6a242ab9df8ee4ab3936 2025-09-03
FileHash-SHA256 e4ce73b4dbbd360a17f482abcae2d479bc95ea546d67ec257785fa51872b2e3f 2025-09-03
FileHash-SHA256 f0321c93c93fa162855f8ea4356628eef7f528449204f42fbfa002955a0ba528 2025-09-03
FileHash-SHA256 f3b0da965a4050ab00fce727bb31e0f889a9c05d68d777a8068cfc15a71d3703 SHA256 of 6f2f61783a4a59449db4ba37211fa331 2025-09-03
FileHash-SHA256 f4d8e1a687e7f7336162d3caed9b25d9d3e6cfe75c89495f75a92ca87025374b 2025-09-03
FileHash-SHA256 ff32bc1c756d560d8a9815db458f438d63b1dcb7e9930ef5b8639a55fa7762c9 2025-09-03
URL https://decoded.avast.io/janvojtesek/lazarus-and-the-fudmodule-rootkit-beyond-byovd-with-an-admin-to-kernel-zero-day/ 2025-09-03
URL https://vipyrsec.com/research/elf64-rat-malware/ 2025-09-03
YARA 10da1920639e009539ac4e8b8c740a2c335bf630 XOR key used for shellcode obfuscation. 2025-09-03
YARA 442f4abac74d844256e3ff60f929b358ded71881 Hunting rule to detect DPAPILoader, a loader used to load RemotePE. 2025-09-03
YARA 56f9b97fee195ed8dea39552eac288aa58cfaf48 RemotePE class strings. 2025-09-03
YARA bddd1fb74bbed46f07743af28cb1e1468df3d3bd ThemeForest RC4 key used for config file. 2025-09-03
YARA bef8714787a76d33d74dc23e7c750e74b57f6f04 RemotePE strings used for C2. 2025-09-03
YARA f8df313a370bc856a0f2c05c6d27e56c56b7448f ThemeForestRAT strings used for C2. 2025-09-03
domain aaaaaaa.aaa 2025-09-03
domain aes-secure.net 2025-09-03
domain apdl.cf 2025-09-03
domain arcashop.org 2025-09-03
domain azuredeploypackages.net 2025-09-03
domain azureglobalaccelerator.com 2025-09-03
domain calendly.live 2025-09-03
domain dpkgrepo.com 2025-09-03
domain file.name 2025-09-03
domain ftxstock.com 2025-09-03
domain jdkgradle.com 2025-09-03
domain keondigital.com 2025-09-03
domain latamics.org 2025-09-03
domain lmaxtrd.com 2025-09-03
domain nansenpro.com 2025-09-03
domain oncehub.co 2025-09-03
domain paxosfuture.com 2025-09-03
domain picktime.live 2025-09-03
domain pypilibrary.com 2025-09-03
domain pypistorage.com 2025-09-03
domain vipyrsec.com 2025-09-03
hostname decoded.avast.io 2025-09-03
hostname go.oncehub.co 2025-09-03
hostname www.natefi.org 2025-09-03
hostname www.plexisco.com 2025-09-03
References (1)
↗ https://blog.fox-it.com/2025/09/01/three-lazarus-rats-coming-for-your-cheese/