Lazarus Group

Trojanized cryptocurrency trading applications distributed as legitimate software. Targets Windows and macOS to steal cryptocurrency wallet credentials and keys.

Primary RAT using dual-proxy communication with RC4 encryption. Provides full remote access including file management, process manipulation, and system information gathering.

Sophisticated RAT with proxy-aware C2 communication. Used in defense contractor targeting campaigns with capabilities for screen capture, file transfer, and process manipulation.

Advanced backdoor used in defense industry espionage campaigns. Capable of pivoting between IT and restricted OT networks within compromised organizations.

Modular spyware used for keylogging, browser history theft, and collecting running processes. Evolved from DarkSeoul tools used in attacks against South Korea.

Highly customizable backdoor family used across multiple Lazarus campaigns. Supports extensive plugins for reconnaissance, exfiltration, and lateral movement.

Cross-platform malware framework (Windows, Linux, macOS) with modular plugin architecture. Supports file manipulation, proxying, and loading additional modules from C2.

Used extensively for post-exploitation in financial sector attacks. Beacons deployed via spear-phishing or trojanized apps for lateral movement and data exfiltration.

Deployed for credential harvesting from Windows systems. Used to obtain NTLM hashes and Kerberos tickets for lateral movement within financial institution networks.

Used for fileless malware execution, downloading secondary payloads, and living-off-the-land reconnaissance in compromised enterprise environments.

Self-propagating ransomware worm that exploited EternalBlue (MS17-010). Infected 300,000+ computers across 150 countries in 2017, causing billions in damages.

Custom malware deployed on banking switch application servers to intercept and approve fraudulent ATM withdrawal requests. Used in ATM jackpotting campaigns across Asia and Africa.

Custom tunneling tool that creates encrypted channels between compromised networks and C2 infrastructure, allowing data exfiltration through proxied connections.

Supply chain attacks via malicious packages on npm and PyPI registries targeting cryptocurrency developers. Packages contain hidden backdoors activated on install.

Elaborate fake recruiter personas on LinkedIn to target cryptocurrency and defense sector employees. Delivers trojanized coding challenges or job-related documents.

Trojanized versions of legitimate PyPI packages targeting Python developers. Used as part of supply chain attacks against cryptocurrency companies.

Remote access tool used by Andariel subgroup for data exfiltration

Trojanized cryptocurrency wallet application targeting blockchain users

Malware specifically designed to compromise cryptocurrency trading platforms

Remote access backdoor with extensive data collection capabilities

Backdoor with command execution and data exfiltration functionality