TLP:AMBER | INTERNAL // EYES ONLY
ID: REP-2026-001
Date: 2026-01-27

EXECUTIVE SUMMARY: EMERGING LAZARUS GROUP ACTIVITY TARGETING SWIFT NODES

Impact: Critical
Confidence: High
Regions: APAC, EUROPE

BLUF

Lazarus Group has initiated a new campaign targeting SWIFT payment gateways in the APAC region using a novel DLL side-loading technique. Immediate patching of SolarWinds Orion instances is recommended.

Key Judgements

  • High Confidence: The campaign utilizes a modified version of the BlindCan RAT, previously associated with the Hidden Cobra subgroup.
  • Medium Confidence: Initial access is gained via targeted spear-phishing campaigns impersonating recruiter outreach from major crypto exchanges.
  • Low Confidence: There are indicators suggesting collaboration with an unknown broker for initial access, though this remains unverified.

Detailed Analysis

Signals intelligence indicates a resumption of activity following a 3-month dormant period; the actors are deploying a new variant of their primary backdoor.

"The malware waits for user inactivity before communicating with C2 servers located in compromised university networks."

Impact Assessment

If successful, this campaign could allow for:

  1. Fraudulent fund transfers.
  2. Long-term espionage on financial transaction data.
  3. Destruction of evidence via wiper malware.

Indicators

| Indicator | Type | Notes |
| :--- | :--- | :--- |
| 192.168.1.1 | IP Address | Internal test C2 (Sample) |
| malicious_update.exe | File | Hash: a1b2c3d4... |

Recommendations

  1. Block all traffic to verified C2 ranges.
  2. Review firewall logs for outbound SMB traffic on non-standard ports.
  3. Rotate SWIFT operator credentials immediately.
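An added example, not part of the original report or of the Omnisite platform, showing how recommendations 1 and 2 could be checked against firewall logs. It parses constructed key=value log lines, flags outbound destinations that fall within a C2 indicator list (the report's own sample indicator 192.168.1.1 plus a hypothetical placeholder range in TEST-NET-3), and flags outbound connections that the firewall classified as SMB on ports other than 445/139. The log format, the `app=` application field and the placeholder range are assumptions made for the example; real firewalls label application protocol differently.

```python
import ipaddress
from typing import Dict, List

# C2 indicator list for this example. 192.168.1.1 is the report's own sample
# indicator; 203.0.113.0/24 (TEST-NET-3) is a hypothetical placeholder range.
C2_NETWORKS = [
    ipaddress.ip_network("192.168.1.1/32"),
    ipaddress.ip_network("203.0.113.0/24"),  # placeholder, not a real C2 range
]

# Ports on which SMB is expected; anything else is "non-standard".
STANDARD_SMB_PORTS = {445, 139}

# Constructed firewall log lines in an assumed key=value format (not from any
# real product). Addresses are from RFC 5737 documentation ranges.
SAMPLE_LOG = """\
ts=2026-01-27T10:00:01Z dir=out src=10.0.0.5 dst=192.168.1.1 dport=443 app=tls
ts=2026-01-27T10:00:02Z dir=out src=10.0.0.7 dst=198.51.100.20 dport=8445 app=smb
ts=2026-01-27T10:00:03Z dir=out src=10.0.0.8 dst=198.51.100.21 dport=445 app=smb
ts=2026-01-27T10:00:04Z dir=in src=198.51.100.30 dst=10.0.0.9 dport=4444 app=smb
ts=2026-01-27T10:00:05Z dir=out src=10.0.0.5 dst=203.0.113.77 dport=80 app=http
"""


def parse_line(line: str) -> Dict[str, str]:
    """Split one key=value firewall log line into a dict of fields."""
    return dict(tok.split("=", 1) for tok in line.split())


def in_c2_range(ip: str) -> bool:
    """True if the address falls inside any listed C2 indicator network."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in C2_NETWORKS)


def review(log_text: str) -> List[Dict[str, str]]:
    """Return one finding per outbound record that matches either check:
    (1) destination inside a C2 indicator range,
    (2) firewall-classified SMB on a port other than 445/139."""
    findings: List[Dict[str, str]] = []
    for raw in log_text.splitlines():
        if not raw.strip():
            continue
        rec = parse_line(raw)
        if rec.get("dir") != "out":
            continue  # both recommendations concern outbound traffic
        dst = rec["dst"]
        dport = int(rec["dport"])
        app = rec.get("app", "")
        base = {"ts": rec["ts"], "src": rec["src"], "dst": dst, "dport": str(dport)}
        if in_c2_range(dst):
            findings.append({**base, "reason": "dst in C2 indicator range"})
        if app == "smb" and dport not in STANDARD_SMB_PORTS:
            findings.append({**base, "reason": f"outbound SMB on non-standard port {dport}"})
    return findings


if __name__ == "__main__":
    for f in review(SAMPLE_LOG):
        print(f"{f['ts']} {f['src']} -> {f['dst']}:{f['dport']}  {f['reason']}")
```

Inbound records are skipped on purpose: the report's recommendations are about outbound C2 and SMB egress, and matching inbound scans against the same rules would only add noise. Over the constructed sample the script produces three findings: the connection to the sample indicator 192.168.1.1, the SMB session on port 8445, and the HTTP request into the placeholder range.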

Omnisite Intelligence Platform // v0.1-MVP

Stylistic classification markings only; OSINT-based analysis. Not for operational use on classified networks.

PUBLIC DEMO ENVIRONMENT - DO NOT UPLOAD PII/PHI

Key Entities
Lazarus Group, Central Bank of Swift
Vectors
Social Engineering, SWIFT Transaction Tampering, DLL Side-Loading

No timeline events logged.

AUTOMATED ANALYTICS v1.0