Lazarus False Flag Operations

Lazarus Group false flag malware campaigns designed to misattribute attacks to other threat actors.

Start date: 1 January 2017
End date:
Techniques: 14

Indicators of compromise: 20 (7 MD5, 5 SHA256, 5 SHA1, 2 domain, 1 IP)

Attributed actors

Techniques (14)

command-and-control (2)
T1105 Ingress Tool Transfer
T1071.001 Web Protocols

discovery (2)
T1082 System Information Discovery
T1083 File and Directory Discovery

execution (2)
T1059.003 Windows Command Shell
T1059.001 PowerShell

exfiltration (1)
T1041 Exfiltration Over C2 Channel

initial-access (1)
T1566.001 Spearphishing Attachment

persistence (1)
T1547.001 Registry Run Keys / Startup Folder

privilege-escalation (2)
T1547.001 Registry Run Keys / Startup Folder
T1055 Process Injection

stealth (5)
T1036.005 Match Legitimate Resource Name or Location
T1070.004 File Deletion
T1055 Process Injection
T1036 Masquerading
T1027 Obfuscated Files or Information

Indicators of compromise (20)
