疑似APT-C-26(Lazarus)组织升级监控程序的攻击行动分析
2026-07-15 • Qihoo360 • Analysis of an Attack Campaign Involving an Upgraded Monitoring Tool by Suspected APT-C-26 (Lazarus) •
APT-C-26 (Lazarus) added a dedicated keylogging component, KKernel.exe, to a previously observed custom remote desktop surveillance platform. It installs as KKernelService, escapes Session 0 by spawning an agent in the active user session, and restarts the agent if it terminates. The agent captures keystrokes through raw input, low-level hooks, and 10 ms asynchronous polling while recording the foreground window and process context under C:\ProgramData\Windows\WMI\Temp. Every 30 seconds, the malware sends new keystroke and debug logs to the previously configured C2 server and truncates the local files after successful transmission.
Indicators of Compromise
| Type | Value | First Seen | Last Seen |
|---|---|---|---|
| HASH | 453F2DE79F5B4BED8D47AAEC2D1941F9 | 2026-07-15 | 2026-07-15 |
| HASH | 304F2CA41006333650C80DC82EE3CA88 | 2026-07-15 | 2026-07-15 |
| HASH | 2E0C9085612944899519F8DDC71F48D9 | 2026-07-15 | 2026-07-15 |
| HASH | 350623d317587b0a21caa2d0f92af6b0 | 2026-07-15 | 2026-07-15 |