疑似APT-C-26(Lazarus)组织升级监控程序的攻击行动分析

2026-07-15 Qihoo360 Analysis of an Attack Campaign Involving an Upgraded Monitoring Tool by Suspected APT-C-26 (Lazarus)

https://mp.weixin.qq.com/s/6hjjsEuuOTk8_FJrXWe9Ew

Thumbnail for 疑似APT-C-26(Lazarus)组织升级监控程序的攻击行动分析

APT-C-26 (Lazarus) added a dedicated keylogging component, KKernel.exe, to a previously observed custom remote desktop surveillance platform. It installs as KKernelService, escapes Session 0 by spawning an agent in the active user session, and restarts the agent if it terminates. The agent captures keystrokes through raw input, low-level hooks, and 10 ms asynchronous polling while recording the foreground window and process context under C:\ProgramData\Windows\WMI\Temp. Every 30 seconds, the malware sends new keystroke and debug logs to the previously configured C2 server and truncates the local files after successful transmission.

Indicators of Compromise

Type Value First Seen Last Seen
HASH 453F2DE79F5B4BED8D47AAEC2D1941F9 2026-07-15 2026-07-15
HASH 304F2CA41006333650C80DC82EE3CA88 2026-07-15 2026-07-15
HASH 2E0C9085612944899519F8DDC71F48D9 2026-07-15 2026-07-15
HASH 350623d317587b0a21caa2d0f92af6b0 2026-07-15 2026-07-15

Related Actors

Related Reports

« Back