{
    "type": "bundle",
    "id": "bundle--711636d2-fcb9-428b-a376-070ed728d2be",
    "objects": [
        {
            "type": "identity",
            "spec_version": "2.1",
            "id": "identity--5efc5aa2-43a0-4fd3-ba2d-92dc78fab5fb",
            "created": "2026-06-26T04:50:03.287297Z",
            "modified": "2026-06-26T06:28:38.945347Z",
            "name": "Cognyte",
            "identity_class": "organization"
        },
        {
            "type": "indicator",
            "spec_version": "2.1",
            "id": "indicator--50a0857e-4b17-4447-8658-6dc90c95850a",
            "created": "2026-06-30T20:41:46.366862Z",
            "modified": "2026-06-30T20:41:46.366862Z",
            "name": "YARA Rule",
            "pattern": "rule Lazarus_RemotePE_DPAPI_Encrypted_config {\n  meta:\n    description = \"Detects RemotePE DPAPI-encrypted config on disk\"\n    author      = \"Fox-IT Security Research Team\"\n  condition:\n    filesize == 3094\n    and uint32(0) == 0x00000001      // DPAPI blob version = 1\n    and uint32(0x8E) == 0x00000B40   // dwDataLen = 0xB40 (padded config)\n}",
            "pattern_type": "yara",
            "valid_from": "2026-05-22T00:00:00Z"
        },
        {
            "type": "indicator",
            "spec_version": "2.1",
            "id": "indicator--b912c785-3e1d-41bf-8cd7-479197da57b7",
            "created": "2026-06-30T20:41:46.367634Z",
            "modified": "2026-06-30T20:41:46.367634Z",
            "name": "YARA Rule",
            "pattern": "rule Lazarus_RemotePE_class_strings {\r\nmeta:\r\ndescription = \"RemotePE class strings.\"\r\nauthor = \"Fox-IT / NCC Group\"\r\nstrings:\r\n$a = \"IMiddleController\" ascii wide xor\r\n$b = \"IChannelController\" ascii wide xor\r\n$c = \"IConfigProfile\" ascii wide xor\r\n$d = \"IKernelModule\" ascii wide xor\r\ncondition:\r\nall of them\r\n}",
            "pattern_type": "yara",
            "valid_from": "2025-09-01T00:00:00Z"
        },
        {
            "type": "indicator",
            "spec_version": "2.1",
            "id": "indicator--75d492f0-ab93-48b8-bc1c-536d3343e560",
            "created": "2026-06-30T20:41:46.368214Z",
            "modified": "2026-06-30T20:41:46.368214Z",
            "name": "YARA Rule",
            "pattern": "rule Lazarus_RemotePE_C2_strings {\r\nmeta:\r\ndescription = \"RemotePE strings used for C2.\"\r\nauthor = \"Fox-IT / NCC Group\"\r\nstrings:\r\n$a = \"MicrosoftApplicationsTelemetryDeviceId\" wide ascii xor\r\n$b = \"armAuthorization\" wide ascii xor\r\n$c = \"ai_session\" wide ascii xor\r\ncondition:\r\nuint16(0) == 0x5A4D and all of them\r\n}",
            "pattern_type": "yara",
            "valid_from": "2025-09-01T00:00:00Z"
        },
        {
            "type": "indicator",
            "spec_version": "2.1",
            "id": "indicator--9f7d85af-b57c-49f8-a594-2a40f5d972f2",
            "created": "2026-06-30T20:41:46.368852Z",
            "modified": "2026-06-30T20:41:46.368852Z",
            "name": "YARA Rule",
            "pattern": "import \"pe\"\r\nrule Lazarus_DPAPILoader_Hunting {\r\nmeta:\r\ndescription = \"Hunting rule to detect DPAPILoader, a loader used to load RemotePE.\"\r\nauthor = \"Fox-IT / NCC Group\"\r\nstrings:\r\n$msg_1 = \"[!] Could not allocate memory at the desired base!\\n\"\r\n$msg_2 = \"[!] Virtual section size is out ouf bounds: \"\r\n$msg_3 = \"[!] Invalid relocDir pointer\\n\"\r\n$msg_4 = \"[-] Not supported relocations format at %d: %d\\n\"\r\n$msg_5 = \"[!] Cannot fill imports into 32 bit PE via 64 bit loader!\\n\"\r\ncondition:\r\nany of them and pe.imports(\"Crypt32.dll\", \"CryptUnprotectData\")\r\n}",
            "pattern_type": "yara",
            "valid_from": "2025-09-01T00:00:00Z"
        },
        {
            "type": "threat-actor",
            "spec_version": "2.1",
            "id": "threat-actor--af08d5c9-f507-5ed5-9986-7ffea3df195b",
            "created": "2026-06-30T20:41:46.373937Z",
            "modified": "2026-06-30T20:41:46.373937Z",
            "name": "Lazarus"
        },
        {
            "type": "report",
            "spec_version": "2.1",
            "id": "report--7ac0007a-4f9d-461b-a9c5-79212af18c14",
            "created_by_ref": "identity--5efc5aa2-43a0-4fd3-ba2d-92dc78fab5fb",
            "created": "2026-06-30T20:41:46.381535Z",
            "modified": "2026-06-30T20:41:46.381535Z",
            "name": "Lazarus Targets the Financial Sector with Memory-Only Malware Toolset",
            "published": "2026-06-23T00:00:00Z",
            "object_refs": [
                "identity--5efc5aa2-43a0-4fd3-ba2d-92dc78fab5fb",
                "indicator--50a0857e-4b17-4447-8658-6dc90c95850a",
                "indicator--b912c785-3e1d-41bf-8cd7-479197da57b7",
                "indicator--75d492f0-ab93-48b8-bc1c-536d3343e560",
                "indicator--9f7d85af-b57c-49f8-a594-2a40f5d972f2",
                "threat-actor--af08d5c9-f507-5ed5-9986-7ffea3df195b"
            ],
            "external_references": [
                {
                    "source_name": "source",
                    "url": "https://www.cognyte.com/blog/lazarus-targets-the-financial-sector-with-memory-only-malware-toolset/"
                }
            ]
        }
    ]
}