lazarusholic

Following the Lazarus group by tracking DeathNote campaign

2023-04-12, Kaspersky
https://securelist.com/the-lazarus-group-deathnote-campaign/109490/
#DeathNote #DreamJob

Contents

The Lazarus group is a high-profile Korean-speaking threat actor with multiple sub-campaigns. We have previously published information about the connections of each cluster of this group. In this blog, we’ll focus on an active cluster that we dubbed DeathNote because the malware responsible for downloading additional payloads is named Dn.dll or Dn64.dll. This threat is also known as Operation DreamJob or NukeSped. Over the past few years, we have closely monitored the DeathNote cluster, observing a shift in their targets as well as the development and refinement of their tools, techniques, and procedures.

Timeline of DeathNote cluster

In this blog, we will provide an overview of the significant modifications that have taken place within this cluster, both in terms of its technical and strategic aspects.

Beginning of tracking DeathNote

The notorious threat actor Lazarus has persistently targeted cryptocurrency-related businesses for a long time. While monitoring the actor’s activities, we noticed that in one particular …

IoC
