lazarusholic

Labyrinth Chollima APT Adversary Simulation

2025-02-16, S3N4T0R
https://medium.com/@S3N4T0R/labyrinth-chollima-apt-adversary-simulation-b4f6a79bb68f
#LabyrinthChollima

Contents

Labyrinth Chollima APT Adversary Simulation
This is a simulation of an attack by the Labyrinth Chollima APT group targeting victims working at an energy company and in the aerospace industry. The attack campaign was active before June 2024. The attack chain relies on legitimate job description content to target victims employed in U.S. critical infrastructure verticals. The job description is delivered to the victim in a password-protected ZIP archive containing an encrypted PDF file and a modified version of an open-source PDF viewer application. I relied on Mandiant's report to figure out the details needed to build this simulation: https://cloud.google.com/blog/topics/threat-intelligence/unc2970-backdoor-trojanized-pdf-reader/?linkId=10998021
Based on the surrounding context, the user was instructed to open the PDF file with the enclosed trojanized PDF viewer program, which is based on the open-source project SumatraPDF.
SumatraPDF is an open-source document viewing application that is capable of viewing multiple document file formats such as PDF, XPS, and CHM, along with many more. Its source code is …