lazarusholic


Lazarus Group targets Aerospace and Defense with new Comebacker variant

2025-11-07, ENKI
https://www.enki.co.kr/en/media-center/blog/lazarus-group-targets-aerospace-and-defense-with-new-comebacker-variant
#Comebacker #Lazarus

Contents

Executive Summary
ENKI identified a new variant of Comebacker while following up on public reporting of a malicious domain.
The malware is delivered via lure documents themed around prominent aerospace and defense organizations, indicating a targeted espionage campaign against this sector.
Pivoting from the initial C&C infrastructure, we uncovered an additional C&C domain and a related Comebacker sample, suggesting the campaign has been active since at least March 2025.
1. Overview
In 2025-06, ENKI initiated an investigation based on ThreatBookLabs' reporting of a malicious domain, office-theme[.]com, attributed to Lazarus Group. Analysis of .docx files hosted on this domain revealed a multi-stage malware infection chain deploying a new variant of the Comebacker backdoor.
By pivoting on the malware's C&C infrastructure, we identified an additional C&C domain and a related Comebacker sample that suggests the campaign has been active since at least March 2025.
This report provides an analysis of this new Comebacker variant, details the associated infrastructure, and tracks …

IoC
