Wednesday, April 30, 2025
HomeCyber AttackLazarus Hackers Using New VNC Based Malware To Attack Organizations Worldwide

Lazarus Hackers Using New VNC Based Malware To Attack Organizations Worldwide

Published on

SIEM as a Service

Follow Us on Google News

The Lazarus Group has recently employed a sophisticated attack, dubbed “Operation DreamJob,” to target employees in critical sectors like nuclear energy, which involves distributing malicious archive files disguised as legitimate job offers. 

Once executed, these files unleash a multi-stage infection chain, comprising a downloader, loader, and backdoor, allowing the threat actor to establish persistent access to compromised systems, potentially enabling data theft, espionage, or disruptive attacks.

Lazarus, known for supply chain attacks, has evolved its tactics, as in a recent campaign, they sent trojanized VNC utilities disguised as skills assessment archives. 

- Advertisement - Google News
Malicious files created on the victims’ hosts
Malicious files created on the victims’ hosts

After initial compromise, they intensified attacks on specific targets, which highlights the group’s adaptability and underscores the need for vigilant security practices, especially against evolving threat actors.

2024 MITRE ATT&CK Evaluation Results for SMEs & MSPs -> Download Free Guide

The group used ISO files (instead of easily detectable ZIP) to deliver a trojanized TightVNC (AmazonVNC.exe) disguised as a legitimate VNC viewer, which generated an XOR key based on a provided IP address to decrypt downloader Ranid stored within the VNC executable. 

In another case, Lazarus used a ZIP archive containing a legitimate vncviewer.exe alongside a malicious vnclang.dll (MISTPEN loader). vnclang.dll downloaded additional payloads, including the recently discovered RollMid and a new LPEClient variant.  

Malicious AmazonVNC.exe 
Malicious AmazonVNC.exe 

The Lazarus group utilized CookieTime malware as a versatile tool for lateral movement and payload delivery. Initially, CookieTime directly received commands from a C2 server. 

However, it evolved to download and execute various malware strains, including LPEClient, Charamel Loader, ServiceChanger, and an updated version of CookiePlus. 

CookieTime leverages diverse loading techniques, such as DLL side-loading and service execution, to maintain persistence and evade detection.

By exploiting legitimate services like ssh-agent and leveraging DLL side-loading with malicious DLLs, the attackers ensured stealthy and persistent operations.

Overall malware-to-malware flowchart
Overall malware-to-malware flowchart

CookiePlus, a new plugin-based malware, was discovered, which can be loaded by either ServiceChanger or Charamel Loader and downloads additional payloads from the C2 server after initial communication. 

The payloads are encrypted with ChaCha20 and can be either DLLs or shellcodes. CookiePlus uses a 32-byte data array as a key to decrypt the payloads, where the type of payload is determined by a flag, and if it’s a DLL, CookiePlus will load it into memory. 

If it’s a shellcode, CookiePlus will grant it execute permission before execution, and the execution result is then encrypted and sent back to the C2 server. CookiePlus is likely the successor to MISTPEN based on similar functionalities and plugin usage. 

CookiePlus C2 communication process
CookiePlus C2 communication process

According to Secure List, the Lazarus group has recently employed a new tactic, utilizing compromised WordPress servers as C2s for their malicious activities. 

This shift, coupled with the introduction of modular malware like CookiePlus, indicates the group’s ongoing efforts to enhance their arsenal and bypass security measures. 

CookiePlus’s ability to function as a downloader further complicates threat detection and response, as it can potentially deliver various payloads, including additional malware. 

Investigate Real-World Malicious Links, Malware & Phishing Attacks With ANY.RUN – Try for Free

Aman Mishra
Aman Mishra
Aman Mishra is a Security and privacy Reporter covering various data breach, cyber crime, malware, & vulnerability.

Latest articles

WhatsApp Unveils New AI Features While Ensuring Full Message Secrecy

WhatsApp, the world’s most popular messaging platform, has announced a major expansion of artificial...

Wormable AirPlay Zero-Click RCE Flaw Allows Remote Device Hijack via Wi-Fi

A major set of vulnerabilities-collectively named “AirBorne”-in Apple’s AirPlay protocol and SDK have been...

Chrome 136 Fixes 20-Year-Old Privacy Bug in Latest Update

Google has begun rolling out Chrome 136 to the stable channel for Windows, Mac,...

Researchers Uncover SuperShell Payloads and Various Tools in Hacker’s Open Directories

Cybersecurity researchers at Hunt have uncovered a server hosting advanced malicious tools, including SuperShell...

Resilience at Scale

Why Application Security is Non-Negotiable

The resilience of your digital infrastructure directly impacts your ability to scale. And yet, application security remains a critical weak link for most organizations.

Application Security is no longer just a defensive play—it’s the cornerstone of cyber resilience and sustainable growth. In this webinar, Karthik Krishnamoorthy (CTO of Indusface) and Phani Deepak Akella (VP of Marketing – Indusface), will share how AI-powered application security can help organizations build resilience by

Discussion points


Protecting at internet scale using AI and behavioral-based DDoS & bot mitigation.
Autonomously discovering external assets and remediating vulnerabilities within 72 hours, enabling secure, confident scaling.
Ensuring 100% application availability through platforms architected for failure resilience.
Eliminating silos with real-time correlation between attack surface and active threats for rapid, accurate mitigation

More like this

WhatsApp Unveils New AI Features While Ensuring Full Message Secrecy

WhatsApp, the world’s most popular messaging platform, has announced a major expansion of artificial...

Wormable AirPlay Zero-Click RCE Flaw Allows Remote Device Hijack via Wi-Fi

A major set of vulnerabilities-collectively named “AirBorne”-in Apple’s AirPlay protocol and SDK have been...

Chrome 136 Fixes 20-Year-Old Privacy Bug in Latest Update

Google has begun rolling out Chrome 136 to the stable channel for Windows, Mac,...