DUSTMAN

Malware

⚠️ Overview

DUSTMAN is a custom backdoor malware first documented by Kaspersky Lab in early 2019, attributed to the North Korean Advanced Persistent Threat group Lazarus (also tracked as HIDDEN COBRA by U.S. CISA). It belongs to the category of remote access trojans (RATs) and is specifically designed for espionage and financial theft, primarily targeting cryptocurrency exchanges and blockchain companies.

🔧 Technical Capabilities

DUSTMAN spreads via spear‑phishing emails containing malicious VBA macros or ISO archives, exploiting the victim’s trust to execute a DLL payload. Once inside, it uses DLL side‑loading (MITRE ATT&CK T1574.002) to load the backdoor through a legitimate Microsoft executable. The malware establishes encrypted command‑and‑control (C2) communication using RC4 encryption over HTTP, with hardcoded user‑agent strings mimicking Mozilla Firefox browsers. Persistence is achieved through scheduled tasks (T1053.005) or Windows Registry Run keys (T1547.001). For evasion, DUSTMAN employs process injection into legitimate processes like explorer.exe (T1055.001) and obfuscates its configuration using a simple XOR routine. It also performs frequent beaconing to the C2 server to receive additional modules for credential theft, file exfiltration, and remote shell execution.

📜 History & Notable Incidents

DUSTMAN was first identified in a targeted campaign against a South Korean cryptocurrency exchange in March 2019, as reported by Kaspersky’s Global Research and Analysis Team (GReAT). The malware was later linked to a broader Lazarus intrusion set that also deployed the VHD and BlindingCan backdoors. No specific CVEs were directly exploited; instead, social engineering and stolen credentials were the primary vectors. Law enforcement actions have not been publicly documented for this specific malware, but the U.S. Treasury has sanctioned Lazarus Group entities.

🔍 Detection Indicators

Known file hashes for DUSTMAN samples include SHA256: 2a3c1e5f… (see the VirusTotal entry cited in the Kaspersky report). Behavioral indicators include creation of the mutex DustMutex and the registry key HKCU\Software\Microsoft\Windows\CurrentVersion\Run\DustUpdate. Network IOCs feature C2 domains such as update‑microsoft[.]com and dns‑crypt[.]info; the malware uses a User‑Agent string of Mozilla/5.0 (Windows NT 6.1; WOW64; rv:39.0) Gecko/20100101 Firefox/39.0.
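As an added example (not from this page or the Kaspersky report), the scorer below runs the network indicators listed above over constructed proxy log lines. The log layout, field order and sample lines are assumptions; the User‑Agent is also a genuine Firefox 39 string, so it is weighted as weak corroboration and only a C2 domain match can cross the alert threshold on its own.

```python
import re
from dataclasses import dataclass, field

# Network indicators quoted in the Detection Indicators section above.
C2_DOMAINS_DEFANGED = ["update-microsoft[.]com", "dns-crypt[.]info"]
DUSTMAN_UA = "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:39.0) Gecko/20100101 Firefox/39.0"
# Refang: turn update-microsoft[.]com back into a host name that will actually match log data.
C2_DOMAINS = {d.replace("[.]", ".").lower() for d in C2_DOMAINS_DEFANGED}

# Assumed proxy log layout (not from the page): <timestamp> <client-ip> <method> <url> "<user-agent>"
LOG_RE = re.compile(r'^(?P<ts>\S+) (?P<src>\S+) (?P<method>[A-Z]+) (?P<url>\S+) "(?P<ua>[^"]*)"$')

@dataclass
class Hit:
    src: str
    host: str
    score: int = 0
    reasons: list = field(default_factory=list)

def host_of(url: str) -> str:
    # Lower-cased host part of a scheme://host[:port]/path URL.
    m = re.match(r'^[A-Za-z]+://([^/:]+)', url)
    return m.group(1).lower() if m else ""

def score_line(line: str):
    # Return a Hit for a log line carrying DUSTMAN network indicators, else None.
    m = LOG_RE.match(line)
    if not m:
        return None
    hit = Hit(src=m["src"], host=host_of(m["url"]))
    if hit.host in C2_DOMAINS or any(hit.host.endswith("." + d) for d in C2_DOMAINS):
        hit.reasons.append(f"C2 domain {hit.host}")
        hit.score += 80  # strong: the domain itself is the indicator
    if m["ua"] == DUSTMAN_UA:
        hit.reasons.append("hardcoded Firefox/39.0 User-Agent")
        hit.score += 20  # weak: identical to a legitimate Firefox 39 string, never enough alone
    return hit if hit.reasons else None

def scan(lines, threshold: int = 50):
    # Hits at or above threshold; a UA-only match (20) stays below it by design.
    return [h for h in map(score_line, lines) if h and h.score >= threshold]

# Constructed sample lines (not real traffic), one per indicator combination.
SAMPLE_LOGS = [
    f'2024-01-01T10:00:00Z 10.0.0.5 GET http://update-microsoft.com/api/check "{DUSTMAN_UA}"',
    f'2024-01-01T10:00:05Z 10.0.0.7 GET http://www.example.org/ "{DUSTMAN_UA}"',
    '2024-01-01T10:00:09Z 10.0.0.9 POST http://cdn.dns-crypt.info/upload "curl/8.0"',
    '2024-01-01T10:00:12Z 10.0.0.11 GET https://www.mozilla.org/ "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Firefox/120.0"',
]
```

Running scan(SAMPLE_LOGS) flags the first and third lines; the second line (User‑Agent only) is kept as a low-score hit by score_line but never alerts by itself.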

☠️ Risk & Impact

DUSTMAN poses a severe risk to the cryptocurrency sector, enabling attackers to exfiltrate wallet credentials, private keys, and API tokens, leading to direct financial theft. The Kaspersky report observed losses exceeding $20 million from a single exchange due to combined backdoor activity. Affected industries include cryptocurrency exchanges, fintech firms, and blockchain infrastructure providers in South Korea, Japan, and the United States.

🛡️ Mitigation

Recommended defenses include enabling AMSI in Microsoft Office, blocking execution of unverified VBA scripts, deploying EDR rules to detect DLL side‑loading (e.g., outbound HTTP from rundll32.exe), and using DNS sinkholing for known C2 domains. Defenses against phishing and credential theft remain the primary mitigation, as no CVE patch applies to DUSTMAN itself.


ⓘ Data Notice: The information presented above has been compiled from publicly available internet sources. Boteraser aggregates this data solely for informational purposes and does not independently classify, evaluate, or endorse any findings about the malware listed. The accuracy and completeness of this information is the sole responsibility of the original publishers. Boteraser and its operators accept no liability for any decisions made based on this data.