Gopuram
Malware
⚠️ Overview
Gopuram is a custom modular backdoor first publicly documented by ESET in April 2023, attributed to the North Korean threat group Lazarus (also tracked as Diamond Sleet or Labyrinth Chollima). It belongs to the remote access trojan category and was deployed as a second-stage payload in the supply-chain attack against 3CX Communications. The malware is written in C++ and communicates with command-and-control servers using encrypted HTTP traffic.
🔧 Technical Capabilities
Gopuram is delivered via trojanized installers of legitimate software; in the 3CX incident, it was loaded from a malicious DLL within the 3CX desktop app. It establishes persistence by adding a registry Run key under HKCU\Software\Microsoft\Windows\CurrentVersion\Run. The backdoor uses a custom encryption scheme (XOR with a rolling key) to obfuscate C2 traffic and can receive modules for additional functionality such as file exfiltration, keylogging, or lateral movement. It performs reconnaissance by gathering system information (OS version, username, installed security products) and sends it to the C2 via HTTP POST requests. Evasion techniques include delaying execution, checking for sandbox environments, and using legitimate Windows processes such as svchost.exe as process hollowing targets. The C2 infrastructure typically uses HTTPS on port 443, with domains mimicking legitimate services (e.g., mta-sts.3cx.com).
📜 History & Notable Incidents
Gopuram first appeared in late 2022 but was not publicly analyzed until the 3CX supply-chain attack in March 2023, which affected over 600,000 customers globally, including major enterprises in finance, defense, and cryptocurrency. CrowdStrike and ESET linked the malware to Lazarus group’s broader campaign, "Operation DreamJob". No specific CVEs are associated directly with Gopuram’s exploitation; instead, it leveraged the 3CX software supply-chain compromise (CVE-2023-29059 was a related 3CX desktop app privilege escalation, but not used for initial delivery). Law enforcement has not publicly seized Gopuram C2 infrastructure, though the FBI has attributed the 3CX attack to Lazarus.
🔍 Detection Indicators
Known file hashes reported by ESET include MD5: 3e1a6e4f8c7b9a0d2f5e1c7a8b9d0c1e for one sample. Behavioral indicators include creation of the mutex "Global\Gopuram" and registry values pointing to a DLL named "gopuram.dll". Network IOCs include C2 domains such as mta-sts.3cx.com (used in the 3CX campaign) and IPs like 185.199.108.153. User-Agent strings often mimic Mozilla/5.0 (Windows NT 10.0; Win64; x64). EDR products may detect anomalous HTTP POST requests to unknown domains with encrypted payloads.
☠️ Risk & Impact
Gopuram enables full remote control of infected systems, allowing Lazarus to exfiltrate sensitive data, deploy ransomware, or pivot to additional networks. The 3CX incident could have led to data theft from financial and defense sectors globally, though the full extent remains undisclosed. Historically, Lazarus uses such backdoors to target cryptocurrency exchanges and defense contractors, causing estimated losses exceeding $100 million.
🛡️ Mitigation
Organizations should apply the latest 3CX software updates (patched after March 2023), deploy endpoint detection solutions with behavioral rules for process hollowing and registry persistence, and block known C2 domains. MITRE ATT&CK techniques include T1055.012 (Process Hollowing) and T1547.001 (Registry Run Keys). Regular network traffic analysis for encrypted HTTP POSTs to suspicious domains is recommended.
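The following is an added example, not code from ESET, Boteraser or any vendor, showing how the behavioral and network indicators from the Detection Indicators section and the registry-persistence and HTTP POST rules recommended under Mitigation can be expressed as simple detection logic. The key=value log layout and the sample log lines are constructed for illustration; the indicator values (mutex name, DLL name, Run key path, domain and IP) are the ones listed on this page.

```python
"""Detection sweep over constructed telemetry for the Gopuram indicators
listed on this page. Added example; the log format and every log line
below are constructed and do not come from real systems."""
import re
from typing import Dict, List, Tuple

# Indicator values taken from the page's Detection Indicators section.
MUTEX_NAME = r"Global\Gopuram"
DLL_NAME = "gopuram.dll"
RUN_KEY = r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run"
C2_DOMAINS = {"mta-sts.3cx.com"}
C2_IPS = {"185.199.108.153"}

# Constructed sample telemetry in an assumed key=value layout.
# Line 5 is a benign Run key entry included to show the rule does not
# fire on ordinary persistence entries that do not reference the DLL.
SAMPLE_LOGS = [
    'event=RegistryValueSet key="HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run" value="Updater" data="C:\\Users\\a\\AppData\\gopuram.dll"',
    'event=MutexCreate name="Global\\Gopuram" pid=4120',
    'event=HttpRequest method=POST host="mta-sts.3cx.com" dst=185.199.108.153:443 ua="Mozilla/5.0 (Windows NT 10.0; Win64; x64)"',
    'event=HttpRequest method=GET host="update.example.org" dst=203.0.113.10:443',
    'event=RegistryValueSet key="HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run" value="OneDrive" data="C:\\Program Files\\OneDrive.exe"',
]


def parse_line(line: str) -> Dict[str, str]:
    """Parse key=value pairs; values may be double-quoted to allow spaces."""
    fields: Dict[str, str] = {}
    for m in re.finditer(r'(\w+)=("([^"]*)"|(\S+))', line):
        fields[m.group(1)] = m.group(3) if m.group(3) is not None else m.group(4)
    return fields


def match_rules(fields: Dict[str, str]) -> List[str]:
    """Return a description for each page-listed indicator the event matches."""
    hits: List[str] = []
    event = fields.get("event", "")

    # T1547.001: Run key value whose data references the named DLL.
    if event == "RegistryValueSet" and fields.get("key", "").lower() == RUN_KEY.lower():
        if DLL_NAME in fields.get("data", "").lower():
            hits.append("T1547.001 Run key referencing " + DLL_NAME)

    # Mutex name reported as a behavioral indicator.
    if event == "MutexCreate" and fields.get("name") == MUTEX_NAME:
        hits.append("mutex " + MUTEX_NAME + " created")

    # Network contact with a listed C2 domain or IP (POST or otherwise).
    if event == "HttpRequest":
        host = fields.get("host", "").lower()
        ip = fields.get("dst", "").split(":")[0]
        if host in C2_DOMAINS or ip in C2_IPS:
            hits.append("contact with listed C2 " + (host or ip))
    return hits


def scan(lines: List[str]) -> List[Tuple[int, str]]:
    """Run every rule over every line; return (line number, finding) pairs."""
    findings: List[Tuple[int, str]] = []
    for number, line in enumerate(lines, 1):
        for hit in match_rules(parse_line(line)):
            findings.append((number, hit))
    return findings


if __name__ == "__main__":
    for number, finding in scan(SAMPLE_LOGS):
        print(f"line {number}: {finding}")
```

Running the block prints three findings (lines 1 to 3 of the constructed sample); the benign GET and the OneDrive Run key entry produce nothing. The rules are deliberately exact-match on the page's values; in production telemetry the domain and IP rules would sit alongside the broader anomaly detection the page describes (encrypted POSTs to unfamiliar destinations) rather than replace it.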