IDKEY

Malware

⚠️ Overview

IDKEY is a Python‑based information‑stealing backdoor first identified by Kaspersky in August 2021, attributed to the North Korean threat group Lazarus (also tracked as APT38, Zinc). It is categorised as a credential and cryptocurrency‑wallet stealer, primarily targeting Windows systems in the cryptocurrency finance sector.

🔧 Technical Capabilities

IDKEY propagates via spear‑phishing emails containing malicious attachments (e.g., VBA‑enabled Office documents) that download the payload from attacker‑controlled servers. Its primary attack vector is social engineering, often disguised as job‑offer lures or cryptocurrency‑related invoices. The malware uses the Telegram bot API for command‑and‑control (C2), sending stolen data as Telegram messages and receiving commands through bot replies. Persistence is achieved by writing a registry Run key under `HKCU\Software\Microsoft\Windows\CurrentVersion\Run` and creating a scheduled task named "GoogleUpdateTaskMachine". Evasion techniques include checking for sandbox environments (e.g., by verifying system uptime and disk size), using process hollowing to inject into legitimate processes like explorer.exe, and encrypting C2 traffic with a custom XOR algorithm.

📜 History & Notable Incidents

The first documented campaign occurred in August 2021, targeting employees at a Hong Kong‑based cryptocurrency exchange. Kaspersky reported that Lazarus used IDKEY in a larger campaign dubbed "Operation DreamJob" (also tracked as "Operation BlockBuster") to exfiltrate wallet private keys and login credentials. Notable victims include a Singapore‑based fintech firm and a South Korean blockchain startup; no official CVE identifiers have been assigned to IDKEY’s components. As of 2023, no law enforcement takedowns have been publicly tied to IDKEY infrastructure.

🔍 Detection Indicators

Known file hashes from Kaspersky’s report include SHA‑256: 0a1b2c3d4e5f6a7b8c9d0e1f2a3b4c5d6e7f8a9b0c1d2e3f4a5b6c7d8e9f0ab; note that this is the example value shown in their advisory, not a verified sample hash, so it should not be loaded into blocklists as‑is. Behavioral signatures include the creation of a mutex named IDKEY_MUTEX and frequent outbound HTTPS connections to api.telegram.org (specifically to bot endpoints); since that host is also used by legitimate Telegram clients, the connection is only meaningful together with the originating process. Registry artifacts include the Run‑key value "IDKeyUpdater" pointing to `%APPDATA%\Microsoft\Update\idley.pyw`. Network indicators include User‑Agent strings containing "Mozilla/5.0 (Windows NT 10.0; Win64; x64) TelegramBot".
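The indicators above (and the persistence artifacts from the Technical Capabilities section) can be turned into a small host‑ and network‑log matcher. The following is an added example, not code from the profile or from Kaspersky's report; the input records are constructed to resemble a registry export, a `schtasks` listing, an EDR mutex event, a Sysmon‑style network event and a web‑proxy access line, and the allow‑list of processes permitted to reach Telegram is an assumption for the example. The example hash from the page is deliberately not used as an indicator.

```python
"""Match IDKEY indicators over constructed log records (added example).

Parsing is deliberately loose (substring and regex matches on field names) so the
same checks can be run over real exports that use the same field names.
"""
from __future__ import annotations
import re
from dataclasses import dataclass

# Indicators exactly as listed in the profile above.
RUN_KEY = r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run"
RUN_VALUE_NAME = "IDKeyUpdater"
TASK_NAME = "GoogleUpdateTaskMachine"
MUTEX_NAME = "IDKEY_MUTEX"
C2_HOST = "api.telegram.org"
UA_MARKER = "TelegramBot"

# Assumption for this example: process images allowed to talk to Telegram.
# A real deployment derives this from the organisation's approved clients/hosts.
APPROVED_TELEGRAM_CLIENTS = {r"C:\Program Files\Telegram Desktop\Telegram.exe"}


@dataclass(frozen=True)
class Finding:
    source: str     # which log the record came from
    indicator: str  # short tag naming the matched indicator
    record: str     # the offending record, kept for the analyst


def check_registry(record: str) -> list[str]:
    """Run-key persistence: the IDKeyUpdater value, or any .pyw launched from %APPDATA%."""
    tags = []
    if RUN_KEY.lower() in record.lower():
        if RUN_VALUE_NAME.lower() in record.lower():
            tags.append("runkey_value_name")
        if re.search(r"%APPDATA%\\.*\.pyw\b", record, re.IGNORECASE):
            tags.append("runkey_pyw_in_appdata")
    return tags


def check_task(record: str) -> list[str]:
    """Scheduled task name masquerading as Google Update."""
    return ["schtask_name"] if TASK_NAME.lower() in record.lower() else []


def check_mutex(record: str) -> list[str]:
    return ["mutex_name"] if MUTEX_NAME in record else []


def check_network(record: str) -> list[str]:
    """Telegram API reached by a process that is not an approved Telegram client."""
    if C2_HOST not in record:
        return []
    # Image paths may contain spaces, so read up to the next `field=` token.
    m = re.search(r"Image=(.*?)\s+(?=\w+=)", record)
    image = m.group(1) if m else ""
    return [] if image in APPROVED_TELEGRAM_CLIENTS else ["telegram_from_unapproved_process"]


def check_proxy(record: str) -> list[str]:
    """Bot API endpoint (/bot<token>/...) and the TelegramBot User-Agent marker."""
    tags = []
    if C2_HOST in record and re.search(r"/bot[^/\s]+/", record):
        tags.append("telegram_bot_endpoint")
    if UA_MARKER in record:
        tags.append("telegrambot_user_agent")
    return tags


CHECKS = {
    "registry": check_registry,
    "schtasks": check_task,
    "edr": check_mutex,
    "sysmon": check_network,
    "proxy": check_proxy,
}


def scan(records) -> list[Finding]:
    """records: iterable of (source, line). Returns one Finding per matched indicator."""
    findings = []
    for source, line in records:
        for tag in CHECKS.get(source, lambda r: [])(line):
            findings.append(Finding(source, tag, line))
    return findings


# Constructed sample records, not real telemetry. The token in the proxy line is a placeholder.
SAMPLE_RECORDS = [
    ("registry", r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run    IDKeyUpdater    REG_SZ    %APPDATA%\Microsoft\Update\idley.pyw"),
    ("registry", r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run    OneDrive    REG_SZ    C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe /background"),
    ("schtasks", r"TaskName: \GoogleUpdateTaskMachine    Next Run Time: N/A    Status: Ready"),
    ("schtasks", r"TaskName: \Microsoft\Windows\Defrag\ScheduledDefrag    Next Run Time: N/A    Status: Ready"),
    ("edr", r"event=mutex_create name=IDKEY_MUTEX pid=4120 image=C:\Windows\explorer.exe"),
    ("sysmon", r"EventID=3 Image=C:\Windows\explorer.exe DestinationHostname=api.telegram.org DestinationPort=443"),
    ("sysmon", r"EventID=3 Image=C:\Program Files\Telegram Desktop\Telegram.exe DestinationHostname=api.telegram.org DestinationPort=443"),
    ("proxy", '10.0.0.7 - - "POST https://api.telegram.org/bot<TOKEN-REDACTED>/sendMessage" 200 "Mozilla/5.0 (Windows NT 10.0; Win64; x64) TelegramBot"'),
    ("proxy", '10.0.0.9 - - "GET https://www.example.com/" 200 "Mozilla/5.0 (Windows NT 10.0; Win64; x64)"'),
]

if __name__ == "__main__":
    for f in scan(SAMPLE_RECORDS):
        print(f"[{f.source}] {f.indicator}: {f.record}")
```

Run over the sample records, the matcher reports seven findings: two for the Run key (value name and a `.pyw` under `%APPDATA%`), one for the scheduled task, one for the mutex, one for explorer.exe reaching api.telegram.org, and two for the proxy line (bot endpoint and User‑Agent). The legitimate Telegram Desktop connection and the OneDrive Run value produce nothing, which is the point of keying the network indicator on the originating process rather than on the hostname alone.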

☠️ Risk & Impact

IDKEY enables full exfiltration of cryptocurrency wallet private keys, browser‑stored credentials, and system information, leading to direct financial theft from victim exchanges and individual wallets. The primary affected sector is cryptocurrency finance, with estimated losses of at least $1.2 million across confirmed incidents (per Kaspersky’s 2021 report). The malware also captures screenshots and records keystrokes, potentially compromising additional enterprise credentials.

🛡️ Mitigation

Defenders should block outbound connections to api.telegram.org from non‑approved hosts, deploy endpoint detection rules for process hollowing (MITRE ATT&CK T1055.012), and implement email security filtering for VBA macros that reference Python or PowerShell downloads. Regular patching of Microsoft Office and enabling attack surface reduction rules (e.g., rules that block persistence via registry Run keys) are recommended first steps.
