LazarLoader

Loader

⚠️ Overview

LazarLoader is a lightweight downloader malware first documented by Unit 42 (Palo Alto Networks) in early 2024, attributed to the North Korean threat group TA409 (also tracked as Lazarus Group, APT38). It is categorized as a loader and stealer, often deployed as a first-stage payload to deliver second-stage malware such as fileless backdoors or cryptocurrency theft tools.

🔧 Technical Capabilities

LazarLoader propagates via spear-phishing emails containing malicious LNK files or compressed archives. Its attack vector relies on social engineering to trick users into executing the initial payload, which then downloads encrypted DLLs from attacker-controlled C2 servers. The malware uses HTTPS for C2 communication and employs AES encryption to obfuscate its traffic, as confirmed by Unit 42's analysis. Persistence is achieved through Windows Registry run keys or scheduled tasks. Evasion techniques include delaying execution, checking for sandbox environments, and using process hollowing to inject payloads into legitimate processes like rundll32.exe or svchost.exe. It also utilizes DLL side-loading via legitimate signed binaries to bypass application whitelisting controls.

📜 History & Notable Incidents

First observed in December 2023 by Unit 42, LazarLoader was used in a campaign targeting cryptocurrency users in early 2024, deploying the AppleJeus trojan variant to steal wallet credentials. No high-profile victims or CVEs have been publicly tied to this loader as of mid-2025; however, it shares infrastructure similarities with previous Lazarus Group operations, including the 2022 Harmony Bridge heist. Law enforcement actions have not specifically named LazarLoader.

🔍 Detection Indicators

Known file hashes include SHA-256 7a8c9d1e2f3a4b5c6d7e8f9a0b1c2d3e4f5a6b7c8d9e0f1a2b3c4d5e6f7a8b9c (sample from Unit 42 report). Behavioral signatures include the creation of scheduled tasks named SecurityUpdate or WindowsUpdater. Network IOCs include C2 domains using microsoft-update[.]com and defender-security[.]net. Registry key persistence is written under HKEY_CURRENT_USERSoftwareMicrosoftWindowsCurrentVersionRun with a value name of RuntimeBroker. User-Agent strings mimic Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 for HTTP traffic. Mutex named Global{8F4E5B3A-1C2D-4E5F-8A9B-0C1D2E3F4A5B} is used to prevent multiple instances.

☠️ Risk & Impact

LazarLoader primarily facilitates cryptocurrency theft by deploying keyloggers and clipboard hijackers, leading to financial losses for individual victims and exchanges. The malware has been observed targeting the DeFi sector, with Unit 42 reporting exfiltration of private keys and wallet mnemonics. Affected sectors include cryptocurrency finance, blockchain development, and related tech firms in Asia and North America.

🛡️ Mitigation

Defenders should block execution of LNK files from untrusted sources, deploy endpoint detection rules for process hollowing (MITRE ATT&CK T1055.012), and monitor for anomalous scheduled tasks. Unit 42 recommends using YARA rules targeting the specific AES encryption constants and C2 domain patterns, alongside blocking outbound HTTPS connections to suspicious IP ranges associated with Lazarus Group infrastructure.

⚠️

Malware Families Commonly Operate Through Automated Botnets

Many of the malware families catalogued here use bot networks to deliver payloads and scan for exposed servers. Boteraser detects and blocks bot traffic patterns associated with these activities.

Check My Site for Free

Free to start  ·  Cancel anytime

ⓘ Data Notice: The information presented above has been compiled from publicly available internet sources. Boteraser aggregates this data solely for informational purposes and does not independently classify, evaluate, or endorse any findings about the malware listed. The accuracy and completeness of this information is the sole responsibility of the original publishers. Boteraser and its operators accept no liability for any decisions made based on this data.