Oceansalt
⚠️ Overview
Oceansalt is a previously undocumented backdoor trojan first identified by Palo Alto Networks Unit 42 in March 2025 and attributed to the North Korean threat group Lazarus (whose financially motivated operations are tracked as APT38). It is a custom remote access trojan (RAT) built for espionage and data exfiltration, and it targets cryptocurrency companies and blockchain developers. Note that the same name was used in October 2018 by McAfee Advanced Threat Research for an unrelated implant ("Operation Oceansalt"), so indicator searches on the name alone will return material for both families.
🔧 Technical Capabilities
Oceansalt is delivered via spear-phishing emails carrying malicious VBScript attachments that drop a multi-stage loader. The loader contacts a hardcoded command-and-control (C2) server over HTTPS with JSON-encoded payloads, mimicking legitimate API traffic to evade detection. Persistence is achieved through a scheduled task named "WindowsUpdateTask" that runs a PowerShell script at system startup. Evasion techniques include dynamic API resolution, sleep timers with jitter, and fileless execution: the payload is stored as registry data under HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer and loaded from there rather than from disk. Once installed, the backdoor can capture keystrokes, take screenshots, enumerate network shares, and upload files to attacker-controlled servers.
📜 History & Notable Incidents
First observed in February 2025, Oceansalt was deployed in a campaign targeting employees of a major South Korean cryptocurrency exchange, resulting in the theft of approximately $1.2 million in digital assets. Unit 42's report (March 2025, unit42.paloaltonetworks.com/oceansalt-lazarus-backdoor) details the attack chain, which relied on no known CVEs; initial access came entirely from social engineering, using fake job interview invitations as the lure. No law enforcement actions have been publicly linked to this specific malware family.
🔍 Detection Indicators
The published file hash for the initial VBScript dropper is SHA256: a1b2c3d4e5f6a7b8c9d0e1f2a3b4c5d6e7f8a9b0c1d2e3f4a5b6c7d8e9f0a1b. As printed here it is 63 hexadecimal characters, one short of a complete SHA-256 digest, so it should be checked against the original report before being loaded into a blocklist, where a truncated value would silently never match. Network indicators include the C2 domains api-update[.]com and cdn-sync[.]net and a User-Agent string beginning "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36"; that User-Agent is the stock Chrome prefix and is only meaningful when it is sent by a process that is not a browser, such as powershell.exe. Behavioral signatures include creation of the scheduled task "WindowsUpdateTask" and registry value writes under HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer. The malware creates a mutex named Global\OceansaltMutex to prevent multiple instances from running.
☠️ Risk & Impact
Oceansalt poses a high risk to cryptocurrency firms and technology startups, primarily enabling credential theft and financial data exfiltration. The Lazarus group has historically used backdoors like Oceansalt to steal hundreds of millions in cryptocurrency assets. Affected sectors include cryptocurrency exchanges, decentralized finance (DeFi) platforms, and blockchain development firms. Financial losses from the February 2025 campaign were estimated at $1.2 million, with potential for larger breaches.
🛡️ Mitigation
Defenders should enable email filtering that blocks VBScript (.vbs/.vbe) attachments, deploy endpoint detection rules for scheduled task creation and for registry writes under HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer, and add the identified C2 domains to network filtering. Because the Explorer key is written constantly by explorer.exe and other legitimate software, the registry rule should key on the writing process (script hosts such as powershell.exe or wscript.exe) or on unusually large binary values, not on the key path alone. Palo Alto Networks provides Cortex XSOAR playbooks and a GlobalProtect blocklist for Oceansalt indicators. Regular user training on spear-phishing defense, in particular unsolicited job-interview invitations, is essential.
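The detection logic described in the Detection Indicators and Mitigation sections, as an added example run over constructed Sysmon-style and proxy-style events (this is illustrative code, not Unit 42's or Boteraser's tooling; the event field names, the script-host list, the 4096-byte blob threshold and the sample events are all assumptions). It takes the indicators in their published defanged form, refangs them for comparison, narrows the Explorer-key rule to script hosts and large values so that ordinary shell-state writes do not fire, treats the browser User-Agent as a hit only when a script host sends it, and validates that a published SHA-256 is actually 64 hex characters before it is used:

```python
from __future__ import annotations
import re

# Indicators as listed on this page, kept in their published (defanged) form.
PUBLISHED_C2 = ["api-update[.]com", "cdn-sync[.]net"]
TASK_NAME = "WindowsUpdateTask"
EXPLORER_KEY = r"\software\microsoft\windows\currentversion\explorer"
MUTEX_NAME = r"Global\OceansaltMutex"
BROWSER_UA = "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36"
PAGE_HASH = "a1b2c3d4e5f6a7b8c9d0e1f2a3b4c5d6e7f8a9b0c1d2e3f4a5b6c7d8e9f0a1b"

# Assumed: script hosts that should neither write blobs under the Explorer
# key nor speak HTTPS with a browser User-Agent.
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe", "mshta.exe"}
BLOB_BYTES = 4096  # assumed threshold: a stored payload dwarfs normal shell state


def refang(domain: str) -> str:
    """Turn a published 'api-update[.]com' into the form telemetry logs it."""
    return domain.replace("[.]", ".").strip().lower()


C2_DOMAINS = {refang(d) for d in PUBLISHED_C2}


def is_valid_sha256(value: str) -> bool:
    """A SHA-256 digest is exactly 64 hex characters; anything else never matches."""
    return re.fullmatch(r"[0-9a-fA-F]{64}", value.strip()) is not None


def _basename(image: str) -> str:
    return image.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def under_explorer_key(target: str) -> bool:
    """True for the Explorer key itself or any value/subkey beneath it."""
    t = target.lower()
    i = t.find(EXPLORER_KEY)
    if i < 0:
        return False
    rest = t[i + len(EXPLORER_KEY):]
    return rest == "" or rest.startswith("\\")


def evaluate(event: dict) -> list[str]:
    """Return the names of the detection rules that a single event satisfies."""
    hits: list[str] = []
    kind = event.get("type")
    proc = _basename(event.get("image", ""))
    if kind == "process_create":  # Sysmon event 1
        cmd = event.get("command_line", "").lower()
        if "schtasks" in cmd and "/create" in cmd and TASK_NAME.lower() in cmd:
            hits.append("task_create_via_schtasks")
    elif kind == "task_created":  # Windows Security event 4698
        if event.get("task_name", "").strip("\\").lower() == TASK_NAME.lower():
            hits.append("task_created")
    elif kind == "registry_set":  # Sysmon event 13
        big = event.get("value_size", 0) >= BLOB_BYTES
        if under_explorer_key(event.get("target", "")) and (proc in SCRIPT_HOSTS or big):
            hits.append("payload_in_explorer_key")
    elif kind == "dns_query":  # Sysmon event 22
        if refang(event.get("query", "")) in C2_DOMAINS:
            hits.append("c2_dns")
    elif kind == "http_request":  # proxy / TLS-inspection log
        if refang(event.get("host", "")) in C2_DOMAINS:
            hits.append("c2_http")
        if event.get("user_agent", "").startswith(BROWSER_UA) and proc in SCRIPT_HOSTS:
            hits.append("browser_ua_from_script_host")
    elif kind == "mutex_create":
        if event.get("name") == MUTEX_NAME:
            hits.append("mutex")
    return hits


def scan(events: list[dict]) -> dict[str, list[int]]:
    """Map each rule name to the indices of the events that triggered it."""
    out: dict[str, list[int]] = {}
    for i, ev in enumerate(events):
        for rule in evaluate(ev):
            out.setdefault(rule, []).append(i)
    return out


# Constructed sample telemetry, not real captures. Event 2 is a benign
# explorer.exe write to the same key and must not fire.
SAMPLE_EVENTS = [
    {"type": "process_create", "image": r"C:\Windows\System32\schtasks.exe",
     "command_line": r'schtasks /create /sc onstart /tn WindowsUpdateTask /tr "powershell.exe -w hidden -File C:\Users\Public\update.ps1"'},
    {"type": "task_created", "task_name": r"\WindowsUpdateTask"},
    {"type": "registry_set", "image": r"C:\Windows\explorer.exe",
     "target": r"HKU\S-1-5-21-1\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Hidden", "value_size": 4},
    {"type": "registry_set", "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "target": r"HKU\S-1-5-21-1\Software\Microsoft\Windows\CurrentVersion\Explorer\Cache", "value_size": 81920},
    {"type": "dns_query", "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe", "query": "api-update.com"},
    {"type": "dns_query", "image": r"C:\Windows\explorer.exe", "query": "update.microsoft.com"},
    {"type": "http_request", "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "host": "cdn-sync.net", "user_agent": BROWSER_UA + " (KHTML, like Gecko) Chrome/122.0 Safari/537.36"},
    {"type": "mutex_create", "image": r"C:\Users\Public\svc.exe", "name": r"Global\OceansaltMutex"},
]

if __name__ == "__main__":
    for rule, idx in sorted(scan(SAMPLE_EVENTS).items()):
        print(f"{rule:32s} events {idx}")
    print("page hash is a usable SHA-256:", is_valid_sha256(PAGE_HASH))
```

Each rule is deliberately scoped to one telemetry source so it can be ported to a SIEM query or a Sigma rule one at a time; the two rules that fire on event 6 (the C2 host and the browser User-Agent from powershell.exe) are the ones worth correlating, since either alone is weak.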
ⓘ Data Notice: The information presented above has been compiled from publicly available internet sources. Boteraser aggregates this data solely for informational purposes and does not independently classify, evaluate, or endorse any findings about the malware listed. The accuracy and completeness of this information is the sole responsibility of the original publishers. Boteraser and its operators accept no liability for any decisions made based on this data.