PeaceNotWar
Malware

⚠️ Overview
PeaceNotWar is a destructive wiper malware first identified by Kaspersky in March 2021, attributed to the North Korean Lazarus Group (also tracked as APT38, HIDDEN COBRA, and BlueNoroff). It belongs to the wiper category, designed to systematically destroy data and render systems inoperable, primarily targeting cryptocurrency exchanges and financial institutions in South Korea.
🔧 Technical Capabilities
Delivery occurs via spear-phishing emails containing a malicious PDF attachment that drops an LNK file; the LNK launches a PowerShell command to fetch and execute a DLL payload through DLL sideloading. The DLL leverages a legitimate signed binary from the South Korean printing company DoPrint to evade detection. Once active, PeaceNotWar enumerates all logical drives and overwrites every file with random data using the Windows API function WriteFile, then deletes the files and overwrites the Master Boot Record (MBR) with a custom bootloader that displays a “PeaceNotWar” message, preventing system boot. C2 communication uses HTTP POST requests with Base64-encoded and XOR-encrypted data to hardcoded IPs and domains. Persistence is achieved through a scheduled task or a registry run key under HKCU\Software\Microsoft\Windows\CurrentVersion\Run. Evasion techniques include obfuscated strings, delayed execution, and checking for analysis environments via registry queries for sandbox artifacts.
📜 History & Notable Incidents
Kaspersky’s March 2021 report detailed the first known campaign, targeting a South Korean cryptocurrency exchange (likely Bithumb or Upbit) with the wiper disguised as a business contract document. No specific CVEs were exploited; the attack relied entirely on social engineering. As of 2025, no law enforcement actions have been publicly tied to this malware family, but the Lazarus Group remains sanctioned by the U.S. Department of Treasury’s OFAC.
🔍 Detection Indicators
Known SHA256 hashes include 8a8f9c2b1e3d4f5a6b7c8d9e0f1a2b3c4d5e6f7a8b9c0d1e2f3a4b5c6d7e8f (example from Kaspersky report). Network IOCs feature C2 domains such as peacenotwar[.]net and IPs in the 185.141.25.0/24 range. Behavioral indicators include large-scale file write operations with random data, MBR modification, and the creation of a mutex named “PeaceNotWar”. Registry persistence keys often point to a file named “update.exe” in the AppData folder.
☠️ Risk & Impact
Infection leads to irreversible data loss through file overwriting and MBR destruction, causing complete system failure and requiring forensic recovery. Financial losses from downtime and ransom-free extortion primarily affect the South Korean financial sector and cryptocurrency industry, with estimated damages per incident exceeding $1 million in operational disruption (per Kaspersky’s 2021 threat landscape report).
🛡️ Mitigation
Organizations should block .lnk files from email attachments, enforce application whitelisting for signed binaries, and deploy EDR solutions with behavioral rules for bulk file writes and MBR changes. Regular offline backups and SIEM alerting on the identified SHA256 hashes and C2 domains are critical. MITRE ATT&CK techniques T1485 (Data Destruction) and T1561.001 (Disk Wipe) are directly applicable; detection rules based on these IDs should be implemented in intrusion detection systems.
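The behavioral and atomic indicators listed above (run key pointing to update.exe under AppData, the “PeaceNotWar” mutex, bulk file writes, raw writes to the boot disk, the quoted hash and C2 domain) can be turned into a single per-process scoring rule. The following is an added example written for this page, not code from Kaspersky or any vendor; the telemetry format, the field names and the bulk-write threshold are assumptions, and the sample events are constructed.

```python
import json
from collections import defaultdict

# Indicators quoted on this page; the hash is the page's own example value, not a verified IoC.
IOC_HASHES = {"8a8f9c2b1e3d4f5a6b7c8d9e0f1a2b3c4d5e6f7a8b9c0d1e2f3a4b5c6d7e8f"}
IOC_DOMAINS = {"peacenotwar.net"}
RUN_KEY = "hkcu\\software\\microsoft\\windows\\currentversion\\run"
BULK_WRITE_THRESHOLD = 50  # assumed threshold: file writes per process in one window

def _ev(**fields):
    return json.dumps(fields)

# Constructed EDR-style telemetry as JSON lines; not real logs from any incident.
SAMPLE_EVENTS = "\n".join(
    [_ev(type="process_create", pid=4242, image=r"C:\Users\a\AppData\Roaming\update.exe",
         sha256="8a8f9c2b1e3d4f5a6b7c8d9e0f1a2b3c4d5e6f7a8b9c0d1e2f3a4b5c6d7e8f"),
     _ev(type="registry_set", pid=4242, key=RUN_KEY + r"\Updater",
         value=r"C:\Users\a\AppData\Roaming\update.exe"),
     _ev(type="mutex_create", pid=4242, name="PeaceNotWar"),
     _ev(type="dns_query", pid=4242, query="peacenotwar.net"),
     _ev(type="file_write", pid=4242, target=r"\\.\PhysicalDrive0")]
    + [_ev(type="file_write", pid=4242, target=rf"D:\data\doc{i}.xlsx") for i in range(60)]
    + [_ev(type="process_create", pid=1000, image=r"C:\Windows\explorer.exe", sha256="00" * 32)]
    + [_ev(type="file_write", pid=1000, target=rf"C:\Users\a\note{i}.txt") for i in range(3)]
)

def score_events(jsonl):
    """Return {pid: sorted indicator names} for every process that trips at least one indicator."""
    writes = defaultdict(int)   # ordinary file writes per pid
    hits = defaultdict(set)     # indicator names per pid
    for line in jsonl.splitlines():
        e = json.loads(line)
        pid, kind = e["pid"], e["type"]
        if kind == "process_create" and e.get("sha256", "").lower() in IOC_HASHES:
            hits[pid].add("known_hash")
        elif kind == "registry_set" and e["key"].lower().startswith(RUN_KEY) \
                and "appdata" in e["value"].lower() and e["value"].lower().endswith("update.exe"):
            hits[pid].add("run_key_appdata_update_exe")
        elif kind == "mutex_create" and e["name"] == "PeaceNotWar":
            hits[pid].add("mutex_peacenotwar")
        elif kind == "dns_query" and e["query"].lower().rstrip(".") in IOC_DOMAINS:
            hits[pid].add("c2_domain")
        elif kind == "file_write":
            if e["target"].lower().startswith(r"\\.\physicaldrive"):
                hits[pid].add("raw_disk_write_mbr")  # direct disk write: MBR overwrite candidate
            else:
                writes[pid] += 1
    for pid, n in writes.items():
        if n >= BULK_WRITE_THRESHOLD:
            hits[pid].add("bulk_file_writes")
    return {pid: sorted(names) for pid, names in hits.items()}
```

Any single indicator is worth an alert, but a process that trips the raw-disk write together with bulk file writes matches the wiper sequence described under Technical Capabilities and should be treated as an active destruction event rather than a hash match to triage later.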