ThreatNeedle
Malware
⚠️ Overview
ThreatNeedle is a remote access trojan (RAT) and backdoor attributed to the North Korean advanced persistent threat group Lazarus Group (tracked by the US government as HIDDEN COBRA). It belongs to the Manuscrypt malware family (also called NukeSped). Kaspersky first publicly documented it in February 2021, when Lazarus used it against defense-industry organisations delivered through COVID-19-themed spear-phishing emails carrying macro-enabled documents, and Kaspersky's April 2025 report on Operation SyncHole again found it deployed against South Korean organisations. The backdoor has also been linked to Lazarus campaigns against cryptocurrency companies and blockchain developers, including Operation DreamJob-style social engineering in which attackers pose as recruiters on LinkedIn and send malicious Visual Studio project files that carry the payload.
🔧 Technical Capabilities
ThreatNeedle executes in multiple stages, starting with a dropper that retrieves a DLL payload from a command-and-control (C2) server; a loader then decrypts and runs the backdoor. The backdoor uses HTTP/HTTPS for C2 communication, carrying encrypted JSON payloads so that its beacons blend with legitimate web traffic, which means detection depends on the destination and beacon pattern rather than on request headers. It establishes persistence via a scheduled task or a registry Run key, and can perform file upload/download, process execution, keylogging, and screen capture. Evasion techniques include anti-debugging checks (e.g., IsDebuggerPresent), delay loops that outlast sandbox analysis windows, and the abuse of legitimate cloud services such as Dropbox and Google Drive for hosting C2 infrastructure. That last technique is MITRE ATT&CK T1102 (Web Service), not living-off-the-land, which refers to abusing tools already present on the host. Other ATT&CK techniques employed include T1059 (Command and Scripting Interpreter), T1055 (Process Injection), and T1573 (Encrypted Channel).
📜 History & Notable Incidents
Kaspersky first observed ThreatNeedle in 2018 in a Lazarus attack on a cryptocurrency business and documented it publicly in February 2021 after a 2020 campaign against defense-industry organisations, in which the group used the backdoor to reach a network segment that was supposed to be isolated by abusing a compromised router as a proxy. Kaspersky's April 2025 Operation SyncHole report, covering watering-hole attacks on South Korean organisations that exploited a flaw in the Cross EX security software, again listed ThreatNeedle among the deployed payloads. Recruiter-lure campaigns attributed to the same group (Operation DreamJob) have targeted companies involved in blockchain technology, decentralized finance (DeFi) protocols, and NFT platforms. No CVEs are associated with the malware itself: it depends on social engineering or on a separately exploited delivery vector rather than on a vulnerability of its own, and its delivery chains have been observed abusing legitimate cloud-storage services. Law enforcement actions have been limited to advisories from the US Cybersecurity and Infrastructure Security Agency (CISA) and international partners, who have published IOCs and detection rules for Lazarus tooling.
🔍 Detection Indicators
Indicators of compromise published for the malware include file hashes, HTTP User-Agent strings, registry Run keys, scheduled-task names and mutexes, but two of the values reproduced here need care before they go into a detection rule. The hash given as a SHA256 (5f4dcc3b5aa765d61d8327deb882cf99) is 32 hex characters, the length of an MD5, not the 64 of a SHA-256; it is in fact the MD5 of the string "password", a well-known test value, so it will never match a ThreatNeedle sample and must be replaced from the original publisher's IOC list. The User-Agent prefix “Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36” is what every Chrome browser on Windows 10 and 11 sends, so it is corroborating evidence only and useless on its own. The remaining host indicators are a Run value under HKCU\Software\Microsoft\Windows\CurrentVersion\Run named “TrustedInstaller” (the real TrustedInstaller is a Windows service and never appears as a Run-key entry), a scheduled task named “OneDriveUpdaterTask”, and a mutex named “Global\ThNdlMutex”. The network indicator is connections to domains mimicking legitimate services, such as “dropbox.api-sync[.]com”.
☠️ Risk & Impact
ThreatNeedle poses a high risk to cryptocurrency and blockchain organizations, where the primary impact is exfiltration of private keys, wallet seed phrases, and intellectual property; in the defense-industry intrusions Kaspersky documented, the impact was long-term espionage, including data theft from network segments meant to be isolated. Financial losses from key theft can be catastrophic because a stolen wallet key cannot be revoked. The backdoor also serves as a staging point for additional Lazarus tooling; note, however, that VHD ransomware, which Kaspersky attributes to Lazarus, was delivered through the group's MATA framework rather than through ThreatNeedle. Sectors most impacted are financial technology, cryptocurrency exchanges, blockchain development firms, and the defense industry.
🛡️ Mitigation
Defenders should enforce application allowlisting to block unauthorized executables, enable multi-factor authentication on cloud services, and monitor for newly created scheduled tasks and Run-key values with unexpected names or with executables under user-writable paths such as %APPDATA%. Kaspersky's reporting provides YARA rules for the loader DLLs and network signatures for the C2 protocol; CISA and its partners have published HIDDEN COBRA advisories and malware analysis reports with IOCs and detection rules for Lazarus tooling. Validate every imported indicator (hash length, defanged domains, registry paths) before loading it into a SIEM, and pair low-fidelity indicators such as a generic User-Agent with a high-fidelity one such as a C2 domain so the rule does not fire on ordinary browsing. Regular staff training on social engineering tactics used in job recruitment scams is also critical.
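The following script is an added example, not code from Kaspersky, CISA or this page's publisher. It applies the Detection Indicators listed above to constructed host and network telemetry and performs the indicator validation the Mitigation section recommends: it rejects the 32-character "SHA256" as unusable, refangs the domain, treats the generic Chrome User-Agent as corroborating evidence only, and alerts on the Run value, scheduled task, mutex and C2 domain. The event schema (dicts with a `type` field) and the sample events are assumptions made for the example; the indicator values are the ones printed on this page.

```python
"""Validate ThreatNeedle IOCs from the page and apply them to sample telemetry.
Added example; the event format and SAMPLE_EVENTS are constructed, not real captures."""
import hashlib
import re

# Indicators as listed on this page. The "sha256" entry is kept on purpose so the
# validator can reject it: it is 32 hex characters (MD5 length), not 64.
PAGE_IOCS = {
    "sha256": ["5f4dcc3b5aa765d61d8327deb882cf99"],
    "domains": ["dropbox.api-sync[.]com"],
    "run_value_names": ["TrustedInstaller"],
    "task_names": ["OneDriveUpdaterTask"],
    "mutexes": ["Global\\ThNdlMutex"],
    # Generic Chrome-on-Windows prefix sent by every Chrome on Windows 10/11:
    # corroborating evidence only, never a standalone detection.
    "ua_prefix": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36",
}

RUN_KEY = r"hkcu\software\microsoft\windows\currentversion\run"


def validate_sha256(hashes):
    """Split candidate hashes into usable SHA-256 digests and rejected values."""
    good, bad = [], []
    for h in hashes:
        (good if re.fullmatch(r"[0-9a-f]{64}", h.lower()) else bad).append(h.lower())
    return good, bad


def refang(domain):
    """Turn a defanged indicator such as example[.]com into a matchable host name."""
    return domain.replace("[.]", ".").lower()


def triage(events, iocs):
    """Return one finding per event with severity 'alert', 'info' or 'none'."""
    sha = set(validate_sha256(iocs["sha256"])[0])      # empty: the page hash is rejected
    domains = {refang(d) for d in iocs["domains"]}
    findings = []
    for ev in events:
        sev, why = "none", ""
        kind = ev["type"]
        if kind == "registry":
            if ev["path"].lower() == RUN_KEY and ev["name"] in iocs["run_value_names"]:
                sev, why = "alert", f"Run value {ev['name']!r} -> {ev['data']}"
        elif kind == "task":
            if ev["name"] in iocs["task_names"]:
                sev, why = "alert", f"scheduled task {ev['name']!r}"
        elif kind == "mutex":
            if ev["name"] in iocs["mutexes"]:
                sev, why = "alert", f"mutex {ev['name']!r}"
        elif kind == "file":
            if ev["sha256"].lower() in sha:
                sev, why = "alert", f"known sample {ev['sha256'][:12]}"
        elif kind == "http":
            host_hit = ev["host"].lower() in domains
            ua_hit = ev["ua"].startswith(iocs["ua_prefix"])
            if host_hit:                                 # high-fidelity indicator
                sev, why = "alert", f"C2 domain {ev['host']}" + (" with matching UA" if ua_hit else "")
            elif ua_hit:                                 # low-fidelity indicator alone
                sev, why = "info", "generic Chrome UA only; no C2 domain"
        findings.append({"event": ev, "severity": sev, "reason": why})
    return findings


# Constructed sample telemetry: one true hit per indicator class plus two benign
# look-alikes (ordinary Dropbox browsing, an unrelated file) that must not alert.
CHROME_UA = ("Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 "
             "(KHTML, like Gecko) Chrome/124.0.0.0 Safari/537.36")
SAMPLE_EVENTS = [
    {"type": "registry", "path": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run",
     "name": "TrustedInstaller", "data": r"C:\Users\dev\AppData\Roaming\svchost.exe"},
    {"type": "task", "name": "OneDriveUpdaterTask"},
    {"type": "mutex", "name": "Global\\ThNdlMutex"},
    {"type": "http", "host": "dropbox.api-sync.com", "ua": CHROME_UA},
    {"type": "http", "host": "www.dropbox.com", "ua": CHROME_UA},
    {"type": "file", "sha256": hashlib.sha256(b"").hexdigest()},
]

if __name__ == "__main__":
    good, bad = validate_sha256(PAGE_IOCS["sha256"])
    print(f"usable SHA-256 hashes: {good}; rejected (wrong length): {bad}")
    for f in triage(SAMPLE_EVENTS, PAGE_IOCS):
        print(f"{f['severity']:5} {f['event']['type']:8} {f['reason']}")
```

Running it shows four alerts (Run value, task, mutex, C2 domain with matching UA), one informational finding for the Dropbox request that only matches the generic User-Agent, and no finding for the file, because the page's hash is rejected at load time rather than silently never matching.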
ⓘ Data Notice: The information presented above has been compiled from publicly available internet sources. Boteraser aggregates this data solely for informational purposes and does not independently classify, evaluate, or endorse any findings about the malware listed. The accuracy and completeness of this information is the sole responsibility of the original publishers. Boteraser and its operators accept no liability for any decisions made based on this data.