Security Experts:

Connect with us

Hi, what are you looking for?


Malware & Threats

U.S. Cyber Command Adds North Korean Malware Samples to VirusTotal

The U.S. Cyber Command (USCYBERCOM) this week released 11 malware samples to VirusTotal, all of which appear related to the notorious North Korean-linked threat group Lazarus. 

The U.S. Cyber Command (USCYBERCOM) this week released 11 malware samples to VirusTotal, all of which appear related to the notorious North Korean-linked threat group Lazarus. 

The malware is being shared with the infosec community as part of a project run by USCYBERCOM’s Cyber National Mission Force (CNMF), which kicked off in November 2018 with the sharing of two files linked to a Russian-state actor. 

The effort is aimed at sharing unclassified malware samples that CNMF believes have great impact on improving global cybersecurity and has already included the release of files linked to Iranian actors

All of the 11 samples USCYBERCOM has now shared on the popular malware scanning engine target Windows systems, and the majority of them target 32-bit systems. 

The samples are not new – 10 of them feature creation dates of 2017, while the 11th was created in February 2018 – and most have high detection rates on VirusTotal. 

They seem linked to the “Hidden Cobra” cluster of activity, which is better known in the infosec community as the Lazarus Group

Only one file, named netbtugc.exe, is detected by fewer than 20 anti-malware engines in VirusTotal. It too, however, contains resources in Korean and contacts an IP address already linked to other Lazarus malware samples. 

Data from the THOR APT Scanner suggests the remaining samples are variants of the HOPLIGHT Trojan that the Department of Homeland Security (DHS) and Federal Bureau of Investigation (FBI) attributed to Hidden Cobra in April this year. 

The malware is focused on collecting information from the infected systems, but can also perform various operations on the system, based on instructions received from its command and control (C&C) server. 

Most of the files also seem related to Operation GhostSecret, an information-stealing campaign that McAfee attributed to Lazarus in April 2018. 

Related: U.S. Attributes New Trojan to North Korean Hackers

Related: U.S. Cyber Command Warns of Outlook Flaw Exploited by Iranian Hackers

Written By

Ionut Arghire is an international correspondent for SecurityWeek.

Click to comment

Expert Insights

Related Content


Websites of German airports, administration bodies and banks were hit by DDoS attacks attributed to Russian hacker group Killnet


The North Korean APT tracked as TA444 is either moonlighting from its previous primary purpose, expanding its attack repertoire, or is being impersonated by...

Malware & Threats

Microsoft plans to improve the protection of Office users by blocking XLL add-ins from the internet.


FBI says a North Korea-linked threat group known as Lazarus and APT38 is behind the $100 million Horizon bridge cryptocurrency heist.


CISA, NSA, and MS-ISAC issued an alert on the malicious use of RMM software to steal money from bank accounts.


Chinese threat actor DragonSpark has been using the SparkRAT open source backdoor in attacks targeting East Asian organizations.


A recently disclosed vBulletin vulnerability, which had a zero-day status for roughly two days last week, was exploited in a hacker attack targeting the...


Russia-linked cyberespionage group APT29 has been observed using embassy-themed lures and the GraphicalNeutrino malware in recent attacks.