The U.S. Cyber Command (USCYBERCOM) this week released 11 malware samples to VirusTotal, all of which appear related to the notorious North Korean-linked threat group Lazarus.
The malware is being shared with the infosec community as part of a project run by USCYBERCOM’s Cyber National Mission Force (CNMF), which kicked off in November 2018 with the sharing of two files linked to a Russian-state actor.
The effort is aimed at sharing unclassified malware samples that CNMF believes have great impact on improving global cybersecurity and has already included the release of files linked to Iranian actors.
All of the 11 samples USCYBERCOM has now shared on the popular malware scanning engine target Windows systems, and the majority of them target 32-bit systems.
The samples are not new – 10 of them feature creation dates of 2017, while the 11th was created in February 2018 – and most have high detection rates on VirusTotal.
They seem linked to the “Hidden Cobra” cluster of activity, which is better known in the infosec community as the Lazarus Group.
Only one file, named netbtugc.exe, is detected by fewer than 20 anti-malware engines in VirusTotal. It too, however, contains resources in Korean and contacts an IP address already linked to other Lazarus malware samples.
Data from the THOR APT Scanner suggests the remaining samples are variants of the HOPLIGHT Trojan that the Department of Homeland Security (DHS) and Federal Bureau of Investigation (FBI) attributed to Hidden Cobra in April this year.
The malware is focused on collecting information from the infected systems, but can also perform various operations on the system, based on instructions received from its command and control (C&C) server.
Most of the files also seem related to Operation GhostSecret, an information-stealing campaign that McAfee attributed to Lazarus in April 2018.
Related: U.S. Attributes New Trojan to North Korean Hackers
Related: U.S. Cyber Command Warns of Outlook Flaw Exploited by Iranian Hackers

More from Ionut Arghire
- Google Shells Out $600,000 for OSS-Fuzz Project Integrations
- F5 BIG-IP Vulnerability Can Lead to DoS, Code Execution
- Flaw in Cisco Industrial Appliances Allows Malicious Code to Persist Across Reboots
- HeadCrab Botnet Ensnares 1,200 Redis Servers for Cryptomining
- Malicious NPM, PyPI Packages Stealing User Information
- Boxx Insurance Raises $14.4 Million in Series B Funding
- Prilex PoS Malware Blocks NFC Transactions to Steal Credit Card Data
- 30k Internet-Exposed QNAP NAS Devices Affected by Recent Vulnerability
Latest News
- Google Shells Out $600,000 for OSS-Fuzz Project Integrations
- F5 BIG-IP Vulnerability Can Lead to DoS, Code Execution
- Flaw in Cisco Industrial Appliances Allows Malicious Code to Persist Across Reboots
- UK Car Retailer Arnold Clark Hit by Ransomware
- Dealing With the Carcinization of Security
- HeadCrab Botnet Ensnares 1,200 Redis Servers for Cryptomining
- Cyber Insights 2023 | Supply Chain Security
- Cyber Insights 2023 | Regulations
