Connect with us

Hi, what are you looking for?


Malware & Threats

U.S. Cyber Command Adds North Korean Malware Samples to VirusTotal

The U.S. Cyber Command (USCYBERCOM) this week released 11 malware samples to VirusTotal, all of which appear related to the notorious North Korean-linked threat group Lazarus. 

The U.S. Cyber Command (USCYBERCOM) this week released 11 malware samples to VirusTotal, all of which appear related to the notorious North Korean-linked threat group Lazarus. 

The malware is being shared with the infosec community as part of a project run by USCYBERCOM’s Cyber National Mission Force (CNMF), which kicked off in November 2018 with the sharing of two files linked to a Russian-state actor. 

The effort is aimed at sharing unclassified malware samples that CNMF believes have great impact on improving global cybersecurity and has already included the release of files linked to Iranian actors

All of the 11 samples USCYBERCOM has now shared on the popular malware scanning engine target Windows systems, and the majority of them target 32-bit systems. 

The samples are not new – 10 of them feature creation dates of 2017, while the 11th was created in February 2018 – and most have high detection rates on VirusTotal. 

They seem linked to the “Hidden Cobra” cluster of activity, which is better known in the infosec community as the Lazarus Group

Only one file, named netbtugc.exe, is detected by fewer than 20 anti-malware engines in VirusTotal. It too, however, contains resources in Korean and contacts an IP address already linked to other Lazarus malware samples. 

Data from the THOR APT Scanner suggests the remaining samples are variants of the HOPLIGHT Trojan that the Department of Homeland Security (DHS) and Federal Bureau of Investigation (FBI) attributed to Hidden Cobra in April this year. 

Advertisement. Scroll to continue reading.

The malware is focused on collecting information from the infected systems, but can also perform various operations on the system, based on instructions received from its command and control (C&C) server. 

Most of the files also seem related to Operation GhostSecret, an information-stealing campaign that McAfee attributed to Lazarus in April 2018. 

Related: U.S. Attributes New Trojan to North Korean Hackers

Related: U.S. Cyber Command Warns of Outlook Flaw Exploited by Iranian Hackers

Written By

Ionut Arghire is an international correspondent for SecurityWeek.

Click to comment


Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Gain valuable insights from industry professionals who will help guide you through the intricacies of industrial cybersecurity.


Join us for an in depth exploration of the critical nature of software and vendor supply chain security issues with a focus on understanding how attacks against identity infrastructure come with major cascading effects.


Expert Insights

Related Content


The changing nature of what we still generally call ransomware will continue through 2023, driven by three primary conditions.


A recently disclosed vBulletin vulnerability, which had a zero-day status for roughly two days last week, was exploited in a hacker attack targeting the...

Malware & Threats

The NSA and FBI warn that a Chinese state-sponsored APT called BlackTech is hacking into network edge devices and using firmware implants to silently...

Application Security

Virtualization technology giant VMware on Tuesday shipped urgent updates to fix a trio of security problems in multiple software products, including a virtual machine...


Websites of German airports, administration bodies and banks were hit by DDoS attacks attributed to Russian hacker group Killnet

Application Security

Fortinet on Monday issued an emergency patch to cover a severe vulnerability in its FortiOS SSL-VPN product, warning that hackers have already exploited the...


Ask any three people to define cyberwar and you will get three different answers. But as global geopolitics worsen and aggressive cyberattacks increase, this...

Malware & Threats

Unpatched and unprotected VMware ESXi servers worldwide have been targeted in a ransomware attack exploiting a vulnerability patched in 2021.