top of page
  • Clipeus

Lazarus Group New TTPs

SentinelOne reports that DPRK-linked Lazarus Group has been integrating components from the RustBucket and KandyKorn campaigns. The loader historically observed in the RustBucket campaign has been employed in conjunction with the KandyKorn Remote Access Trojan (RAT).

The RustBucket campaign utilized a second-stage malware, named "SwiftLoader," which disguised itself as a PDF Viewer, enticing victims to view a document. The latter was weaponized with SwiftLoader, which, in turn, retrieved and executed a Rust-written stager.

The KandyKorn campaign used malicious Python scripts that dropped malware, subsequently hijacking the Discord app installed on the compromised host and delivering malware—dubbed KandyKorn—written in C++. SwiftLoader now appears to be used to load the KandyKorn RAT, potentially as an evasion technique.


Commenting has been turned off.

If you are interested in specifics or additional insights on the threats above or any other threat, please visit our dedicated service page or reach out to with your inquiry. We would be glad to assist you

bottom of page