top of page
  • Clipeus

Operation "Blacksmith:" Lazarus Actively Exploiting Log4j

Cisco Talos reports an active campaign, dubbed "Blacksmith," which has been attributed to the DPRK-nexus Lazarus. The actor has been exploiting the infamous CVE-2021-44228, more commonly referred to as "Log4j" or "Log4Shell," to deploy various strains of remote access trojans (RATs).

Available intelligence indicates that reconnaissance efforts have reportedly been carried out by a sub-unit of Lazarus known as "Andariel" or "Silent Chollima." This unit has historically been tasked with identifying targets that may be exploited in long-term espionage campaigns.

The exploitation involves the installation of the following RATs:

  • NineRAT, which leverages Telegram for command-and-control (C2).

  • DLRAT, a sophisticated backdoor with the capability to operate as a downloader, communicate with the C2, and perform expanded post-exploitation reconnaissance.

  • BottomLoader, a downloader that serves the purpose of downloading a post-exploitation tool - HazyLoad. The latter was observed in the DPRK-attributed exploitation of CVE-2023-42793, a remote-code execution vulnerability affecting multiple versions of JetBrains TeamCity server.

Mitigation strategies include patching CVE-2021-44228, which impacts Apache Log4j2 2.0-beta9 through 2.15.0 (excluding security releases 2.12.2, 2.12.3, and 2.3.1).

A cursory search for "log4j2" via open-source scanners reveals numerous instances matching these search parameters but provides no conclusive data regarding exploitability against such instances or the accuracy of such data.


Commenting has been turned off.

If you are interested in specifics or additional insights on the threats above or any other threat, please visit our dedicated service page or reach out to with your inquiry. We would be glad to assist you

bottom of page