"Possible New Lazarus Group Backdoor Found"

Researchers discovered a new payload delivered by the Wslink malware downloader and believe it is part of the toolset maintained and deployed by the Lazarus Group, which is associated with North Korea. ESET researchers found the Wslink loader in 2021. It has a few unique features, the most notable of which is its ability to run as a server rather than a client. Like other loaders, Wslink allows the actors who deploy it to download and install additional malware or tools onto a compromised machine. When ESET examined the loader, the researchers were unable to find the payload that Wslink delivered, but they recently discovered one, which they dubbed WinorDLL64. The payload was found on a small number of victim machines in locations previously targeted by the Lazarus Group, including Europe and North America. There are also some code commonalities between WinorDLL64 and other samples used by the Lazarus Group, such as Bankshot and GhostSecret. The ESET researchers identified several behavioral parallels with known Lazarus Group tools, but they were not certain that WinorDLL64 was used by the group. This article continues to discuss the new payload delivered by the Wslink malware downloader, possibly part of the cache of tools maintained and deployed by the Lazarus Group.

Decipher reports "Possible New Lazarus Group Backdoor Found"