Threat Intel researcher! Technical tweets only; not reflective of employer's views. No endorsement of political groups/entities.
Aug 25, 2021 • 4 tweets • 3 min read
Some updates on this suspected #Lazarus #APT: (thread, 1/4)
1) The remote template is VBA stomped, or at least it was able to hide itself from olevba and oledump
2) The remote template drops an obfuscated vbs file and registers it as a scheduled service
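As an added defender-side example (not part of the tweet thread and not code by its author): a small Python checker that flags, in constructed process-creation records, the chain the thread describes: an Office host spawning a script interpreter on a .vbs file in a user-writable path, followed by a scheduled task being created to run that script. The record format, field names, hostnames, file paths and task name are assumptions made for this example, not telemetry from the sample discussed.

```python
"""Flag Office-spawned script hosts and scheduled-task persistence in
process-creation records.

The key=value record format, the field names and every value in
SAMPLE_EVENTS are constructed for this example (hypothetical hosts,
paths and task names); they are not real telemetry.
"""
import re
from typing import Dict, Iterable, List

# Process names that commonly host macro-enabled documents.
OFFICE_HOSTS = {"winword.exe", "excel.exe", "powerpnt.exe"}
# Script interpreters a dropped .vbs would typically be launched with.
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "mshta.exe"}
# Path fragments that indicate a user-writable drop location.
USER_WRITABLE = ("\\appdata\\", "\\temp\\", "\\public\\")

# Constructed sample records: a benign document open, a script host
# spawned by Word, a scheduled task pointing at the dropped script, and
# an unrelated schtasks query that must not be flagged.
SAMPLE_EVENTS = [
    r'ts=2021-08-25T09:01:02Z host=ws01 parent=explorer.exe image=winword.exe cmdline="winword.exe C:\Users\alice\Downloads\invoice.docx"',
    r'ts=2021-08-25T09:01:09Z host=ws01 parent=winword.exe image=wscript.exe cmdline="wscript.exe C:\Users\alice\AppData\Local\Temp\upd.vbs"',
    r'ts=2021-08-25T09:01:11Z host=ws01 parent=wscript.exe image=schtasks.exe cmdline="schtasks.exe /create /tn Updater /tr wscript.exe C:\Users\alice\AppData\Roaming\upd.vbs /sc minute /mo 30"',
    r'ts=2021-08-25T09:05:00Z host=ws02 parent=explorer.exe image=schtasks.exe cmdline="schtasks.exe /query /tn Backup"',
]

# key=value pairs; a value is either a double-quoted string (may contain
# spaces) or a run of non-whitespace characters.
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_event(line: str) -> Dict[str, str]:
    """Split one record into a dict, stripping the quotes around values."""
    return {key: value.strip('"') for key, value in FIELD_RE.findall(line)}


def classify(event: Dict[str, str]) -> List[str]:
    """Return the names of every detection rule the record matches."""
    parent = event.get("parent", "").lower()
    image = event.get("image", "").lower()
    cmdline = event.get("cmdline", "").lower()
    hits: List[str] = []

    # Rule 1: an Office application directly launching a script host.
    if parent in OFFICE_HOSTS and image in SCRIPT_HOSTS:
        hits.append("office_spawned_script_host")

    # Rule 2: a script host executing something from a user-writable path.
    if image in SCRIPT_HOSTS and any(frag in cmdline for frag in USER_WRITABLE):
        hits.append("script_from_user_writable_path")

    # Rule 3: schtasks creating a task whose action is a script host or .vbs.
    if (
        image == "schtasks.exe"
        and "/create" in cmdline
        and (any(host in cmdline for host in SCRIPT_HOSTS) or ".vbs" in cmdline)
    ):
        hits.append("scheduled_task_running_script")

    return hits


def analyze(lines: Iterable[str]) -> List[Dict[str, object]]:
    """Run every record through classify() and collect the findings."""
    findings: List[Dict[str, object]] = []
    for line in lines:
        event = parse_event(line)
        rules = classify(event)
        if rules:
            findings.append(
                {
                    "host": event.get("host"),
                    "image": event.get("image"),
                    "cmdline": event.get("cmdline"),
                    "rules": rules,
                }
            )
    return findings


if __name__ == "__main__":
    for finding in analyze(SAMPLE_EVENTS):
        print(finding["host"], finding["image"], ", ".join(finding["rules"]))
        print("   ", finding["cmdline"])
```

Rule 1 alone already catches the Word-to-wscript launch; rules 2 and 3 are there so that the persistence step is still visible when the script is later re-run by the task scheduler rather than by Office, where the parent process no longer points back at the document.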