
Chollima Synthetic Interview Operation
Indicators of Compromise
No domains found for this campaign
APT Groups
Summary of Actor: Lazarus Group, also known as APT38, is a highly sophisticated, state-sponsored threat actor attributed to North Korea. The group is known for cyber espionage, financially motivated attacks, and disruptive cyber operations targeting industries worldwide. Active since at least 2009, Lazarus has been responsible for major financial heists, intellectual property theft, and destructive malware campaigns.
General Features:
Nation-State Backing: Strongly linked to the North Korean government, likely operating under the Reconnaissance General Bureau (RGB).
Advanced Tactics: Uses custom malware, zero-day exploits, supply chain attacks, and sophisticated social engineering techniques.
Diverse Targeting: Initially focused on government and military espionage; now predominantly targets financial institutions, cryptocurrency exchanges, blockchain-related firms, and high-value enterprises.
Evasion Capabilities: Employs multi-stage attacks, obfuscation techniques, and legitimate tools to evade detection and maintain persistence.
Related Groups: Reaper, Kimsuky (APT37), Andariel, BlueNoroff (APT38)
Indicators of Attack (IoA): Spear-Phishing & Social Engineering; Custom Malware & Exploits; Compromise of Supply Chains & Software Updates; Command-and-Control (C2) Infrastructure; Cryptocurrency Theft & Laundering
Recent Activities and Trends:
Latest Campaigns: ByBit Cryptocurrency Exchange Attack; Ransomware & Supply Chain Attacks; Advanced Blockchain Attacks
Emerging Trends: Increased Focus on Financial Cybercrime; Use of AI for Social Engineering & Phishing; Targeting of Cybersecurity & Threat Intelligence Firms
Campaign Guidance
Remediation, mitigation, notes, history and related intelligence
REMEDIATION
T1589-Gather Victim Identity Information
ID | Name | Analytic ID | Analytic Description
 | | | Monitor for suspicious network traffic that could be indicative of probing for user information, such as large or iterative quantities of authentication requests originating from a single source (especially if the source is known to be associated with an adversary or botnet). Analyzing web metadata may also reveal artifacts that can be attributed to potentially malicious activity, such as Referer or User-Agent HTTP/S header fields.
T1656-Impersonation
ID | Name | Analytic ID | Analytic Description
 | | | Monitor for anomalous email activity originating from Windows-hosted applications (e.g., Outlook) where the sending account name or display name does not match the underlying SMTP address. Detect abnormal volumes of outbound messages containing sensitive keywords (e.g., 'payment', 'wire transfer') or anomalous login locations for accounts associated with email sending activity.
 | | | Monitor mail server logs (Postfix, Sendmail, Exim) for anomalous From headers that do not match the authenticated SMTP identity. Detect abnormal relay attempts, spoofed envelope-from values, or large-scale outbound campaigns targeting internal users.
 | | | Monitor Mail.app activity or unified logs for anomalous SMTP usage, including mismatches between display name and authenticated Apple ID or Exchange credentials. Detect use of third-party mail utilities that attempt to send on behalf of corporate identities.
 | | | Monitor SaaS mail platforms (Google Workspace, M365, Okta-integrated apps) for SendAs/SendOnBehalfOf operations where the delegated permissions are unusual or newly granted. Detect impersonation attempts where adversaries configure rules to auto-forward or auto-reply with impersonated content.
 | | | Monitor Office Suite applications (Outlook, Word mail merge, Excel macros) for abnormal automated message sending, especially when macros or scripts trigger email delivery. Detect patterns of impersonation language (urgent, payment, executive request) combined with anomalous execution of Office macros.
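The Postfix row above relies on correlating the identity authenticated at the MTA with the From header of the same message. As an added example (not from this page), the Python below does that over constructed Postfix-style log lines, assuming a header_checks rule that logs a warning on From headers; the queue ID, sasl_username and the cleanup warning format are the assumed correlation keys.

```python
import re

# Constructed, Postfix-style log lines (not taken from the page or a real system).
# The smtpd line carries the SASL-authenticated user per queue ID; the cleanup
# line is what a header_checks "WARN" rule on the From: header produces.
SAMPLE_LOG = """\
Mar 03 09:12:01 mx1 postfix/smtpd[2211]: 7A1B2C3D4E: client=laptop.corp.example[10.1.2.3], sasl_method=LOGIN, sasl_username=alice@corp.example
Mar 03 09:12:02 mx1 postfix/cleanup[2215]: 7A1B2C3D4E: warning: header From: Alice Smith <alice@corp.example> from laptop.corp.example[10.1.2.3]; from=<alice@corp.example> to=<bob@corp.example> proto=ESMTP helo=<laptop>
Mar 03 09:14:10 mx1 postfix/smtpd[2211]: 9F8E7D6C5B: client=unknown[203.0.113.9], sasl_method=LOGIN, sasl_username=alice@corp.example
Mar 03 09:14:11 mx1 postfix/cleanup[2215]: 9F8E7D6C5B: warning: header From: "CFO Office" <cfo@corp.example> from unknown[203.0.113.9]; from=<alice@corp.example> to=<finance@corp.example> proto=ESMTP helo=<mail>
"""

SASL_RE = re.compile(r"postfix/smtpd\[\d+\]: (?P<qid>[0-9A-F]+): .*sasl_username=(?P<user>\S+)")
FROM_RE = re.compile(r"postfix/cleanup\[\d+\]: (?P<qid>[0-9A-F]+): warning: header From: (?P<hdr>.*?) from (?P<client>\S+);")
ADDR_RE = re.compile(r"<([^>]+)>|([^\s<>\"]+@[^\s<>\"]+)")


def header_address(hdr):
    """Extract the bare address from a From header value ('Name <a@b>' or 'a@b')."""
    m = ADDR_RE.search(hdr)
    return (m.group(1) or m.group(2)).lower() if m else None


def find_from_mismatches(log_text):
    """Return messages whose From header address differs from the SASL-authenticated user.

    The two log lines of one message are joined by Postfix queue ID.
    """
    auth_by_qid = {}
    findings = []
    for line in log_text.splitlines():
        m = SASL_RE.search(line)
        if m:
            auth_by_qid[m.group("qid")] = m.group("user").lower()
            continue
        m = FROM_RE.search(line)
        if not m:
            continue
        qid = m.group("qid")
        hdr_addr = header_address(m.group("hdr"))
        user = auth_by_qid.get(qid)
        if user and hdr_addr and hdr_addr != user:
            findings.append({"queue_id": qid, "sasl_username": user,
                             "header_from": hdr_addr, "client": m.group("client")})
    return findings
```

In the sample, the second message is flagged: alice@corp.example authenticated but the header claims cfo@corp.example from an unknown client.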
T1078-Valid Accounts
ID | Name | Analytic ID | Analytic Description
 | | | Detection of compromised or misused valid accounts via anomalous logon patterns, abnormal logon types, and inconsistent geographic or time-based activity across Windows endpoints.
 | | | Detection of valid account misuse through SSH logins, sudo/su abuse, and service account anomalies outside expected patterns.
 | | | Detection of interactive and remote logins by service accounts or users at unusual times, with unexpected child process activity.
 | | | Detection of valid account abuse in IdP logs via geographic anomalies, impossible travel, risky sign-ins, and multiple MFA attempts or failures.
 | | | Detection of containerized service accounts or compromised kubeconfigs being used for cluster access from unexpected nodes or IPs.
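To make the IdP row concrete, here is an added Python example (not from this page) that flags impossible travel and bursts of MFA failures over constructed sign-in events; the 900 km/h speed threshold, the three-failure burst threshold and the event layout are assumptions.

```python
import math
from datetime import datetime, timezone

# Constructed IdP sign-in events (not from the page). Coordinates would normally
# come from the IdP's own geo enrichment or a GeoIP lookup on the source IP.
SAMPLE_EVENTS = [
    {"user": "alice", "ts": "2025-03-03T08:00:00Z", "lat": 51.5074, "lon": -0.1278, "mfa": "success"},
    {"user": "alice", "ts": "2025-03-03T09:30:00Z", "lat": 37.5665, "lon": 126.9780, "mfa": "success"},
    {"user": "bob", "ts": "2025-03-03T08:10:00Z", "lat": 40.7128, "lon": -74.0060, "mfa": "success"},
    {"user": "bob", "ts": "2025-03-03T12:45:00Z", "lat": 39.9526, "lon": -75.1652, "mfa": "success"},
    {"user": "carol", "ts": "2025-03-03T10:00:00Z", "lat": 48.8566, "lon": 2.3522, "mfa": "failure"},
    {"user": "carol", "ts": "2025-03-03T10:01:00Z", "lat": 48.8566, "lon": 2.3522, "mfa": "failure"},
    {"user": "carol", "ts": "2025-03-03T10:02:00Z", "lat": 48.8566, "lon": 2.3522, "mfa": "failure"},
    {"user": "carol", "ts": "2025-03-03T10:03:00Z", "lat": 48.8566, "lon": 2.3522, "mfa": "success"},
]

MAX_SPEED_KMH = 900.0   # assumed threshold: roughly airliner cruising speed
MFA_FAIL_BURST = 3      # assumed threshold: consecutive failures before a success


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance between two points in kilometres."""
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dphi, dlmb = math.radians(lat2 - lat1), math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlmb / 2) ** 2
    return 2 * 6371.0 * math.asin(math.sqrt(a))


def parse_ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def find_account_anomalies(events):
    """Return (user, reason, value) tuples for impossible travel and MFA failure bursts."""
    by_user = {}
    for e in sorted(events, key=lambda e: (e["user"], e["ts"])):
        by_user.setdefault(e["user"], []).append(e)
    findings = []
    for user, evs in by_user.items():
        prev, fails = None, 0
        for e in evs:
            if e["mfa"] == "failure":
                fails += 1
                continue
            if fails >= MFA_FAIL_BURST:          # success right after a run of failures
                findings.append((user, "mfa_fail_burst", fails))
            fails = 0
            if prev is not None:                 # compare with the previous successful sign-in
                hours = (parse_ts(e["ts"]) - parse_ts(prev["ts"])).total_seconds() / 3600
                km = haversine_km(prev["lat"], prev["lon"], e["lat"], e["lon"])
                if hours > 0 and km / hours > MAX_SPEED_KMH:
                    findings.append((user, "impossible_travel", round(km / hours)))
            prev = e
    return findings
```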
T1090.001-Internal Proxy
ID | Name | Analytic ID | Analytic Description
 | | | Anomalous process (e.g., rundll32, svchost, cmd) initiates connections to internal peer hosts not seen in typical communication baselines, used to proxy or forward traffic internally, often over SMB, RPC, or high ports.
 | | | socat, ssh, iptables, or ncat invoked from user space or cron jobs to create port forwarding, reverse shells, or inter-host tunnels between compromised Linux systems. This behavior is typically paired with socket activity and high-entropy traffic.
 | | | Execution of AppleScript or Automator services launching ssh -L, socat, or launchctl items that dynamically reroute traffic from one Mac endpoint to another. LaunchAgents used to establish permanent internal tunnels.
 | | | ESXi shell execution of tools or scripts (nc, socat, perl) relaying network traffic to other internal hosts, especially when initiated by unauthorized users or VMs.
 | | | Configuration of internal NAT or proxy rules that redirect traffic between client segments internally (e.g., site-to-site port forwarding). Often used to relay internal beaconing or move traffic laterally through trust zones.
T1036-Masquerading
ID | Name | Analytic ID | Analytic Description
 | Behavioral Detection of Masquerading Across Platforms via Metadata and Execution Discrepancy | | Adversary renames LOLBINs or deploys binaries with spoofed file names, internal PE metadata, or misleading icons to appear legitimate. File creation is followed by execution or service registration inconsistent with known usage.
 | | | Adversary drops renamed binaries in uncommon directories (e.g., /tmp, /dev/shm) or uses special characters in names (e.g., trailing space, Unicode RLO). Execution or cron job registration follows shortly after the file drop.
 | | | Adversary creates disguised launch daemons or apps with misleading names and bundle metadata (e.g., Info.plist values inconsistent with binary path or icon). Launch is correlated with user logon or persistence setup.
 | | | Adversary uses renamed container images, injects files into containers with misleading names or metadata (e.g., renamed system binaries), and executes them during startup or scheduled jobs.
 | | | Adversary places scripts or binaries with misleading names in /etc/rc.local.d or /var/spool/cron, or registers services with legitimate-sounding names not present in default ESXi builds.
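As an added example (not from this page), the Python below checks file-creation records for the indicators named in the Linux row: trailing whitespace and Unicode bidi controls such as RLO in file names, executables dropped in /tmp or /dev/shm, and system-binary names outside the usual system directories. The directory lists, the short SYSTEM_BIN_NAMES set and the sample records are constructed assumptions.

```python
import os
import stat

# Constructed file-creation records as (path, st_mode); not from the page.
SAMPLE_FILES = [
    ("/usr/bin/ls", 0o100755),                      # legitimate location
    ("/tmp/ls", 0o100755),                          # system name in a scratch dir
    ("/dev/shm/.x/sshd", 0o100755),                 # hidden dir, system name
    ("/home/dev/report.pdf ", 0o100755),            # trailing space in name
    ("/home/dev/invoice\u202efdp.exe", 0o100755),   # RLO: renders as "invoiceexe.pdf"
    ("/home/dev/notes.txt", 0o100644),              # benign, non-executable
]

# Unicode bidirectional control characters that can visually reorder a name.
BIDI_CONTROLS = {"\u202a", "\u202b", "\u202c", "\u202d", "\u202e",
                 "\u2066", "\u2067", "\u2068", "\u2069"}
SUSPECT_DIRS = ("/tmp/", "/dev/shm/", "/var/tmp/")            # assumed list
SYSTEM_BIN_DIRS = ("/bin/", "/sbin/", "/usr/bin/", "/usr/sbin/", "/usr/local/bin/")
SYSTEM_BIN_NAMES = {"ls", "sshd", "cron", "systemd", "bash", "ps"}  # assumed; build from /usr/bin in practice


def masquerade_indicators(path, mode):
    """Return the list of masquerading indicators that apply to one file record."""
    name = os.path.basename(path)
    executable = stat.S_ISREG(mode) and bool(mode & 0o111)
    reasons = []
    if name != name.rstrip():
        reasons.append("trailing_whitespace")
    if any(ch in BIDI_CONTROLS for ch in name):
        reasons.append("bidi_control_in_name")
    if executable and path.startswith(SUSPECT_DIRS):
        reasons.append("executable_in_scratch_dir")
    if name in SYSTEM_BIN_NAMES and not path.startswith(SYSTEM_BIN_DIRS):
        reasons.append("system_binary_name_outside_system_dirs")
    return reasons


def scan(records):
    """Map each flagged path to its indicators; clean files are omitted."""
    flagged = {}
    for path, mode in records:
        reasons = masquerade_indicators(path, mode)
        if reasons:
            flagged[path] = reasons
    return flagged
```

Each flagged record should then be correlated with what the row describes next: execution or cron job registration shortly after the file drop.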