BLINDINGCAN

Malware Profile Updated 13 days ago
BlindingCan, also tracked as AIRDRY and ZetaNile, is an HTTP(S) remote access trojan (RAT) attributed to North Korea's Lazarus group and used to collect and exfiltrate data from compromised Windows hosts. In the campaigns referenced on this page, initial access came through spear-phishing in which the operators posed as recruiters for well-known companies (in the documented case, a purported Meta recruiter contacting an employee of a Spanish aerospace firm over LinkedIn and sending trojanized coding challenges). BlindingCan has featured in several notable intrusions, including the Amazon Dream Job campaign, and its capabilities are oriented toward remote control and theft of data rather than destruction.

The most significant payload in the aerospace intrusion was LightlessCan, a successor to BlindingCan. ESET assesses that LightlessCan is built on the BlindingCan source code: the commands the two RATs share appear in the same order, but with different command indexes. That pattern of code reuse with re-indexed command tables recurs across other Lazarus tooling. Relative to BlindingCan, LightlessCan is considerably more sophisticated, not simply a renamed build.

A cut-down variant that ESET calls miniBlindingCan collects basic system information (computer name, Windows version, configuration data) and receives and executes commands from the command-and-control (C2) server.

The most notable property of LightlessCan is that it re-implements a wide range of native Windows commands inside the RAT itself. Instead of spawning cmd.exe or the discovery binaries an operator would normally run, the implant performs the equivalent work in-process, so endpoint telemetry keyed on process creation sees nothing, and reconstruction of the attacker's activity during analysis is harder. This is a concrete instance of Lazarus continuing to refine its tooling against common detection methods.
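To make the detection point above concrete, the following added example (written for this page; it is not ESET's, CISA's or any Lazarus tooling) runs a simple process-tree rule over constructed process-creation events. The host process name updhelper.exe, the PIDs, the allow-lists and the events themselves are assumptions made for the illustration. The "noisy" implant that shells out to ipconfig and systeminfo is caught; the implant that emulates those commands in-process produces no child processes and is invisible to the same rule.

```python
"""Process-tree detection of shelled-out discovery commands, and the gap left
by a RAT that emulates those commands internally.

Illustrative code added for this page. Events are constructed sample data in
a trimmed Sysmon event-ID-1 style, not real telemetry; "updhelper.exe" is a
hypothetical implant host process.
"""

# Built-in discovery tools an operator would normally run through a shell.
DISCOVERY_TOOLS = {"ipconfig.exe", "systeminfo.exe", "whoami.exe",
                   "net.exe", "tasklist.exe", "hostname.exe"}
SHELLS = {"cmd.exe", "powershell.exe"}
# Parents from which an interactive user legitimately opens a shell
# (assumed allow-list; tune to the environment).
INTERACTIVE_ROOTS = {"explorer.exe", "windowsterminal.exe"}

# Constructed sample events: pid, parent pid, image name.
SAMPLE_EVENTS = [
    {"pid": 100, "ppid": 4,   "image": "explorer.exe"},
    {"pid": 101, "ppid": 100, "image": "cmd.exe"},        # user opened a prompt
    {"pid": 102, "ppid": 101, "image": "ipconfig.exe"},   # benign, interactive
    {"pid": 300, "ppid": 1,   "image": "updhelper.exe"},  # hypothetical implant host
    {"pid": 301, "ppid": 300, "image": "cmd.exe"},        # implant shells out ("noisy" style)
    {"pid": 302, "ppid": 301, "image": "ipconfig.exe"},
    {"pid": 303, "ppid": 301, "image": "systeminfo.exe"},
    {"pid": 400, "ppid": 1,   "image": "updhelper.exe"},  # implant emulating commands in-process
]


def index_by_pid(events):
    """Map pid -> event so the process tree can be walked upwards."""
    return {e["pid"]: e for e in events}


def detect_shelled_discovery(events):
    """Flag discovery tools launched through a shell whose own parent is not an
    interactive launcher. Returns a list of (root_image, shell_pid, tool_image)."""
    by_pid = index_by_pid(events)
    hits = []
    for e in events:
        tool = e["image"].lower()
        if tool not in DISCOVERY_TOOLS:
            continue
        shell = by_pid.get(e["ppid"])
        if shell is None or shell["image"].lower() not in SHELLS:
            continue
        root = by_pid.get(shell["ppid"])
        root_image = root["image"].lower() if root else "<unknown>"
        if root_image in INTERACTIVE_ROOTS:
            continue  # a person at the keyboard opened the shell
        hits.append((root_image, shell["pid"], tool))
    return hits


def children_of(events, pid):
    """All events whose parent is `pid`; empty for an implant that never forks."""
    return [e for e in events if e["ppid"] == pid]


if __name__ == "__main__":
    for hit in detect_shelled_discovery(SAMPLE_EVENTS):
        print("shelled discovery:", hit)
    # The in-process variant (pid 400) leaves no child processes to match on.
    print("children of in-process implant (pid 400):", children_of(SAMPLE_EVENTS, 400))
```

The rule produces two hits for the implant at pid 300 and nothing at all for pid 400, even though both would be doing the same reconnaissance. Process-tree rules therefore need to be paired with telemetry the in-process variant still generates, such as the RAT's HTTP(S) C2 traffic and memory or API-level sensors on the host process.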
Miscellaneous Associations
Other elements of context that could aid in the identification of relevance
Malware, RAT, Backdoor, Downloader, Trojan, Payload, ESET, Phishing, Windows
Associated Malware
LightlessCan (type unspecified; 4 votes): LightlessCan is a new and advanced malware, discovered by ESET, that has been added to North Korea's Lazarus group's arsenal. The malware is a successor to the group's flagship HTTP(S) Lazarus Remote Access Trojan (RAT) named BlindingCan. LightlessCan represents a significant advancement in maliciou
Associated Threat Actors
No associations to display
Associated Vulnerabilities
No associations to display
Source Document References
Information about the BLINDINGCAN malware was read from the document corpus below (display limited to 20 results).
Source (created): Title
MITRE (a year ago): MAR-10295134-1.v1 – North Korean Remote Access Trojan: BLINDINGCAN | CISA
MITRE (a year ago): BLINDINGCAN Remote Access Trojan - NHS Digital
CERT-EU (8 months ago): Lazarus luring employees with trojanized coding challenges: The case of a Spanish aerospace company
CERT-EU (8 months ago): Lazarus APT Exploiting LinkedIn to Target Spanish Aerospace Firm
Securityaffairs (8 months ago): North Korean Lazarus targeted a Spanish aerospace company
CERT-EU (a year ago): FBI, GCHQ Unite To Foil Russian Malware Hacking Tool
Securelist (a year ago): Following the Lazarus group by tracking DeathNote campaign
BankInfoSecurity (8 months ago): Hackers Impersonate Meta Recruiter to Target Aerospace Firm
DARKReading (8 months ago): North Korea Poses as Meta to Deploy Complex Backdoor at Aerospace Org
CERT-EU (8 months ago): Lazarus Group Impersonates Recruiter from Meta to Target Spanish Aerospace Firm
CERT-EU (3 months ago): New Malicious PyPI Packages used by Lazarus - JPCERT/CC Eyes
CERT-EU (7 months ago): Security Breach: Hacker Poses as Meta Recruiter, Targets Aerospace Company
CERT-EU (7 months ago): North Korea's Lazarus Group upgrades its main malware
CERT-EU (9 months ago): IT threat evolution Q2 2023
CERT-EU (8 months ago): Lazarus hackers breach aerospace firm with new LightlessCan malware
CERT-EU (9 months ago): IT threat evolution in Q2 2023 – GIXtools
CERT-EU (7 months ago): Cyber Security Week in Review: October 6, 2023
CERT-EU (8 months ago): LinkedIn Messaging used by APT to phish aerospace target and plant novel malware
CERT-EU (a year ago): Qbot malware continues its climb in Italy, while a new version of Guloader enters the Top 10 | Il corriere della sicurezza