BLINDINGCAN

Malware Profile Updated 3 months ago
BlindingCan, also known as AIRDRY or ZetaNile, is a multifaceted malware capable of extracting sensitive data from compromised hosts. The threat actor gained initial access to systems via spear-phishing attacks masquerading as recruiters for high-profile companies and deployed new malware dubbed "LightlessCan." This malicious software was used in several notable cyber-attacks, including the Amazon Dream Job campaign. BlindingCan can infect systems through suspicious downloads, emails, or websites and can disrupt operations, steal personal information, or hold data hostage. The most significant payload used in these campaigns was LightlessCan, a successor to the Lazarus group's flagship HTTP(S) Remote Access Trojan (RAT), BlindingCan. ESET analysts believe that LightlessCan is based on the BlindingCan source code: it largely preserves the order of the commands the two families share, although the commands are indexed differently. The same characteristic appears in other malware families used by Lazarus. Compared with BlindingCan, Lazarus increased the code sophistication of LightlessCan, making it much more malicious than its predecessor. A simplified version of BlindingCan, which ESET named miniBlindingCan, collects system information such as computer name, Windows version, and configuration data, and receives and executes commands from the command-and-control (C2) server. One of the most notable aspects of this RAT is that it mimics the functionality of a wide range of native Windows commands, which makes detecting and analyzing the attacker's activity more challenging. This shows that the threat actor continually advances its tactics and tooling, underlining the growing sophistication of, and the risk posed by, these malware families.
Possible Aliases / Cluster overlaps
It's hard to track cluster overlaps and naming conventions between vendors, so here are some possible overlapping names / profiles you also may want to look at.
ID        Votes  Profile Description
Zetanile  1      None
Airdry    1      None
Miscellaneous Associations
Other elements of context that could aid in the identification of relevance
Malware
Backdoor
RAT
Trojan
Payload
ESET
Windows
Phishing
Downloader
Implant
APT
Facebook
Malware Loader
Associated Malware
ID            Type         Votes  Profile Description
Lightlesscan  Unspecified  4      LightlessCan is a new and advanced malware, discovered by ESET, that has been added to North Korea's Lazarus group's arsenal. The malware is a successor to the group's flagship HTTP(S) Lazarus Remote Access Trojan (RAT) named BlindingCan. LightlessCan represents a significant advancement in maliciou
Associated Threat Actors
ID             Type         Votes  Profile Description
HIDDEN COBRA   Unspecified  1      Hidden Cobra, also known as the Lazarus Group and Sapphire Sleet, is a North Korean cyberespionage group that has been active since at least 2009. The U.S. Government uses the term Hidden Cobra to refer to malicious cyber activities by the North Korean government, with the BeagleBoyz representing a
Lazarus Group  Unspecified  1      The Lazarus Group, a notorious threat actor believed to be linked to North Korea, has been attributed with a series of significant cyber-attacks over the past few years. The group's malicious activities include the exploitation of digital infrastructure, stealing cryptocurrency, and executing large-
Associated Vulnerabilities
ID  Type  Votes  Profile Description
No associations to display
Source Document References
Information about the BLINDINGCAN malware was read from the document corpus below. This display is limited to 20 results.
Source            Created at     Title
CERT-EU           5 months ago   New Malicious PyPI Packages used by Lazarus - JPCERT/CC Eyes
CERT-EU           10 months ago  Security Breach: Hacker Poses as Meta Recruiter, Targets Aerospace Company
CERT-EU           10 months ago  Cyber Security Week in Review: October 6, 2023
CERT-EU           10 months ago  North Korea's Lazarus Group upgrades its main malware
DARKReading       10 months ago  North Korea Poses as Meta to Deploy Complex Backdoor at Aerospace Org
CERT-EU           10 months ago  LinkedIn Messaging used by APT to phish aerospace target and plant novel malware
Securityaffairs   10 months ago  North Korean Lazarus targeted a Spanish aerospace company
BankInfoSecurity  10 months ago  Hackers Impersonate Meta Recruiter to Target Aerospace Firm
CERT-EU           10 months ago  Lazarus APT Exploiting LinkedIn to Target Spanish Aerospace Firm
CERT-EU           10 months ago  Lazarus luring employees with trojanized coding challenges: The case of a Spanish aerospace company
CERT-EU           10 months ago  Lazarus hackers breach aerospace firm with new LightlessCan malware
CERT-EU           10 months ago  Lazarus Group Impersonates Recruiter from Meta to Target Spanish Aerospace Firm
CERT-EU           10 months ago  Lazarus luring employees with trojanized coding challenges: The case of a Spanish aerospace company
CERT-EU           a year ago     IT threat evolution in Q2 2023 – GIXtools
CERT-EU           a year ago     IT threat evolution Q2 2023
CERT-EU           a year ago     The Qbot malware continues its climb in Italy, while a new version of Guloader enters the Top 10 | Il corriere della sicurezza
MITRE             a year ago     MAR-10295134-1.v1 – North Korean Remote Access Trojan: BLINDINGCAN | CISA
MITRE             a year ago     BLINDINGCAN Remote Access Trojan - NHS Digital
Securelist        a year ago     Following the Lazarus group by tracking DeathNote campaign
CERT-EU           a year ago     FBI, GCHQ Unite To Foil Russian Malware Hacking Tool