Hazyload

Vulnerability Profile Updated 3 months ago
HazyLoad is a software vulnerability exploited by the threat actor Andariel to establish a direct connection with infected systems, removing the need to keep exploiting the Log4j flaw. The custom-made implant acts as a proxy tool that lets the attackers maintain persistence once an intrusion has succeeded. Its use marks a shift in Andariel's attack methodology and shows the group's ability to adapt and leverage new vulnerabilities to extend its cyber-espionage capabilities. Microsoft detailed this vulnerability in October; it was subsequently used in May to target a European firm and a U.S. subsidiary of a South Korean physical security and surveillance company. Alongside HazyLoad, the attackers deployed two other malware families: DLRAT, a non-Telegram RAT, and BottomLoader, a downloader used to fetch additional payloads, including the HazyLoad proxy tool, onto infected systems. These multi-pronged attacks underscore the sophistication of the threat actors and the complexity of their operations, as well as the importance of robust cybersecurity measures and rapid response to newly discovered vulnerabilities. Companies must remain vigilant, ensuring that their systems are patched promptly and that their threat intelligence is kept up to date. The campaign also highlights the need for international cooperation in cybersecurity, since such attacks often transcend national borders and can affect firms worldwide.
Possible Aliases / Cluster overlaps
It's hard to track cluster overlaps and naming conventions between vendors, so here are some possible overlapping names / profiles you also may want to look at.
ID | Votes | Profile Description
CVE-2023-42793 | 1 | CVE-2023-42793 is a critical security vulnerability identified in JetBrains TeamCity build management and continuous integration server. This flaw, characterized by an authentication bypass, was exploited by multiple threat actors throughout 2023 and into 2024. The first notable exploitation occurre
Miscellaneous Associations
Other elements of context that could aid in the identification of relevance
Proxy
Vulnerability
Malware
Teamcity
Payload
Antivirus
Implant
Downloader
Rat
Telegram
Log4j
Operation Bl...
State Sponso...
Exploit
Associated Malware
ID | Type | Votes | Profile Description
NineRAT | Unspecified | 1 | NineRAT is a malware strain developed by the Lazarus group, and it was first used in Operation Blacksmith in March 2022 against a South American agricultural organization. The malware was initially built around May 2022 and was later observed being utilized in September against a European manufactur
Associated Threat Actors
ID | Type | Votes | Profile Description
Onyx Sleet | Unspecified | 1 | Onyx Sleet, a North Korean nation-state threat actor, has been identified as a significant cybersecurity risk by Microsoft. Operating under the Lazarus Group umbrella, Onyx Sleet primarily targets defense and IT services organizations in South Korea, the United States, and India. In October 2023, Mi
Andariel | Unspecified | 1 | Andariel, a notorious threat actor associated with the Lazarus Group and linked to North Korea, is known for its malicious cyber activities. The group has been identified using DTrack malware and Maui ransomware, notably in mid-2022, and has developed a reputation for exploiting ActiveX objects. Res
Associated Vulnerabilities
ID | Type | Votes | Profile Description
No associations to display
Source Document References
Information about the HazyLoad vulnerability was read from the document corpus below. This display is limited to 20 results.
Source | Created | Title
CERT-EU | 9 months ago | North Korean hackers are targeting software developers and impersonating IT workers - Help Net Security
BankInfoSecurity | 9 months ago | North Korean Hackers Exploiting Critical Flaw in DevOps Tool
InfoSecurity-magazine | 9 months ago | North Korean Attackers Exploiting Critical CI/CD Vulnerability
Securityaffairs | 9 months ago | North Korea-linked APT groups actively exploit JetBrains TeamCity flaw - Security Affairs
Securityaffairs | 7 months ago | Operation Blacksmith: Lazarus exploits Log4j flaws to deploy DLang malware
CERT-EU | 7 months ago | Lazarus Group bang on trend with memory-safe Dlang malware
CERT-EU | 7 months ago | Lazarus Group Exploits Log4j Flaw in New Malware Campaign
DARKReading | 7 months ago | Lazarus Group Is Still Juicing Log4Shell, Using RATs Written in 'D'
InfoSecurity-magazine | 7 months ago | Lazarus Group Targets Log4Shell Flaw Via Telegram Bots