Lilacsquid

Threat Actor Profile Updated 21 hours ago
LilacSquid is a threat actor that has been actively targeting organizations in the U.S., Europe, and Asia since at least 2021. The group uses a range of tactics, techniques, and procedures (TTPs) in its operations, including Secure Socket Funneling (SSF) to establish tunnels to remote servers. It also employs InkLoader, a .NET-based loader that reads from a hardcoded file path on disk and decrypts the contents, further compromising the targeted system.

A notable observation about LilacSquid's activity is the overlap between its tactics and those of Andariel, a North Korean threat actor that operates as a sub-cluster within the Lazarus Group. This similarity suggests possible connections or shared methodologies between the groups, raising concerns about the potential scale and coordination of their operations. The resemblance of LilacSquid's TTPs to those of North Korean Advanced Persistent Threat (APT) groups more broadly further supports this theory.

Once a system is compromised, LilacSquid launches multiple open-source tools. One such tool is MeshAgent, an open-source remote management tool, which the group uses to connect to an attacker-controlled command-and-control server and conduct reconnaissance. This multifaceted approach demonstrates LilacSquid's capabilities and poses a significant threat to organizations across multiple continents.
Possible Aliases / Cluster overlaps
Cluster overlaps and naming conventions are hard to track across vendors, so the following are possible overlapping names and profiles that may also be relevant.
ID | Votes | Profile Description
Andariel | 1 | Andariel, a notorious threat actor associated with the Lazarus Group and linked to North Korea, is known for its malicious cyber activities. The group has been identified using DTrack malware and Maui ransomware, notably in mid-2022, and has developed a reputation for exploiting ActiveX objects. Res
Lazarus Group | 1 | The Lazarus Group, a threat actor attributed to North Korea, is renowned for its notorious cyber-exploitation activities. The group has been linked to various high-profile cyber-attacks, including the largest decentralized finance exploit in history, the Ronin exploit of March 2022. This attack led
Miscellaneous Associations
Other elements of context that could aid in the identification of relevance
Apt
Loader
Reconnaissance
Associated Malware
No associations to display
Associated Threat Actors
No associations to display
Associated Vulnerabilities
No associations to display
Source Document References
Information about the LilacSquid threat actor was read from the document corpus below.
Source | Created At | Title
Securityaffairs | a day ago | Security Affairs Malware Newsletter - Round 2
Securityaffairs | 8 days ago | Security Affairs Malware Newsletter - Round 1
Securityaffairs | 15 days ago | Security Affairs newsletter Round 478 by Pierluigi Paganini – INTERNATIONAL EDITION
DARKReading | a month ago | LilacSquid APT Employs Open Source Tools, QuasarRAT