CyberSecurityBoard
Sponsor Register Login

Lazarus Hackers Exploiting IIS Servers to Deploy ASP-based Web Shells

Unlike previous iterations that used the password “1234qwer,” the latest variant employs “2345rdx” as its authentication mechanism, indicating an evolution in their operational security measures. The continued evolution of Lazarus techniques underscores the importance of proactive security measures against this persistent advanced threat actor targeting critical infrastructure worldwide. These web shells utilize sophisticated obfuscation techniques, remaining encoded in VBE format even after initial decoding, making detection and analysis challenging for security teams. Commands include “MidRequest” for redirecting data, “ProxyCheck” for saving Mid Info, “ReadFile” and “WriteFile” for file operations, “ClientHello” for responding with Mid Info, and others that facilitate the attackers’ control over the compromised system. Further security is implemented through random strings such as “xdmCz1eQ:?EkQ0d%c%r%jgY!fjabTTA0” and “#N@BGjn8g5!yCJAfiEFzq04Cqr%dFvcX” for the respective web shells. The threat actors have been breaching IIS servers to deploy ASP-based web shells, which are subsequently used as first-stage Command and Control (C2) servers that proxy communications to second-stage C2 infrastructure. Security researchers advise administrators to thoroughly inspect their web servers for vulnerabilities that could enable file uploads, particularly focusing on ASP-based web shells. These attacks, identified in January 2025, represent an evolution of similar techniques observed in May 2024, signaling persistent and adaptive tactics from this state-sponsored threat group. Cyber Security News is a Dedicated News Platform For Cyber News, Cyber Attack News, Hacking News & Vulnerability Analysis. The malware uses commands like “rundll32.exe C:\ProgramData\USOShared\sup.etl,SerializeMarketTable_32 x9nsB3iYUWiDT6BZKO5pgtMW -v 62 -m D:/www/[path]/ac_lst.exe” to execute privilege escalation. Regular updates to security solutions like V3 are recommended to ensure the detection of known Lazarus group indicators of compromise. Gurubaran is a co-founder of Cyber Security News and GBHackers On Security.

This Cyber News was published on cybersecuritynews.com. Publication date: Fri, 14 Mar 2025 11:20:06 +0000


Cyber News related to Lazarus Hackers Exploiting IIS Servers to Deploy ASP-based Web Shells

CVE-2022-32988 - Cross Site Scripting (XSS) vulnerability in router Asus DSL-N14U-B1 1.1.2.3_805 via the "*list" parameters (e.g. filter_lwlist, keyword_rulelist, etc) in every ".asp" page containing a list of stored strings. The following asp files ...
2 years ago
Web Shells Gain Sophistication for Stealth, Persistence - Web shells, a common type of post-exploitation tool that provides easy-to-use interface through which to issue commands to a compromised server, have become increasingly popular as attackers become more cloud-aware, experts say. A Web shell known as ...
1 year ago Darkreading.com
Lazarus Hackers Exploiting IIS Servers to Deploy ASP-based Web Shells - Unlike previous iterations that used the password “1234qwer,” the latest variant employs “2345rdx” as its authentication mechanism, indicating an evolution in their operational security measures. The continued evolution of ...
1 month ago Cybersecuritynews.com Lazarus Group
North Korean hackers exploit critical TeamCity flaw to breach networks - Microsoft says that the North Korean Lazarus and Andariel hacking groups are exploiting the CVE-2023-42793 flaw in TeamCity servers to deploy backdoor malware, likely to conduct software supply chain attacks. In September, TeamCity fixed a critical ...
1 year ago Bleepingcomputer.com CVE-2023-42793 Andariel
Lazarus hackers drop new RAT malware using 2-year-old Log4j bug - The new malware are two remote access trojans named NineRAT and DLRAT and a malware downloader named BottomLoader. The D programming language is rarely seen in cybercrime operations, so Lazarus probably chose it for new malware development to evade ...
1 year ago Bleepingcomputer.com
Feds Seize 'Sinbad' Crypto Mixer Used by North Korea's Lazarus - In its continued efforts to crack down on North Korea's most formidable state-sponsored threat group, the US government has seized a virtual currency mixer that has been serving as the principal way the group launders money stolen from its ...
1 year ago Darkreading.com Lazarus Group
It's not cricket! Sri Lanka and Bangladesh co-host phishing attack - Sri Lanka and Bangladesh have a successful history of co-hosting the Cricket World Cup, but today the two countries' governments have found themselves on a sticky wicket by co-hosting a phishing attack that targets UK banking customers. Victims lured ...
1 year ago Netcraft.com
North Korean Hackers Developing Malware in Dlang Programming Language - The North Korea-linked hacking group Lazarus has been observed deploying Dlang malware in attacks against organizations in the manufacturing, agriculture, and physical security sectors, Cisco's Talos security researchers report. Released in 2001, ...
1 year ago Packetstormsecurity.com Andariel
North Korean Hackers Developing Malware in Dlang Programming Language - The North Korea-linked hacking group Lazarus has been observed deploying Dlang malware in attacks against organizations in the manufacturing, agriculture, and physical security sectors, Cisco's Talos security researchers report. Released in 2001, ...
1 year ago Securityweek.com Andariel
ClickFake Interview - Lazarus Hackers Exploit Windows & macOS Users Fake Job Campaign - The ClickFake Interview campaign builds upon the tactics of Contagious Interview, which targeted software developers via fake job interviews conducted on platforms like LinkedIn or X (formerly Twitter). The Lazarus Group, a North Korean ...
3 weeks ago Cybersecuritynews.com Lazarus Group
Hackers from North Korea Aimed at Medical and Energy Industries - The North Korean Lazarus hacking group has been identified as the perpetrator of a recent cyber espionage operation known as No Pineapple!. This designation highlights the group's malicious activities and its ability to carry out sophisticated ...
2 years ago Cybersecuritynews.com
OKX suspends DEX aggregator after Lazarus hackers try to launder funds - OKX Web3 has decided to suspend its DEX aggregator services to implement security upgrades following reports of abuse by the notorious North Korean Lazarus hackers, who recently conducted a $1.5 billion crypto heist. OKX is a leading global ...
1 month ago Bleepingcomputer.com Lazarus Group
North Korean hackers linked to $1.5 billion ByBit crypto heist - Since the attack, crypto fraud investigator ZachXBT has discovered links between the Bybit hackers and the infamous North Korean Lazarus threat group after the attackers sent stolen Bybit funds to an Ethereum address previously ...
1 month ago Bleepingcomputer.com Lazarus Group
North Korean hackers adopt ClickFix attacks to target crypto firms - Sekoia says that Lazarus impersonates numerous well-known companies in the latest campaign, including Coinbase, KuCoin, Kraken, Circle, Securitize, BlockFi, Tether, Robinhood, and Bybit, from which the North Korean threat actors recently stole a ...
3 weeks ago Bleepingcomputer.com
New C++ Based IIS Malware With Numerous Functionalities Mimics cmd.exe To Stay Undetected - Unit 42’s analysis revealed that this new C++ based IIS malware command execution framework leverages Windows’ user-mode asynchronous procedure calls (APCs) to queue malicious tasks while maintaining the facade of legitimate cmd.exe activity. ...
1 month ago Cybersecuritynews.com
FBI confirms Lazarus hackers were behind $1.5B Bybit crypto heist - Since the incident, crypto fraud investigator ZachXBT discovered multiple links to the infamous North Korean threat group after the attackers sent some of the stolen Bybit funds to an Ethereum address used in the Phemex, BingX, and Poloniex hacks ...
1 month ago Bleepingcomputer.com APT3 APT38 Lazarus Group
Microsoft: Lazarus hackers breach CyberLink in supply chain attack - Microsoft says a North Korean hacking group has breached Taiwanese multimedia software company CyberLink and trojanized one of its installers to push malware in a supply chain attack targeting potential victims worldwide. According to Microsoft ...
1 year ago Bleepingcomputer.com Lazarus Group
CVE-2011-3684 - Multiple cross-site scripting (XSS) vulnerabilities in Tembria Server Monitor before 6.0.5 Build 2252 allow remote attackers to inject arbitrary web script or HTML via (1) the siteid parameter to logbook.asp, (2) the siteid parameter to ...
12 years ago
UK, ROK sound alarm over North Korean supply chain attacks The Register - The national cybersecurity organizations of the UK and the Republic of Korea have issued a joint advisory warning of an increased volume and sophistication of North Korean software supply chain attacks. "In an increasingly digital and interconnected ...
1 year ago Theregister.com Lazarus Group
Chinese Web Shell Whisperer Using Web Shells & Tunnels To Establish Persistence - Their analysis revealed the attackers’ unusual methodology of maintaining multiple persistence mechanisms simultaneously, allowing them to regain access even if one pathway is discovered and removed. Initial access typically occurs through ...
4 weeks ago Cybersecuritynews.com
US seizes Sinbad crypto mixer used by North Korean Lazarus hackers - The U.S. Department of the Treasury has sanctioned the Sinbad cryptocurrency mixing service for its use as a money-laundering tool by the North Korean Lazarus hacking group. A cryptocurrency mixer is a server that allows people to deposit crypto, ...
1 year ago Bleepingcomputer.com Lazarus Group
Lazarus Hackers Exploit 2-Year-Old Log4j Vulnerability to Deploy New RAT Malware - Researchers warn Lazarus threat actors still exploit known Log4j vulnerability to infect devices with new DLang malware strains. The new campaign, dubbed Operation Blacksmith, became active on March 23. Hackers target manufacturing, agricultural, and ...
1 year ago Heimdalsecurity.com CVE-2021-44228
North Korean Hackers' $12M Ethereum Laundering Via Tornado Cash Unveiled - It has been reported that North Korean hackers associated with the Lazarus Group have exploited Tornado Cash in a recent development to launder approximately $12 million worth of stolen Ethereum in the last 24 hours, using the coin mix-up service ...
1 year ago Cysecurity.news Lazarus Group
Lazarus Group is No Longer Consider a Single APT Group, But Collection of Many Sub Groups - The cybersecurity landscape is witnessing a growing complexity in the attribution of Advanced Persistent Threat (APT) actors, particularly the North Korean-linked Lazarus group. For instance, Bureau325 and APT43 have been identified as entities that ...
3 weeks ago Cybersecuritynews.com Kimsuky Lazarus Group
North Korean Hackers Cash Out $300 Million From $1.46 Billion ByBit Crypto Heist - Lazarus Group hackers believed to be affiliated with North Korea’s regime have successfully laundered at least $300 million from their unprecedented $1.5 billion cryptocurrency heist targeting the ByBit exchange. Elliptic’s analysis ...
1 month ago Cybersecuritynews.com Lazarus Group

Latest Cyber News


Cyber Trends (last 7 days)


Trending Cyber News (last 7 days)