CyberSecurityBoard
Sponsor Register Login

Lazarus Hackers Exploiting IIS Servers to Deploy ASP-based Web Shells

Unlike previous iterations that used the password “1234qwer,” the latest variant employs “2345rdx” as its authentication mechanism, indicating an evolution in their operational security measures. The continued evolution of Lazarus techniques underscores the importance of proactive security measures against this persistent advanced threat actor targeting critical infrastructure worldwide. These web shells utilize sophisticated obfuscation techniques, remaining encoded in VBE format even after initial decoding, making detection and analysis challenging for security teams. Commands include “MidRequest” for redirecting data, “ProxyCheck” for saving Mid Info, “ReadFile” and “WriteFile” for file operations, “ClientHello” for responding with Mid Info, and others that facilitate the attackers’ control over the compromised system. Further security is implemented through random strings such as “xdmCz1eQ:?EkQ0d%c%r%jgY!fjabTTA0” and “#N@BGjn8g5!yCJAfiEFzq04Cqr%dFvcX” for the respective web shells. The threat actors have been breaching IIS servers to deploy ASP-based web shells, which are subsequently used as first-stage Command and Control (C2) servers that proxy communications to second-stage C2 infrastructure. Security researchers advise administrators to thoroughly inspect their web servers for vulnerabilities that could enable file uploads, particularly focusing on ASP-based web shells. These attacks, identified in January 2025, represent an evolution of similar techniques observed in May 2024, signaling persistent and adaptive tactics from this state-sponsored threat group. Cyber Security News is a Dedicated News Platform For Cyber News, Cyber Attack News, Hacking News & Vulnerability Analysis. The malware uses commands like “rundll32.exe C:\ProgramData\USOShared\sup.etl,SerializeMarketTable_32 x9nsB3iYUWiDT6BZKO5pgtMW -v 62 -m D:/www/[path]/ac_lst.exe” to execute privilege escalation. Regular updates to security solutions like V3 are recommended to ensure the detection of known Lazarus group indicators of compromise. Gurubaran is a co-founder of Cyber Security News and GBHackers On Security.

This Cyber News was published on cybersecuritynews.com. Publication date: Fri, 14 Mar 2025 11:20:06 +0000


Cyber News related to Lazarus Hackers Exploiting IIS Servers to Deploy ASP-based Web Shells

CVE-2022-32988 - Cross Site Scripting (XSS) vulnerability in router Asus DSL-N14U-B1 1.1.2.3_805 via the "*list" parameters (e.g. filter_lwlist, keyword_rulelist, etc) in every ".asp" page containing a list of stored strings. The following asp files ...
2 years ago
Web Shells Gain Sophistication for Stealth, Persistence - Web shells, a common type of post-exploitation tool that provides easy-to-use interface through which to issue commands to a compromised server, have become increasingly popular as attackers become more cloud-aware, experts say. A Web shell known as ...
1 year ago Darkreading.com
Lazarus Hackers Exploiting IIS Servers to Deploy ASP-based Web Shells - Unlike previous iterations that used the password “1234qwer,” the latest variant employs “2345rdx” as its authentication mechanism, indicating an evolution in their operational security measures. The continued evolution of ...
4 hours ago Cybersecuritynews.com Lazarus Group
North Korean hackers exploit critical TeamCity flaw to breach networks - Microsoft says that the North Korean Lazarus and Andariel hacking groups are exploiting the CVE-2023-42793 flaw in TeamCity servers to deploy backdoor malware, likely to conduct software supply chain attacks. In September, TeamCity fixed a critical ...
1 year ago Bleepingcomputer.com CVE-2023-42793 Andariel
Lazarus hackers drop new RAT malware using 2-year-old Log4j bug - The new malware are two remote access trojans named NineRAT and DLRAT and a malware downloader named BottomLoader. The D programming language is rarely seen in cybercrime operations, so Lazarus probably chose it for new malware development to evade ...
1 year ago Bleepingcomputer.com
Feds Seize 'Sinbad' Crypto Mixer Used by North Korea's Lazarus - In its continued efforts to crack down on North Korea's most formidable state-sponsored threat group, the US government has seized a virtual currency mixer that has been serving as the principal way the group launders money stolen from its ...
1 year ago Darkreading.com Lazarus Group
It's not cricket! Sri Lanka and Bangladesh co-host phishing attack - Sri Lanka and Bangladesh have a successful history of co-hosting the Cricket World Cup, but today the two countries' governments have found themselves on a sticky wicket by co-hosting a phishing attack that targets UK banking customers. Victims lured ...
1 year ago Netcraft.com
North Korean Hackers Developing Malware in Dlang Programming Language - The North Korea-linked hacking group Lazarus has been observed deploying Dlang malware in attacks against organizations in the manufacturing, agriculture, and physical security sectors, Cisco's Talos security researchers report. Released in 2001, ...
1 year ago Packetstormsecurity.com Andariel
North Korean Hackers Developing Malware in Dlang Programming Language - The North Korea-linked hacking group Lazarus has been observed deploying Dlang malware in attacks against organizations in the manufacturing, agriculture, and physical security sectors, Cisco's Talos security researchers report. Released in 2001, ...
1 year ago Securityweek.com Andariel
Hackers from North Korea Aimed at Medical and Energy Industries - The North Korean Lazarus hacking group has been identified as the perpetrator of a recent cyber espionage operation known as No Pineapple!. This designation highlights the group's malicious activities and its ability to carry out sophisticated ...
2 years ago Cybersecuritynews.com
North Korean hackers linked to $1.5 billion ByBit crypto heist - Since the attack, crypto fraud investigator ZachXBT has discovered links between the Bybit hackers and the infamous North Korean Lazarus threat group after the attackers sent stolen Bybit funds to an Ethereum address previously ...
2 weeks ago Bleepingcomputer.com Lazarus Group
FBI confirms Lazarus hackers were behind $1.5B Bybit crypto heist - Since the incident, crypto fraud investigator ZachXBT discovered multiple links to the infamous North Korean threat group after the attackers sent some of the stolen Bybit funds to an Ethereum address used in the Phemex, BingX, and Poloniex hacks ...
2 weeks ago Bleepingcomputer.com APT3 APT38 Lazarus Group
Microsoft: Lazarus hackers breach CyberLink in supply chain attack - Microsoft says a North Korean hacking group has breached Taiwanese multimedia software company CyberLink and trojanized one of its installers to push malware in a supply chain attack targeting potential victims worldwide. According to Microsoft ...
1 year ago Bleepingcomputer.com Lazarus Group
UK, ROK sound alarm over North Korean supply chain attacks The Register - The national cybersecurity organizations of the UK and the Republic of Korea have issued a joint advisory warning of an increased volume and sophistication of North Korean software supply chain attacks. "In an increasingly digital and interconnected ...
1 year ago Theregister.com Lazarus Group
US seizes Sinbad crypto mixer used by North Korean Lazarus hackers - The U.S. Department of the Treasury has sanctioned the Sinbad cryptocurrency mixing service for its use as a money-laundering tool by the North Korean Lazarus hacking group. A cryptocurrency mixer is a server that allows people to deposit crypto, ...
1 year ago Bleepingcomputer.com Lazarus Group
Lazarus Hackers Exploit 2-Year-Old Log4j Vulnerability to Deploy New RAT Malware - Researchers warn Lazarus threat actors still exploit known Log4j vulnerability to infect devices with new DLang malware strains. The new campaign, dubbed Operation Blacksmith, became active on March 23. Hackers target manufacturing, agricultural, and ...
1 year ago Heimdalsecurity.com CVE-2021-44228
CVE-2011-3684 - Multiple cross-site scripting (XSS) vulnerabilities in Tembria Server Monitor before 6.0.5 Build 2252 allow remote attackers to inject arbitrary web script or HTML via (1) the siteid parameter to logbook.asp, (2) the siteid parameter to ...
12 years ago
North Korean Hackers' $12M Ethereum Laundering Via Tornado Cash Unveiled - It has been reported that North Korean hackers associated with the Lazarus Group have exploited Tornado Cash in a recent development to launder approximately $12 million worth of stolen Ethereum in the last 24 hours, using the coin mix-up service ...
11 months ago Cysecurity.news Lazarus Group
North Korean Hackers Cash Out $300 Million From $1.46 Billion ByBit Crypto Heist - Lazarus Group hackers believed to be affiliated with North Korea’s regime have successfully laundered at least $300 million from their unprecedented $1.5 billion cryptocurrency heist targeting the ByBit exchange. Elliptic’s analysis ...
4 days ago Cybersecuritynews.com Lazarus Group
Microsoft: BlueNoroff hackers plan new crypto-theft attacks - Microsoft warns that the BlueNoroff North Korean hacking group is setting up new attack infrastructure for upcoming social engineering campaigns on LinkedIn. This financially motivated threat group also has a documented history of cryptocurrency ...
1 year ago Bleepingcomputer.com
Lazarus hacked Bybit via breached Safe{Wallet} developer machine - While investigating the attack, crypto fraud investigator ZachXBT discovered links between the Bybit hackers and the infamous North Korean Lazarus threat group after the attackers sent some of the stolen Bybit funds to an Ethereum address previously ...
2 weeks ago Bleepingcomputer.com Lazarus Group
Lazarus Group hackers appear to return to Tornado Cash for money laundering - North Korea's Lazarus hacking group allegedly has turned back to an old service in order to launder $23 million stolen during an attack in November. Investigators at blockchain research company Elliptic said on Friday that in the last day they had ...
11 months ago Therecord.media Lazarus Group
How Hackers Interrupted GTA 5 Online Gameplay on PC - Recently, a cyber-attack on Grand Theft Auto 5 Online on PC caused an interruption to thousands of players’ gameplays. The game was completely taken offline and players couldn’t even access the main gameplay menu. The attack caused an uproar ...
2 years ago Hackread.com
Chinese Hackers New Malware Dubbed 'Squidoor' Attacking Global Organizations - The malware, designed for exceptional stealth, offers attackers multiple methods to maintain persistent access to compromised networks while evading detection from advanced security systems. These methods include HTTP-based communication, reverse ...
2 days ago Cybersecuritynews.com
North Korean hackers linked to defense sector supply-chain attack - In an advisory today Germany's federal intelligence agency and South Korea's National Intelligence Service warn of an ongoing cyber-espionage operation targeting the global defense sector on behalf of the North Korean government. The attacks aim to ...
1 year ago Bleepingcomputer.com Lazarus Group

Latest Cyber News


Cyber Trends (last 7 days)


Trending Cyber News (last 7 days)