Newly Discovered APT Group “LazyScripter” Was Actively Spreading Malware Since 2018

Last updated June 23, 2021
Written by:
Bill Toulas
Bill Toulas
Cybersecurity Journalist

Malwarebytes researchers discovered a targeted spam campaign that dates as far back as 2018 and continues to this day by simply updating its lures. Although the observed TTPs have common ground with other known malicious groups such as APT28 and “Muddy Water,” this actor dubbed “LazyScripter” is considered a separate and so far undiscovered actor.

The phishing campaigns launched by the particular actor target job seekers with Remote Access Trojans (RATs) like Octopus, Koadic, LuminosityLink, RMS, Quasar, njRat, and Remcos. The targets seem to be people looking to immigrate to Canada. However, there are also lures specifically designed to imitate IATA (International Air Transport Association) and exploit the introduction of the IATA ONE ID contactless passenger processing tool. Thus, airlines and their employees are also targeted by LazyScripter.

Source: Malwarebytes

According to what Malwarebytes was able to gather, the phishing lures have the following subjects:

To tap onto the relevant victim pool, LazyScripter targets government-supported job finding programs hosted on Canadavisa.com and other legitimate sites. Their main infection vector is emails that carry malicious ZIP and document files hosted on GitHub. In most cases, these ZIPs contain either KOCTOPUS or Koadic, posing as “Upgrade.exe” or “IATA ONE ID.exe.”

Source: Malwarebytes

KOCTOPUS has four different variants with different backdoor functionality, executables, VBScript, or registry keys. The group generally uses a galore of different RATs to maintain an unusually diverse set of information-exfiltration methods.

All of them use the same C2 infrastructure, which is pretty extensive too. Still, Malwarebytes was able to identify the following five subdomains relying on four different dynamic DNS domain generating providers:

Source: Malwarebytes

The main things that pushed Malwarebytes to consider that this actor is a new group include the facts that they rely almost solely on spam campaigns, uses a very wide range of RATs and commodity tools, uses direct embedding instead of macros, and doesn’t use custom toolsets that are linked to other similar groups.



For a better user experience we recommend using a more modern browser. We support the latest version of the following browsers: For a better user experience we recommend using the latest version of the following browsers: