Full Report
In mid-2020, we realized that Lazarus was launching attacks on the defense industry using the ThreatNeedle cluster, an advanced malware cluster of Manuscrypt (a.k.a. NukeSped). While investigating this activity, we were able to observe the complete life cycle of an attack, uncovering more technical details and links to the group’s other campaigns.
Analysis Summary
Only the excerpt above is available, so this summary is limited to the information it contains; fields the excerpt does not cover are marked as unspecified.
# Threat Actor: Lazarus Group
## Attribution & Identity
* **Identification:** Lazarus Group.
* **Known Aliases and Associated Groups:** No additional group aliases are given. ThreatNeedle is the malware cluster used in this campaign; the excerpt describes it as an advanced cluster within the Manuscrypt (a.k.a. NukeSped) malware family.
## Activity Summary
* **Recent Campaigns and Operations:** In mid-2020, Lazarus was observed launching attacks specifically targeting the **defense industry** using the advanced **ThreatNeedle** malware cluster. The investigation uncovered the complete life cycle of this attack, which also revealed links to the group’s other campaigns.
## Tactics, Techniques & Procedures
* **Specific TTPs Mentioned:** None described. The excerpt states only that investigators were able to observe the complete life cycle of an attack, which uncovered further technical details and links to the group's other campaigns.
* **MITRE ATT&CK IDs:** None specified in the provided context.
## Targeting
* **Sectors:** Defense Industry.
* **Geography:** Not specified in the provided context.
* **Victims:** None specifically named in the provided context, only the general sector.
## Tools & Infrastructure
* **Malware Families Used:** ThreatNeedle, an advanced malware cluster within the Manuscrypt (a.k.a. NukeSped) family.
* **Infrastructure (C2, domains, IPs):** None specified in the provided context.
## Implications
* The threat actor maintains ongoing, advanced operations against sensitive sectors such as defense. The excerpt characterizes ThreatNeedle as an advanced malware cluster, and observation of the full attack life cycle yielded additional technical details and links to the group's other campaigns.
## Mitigations
* Defense recommendations are not detailed in the provided context snippet.