FALLCHILL is a RAT that has been used by Lazarus Group since at least 2016 to target the aerospace, telecommunications, and finance industries. It is usually dropped by other Lazarus Group malware or delivered when a victim unknowingly visits a compromised website. [1]

ID: S0181
Platforms: Windows

Version: 1.0

Techniques Used

Domain | ID | Name | Use
--- | --- | --- | ---
Enterprise | T1024 | Custom Cryptographic Protocol | FALLCHILL uses fake Transport Layer Security (TLS) to communicate with its C2 server, encoding data with RC4 encryption. [1]
Enterprise | T1083 | File and Directory Discovery | FALLCHILL can search files on a victim. [1]
Enterprise | T1107 | File Deletion | FALLCHILL can delete malware and associated artifacts from the victim. [1]
Enterprise | T1082 | System Information Discovery | FALLCHILL can collect operating system (OS) version information, processor information, system name, and information about installed disks from the victim. [1]
Enterprise | T1016 | System Network Configuration Discovery | FALLCHILL collects MAC address and local IP address information from the victim. [1]
Enterprise | T1099 | Timestomp | FALLCHILL can modify file or directory timestamps. [1]


Groups that use this software:

Lazarus Group