Register to stream ATT&CKcon 2.0 October 29-30


FALLCHILL is a RAT that has been used by Lazarus Group since at least 2016 to target the aerospace, telecommunications, and finance industries. It is usually dropped by other Lazarus Group malware or delivered when a victim unknowingly visits a compromised website. [1]

ID: S0181
Platforms: Windows
Version: 1.0

Techniques Used

Domain ID Name Use
Enterprise T1024 Custom Cryptographic Protocol FALLCHILL uses fake Transport Layer Security (TLS) to communicate with its C2 server, encoding data with RC4 encryption. [1]
Enterprise T1083 File and Directory Discovery FALLCHILL can search files on a victim. [1]
Enterprise T1107 File Deletion FALLCHILL can delete malware and associated artifacts from the victim. [1]
Enterprise T1082 System Information Discovery FALLCHILL can collect operating system (OS) version information, processor information, system name, and information about installed disks from the victim. [1]
Enterprise T1016 System Network Configuration Discovery FALLCHILL collects MAC address and local IP address information from the victim. [1]
Enterprise T1099 Timestomp FALLCHILL can modify file or directory timestamps. [1]

Groups That Use This Software

ID Name References
G0032 Lazarus Group [1]