The sub-techniques beta is now live! Read the release blog post for more info.


FALLCHILL is a RAT that has been used by Lazarus Group since at least 2016 to target the aerospace, telecommunications, and finance industries. It is usually dropped by other Lazarus Group malware or delivered when a victim unknowingly visits a compromised website. [1]

ID: S0181
Platforms: Windows
Version: 1.0
Created: 16 January 2018
Last Modified: 17 October 2018

Techniques Used

Domain ID Name Use
Enterprise T1024 Custom Cryptographic Protocol

FALLCHILL uses fake Transport Layer Security (TLS) to communicate with its C2 server, encoding data with RC4 encryption.[1]

Enterprise T1083 File and Directory Discovery

FALLCHILL can search files on a victim.[1]

Enterprise T1107 File Deletion

FALLCHILL can delete malware and associated artifacts from the victim.[1]

Enterprise T1082 System Information Discovery

FALLCHILL can collect operating system (OS) version information, processor information, system name, and information about installed disks from the victim.[1]

Enterprise T1016 System Network Configuration Discovery

FALLCHILL collects MAC address and local IP address information from the victim.[1]

Enterprise T1099 Timestomp

FALLCHILL can modify file or directory timestamps.[1]

Groups That Use This Software

ID Name References
G0032 Lazarus Group [1]