Cryptoistic is a backdoor, written in Swift, that has been used by Lazarus Group.[1]

ID: S0498
Platforms: macOS
Version: 1.0
Created: 10 August 2020
Last Modified: 18 August 2020

Techniques Used

Domain ID Name Use
Enterprise T1005 Data from Local System

Cryptoistic can retrieve files from the local file system.[1]

Enterprise T1573 Encrypted Channel

Cryptoistic can engage in encrypted communications with C2.[1]

Enterprise T1083 File and Directory Discovery

Cryptoistic can scan a directory to identify files for deletion.[1]

Enterprise T1070 .004 Indicator Removal: File Deletion

Cryptoistic has the ability to delete files from a compromised host.[1]

Enterprise T1105 Ingress Tool Transfer

Cryptoistic has the ability to send and receive files.[1]

Enterprise T1095 Non-Application Layer Protocol

Cryptoistic can use TCP in communications with C2.[1]

Enterprise T1033 System Owner/User Discovery

Cryptoistic can gather data on the user of a compromised host.[1]
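The T1083 and T1070.004 entries above describe a scan-then-delete pattern: the backdoor enumerates a directory to pick files, then removes them. The following detector is an added example written for this page; it is not Cryptoistic's code and is not from the ATT&CK entry. It assumes a hypothetical JSON-lines endpoint telemetry feed with "readdir" (directory enumeration) and "unlink" (file deletion) events carrying a pid, process path and target path; the field names, the 30-second window and the three-deletion threshold are all assumptions. It flags a process that lists a directory and then deletes several entries of that same directory shortly afterwards, while ignoring a single deletion or deletions that follow long after the listing.

```python
"""Hypothetical detector for the T1083 -> T1070.004 (scan, then delete) pattern.

Added example, not Cryptoistic's code and not from the ATT&CK page. Assumes a
JSON-lines telemetry feed whose event types and field names are assumptions:
  {"ts": ISO-8601 UTC, "type": "readdir"|"unlink", "pid": int, "proc": str, "path": str}
"""
import json
import os
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample telemetry (not real logs). pid 501 lists a cache directory
# and removes one file (benign). pid 742 lists ~/Documents, deletes three of its
# entries within seconds, deletes one file elsewhere, and deletes another
# Documents file two minutes later (outside the window).
SAMPLE_EVENTS = """\
{"ts":"2020-08-10T12:00:01Z","type":"readdir","pid":501,"proc":"/usr/bin/find","path":"/Users/alice/Library/Caches"}
{"ts":"2020-08-10T12:00:02Z","type":"unlink","pid":501,"proc":"/usr/bin/find","path":"/Users/alice/Library/Caches/tmp1"}
{"ts":"2020-08-10T12:05:00Z","type":"readdir","pid":742,"proc":"/Users/alice/Library/.helper","path":"/Users/alice/Documents"}
{"ts":"2020-08-10T12:05:01Z","type":"unlink","pid":742,"proc":"/Users/alice/Library/.helper","path":"/Users/alice/Documents/a.txt"}
{"ts":"2020-08-10T12:05:02Z","type":"unlink","pid":742,"proc":"/Users/alice/Library/.helper","path":"/Users/alice/Documents/b.txt"}
{"ts":"2020-08-10T12:05:03Z","type":"unlink","pid":742,"proc":"/Users/alice/Library/.helper","path":"/Users/alice/Desktop/c.txt"}
{"ts":"2020-08-10T12:05:04Z","type":"unlink","pid":742,"proc":"/Users/alice/Library/.helper","path":"/Users/alice/Documents/d.txt"}
{"ts":"2020-08-10T12:07:00Z","type":"unlink","pid":742,"proc":"/Users/alice/Library/.helper","path":"/Users/alice/Documents/e.txt"}
"""

WINDOW = timedelta(seconds=30)  # assumed: deletions must follow the listing within 30s
MIN_DELETES = 3                 # assumed: fewer deletions is treated as routine cleanup


def parse_events(text):
    """Parse JSON lines into dicts with a datetime 'ts', sorted by time."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        ev = json.loads(line)
        ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append(ev)
    events.sort(key=lambda e: e["ts"])
    return events


def detect_scan_then_delete(events, window=WINDOW, min_deletes=MIN_DELETES):
    """Return one alert per (pid, directory) where a readdir of that directory
    was followed, within `window`, by at least `min_deletes` unlinks of files
    directly inside it. Unlinks in other directories or outside the window
    are not counted."""
    last_readdir = {}            # (pid, directory) -> (timestamp, proc)
    deletes = defaultdict(list)  # (pid, directory) -> [deleted paths]
    for ev in events:
        if ev["type"] == "readdir":
            key = (ev["pid"], ev["path"].rstrip("/"))
            last_readdir[key] = (ev["ts"], ev["proc"])
        elif ev["type"] == "unlink":
            key = (ev["pid"], os.path.dirname(ev["path"]))
            seen = last_readdir.get(key)
            if seen is not None and seen[0] <= ev["ts"] <= seen[0] + window:
                deletes[key].append(ev["path"])
    alerts = []
    for (pid, directory), paths in deletes.items():
        if len(paths) >= min_deletes:
            alerts.append({
                "pid": pid,
                "proc": last_readdir[(pid, directory)][1],
                "directory": directory,
                "deleted": paths,
                "techniques": ["T1083", "T1070.004"],
            })
    return alerts


if __name__ == "__main__":
    for alert in detect_scan_then_delete(parse_events(SAMPLE_EVENTS)):
        print(json.dumps(alert, indent=2))
```

The window and threshold are tuning knobs: a build tool or cache cleaner will also list a directory and delete entries, so in practice the alert is best combined with process-reputation context (unsigned binary, unusual parent, user-writable location) rather than used on its own.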

Groups That Use This Software

ID Name References
G0032 Lazarus Group