ThreatNeedle is a backdoor that has been used by Lazarus Group since at least 2019 to target cryptocurrency, defense, and mobile gaming organizations. It is considered to be an advanced cluster of Lazarus Group's Manuscrypt (a.k.a. NukeSped) malware family.[1]

ID: S0665
Platforms: Windows
Version: 1.0
Created: 30 November 2021
Last Modified: 13 April 2022

Techniques Used

Domain ID Name Use
Enterprise T1547 .001 Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder

ThreatNeedle can be loaded into the Startup folder (%APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup\OneDrives.lnk) as a Shortcut file for persistence.[1]

Enterprise T1543 .003 Create or Modify System Process: Windows Service

ThreatNeedle can run in memory and register its payload as a Windows service.[1]

Enterprise T1005 Data from Local System

ThreatNeedle can collect data and files from a compromised host.[1]

Enterprise T1140 Deobfuscate/Decode Files or Information

ThreatNeedle can decrypt its payload using RC4, AES, or one-byte XORing.[1]

Enterprise T1083 File and Directory Discovery

ThreatNeedle can obtain file and directory information.[1]

Enterprise T1105 Ingress Tool Transfer

ThreatNeedle can download additional tools to enable lateral movement.[1]

Enterprise T1036 .005 Masquerading: Match Legitimate Name or Location

ThreatNeedle chooses its payload creation path from a randomly selected service name from netsvc.[1]

Enterprise T1112 Modify Registry

ThreatNeedle can save its configuration data as the following RC4-encrypted Registry key: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\GameCon.[1]

Enterprise T1027 Obfuscated Files or Information

ThreatNeedle has been compressed and obfuscated using RC4, AES, or XOR.[1]

Enterprise T1566 .001 Phishing: Spearphishing Attachment

ThreatNeedle has been distributed via a malicious Word document within a spearphishing email.[1]

Enterprise T1082 System Information Discovery

ThreatNeedle can collect system profile information from a compromised host.[1]

Enterprise T1204 .002 User Execution: Malicious File

ThreatNeedle relies on a victim to click on a malicious document for initial execution.[1]

Groups That Use This Software

ID Name References
G0032 Lazarus Group