Summary

  • Stately Taurus is a suspected Lazarus Group malware family that we recently described in a blog post covering the exploitation of a local Myanmar web host and taking a broader look at the threat actor's political interests.
  • The blog included a sample of the malware signed with a legitimate certificate issued to an automation company.
  • This certificate allowed us to pivot to other samples signed with it, some of which used the same infrastructure as the known Stately Taurus samples.
  • We linked these samples to two malware families, PubLoad and Bookworm, as well as a previously unlinked backdoor called ToneShell.
  • While these samples were not all part of the same campaign, the common signing certificate provides evidence that they are all products of the same threat actor.
  • This blog connects these samples and their infrastructure to reinforce our conclusion that Stately Taurus is part of the Lazarus Group.
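The linkage described in these bullets is a graph pivot: samples are joined to the certificate that signed them and to the infrastructure they contact, so two families become connected whenever they share either. The example below is added here to illustrate that analytical step; it is not code from the original post or from Unit 42, and every hash, certificate thumbprint and hostname in it is a constructed placeholder rather than an indicator from the post. It builds the sample/certificate/C2 graph, finds the connected clusters, and reports the shortest chain of pivots that ties one family to another so the evidence for a link can be stated explicitly.

```python
"""Cluster malware samples by shared code-signing certificate and shared C2 infrastructure.

Added illustration, not Unit 42 code. All identifiers below are CONSTRUCTED placeholders.
"""
from __future__ import annotations

from collections import defaultdict, deque
from dataclasses import dataclass
from typing import Optional

# Constructed placeholder certificate identifiers (not indicators from the post).
CERT_AUTOMATION_CO = "cert-thumbprint-AAAA"   # stands in for the legitimate cert issued to an automation company
CERT_OTHER = "cert-thumbprint-BBBB"           # an unrelated signer, used as a negative control


@dataclass(frozen=True)
class Sample:
    sha256: str             # file hash (placeholder)
    family: str             # analyst-assigned family label
    signer: Optional[str]   # signer certificate thumbprint, None if unsigned
    c2: frozenset           # hosts the sample contacts (placeholders)


# Constructed corpus: four families on one certificate, one ToneShell variant that is
# unsigned but shares C2 with the signed one, and one unrelated signed sample.
SAMPLES = [
    Sample("sha256-01", "Stately Taurus", CERT_AUTOMATION_CO, frozenset({"a.example.net"})),
    Sample("sha256-02", "PubLoad",        CERT_AUTOMATION_CO, frozenset({"b.example.net"})),
    Sample("sha256-03", "Bookworm",       CERT_AUTOMATION_CO, frozenset({"c.example.net"})),
    Sample("sha256-04", "ToneShell",      CERT_AUTOMATION_CO, frozenset({"a.example.net"})),
    Sample("sha256-05", "ToneShell",      None,               frozenset({"a.example.net"})),
    Sample("sha256-06", "Unrelated",      CERT_OTHER,         frozenset({"z.example.org"})),
]


def build_pivot_graph(samples):
    """Undirected graph over ("sample", hash), ("cert", thumbprint) and ("c2", host) nodes.

    A sample node is joined to its signer cert and to every host it contacts, so two
    samples are linked whenever they share a certificate or a piece of infrastructure.
    """
    adj = defaultdict(set)
    for s in samples:
        node = ("sample", s.sha256)
        adj[node]  # make sure isolated samples still appear as nodes
        if s.signer:
            cert = ("cert", s.signer)
            adj[node].add(cert)
            adj[cert].add(node)
        for host in s.c2:
            c2 = ("c2", host)
            adj[node].add(c2)
            adj[c2].add(node)
    return adj


def connected_components(adj):
    """Plain iterative DFS; each component is a set of nodes."""
    seen, comps = set(), []
    for start in adj:
        if start in seen:
            continue
        comp, stack = set(), [start]
        while stack:
            n = stack.pop()
            if n in seen:
                continue
            seen.add(n)
            comp.add(n)
            stack.extend(adj[n] - seen)
        comps.append(comp)
    return comps


def linked_families(samples):
    """For each cluster return (family labels, pivot nodes that hold it together)."""
    adj = build_pivot_graph(samples)
    by_hash = {s.sha256: s for s in samples}
    clusters = []
    for comp in connected_components(adj):
        families = frozenset(by_hash[v].family for k, v in comp if k == "sample")
        pivots = frozenset((k, v) for k, v in comp if k != "sample")
        clusters.append((families, pivots))
    return clusters


def pivot_path(samples, fam_a, fam_b):
    """Shortest sample/pivot/sample chain linking any fam_a sample to any fam_b sample.

    Returned as a list of nodes, or None if the families are not connected.
    """
    adj = build_pivot_graph(samples)
    starts = [("sample", s.sha256) for s in samples if s.family == fam_a]
    targets = {("sample", s.sha256) for s in samples if s.family == fam_b}
    prev = {n: None for n in starts}
    queue = deque(starts)
    while queue:
        n = queue.popleft()
        if n in targets:
            path = []
            while n is not None:
                path.append(n)
                n = prev[n]
            return path[::-1]
        for m in adj[n]:
            if m not in prev:
                prev[m] = n
                queue.append(m)
    return None


if __name__ == "__main__":
    for families, pivots in linked_families(SAMPLES):
        print(sorted(families), "<-", sorted(pivots))
    print(pivot_path(SAMPLES, "Bookworm", "ToneShell"))
```

On the constructed corpus the four families collapse into one cluster held together by the automation-company certificate and the shared host, while the negative-control sample stays in its own cluster; `pivot_path` shows that Bookworm reaches ToneShell in one hop through the certificate, which is the kind of explicit chain an analyst wants before asserting that two families share an operator.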

By Robert Falcone
