

TYPEFRAME is a remote access tool that has been used by Lazarus Group.[1]

| Item | Value |
| --- | --- |
| ID | S0263 |
| Associated Names | |
| Version | 1.1 |
| Created | 17 October 2018 |
| Last Modified | 23 June 2020 |

Techniques Used

| Domain | ID | Name | Use |
| --- | --- | --- | --- |
| enterprise | T1059 | Command and Scripting Interpreter | - |
| enterprise | T1059.003 | Windows Command Shell | TYPEFRAME can uninstall malware components using a batch script.[1] TYPEFRAME can execute commands using a shell.[1] |
| enterprise | T1059.005 | Visual Basic | TYPEFRAME has used a malicious Word document for delivery with VBA macros for execution.[1] |
| enterprise | T1543 | Create or Modify System Process | - |
| enterprise | T1543.003 | Windows Service | TYPEFRAME variants can add malicious DLL modules as new services. TYPEFRAME can also delete services from the victim’s machine.[1] |
| enterprise | T1140 | Deobfuscate/Decode Files or Information | One TYPEFRAME variant decrypts an archive using an RC4 key, then decompresses and installs the decrypted malicious DLL module. Another variant decodes the embedded file by XORing it with the value “0x35”.[1] |
| enterprise | T1083 | File and Directory Discovery | TYPEFRAME can search directories for files on the victim’s machine.[1] |
| enterprise | T1562 | Impair Defenses | - |
| enterprise | T1562.004 | Disable or Modify System Firewall | TYPEFRAME can open the Windows Firewall on the victim’s machine to allow incoming connections.[1] |
| enterprise | T1070 | Indicator Removal on Host | - |
| enterprise | T1070.004 | File Deletion | TYPEFRAME can delete files off the system.[1] |
| enterprise | T1105 | Ingress Tool Transfer | TYPEFRAME can upload and download files to the victim’s machine.[1] |
| enterprise | T1112 | Modify Registry | TYPEFRAME can install encrypted configuration data under the Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellCompatibility\Applications\laxhost.dll and HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\PrintConfigs.[1] |
| enterprise | T1571 | Non-Standard Port | TYPEFRAME has used ports 443, 8080, and 8443 with a FakeTLS method.[1] |
| enterprise | T1027 | Obfuscated Files or Information | APIs and strings in some TYPEFRAME variants are RC4 encrypted. Another variant is encoded with XOR.[1] |
| enterprise | T1090 | Proxy | A TYPEFRAME variant can force the compromised system to function as a proxy server.[1] |
| enterprise | T1082 | System Information Discovery | TYPEFRAME can gather the disk volume information.[1] |
| enterprise | T1204 | User Execution | - |
| enterprise | T1204.002 | Malicious File | A Word document delivering TYPEFRAME prompts the user to enable macro execution.[1] |

Groups That Use This Software

| ID | Name | References |
| --- | --- | --- |
| G0032 | Lazarus Group | [1] |

