TAINTEDSCRIBE is a fully-featured beaconing implant, integrated with command modules, used by Lazarus Group. It was first reported in May 2020. [1]

| Item | Value |
|---|---|
| ID | S0586 |
| Associated Names | (none) |
| Version | 1.0 |
| Created | 05 March 2021 |
| Last Modified | 26 April 2021 |
| Domain | ID | Name | Use |
|---|---|---|---|
| enterprise | T1560 | Archive Collected Data | TAINTEDSCRIBE has used FileReadZipSend to compress a file and send it to C2. [1] |
| enterprise | T1547 | Boot or Logon Autostart Execution | - |
| enterprise | T1547.001 | Registry Run Keys / Startup Folder | TAINTEDSCRIBE can copy itself into the current user's Startup folder as "Narrator.exe" for persistence. [1] |
| enterprise | T1059 | Command and Scripting Interpreter | - |
| enterprise | T1059.003 | Windows Command Shell | TAINTEDSCRIBE can enable Windows CLI access and execute files. [1] |
| enterprise | T1001 | Data Obfuscation | - |
| enterprise | T1001.003 | Protocol Impersonation | TAINTEDSCRIBE has used FakeTLS for session authentication. [1] |
| enterprise | T1573 | Encrypted Channel | - |
| enterprise | T1573.001 | Symmetric Cryptography | TAINTEDSCRIBE uses a Linear Feedback Shift Register (LFSR) algorithm for network encryption. [1] |
| enterprise | T1008 | Fallback Channels | TAINTEDSCRIBE can randomly pick one of five hard-coded IP addresses for C2 communication; if one of the IPs fails, it will wait 60 seconds and then try another IP address. [1] |
| enterprise | T1083 | File and Directory Discovery | TAINTEDSCRIBE can use DirectoryList to enumerate files in a specified directory. [1] |
| enterprise | T1070 | Indicator Removal | - |
| enterprise | T1070.004 | File Deletion | TAINTEDSCRIBE can delete files from a compromised host. [1] |
| enterprise | T1070.006 | Timestomp | TAINTEDSCRIBE can change the timestamp of specified filenames. [1] |
| enterprise | T1105 | Ingress Tool Transfer | TAINTEDSCRIBE can download additional modules from its C2 server. [1] |
| enterprise | T1036 | Masquerading | - |
| enterprise | T1036.005 | Match Legitimate Name or Location | The TAINTEDSCRIBE main executable has disguised itself as Microsoft's Narrator. [1] |
| enterprise | T1027 | Obfuscated Files or Information | - |
| enterprise | T1027.001 | Binary Padding | TAINTEDSCRIBE can execute FileRecvWriteRand to append random bytes to the end of a file received from C2. [1] |
| enterprise | T1057 | Process Discovery | TAINTEDSCRIBE can execute ProcessList for process discovery. [1] |
| enterprise | T1018 | Remote System Discovery | The TAINTEDSCRIBE command and execution module can perform target system enumeration. [1] |
| enterprise | T1082 | System Information Discovery | TAINTEDSCRIBE can use DriveList to retrieve drive information. [1] |
| enterprise | T1124 | System Time Discovery | TAINTEDSCRIBE can execute GetLocalTime for time discovery. [1] |
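As an added detection example (not code from MITRE, Lazarus Group or the implant), the following Python check applies two of the rows above to constructed file records: it flags a Narrator.exe that sits anywhere other than the assumed legitimate location %SystemRoot%\System32 (T1036.005 / T1547.001), and a Startup-folder entry whose modification time precedes its creation time, a common timestomping artefact (T1070.006). The paths and timestamps are constructed samples, not indicators from any report.

```python
from dataclasses import dataclass
from datetime import datetime
from pathlib import PureWindowsPath

# Legitimate home of Microsoft's Narrator.exe (assumption for this example).
LEGIT_NARRATOR_DIR = PureWindowsPath(r"C:\Windows\System32")


@dataclass
class FileRecord:
    """One file entry as a forensic tool or EDR might report it."""
    path: str
    created: datetime
    modified: datetime


def is_startup_entry(p: PureWindowsPath) -> bool:
    """True when the path sits under a 'Start Menu\\Programs\\Startup' folder."""
    parts = [part.lower() for part in p.parts]
    return "start menu" in parts and "startup" in parts


def startup_findings(records):
    """Return (path, reason) pairs for records matching the TAINTEDSCRIBE pattern."""
    findings = []
    for rec in records:
        p = PureWindowsPath(rec.path)
        # T1036.005 / T1547.001: a 'Narrator.exe' that is not the real one.
        if p.name.lower() == "narrator.exe" and p.parent != LEGIT_NARRATOR_DIR:
            findings.append((rec.path, "Narrator.exe outside System32 (T1036.005)"))
        # T1070.006: a Startup-folder file modified before it was created.
        if is_startup_entry(p) and rec.modified < rec.created:
            findings.append((rec.path, "modified before created (T1070.006)"))
    return findings


# Constructed sample records: the real Narrator, a copy in the user's Startup
# folder with a backdated modification time, and an ordinary Startup shortcut.
STARTUP = r"C:\Users\alice\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup"
SAMPLE_RECORDS = [
    FileRecord(r"C:\Windows\System32\Narrator.exe",
               datetime(2019, 12, 7, 9, 0), datetime(2019, 12, 7, 9, 0)),
    FileRecord(STARTUP + r"\Narrator.exe",
               datetime(2021, 3, 1, 10, 0), datetime(2015, 6, 1, 0, 0)),
    FileRecord(STARTUP + r"\OneDrive.lnk",
               datetime(2020, 5, 2, 8, 0), datetime(2020, 5, 2, 8, 0)),
]

if __name__ == "__main__":
    for path, reason in startup_findings(SAMPLE_RECORDS):
        print(f"{reason}: {path}")
```

Running it against the sample records reports the Startup-folder Narrator.exe twice (once per technique) and stays silent on the other two entries.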

Groups That Use This Software

| ID | Name | References |
|---|---|---|
| G0032 | Lazarus Group | [1] |