
S0665 ThreatNeedle

ThreatNeedle is a backdoor that has been used by Lazarus Group since at least 2019 to target cryptocurrency, defense, and mobile gaming organizations. It is considered to be an advanced cluster of Lazarus Group's Manuscrypt (a.k.a. NukeSped) malware family.1

Item Value
ID S0665
Associated Names
Version 1.1
Created 30 November 2021
Last Modified 26 March 2023

Techniques Used

Domain ID Name Use
enterprise T1547 Boot or Logon Autostart Execution -
enterprise T1547.001 Registry Run Keys / Startup Folder ThreatNeedle can be loaded into the Startup folder (%APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup\OneDrives.lnk) as a Shortcut file for persistence.1
enterprise T1543 Create or Modify System Process -
enterprise T1543.003 Windows Service ThreatNeedle can run in memory and register its payload as a Windows service.1
enterprise T1005 Data from Local System ThreatNeedle can collect data and files from a compromised host.1
enterprise T1140 Deobfuscate/Decode Files or Information ThreatNeedle can decrypt its payload using RC4, AES, or one-byte XORing.1
enterprise T1083 File and Directory Discovery ThreatNeedle can obtain file and directory information.1
enterprise T1105 Ingress Tool Transfer ThreatNeedle can download additional tools to enable lateral movement.1
enterprise T1036 Masquerading -
enterprise T1036.005 Match Legitimate Name or Location ThreatNeedle chooses its payload creation path from a randomly selected service name from netsvc.1
enterprise T1112 Modify Registry ThreatNeedle can modify the Registry to save its configuration data as the following RC4-encrypted Registry key: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\GameCon.1
enterprise T1027 Obfuscated Files or Information ThreatNeedle has been compressed and obfuscated using RC4, AES, or XOR.1
enterprise T1027.011 Fileless Storage ThreatNeedle can save its configuration data as an RC4-encrypted Registry key under HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\GameCon.1
enterprise T1566 Phishing -
enterprise T1566.001 Spearphishing Attachment ThreatNeedle has been distributed via a malicious Word document within a spearphishing email.1
enterprise T1082 System Information Discovery ThreatNeedle can collect system profile information from a compromised host.1
enterprise T1204 User Execution -
enterprise T1204.002 Malicious File ThreatNeedle relies on a victim to click on a malicious document for initial execution.1
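The persistence and configuration rows above name concrete host artifacts: the OneDrives.lnk shortcut in the per-user Startup folder, a service registered under a name borrowed from the netsvc group, and the RC4-encrypted configuration under HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\GameCon. The following Python is an added hunting example, not code from MITRE ATT&CK or from the cited report. It runs those three checks over a handful of constructed Sysmon (event IDs 11 and 13) and System-log (7045) records. The event field names, the sample records and the short list of netsvcs member service names are assumptions made for the example; only the paths, the registry key and the technique IDs come from the page.

```python
"""Hunt for the ThreatNeedle host artifacts named on this page (added example).
Inputs are constructed Sysmon/System-log events shaped like SIEM records;
field names and sample values are assumptions for the example."""
import re
from typing import Dict, List, Tuple

# T1547.001: shortcut dropped in the per-user Startup folder (page: OneDrives.lnk).
STARTUP_LNK = re.compile(
    r"\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\OneDrives\.lnk$", re.I)
# T1112 / T1027.011: RC4-encrypted configuration stored under this key (from the page).
GAMECON_KEY = re.compile(
    r"^HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\GameCon(\\|$)", re.I)
# T1543.003 / T1036.005: the page says the payload name is picked from the netsvc
# group. This short list of svchost netsvcs members is an assumption for the example;
# build the real one from HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost.
NETSVCS_NAMES = {"appmgmt", "bits", "schedule", "wuauserv", "themes", "lanmanserver"}


def match_event(ev: Dict[str, object]) -> List[str]:
    """Return the ATT&CK-labelled findings for one event (empty list = clean)."""
    hits: List[str] = []
    eid = ev.get("EventID")
    if eid == 11 and STARTUP_LNK.search(str(ev.get("TargetFilename", ""))):
        hits.append("T1547.001 OneDrives.lnk written to Startup folder")
    if eid == 13 and GAMECON_KEY.search(str(ev.get("TargetObject", ""))):
        hits.append("T1112/T1027.011 write to GameCon registry config")
    if eid == 7045:
        name = str(ev.get("ServiceName", "")).lower()
        path = str(ev.get("ImagePath", "")).lower()
        # A netsvcs member name is legitimate only when the service is hosted by svchost.exe.
        if name in NETSVCS_NAMES and "svchost.exe" not in path:
            hits.append("T1543.003 service uses a netsvcs name but is not hosted by svchost")
    return hits


def hunt(events) -> List[Tuple[int, str]]:
    """(RecordID, finding) pairs, in log order."""
    return [(ev["RecordID"], h) for ev in events for h in match_event(ev)]


# Constructed sample events (not real telemetry): three true positives and three
# benign look-alikes, including the legitimate OneDrive.lnk and a svchost-hosted service.
SAMPLE_EVENTS = [
    {"RecordID": 1, "EventID": 11, "Image": "C:\\Users\\alice\\AppData\\Roaming\\winupd.exe",
     "TargetFilename": "C:\\Users\\alice\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\OneDrives.lnk"},
    {"RecordID": 2, "EventID": 11, "Image": "C:\\Users\\alice\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe",
     "TargetFilename": "C:\\Users\\alice\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\OneDrive.lnk"},
    {"RecordID": 3, "EventID": 13, "Image": "C:\\Users\\alice\\AppData\\Roaming\\winupd.exe",
     "TargetObject": "HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\GameCon", "Details": "Binary Data"},
    {"RecordID": 4, "EventID": 13, "Image": "C:\\Windows\\System32\\svchost.exe",
     "TargetObject": "HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\\SecurityHealth", "Details": "DWORD (0x00000001)"},
    {"RecordID": 5, "EventID": 7045, "ServiceName": "BITS",
     "ImagePath": "C:\\Windows\\System32\\svchost.exe -k netsvcs -p"},
    {"RecordID": 6, "EventID": 7045, "ServiceName": "Themes",
     "ImagePath": "C:\\ProgramData\\Themes\\Themes.exe"},
]

if __name__ == "__main__":
    for rid, finding in hunt(SAMPLE_EVENTS):
        print(f"record {rid}: {finding}")
```

The OneDrive.lnk record is there on purpose: the name the page reports, OneDrives.lnk, differs from the legitimate OneDrive shortcut by one letter, so the check matches the exact file name rather than a substring. The service check is the only heuristic that goes beyond the page, and it leans on the netsvcs membership list, which should be read from the Svchost registry key of the examined host rather than hard-coded.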
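The T1140 and T1027.011 rows say the payload and the stored configuration are protected with RC4, AES or a one-byte XOR. The block below is an added analyst helper, not the malware's own code and not taken from the cited report: it implements RC4 and single-byte XOR, recovers an unknown XOR key by looking for a PE header in the output, and tries candidate RC4 keys with the same success test. The sample buffer, the keys and the PE check are constructed for the example; AES is left out because it needs a third-party library plus a key and IV the page does not record.

```python
"""Triage decoder for ThreatNeedle-style payload encoding (added example).
Implements the RC4 and one-byte XOR schemes the page lists; keys, sample
buffer and PE check are constructed for the example, not taken from a sample."""
from typing import Iterable, Optional, Tuple


def rc4(key: bytes, data: bytes) -> bytes:
    """Plain RC4 (KSA + PRGA); the same call encrypts and decrypts."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for byte in data:
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def xor1(key: int, data: bytes) -> bytes:
    """One-byte XOR, the third scheme the page names (also self-inverse)."""
    return bytes(b ^ key for b in data)


def looks_like_pe(data: bytes) -> bool:
    """Cheap PE check: 'MZ' at 0, e_lfanew in range, 'PE\\0\\0' at e_lfanew.
    Both the XOR brute force and the RC4 key trial use it as the success test."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    e_lfanew = int.from_bytes(data[0x3C:0x40], "little")
    return 0 < e_lfanew <= len(data) - 4 and data[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"


def brute_xor1(blob: bytes) -> Optional[int]:
    """Try all 256 single-byte keys; return the one that exposes a PE header."""
    for k in range(256):
        if looks_like_pe(xor1(k, blob)):
            return k
    return None


def try_decode(blob: bytes, rc4_keys: Iterable[bytes] = ()) -> Optional[Tuple[str, bytes]]:
    """XOR brute force first (cheap), then each candidate RC4 key.
    Returns (scheme description, plaintext) or None when nothing yields a PE."""
    k = brute_xor1(blob)
    if k is not None:
        return (f"xor1:0x{k:02x}", xor1(k, blob))
    for key in rc4_keys:
        out = rc4(key, blob)
        if looks_like_pe(out):
            return (f"rc4:{key.decode('latin-1')}", out)
    return None


def make_sample_pe() -> bytes:
    """Constructed PE-shaped buffer (headers only, not an executable)."""
    hdr = bytearray(b"MZ" + b"\x00" * 0x3A)        # DOS header up to e_lfanew
    hdr += (0x40).to_bytes(4, "little")             # e_lfanew -> offset 0x40
    hdr += b"PE\x00\x00" + b"constructed payload body"
    return bytes(hdr)


if __name__ == "__main__":
    pe = make_sample_pe()
    # Constructed keys: 0x5A for the XOR layer, b"example-key" for the RC4 layer.
    for label, blob in (("xor", xor1(0x5A, pe)), ("rc4", rc4(b"example-key", pe))):
        print(label, try_decode(blob, rc4_keys=[b"wrong", b"example-key"]))
```

On a real host the bytes of the GameCon value (from a registry export or a hive parser) go in as blob; the RC4 key has to be pulled from the sample that wrote it, since the page does not record it. The PE-header test is only a triage heuristic: a decrypted configuration blob is not a PE, so for that case replace looks_like_pe with a check for the structure the sample expects (printable strings, a known magic, or a length field that fits).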

Groups That Use This Software

ID Name References
G0032 Lazarus Group 1