Skip to content

Hide Navigation Hide TOC

ThreatNeedle - S0665 (16040b1c-ed28-4850-9d8f-bb8b81c42092)

ThreatNeedle is a backdoor that has been used by Lazarus Group since at least 2019 to target cryptocurrency, defense, and mobile gaming organizations. It is considered to be an advanced cluster of Lazarus Group's Manuscrypt (a.k.a. NukeSped) malware family.(Citation: Kaspersky ThreatNeedle Feb 2021)

Cluster A Galaxy A Cluster B Galaxy B Level
System Information Discovery - T1082 (354a7f88-63fb-41b5-a801-ce3b377b36f1) Attack Pattern ThreatNeedle - S0665 (16040b1c-ed28-4850-9d8f-bb8b81c42092) Malware 1
ThreatNeedle - S0665 (16040b1c-ed28-4850-9d8f-bb8b81c42092) Malware Windows Service - T1543.003 (2959d63f-73fd-46a1-abd2-109d7dcede32) Attack Pattern 1
Deobfuscate/Decode Files or Information - T1140 (3ccef7ae-cb5e-48f6-8302-897105fbf55c) Attack Pattern ThreatNeedle - S0665 (16040b1c-ed28-4850-9d8f-bb8b81c42092) Malware 1
Fileless Storage - T1027.011 (02c5abff-30bf-4703-ab92-1f6072fae939) Attack Pattern ThreatNeedle - S0665 (16040b1c-ed28-4850-9d8f-bb8b81c42092) Malware 1
ThreatNeedle - S0665 (16040b1c-ed28-4850-9d8f-bb8b81c42092) Malware File and Directory Discovery - T1083 (7bc57495-ea59-4380-be31-a64af124ef18) Attack Pattern 1
Match Legitimate Name or Location - T1036.005 (1c4e5d32-1fe9-4116-9d9d-59e3925bd6a2) Attack Pattern ThreatNeedle - S0665 (16040b1c-ed28-4850-9d8f-bb8b81c42092) Malware 1
Encrypted/Encoded File - T1027.013 (0d91b3c0-5e50-47c3-949a-2a796f04d144) Attack Pattern ThreatNeedle - S0665 (16040b1c-ed28-4850-9d8f-bb8b81c42092) Malware 1
Ingress Tool Transfer - T1105 (e6919abc-99f9-4c6c-95a5-14761e7b2add) Attack Pattern ThreatNeedle - S0665 (16040b1c-ed28-4850-9d8f-bb8b81c42092) Malware 1
Malicious File - T1204.002 (232b7f21-adf9-4b42-b936-b9d6f7df856e) Attack Pattern ThreatNeedle - S0665 (16040b1c-ed28-4850-9d8f-bb8b81c42092) Malware 1
Data from Local System - T1005 (3c4a2599-71ee-4405-ba1e-0e28414b4bc5) Attack Pattern ThreatNeedle - S0665 (16040b1c-ed28-4850-9d8f-bb8b81c42092) Malware 1
Modify Registry - T1112 (57340c81-c025-4189-8fa0-fc7ede51bae4) Attack Pattern ThreatNeedle - S0665 (16040b1c-ed28-4850-9d8f-bb8b81c42092) Malware 1
Registry Run Keys / Startup Folder - T1547.001 (9efb1ea7-c37b-4595-9640-b7680cd84279) Attack Pattern ThreatNeedle - S0665 (16040b1c-ed28-4850-9d8f-bb8b81c42092) Malware 1
Spearphishing Attachment - T1566.001 (2e34237d-8574-43f6-aace-ae2915de8597) Attack Pattern ThreatNeedle - S0665 (16040b1c-ed28-4850-9d8f-bb8b81c42092) Malware 1
Create or Modify System Process - T1543 (106c0cf6-bf73-4601-9aa8-0945c2715ec5) Attack Pattern Windows Service - T1543.003 (2959d63f-73fd-46a1-abd2-109d7dcede32) Attack Pattern 2
Fileless Storage - T1027.011 (02c5abff-30bf-4703-ab92-1f6072fae939) Attack Pattern Obfuscated Files or Information - T1027 (b3d682b6-98f2-4fb0-aa3b-b4df007ca70a) Attack Pattern 2
Masquerading - T1036 (42e8de7b-37b2-4258-905a-6897815e58e0) Attack Pattern Match Legitimate Name or Location - T1036.005 (1c4e5d32-1fe9-4116-9d9d-59e3925bd6a2) Attack Pattern 2
Encrypted/Encoded File - T1027.013 (0d91b3c0-5e50-47c3-949a-2a796f04d144) Attack Pattern Obfuscated Files or Information - T1027 (b3d682b6-98f2-4fb0-aa3b-b4df007ca70a) Attack Pattern 2
Malicious File - T1204.002 (232b7f21-adf9-4b42-b936-b9d6f7df856e) Attack Pattern User Execution - T1204 (8c32eb4d-805f-4fc5-bf60-c4d476c131b5) Attack Pattern 2
Registry Run Keys / Startup Folder - T1547.001 (9efb1ea7-c37b-4595-9640-b7680cd84279) Attack Pattern Boot or Logon Autostart Execution - T1547 (1ecb2399-e8ba-4f6b-8ba7-5c27d49405cf) Attack Pattern 2
Phishing - T1566 (a62a8db3-f23a-4d8f-afd6-9dbc77e7813b) Attack Pattern Spearphishing Attachment - T1566.001 (2e34237d-8574-43f6-aace-ae2915de8597) Attack Pattern 2