A payload of the Wslink downloader named WinorDLL64 has been linked to the North Korea-aligned advanced persistent threat (APT) known as Lazarus Group.
The link was made by cybersecurity researchers at Eset, who published a blog post about it earlier today.
“Wslink […] is a loader for Windows binaries that, unlike other such loaders, runs as a server and executes received modules in memory,” wrote Eset malware analyst Vladislav Hrčka.

According to the advisory, the initial Wslink compromise vector has not been identified, but the malware was uploaded to VirusTotal from South Korea after the publication of the company's advisory.
“The WinorDLL64 payload serves as a backdoor that most notably acquires extensive system information, provides means for file manipulation, such as exfiltrating, overwriting, and removing files, and executes additional commands,” wrote Hrčka.
Further, the Wslink loader listens on a port specified in its file configuration. It can reportedly serve other connecting clients and load additional payloads.
First seen by the Eset team in 2021, Wslink was not immediately associated by the researchers with Lazarus. The connection was made only recently, owing to an overlap in the targeted region, behavior and code with known Lazarus samples. In particular, the overlaps were observed with two Lazarus-attributed campaigns: Operation GhostSecret and the Bankshot implant.
“WinorDLL64 contains an overlap in the development environment, behavior, and code with several Lazarus samples, which indicates that it might be a tool from the vast arsenal of this North-Korea-aligned APT group,” Hrčka said.
More information about the samples analyzed by Eset, as well as associated indicators of compromise (IoCs), is provided in the company's advisory.
The technical write-up comes weeks after the US Federal Bureau of Investigation (FBI) linked Lazarus Group to the $100m theft from cryptocurrency firm Harmony. More recently, the APT was observed committing an “operational security oversight” while targeting research, medical and energy sector organizations.
Some parts of this report are sourced from:
www.infosecurity-magazine.com