As originally reported by BleepingComputer, security researchers at Malwarebytes have identified a threat group that has been targeting prospective Canadian immigrants, airlines, and the International Air Transport Association since 2018. Nicknamed LazyScripter (LS), the group has been found to use a variety of commonly used Remote Access Trojans (RATs) such as Quasar, njRat, Remcos, and LuminosityLink. However, LazyScripter has recently shifted to a mix of the open-source RATs Octopus and Koadic, with some use of the open-source post-compromise tool PowerShell Empire as well.
LazyScripter has been hosting its toolsets on GitHub, a tactic previously seen with an Iranian APT team. Two earlier repositories on GitHub, LIZySARA and Axella49, have since been deleted, but a third repository called OB2021, created in February 2021, is still active. While LazyScripter shares many medium- to low-confidence similarities with MuddyWater (an Iranian APT), Malwarebytes researchers were unable to produce a high-confidence attribution to that group.