Threat Watch

LazyScripter Threat Group Targets Airlines with Open Source RATs

Originally reported by BleepingComputer, security researchers at Malwarebytes have identified a threat group targeting prospective Canadian immigrants, airlines, and the International Air Transport Association, since 2018. Nicknamed LazyScripter (LS), this group has been found to use a variety of commonly used Remote Access Trojans (RATs) such as Quasar, njRat, Remcos, and LuminosityLink. However, LazyScripter has recently shifted to using a mix of the open source RATs Octopus and Koadic, with some use of the open source post-compromise tool Powershell Empire as well. 

LazyScripter has been hosting their toolsets on GitHub, a tactic previously seen with an Iranian APT team.  While two other previous repositories on GitHub, LIZySARA and Axella49, have since been deleted, a third repository called OB2021 that was created in February 2021 is still active. While LazyScripter shared many medium to low confidence similarities with MuddyWater (an Iranian APT), Malwarebytes researchers were unable to produce a high-confidence attribution to this group.


The LazyScripter group takes advantage of mass spam campaigns using automatically generated emails sent from spoofed or compromised email accounts. The lures are typically fairly generic, but with a sense of urgency, like “WG: VERY IMPORTANT” or “CIRCULAR / URGENT”.

Inside these emails will be a fairly generic email template asking the user to “install this attached application” or “install this attached KIT”, or even just tells the user they have new files for downloading. Attached will be either a pdf with a link leading to an encrypted zip file (password is in the PDF), or just the encrypted zip file with the password in the email. Inside the zip will be malware leading to the KOCTOPUS stager (either in maldoc or batch file form).

Binary Defense recommends being very careful when opening any vague but urgent emails with passwords for encrypted zip files found in the email.

Additionally, Binary Defense recommends employing a 24/7 SOC solution, such as Binary Defense’s Security Operations Task Force to better defend against threats like LazyScripter if they manage to trick an employee into opening one of the malicious payloads. Detecting unusual behavior on employee workstations and servers, with quick response from a trained security analyst is the best and last line of defense to prevent attackers from using an initial foothold to expand access and take over a domain.

Source article: