win.blindingcan

BLINDINGCAN

aka: AIRDRY, ZetaNile

Actor(s): Lazarus Group


BLINDINGCAN is a remote access trojan that communicates with its C&C server via HTTP(S).
It uses (custom) RC4 or AES to encrypt and decrypt its configuration and its network traffic.
It sends information about the victim's environment, such as the computer name, IP address, Windows product name and processor name.
It supports around 30 commands, including operations on the victim's filesystem, basic process management, command-line execution, file exfiltration, configuration updates, and the download and execution of additional payloads from the attackers' C&C. The commands are indexed by 16-bit integers, starting at 0x2009 and increasing to 0x2057, with some indices skipped.
Its HTTP POST requests use various parameter names mostly associated with web servers running bulletin board systems, such as bbs, article, boardid, s_board, page and idx_num.
It contains specific RTTI symbols such as ".?AVCHTTP_Protocol@@", ".?AVCFileRW@@" and ".?AVCSinSocket@@".
BLINDINGCAN is a flagship payload deployed in many Lazarus attacks, especially in the Operation DreamJob campaigns of 2020-2022.
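Two triage heuristics that follow directly from the description above, written as an added example (not Malpedia's code and not from any referenced report): scoring HTTP POST bodies by how many of the listed bulletin-board style parameter names they use, and checking a byte blob for the listed RTTI symbols. The proxy-style records are constructed for illustration; these parameter names also appear in legitimate forum traffic, so a hit is a lead for analysts, not a conviction.

```python
"""Triage helpers derived from the BLINDINGCAN description (added example)."""
from urllib.parse import parse_qs

# Parameter names the description lists for BLINDINGCAN's HTTP POST requests.
BBS_PARAMS = {"bbs", "article", "boardid", "s_board", "page", "idx_num"}

# RTTI class-name strings the description says the binary contains.
RTTI_SYMBOLS = [b".?AVCHTTP_Protocol@@", b".?AVCFileRW@@", b".?AVCSinSocket@@"]


def score_post_body(body: str) -> int:
    """Return how many distinct BBS-style parameter names the POST body uses."""
    names = set(parse_qs(body, keep_blank_values=True))
    return len(names & BBS_PARAMS)


def suspicious_posts(records, min_hits=3):
    """Return (url, hits) for POST records using at least min_hits names.

    records are (method, url, body) tuples, e.g. from a proxy log export.
    """
    flagged = []
    for method, url, body in records:
        if method != "POST":
            continue
        hits = score_post_body(body)
        if hits >= min_hits:
            flagged.append((url, hits))
    return flagged


def find_rtti_symbols(data: bytes):
    """Return the RTTI symbol strings present in a blob (memory dump or file)."""
    return [s.decode() for s in RTTI_SYMBOLS if s in data]


# Constructed sample records; hosts and values are invented for illustration.
SAMPLE_RECORDS = [
    ("POST", "https://forum.example/board.php",
     "bbs=1&article=2&boardid=3&s_board=9&page=0"),
    ("GET", "https://forum.example/board.php", ""),
    ("POST", "https://shop.example/login", "user=a&pass=b&page=1"),
]

if __name__ == "__main__":
    for url, hits in suspicious_posts(SAMPLE_RECORDS):
        print(f"{url}: {hits} BBS-style parameters")
    print(find_rtti_symbols(b"\x00.?AVCFileRW@@\x00"))
```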

References
2023-10-04 | Virus Bulletin | Peter Kálnai
Lazarus Campaigns and Backdoors in 2022-23
Covers: SimpleTea, POOLRAT, 3CX Backdoor, BLINDINGCAN, CLOUDBURST, DRATzarus, ForestTiger, ImprudentCook, LambLoad, LightlessCan, miniBlindingCan, PostNapTea, SecondHandTea, SnatchCrypto, wAgentTea, WebbyTea, WinInetLoader

2023-08-30 | Kaspersky Labs | David Emm
IT threat evolution in Q2 2023
Covers: 3CX Backdoor, Bankshot, BLINDINGCAN, GoldMax, Kazuar, QUIETCANARY, tomiris, GoldenJackal

2023-04-12 | Kaspersky Labs | Seongsu Park
Following the Lazarus group by tracking DeathNote campaign
Covers: Bankshot, BLINDINGCAN, ForestTiger, LambLoad, LPEClient, MimiKatz, NedDnLoader, Racket Downloader, Volgmer

2022-09-30 | ESET Research | Peter Kálnai
Amazon‑themed campaigns of Lazarus in the Netherlands and Belgium
Covers: BLINDINGCAN, FudModule, HTTP(S) uploader, LambLoad, TOUCHMOVE

2022-09-29 | Microsoft | LinkedIn Threat Prevention and Defense, Microsoft Security Threat Intelligence
ZINC weaponizing open-source software
Covers: BLINDINGCAN, CLOUDBURST, miniBlindingCan

2022-09-14 | Mandiant | James Maclachlan, Mathew Potaczek, Matt Williams, Nino Isakovic, Yash Gupta
It's Time to PuTTY! DPRK Job Opportunity Phishing via WhatsApp
Covers: BLINDINGCAN, miniBlindingCan, sRDI

2022-08-15 | Brandefense | Brandefense
Lazarus APT Group (APT38)
Covers: AppleJeus, AppleJeus, BADCALL, Bankshot, BLINDINGCAN, DRATzarus, Dtrack, KEYMARBLE, Sierra(Alfa,Bravo, ...), Torisma, WannaCryptor

2021-02-28 | PWC UK | PWC UK
Cyber Threats 2020: A Year in Retrospect
Covers: elf.wellmess, FlowerPower, PowGoop, 8.t Dropper, Agent.BTZ, Agent Tesla, Appleseed, Ave Maria, Bankshot, BazarBackdoor, BLINDINGCAN, Chinoxy, Conti, Cotx RAT, Crimson RAT, DUSTMAN, Emotet, FriedEx, FunnyDream, Hakbit, Mailto, Maze, METALJACK, Nefilim, Oblique RAT, Pay2Key, PlugX, QakBot, REvil, Ryuk, StoneDrill, StrongPity, SUNBURST, SUPERNOVA, TrickBot, TurlaRPC, Turla SilentMoon, WastedLocker, WellMess, Winnti, ZeroCleare, APT10, APT23, APT27, APT31, APT41, BlackTech, BRONZE EDGEWOOD, Inception Framework, MUSTANG PANDA, Red Charon, Red Nue, Sea Turtle, Tonto Team

2020-12-15 | HvS-Consulting AG | HvS-Consulting AG
Greetings from Lazarus: Anatomy of a cyber espionage campaign
Covers: BLINDINGCAN, MimiKatz, Lazarus Group

2020-12-15 | HvS-Consulting AG | HvS-Consulting AG
Greetings from Lazarus Anatomy of a cyber espionage campaign
Covers: BLINDINGCAN, HTTP(S) uploader, MimiKatz

2020-09-29 | JPCERT/CC | Shusei Tomonaga
BLINDINGCAN - Malware Used by Lazarus
Covers: BLINDINGCAN, Lazarus Group

2020-08-31 | SentinelOne | Jim Walter
The BLINDINGCAN RAT and Malicious North Korean Activity
Covers: BLINDINGCAN

2020-08-19 | US-CERT | US-CERT
Malware Analysis Report (AR20-232A)
Covers: Bankshot, BLINDINGCAN

2020-08-19 | CISA | CISA
MAR-10295134-1.v1 - North Korean Remote Access Trojan: BLINDINGCAN
Covers: BLINDINGCAN
Yara Rules
[TLP:WHITE] win_blindingcan_auto (20260504 | Detects win.blindingcan.)
rule win_blindingcan_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2026-05-04"
        version = "1"
        description = "Detects win.blindingcan."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.blindingcan"
        malpedia_rule_date = "20260422"
        malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14"
        malpedia_version = "20260504"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        $sequence_0 = { dc1d???????? dfe0 f6c405 7bd5 }
            // n = 4, score = 300
            //   dc1d????????         |                     
            //   dfe0                 | test                ecx, ecx
            //   f6c405               | inc                 esp
            //   7bd5                 | xor                 ebx, dword ptr [ebp + ecx*4 + 0x1c710]

        $sequence_1 = { a1???????? 33c5 8945f8 8b4508 db00 }
            // n = 5, score = 300
            //   a1????????           |                     
            //   33c5                 | shr                 edx, 0x10
            //   8945f8               | inc                 ebp
            //   8b4508               | xor                 ebx, dword ptr [ebp + 0x44]
            //   db00                 | shr                 eax, 0x18

        $sequence_2 = { 750a 8b10 8994bdfcfdffff 47 }
            // n = 4, score = 300
            //   750a                 | lea                 ebx, [0x10e9f]
            //   8b10                 | dec                 eax
            //   8994bdfcfdffff       | mov                 ecx, dword ptr [ebx - 8]
            //   47                   | dec                 eax

        $sequence_3 = { c785f8fcffffe25fcedf c785fcfcfffff15112b2 c78500fdffffc2840aa6 c78504fdfffff79d6681 }
            // n = 4, score = 300
            //   c785f8fcffffe25fcedf     | movzx    edx, al
            //   c785fcfcfffff15112b2     | cmp    eax, 2
            //   c78500fdffffc2840aa6     | jl    0x2a5
            //   c78504fdfffff79d6681     | dec    eax

        $sequence_4 = { c7858cfeffffafe2e55a c78590feffff74c31dff c78594feffff657f9183 c78598feffffa78b5b05 c7859cfeffff87f53e0c c785a0feffff074f9b22 c785a4feffff7c7277e4 }
            // n = 7, score = 300
            //   c7858cfeffffafe2e55a     | shr    eax, 0x18
            //   c78590feffff74c31dff     | movzx    ecx, al
            //   c78594feffff657f9183     | movzx    eax, bl
            //   c78598feffffa78b5b05     | inc    esp
            //   c7859cfeffff87f53e0c     | xor    ebx, dword ptr [ebp + ecx*4 + 0x1bf10]
            //   c785a0feffff074f9b22     | inc    esp
            //   c785a4feffff7c7277e4     | xor    ebx, dword ptr [ebp + eax*4 + 0x1cb10]

        $sequence_5 = { c745a453e8ba52 c745a8b67dbc8f c745ac3a39b69d c745b08c5fbadf c745b4e13300b2 }
            // n = 5, score = 300
            //   c745a453e8ba52       | mov                 ecx, edi
            //   c745a8b67dbc8f       | cmp                 eax, 4
            //   c745ac3a39b69d       | jl                  0x29f
            //   c745b08c5fbadf       | dec                 eax
            //   c745b4e13300b2       | and                 dword ptr [ebx], 0

        $sequence_6 = { c785c0feffff10d43c68 c785c4feffff7c9f1888 c785c8feffff1ce6ae9e c785ccfeffff64ceb0a1 c785d0feffff2d58cb71 c785d4feffff62c2f218 }
            // n = 6, score = 300
            //   c785c0feffff10d43c68     | dec    eax
            //   c785c4feffff7c9f1888     | add    ebx, 0x10
            //   c785c8feffff1ce6ae9e     | dec    eax
            //   c785ccfeffff64ceb0a1     | dec    esi
            //   c785d0feffff2d58cb71     | jne    0xffffffdd
            //   c785d4feffff62c2f218     | dec    eax

        $sequence_7 = { c78508ffffffdcb29bd9 c7850cffffff5e41f6d0 c78510ffffff75bb0656 c78514ffffff47cdfbc7 c78518ffffff79ecb859 }
            // n = 5, score = 300
            //   c78508ffffffdcb29bd9     | mov    dword ptr [ebp - 0x308], 0xdfce5fe2
            //   c7850cffffff5e41f6d0     | mov    dword ptr [ebp - 0x304], 0xb21251f1
            //   c78510ffffff75bb0656     | mov    dword ptr [ebp - 0x300], 0xa60a84c2
            //   c78514ffffff47cdfbc7     | mov    dword ptr [ebp - 0x2fc], 0x81669df7
            //   c78518ffffff79ecb859     | mov    dword ptr [ebp - 0x5c], 0x52bae853

        $sequence_8 = { f7fe 8bca e8???????? 85c0 7409 e8???????? 85c0 }
            // n = 7, score = 200
            //   f7fe                 | idiv                esi
            //   8bca                 | mov                 ecx, edx
            //   e8????????           |                     
            //   85c0                 | test                eax, eax
            //   7409                 | je                  0xb
            //   e8????????           |                     
            //   85c0                 | test                eax, eax

        $sequence_9 = { 48832300 4883c310 48ffce 75d4 488d1d9f0e0100 488b4bf8 4885c9 }
            // n = 7, score = 100
            //   48832300             | inc                 ebp
            //   4883c310             | xor                 ecx, ecx
            //   48ffce               | inc                 ebp
            //   75d4                 | mov                 eax, esp
            //   488d1d9f0e0100       | xor                 ebx, ebx
            //   488b4bf8             | test                eax, eax
            //   4885c9               | je                  0xcd

        $sequence_10 = { 45339c8c10c30100 45339c8410cb0100 418bc2 41c1ea10 45335d44 c1e818 0fb6d0 }
            // n = 7, score = 100
            //   45339c8c10c30100     | xor                 eax, dword ptr [esp + eax*4 + 0x1cb10]
            //   45339c8410cb0100     | inc                 ebp
            //   418bc2               | xor                 eax, dword ptr [ebp + 0x6c]
            //   41c1ea10             | inc                 ecx
            //   45335d44             | mov                 eax, eax
            //   c1e818               | shr                 eax, 0x10
            //   0fb6d0               | movzx               edx, al

        $sequence_11 = { 4533848410cb0100 4533456c 418bc0 c1e810 0fb6d0 418bc1 418bb49410c30100 }
            // n = 7, score = 100
            //   4533848410cb0100     | dec                 eax
            //   4533456c             | mov                 edi, ecx
            //   418bc0               | inc                 esp
            //   c1e810               | mov                 eax, ebx
            //   0fb6d0               | dec                 eax
            //   418bc1               | lea                 edx, [ebp + 0x3f0]
            //   418bb49410c30100     | inc                 ebp

        $sequence_12 = { e8???????? 488d0dcfdb0100 448bc6 33d2 e8???????? 488bcb 33f6 }
            // n = 7, score = 100
            //   e8????????           |                     
            //   488d0dcfdb0100       | xor                 ebx, ebx
            //   448bc6               | test                eax, eax
            //   33d2                 | dec                 eax
            //   e8????????           |                     
            //   488bcb               | lea                 ecx, [0x1dbcf]
            //   33f6                 | inc                 esp

        $sequence_13 = { 488b15???????? b918200000 4533c9 458bc4 e8???????? 33db 85c0 }
            // n = 7, score = 100
            //   488b15????????       |                     
            //   b918200000           | mov                 ecx, 0x2018
            //   4533c9               | inc                 ebp
            //   458bc4               | xor                 ecx, ecx
            //   e8????????           |                     
            //   33db                 | inc                 ebp
            //   85c0                 | mov                 eax, esp

        $sequence_14 = { 4533e4 488bf9 448bc3 488d95f0030000 458d6c2401 498d80fefdff7f 4885c0 }
            // n = 7, score = 100
            //   4533e4               | mov                 eax, esi
            //   488bf9               | xor                 edx, edx
            //   448bc3               | dec                 eax
            //   488d95f0030000       | mov                 ecx, ebx
            //   458d6c2401           | xor                 esi, esi
            //   498d80fefdff7f       | inc                 ebp
            //   4885c0               | xor                 esp, esp

        $sequence_15 = { ff15???????? 83f802 0f8c9f020000 488bcf ff15???????? 83f804 0f8c8d020000 }
            // n = 7, score = 100
            //   ff15????????         |                     
            //   83f802               | inc                 ecx
            //   0f8c9f020000         | mov                 eax, ecx
            //   488bcf               | inc                 ecx
            //   ff15????????         |                     
            //   83f804               | mov                 esi, dword ptr [esp + edx*4 + 0x1c310]
            //   0f8c8d020000         | mov                 ecx, 0x2018

    condition:
        7 of them and filesize < 363520
}
[TLP:WHITE] win_blindingcan_w0   (20200901 | Detects 32bit HiddenCobra BLINDINGCAN Trojan RAT)
rule win_blindingcan_w0 {
   meta:
       author = "CISA Code & Media Analysis"
       incident = "10135536"
       date = "2018-05-04"
       actor = "Lazarus Group"
       actor_type = "APT"
       category = "malware"
       family = "BLINDINGCAN"
       description = "Detects 32bit HiddenCobra BLINDINGCAN Trojan RAT"
       hash = "1ee75106a9113b116c54e7a5954950065b809e0bb4dd0a91dc76f778508c7954"
       hash = "7dce6f30e974ed97a3ed024d4c62350f9396310603e185a753b63a1f9a2d5799"
       hash = "96721e13bae587c75618566111675dec2d61f9f5d16e173e69bb42ad7cb2dd8a"
       hash = "f71d67659baf0569143874d5d1c5a4d655c7d296b2e86be1b8f931c2335c0cd3"
       source = "https://us-cert.cisa.gov/ncas/analysis-reports/ar20-232a"
       malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.blindingcan"
       malpedia_version = "20200901"
       malpedia_sharing = "TLP:WHITE"
       malpedia_license = ""
   strings:
       $s0 = { C7 45 EC 0D 06 09 2A C7 45 F0 86 48 86 F7 C7 45 F4 0D 01 01 01 C7 45 F8 05 00 03 82 }
       $s1 = { 50 4D 53 2A 2E 74 6D 70 }
       $s2 = { 79 67 60 3C 77 F9 BA 77 7A 56 1B 68 51 26 11 96 B7 98 71 39 82 B0 81 78 }
   condition:
       any of them
}