
BLINDINGCAN

aka: AIRDRY, ZetaNile

Actor(s): Lazarus Group


BLINDINGCAN is a remote access trojan that communicates with its C&C server via HTTP(S).
It uses (custom) RC4 or AES for encryption and decryption of its configuration and network traffic.
It sends information about the victim's environment, such as computer name, IP address, Windows product name and processor name.
It supports around 30 commands that include operations on the victim's filesystem, basic process management, command line execution, file exfiltration, configuration update, and the download and execution of additional payloads from the attackers' C&C. The commands are indexed by 16-bit integers, starting at index 0x2009 and going incrementally up to 0x2057, with some indices being skipped.
It uses various parameter names in its HTTP POST requests, mostly associated with web servers running bulletin board systems, like bbs, article, boardid, s_board, page, idx_num, etc.
It contains specific RTTI symbols like ".?AVCHTTP_Protocol@@", ".?AVCFileRW@@" or ".?AVCSinSocket@@".
BLINDINGCAN RAT is a flagship payload deployed in many Lazarus attacks, especially in the Operation DreamJob campaigns of 2020-2022.
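An added triage helper (not code from Malpedia or any of the cited vendors) that checks the two host- and network-side traits described above: the RTTI class names left in the binary, and the co-occurrence of bulletin-board-style parameter names in a form-encoded POST body. The sample file image, the POST bodies and the co-occurrence threshold are constructed assumptions for the demo, not documented C&C characteristics.

```python
from urllib.parse import parse_qs

# RTTI names and POST parameter names taken from the description above.
RTTI_SYMBOLS = [b".?AVCHTTP_Protocol@@", b".?AVCFileRW@@", b".?AVCSinSocket@@"]
BBS_PARAMS = {"bbs", "article", "boardid", "s_board", "page", "idx_num"}


def rtti_hits(data: bytes) -> list[str]:
    """Return the BLINDINGCAN-associated RTTI names found in a file image."""
    return [s.decode() for s in RTTI_SYMBOLS if s in data]


def bbs_param_hits(post_body: str, min_hits: int = 3) -> tuple[bool, set[str]]:
    """Flag a form-encoded POST body whose parameter names overlap the
    bulletin-board set. Several names must co-occur because a lone 'page'
    or 'article' parameter is common on legitimate sites; the threshold
    of 3 is an assumption chosen for this demo, tune it to your traffic."""
    names = set(parse_qs(post_body, keep_blank_values=True).keys())
    hits = names & BBS_PARAMS
    return len(hits) >= min_hits, hits


# Constructed sample: a fake PE-like blob with two of the RTTI names embedded.
SAMPLE_IMAGE = (b"MZ\x90\x00" + b"\x00" * 32
                + b".?AVCHTTP_Protocol@@\x00" + b"junk" + b".?AVCFileRW@@\x00")
# Constructed POST bodies: one mimicking the described beacon shape, one benign.
SUSPICIOUS_BODY = "bbs=1&boardid=3&s_board=data&page=2&idx_num=17"
BENIGN_BODY = "page=2&q=search+term"

if __name__ == "__main__":
    print("RTTI:", rtti_hits(SAMPLE_IMAGE))
    print("POST:", bbs_param_hits(SUSPICIOUS_BODY), bbs_param_hits(BENIGN_BODY))
```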

References

2023-10-04 | Virus Bulletin | Peter Kálnai
Lazarus Campaigns and Backdoors in 2022-23
SimpleTea POOLRAT 3CX Backdoor BLINDINGCAN CLOUDBURST DRATzarus ForestTiger ImprudentCook LambLoad LightlessCan miniBlindingCan PostNapTea SecondHandTea SnatchCrypto wAgentTea WebbyTea WinInetLoader

2023-08-30 | Kaspersky Labs | David Emm
IT threat evolution in Q2 2023
3CX Backdoor Bankshot BLINDINGCAN GoldMax Kazuar QUIETCANARY tomiris GoldenJackal

2023-04-12 | Kaspersky Labs | Seongsu Park
Following the Lazarus group by tracking DeathNote campaign
Bankshot BLINDINGCAN ForestTiger LambLoad LPEClient MimiKatz NedDnLoader Racket Downloader Volgmer

2022-09-30 | ESET Research | Peter Kálnai
Amazon-themed campaigns of Lazarus in the Netherlands and Belgium
BLINDINGCAN FudModule HTTP(S) uploader LambLoad TOUCHMOVE

2022-09-29 | Microsoft | LinkedIn Threat Prevention and Defense, Microsoft Security Threat Intelligence
ZINC weaponizing open-source software
BLINDINGCAN CLOUDBURST miniBlindingCan

2022-09-14 | Mandiant | James Maclachlan, Mathew Potaczek, Matt Williams, Nino Isakovic, Yash Gupta
It's Time to PuTTY! DPRK Job Opportunity Phishing via WhatsApp
BLINDINGCAN miniBlindingCan sRDI

2022-08-15 | Brandefense | Brandefense
Lazarus APT Group (APT38)
AppleJeus AppleJeus BADCALL Bankshot BLINDINGCAN DRATzarus Dtrack KEYMARBLE Sierra(Alfa,Bravo, ...) Torisma WannaCryptor

2021-02-28 | PWC UK | PWC UK
Cyber Threats 2020: A Year in Retrospect
elf.wellmess FlowerPower PowGoop 8.t Dropper Agent.BTZ Agent Tesla Appleseed Ave Maria Bankshot BazarBackdoor BLINDINGCAN Chinoxy Conti Cotx RAT Crimson RAT DUSTMAN Emotet FriedEx FunnyDream Hakbit Mailto Maze METALJACK Nefilim Oblique RAT Pay2Key PlugX QakBot REvil Ryuk StoneDrill StrongPity SUNBURST SUPERNOVA TrickBot TurlaRPC Turla SilentMoon WastedLocker WellMess Winnti ZeroCleare APT10 APT23 APT27 APT31 APT41 BlackTech BRONZE EDGEWOOD Inception Framework MUSTANG PANDA Red Charon Red Nue Sea Turtle Tonto Team

2020-12-15 | HvS-Consulting AG | HvS-Consulting AG
Greetings from Lazarus: Anatomy of a cyber espionage campaign
BLINDINGCAN MimiKatz Lazarus Group

2020-12-15 | HvS-Consulting AG | HvS-Consulting AG
Greetings from Lazarus Anatomy of a cyber espionage campaign
BLINDINGCAN HTTP(S) uploader MimiKatz

2020-09-29 | JPCERT/CC | Shusei Tomonaga
BLINDINGCAN - Malware Used by Lazarus
BLINDINGCAN Lazarus Group

2020-08-31 | SentinelOne | Jim Walter
The BLINDINGCAN RAT and Malicious North Korean Activity
BLINDINGCAN

2020-08-19 | US-CERT | US-CERT
Malware Analysis Report (AR20-232A)
Bankshot BLINDINGCAN

2020-08-19 | CISA | CISA
MAR-10295134-1.v1 - North Korean Remote Access Trojan: BLINDINGCAN
BLINDINGCAN
Yara Rules
[TLP:WHITE] win_blindingcan_auto (20251219 | Detects win.blindingcan.)
rule win_blindingcan_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2026-01-05"
        version = "1"
        description = "Detects win.blindingcan."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.blindingcan"
        malpedia_rule_date = "20260105"
        malpedia_hash = "19b79e7cab4eaf532122e5b45a77dd8f6bb5cc79"
        malpedia_version = "20251219"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        $sequence_0 = { c745cc2932779f 66c745d0e35b c745d45df0da89 c745d87b772e76 c745dc62a9f6c4 c745e0d29c1f7b }
            // n = 6, score = 300
            //   c745cc2932779f       | mov                 dword ptr [ebp - 0x34], 0x9f773229
            //   66c745d0e35b         | mov                 word ptr [ebp - 0x30], 0x5be3
            //   c745d45df0da89       | mov                 dword ptr [ebp - 0x2c], 0x89daf05d
            //   c745d87b772e76       | mov                 dword ptr [ebp - 0x28], 0x762e777b
            //   c745dc62a9f6c4       | mov                 dword ptr [ebp - 0x24], 0xc4f6a962
            //   c745e0d29c1f7b       | mov                 dword ptr [ebp - 0x20], 0x7b1f9cd2

        $sequence_1 = { a1???????? 33c5 8945fc 56 57 8d85f8f7ffff }
            // n = 6, score = 300
            //   a1????????           |                     
            //   33c5                 | xor                 eax, ebp
            //   8945fc               | mov                 dword ptr [ebp - 4], eax
            //   56                   | push                esi
            //   57                   | push                edi
            //   8d85f8f7ffff         | lea                 eax, [ebp - 0x808]

        $sequence_2 = { 750a 8b30 89b495fcfeffff 42 83c00c 49 }
            // n = 6, score = 300
            //   750a                 | jne                 0xc
            //   8b30                 | mov                 esi, dword ptr [eax]
            //   89b495fcfeffff       | mov                 dword ptr [ebp + edx*4 - 0x104], esi
            //   42                   | inc                 edx
            //   83c00c               | add                 eax, 0xc
            //   49                   | dec                 ecx

        $sequence_3 = { c7857cfeffff36a54e6b c78580feffff5c01611e c78584feffffb5dcfc68 c78588feffff6ce7a33a c7858cfeffffafe2e55a c78590feffff74c31dff c78594feffff657f9183 }
            // n = 7, score = 300
            //   c7857cfeffff36a54e6b     | mov    dword ptr [ebp - 0x184], 0x6b4ea536
            //   c78580feffff5c01611e     | mov    dword ptr [ebp - 0x180], 0x1e61015c
            //   c78584feffffb5dcfc68     | mov    dword ptr [ebp - 0x17c], 0x68fcdcb5
            //   c78588feffff6ce7a33a     | mov    dword ptr [ebp - 0x178], 0x3aa3e76c
            //   c7858cfeffffafe2e55a     | mov    dword ptr [ebp - 0x174], 0x5ae5e2af
            //   c78590feffff74c31dff     | mov    dword ptr [ebp - 0x170], 0xff1dc374
            //   c78594feffff657f9183     | mov    dword ptr [ebp - 0x16c], 0x83917f65

        $sequence_4 = { c78514fdffff7532479f c78518fdffffe35bc9c0 c7851cfdfffffc9c461f c78520fdffff9821ddfa c78524fdffff589a8f7a }
            // n = 5, score = 300
            //   c78514fdffff7532479f     | mov    dword ptr [ebp - 0x2ec], 0x9f473275
            //   c78518fdffffe35bc9c0     | mov    dword ptr [ebp - 0x2e8], 0xc0c95be3
            //   c7851cfdfffffc9c461f     | mov    dword ptr [ebp - 0x2e4], 0x1f469cfc
            //   c78520fdffff9821ddfa     | mov    dword ptr [ebp - 0x2e0], 0xfadd2198
            //   c78524fdffff589a8f7a     | mov    dword ptr [ebp - 0x2dc], 0x7a8f9a58

        $sequence_5 = { c78554feffffa14b0c27 c78558feffff10c0aac6 c7855cfeffff489a8471 c78560feffff9cab4ad6 c78564feffff67cf2900 c78568feffff02dbaeb5 }
            // n = 6, score = 300
            //   c78554feffffa14b0c27     | mov    dword ptr [ebp - 0x1ac], 0x270c4ba1
            //   c78558feffff10c0aac6     | mov    dword ptr [ebp - 0x1a8], 0xc6aac010
            //   c7855cfeffff489a8471     | mov    dword ptr [ebp - 0x1a4], 0x71849a48
            //   c78560feffff9cab4ad6     | mov    dword ptr [ebp - 0x1a0], 0xd64aab9c
            //   c78564feffff67cf2900     | mov    dword ptr [ebp - 0x19c], 0x29cf67
            //   c78568feffff02dbaeb5     | mov    dword ptr [ebp - 0x198], 0xb5aedb02

        $sequence_6 = { 83c40c 85f6 741f 68???????? 68???????? 6a00 }
            // n = 6, score = 300
            //   83c40c               | add                 esp, 0xc
            //   85f6                 | test                esi, esi
            //   741f                 | je                  0x21
            //   68????????           |                     
            //   68????????           |                     
            //   6a00                 | push                0

        $sequence_7 = { c78504fdfffff79d6681 c78508fdffffbfa7f8a5 c7850cfdffffa0118db8 c78510fdffff4d3feb78 }
            // n = 4, score = 300
            //   c78504fdfffff79d6681     | mov    dword ptr [ebp - 0x2fc], 0x81669df7
            //   c78508fdffffbfa7f8a5     | mov    dword ptr [ebp - 0x2f8], 0xa5f8a7bf
            //   c7850cfdffffa0118db8     | mov    dword ptr [ebp - 0x2f4], 0xb88d11a0
            //   c78510fdffff4d3feb78     | mov    dword ptr [ebp - 0x2f0], 0x78eb3f4d

        $sequence_8 = { 8bca e8???????? 85c0 7409 e8???????? }
            // n = 5, score = 200
            //   8bca                 | mov                 ecx, edx
            //   e8????????           |                     
            //   85c0                 | test                eax, eax
            //   7409                 | je                  0xb
            //   e8????????           |                     

        $sequence_9 = { 99 f7fe 8bca e8???????? }
            // n = 4, score = 200
            //   99                   | cdq                 
            //   f7fe                 | idiv                esi
            //   8bca                 | mov                 ecx, edx
            //   e8????????           |                     

        $sequence_10 = { b990190000 66394802 7574 488b35???????? 33d2 }
            // n = 5, score = 100
            //   b990190000           | xor                 eax, dword ptr [ebp + 0x1c]
            //   66394802             | inc                 ecx
            //   7574                 | mov                 eax, eax
            //   488b35????????       |                     
            //   33d2                 | shr                 eax, 0x10

        $sequence_11 = { 488bd3 ff15???????? 4c21642438 4c21642430 895c2428 83cbff }
            // n = 6, score = 100
            //   488bd3               | mov                 edx, 0x100
            //   ff15????????         |                     
            //   4c21642438           | dec                 eax
            //   4c21642430           | mov                 edx, ebx
            //   895c2428             | dec                 esp
            //   83cbff               | and                 dword ptr [esp + 0x38], esp

        $sequence_12 = { 4c8bc9 753b 0fb789a8040000 b8bb010000 ba00010000 }
            // n = 5, score = 100
            //   4c8bc9               | dec                 esp
            //   753b                 | mov                 ecx, ecx
            //   0fb789a8040000       | jne                 0x3d
            //   b8bb010000           | movzx               ecx, word ptr [ecx + 0x4a8]
            //   ba00010000           | mov                 eax, 0x1bb

        $sequence_13 = { 488d4dd0 ff15???????? 488d55b8 488d4dd0 ff15???????? f20f102d???????? }
            // n = 6, score = 100
            //   488d4dd0             | inc                 ebp
            //   ff15????????         |                     
            //   488d55b8             | xor                 eax, dword ptr [esp + eax*4 + 0x1cb10]
            //   488d4dd0             | inc                 ebp
            //   ff15????????         |                     
            //   f20f102d????????     |                     

        $sequence_14 = { 4533848410cb0100 4533451c 418bc0 c1e810 }
            // n = 4, score = 100
            //   4533848410cb0100     | dec                 esp
            //   4533451c             | and                 dword ptr [esp + 0x30], esp
            //   418bc0               | mov                 dword ptr [esp + 0x28], ebx
            //   c1e810               | or                  ebx, 0xffffffff

        $sequence_15 = { 488bf8 483bc3 7423 448d4e81 448d4684 488d542440 }
            // n = 6, score = 100
            //   488bf8               | dec                 eax
            //   483bc3               | lea                 ecx, [ebp - 0x30]
            //   7423                 | dec                 eax
            //   448d4e81             | lea                 edx, [ebp - 0x48]
            //   448d4684             | dec                 eax
            //   488d542440           | lea                 ecx, [ebp - 0x30]

    condition:
        7 of them and filesize < 363520
}
[TLP:WHITE] win_blindingcan_w0   (20200901 | Detects 32bit HiddenCobra BLINDINGCAN Trojan RAT)
rule win_blindingcan_w0 {
    meta:
        author = "CISA Code & Media Analysis"
        incident = "10135536"
        date = "2018-05-04"
        actor = "Lazarus Group"
        actor_type = "APT"
        category = "malware"
        family = "BLINDINGCAN"
        description = "Detects 32bit HiddenCobra BLINDINGCAN Trojan RAT"
        hash = "1ee75106a9113b116c54e7a5954950065b809e0bb4dd0a91dc76f778508c7954"
        hash = "7dce6f30e974ed97a3ed024d4c62350f9396310603e185a753b63a1f9a2d5799"
        hash = "96721e13bae587c75618566111675dec2d61f9f5d16e173e69bb42ad7cb2dd8a"
        hash = "f71d67659baf0569143874d5d1c5a4d655c7d296b2e86be1b8f931c2335c0cd3"
        source = "https://us-cert.cisa.gov/ncas/analysis-reports/ar20-232a"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.blindingcan"
        malpedia_version = "20200901"
        malpedia_sharing = "TLP:WHITE"
        malpedia_license = ""
    strings:
        // Four "mov dword ptr [ebp-0x14 .. ebp-0x08], imm32" stores that build a
        // DER fragment on the stack: the rsaEncryption OID (06 09 2A 86 48 86 F7 0D 01 01 01),
        // a NULL (05 00) and the start of a BIT STRING (03 82), i.e. an RSA
        // SubjectPublicKeyInfo header embedded in the binary.
        $s0 = { C7 45 EC 0D 06 09 2A C7 45 F0 86 48 86 F7 C7 45 F4 0D 01 01 01 C7 45 F8 05 00 03 82 }
        // ASCII "PMS*.tmp"
        $s1 = { 50 4D 53 2A 2E 74 6D 70 }
        $s2 = { 79 67 60 3C 77 F9 BA 77 7A 56 1B 68 51 26 11 96 B7 98 71 39 82 B0 81 78 }
    condition:
        any of them
}