win.cloudburst

CLOUDBURST

aka: NickelLoader

Actor(s): Lazarus Group


CLOUDBURST aka NickelLoader is an HTTP(S) downloader.

It recognizes a set of four basic commands, each five letters long: abcde, avdrq, gabnc and dcrqv (in another variant: eknag, eacec, hjmwk and wohnp). Its most important functionality is loading a received buffer, either as a DLL through the MemoryModule in-memory PE loader or as shellcode.

Network traffic is AES-encrypted in both directions. The initial beacon usually reports the computer name, the product name and the list of running processes to the C&C server, and the initial HTTP POST requests carry two hard-coded parameter names: gametype and type (in another variant: type and code).
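The parameter-name pair above is the one network feature the page gives, so a first hunt over web proxy logs can look for POST bodies whose form fields are exactly that pair. The following is an added example, not code from Malpedia or from the cited reports: the tab-separated log layout (epoch, client, method, URL, body), the sample records and the hosts in them are constructed, and the idea that the AES-encrypted payload travels as a long base64-looking value (used only to raise the score, never as a gate) is an assumption the page does not state.

```python
"""Hunt for CLOUDBURST-style first-contact POSTs in web proxy logs.

Added example; not code from the page, Malpedia or the cited reports.
The log layout (tab-separated: epoch, client, method, url, body) is assumed.
"""
import re
from urllib.parse import parse_qs

# The two hard-coded parameter-name pairs named on the page.
PARAM_PAIRS = (frozenset({"gametype", "type"}), frozenset({"type", "code"}))

# Assumption (not stated on the page): the AES-encrypted payload is sent as an
# opaque base64-looking blob, so a long value of that shape raises the score.
BLOB_RE = re.compile(r"^[A-Za-z0-9+/=]{16,}$")

# Constructed sample records; hosts, URLs and values are not real indicators.
SAMPLE_LOG = """\
1699999000\t10.0.0.5\tPOST\thttp://update.example.test/api/check\tgametype=bW9ja2VkX2Jsb2JfZm9yX3Rlc3Q%3D&type=3
1699999001\t10.0.0.7\tGET\thttp://intranet.example.test/index.html\t
1699999002\t10.0.0.5\tPOST\thttp://update.example.test/api/check\ttype=1&code=YW5vdGhlcl9ibG9iX2hlcmU%3D
1699999003\t10.0.0.9\tPOST\thttp://shop.example.test/cart\ttype=add&code=SKU123&qty=2
1699999004\t10.0.0.9\tPOST\thttp://shop.example.test/cart\ttype=add&code=SKU123
"""


def parse_line(line):
    """Split one tab-separated record into a dict; the body may be empty."""
    epoch, client, method, url, body = line.split("\t", 4)
    return {"ts": int(epoch), "client": client, "method": method, "url": url, "body": body}


def score_body(body):
    """0 = no match, 1 = exactly one of the hard-coded name pairs, 2 = pair plus a blob-like value."""
    params = parse_qs(body, keep_blank_values=True)
    if frozenset(params) not in PARAM_PAIRS:
        return 0
    values = [v for vs in params.values() for v in vs]
    return 2 if any(BLOB_RE.match(v) for v in values) else 1


def find_beacons(log_text):
    """Return (client, url, sorted parameter names, score) for every matching POST."""
    hits = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = parse_line(line)
        if rec["method"] != "POST":
            continue
        score = score_body(rec["body"])
        if score:
            names = sorted(parse_qs(rec["body"], keep_blank_values=True))
            hits.append((rec["client"], rec["url"], names, score))
    return hits


def clients_by_score(hits, min_score=2):
    """Clients that produced at least one hit at or above min_score."""
    return sorted({client for client, _, _, score in hits if score >= min_score})


if __name__ == "__main__":
    hits = find_beacons(SAMPLE_LOG)
    for hit in hits:
        print(hit)
    print("clients worth a closer look:", clients_by_score(hits))
```

The last sample record shows why the name pair alone is weak: a shopping-cart form with `type` and `code` fields matches it too. Treat a score of 1 as a candidate to baseline against the host's normal traffic, and pivot to the endpoint (PresentationHost.exe, mscoree.dll) before calling it an infection.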

The CLOUDBURST payload is disguised as mscoree.dll and is side-loaded by the legitimate Windows binary PresentationHost.exe, started with the argument -embeddingObject. It is delivered either as a trojanized Notepad++ plugin project (usually FingerText by erinata) or as a standalone DLL loaded by a dropper that is itself a trojanized plugin project (usually NppyPlugin by Jari Pennanen).
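On the endpoint, the chain above leaves two correlatable traces: a PresentationHost.exe process started with -embeddingObject, and an mscoree.dll loaded into it from somewhere other than the Windows system directories (the genuine DLL lives under System32/SysWOW64). The following detection is an added example, not code from the page or the cited reports; the Sysmon-style event layout (EventID 1 process creation with CommandLine, EventID 7 image load with ImageLoaded, both keyed by ProcessGuid), the GUIDs and the paths are assumptions, and the telemetry is constructed.

```python
"""Spot the CLOUDBURST side-loading chain in endpoint telemetry.

Added example, not code from the page or the cited reports. The event
layout (Sysmon-style EventID 1 / EventID 7 records keyed by ProcessGuid)
and every path and GUID below are assumptions.
"""
import ntpath

# Where the genuine PresentationHost.exe and mscoree.dll are expected to live.
SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")

# Constructed telemetry; GUIDs and paths are illustrative, not indicators.
EVENTS = [
    # {A}: stock binary loading the stock DLL from System32 -> not flagged
    {"EventID": 1, "ProcessGuid": "{A}", "Image": "C:\\Windows\\System32\\PresentationHost.exe",
     "CommandLine": "\"C:\\Windows\\System32\\PresentationHost.exe\" -embeddingObject"},
    {"EventID": 7, "ProcessGuid": "{A}", "Image": "C:\\Windows\\System32\\PresentationHost.exe",
     "ImageLoaded": "C:\\Windows\\System32\\mscoree.dll"},
    # {B}: relocated binary, foreign mscoree.dll, the argument from the page -> high
    {"EventID": 1, "ProcessGuid": "{B}", "Image": "C:\\Users\\dev\\AppData\\Local\\Temp\\PresentationHost.exe",
     "CommandLine": "\"C:\\Users\\dev\\AppData\\Local\\Temp\\PresentationHost.exe\" -embeddingObject"},
    {"EventID": 7, "ProcessGuid": "{B}", "Image": "C:\\Users\\dev\\AppData\\Local\\Temp\\PresentationHost.exe",
     "ImageLoaded": "C:\\Users\\dev\\AppData\\Local\\Temp\\mscoree.dll"},
    # {C}: unrelated process loading a plugin DLL -> ignored by this rule
    {"EventID": 1, "ProcessGuid": "{C}", "Image": "C:\\Program Files\\Notepad++\\notepad++.exe",
     "CommandLine": "\"C:\\Program Files\\Notepad++\\notepad++.exe\""},
    {"EventID": 7, "ProcessGuid": "{C}", "Image": "C:\\Program Files\\Notepad++\\notepad++.exe",
     "ImageLoaded": "C:\\Program Files\\Notepad++\\plugins\\FingerText\\FingerText.dll"},
    # {D}: relocated binary with its own mscoree.dll but no -embeddingObject -> medium
    {"EventID": 1, "ProcessGuid": "{D}", "Image": "C:\\Users\\dev\\Downloads\\PresentationHost.exe",
     "CommandLine": "\"C:\\Users\\dev\\Downloads\\PresentationHost.exe\""},
    {"EventID": 7, "ProcessGuid": "{D}", "Image": "C:\\Users\\dev\\Downloads\\PresentationHost.exe",
     "ImageLoaded": "C:\\Users\\dev\\Downloads\\mscoree.dll"},
]


def is_system_path(path):
    """True for paths under the Windows system directories (case-insensitive)."""
    return path.lower().startswith(SYSTEM_DIRS)


def group_by_process(events):
    """Fold process-creation and image-load events into one record per ProcessGuid."""
    procs = {}
    for ev in events:
        rec = procs.setdefault(ev["ProcessGuid"], {"image": ev["Image"], "cmdline": "", "loads": []})
        if ev["EventID"] == 1:
            rec["cmdline"] = ev.get("CommandLine", "")
        elif ev["EventID"] == 7:
            rec["loads"].append(ev["ImageLoaded"])
    return procs


def classify(rec):
    """Return {'severity', 'reasons'} for a suspicious PresentationHost.exe record, else None."""
    if ntpath.basename(rec["image"]).lower() != "presentationhost.exe":
        return None
    reasons = []
    foreign_dlls = [d for d in rec["loads"]
                    if ntpath.basename(d).lower() == "mscoree.dll" and not is_system_path(d)]
    for dll in foreign_dlls:
        reasons.append(f"mscoree.dll loaded from outside the system directories: {dll}")
    if not is_system_path(rec["image"]):
        reasons.append(f"PresentationHost.exe running from {ntpath.dirname(rec['image'])}")
    if not reasons:
        return None  # stock binary, stock DLL: nothing to report
    has_arg = "-embeddingobject" in rec["cmdline"].lower()
    if has_arg:
        reasons.append("started with -embeddingObject, the argument reported for CLOUDBURST")
    severity = "high" if foreign_dlls and has_arg else "medium"
    return {"severity": severity, "reasons": reasons}


def analyze(events):
    """Map ProcessGuid -> finding for every process that trips the rule."""
    findings = {}
    for guid, rec in group_by_process(events).items():
        finding = classify(rec)
        if finding:
            findings[guid] = finding
    return findings


if __name__ == "__main__":
    for guid, finding in analyze(EVENTS).items():
        print(guid, finding["severity"])
        for reason in finding["reasons"]:
            print("   ", reason)
```

The command-line argument is deliberately only a severity booster: the DLL path and the location of the hosting binary are the evidence of side-loading, while the argument ties the observation to this family. Image-load events (Sysmon EventID 7) must actually be collected for the DLL check to fire; many default configurations do not log them.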

The CLOUDBURST malware was used in Operation DreamJob attacks against an aerospace company and a network running Microsoft Intune software in Q2-Q3 2022.

References
2023-10-04 | Virus Bulletin | Peter Kálnai
Lazarus Campaigns and Backdoors in 2022-23
SimpleTea, POOLRAT, 3CX Backdoor, BLINDINGCAN, CLOUDBURST, DRATzarus, ForestTiger, ImprudentCook, LambLoad, LightlessCan, miniBlindingCan, PostNapTea, SecondHandTea, SnatchCrypto, wAgentTea, WebbyTea, WinInetLoader
2023-09-29 | ESET Research | Peter Kálnai
Lazarus luring employees with trojanized coding challenges: The case of a Spanish aerospace company
CLOUDBURST, LightlessCan, miniBlindingCan, sRDI
2023-03-09 | Mandiant | Mandiant Intelligence
Stealing the LIGHTSHOW (Part One) — North Korea's UNC2970
CLOUDBURST, TOUCHMOVE, TOUCHSHIFT, UNC2970
2022-09-29 | Microsoft | LinkedIn Threat Prevention and Defense, Microsoft Security Threat Intelligence
ZINC weaponizing open-source software
BLINDINGCAN, CLOUDBURST, miniBlindingCan
Yara Rules
[TLP:WHITE] win_cloudburst_auto (20260504 | Detects win.cloudburst.)
rule win_cloudburst_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2026-05-04"
        version = "1"
        description = "Detects win.cloudburst."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.cloudburst"
        malpedia_rule_date = "20260422"
        malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14"
        malpedia_version = "20260504"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    /* The byte sequences below are x86-64 code; each annotation is the
     * decoded instruction for the chunk on that line (REX prefixes select
     * the r8-r15 registers and 64-bit operands). */
    strings:
        $sequence_0 = { 4433d0 418bc3 c1e818 41c1e208 0fb6c8 }
            // n = 5, score = 300
            //   4433d0               | xor                 r10d, eax
            //   418bc3               | mov                 eax, r11d
            //   c1e818               | shr                 eax, 0x18
            //   41c1e208             | shl                 r10d, 8
            //   0fb6c8               | movzx               ecx, al

        $sequence_1 = { 335ef4 4133d8 41895c24f0 448bdb }
            // n = 4, score = 300
            //   335ef4               | xor                 ebx, dword ptr [rsi - 0xc]
            //   4133d8               | xor                 ebx, r8d
            //   41895c24f0           | mov                 dword ptr [r12 - 0x10], ebx
            //   448bdb               | mov                 r11d, ebx

        $sequence_2 = { 45894c2410 4133d1 4189542414 448bc2 }
            // n = 4, score = 300
            //   45894c2410           | mov                 dword ptr [r12 + 0x10], r9d
            //   4133d1               | xor                 edx, r9d
            //   4189542414           | mov                 dword ptr [r12 + 0x14], edx
            //   448bc2               | mov                 r8d, edx

        $sequence_3 = { 0bf8 0fb64202 4d8bf8 440fb6420c 41c1e108 4c8d35a3e5ffff }
            // n = 6, score = 300
            //   0bf8                 | or                  edi, eax
            //   0fb64202             | movzx               eax, byte ptr [rdx + 2]
            //   4d8bf8               | mov                 r15, r8
            //   440fb6420c           | movzx               r8d, byte ptr [rdx + 0xc]
            //   41c1e108             | shl                 r9d, 8
            //   4c8d35a3e5ffff       | lea                 r14, [rip - 0x1a5d]

        $sequence_4 = { 4533c9 4533c0 4803d8 ff15???????? }
            // n = 4, score = 300
            //   4533c9               | xor                 r9d, r9d
            //   4533c0               | xor                 r8d, r8d
            //   4803d8               | add                 rbx, rax
            //   ff15????????         | call                qword ptr [rip + ?]   (import, address wildcarded)

        $sequence_5 = { 418942f8 418b4424fc 418942fc 4183bf0002000001 0f8e3d010000 90 458b4c24e0 }
            // n = 7, score = 300
            //   418942f8             | mov                 dword ptr [r10 - 8], eax
            //   418b4424fc           | mov                 eax, dword ptr [r12 - 4]
            //   418942fc             | mov                 dword ptr [r10 - 4], eax
            //   4183bf0002000001     | cmp                 dword ptr [r15 + 0x200], 1
            //   0f8e3d010000         | jle                 +0x13d
            //   90                   | nop
            //   458b4c24e0           | mov                 r9d, dword ptr [r12 - 0x20]

        $sequence_6 = { 83e00f 3bc2 7407 83e1f0 }
            // n = 4, score = 300
            //   83e00f               | and                 eax, 0xf          (remainder modulo 16)
            //   3bc2                 | cmp                 eax, edx
            //   7407                 | je                  +7
            //   83e1f0               | and                 ecx, 0xfffffff0   (round down to a 16-byte boundary)

        $sequence_7 = { 410fb640fb 420fb61411 c1e208 0bd0 410fb640fc c1e208 }
            // n = 6, score = 300
            //   410fb640fb           | movzx               eax, byte ptr [r8 - 5]
            //   420fb61411           | movzx               edx, byte ptr [rcx + r10]
            //   c1e208               | shl                 edx, 8
            //   0bd0                 | or                  edx, eax           (assembling a word byte by byte)
            //   410fb640fc           | movzx               eax, byte ptr [r8 - 4]
            //   c1e208               | shl                 edx, 8

        $sequence_8 = { 4c8d4202 458bcd 8905???????? 4c2bda 90 428d048d00000000 41ffc1 }
            // n = 7, score = 300
            //   4c8d4202             | lea                 r8, [rdx + 2]
            //   458bcd               | mov                 r9d, r13d
            //   8905????????         | mov                 dword ptr [rip + ?], eax   (global, address wildcarded)
            //   4c2bda               | sub                 r11, rdx
            //   90                   | nop
            //   428d048d00000000     | lea                 eax, [r9*4]
            //   41ffc1               | inc                 r9d

        $sequence_9 = { 43880c18 ffc3 49ffc0 eb39 0fb6c1 43c6041825 8bc8 }
            // n = 7, score = 300
            //   43880c18             | mov                 byte ptr [r8 + r11], cl
            //   ffc3                 | inc                 ebx
            //   49ffc0               | inc                 r8
            //   eb39                 | jmp                 +0x39
            //   0fb6c1               | movzx               eax, cl
            //   43c6041825           | mov                 byte ptr [r8 + r11], 0x25   (0x25 is '%')
            //   8bc8                 | mov                 ecx, eax
    condition:
        7 of them and filesize < 2363392
}