win.comebacker

ComeBacker

Actor(s): Lazarus Group


ComeBacker was found in a backdoored Visual Studio project that was used to target security researchers in Q4 2020 and early 2021.

It is an HTTP(S) downloader.

It uses AES in CBC mode, implemented through OpenSSL's EVP interface, to decrypt its configuration and to encrypt and decrypt the client-server communication.

The parameter names in the client's HTTP POST requests are generated randomly. On the initial connection, the client exchanges keys with the server using the Diffie–Hellman key agreement protocol over the elliptic curve secp521r1. The client generates a random 32-byte private key, and the server responds with its public key in a buffer starting with the wide character "0".
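
The randomly generated parameter names are a hunting lead rather than a verdict, so the following detection heuristic is added here as an example (it is not code from the page or from any of the referenced reports). It scores each POST body by the fraction of parameter names that look machine-generated; the proxy records are constructed for the example and the allowlist of common form-field names is an assumption to be extended from your own traffic.

```python
import math
import re
from urllib.parse import parse_qsl

# Constructed proxy records (method, URL, body) for the example; not real traffic.
SAMPLE_REQUESTS = [
    ("POST", "http://intranet.example/login", "username=alice&password=hunter2&remember=1"),
    ("POST", "http://10.0.0.5/api/upload.php", "Xk9pQz2v=AAECAwQFBgc%3D&q7LmTw4e=1617000000&Rb3nYx8c=4"),
    ("GET", "http://cdn.example/app.js", ""),
    ("POST", "http://shop.example/cart", "item_id=42&qty=1&csrf_token=8f3a9c"),
]

# Assumed allowlist of parameter names seen in ordinary web forms; extend it from baseline traffic.
COMMON_NAMES = {"username", "user", "password", "pass", "email", "remember", "token", "id",
                "page", "q", "query", "search", "lang", "action", "submit", "redirect"}


def shannon_entropy(text):
    """Bits of entropy per character of a short string (0.0 for an empty or uniform string)."""
    if not text:
        return 0.0
    counts = {c: text.count(c) for c in set(text)}
    return -sum(n / len(text) * math.log2(n / len(text)) for n in counts.values())


def looks_random(name):
    """Heuristic: unknown name, alphanumeric, at least 6 chars, mixed character classes, high entropy."""
    if name.lower() in COMMON_NAMES:
        return False
    if not re.fullmatch(r"[A-Za-z0-9]{6,}", name):
        return False
    classes = sum((any(c.isdigit() for c in name),
                   any(c.isupper() for c in name),
                   any(c.islower() for c in name)))
    return classes >= 2 and shannon_entropy(name) >= 2.5


def score_request(method, url, body):
    """Return (fraction of random-looking names, number of parameters) for one POST body."""
    if method != "POST" or not body:
        return 0.0, 0
    names = [name for name, _ in parse_qsl(body, keep_blank_values=True)]
    if not names:
        return 0.0, 0
    return sum(looks_random(n) for n in names) / len(names), len(names)


def find_suspicious(requests, min_params=2):
    """URLs of POST requests in which every parameter name looks generated."""
    hits = []
    for method, url, body in requests:
        ratio, count = score_request(method, url, body)
        if count >= min_params and ratio == 1.0:
            hits.append(url)
    return hits


if __name__ == "__main__":
    for url in find_suspicious(SAMPLE_REQUESTS):
        print("all POST parameter names look generated:", url)
```

Short names carry little entropy, so the score is deliberately all-or-nothing per request and only fires when at least two names look generated; treat a hit as a pivot point to be combined with the other traits described on this page (for instance a server reply that begins with the wide character "0"), not as a standalone alert.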

Next, the client sends the current local time, and the server responds with a buffer containing multiple values separated by the pipe symbol. The typical values are the encrypted payload, the export to execute, and the MD5 hash of the decrypted DLL, used to verify the authenticity of the payload.
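
To make the key exchange described above concrete for an analyst looking at captured traffic, here is an added pure-Python model of the secp521r1 Diffie–Hellman step; it is written for this page and is not code from the malware or from any referenced report. It assumes the uncompressed SEC1 point encoding, that the leading "0" is the UTF-16LE wide character, and SHA-256 over the shared x-coordinate as the key derivation, none of which the page states; it also shows why a 32-byte private key on a 521-bit curve yields at most 256 bits of client key.

```python
import hashlib
import secrets

# secp521r1 (NIST P-521) domain parameters as published in SEC 2 / FIPS 186-4.
P = 2**521 - 1
A = P - 3
B = 0x0051953EB9618E1C9A1F929A21A0B68540EEA2DA725B99B315F3B8B489918EF109E156193951EC7E937B1652C0BD3BB1BF073573DF883D2C34F1EF451FD46B503F00
GX = 0x00C6858E06B70404E9CD9E3ECB662395B4429C648139053FB521F828AF606B4D3DBAA14B5E77EFE75928FE1DC127A2FFA8DE3348B3C1856A429BF97E7E31C2E5BD66
GY = 0x011839296A789A3BC0045C8A5FB42C7D1BD998F54449579B446817AFBD17273E662C97EE72995EF42640C550B9013FAD0761353C7086A272C24088BE94769FD16650
# Group order n = 0x01FF...FFA51868783BF2F966B7FCC0148F709A5D03BB5C9B8899C47AEBB6FB71E91386409 (65 F digits).
N = int("01" + "F" * 65 + "A51868783BF2F966B7FCC0148F709A5D03BB5C9B8899C47AEBB6FB71E91386409", 16)
G = (GX, GY)
COORD_LEN = 66                            # bytes per coordinate (521 bits rounded up)
SERVER_PREFIX = "0".encode("utf-16-le")   # the wide character "0", i.e. b"0\x00" (assumed encoding)


def on_curve(pt):
    x, y = pt
    return (y * y - (x * x * x + A * x + B)) % P == 0


def ec_add(p1, p2):
    """Affine point addition; None is the point at infinity."""
    if p1 is None:
        return p2
    if p2 is None:
        return p1
    x1, y1 = p1
    x2, y2 = p2
    if x1 == x2:
        if (y1 + y2) % P == 0:
            return None
        lam = (3 * x1 * x1 + A) * pow(2 * y1, -1, P) % P
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, P) % P
    x3 = (lam * lam - x1 - x2) % P
    return (x3, (lam * (x1 - x3) - y1) % P)


def ec_mul(k, pt):
    """Double-and-add scalar multiplication (clarity over side-channel hygiene)."""
    result, addend = None, pt
    while k:
        if k & 1:
            result = ec_add(result, addend)
        addend = ec_add(addend, addend)
        k >>= 1
    return result


def encode_point(pt):
    x, y = pt
    return b"\x04" + x.to_bytes(COORD_LEN, "big") + y.to_bytes(COORD_LEN, "big")


def decode_point(data):
    if len(data) != 1 + 2 * COORD_LEN or data[0] != 4:
        raise ValueError("expected an uncompressed SEC1 point")
    pt = (int.from_bytes(data[1:1 + COORD_LEN], "big"), int.from_bytes(data[1 + COORD_LEN:], "big"))
    if not on_curve(pt):                  # reject off-curve input before using it
        raise ValueError("point is not on secp521r1")
    return pt


def client_keypair():
    # Page: the client draws a random 32-byte private key, far shorter than the 66-byte group order.
    d = int.from_bytes(secrets.token_bytes(32), "big") or 1
    return d, ec_mul(d, G)


def server_keypair():
    d = secrets.randbelow(N - 1) + 1      # assumption: the server uses a full-size key
    return d, ec_mul(d, G)


def server_reply(server_pub):
    """Server buffer: wide character "0" followed by the public key (encoding assumed)."""
    return SERVER_PREFIX + encode_point(server_pub)


def parse_server_reply(buf):
    if not buf.startswith(SERVER_PREFIX):
        raise ValueError('server buffer does not start with the wide character "0"')
    return decode_point(buf[len(SERVER_PREFIX):])


def shared_key(priv, peer_pub):
    """Assumption: session key = SHA-256 of the shared x-coordinate; the page does not state the KDF."""
    x, _ = ec_mul(priv, peer_pub)
    return hashlib.sha256(x.to_bytes(COORD_LEN, "big")).digest()


def run_handshake():
    c_priv, c_pub = client_keypair()
    s_priv, s_pub = server_keypair()
    buf = server_reply(s_pub)
    client_key = shared_key(c_priv, parse_server_reply(buf))
    server_key = shared_key(s_priv, c_pub)
    return {"buffer_len": len(buf), "prefix_ok": buf[:2] == b"0\x00",
            "match": client_key == server_key, "client_key_bits": c_priv.bit_length()}


if __name__ == "__main__":
    print(run_handshake())
```

The on-curve check in decode_point is the part worth copying into any decoder you write for this traffic: a parser that accepts an arbitrary 133-byte blob as a point will happily compute on an invalid curve.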

Some ComeBacker variants do not statically link OpenSSL. In those, the key exchange is omitted and AES CBC is replaced with HC-256.

References

Date | Source | Author | Title | Families
2026-02-24 | Symantec | Threat Hunter Team | North Korean Lazarus Group Now Working With Medusa Ransomware | ComeBacker, Medusa
2025-11-07 | ENKI | ENKI | Lazarus Group targets Aerospace and Defense with new Comebacker variant | ComeBacker
2025-10-30 | Gen Digital | Alexandru-Cristian Bardaș | DPRK’s Playbook: Kimsuky’s HttpTroy and Lazarus’s New BLINDINGCAN Variant | ComeBacker, DRATzarus, NikiTeaR
2024-12-26 | Weixin | 360 Threat Intelligence Center | Analysis of the attack activities of APT-C-26 (Lazarus) using weaponized IPMsg software | ComeBacker
2024-05-28 | Microsoft | Microsoft Threat Intelligence | Moonstone Sleet emerges as new North Korean threat actor with new bag of tricks | ComeBacker, splitloader
2023-11-10 | HAURI | HAURI | Detailed analysis report: Malware disguised as Putty (Lazarus APT) | ComeBacker
2021-04-01 | AhnLab | ASEC Analysis Team | ASEC REPORT VOL.102 Q1 2021 | ComeBacker, JessieConTea, LCPDot
2021-02-01 | One Night in Norfolk | Kevin Perlow | DPRK Targeting Researchers II: .Sys Payload and Registry Hunting | ComeBacker
2021-01-30 | Microstep Intelligence Bureau | Microstep online research response team | Analysis of Lazarus attacks against security researchers | ComeBacker
2021-01-29 | NSFOCUS | Fuying Laboratory | Understanding STUMBzarus: an in-depth analysis of the Lazarus APT group's recent targeted attack components | ComeBacker, DRATzarus, Torisma
2021-01-28 | Microsoft | Microsoft 365 Defender Threat Intelligence Team, Microsoft Threat Intelligence Center (MSTIC) | ZINC attacks against security researchers | ComeBacker, Klackring
2021-01-26 | One Night in Norfolk | Kevin Perlow | DPRK Malware Targeting Security Researchers | ComeBacker
2021-01-26 | Comae | Matt Suiche | PANDORABOX - North Koreans target security researchers | ComeBacker
2021-01-25 | Google | Adam Weidemann | New campaign targeting security researchers | ComeBacker, DRATzarus
Yara Rules
[TLP:WHITE] win_comebacker_auto (20260504 | Detects win.comebacker.)
rule win_comebacker_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2026-05-04"
        version = "1"
        description = "Detects win.comebacker."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.comebacker"
        malpedia_rule_date = "20260422"
        malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14"
        malpedia_version = "20260504"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        $sequence_0 = { 7f04 0430 eb02 0437 }
            // n = 4, score = 500
            //   7f04                 | jg                  6
            //   0430                 | add                 al, 0x30
            //   eb02                 | jmp                 4
            //   0437                 | add                 al, 0x37

        $sequence_1 = { 4d85c0 7526 418d5072 4c8d0de4d40300 c7442420f2020000 448d42d0 }
            // n = 6, score = 400
            //   4d85c0               | test                r8, r8
            //   7526                 | jne                 0x28
            //   418d5072             | lea                 edx, [r8 + 0x72]
            //   4c8d0de4d40300       | lea                 r9, [rip + 0x3d4e4]
            //   c7442420f2020000     | mov                 dword ptr [rsp + 0x20], 0x2f2
            //   448d42d0             | lea                 r8d, [rdx - 0x30]

        $sequence_2 = { 4c8bc3 66f2af 33ff 488d442440 }
            // n = 4, score = 400
            //   4c8bc3               | mov                 r8, rbx
            //   66f2af               | repne scasw         ax, word ptr [rdi]
            //   33ff                 | xor                 edi, edi
            //   488d442440           | lea                 rax, [rsp + 0x40]

        $sequence_3 = { 442bc1 488bca 4c8d2defa60300 0f1f8000000000 }
            // n = 4, score = 400
            //   442bc1               | sub                 r8d, ecx
            //   488bca               | mov                 rcx, rdx
            //   4c8d2defa60300       | lea                 r13, [rip + 0x3a6ef]
            //   0f1f8000000000       | nop                 dword ptr [rax]

        $sequence_4 = { 4885c0 7522 4c8d0d85f80300 8d5075 8d4804 448d4041 }
            // n = 6, score = 400
            //   4885c0               | test                rax, rax
            //   7522                 | jne                 0x24
            //   4c8d0d85f80300       | lea                 r9, [rip + 0x3f885]
            //   8d5075               | lea                 edx, [rax + 0x75]
            //   8d4804               | lea                 ecx, [rax + 4]
            //   448d4041             | lea                 r8d, [rax + 0x41]

        $sequence_5 = { 33d2 41b806020000 885dd0 488945d1 8945d9 }
            // n = 5, score = 400
            //   33d2                 | xor                 edx, edx
            //   41b806020000         | mov                 r8d, 0x206
            //   885dd0               | mov                 byte ptr [rbp - 0x30], bl
            //   488945d1             | mov                 qword ptr [rbp - 0x2f], rax
            //   8945d9               | mov                 dword ptr [rbp - 0x27], eax

        $sequence_6 = { ba67000000 4c8d0d0ac80200 c7442420ab030000 8d4aa9 448d42ff e8???????? }
            // n = 6, score = 400
            //   ba67000000           | mov                 edx, 0x67
            //   4c8d0d0ac80200       | lea                 r9, [rip + 0x2c80a]
            //   c7442420ab030000     | mov                 dword ptr [rsp + 0x20], 0x3ab
            //   8d4aa9               | lea                 ecx, [rdx - 0x57]
            //   448d42ff             | lea                 r8d, [rdx - 1]
            //   e8????????           |                     

        $sequence_7 = { 4c8be8 ff15???????? 488d156de10200 488bcb 488bf8 ff15???????? }
            // n = 6, score = 400
            //   4c8be8               | mov                 r13, rax
            //   ff15????????         |                     
            //   488d156de10200       | lea                 rdx, [rip + 0x2e16d]
            //   488bcb               | mov                 rcx, rbx
            //   488bf8               | mov                 rdi, rax
            //   ff15????????         |                     

        $sequence_8 = { 6aff 68???????? 6800020000 53 ff15???????? e8???????? 3bc3 }
            // n = 7, score = 100
            //   6aff                 | push                -1
            //   68????????           |                     
            //   6800020000           | push                0x200
            //   53                   | push                ebx
            //   ff15????????         |                     
            //   e8????????           |                     
            //   3bc3                 | cmp                 eax, ebx

        $sequence_9 = { 8944242c 8b1c9538500410 8b542414 c1ea18 }
            // n = 4, score = 100
            //   8944242c             | mov                 dword ptr [esp + 0x2c], eax
            //   8b1c9538500410       | mov                 ebx, dword ptr [edx*4 + 0x10045038]
            //   8b542414             | mov                 edx, dword ptr [esp + 0x14]
            //   c1ea18               | shr                 edx, 0x18

        $sequence_10 = { e8???????? 83c40c 8d8d8cf6ffff 51 8d55e8 52 }
            // n = 6, score = 100
            //   e8????????           |                     
            //   83c40c               | add                 esp, 0xc
            //   8d8d8cf6ffff         | lea                 ecx, [ebp - 0x974]
            //   51                   | push                ecx
            //   8d55e8               | lea                 edx, [ebp - 0x18]
            //   52                   | push                edx

        $sequence_11 = { 83c43c 8903 5f 8bc6 33cd 5e }
            // n = 6, score = 100
            //   83c43c               | add                 esp, 0x3c
            //   8903                 | mov                 dword ptr [ebx], eax
            //   5f                   | pop                 edi
            //   8bc6                 | mov                 eax, esi
            //   33cd                 | xor                 ecx, ebp
            //   5e                   | pop                 esi

        $sequence_12 = { 8b0485e01f0910 c644080401 57 e8???????? }
            // n = 4, score = 100
            //   8b0485e01f0910       | mov                 eax, dword ptr [eax*4 + 0x10091fe0]
            //   c644080401           | mov                 byte ptr [eax + ecx + 4], 1
            //   57                   | push                edi
            //   e8????????           |                     

        $sequence_13 = { 6a00 6a00 8bf0 8d8570ffffff 6a00 50 e8???????? }
            // n = 7, score = 100
            //   6a00                 | push                0
            //   6a00                 | push                0
            //   8bf0                 | mov                 esi, eax
            //   8d8570ffffff         | lea                 eax, [ebp - 0x90]
            //   6a00                 | push                0
            //   50                   | push                eax
            //   e8????????           |                     

        $sequence_14 = { 03c0 8d9dc8f8ffff 8985c8f8ffff e8???????? 8bbdc8f8ffff 6802200300 }
            // n = 6, score = 100
            //   03c0                 | add                 eax, eax
            //   8d9dc8f8ffff         | lea                 ebx, [ebp - 0x738]
            //   8985c8f8ffff         | mov                 dword ptr [ebp - 0x738], eax
            //   e8????????           |                     
            //   8bbdc8f8ffff         | mov                 edi, dword ptr [ebp - 0x738]
            //   6802200300           | push                0x32002

    condition:
        7 of them and filesize < 1429504
}