win.dpapi_loader

DPAPILoader

Actor(s): Lazarus Group


According to Fox-IT, DPAPILoader is a loader implemented as a DLL that decrypts an encrypted payload from disk using DPAPI and then loads it into memory, enabling persistence by starting at boot as a legitimate-appearing service. It uses environment-bound encryption and obfuscation (DPAPI keys tied to the user and a fixed XOR) to tie the payload to the victim and hinder static analysis. The loader then hands off to a second-stage loader, RemotePELoader, as part of a multi-stage chain designed to minimize on-disk artifacts and maximize stealth.

References
2026-05-22 | Fox-IT | Mick Koomen, Yun Zheng Hu
RemotePE: The Lazarus RAT that lives in memory
Tags: DPAPILoader, RemotePE

There is no YARA signature yet.