win.httpsuploader (Back to overview)

HTTP(S) uploader

Actor(s): Lazarus Group

The HTTP(S) uploader is a Lazarus tool responsible for data exfiltration, by using the HTTP or HTTPS protocols.

It accepts up to 10 command line parameters: a 29-byte decryption key, a C&C for data exfiltration, the name of a local RAR split volume, the name of the multivolume archive on the server side, the size of a RAR split (max 200,000 kB), the starting index of a split, the ending index of a split, and the switch -p with a proxy IP address and port

2022-09-30ESET ResearchPeter Kálnai
@online{klnai:20220930:amazonthemed:bf959b5, author = {Peter Kálnai}, title = {{Amazon‑themed campaigns of Lazarus in the Netherlands and Belgium}}, date = {2022-09-30}, organization = {ESET Research}, url = {}, language = {English}, urldate = {2023-11-27} } Amazon‑themed campaigns of Lazarus in the Netherlands and Belgium
2021-02-25Kaspersky LabsVyacheslav Kopeytsev, Seongsu Park
@online{kopeytsev:20210225:lazarus:c887c21, author = {Vyacheslav Kopeytsev and Seongsu Park}, title = {{Lazarus targets defense industry with ThreatNeedle}}, date = {2021-02-25}, organization = {Kaspersky Labs}, url = {}, language = {English}, urldate = {2023-07-24} } Lazarus targets defense industry with ThreatNeedle
HTTP(S) uploader LPEClient Volgmer
2020-12-15HvS-Consulting AGHvS-Consulting AG
@techreport{ag:20201215:greetings:a5b59d9, author = {HvS-Consulting AG}, title = {{Greetings from Lazarus Anatomy of a cyber espionage campaign}}, date = {2020-12-15}, institution = {HvS-Consulting AG}, url = {}, language = {English}, urldate = {2023-07-10} } Greetings from Lazarus Anatomy of a cyber espionage campaign
BLINDINGCAN HTTP(S) uploader MimiKatz

There is no Yara-Signature yet.