win.lambload

LambLoad

aka: OfficeCertTea

Actor(s): Lazarus Group


According to Microsoft, this is a downloader used in a supply chain attack involving a malicious variant of an application developed by CyberLink. It is built around a legitimate CyberLink application installer that has been modified to include malicious code that downloads, decrypts, and loads a second-stage payload. The file, which was signed with a valid certificate issued to CyberLink Corp., is hosted on legitimate update infrastructure owned by CyberLink and includes checks that limit the time window in which it executes and that evade detection by security products.

References
2023-11-22MicrosoftMicrosoft Threat Intelligence
Diamond Sleet supply chain compromise distributes a modified CyberLink installer
LambLoad
2023-10-04Virus BulletinPeter Kálnai
Lazarus Campaigns and Backdoors in 2022-23
SimpleTea POOLRAT 3CX Backdoor BLINDINGCAN CLOUDBURST DRATzarus ForestTiger ImprudentCook LambLoad LightlessCan miniBlindingCan PostNapTea SecondHandTea SnatchCrypto wAgentTea WebbyTea WinInetLoader
2023-04-12Kaspersky LabsSeongsu Park
Following the Lazarus group by tracking DeathNote campaign
Bankshot BLINDINGCAN ForestTiger LambLoad LPEClient MimiKatz NedDnLoader Racket Downloader Volgmer
2022-09-30ESET ResearchPeter Kálnai
Amazon‑themed campaigns of Lazarus in the Netherlands and Belgium
BLINDINGCAN FudModule HTTP(S) uploader LambLoad TOUCHMOVE
Yara Rules
[TLP:WHITE] win_lambload_auto (20260504 | Detects win.lambload.)
// Auto-generated YARA-Signator rule for the LambLoad downloader (win.lambload).
// The strings are byte sequences of 32-bit x86 code (ebp/esp/esi/edi, dword ptr
// operands) lifted from a single documented sample; the rule fires only when at
// least 7 of the 10 sequences match AND the scanned file is smaller than
// 1039360 bytes (see condition). Treat a hit as a strong lead, not as proof:
// the DISCLAIMER below explains why generalization to other builds is limited.
rule win_lambload_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2026-05-04"
        version = "1"
        description = "Detects win.lambload."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.lambload"
        malpedia_rule_date = "20260422"
        malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14"
        malpedia_version = "20260504"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        // Each $sequence_N is one run of instruction bytes; the disassembly is
        // reproduced in the comments beneath it. "??" is a YARA wildcard byte:
        // the 4-byte operands of call (e8) and of the memory/immediate
        // references (8b3d / bf) are masked out, presumably because they hold
        // build-specific relative or absolute targets — confirm against the
        // generator's "callsandjumps;datarefs" config if this matters to you.
        $sequence_0 = { 03f7 8d4601 50 ff75f4 }
            // n = 4, score = 100
            //   03f7                 | add                 esi, edi
            //   8d4601               | lea                 eax, [esi + 1]
            //   50                   | push                eax
            //   ff75f4               | push                dword ptr [ebp - 0xc]

        $sequence_1 = { e8???????? 83c40c 85c0 7511 ffb5ecf5ffff e8???????? 59 }
            // n = 7, score = 100
            //   e8????????           |                     
            //   83c40c               | add                 esp, 0xc
            //   85c0                 | test                eax, eax
            //   7511                 | jne                 0x13
            //   ffb5ecf5ffff         | push                dword ptr [ebp - 0xa14]
            //   e8????????           |                     
            //   59                   | pop                 ecx

        $sequence_2 = { 72d0 7705 3b550c 76c9 8b450c }
            // n = 5, score = 100
            //   72d0                 | jb                  0xffffffd2
            //   7705                 | ja                  7
            //   3b550c               | cmp                 edx, dword ptr [ebp + 0xc]
            //   76c9                 | jbe                 0xffffffcb
            //   8b450c               | mov                 eax, dword ptr [ebp + 0xc]

        $sequence_3 = { c604063d 59 8945f4 8bf7 75e6 }
            // n = 5, score = 100
            //   c604063d             | mov                 byte ptr [esi + eax], 0x3d
            //   59                   | pop                 ecx
            //   8945f4               | mov                 dword ptr [ebp - 0xc], eax
            //   8bf7                 | mov                 esi, edi
            //   75e6                 | jne                 0xffffffe8

        $sequence_4 = { 8bf8 8bf1 a5 53 66a5 e8???????? 85c0 }
            // n = 7, score = 100
            //   8bf8                 | mov                 edi, eax
            //   8bf1                 | mov                 esi, ecx
            //   a5                   | movsd               dword ptr es:[edi], dword ptr [esi]
            //   53                   | push                ebx
            //   66a5                 | movsw               word ptr es:[edi], word ptr [esi]
            //   e8????????           |                     
            //   85c0                 | test                eax, eax

        $sequence_5 = { c785f8ebffff10000000 8d8d34ecffff 8b51cc 8b31 8bc2 }
            // n = 5, score = 100
            //   c785f8ebffff10000000     | mov    dword ptr [ebp - 0x1408], 0x10
            //   8d8d34ecffff         | lea                 ecx, [ebp - 0x13cc]
            //   8b51cc               | mov                 edx, dword ptr [ecx - 0x34]
            //   8b31                 | mov                 esi, dword ptr [ecx]
            //   8bc2                 | mov                 eax, edx

        // NOTE(review): this sequence embeds the absolute address 0x10074900
        // un-wildcarded, so it is tied to the load address of the documented
        // sample (looks like a 0x10000000 image base — confirm). A rebased or
        // re-linked build can miss this sequence even if the code is unchanged;
        // the 7-of-10 threshold absorbs one such miss.
        $sequence_6 = { c1e006 03048d00490710 eb02 8bc2 f6402480 7418 e8???????? }
            // n = 7, score = 100
            //   c1e006               | shl                 eax, 6
            //   03048d00490710       | add                 eax, dword ptr [ecx*4 + 0x10074900]
            //   eb02                 | jmp                 4
            //   8bc2                 | mov                 eax, edx
            //   f6402480             | test                byte ptr [eax + 0x24], 0x80
            //   7418                 | je                  0x1a
            //   e8????????           |                     

        // Shares its last three instructions with $sequence_0; only the first
        // differs (mov [ebp-4], eax vs. add esi, edi).
        $sequence_7 = { 8945fc 8d4601 50 ff75f4 }
            // n = 4, score = 100
            //   8945fc               | mov                 dword ptr [ebp - 4], eax
            //   8d4601               | lea                 eax, [esi + 1]
            //   50                   | push                eax
            //   ff75f4               | push                dword ptr [ebp - 0xc]

        $sequence_8 = { 0f859b010000 8b3d???????? 8d85e8fbffff 50 8d85ecfbffff 50 56 }
            // n = 7, score = 100
            //   0f859b010000         | jne                 0x1a1
            //   8b3d????????         |                     
            //   8d85e8fbffff         | lea                 eax, [ebp - 0x418]
            //   50                   | push                eax
            //   8d85ecfbffff         | lea                 eax, [ebp - 0x414]
            //   50                   | push                eax
            //   56                   | push                esi

        // NOTE(review): like $sequence_6, this one hard-codes an absolute
        // address (0x10037e28) and so is equally load-address dependent.
        $sequence_9 = { bf???????? 8b6c242c 8d45ff 83f81d 0f87ba030000 33c9 8a88287e0310 }
            // n = 7, score = 100
            //   bf????????           |                     
            //   8b6c242c             | mov                 ebp, dword ptr [esp + 0x2c]
            //   8d45ff               | lea                 eax, [ebp - 1]
            //   83f81d               | cmp                 eax, 0x1d
            //   0f87ba030000         | ja                  0x3c0
            //   33c9                 | xor                 ecx, ecx
            //   8a88287e0310         | mov                 cl, byte ptr [eax + 0x10037e28]

    condition:
        // Require 7 of the 10 sequences so that a few build-specific misses
        // (e.g. the address-dependent $sequence_6/$sequence_9) do not defeat
        // the rule. The filesize cap restricts matching to files under
        // 1039360 bytes (~1 MB): a padded, packed, or bundled sample above
        // that size will not match even if every sequence is present, so
        // consider scanning unpacked/memory-dumped code when in doubt.
        7 of them and filesize < 1039360
}