win.lightlesscan

LightlessCan

aka: SIDESHOW

Actor(s): Lazarus Group


LightlessCan is a complex HTTP(S) RAT that is a successor of the Lazarus RAT named BlindingCan.

In Q2 2022 and Q1 2023, it was deployed in targeted attacks against an aerospace company in Spain and a technology company in India.

Besides supporting the commands already present in BlindingCan, its most significant update is the mimicked functionality of many native Windows commands:
• ipconfig
• net
• netsh advfirewall firewall
• netstat
• reg
• sc
• ping (for both IPv4 and IPv6 protocols)
• wmic process call create
• nslookup
• schtasks
• systeminfo
• arp

These native commands are often abused by attackers after they have gained a foothold in the target's system. LightlessCan is able to execute them discreetly within the RAT itself, rather than having them run visibly in the system console, so no separate console process appears for them. This provides stealth against both real-time monitoring solutions like EDRs and post-mortem digital forensic tools.

LightlessCan uses RC6 to decrypt its configuration, and also to encrypt and decrypt its network traffic.

References
2023-10-04 — Virus Bulletin — Peter Kálnai
Lazarus Campaigns and Backdoors in 2022-23
SimpleTea POOLRAT 3CX Backdoor BLINDINGCAN CLOUDBURST DRATzarus ForestTiger ImprudentCook LambLoad LightlessCan miniBlindingCan PostNapTea SecondHandTea SnatchCrypto wAgentTea WebbyTea WinInetLoader
2023-09-29 — ESET Research — Peter Kálnai
Lazarus luring employees with trojanized coding challenges: The case of a Spanish aerospace company
CLOUDBURST LightlessCan miniBlindingCan sRDI
Yara Rules
[TLP:WHITE] win_lightlesscan_auto (20260504 | Detects win.lightlesscan.)
rule win_lightlesscan_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2026-05-04"
        version = "1"
        description = "Detects win.lightlesscan."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.lightlesscan"
        malpedia_rule_date = "20260422"
        malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14"
        malpedia_version = "20260504"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */

    /* NOTE(review): the "| disassembly" column that the generator emitted next
     * to each hex token did not correspond to the bytes on that line (e.g. `ffd0`
     * was labelled "dec eax", `33d2` "inc ecx"). The column below has been
     * re-derived by decoding every token as x86-64; the hex patterns themselves
     * are unchanged. `????????` tokens are wildcarded 4-byte operands (rel32 call
     * targets and RIP-relative displacements), which is why they carry no
     * decoded operand. The hex bytes, not the comments, are what YARA matches on.
     */

    strings:
        $sequence_0 = { 48894c2428 488d8d10040000 488d15fcd80400 48894c2420 488b4c2450 4533c0 ffd0 }
            // n = 7, score = 100
            //   48894c2428           | mov                 qword ptr [rsp + 0x28], rcx
            //   488d8d10040000       | lea                 rcx, [rbp + 0x410]
            //   488d15fcd80400       | lea                 rdx, [rip + 0x4d8fc]
            //   48894c2420           | mov                 qword ptr [rsp + 0x20], rcx
            //   488b4c2450           | mov                 rcx, qword ptr [rsp + 0x50]
            //   4533c0               | xor                 r8d, r8d
            //   ffd0                 | call                rax

        $sequence_1 = { 33d2 41b806020000 6689bd90010000 e8???????? 488d8da2030000 33d2 41b806020000 }
            // n = 7, score = 100
            //   33d2                 | xor                 edx, edx
            //   41b806020000         | mov                 r8d, 0x206
            //   6689bd90010000       | mov                 word ptr [rbp + 0x190], di
            //   e8????????           | call                rel32 (wildcarded)
            //   488d8da2030000       | lea                 rcx, [rbp + 0x3a2]
            //   33d2                 | xor                 edx, edx
            //   41b806020000         | mov                 r8d, 0x206

        $sequence_2 = { 488bcb ff15???????? 488d15d4670400 41b802000000 498bcc e8???????? 4c8d0517ce0400 }
            // n = 7, score = 100
            //   488bcb               | mov                 rcx, rbx
            //   ff15????????         | call                qword ptr [rip + disp32] (wildcarded)
            //   488d15d4670400       | lea                 rdx, [rip + 0x467d4]
            //   41b802000000         | mov                 r8d, 2
            //   498bcc               | mov                 rcx, r12
            //   e8????????           | call                rel32 (wildcarded)
            //   4c8d0517ce0400       | lea                 r8, [rip + 0x4ce17]

        $sequence_3 = { 90 0f1045c0 0f298590000000 f20f104dd0 f20f118da0000000 b918000000 e8???????? }
            // n = 7, score = 100
            //   90                   | nop
            //   0f1045c0             | movups              xmm0, xmmword ptr [rbp - 0x40]
            //   0f298590000000       | movaps              xmmword ptr [rbp + 0x90], xmm0
            //   f20f104dd0           | movsd               xmm1, qword ptr [rbp - 0x30]
            //   f20f118da0000000     | movsd               qword ptr [rbp + 0xa0], xmm1
            //   b918000000           | mov                 ecx, 0x18
            //   e8????????           | call                rel32 (wildcarded)

        $sequence_4 = { 4983c002 48ffc9 75dd 4983e802 33c0 66418900 8d4101 }
            // n = 7, score = 100
            //   4983c002             | add                 r8, 2
            //   48ffc9               | dec                 rcx
            //   75dd                 | jne                 short -0x23
            //   4983e802             | sub                 r8, 2
            //   33c0                 | xor                 eax, eax
            //   66418900             | mov                 word ptr [r8], ax
            //   8d4101               | lea                 eax, [rcx + 1]

        $sequence_5 = { 49ffc8 75e7 448bcf 4c8d1d79370600 85db 742b }
            // n = 6, score = 100
            //   49ffc8               | dec                 r8
            //   75e7                 | jne                 short -0x19
            //   448bcf               | mov                 r9d, edi
            //   4c8d1d79370600       | lea                 r11, [rip + 0x63779]
            //   85db                 | test                ebx, ebx
            //   742b                 | je                  short +0x2b

        $sequence_6 = { 41b802000000 488bce 48c744242000000000 ffd0 488d0dcf800400 e8???????? 4533c9 }
            // n = 7, score = 100
            //   41b802000000         | mov                 r8d, 2
            //   488bce               | mov                 rcx, rsi
            //   48c744242000000000   | mov                 qword ptr [rsp + 0x20], 0
            //   ffd0                 | call                rax
            //   488d0dcf800400       | lea                 rcx, [rip + 0x480cf]
            //   e8????????           | call                rel32 (wildcarded)
            //   4533c9               | xor                 r9d, r9d

        $sequence_7 = { c745f040000000 e8???????? 488d4df0 ffd0 488b4df8 488d95b0060000 48c1e914 }
            // n = 7, score = 100
            //   c745f040000000       | mov                 dword ptr [rbp - 0x10], 0x40
            //   e8????????           | call                rel32 (wildcarded)
            //   488d4df0             | lea                 rcx, [rbp - 0x10]
            //   ffd0                 | call                rax
            //   488b4df8             | mov                 rcx, qword ptr [rbp - 8]
            //   488d95b0060000       | lea                 rdx, [rbp + 0x6b0]
            //   48c1e914             | shr                 rcx, 0x14

        $sequence_8 = { 488d442478 4d8be8 488bf2 c744243000000000 4889442428 458d4101 33d2 }
            // n = 7, score = 100
            //   488d442478           | lea                 rax, [rsp + 0x78]
            //   4d8be8               | mov                 r13, r8
            //   488bf2               | mov                 rsi, rdx
            //   c744243000000000     | mov                 dword ptr [rsp + 0x30], 0
            //   4889442428           | mov                 qword ptr [rsp + 0x28], rax
            //   458d4101             | lea                 r8d, [r9 + 1]
            //   33d2                 | xor                 edx, edx

        $sequence_9 = { 488bf0 b807452ec2 f7eb 448d2c13 41c1fd10 418bcd c1e91f }
            // n = 7, score = 100
            //   488bf0               | mov                 rsi, rax
            //   b807452ec2           | mov                 eax, 0xc22e4507
            //   f7eb                 | imul                ebx
            //   448d2c13             | lea                 r13d, [rbx + rdx]
            //   41c1fd10             | sar                 r13d, 0x10
            //   418bcd               | mov                 ecx, r13d
            //   c1e91f               | shr                 ecx, 0x1f

    condition:
        // All ten sequences are weighted equally: any 7 of them must be present.
        // The size cap (~1.34 MiB) restricts matching to files below that size;
        // NOTE(review): presumably derived from the documented sample, so confirm
        // it still holds before applying the rule to memory dumps or repacked
        // builds whose size differs.
        7 of them and filesize < 1399808
}