SYMBOLCOMMON_NAMEaka. SYNONYMS
win.miniblindingcan (Back to overview)

miniBlindingCan

aka: AIRDRY.V2, EventHorizon

Actor(s): Lazarus Group

VTCollection    

miniBlindingCan is an HTTP(S) orchestrator.

It is a variant of the BlindingCan RAT, having the same command parsing logic, but supporting only a small subset of commands available previously. The main operations are the update of the malware configuration, and the download and execution of additional payloads from the attackers' C&C.

The miniBlindingCan malware was used in Operation DreamJob attacks against aerospace and media companies in Q2-Q3 2022.

References
2023-10-04Virus BulletinPeter Kálnai
Lazarus Campaigns and Backdoors in 2022-23
SimpleTea POOLRAT 3CX Backdoor BLINDINGCAN CLOUDBURST DRATzarus ForestTiger ImprudentCook LambLoad LightlessCan miniBlindingCan PostNapTea SecondHandTea SnatchCrypto wAgentTea WebbyTea WinInetLoader
2023-09-29ESET ResearchPeter Kálnai
Lazarus luring employees with trojanized coding challenges: The case of a Spanish aerospace company
CLOUDBURST LightlessCan miniBlindingCan sRDI
2022-09-29MicrosoftLinkedIn Threat Prevention and Defense, Microsoft Security Threat Intelligence
ZINC weaponizing open-source software
BLINDINGCAN CLOUDBURST miniBlindingCan
2022-09-14MandiantJames Maclachlan, Mathew Potaczek, Matt Williams, Nino Isakovic, Yash Gupta
It's Time to PuTTY! DPRK Job Opportunity Phishing via WhatsApp
BLINDINGCAN miniBlindingCan sRDI
Yara Rules
[TLP:WHITE] win_miniblindingcan_auto (20260504 | Detects win.miniblindingcan.)
rule win_miniblindingcan_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2026-05-04"
        version = "1"
        description = "Detects win.miniblindingcan."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.miniblindingcan"
        malpedia_rule_date = "20260422"
        malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14"
        malpedia_version = "20260504"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        $sequence_0 = { 488d1585730100 488905???????? ff15???????? 488b0d???????? 488d1582730100 488905???????? }
            // n = 6, score = 100
            //   488d1585730100       | movaps              xmmword ptr [eax - 0x18], xmm6
            //   488905????????       |                     
            //   ff15????????         |                     
            //   488b0d????????       |                     
            //   488d1582730100       | dec                 eax
            //   488905????????       |                     

        $sequence_1 = { ff15???????? 83cbff 85c0 7527 488d85f0050000 4c8d45e0 448bcb }
            // n = 7, score = 100
            //   ff15????????         |                     
            //   83cbff               | movzx               eax, byte ptr [ebx]
            //   85c0                 | dec                 esp
            //   7527                 | add                 ebx, ebp
            //   488d85f0050000       | inc                 ebp
            //   4c8d45e0             | xor                 eax, dword ptr [esp + eax*4 + 0x2f480]
            //   448bcb               | inc                 ebp

        $sequence_2 = { 488d052e4a0000 488905???????? e9???????? 81fbd73a0000 7513 488d05084a0000 }
            // n = 6, score = 100
            //   488d052e4a0000       | dec                 eax
            //   488905????????       |                     
            //   e9????????           |                     
            //   81fbd73a0000         | lea                 eax, [0x4b84]
            //   7513                 | cmp                 ebx, 0x4a64
            //   488d05084a0000       | jne                 0x1988

        $sequence_3 = { ff15???????? 488d0d4e790100 488bd0 488bf8 e8???????? }
            // n = 5, score = 100
            //   ff15????????         |                     
            //   488d0d4e790100       | mov                 eax, 6
            //   488bd0               | dec                 eax
            //   488bf8               | lea                 edx, [0x109e0]
            //   e8????????           |                     

        $sequence_4 = { ff15???????? 85c0 7517 ff15???????? 3dea000000 7404 33c0 }
            // n = 7, score = 100
            //   ff15????????         |                     
            //   85c0                 | xor                 eax, dword ptr [esp + eax*4 + 0x20a60]
            //   7517                 | inc                 ebp
            //   ff15????????         |                     
            //   3dea000000           | xor                 edx, dword ptr [esp + eax*4 + 0x21260]
            //   7404                 | inc                 ebp
            //   33c0                 | xor                 edx, dword ptr [ebp + 0x58]

        $sequence_5 = { 488d6c24b9 4881ecc0000000 488b05???????? 4833c4 48894537 33c0 488bd9 }
            // n = 7, score = 100
            //   488d6c24b9           | lea                 ebp, [eax + 0x18]
            //   4881ecc0000000       | lea                 eax, [ebx + 1]
            //   488b05????????       |                     
            //   4833c4               | inc                 esp
            //   48894537             | cmovne              ebp, eax
            //   33c0                 | jmp                 0x1355
            //   488bd9               | dec                 ebp

        $sequence_6 = { 89742440 e8???????? 488d4de1 33d2 41b8ff010000 }
            // n = 5, score = 100
            //   89742440             | dec                 eax
            //   e8????????           |                     
            //   488d4de1             | mov                 dword ptr [esp + 0x30], esi
            //   33d2                 | dec                 esp
            //   41b8ff010000         | lea                 eax, [edi + 0x436]

        $sequence_7 = { e9???????? 4c8d4daf 4c8d45bf 488d4dcf 8bd3 }
            // n = 5, score = 100
            //   e9????????           |                     
            //   4c8d4daf             | lea                 eax, [0x3fb9]
            //   4c8d45bf             | cmp                 ebx, 0x2800
            //   488d4dcf             | jne                 0x1a09
            //   8bd3                 | dec                 eax

        $sequence_8 = { 488bcb ff15???????? 488b4c2458 ff15???????? b801000000 488b8da0050000 4833cc }
            // n = 7, score = 100
            //   488bcb               | mov                 eax, esp
            //   ff15????????         |                     
            //   488b4c2458           | dec                 eax
            //   ff15????????         |                     
            //   b801000000           | mov                 dword ptr [eax + 0x10], ebx
            //   488b8da0050000       | dec                 eax
            //   4833cc               | mov                 dword ptr [eax + 0x18], esi

        $sequence_9 = { 488905???????? e9???????? 81fb634a0000 7513 488d05ef310000 488905???????? e9???????? }
            // n = 7, score = 100
            //   488905????????       |                     
            //   e9????????           |                     
            //   81fb634a0000         | jne                 0x866
            //   7513                 | jne                 0x868
            //   488d05ef310000       | dec                 eax
            //   488905????????       |                     
            //   e9????????           |                     

    condition:
        7 of them and filesize < 453632
}
Download all Yara Rules