
DreamLoaders: Lazarus Group's Modular Malware Deployment in DreamJob Campaign

Threat Profile

HIGH
Lab52

Description

Lab52 identified a set of modular loaders, dubbed 'DreamLoaders', used by the Lazarus group in DreamJob campaigns during August 2025. The loaders are delivered in several ways, each abusing a legitimate executable to sideload a malicious DLL. The operators target administrators of the victim organizations; once the malware runs under those accounts it is used for credential extraction and further compromise of the environment. Three deployment variants were observed: a trojanized TightVNC client (tnviewer.exe); the DLL loaders webservices.dll and radcui.dll, sideloaded by legitimate Windows binaries; and TSVIPSrv.dll, loaded through a malicious Windows service. In every variant the loader decrypts and loads a modular payload stored in a .mui file, the extension normally used for Windows language resource DLLs, so the encrypted payload blends in with legitimate files. One such module, HideFirstLetter.dll, attempts to authenticate to Microsoft tenants and then accesses SharePoint servers via the Microsoft Graph API. The modular design lets the operators deploy different payloads according to operational needs; identical payloads recovered from several compromised systems indicate coordinated targeting rather than opportunistic infection.

MITRE ATT&CK Techniques

T1574.002 Hijack Execution Flow: DLL Side-Loading
T1055 Process Injection
T1027 Obfuscated Files and Information
T1036 Masquerading
T1098 Account Manipulation
T1528 Steal Application Access Token
T1199 Trusted Relationship

Indicators of Compromise (10)

Domains:

coralsunmarine.com: C2 domain contacted by tnviewer.exe
alex2moe-my.sharepoint.com: C2 domain contacted by tnviewer.exe
cseabrahamlincoln-my.sharepoint.com: C2 domain contacted by HideFirstLetter.exe

File hashes (SHA-256):

26bd4aab63563e77ca426c23b11d18d894eef9a727e111be79336e099b22bdd1: webservices.dll, DLL loader executed via sideloading
473726dd9bc034564c4c7b951df12d102ff24f7b17b8356f55d36ed6d908882d: TSVIPSrv.dll, loader executed via a malicious service
fa014db2936da21af5943cc8f3656adb9800173ad86af196f71c6052295fff97: radcui.dll, DLL loader executed via sideloading
b3d7a3c3dedaa873e81b1676b6c0027ae1fd164587299bf65c02bd067ae1a972: wordpad.dll.mui, encrypted payload file
0fdd97a597380498f6b2d491f8f50da8f903def4ea6e624b89757456c287f92d: tnviewer.exe, trojanized TightVNC client (alternative hash)
855baa2ff0c3e958a660ae84a048ce006e07cf51ce5192c0de364ee62873980c: wordpad.dll.mui decrypted, in-memory payload
aefc12b500b58fbc09ebbf34fe64b34cb32a27513478f4769447280ad23af4d2: tnviewer.exe, trojanized TightVNC client

Metadata

Published

7 months ago