Is Your Network Compromised? The New Kimsuky & Lazarus Tools Your EDR/XDR Can’t See.

CYBERDUDEBIVASH

Author: CyberDudeBivash
Powered by: CyberDudeBivash Brand | cyberdudebivash.com
Related: cyberbivash.blogspot.com

Published by CyberDudeBivash • Date: Nov 1, 2025 (IST)


DPRK-linked actors Kimsuky (APT43) and Lazarus are escalating EDR/XDR evasion with three big moves: malwareless phishing and living-off-the-tenant operations, cloud/GitHub C2 dead-drops, and driver abuse (BYOVD) plus developer supply-chain backdoors. These campaigns keep payloads minimal or hide them in trusted workflows that many agents under-observe. We break down the TTPs and ship ready-to-use hunts and mitigations.

CyberDudeBivash Ecosystem: Apps & Services · CyberBivash (Threat Intel) · CryptoBivash · News Portal · ThreatWire Newsletter

TL;DR — What’s New & Why You’re Missing It

  • Kimsuky’s “malwareless” pivot: credential phishing and account hijack to operate inside your M365/Google tenant with minimal on-host artifacts; when a loader is still needed, the older toolchains (AppleSeed/AlphaSeed, ReconShark) rely on encrypted strings to evade static detection.
  • DPRK cloud/GitHub C2: campaigns staging tasks/payloads on GitHub or public cloud to blend with allowed traffic, frustrating on-host sensors.
  • Lazarus supply-chain & dev targeting: trojanized tools/plugins and malicious open-source packages to backdoor developer rigs at scale. 
  • Driver-abuse (BYOVD) & EDR-killers: attackers (and crimeware copycats) use vulnerable/signed drivers and “EDR-killer” tools to blind sensors. Enforce blocklists & tamper protection. 

Contents

  1. Kimsuky Evasion Playbook
  2. Lazarus Evasion Playbook
  3. Detections & Hunts (SIEM/EDR/NDR)
  4. Mitigations & Hardening
  5. FAQ
  6. Sources

Kimsuky: “Malwareless” Access + Low-Noise Implants

  • Account-first ops: Phishing lures and MFA fatigue to take over mail/drive; operate via web sessions; minimal binaries, high OPSEC. 
  • Classic loaders when needed: AppleSeed/AlphaSeed droppers; ReconShark adds encrypted strings and shortcut-based staging to evade static detection. 
  • Tactic: Use tenant apps (mail rules, OAuth tokens, cloud storage) as de-facto C2 to sidestep host sensors.

Lazarus: Dev-Supply Chain + BYOVD + Tooling in Plain Sight

  • Dev compromise at scale: Malicious packages (NPM/PyPI), typosquatting & brandjacking to backdoor build/dev boxes; thousands of developers potentially impacted.
  • Trojanized apps/plugins: Latest intel shows trojanized MuPDF / Notepad++ plugin lures targeting EU defense UAV sector. 
  • EDR bypass via drivers: BYOVD and toolchains that disable endpoint sensors; keep driver blocklists current and enforce kernel-mode protections.

Detections & Hunts (SIEM/EDR/NDR)

1) Cloud/GitHub C2 & “Living-off-Tenant”

  • Proxy/NDR: Alert on periodic pulls to api.github.com / raw.githubusercontent.com or paste/file hosts at regular, low-jitter intervals from non-dev workstations (threshold ≥6 hits / 7 min).
  • M365/GWS logs: New inbox rules forwarding to external, OAuth grants for atypical apps, sudden spikes in file-shares; correlate with suspicious IP ranges.
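The proxy/NDR hunt above (≥6 hits to a code host inside 7 minutes, from a host outside the developer pool, at near-constant intervals) can be run offline over exported proxy logs. The script below is an added example, not code from the original post: it assumes a simple constructed log format "<epoch> <src_ip> <method> <host> <path>", an assumed developer VLAN of 10.20.0.0/16, and an assumed jitter cut-off of 25 %; the sample log lines are constructed.

```python
"""Hunt for periodic pulls to public code hosts from non-developer workstations.

Added example, not code from the original post. Assumes a constructed proxy
log format "<epoch> <src_ip> <method> <host> <path>"; the developer subnet, the
code-host list and the jitter cut-off are assumptions to adapt to your estate.
"""
import ipaddress
import statistics
from collections import defaultdict

CODE_HOSTS = {"api.github.com", "raw.githubusercontent.com"}
DEV_NETS = [ipaddress.ip_network("10.20.0.0/16")]  # assumed developer VLAN
WINDOW_SECONDS = 420      # the post's threshold: >= 6 hits within 7 minutes
HIT_THRESHOLD = 6
MAX_JITTER_RATIO = 0.25   # pstdev/mean of request gaps; low = beacon-like

# Constructed sample proxy log: one non-dev host polling a raw file every ~60 s,
# one developer host with bursty API use, one non-dev host with two casual hits.
SAMPLE_LOG = """\
1761900000 10.50.1.23 GET raw.githubusercontent.com /org/repo/main/task.txt
1761900061 10.50.1.23 GET raw.githubusercontent.com /org/repo/main/task.txt
1761900119 10.50.1.23 GET raw.githubusercontent.com /org/repo/main/task.txt
1761900182 10.50.1.23 GET raw.githubusercontent.com /org/repo/main/task.txt
1761900240 10.50.1.23 GET raw.githubusercontent.com /org/repo/main/task.txt
1761900301 10.50.1.23 GET raw.githubusercontent.com /org/repo/main/task.txt
1761900000 10.20.4.7 GET api.github.com /repos/org/repo/pulls
1761900005 10.20.4.7 GET api.github.com /repos/org/repo/pulls/12
1761900009 10.20.4.7 GET api.github.com /repos/org/repo/commits
1761900011 10.20.4.7 GET api.github.com /repos/org/repo/issues
1761900100 10.20.4.7 GET api.github.com /repos/org/repo/pulls
1761900130 10.20.4.7 GET api.github.com /repos/org/repo/pulls
1761900000 10.50.2.9 GET api.github.com /repos/org/tool/releases/latest
1761900500 10.50.2.9 GET raw.githubusercontent.com /org/tool/main/README.md
"""


def parse_proxy_log(text):
    """Yield (epoch, src_ip, host) tuples from the constructed log format."""
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, _method, host, _path = line.split(maxsplit=4)
        yield int(ts), src, host.lower()


def is_dev_host(src):
    """True when the source address sits inside an assumed developer subnet."""
    addr = ipaddress.ip_address(src)
    return any(addr in net for net in DEV_NETS)


def find_code_host_beacons(text):
    """One finding per non-dev source with >= HIT_THRESHOLD code-host hits in any
    WINDOW_SECONDS span; the jitter ratio is computed over the densest span."""
    hits = defaultdict(list)
    for ts, src, host in parse_proxy_log(text):
        if host in CODE_HOSTS and not is_dev_host(src):
            hits[src].append(ts)

    findings = []
    for src, stamps in hits.items():
        stamps.sort()
        best = (0, 0, 0)  # (count, start_index, end_index) of the densest window
        start = 0
        for end in range(len(stamps)):
            while stamps[end] - stamps[start] > WINDOW_SECONDS:
                start += 1
            if end - start + 1 > best[0]:
                best = (end - start + 1, start, end)
        count, s, e = best
        if count < HIT_THRESHOLD:
            continue
        gaps = [b - a for a, b in zip(stamps[s:e], stamps[s + 1:e + 1])]
        mean_gap = statistics.mean(gaps)
        jitter = statistics.pstdev(gaps) / mean_gap if mean_gap else 0.0
        findings.append({
            "src": src,
            "hits": count,
            "mean_gap_s": round(mean_gap, 1),
            "jitter_ratio": round(jitter, 3),
            "beacon_like": jitter <= MAX_JITTER_RATIO,
        })
    return findings


if __name__ == "__main__":
    for finding in find_code_host_beacons(SAMPLE_LOG):
        print(finding)
```

The developer host is excluded by subnet rather than by volume, which is the point of the hunt: developers legitimately hammer api.github.com, so the signal is the combination of source pool and regularity, not the destination alone. The jitter ratio separates a polling implant (gaps of 58 to 63 s here) from a human clicking through a repository.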

2) Developer Supply-Chain Abuse

  • Endpoint: Flag npm/pip installs of unscoped or newly published packages that are followed by immediate network egress to unknown domains; block unsigned post-install scripts.
  • CI/CD: Disallow internet in build jobs; mirror only pre-approved packages; diff post-install tree vs SBOM. 
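The "diff post-install tree vs SBOM" step above, worked through for npm as an added example (not the post's own tooling): it reads an npm package-lock.json (lockfileVersion 2 or later, which carries a "packages" map and a hasInstallScript flag for packages that declare install hooks) and a CycloneDX-style SBOM, then reports anything installed that the SBOM does not approve, any version drift, any package resolved from a host other than the private mirror, and any package that will run an install script. The mirror hostname npm.mirror.internal.example, the package sample-newpkg and both JSON documents are constructed.

```python
"""Diff a post-install npm tree against the approved SBOM.

Added example, not the post's own code. Assumes an npm package-lock.json with
a "packages" map (lockfileVersion 2+) and a CycloneDX-style SBOM with a
"components" list. The mirror host, package names and both documents are
constructed for illustration.
"""
import json
from urllib.parse import urlparse

APPROVED_REGISTRY_HOSTS = {"npm.mirror.internal.example"}  # assumed private mirror

# Constructed SBOM: what the build is allowed to contain.
SBOM_JSON = """
{
  "bomFormat": "CycloneDX",
  "specVersion": "1.5",
  "components": [
    {"type": "library", "name": "express", "version": "4.19.2"},
    {"type": "library", "name": "lodash",  "version": "4.17.21"}
  ]
}
"""

# Constructed package-lock.json as found on a developer box after `npm install`.
LOCK_JSON = """
{
  "name": "sample-app",
  "lockfileVersion": 3,
  "packages": {
    "": {"name": "sample-app", "version": "1.0.0"},
    "node_modules/express": {
      "version": "4.19.2",
      "resolved": "https://npm.mirror.internal.example/express/-/express-4.19.2.tgz"
    },
    "node_modules/lodash": {
      "version": "4.17.22",
      "resolved": "https://npm.mirror.internal.example/lodash/-/lodash-4.17.22.tgz"
    },
    "node_modules/sample-newpkg": {
      "version": "0.0.3",
      "resolved": "https://registry.npmjs.org/sample-newpkg/-/sample-newpkg-0.0.3.tgz",
      "hasInstallScript": true
    }
  }
}
"""


def package_name(lock_path):
    """Map a lockfile path such as 'node_modules/a/node_modules/@scope/b'
    to the innermost package name ('@scope/b')."""
    return lock_path.split("node_modules/")[-1]


def audit_lockfile(lock_text, sbom_text, approved_hosts=APPROVED_REGISTRY_HOSTS):
    """Return findings for installed packages that deviate from the SBOM or policy."""
    sbom = {c["name"]: c["version"] for c in json.loads(sbom_text)["components"]}
    findings = []
    for path, meta in json.loads(lock_text)["packages"].items():
        if path == "":
            continue  # the root project entry, not a dependency
        name = package_name(path)
        version = meta.get("version")
        reasons = []
        if name not in sbom:
            reasons.append("not in SBOM")
        elif sbom[name] != version:
            reasons.append(f"version drift: SBOM {sbom[name]} vs installed {version}")
        host = urlparse(meta.get("resolved", "")).hostname
        if host and host not in approved_hosts:
            reasons.append(f"resolved from unapproved host {host}")
        if meta.get("hasInstallScript"):
            reasons.append("declares install script (quarantine before running)")
        if reasons:
            findings.append({"package": name, "version": version, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for finding in audit_lockfile(LOCK_JSON, SBOM_JSON):
        print(finding)
```

Run this as a CI gate after `npm ci` and fail the job on any finding; the same comparison works for Python by feeding the output of `pip freeze` (name==version pairs) in place of the lockfile walk. The install-script check is the one that matters most for the post's scenario: a package that is both absent from the SBOM and declares an install hook is exactly the shape of the dev-box backdoors described above.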

3) BYOVD / EDR-Killer Telemetry

  • Windows Eventing: Alert on loading drivers not in your allowlist; look for process termination bursts of EDR agents; verify Microsoft blocklist applied. 
  • EDR: Tamper-protection disabled, service stop attempts, or sensor heartbeat gaps coinciding with suspicious kernel driver loads. 
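The two telemetry points above (a driver load that is not on your allowlist, and a burst of EDR process terminations or sensor gaps right after it) are cheap to correlate once both land in the same store. The following is an added example, not code from the original post: it consumes Sysmon-style events as JSON lines (EventID 6 DriverLoad with ImageLoaded/Hashes/Signature, EventID 5 ProcessTerminate with Image) and escalates any non-allowlisted driver load that is followed within 120 s by at least two EDR process terminations. The allowlist hashes, the EDR install path C:\Program Files\ExampleEDR\ and every event below are constructed placeholders; checking that the Microsoft vulnerable-driver blocklist is actually enforced is a host-configuration check and stays outside this script.

```python
"""Correlate non-allowlisted driver loads with EDR process terminations.

Added example, not from the original post. Assumes Sysmon-style events as
JSON lines: EventID 6 (DriverLoad: ImageLoaded, Hashes, Signature) and
EventID 5 (ProcessTerminate: Image). The allowlist hashes, the EDR install
path and every event below are constructed placeholders.
"""
import json

EDR_PATH_PREFIXES = ("c:\\program files\\exampleedr\\",)  # assumed EDR install dir
WINDOW_SECONDS = 120   # terminations counted this long after a driver load
MIN_EDR_KILLS = 2      # burst size that escalates a finding to high severity

# Constructed allowlist: SHA256 of drivers you have vetted (placeholder digests).
DRIVER_ALLOWLIST = {
    "1111111111111111111111111111111111111111111111111111111111111111",
}

# Constructed event stream: a known driver, then an unknown driver from a
# user-writable path followed by three EDR process terminations and one
# unrelated termination.
SAMPLE_EVENTS = r"""
{"ts": 1761901000, "EventID": 6, "ImageLoaded": "C:\\Windows\\System32\\drivers\\ndis.sys", "Hashes": "SHA256=1111111111111111111111111111111111111111111111111111111111111111", "Signature": "Microsoft Windows"}
{"ts": 1761901200, "EventID": 6, "ImageLoaded": "C:\\Users\\Public\\drv\\helper.sys", "Hashes": "SHA256=2222222222222222222222222222222222222222222222222222222222222222", "Signature": "Example Hardware Vendor"}
{"ts": 1761901205, "EventID": 5, "Image": "C:\\Program Files\\ExampleEDR\\sensor.exe"}
{"ts": 1761901206, "EventID": 5, "Image": "C:\\Program Files\\ExampleEDR\\agent.exe"}
{"ts": 1761901207, "EventID": 5, "Image": "C:\\Program Files\\ExampleEDR\\sensor.exe"}
{"ts": 1761901240, "EventID": 5, "Image": "C:\\Windows\\System32\\notepad.exe"}
"""


def sha256_from_hashes(field):
    """Sysmon's Hashes field is 'MD5=..,SHA256=..'; return the SHA256 part."""
    for part in field.split(","):
        algo, _, value = part.partition("=")
        if algo.strip().upper() == "SHA256":
            return value.strip().lower()
    return None


def is_edr_image(image):
    """True when a process image lives under the assumed EDR install path."""
    return image.lower().startswith(EDR_PATH_PREFIXES)


def hunt_byovd(events_text, allowlist=DRIVER_ALLOWLIST):
    """Flag driver loads whose SHA256 is not allowlisted and count EDR process
    terminations in the window that follows each such load."""
    events = [json.loads(line) for line in events_text.splitlines() if line.strip()]
    events.sort(key=lambda e: e["ts"])
    findings = []
    for ev in events:
        if ev["EventID"] != 6:
            continue
        digest = sha256_from_hashes(ev.get("Hashes", ""))
        if digest in allowlist:
            continue
        kills = [
            e["Image"] for e in events
            if e["EventID"] == 5
            and ev["ts"] <= e["ts"] <= ev["ts"] + WINDOW_SECONDS
            and is_edr_image(e["Image"])
        ]
        findings.append({
            "driver": ev["ImageLoaded"],
            "sha256": digest,
            "signer": ev.get("Signature"),
            "edr_terminations": len(kills),
            "severity": "high" if len(kills) >= MIN_EDR_KILLS else "medium",
        })
    return findings


if __name__ == "__main__":
    for finding in hunt_byovd(SAMPLE_EVENTS):
        print(finding)
```

Matching on the hash rather than the signer is deliberate: BYOVD drivers are, by definition, validly signed, so a "Signature present" filter would pass them. An unknown driver loaded from a user-writable directory is worth a medium alert on its own; the EDR-termination burst is what turns it into an incident.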

4) Legacy Kimsuky Loaders (When Present)

  • Hunt for LNK/Office-template staging and PowerShell with encrypted strings / String.FromCharCode patterns used by ReconShark-style loaders. 
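A scoring pass over process-creation events implements the hunt above. This is an added example, not code from the original post: it assumes Sysmon-style events with Image, ParentImage and CommandLine, decodes any -EncodedCommand argument (PowerShell expects base64 over UTF-16LE), and then scores the raw plus decoded command line against the loader tells named in the text (char-code string assembly such as FromCharCode or [char] arrays, fragment joining, inline evaluation, base64 decoding) together with an Office parent, which is how LNK/template staging usually surfaces in process telemetry. The three events are constructed; the encoded payload is built at run time purely so the decoder has input and does nothing beyond assembling a four-letter string.

```python
"""Score PowerShell launches for loader-style obfuscation.

Added example, not from the original post. Assumes Sysmon-style process
events with Image, ParentImage and CommandLine. All events are constructed;
the -EncodedCommand payload is built here at run time for the decoder to
work on and only assembles a four-letter string.
"""
import base64
import re

OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
ENCODED_ARG = re.compile(r"(?:^|\s)-(?:e|ec|enc|encodedcommand)\s+([A-Za-z0-9+/=]{16,})", re.I)
OBFUSCATION_PATTERNS = {
    "char-code string assembly": re.compile(r"FromCharCode|\[char\]\s*\d+|\[char\[\]\]", re.I),
    "fragment joining": re.compile(r"-join\b|\[string\]::join", re.I),
    "inline expression eval": re.compile(r"\bIEX\b|Invoke-Expression", re.I),
    "base64 string decode": re.compile(r"FromBase64String", re.I),
}


def encode_ps(script):
    """Produce an -EncodedCommand argument the way PowerShell expects it."""
    return base64.b64encode(script.encode("utf-16le")).decode("ascii")


# Constructed events: Office-spawned encoded launch, a benign scheduled script,
# and an interactive one-liner that decodes base64 into IEX.
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "CommandLine": "powershell.exe -nop -w hidden -enc "
                    + encode_ps("$u=([char[]](72,84,84,80) -join '');IEX $u")},
    {"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": r"powershell.exe -File C:\scripts\backup.ps1"},
    {"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": "powershell.exe -c \"IEX ([Text.Encoding]::Unicode.GetString("
                    "[Convert]::FromBase64String($env:X)))\""},
]


def decode_encoded_command(cmdline):
    """Return the decoded -EncodedCommand script, or None if absent/undecodable."""
    match = ENCODED_ARG.search(cmdline)
    if not match:
        return None
    try:
        return base64.b64decode(match.group(1)).decode("utf-16le")
    except (ValueError, UnicodeDecodeError):
        return None


def score_event(ev):
    """Return (score, reasons) for one process-creation event."""
    reasons = []
    parent = ev.get("ParentImage", "").rsplit("\\", 1)[-1].lower()
    if parent in OFFICE_PARENTS:
        reasons.append(f"spawned by Office process {parent}")
    cmd = ev.get("CommandLine", "")
    decoded = decode_encoded_command(cmd)
    if decoded is not None:
        reasons.append("encoded command decoded")
        # Scan the decoded script instead of the base64 blob, which has no structure.
        cmd = ENCODED_ARG.sub(" -enc <decoded>", cmd) + "\n" + decoded
    for label, pattern in OBFUSCATION_PATTERNS.items():
        if pattern.search(cmd):
            reasons.append(label)
    return len(reasons), reasons


def hunt_powershell_loaders(events):
    """Score every event and return the non-zero ones, highest score first."""
    findings = []
    for ev in events:
        score, reasons = score_event(ev)
        if score:
            findings.append({"image": ev["Image"], "score": score, "reasons": reasons})
    return sorted(findings, key=lambda f: f["score"], reverse=True)


if __name__ == "__main__":
    for finding in hunt_powershell_loaders(SAMPLE_EVENTS):
        print(finding)
```

Decoding before matching is the step most rule sets skip: an -EncodedCommand launch hides every keyword from a plain string match, so the blob has to be turned back into script text before the FromCharCode / [char] / -join tells can fire. Treat a score of 3 or more with an Office parent as a triage-now event; the interactive base64-to-IEX one-liner scores lower and is a candidate for a threshold alert instead.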

# Sigma — M365 OAuth consent to a multi-tenant app (pair with the inbox-rule rule below in the SIEM)
title: Suspect OAuth Grant to Multi-Tenant App (Kimsuky-style)
logsource: { product: o365, service: azure }
detection:
  sel_consent: { Operation: 'Consent to application' }
  sel_app: { AppId: '*', IsMultiTenant: true }
  condition: sel_consent and sel_app
level: high

# Sigma — New inbox rule. One event cannot carry two different Operation values, so the
# original single-rule AND could never fire; correlate this with the grant above on UserId.
title: New Inbox Rule Created (Kimsuky-style)
logsource: { product: o365, service: exchange }
detection:
  sel_rule: { Operation: 'New-InboxRule' }
  condition: sel_rule
level: medium

# Suricata — Periodic pulls to public code hosts from non-dev pools
# Scope the source to a non-developer address group (e.g. a NON_DEV_NET variable in
# suricata.yaml) instead of $HOME_NET; pcre escapes are single backslashes in a rules file.
alert http $HOME_NET any -> $EXTERNAL_NET any ( \
  msg:"Possible Cloud/GitHub C2 (non-dev host)"; \
  http.host; pcre:"/^(api\.github\.com|raw\.githubusercontent\.com)$/"; \
  threshold:type both, track by_src, count 6, seconds 420; \
  classtype:trojan-activity; sid:9025001; rev:1; \
)

Mitigations & Hardening (Do These Now)

  1. Tenant Guardrails: Enforce OAuth consent policies, block multi-tenant self-service, require admin approval for new enterprise apps; disable auto-forward to external.
  2. Driver Defense: Enable Microsoft kernel driver blocklist, Secure Boot, HVCI/Memory Integrity; turn on EDR tamper-protection; monitor for non-allowlisted drivers. 
  3. Dev Supply-Chain: Private package mirrors, quarantine new packages for review, disallow postinstall scripts in prod; SBOM + reproducible builds. 
  4. Proxy Controls: Require egress via authenticated proxy; rate-limit/inspect calls to GitHub/raw/paste hosts from non-dev VLANs.
  5. User & Admin Hygiene: FIDO2 keys for admins, strict role scoping, conditional access by device posture, session-risk continuous evaluation.

FAQ

Are these campaigns “new malware” or just better tradecraft?

Both. Kimsuky increasingly minimizes on-host implants and leans on tenant abuse; Lazarus adds trojanized tooling and dev-ecosystem backdoors while continuing driver-level evasion. 

Why did our EDR miss it?

Cloud/tenant actions live outside host agents; GitHub/paste C2 looks like sanctioned traffic; BYOVD blinds sensors at the kernel layer; developer package installs are “expected” unless governed. 

What’s the single highest-ROI change?

Lock down OAuth consent + enforce driver blocklists/tamper protection; then quarantine new open-source packages via a private registry before dev use.

Sources

  • SOCRadar — Kimsuky’s malwareless/EDR-evasion phishing evolution. 
  • SentinelOne — ReconShark campaign (encrypted strings, LNK/template staging) linked to Kimsuky ops. 
  • Trellix — DPRK GitHub-based C2 espionage operations (2025). 
  • Sonatype via ITPro — Lazarus attacking developer ecosystems (NPM/PyPI) with 200+ malicious packages. 
  • Rescana (5 days ago) — Lazarus trojanized MuPDF/Notepad++ plugin targeting EU UAV sector. 
  • TechRadar Pro (Check Point report) — BYOVD driver abuse to bypass AV/EDR; blocklist guidance. 
  • TechRadar Pro (Sophos) — New “EDR-killer” tool observed in the wild; enable tamper protection & driver controls. 

CyberDudeBivash — Services, Apps & Ecosystem

  • Advanced Threat Hunts (Cloud-C2, OAuth abuse, BYOVD telemetry, supply-chain)
  • Detection Engineering (Sigma → SIEM, Suricata/Zeek → NDR, EDR custom rules)
  • IR Retainers (containment runbooks, purple-team simulations, dev-pipeline hardening)



Ecosystem: cyberdudebivash.com | cyberbivash.blogspot.com | cryptobivash.code.blog | cyberdudebivash-news.blogspot.com | ThreatWire

Author: CyberDudeBivash • Powered by CyberDudeBivash • © 2025

 #CyberDudeBivash #CyberBivash #Kimsuky #Lazarus #EDREvasion #BYOVD #SupplyChain #GitHubC2 #ThreatWire
