Lazarus, the North Korean hacking group, is exploiting the Log4J remote code execution vulnerability. The attackers inject backdoors that spread stealer payloads on VMware Horizon servers.

Attack on VMware

According to a report, the Lazarus group has been abusing vulnerable VMware products using Log4Shell since April. 
  • The attackers exploit the Log4j vulnerability, CVE-2021-44228, via Vmware Horizon’s Apache Tomcat service to run a PowerShell command. This command eventually installs the NukeSped backdoor.
  • NukeSped performs espionage operations in the targeted environment, such as recording key presses, accessing files, and taking screenshots. Additionally, it supports command line commands for additional activities.
  • In some attacks, Lazarus deployed Jin Miner instead of NukeSped. Jin Miner is a cryptocurrency miner, which can be used on less critical systems for monetary gains instead of espionage.

Understanding NukeSped and its capabilities

NukeSped backdoor, first observed in 2018, is written in C++ language.
  • It is used to install an additional console-based stealer malware that collects information saved on web browsers, including Internet Explorer, Google Chrome, Opera, Mozilla Firefox, and Naver Whale.
  • Further, it steals account credentials, email account information, and recently used files from Hancom 2010 and MS Office.
  • Two new modules have been spotted in the recent NukeSped malware variant. One is for dumping USB contents and the other for accessing web camera devices.


The Log4Shell attack surface is still huge and researchers expect attackers to abuse it for a long time. The exploitation of this flaw by sophisticated threat actors such as Lazarus does indicate that even after so many months of disclosure, this flaw can still be used to create havoc. Therefore, organizations are suggested to implement robust patch management programs for better protection.
Cyware Publisher