Go to listing page

Lazarus's New Additions: Wslink Loader and WinorDLL64 Backdoor

Lazarus's New Additions: Wslink Loader and WinorDLL64 Backdoor
Researchers have found a new payload dubbed WinorDLL64 delivered by the Wslink malware downloader. These tools are possibly connected with the infamous North Korea-aligned APT group Lazarus.

A background on Wslink

Wslink has been active since late 2018 and it was first documented in October 2021. Experts could not find the initial Wslink compromise vector and payload delivered by it at that time.
  • Wslink, primarily a malicious loader, can be leveraged by the attacker for lateral movement as well.
  • It is capable of listening to a specific port, serving additional connecting clients, and executing received modules in memory.
  • In March 2022, Wslink featured an advanced multi-layered virtual machine obfuscator to significantly evade detection and resist reverse engineering.

What is WinorDLL64 capable of

WinorDLL64 is a fully-featured backdoor implant that can exfiltrate, overwrite, and delete files for file manipulation.
  • It can execute PowerShell commands, list active sessions, create and terminate processes, enumerate drives, compress directories, remove files securely, create and kill processes, and obtain extensive system information.
  • Moreover, it communicates over a connection that was already established by the Wslink loader. The payload has been found targeting victims in South Korea.

Victimology and connection to Lazarus

ESET researchers attribute Wslink and WinorDLL64 to Lazarus with low confidence due to the following commonalities:
  • WinorDLL64 was found on a handful of victim machines in Central Europe, North America, and the Middle East that Lazarus has targeted in its past operations.
  • Furthermore, there are some overlaps in the code and behavior of WinorDLL64 and Lazarus’ Bankshot and GhostSecret.


Wslink is a simple yet remarkable malware loader while WinorDLL64 is not exotic but is effective nonetheless, in terms of its functionality. The alleged additions to Lazarus’ arsenal indicate that the group is consistently launching prolific attacks with customized tools to infiltrate its targets.
Cyware Publisher