Go to listing page

LazyScripter Hackers Using Multiple RATs to Target Airlines

LazyScripter Hackers Using Multiple RATs to Target Airlines
Malwarebytes recently disclosed malicious activities belonging to a previously unidentified actor. This unidentified actor has been named as LazyScripter and is active since 2018.

What has been discovered?

In late December 2020, researchers observed a few malicious documents loaded with objects that were created to target job seekers. These loaded objects (VBScript or batch files) were used by the LazyScripter APT group.
  • This threat group has been targeting the International Air Transport Association (IATA) and airlines that are using the BSPLink software. Additionally, it has targeted victims looking to immigrate to Canada in search of jobs.
  • In all their recent phishing lures, the attackers have used KOCTOPUS loaders to deploy Octopus and Koadic. 
  • In addition, they were observed to be dropping other RATs, such as LuminosityLink, Quasar, RMS, njRat, and Remcos, which are used by multiple hacking groups.

A change in attack tools

  • In the past, this actor mostly used spam emails laden with archive or document files as an initial infection vector. Both zip and document files included a variant of either KOCTOPUS or Empoder.
  • Over time, the group has used multiple file types as its initial phishing lures and changed the main toolset from PowerShell Empire to double RAT (Octopus and Koadic).

Use of GitHub for hosting toolsets 

LazyScripter hosted its toolsets on GitHub - a tactic previously used by an APT group linked with Iran. 
  • In January, the group created two GitHub accounts LIZySARA and Axella49, and deleted them in the same month.
  • Later, the actor created another GitHub account (OB2021) on February 2 for hosting payloads in a spam campaign. This account has been deleted from GitHub.


The use of multiple RATs and involvement in the development efforts on GitHub indicates that this group is continuously making efforts to polish its tools and attack tactics. In addition, the use of freely available tools and malware shows how smartly this group is making use of commercially available tools, and the combination of all these strategies makes this group a lethal threat.

Cyware Publisher