Malwarebytes’ Threat Intelligence analysts have introduced a new APT group they have named LazyScripter, presenting an in-depth analysis of the tactics, techniques, procedures, and infrastructure employed by this actor.

Although the observed TTPs overlap with those of known actor groups, there are many notable differences setting LazyScripter apart from them; both the similarities and the differences are discussed in the Attribution section of the paper.

APT groups are traditionally tracked according to the specific targets and the tools or methodologies they employ, says Malwarebytes. Many actor groups run spam campaigns, attaching weaponized documents to phishing emails themed for the industry or demographic of interest.

In this case, Malwarebytes initially discovered a number of malicious emails specifically targeting individuals seeking employment, which prompted a deeper investigation. That investigation uncovered a targeted spam campaign dating back as far as 2018, using phishing lures aimed not only at people seeking immigration to Canada for employment but also at airlines.

In the analysis, Malwarebytes walks through the timeline of observed TTPs, from the initial phishing campaign to the actor's current and ongoing activity, and takes a deep dive into each of the tools used, including the weaponized documents and the multiple malware variants and exploitation techniques employed. Finally, they detail the infrastructure used and discuss attribution comparisons with known actor groups such as APT28 and MuddyWater.

This in-depth analysis has revealed a developing campaign by what Malwarebytes believes to be a previously unidentified APT actor. Not only has the campaign been active for several years, but ongoing tracking shows the actor is still maintaining its infrastructure and actively updating its toolsets. Malwarebytes continues to track LazyScripter as the threat evolves.

For the analysis, please visit