Keypoints
- Positive Technologies ESC identified a campaign in Q1 2024 targeting government and public-sector organizations across Russia, Belarus, Kazakhstan, Uzbekistan, Kyrgyzstan, Tajikistan, and Armenia.
- The primary malware, named LazyStealer, was distributed as executables masquerading as documents and packed with PyInstaller, protected with Pyarmor, and partially compiled with Cython.
- Analysis recovered Cython-compiled modules (pdfbyte.cp39-win_amd64.pyd, hello.cp39-win_amd64.pyd) and described the reconstruction method: examining the PyInit_pdfbyte export, the PyModuleDef, the module slots, and the __pyx_mstate_global structure.
- Reconstructed scripts show the stealer enumerates and extracts Google Chrome stored logins/passwords and forwards them to a Telegram bot (exfiltration over web service).
- Researchers could not identify a persistence mechanism in the samples; victims were directly notified and total compromised accounts at discovery numbered 867 (321 unique).
- All discovered Telegram bots were linked to a single controlling user, leading researchers to attribute the operations to an actor they call Lazy Koala.
MITRE Techniques
- [T1204.002] User Execution: Malicious File – LazyStealer was delivered as an executable presented as a document to induce user execution (‘Lazy Koala passes off an executable as a document’).
- [T1140] Deobfuscate/Decode Files or Information – The operators used PyInstaller, Pyarmor, and Cython to hide code and hinder analysis (‘Lazy Koala uses the PyInstaller packer, Pyarmor protector, and Cython compiler’).
- [T1555.003] Credentials from Password Stores: Credentials from Web Browsers – The malware extracts saved credentials from Google Chrome (‘Lazy Koala steals accounts from Google Chrome’).
- [T1567] Exfiltration Over Web Service – Stolen credentials are forwarded to a Telegram bot for collection and exfiltration (‘Lazy Koala forwards accounts it steals to a Telegram bot’).
Indicators of Compromise
- [File names] examples of delivered binaries and modules – 33ms.exe, Recommendation.exe, and various .pyd modules (hello.cp39-win_amd64.pyd, pdfbyte.cp39-win_amd64.pyd) from the IOC table.
- [SHA-256] example hashes for detected samples – 9fd197b7402285ed2a75dac9a5ce3ef499a58342fd0dcefe1c40443a12bc6832 (33ms.exe), e419a8158c6fe326dc7ab16dbd5f3b2723dffe8c9561fe835bb16f62a8fa61f5 (Recommendation.exe), and other hashes listed in the IOC table.
- [MD5] example hashes – 4f060c5c6813e269f01e6cba1d3ac4cd (33ms.exe), 641932b66490630005dde2aef405e5e9 (Recommendation.exe), plus additional MD5 entries in the table.
Researchers unpacked LazyStealer samples that were PyInstaller executables with Pyarmor protection; some components were further compiled with Cython into native .pyd DLLs. Analysis focused on the Cython modules (notably pdfbyte.cp39-win_amd64.pyd and hello.cp39-win_amd64.pyd): investigators traced the exported module initializer (PyInit_<module>, e.g. PyInit_pdfbyte), inspected the PyModuleDef and PyModuleDef_Slot arrays to locate the module execution function (__pyx_pymod_exec_<module>), and examined the initialization of the __pyx_mstate_global structure and its string tables to reconstruct module behavior and the identifiers used at runtime.
By decoding the Cython native structures and the Pyarmor-wrapped Python code, analysts reconstructed the scripts responsible for two primary functions: (1) displaying a decoy document in a browser (document display logic), and (2) harvesting credentials. The credential-stealing logic enumerates Chrome credential stores, extracts saved logins/passwords, and forwards the collected entries to a Telegram bot, i.e. exfiltration over a web service with Telegram serving as the collection channel.
Samples showed differing implementations (Cython for the document logic, pure Python for the stealing logic in some variants), and investigators were unable to locate a definitive persistence mechanism, which suggests either that a separate delivery stage handled persistence or that the malware was designed for ephemeral "one-off" execution. The report includes detailed module reconstruction steps, function initialization patterns, and a list of file names and hashes to support detection and response.
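The two behaviours above (reading Chrome's saved-login store, then posting to a Telegram bot) can be correlated on the endpoint. The following is an added example, not code from the report or from LazyStealer: it runs a simple per-process correlation over constructed Sysmon-like file and network events (the event schema, paths and PIDs are invented for the example; only the file name Recommendation.exe comes from the report's IOC table).

```python
from datetime import datetime, timedelta

WINDOW = timedelta(minutes=5)          # max gap between store read and exfil
EXFIL_HOST = "api.telegram.org"        # Telegram Bot API endpoint
BROWSER_IMAGES = ("chrome.exe",)       # the browser legitimately reads its own store

def is_chrome_login_store(path: str) -> bool:
    """True for Chrome's credential SQLite store: ...\\User Data\\<profile>\\Login Data."""
    p = path.lower()
    return "\\google\\chrome\\user data\\" in p and p.endswith("\\login data")

def find_exfil_chains(file_events, net_events, window=WINDOW):
    """file_events: (iso_ts, pid, image, target_path); net_events: (iso_ts, pid, image, dest_host).
    Alerts on a process whose first Login Data read is followed, within `window`,
    by a connection to EXFIL_HOST from the same pid. Chrome itself is excluded."""
    first_read = {}
    for ts, pid, image, path in file_events:
        if image.lower().endswith(BROWSER_IMAGES) or not is_chrome_login_store(path):
            continue
        t = datetime.fromisoformat(ts)
        if pid not in first_read or t < first_read[pid][0]:
            first_read[pid] = (t, image, path)
    alerts = []
    for ts, pid, image, host in net_events:
        if host.lower() != EXFIL_HOST or pid not in first_read:
            continue
        t_read, _, path = first_read[pid]
        t_net = datetime.fromisoformat(ts)
        if t_read <= t_net <= t_read + window:
            alerts.append({"pid": pid, "image": image, "cred_store": path,
                           "delta_s": (t_net - t_read).total_seconds()})
    return alerts

# Constructed sample telemetry (hypothetical paths, pids and timestamps)
LOGIN_DATA = "C:\\Users\\u\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Login Data"
CHROME = "C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe"
FILE_EVENTS = [
    ("2024-02-12T09:14:03", 4120, "C:\\Users\\u\\Downloads\\Recommendation.exe", LOGIN_DATA),
    ("2024-02-12T09:14:05", 2880, CHROME, LOGIN_DATA),             # browser: benign
    ("2024-02-12T09:20:00", 5016, "C:\\Tools\\backup.exe", LOGIN_DATA),  # no Telegram: benign
]
NET_EVENTS = [
    ("2024-02-12T09:14:09", 4120, "C:\\Users\\u\\Downloads\\Recommendation.exe", "api.telegram.org"),
    ("2024-02-12T09:14:30", 2880, CHROME, "api.telegram.org"),
    ("2024-02-12T09:21:00", 5016, "C:\\Tools\\backup.exe", "backup.example.net"),
]

if __name__ == "__main__":
    for a in find_exfil_chains(FILE_EVENTS, NET_EVENTS):
        print(f"ALERT pid={a['pid']} {a['image']} read {a['cred_store']} "
              f"then reached {EXFIL_HOST} after {a['delta_s']:.0f}s")
```

Only the Recommendation.exe process is flagged; the browser's own read of its store and the backup tool with no Telegram traffic are not.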