active threat profile
type: APT
threat level: Medium
status: Active
origin: Unknown — suspected Middle East nexus
last updated: 2026-03-27

LazyScripter

tracked as: MITRE G0140 | discovered: Malwarebytes, Feb 2021 | active since: 2018

A low-attribution espionage group discovered by Malwarebytes in early 2021 after years of undetected activity — distinguished by a nearly exclusive reliance on commodity open-source RATs rather than custom malware, making attribution difficult by design. Targets two overlapping groups: airline industry personnel at IATA-member carriers using BSPLink financial settlement software, and individuals seeking immigration to Canada through government-supported job programs. Active since at least August 2018, the group continuously updates its phishing lures to match current IATA product launches and immigration events while cycling through a roster of widely-shared remote access tools that leave few forensic clues pointing to a specific operator.

attributed origin: Unknown — Middle East assessed (not confirmed)
mitre id: G0140
first observed: August 2018 (retroactive; public disclosure Feb 2021)
primary motivation: Espionage — intelligence collection, data theft
primary targets: Airlines / IATA members; Canadian immigration job seekers
attribution confidence: Low — open-source toolset obscures origin
discovered by: Malwarebytes Threat Intelligence (Feb 2021)
assessed nexus: Middle East (MuddyWater / OilRig TTP overlap)
defining characteristic: No custom RATs — 100% commodity open-source tooling

Overview

LazyScripter was publicly identified in February 2021 by Malwarebytes Threat Intelligence analyst Hossein Jazi, following the discovery of malicious documents in December 2020 targeting job seekers. Retroactive analysis traced the group's activity back to at least August 2018, meaning the operation ran for roughly two and a half years without being formally identified or attributed — a function of the group's defining strategic choice: using only widely available, commodity open-source tools rather than developing custom malware. This decision trades capability depth for operational security through obscurity. When an attacker uses tools shared by dozens of other threat actors, defenders cannot identify the group based on the malware alone, and analysts cannot draw the kind of code-level connections that enable attribution.

The name reflects another deliberate efficiency choice: rather than maintaining expensive custom implant infrastructure, LazyScripter relies on scripting languages (batch files, VBScript, PowerShell, JavaScript) delivered through document-embedded objects rather than the macros commonly used by other phishing-oriented APTs. Embedded objects disguised as PDF, Word, or Excel files within weaponized documents are a distinctive technical fingerprint — the icons pretend to be legitimate embedded documents while actually being batch, executable, or VBScript variants of the group's KOCTOPUS loader.

Attribution assessment points toward a Middle East nexus, though this is assessed with low confidence. Hossein Jazi stated that similarities with Middle Eastern APT groups gave "a high chance that the actor is based in the Middle East," but no solid indicators confirm this. The group's closest documented similarities are with MuddyWater (Iran): both groups used Koadic and PowerShell Empire, both rely on scripting languages, and both have hosted malicious toolsets on GitHub. Separately, similarities to OilRig are noted in the use of batch2exe to convert batch files to executables. However, LazyScripter differs from both in its reliance on spam campaigns rather than targeted spearphishing, and in its exclusive use of open-source tools where MuddyWater also employs custom implants. The group is tracked independently from all known APTs as of the latest research.

A July 2021 campaign documented by Lab52 targeting important European entities introduced additional complexity: researchers found that a free online obfuscation tool LazyScripter used to protect its scripts had been compromised by a third actor ("HackFree"), who injected their own njRAT downloader into LazyScripter's malware. This meant some LazyScripter victims were simultaneously compromised by two independent threat actors — with LazyScripter unwittingly serving as the delivery mechanism for a second group's payload.

Target Profile

LazyScripter's targeting is narrow and consistent across its operational history, converging on two overlapping victim categories linked by their connection to international travel and Canada-related immigration and employment pathways.

  • IATA Member Airlines and BSPLink Users: The International Air Transport Association (IATA) represents over 290 airlines covering 83% of global air traffic. LazyScripter specifically targets employees at airlines that use BSPLink — IATA's Billing and Settlement Plan software used by travel agents and airlines to manage payments, reconciliation, and sales incentives globally. Lures impersonate IATA security alerts, BSPLink updaters, and new IATA product announcements. The group updated its lures in early 2021 specifically to mimic IATA ONE ID, a contactless passenger processing tool introduced in response to COVID-19 travel changes, demonstrating ongoing monitoring of IATA product development to keep lures current.
  • Canadian Immigration Job Seekers: Beginning with the group's earliest documented activity in August 2018, LazyScripter targets individuals seeking immigration to Canada through government-supported employment programs. Lures reference Canada skill worker programs, Canada Visa applications, and specifically impersonate content from Canadavisa.com — a legitimate Canadian immigration website associated with an immigration law firm. These victims are selected because they have high motivation to open immigration-related communications, low security awareness, and access to sensitive personal and financial documents that are valuable for identity theft or downstream espionage use.
  • Secondary Lure Categories: Beyond the two primary targets, LazyScripter has used supplementary lures including COVID-19 pandemic themes (March 2020 World Health Organization spoofing), UNWTO tourism content, and Microsoft software update notifications. These broader lures appear to function as opportunistic volume campaigns when primary-target-specific lures are not deployed, suggesting the group maintains ongoing operations between more targeted airline and immigration campaigns.

Tactics, Techniques & Procedures

LazyScripter's TTPs reflect a deliberate design philosophy: maximize operational security through the exclusive use of shared tools, minimize custom code that could fingerprint the operator, and optimize lures for specific high-motivation victim categories. The group continuously updates tooling and lures in response to environmental changes.

mitre id | technique | description
T1566.001 / T1566.002 | Spearphishing Attachment / Link | Spam phishing emails carry either archive files (ZIP) or document files (DOC, DOCX) containing a variant of the KOCTOPUS or Empoder loader. Additional delivery methods include emails containing PDF files with links to download KOCTOPUS from GitHub, and emails with URL shortener links (bit.ly, cutt.ly) redirecting to attacker-controlled GitHub repositories or C2 IP addresses. Primary lure themes: IATA security, BSPLink updater or upgrade, IATA ONE ID, Canada visa and skilled worker programs, COVID-19 (WHO spoofing). Malwarebytes identified 14 malicious documents used between 2018 and 2021.
T1204.002 | Malicious File — Embedded Objects (Not Macros) | A defining LazyScripter characteristic: malicious documents contain embedded objects (batch files, executables, or VBScript files) disguised with PDF, Word, or Excel icons rather than using the macro-based weaponization common to other phishing APTs. The embedded objects appear to be legitimate nested documents but execute KOCTOPUS or Empoder payloads on double-click. This approach bypasses macro-focused detection rules and can succeed in environments where macro execution is disabled.
T1059.001 / T1059.003 / T1059.005 | Scripting — PowerShell / Batch / VBScript | All LazyScripter payloads rely on scripting languages rather than compiled executables for primary execution. Batch files are highly obfuscated using the BatchEncryption tool. VBScript variants of KOCTOPUS provide alternative execution paths. PowerShell is used for persistence, AV disablement, and second-stage payload download. The Empoder loader specifically uses PowerShell to deliver PowerShell Empire. This scripting reliance matches MuddyWater and OilRig TTP patterns — one factor supporting the Middle East attribution assessment.
T1548.002 | UAC Bypass | KOCTOPUS bypasses Windows User Account Control (UAC) as part of its installation process, enabling execution at elevated privileges without generating a standard UAC prompt to the victim. This is paired with disabling Microsoft security products, ensuring the subsequent RAT payloads are not detected by Windows Defender after installation.
T1547.001 | Registry Run Keys / Persistence | KOCTOPUS installs loaded RATs into the Windows AutoRun registry key for persistence across system reboots. This ensures that Koadic, Octopus, and secondary RATs survive system restart without requiring re-exploitation. The registry-based persistence variant of KOCTOPUS is one of four documented loader variants.
T1102 / T1583.006 | GitHub as Web Service C2 | LazyScripter hosts malicious payloads on GitHub repositories — a tactic previously documented for Iranian APT groups — using free accounts to stage KOCTOPUS and other tools. Traffic to GitHub is typically allowed by enterprise firewalls and is HTTPS-encrypted, making malicious payload downloads indistinguishable from legitimate developer activity at the network layer. The group created and deleted multiple GitHub accounts across its operation: LIZySARA and Axella49 (deleted Jan 12 and 14, 2021) and OB2021 (created Feb 2, 2021).
T1568.001 / T1583.001 | Dynamic DNS C2 Infrastructure | LazyScripter uses free dynamic DNS providers (Duck DNS, FreeDNS) to create C2 subdomains that appear legitimate and rotate quickly if detected. Malwarebytes documented five subdomains across four different dynamic DNS providers in use simultaneously. Dynamic DNS enables rapid infrastructure rotation without purchasing domains — a low-cost approach consistent with a group that relies on free tools throughout its operation. The domains escape static blocklists because they sit on shared provider infrastructure.
T1027.002 | Obfuscation — BatchEncryption | Batch file variants of KOCTOPUS are obfuscated using the BatchEncryption tool to prevent static analysis and signature detection. The obfuscation is applied consistently across all batch-variant payloads. This specific tool's use is one of the few technical fingerprints that enabled Malwarebytes to cluster LazyScripter's activity across campaigns spanning 2018–2021.
T1562.001 | Disable Security Tools | KOCTOPUS disables Microsoft security products as part of its post-UAC-bypass installation sequence, before downloading and installing the final RAT payload. This ensures the Koadic, Octopus, LuminosityLink, or other RAT payload is not detected by Windows Defender on installation. The disablement is performed programmatically through PowerShell and Windows Command Shell commands.
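The T1204.002 row is the one most defenders miss, because macro-focused controls never look at embedded objects. The script below is an added example (not code from the original profile, Malwarebytes, or Lab52) that triages a .docx for embedded objects whose stream names an executable or script file. It assumes the OOXML layout: a .docx is a ZIP, embedded OLE objects sit under word/embeddings/ and are referenced from word/_rels/document.xml.rels with the oleObject relationship type, and a Packager object keeps the original filename as a plain ANSI string inside its stream, so a byte search finds it without a full OLE parser. The sample document it builds is constructed, not a real maldoc.

```python
"""Triage a .docx for embedded objects that carry executable or script payloads
behind a document icon. Added example, not code from the original profile,
Malwarebytes, or Lab52. Assumptions: a .docx is a ZIP archive; embedded OLE
objects live under word/embeddings/ and are referenced from
word/_rels/document.xml.rels with the oleObject relationship type; a Packager
object keeps the original filename as an ANSI string inside the stream, so a
byte search finds it (a heuristic, not a full OLE parser)."""
import io
import re
import zipfile
from dataclasses import dataclass, field

OLE_REL = "http://schemas.openxmlformats.org/officeDocument/2006/relationships/oleObject"
# Filenames with these extensions should never sit behind a PDF/Word/Excel icon.
FILENAME_RE = re.compile(
    rb"[A-Za-z0-9 _\-\.\(\)]{1,120}\.(?:bat|cmd|exe|vbs|vbe|js|jse|ps1|scr|wsf|hta)\b",
    re.I,
)


@dataclass
class Finding:
    member: str                                  # ZIP member holding the embedded object
    names: list = field(default_factory=list)    # payload-looking filenames found in the stream
    ole_related: bool = False                    # referenced from document.xml.rels as an oleObject

    def is_suspicious(self) -> bool:
        return bool(self.names)


def triage_docx(data: bytes) -> list:
    """Return one Finding per word/embeddings/* member of the document."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as z:
        members = set(z.namelist())
        rels = ""
        if "word/_rels/document.xml.rels" in members:
            rels = z.read("word/_rels/document.xml.rels").decode("utf-8", "replace")
        # Collect Target= of every oleObject relationship (attribute order varies between writers).
        ole_targets = set(re.findall(r'Type="%s"[^>]*Target="([^"]+)"' % re.escape(OLE_REL), rels))
        ole_targets |= set(re.findall(r'Target="([^"]+)"[^>]*Type="%s"' % re.escape(OLE_REL), rels))
        for member in sorted(members):
            if not member.startswith("word/embeddings/"):
                continue
            blob = z.read(member)
            names = sorted({m.decode("latin-1") for m in FILENAME_RE.findall(blob)})
            findings.append(Finding(member, names, member[len("word/"):] in ole_targets))
    return findings


def build_sample_docx(embedded_name=None) -> bytes:
    """Constructed sample (not a real maldoc): a minimal docx, optionally with one
    embedded object whose stream names a file like the lures in this profile."""
    rels = ['<?xml version="1.0" encoding="UTF-8"?>',
            '<Relationships xmlns="http://schemas.openxmlformats.org/package/2006/relationships">']
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("[Content_Types].xml", "<Types/>")
        z.writestr("word/document.xml", "<w:document/>")
        if embedded_name:
            rels.append('<Relationship Id="rId5" Type="%s" Target="embeddings/oleObject1.bin"/>' % OLE_REL)
            # Fake compound-file header, then a Packager-style label, filename and source path.
            stream = (b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1" + b"\x00" * 16 + b"Package\x00"
                      + embedded_name.encode("latin-1") + b"\x00"
                      + b"C:\\Users\\victim\\Downloads\\" + embedded_name.encode("latin-1") + b"\x00MZ")
            z.writestr("word/embeddings/oleObject1.bin", stream)
        rels.append("</Relationships>")
        z.writestr("word/_rels/document.xml.rels", "".join(rels))
    return buf.getvalue()


if __name__ == "__main__":
    for f in triage_docx(build_sample_docx("BSPLink Upgrade.exe")):
        print(f.member, "ole_related=%s" % f.ole_related,
              "SUSPICIOUS" if f.is_suspicious() else "ok", f.names)
```

Run it on a real document by passing the file's bytes to triage_docx; any Finding with is_suspicious() true is worth opening in a sandbox rather than on a workstation. The check is deliberately cheap and catches only the Packager pattern described in the profile; a full OLE parser (for example olefile) is the next step when the byte search returns nothing but the document still carries embeddings.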

Known Campaigns

LazyScripter's campaigns are defined by their lure themes rather than discrete operational clusters. The group runs continuous spam operations with lures updated to match current IATA product releases and immigration events.

Initial Campaign — Canadian Immigration Job Seekers Aug 2018–Jan 2020

LazyScripter's earliest documented activity targets individuals seeking immigration to Canada through government-supported employment programs. The group used the legitimate Canadavisa.com website as a phishing lure reference, mimicking immigration communications to reach a high-motivation victim pool. During this period, the group was using the Empoder loader to deliver PowerShell Empire — the earliest documented tooling stage before the pivot to KOCTOPUS and the Koadic/Octopus RAT combination. Malwarebytes retroactively traced this activity through analysis of KOCTOPUS loader artifacts and campaign infrastructure overlap.

COVID-19 WHO Spoof / Pandemic-Themed Campaign Mar 2020

In March 2020, SANS ISC InfoSec Forums reported a multi-stage attack exploiting COVID-19 pandemic themes. The attack spoofed the World Health Organization and delivered a variant of KOCTOPUS — which Malwarebytes later identified as a LazyScripter payload through KOCTOPUS technical artifacts. This campaign represented a significant opportunistic expansion beyond IATA and immigration lures, targeting a broader audience using the universal concern generated by the pandemic's early weeks. LazyScripter continued using COVID-19 lures through 2020 alongside its primary target categories.

IATA / BSPLink / IATA ONE ID Airline Campaign 2020–2021

By late 2020, LazyScripter was actively targeting airlines and IATA members with lures themed around BSPLink (the global airline billing settlement platform), IATA security alerts, and user support kits for IATA software. The February 5, 2021 campaign — the last publicly documented campaign before Malwarebytes' public disclosure — delivered KOCTOPUS masquerading as "BSPLink Upgrade.exe," dropping both Octopus and Koadic plus a Quasar RAT variant. Shortly before the disclosure, the group pivoted to a new lure theme mimicking IATA ONE ID, a contactless passenger processing tool newly introduced in response to COVID-19. This demonstrated active monitoring of IATA product development to keep lures timely and credible for airline personnel.

European Entity Campaign — H-Worm Double Compromise Jul 2021

Lab52 documented a LazyScripter campaign in July 2021 targeting important European entities. During investigation, researchers discovered that the online script obfuscation tool LazyScripter used had itself been compromised by a separate threat actor identified as HackFree, who injected njRAT downloader code into the obfuscation tool's output. This created a "double compromise" scenario: victims who opened LazyScripter's malware were simultaneously infected by both LazyScripter's intended payload (H-Worm variant with date-triggered njRAT dropper) and HackFree's separate njRAT variant. The LazyScripter H-Worm variant included a date-trigger mechanism — hardcoded dates compared to the current system date that, when reached or passed, triggered a specific function dropping an additional payload. The infrastructure overlap with the ignorelist[.]com domain stub confirmed attribution to LazyScripter.

Tools & Malware

LazyScripter's toolset is entirely composed of open-source and commercially available tools. The group develops no custom RATs — a deliberate evasion strategy that sacrifices capability depth for attribution resistance.

  • KOCTOPUS (custom loader): The group's sole custom-developed component — a multi-stage loader used to deliver Octopus and Koadic to victim systems. Despite the name, KOCTOPUS itself is not a RAT but a delivery and persistence mechanism. It exists in four documented variants: batch file, executable, VBScript, and registry key-based. All variants perform UAC bypass, disable Microsoft security products, download the target RAT payload from GitHub or C2 infrastructure, and install it to the AutoRun registry key for persistence. Batch file variants are obfuscated with the BatchEncryption tool. Later versions also download secondary RATs (LuminosityLink, RMS, Quasar) alongside Koadic and Octopus.
  • Empoder (custom loader — early phase): The predecessor loader to KOCTOPUS, used in the 2018–2019 phase to deliver PowerShell Empire. Functionally analogous to KOCTOPUS but designed for the Empire post-exploitation framework rather than Koadic and Octopus. The transition from Empoder to KOCTOPUS marked the group's toolset evolution from PowerShell Empire to the double-RAT model.
  • Octopus: An open-source multi-stage RAT used as one of the two primary payloads in the double-RAT model. Octopus provides C2 communication and victim control capabilities. It is one of the publicly available tools in the LazyScripter arsenal that does not provide a unique attribution fingerprint — Octopus is used by multiple threat actors. KOCTOPUS and Octopus were named together by Malwarebytes to reflect the loader-payload relationship.
  • Koadic: An open-source JScript/VBScript-based post-exploitation framework with COM-based C2. Koadic provides hands-on-keyboard access to compromised systems. Notably, the only two threat actors previously documented using Koadic are MuddyWater (Iran) and APT28 (Russia) — LazyScripter's use of Koadic is one of the primary technical factors in the Middle East attribution assessment. Malwarebytes found no connection to APT28 but assessed similarities with MuddyWater's past Koadic use.
  • PowerShell Empire: A widely used open-source post-exploitation framework delivered via the Empoder loader in the group's early operational phase (2018–2019). PowerShell Empire provides extensive post-compromise capability for lateral movement, persistence, and data collection. LazyScripter's use of Empire alongside Koadic is shared with MuddyWater's documented TTP profile.
  • LuminosityLink / Remcos / Quasar / njRAT / RMS: A rotating roster of commercially available and open-source RATs dropped as secondary payloads by KOCTOPUS alongside the primary Koadic and Octopus implants. These tools provide remote access, keylogging, file theft, and surveillance capabilities. Their widespread availability means none can be attributed to a specific actor — a core feature of the LazyScripter model. All use the same C2 infrastructure as the primary payloads.
  • Invoke-Ngrok / Ngrok: The reverse proxy tool Ngrok (through Invoke-Ngrok) appears in LazyScripter's toolset per MITRE ATT&CK G0140 listing alongside the core RATs, providing an additional tunneling mechanism for C2 communication.
  • Nishang: An open-source PowerShell offensive framework also listed in the G0140 MITRE toolset, used alongside Empire and the scripting components for post-compromise execution and lateral movement.

Indicators of Compromise

Key technical indicators from the Malwarebytes February 2021 technical report and supplementary research. Infrastructure IOCs for this group rotate rapidly given the use of free dynamic DNS providers and disposable GitHub accounts. Behavioral and loader-based indicators are more durable.

attribution warning

LazyScripter's exclusive use of commodity open-source RATs means that individual tool hashes and behavioral signatures overlap substantially with other threat actors including MuddyWater, OilRig, and APT28. No individual IOC below is uniquely attributable to LazyScripter without corroborating indicators. Treat tool-based IOCs as necessary but not sufficient for attribution. Infrastructure IOCs (dynamic DNS, GitHub accounts) rotate frequently and should be treated as high-staleness by default.

indicators of compromise — technical identifiers
loader (custom): KOCTOPUS — 4 variants: batch (BatchEncryption obfuscated), executable, VBScript, registry key; delivers Octopus + Koadic + secondary RATs
loader (early phase): Empoder — PowerShell Empire loader; used 2018–2019 before transition to KOCTOPUS
masquerade filenames: BSPLink Upgrade.exe; IATA ONE ID.exe; Upgrade.exe (KOCTOPUS variants posing as IATA software)
document lure icons: PDF, Word, Excel icons on embedded batch/executable/VBScript objects within maldocs (not macros)
obfuscation tool: BatchEncryption — used to obfuscate batch-variant KOCTOPUS payloads
github accounts (deleted): LIZySARA (deleted Jan 12, 2021); Axella49 (deleted Jan 14, 2021); OB2021 (created Feb 2, 2021)
c2 provider (dns): Duck DNS; FreeDNS — 5 subdomains across 4 dynamic DNS providers (documented in 2021 report)
url shorteners (delivery): bit.ly; cutt.ly — used to redirect victims to GitHub payloads or C2 IP addresses
phishing lure domain: stub[.]ignorelist[.]com — attributed to LazyScripter C2 infrastructure (Lab52 July 2021)
tool roster (all oss): Koadic; Octopus; PowerShell Empire; LuminosityLink; Remcos; Quasar RAT; njRAT; RMS; Invoke-Ngrok; Nishang
lure themes (current): IATA security; IATA ONE ID; BSPLink Updater; Canada Visa; Canada Skilled Worker; COVID-19 (WHO); UNWTO tourism; Microsoft Updates
registry persistence: HKCU\Software\Microsoft\Windows\CurrentVersion\Run — AutoRun key used for KOCTOPUS and RAT persistence

Mitigation & Defense

Defensive recommendations specifically for organizations in LazyScripter's target profile — airlines using IATA BSPLink, IATA member organizations, Canadian immigration service providers, and similar entities.

  • Embedded Object Execution Controls: LazyScripter's defining delivery method is embedded batch files, executables, and VBScript within Office documents — not macros. Standard macro-disablement policies do not address this vector. Configure Windows to prompt before executing embedded objects in Office documents and disable automatic execution of embedded OLE objects. Implement application allowlisting that prevents unexpected executable launches from Office process trees, specifically blocking batch files and VBScript execution originating from Word or Excel.
  • GitHub Download Monitoring: LazyScripter stages KOCTOPUS and RAT payloads on GitHub repositories delivered to victims via email links. Monitor for file downloads originating from github.com when initiated by Office applications, email clients, or browsers with IATA or immigration-themed referrers. GitHub downloads from non-developer endpoints to executable file types (EXE, BAT, VBS, ZIP) warrant immediate investigation, particularly when the downloaded filename matches IATA software naming conventions.
  • Dynamic DNS Alerting: The group exclusively uses free dynamic DNS providers (Duck DNS, FreeDNS) for C2. Block or aggressively alert on DNS resolutions and outbound connections to Duck DNS and FreeDNS subdomains (*.duckdns.org, *.freedns.afraid.org, *.mooo.com and similar) from enterprise endpoints. Legitimate enterprise applications do not typically communicate with free dynamic DNS services.
  • UAC Bypass Detection: KOCTOPUS bypasses UAC as a standard step. Monitor for UAC bypass techniques including fodhelper.exe, eventvwr.exe, and sdclt.exe hijacking — all known UAC bypass methods used by commodity loaders. Alert on processes launching with elevated privileges following unusual parent-process chains from Office applications or script interpreters.
  • Employee Training for IATA and Immigration Lures: LazyScripter's phishing is highly targeted by topic: BSPLink update notifications, IATA security alerts, and IATA ONE ID communications are the specific lure categories airline employees encounter. Train airline staff, particularly those in finance, operations, and IT who handle BSPLink and IATA interfaces, to verify software update notifications through official IATA channels before executing any downloaded files. Canadian immigration offices and service providers should similarly train staff on Canadian visa program phishing given the decade-long consistency of that lure category.
  • Registry AutoRun Monitoring: KOCTOPUS installs RAT payloads to the AutoRun registry key at HKCU\Software\Microsoft\Windows\CurrentVersion\Run. Monitor for new entries in Run and RunOnce keys — particularly entries pointing to script files, batch files, or executables in non-standard paths like %TEMP% or %APPDATA%. This is a high-fidelity detection point because legitimate software rarely adds items to HKCU Run keys without explicit user installation consent.
  • PowerShell Logging and Constrained Language Mode: Empoder and KOCTOPUS variants rely heavily on PowerShell for payload download, AV disablement, and persistence. Enable PowerShell Script Block Logging (Event ID 4104) and Module Logging to capture PowerShell execution details. Implement Constrained Language Mode for standard user accounts to limit PowerShell capabilities without a full execution block.
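Several of the items above (dynamic DNS alerting, Office process trees launching script hosts, UAC bypass parent chains, HKCU Run entries pointing into user-writable paths, and GitHub payload downloads initiated by Office or mail clients) are simple enough to express as rules. The block below is an added example, not code from the original profile or any EDR product: it encodes those rules as Python functions and runs them over constructed telemetry. The event dictionaries, their field names, the placeholder account names in the URLs and the list of UAC-bypass binaries to watch are assumptions taken from the bullets above, to be mapped onto your own SIEM schema.

```python
"""Detection rules for the mitigation items above, run over constructed
telemetry. Added example, not from the original profile or any EDR vendor; the
event dictionaries and their field names are assumptions for this example."""
import re
from collections import Counter
from urllib.parse import urlsplit, unquote

# Dynamic DNS zones named in the profile; extend with your own provider list.
DYNDNS_SUFFIXES = (".duckdns.org", ".freedns.afraid.org", ".mooo.com")
OFFICE_AND_MAIL = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
SCRIPT_HOSTS = {"cmd.exe", "wscript.exe", "cscript.exe", "powershell.exe", "mshta.exe"}
UAC_BYPASS_HOSTS = {"fodhelper.exe", "eventvwr.exe", "sdclt.exe"}   # binaries named in the bullet above
GITHUB_HOSTS = {"github.com", "raw.githubusercontent.com", "objects.githubusercontent.com"}
RUN_KEY_RE = re.compile(r"\\Software\\Microsoft\\Windows\\CurrentVersion\\(Run|RunOnce)$", re.I)
USER_WRITABLE = ("\\appdata\\", "\\temp\\", "\\users\\public\\")
PAYLOAD_EXT = (".exe", ".bat", ".cmd", ".vbs", ".js", ".ps1", ".zip")


def _base(image: str) -> str:
    """Lower-case file name of an image path."""
    return image.rsplit("\\", 1)[-1].lower()


def rule_dynamic_dns(ev):
    return ev["type"] == "dns" and ev["query"].lower().rstrip(".").endswith(DYNDNS_SUFFIXES)


def rule_office_spawns_script_host(ev):
    return (ev["type"] == "process" and _base(ev["parent"]) in OFFICE_AND_MAIL
            and _base(ev["image"]) in SCRIPT_HOSTS)


def rule_uac_bypass_child(ev):
    return (ev["type"] == "process" and _base(ev["parent"]) in UAC_BYPASS_HOSTS
            and _base(ev["image"]) in SCRIPT_HOSTS)


def rule_run_key_user_writable(ev):
    if ev["type"] != "registry" or not RUN_KEY_RE.search(ev["key"]):
        return False
    m = re.match(r'"([^"]+)"|(\S+)', ev["data"])      # first token of the value is the launched path
    target = (m.group(1) or m.group(2)).lower() if m else ""
    return any(p in target for p in USER_WRITABLE) and target.endswith(PAYLOAD_EXT)


def rule_github_payload_download(ev):
    if ev["type"] != "download" or _base(ev["initiator"]) not in OFFICE_AND_MAIL:
        return False
    u = urlsplit(ev["url"])
    return u.hostname in GITHUB_HOSTS and unquote(u.path).lower().endswith(PAYLOAD_EXT)


RULES = {
    "dynamic_dns_c2": rule_dynamic_dns,
    "office_spawns_script_host": rule_office_spawns_script_host,
    "uac_bypass_child": rule_uac_bypass_child,
    "run_key_user_writable": rule_run_key_user_writable,
    "github_payload_download": rule_github_payload_download,
}


def evaluate(events):
    """Return (rule_name, event_index) for every event/rule match, in event order."""
    return [(name, i) for i, ev in enumerate(events) for name, fn in RULES.items() if fn(ev)]


def summarize(events) -> Counter:
    return Counter(name for name, _ in evaluate(events))


# Constructed telemetry (not real observations); account and user names are placeholders.
SAMPLE_EVENTS = [
    {"type": "dns", "query": "bsplink-update.duckdns.org"},
    {"type": "dns", "query": "login.microsoftonline.com"},
    {"type": "process", "parent": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "image": r"C:\Windows\System32\cmd.exe", "cmdline": r'cmd.exe /c "%TEMP%\BSPLink Upgrade.bat"'},
    {"type": "process", "parent": r"C:\Windows\System32\fodhelper.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe", "cmdline": "powershell.exe"},
    {"type": "process", "parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Program Files\Google\Chrome\Application\chrome.exe", "cmdline": "chrome.exe"},
    {"type": "registry", "key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run", "name": "Updater",
     "data": r'"C:\Users\jdoe\AppData\Roaming\Updater\svc.vbs"'},
    {"type": "registry", "key": r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run", "name": "VendorAgent",
     "data": r'"C:\Program Files\Vendor\agent.exe" --service'},
    {"type": "download", "initiator": r"C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE",
     "url": "https://github.com/EXAMPLE-ACCOUNT/updates/raw/main/BSPLink%20Upgrade.exe"},
    {"type": "download", "initiator": r"C:\Program Files\Git\cmd\git.exe",
     "url": "https://github.com/EXAMPLE-ORG/tooling/archive/refs/heads/main.zip"},
]

if __name__ == "__main__":
    for name, i in evaluate(SAMPLE_EVENTS):
        print("%-28s event[%d] %s" % (name, i, SAMPLE_EVENTS[i]))
```

Each rule is intentionally narrow so that its false-positive profile is easy to reason about: the GitHub rule only fires for Office and mail initiators, so developer tooling such as git.exe fetching an archive is ignored, and the Run-key rule requires both a user-writable path and a script or executable extension, which is the combination the profile describes for KOCTOPUS persistence.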

analyst note

LazyScripter's operational model is a practical demonstration of how low-sophistication actors can achieve persistent, multi-year undetected operations through strategic tool selection rather than technical depth. By relying entirely on shared open-source tools, the group traded away any capability advantage that custom malware provides in exchange for near-total attribution resistance — at the cost of being discovered when the same tools are identified in other threat actor campaigns. The deliberate choice to use embedded objects rather than macros reflects awareness of enterprise security controls and the ability to pivot around them. The Middle East attribution assessment rests primarily on the Koadic usage overlap with MuddyWater and general TTP similarities with Iranian-linked actors, but no solid technical evidence confirms this — the group may be a deliberate mimic of Iranian TTPs to confuse attribution, or an unrelated actor that happened to adopt the same open-source toolkit. The July 2021 "double compromise" incident — where LazyScripter was itself compromised through its tool supply chain — is a rare documented case of a threat actor being victimized through their own infrastructure, and illustrates the risks of relying on unvetted third-party obfuscation services for operational security.
