{"id":2981,"date":"2025-10-24T13:35:31","date_gmt":"2025-10-24T11:35:31","guid":{"rendered":"https:\/\/lab52.io\/blog\/?p=2981"},"modified":"2026-03-01T17:21:53","modified_gmt":"2026-03-01T16:21:53","slug":"dreamloaders","status":"publish","type":"post","link":"https:\/\/lab52.io\/blog\/dreamloaders\/","title":{"rendered":"From Dream Job to Malware: DreamLoaders in Lazarus\u2019 Recent Campaign"},"content":{"rendered":"\n

During August 2025, Lab52 gained access to artifacts linked to Lazarus through DreamJob campaigns. Some of these artifacts and their operational details were recently highlighted by ESET (e.g., radcui.dll<\/em>, HideFirstLetter.dll<\/em>)<\/a>.
From our perspective, one of the most notable aspects of this campaign is the use of various types of loaders \u2014 components capable of deploying different payloads depending on the actors\u2019 needs.
These loaders are used in the DreamJob campaign, but we believe they could also appear in other operations. For us, they truly are dream loaders<\/strong><\/em>.
The operational flow observed by our team is shown in the following diagram.<\/p>\n\n\n

\n
\"\"<\/figure><\/div>\n\n\n

In this article, we describe the relationship between these artifacts and also detail the characteristics of TSVIPSrv.dll<\/strong>, a loader used by the group in the analyzed case.<\/p>\n\n\n\n


During the investigation, two deployment methods were observed, one of them involving the use of legitimate system executables<\/strong> to load the various loaders through DLL sideloading<\/strong>.
Given the diversity of loading mechanisms and their connection to the DreamJobs<\/strong> campaigns, we internally coined the term \u201cDreamLoaders\u201d<\/strong> to refer to this type of loader.<\/p>\n\n\n\n

Findings summary<\/h1>\n\n\n\n

As in other DreamJob<\/strong> cases, the attackers\u2014in this case, the Lazarus<\/strong> group\u2014aim for administrators of the targeted organizations to execute malware in order to extract credentials or other types of information, which are later used to gain access and perform further actions on the compromised systems.<\/p>\n\n\n\n

The analyzed case is particularly interesting because three deployment variants of the same loader<\/strong> were observed, which is the focus of this report.<\/p>\n\n\n\n

\n\n\n\n

Tnsviewer.exe<\/strong><\/h2>\n\n\n\n

A trojanized version of the TightVNC client, distributed inside a password-protected ZIP file<\/strong> along with a README.txt file containing instructions about the IP address the victim (i.e., the administrator) should connect to.<\/p>\n\n\n\n

This binary was already available on VirusTotal<\/a> at the start of the analysis. Behavioral data, contacted domains, and a memory dump of the process (executed via sandbox) were collected. This allowed analysts to retrieve a payload whose structure and characteristics are very similar to another identified artifact: TSVIPSrv.dll<\/strong>.<\/p>\n\n\n\n

Executing this artifact creates registry keys used by TightVNC and triggers the malware\u2019s operation, which is equivalent to the functionality of the HideFirstLetter.dll<\/strong> artifact described below.<\/p>\n\n\n\n

It is designed as a decoy<\/strong>, intended to be executed by an administrator.<\/p>\n\n\n\n

\n\n\n\n

Webservices.dll and radcui.dll<\/strong><\/h2>\n\n\n\n

Webservices.dll and radcui.dll were identified on compromised user systems. They are equivalent DLL loaders<\/strong> that are executed through DLL sideloading<\/strong>, using the legitimate binaries wkspbroker.exe<\/strong> and wksprt.exe<\/strong> (copied beforehand from C:\\Windows\\System32) and a password following a SID-like pattern<\/strong>, likely to blend in.<\/p>\n\n\n\n

These DLLs differ only in that each contains an encrypted payload<\/strong>, encoded in Base64 and decrypted using a different key (the SID-pattern argument passed at execution). Once decrypted and injected into memory, the payload is a DLL named HideFirstLetter.dll<\/strong>.<\/p>\n\n\n\n

HideFirstLetter.dll<\/strong> performs the same malicious activity observed when executing tnsviewer.exe:<\/p>\n\n\n\n

    \n
  • It attempts to authenticate to the tenant using the legitimate Microsoft URL. https:\/\/login.microsoftonline.com\/common\/oauth2\/v2.0\/token, leveraging an access token embedded in the binary.<\/li>\n<\/ul>\n\n\n
    \n
    \"\"<\/figure><\/div>\n\n\n
      \n
    • Then, it sends a request to the Microsoft Graph API<\/strong> to retrieve the URL of the compromised SharePoint<\/strong> server.<\/li>\n\n\n\n
    • Two Microsoft API URLs were found, although only one was reachable at the time of analysis.<\/li>\n\n\n\n
    • The returned value could serve as a key to decompress another payload, presumably obtained from the second URL. This hypothesis is based on the behavior of the other artifacts and their relationships\u2014particularly between the payload extracted from tnsviewer.exe and TSVIPSrv.dll<\/strong>.<\/li>\n<\/ul>\n\n\n
      \n
      \"\"<\/figure><\/div>\n\n\n
      \n\n\n\n

      TSVIPSrv.dll<\/strong> <\/h2>\n\n\n\n

      TSVIPSrv.dll is a loader identified on compromised servers. It is a DLL that is executed via a malicious service created by the attackers<\/strong>, named sessionenv<\/strong>. It also relies on two additional files previously placed by the attackers\u2014wordpad.dll.mui<\/strong> and msinfo32.dll.mui<\/strong>\u2014which contain the payloads to be loaded. During the investigation, only wordpad.dll.mui <\/strong>was accessible.<\/p>\n\n\n\n

      It includes two Base64-encoded resources: the first contains a password, and the second contains a file path to the next payload.<\/p>\n\n\n

      \n
      \"\"<\/figure><\/div>\n\n
      \n
      \"\"<\/figure><\/div>\n\n\n

      It uses RC4<\/strong> to decrypt the file path (pointing to wordpad.dll.mui<\/strong>).<\/p>\n\n\n

      \n
      \"\"<\/figure><\/div>\n\n\n

      It then decrypts and loads the contents of wordpad.dll.mui<\/strong>, which is again a variant of TSVIPSrv.dll<\/strong> that performs the same actions: read its own resources (this time in a different order), decrypt them with RC4, access the file, and attempt to load it.<\/p>\n\n\n\n

      Similarly, when this resource is decrypted, a path will be obtained that will load the following file into memory: C:\\Program Files\\Common Files\\Microsoft Shared\\MSInfo\\en-US\\msinfo32.dll.mui<\/strong>.<\/p>\n\n\n

      \n
      \"\"<\/figure><\/div>\n\n\n

      An important detail is that TSVIPSrv.dll, can be used to load different modular payloads, since the content is independent and stored in other files (the .mui files)<\/strong>. Therefore, it is significant that, for the two DLLs found on two different machines, the collected .mui files are identical. This implies that the same payload was deployed on both machines.<\/p>\n\n\n\n

      So, TSVIPSrv.dll decrypts the file wordpad.dll.mui, which in turn is another DLL very similar to TSVIPSrv.dll. A comparison between that DLL once decrypted and the payload of tnsviewer.exe shows an 85% code similarity, suggesting that the final DLL might be even more similar.<\/p>\n\n\n

      \n
      \"\"<\/figure><\/div>\n\n
      \n
      \"\"<\/figure><\/div>\n\n\n

      Conclusion<\/h1>\n\n\n\n

      The investigation into Lazarus group\u2019s DreamJobs campaign reveals a sophisticated and modular malware deployment strategy, leveraging legitimate system binaries and encrypted payloads to evade detection. Through the analysis of artifacts like TSVIPSrv.dll, HideFirstLetter.dll, and trojanized tools such as tnsviewer.exe, it is possible to see a high degree of code reuse and stealthy sideloading techniques. The presence of identical payloads across different systems is part of a coordinated and targeted effort.<\/p>\n\n\n\n

      This case underscores a critical lesson: attackers continuously refine their methods, often hiding in plain sight by mimicking legitimate processes. Therefore, vigilance, proactive threat hunting, and deep technical analysis remain essential in defending against advanced persistent threats.<\/p>\n\n\n\n

      IOC<\/h1>\n\n\n\n

      Files<\/h2>\n\n\n\n
      Name<\/strong><\/td>Hash sha256<\/strong><\/td><\/tr>
      tnviewer.exe<\/td>aefc12b500b58fbc09ebbf34fe64b34cb32a27513478f4769447280ad23af4d2 0fdd97a597380498f6b2d491f8f50da8f903def4ea6e624b89757456c287f92d<\/td><\/tr>
      radcui.dll<\/td>fa014db2936da21af5943cc8f3656adb9800173ad86af196f71c6052295fff97<\/td><\/tr>
      webservices.dll<\/td>26bd4aab63563e77ca426c23b11d18d894eef9a727e111be79336e099b22bdd1<\/td><\/tr>
      TSVIPSrv.dll<\/td>473726dd9bc034564c4c7b951df12d102ff24f7b17b8356f55d36ed6d908882d   <\/td><\/tr>
      wordpad.dll.mui<\/td>b3d7a3c3dedaa873e81b1676b6c0027ae1fd164587299bf65c02bd067ae1a972<\/td><\/tr>
      wordpad.dll.mui decyphered (only in memory)<\/td>855baa2ff0c3e958a660ae84a048ce006e07cf51ce5192c0de364ee62873980c<\/td><\/tr><\/tbody><\/table><\/figure>\n\n\n\n

      Comunications<\/h2>\n\n\n\n
      Artifact name<\/strong><\/td>Domain<\/strong><\/td><\/tr>
      tnviewer.exe<\/td>alex2moe-my.sharepoint[.com coralsunmarine[.com<\/td><\/tr>
      HideFirstLetter.exe<\/td>cseabrahamlincoln-my[.sharepoint.com               <\/td><\/tr><\/tbody><\/table><\/figure>\n","protected":false},"excerpt":{"rendered":"

      During August 2025, Lab52 gained access to artifacts linked to Lazarus through DreamJob campaigns. Some of these artifacts and their operational details were recently highlighted by ESET (e.g., radcui.dll, HideFirstLetter.dll).From our perspective, one of the most notable aspects of this campaign is the use of various types of loaders \u2014 components capable of deploying different […]<\/p>\n","protected":false},"author":31,"featured_media":3020,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_genesis_hide_title":false,"_genesis_hide_breadcrumbs":false,"_genesis_hide_singular_image":false,"_genesis_hide_footer_widgets":false,"_genesis_custom_body_class":"","_genesis_custom_post_class":"","_genesis_layout":"","footnotes":""},"categories":[21],"tags":[86,85],"class_list":{"0":"post-2981","1":"post","2":"type-post","3":"status-publish","4":"format-standard","5":"has-post-thumbnail","7":"category-apt","8":"tag-dreamloader","9":"tag-lazarus","10":"entry"},"featured_image_src":"https:\/\/lab52.io\/blog\/wp-content\/uploads\/2025\/10\/lobo-600x400.jpg","featured_image_src_square":"https:\/\/lab52.io\/blog\/wp-content\/uploads\/2025\/10\/lobo-600x600.jpg","author_info":{"display_name":"10ba","author_link":"https:\/\/lab52.io\/blog\/author\/10ba\/"},"_links":{"self":[{"href":"https:\/\/lab52.io\/blog\/wp-json\/wp\/v2\/posts\/2981"}],"collection":[{"href":"https:\/\/lab52.io\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/lab52.io\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/lab52.io\/blog\/wp-json\/wp\/v2\/users\/31"}],"replies":[{"embeddable":true,"href":"https:\/\/lab52.io\/blog\/wp-json\/wp\/v2\/comments?post=2981"}],"version-history":[{"count":18,"href":"https:\/\/lab52.io\/blog\/wp-json\/wp\/v2\/posts\/2981\/revisions"}],"predecessor-version":[{"id":3149,"href":"https:\/\/lab52.io\/blog\/wp-json\/wp\/v2\/posts\/2981\/revisions\/3149"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/lab52.io\/blog\/wp-json\/wp\/v2\/media\/3020"}],"wp:attachment":[{"href":"https:\/\/lab52.io\/blog\/wp-json\/wp\/v2\/media?parent=2981"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/lab52.io\/blog\/wp-json\/wp\/v2\/categories?post=2981"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/lab52.io\/blog\/wp-json\/wp\/v2\/tags?post=2981"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}