Cybersecurity researchers at ENKI have identified a new variant of the Comebacker backdoor, attributed to the North Korean Lazarus Group, in a targeted espionage campaign against the aerospace and defense sectors. The campaign uses malicious Word documents (.docx) containing VBA macros, which deploy a multi-stage infection chain ending in a memory-resident backdoor communicating via AES-encrypted HTTPS.
“The malware is delivered via lure documents themed around prominent aerospace and defense organizations, indicating a targeted espionage campaign against this sector,” ENKI researchers wrote. “Pivoting from the initial C&C infrastructure, we uncovered an additional C&C domain and a related Comebacker sample, suggesting the campaign has been active since at least March 2025.”
Comebacker was first identified by Google's Threat Analysis Group (TAG) in 2021 during a campaign targeting security researchers, and was later analyzed by Microsoft under the same codename. Originally serving as a downloader and backdoor capable of executing DLL payloads from a C2 server, the malware resurfaced in 2024 within malicious PyPI packages, showing Lazarus' continued experimentation with software supply chain tactics.
Now, ENKI's findings point to a significant technical evolution. The new variant not only introduces ChaCha20 encryption for its payload stages but also encrypts its C2 traffic with AES-128-CBC, a substantial hardening of the malware's communications compared with the plaintext C2 traffic of earlier versions.
“The newly identified variant deviates from this by introducing a custom XOR/bit-swap algorithm for the initial dropper stage and adopting ChaCha20 for subsequent loader stages,” the report stated. “Variants observed since March 2025 introduce encrypted C2 communications, using AES-128-CBC to encrypt C&C traffic.”
The infection begins when a victim opens a malicious Word document and enables macros. ENKI extracted the VBA code using the olevba tool and discovered it decrypts two embedded components: a loader DLL and a decoy document. These files are written to C:\ProgramData\WPSOffice\wpsoffice_aam.ocx and C:\ProgramData\Document\EDGE_Group_Interview_NDA.docx, respectively.
“We identified four distinct decoy documents leveraging themes related to the aerospace and defense sectors, including lures impersonating Edge Group, Indian Institute of Technology Kanpur (IIT Kanpur), and Airbus,” ENKI reported. “This specific targeting strongly indicates the campaign’s objective is espionage.”
These decoys, titled Airbus_C295_Integration_Document_for_TASL.docx and Guest_Lecture_Invitation_Format_IITK.docx, were designed to appear authentic and trustworthy, exploiting victims’ professional context to achieve execution of the malicious macros.
The infection chain is composed of three distinct loader stages, each encrypted and obfuscated to hinder detection and reverse-engineering.
Stage 1 – wpsoffice_aam.ocx: Decrypts and decompresses the next payload using the ChaCha20 stream cipher with a static key and IV, then drops it to C:\ProgramData\USOShared\USOPrivate.dll.
Stage 2 – USOPrivate.dll: Uses the same ChaCha20 key to decrypt and execute the final Comebacker payload directly in memory, calling its export function GetWindowSizedW.
Stage 3 – Comebacker Payload: Generates a unique victim ID, establishes persistence via a PowerShell-created shortcut, and begins encrypted communication with its C2 domain hiremployee[.]com.
All C2 communication occurs via HTTPS using a custom AES-128-CBC scheme where the same value is used as both the key and IV — an unusual but effective obfuscation method.
“All C&C communications occur over HTTPS. The outbound data is first encrypted with AES-128-CBC and then Base64-encoded,” ENKI explained. “Data received from the C&C server is similarly Base64-decoded and then decrypted using the same AES-128-CBC key and IV.”
Commands from the C2 control the malware’s sleep intervals, process termination, and payload retrieval. When instructed, the malware downloads an encrypted payload, verifies it via MD5 hash comparison, and decrypts it using the same ChaCha20 routine. This modular design allows the operators to deploy arbitrary payloads post-compromise, depending on mission objectives.
By pivoting through infrastructure indicators, ENKI identified a second C2 domain, birancearea[.]com, with activity dating back to March 2025. This domain was tied to a Comebacker loader that reused Lazarus’ HC256 cipher code from its 2024 PyPI campaign.
This continuity suggests that Lazarus developers maintain a shared cryptographic framework across their toolsets, iterating between stream ciphers like HC256 and ChaCha20 depending on campaign needs.
Comebacker’s evolution mirrors Lazarus Group’s broader operational shift—from cyberespionage targeting researchers and developers to industrial and defense intelligence gathering. Earlier versions distributed via Visual Studio projects and PyPI packages focused on software engineers, while the latest campaign directly targets aerospace engineers and defense partners.
“The documents impersonate specific organizations in the aerospace and defense sector (Edge Group, IIT Kanpur, Airbus) and contain tailored content,” the report concluded. “This deliberate crafting of decoys for specific targets is a hallmark of spear phishing campaigns aimed at a small set of victims.”