LazyScripter Threat Profile: Targeting Airlines and Global Workforce
- Suspected Origin
- Middle East
- Motivation
- Espionage
- Aliases
- None documented
- Target Sectors
- Airlines, Transportation, Immigration Services, Tourism
- Associated Malware
- OCTOPUS, Koadic, NjRat, LuminosityLink, Quasar, Remcos, RMS, NetWire, Adwind Rat, PowerShell Empire, KOCTOPUS, Empoder, BatchEncryption
Overview
LazyScripter, identified by MITRE ATT&CK as G0140, is a persistent threat group that has been actively conducting campaigns since at least 2018. This group distinguishes itself through a notable reliance on open-source and commercially available toolsets, rather than custom malware, which can make attribution challenging. Despite not developing bespoke sophisticated malware, LazyScripter has demonstrated an evolving set of tactics, techniques, and procedures (TTPs), allowing it to maintain an active operational posture and adapt its campaigns.
The group’s primary motivation appears to be cyber espionage, focusing on the theft of private information and business intelligence. This stolen data is likely intended for use in future targeted attacks or to fulfill intelligence-gathering objectives. While direct country attribution is difficult due to their chosen toolsets, TTP similarities to known Middle Eastern APT groups like MuddyWater and OilRig suggest a potential origin in the Middle East, though it operates as a distinct entity.
LazyScripter predominantly targets the airlines industry, with a particular focus on organizations and individuals associated with the International Air Transport Association (IATA), especially those using the BSPlink financial settlement software. Beyond the aviation sector, the group also targets individuals seeking immigration to Canada for work, as well as entities related to tourism, Microsoft updates, and bank transfer confirmations. This broader targeting indicates an opportunistic streak or a wider intelligence mandate that extends beyond just the airline industry, reaching a global victim pool, including European entities.
Tactics & Techniques
LazyScripter’s operational methodology often begins with initial access via carefully crafted phishing campaigns. These campaigns leverage spam emails containing malicious attachments or links designed to trick recipients into downloading payloads. The attachments typically consist of ZIP archives or document files that embed objects, frequently VBScript or batch files, rather than the more commonly observed malicious macros. These lures are highly themed to specific targets, mimicking legitimate communications from IATA security, BSPlink updates, IATA ONE ID, or immigration-related documents. During the COVID-19 pandemic, LazyScripter also adapted its lures, spoofing World Health Organization (WHO) emails with pandemic-related recommendations.
Upon successful execution, LazyScripter employs a variety of scripting interpreters for malicious code execution, including PowerShell, batch files, VBScript, and JavaScript. They leverage standard Windows utilities like mshta.exe and rundll32.exe to execute Koadic stagers. Persistence on compromised systems is achieved by writing PowerShell scripts to autorun registry keys.
For command and control (C2) infrastructure, LazyScripter has historically used dynamic DNS providers to create legitimate-looking subdomains. They have also utilized public platforms like GitHub to host their toolsets and payloads, though this practice has evolved, with accounts being deleted and activities shifting to platforms like Discord. To evade detection, the group has disguised executables with icons resembling legitimate security software and used the BatchEncryption tool for advanced batch script obfuscation and encoding.
Notable Campaigns
LazyScripter has been observed in consistent activity since 2018, with security researchers at Malwarebytes formally identifying and detailing the group’s operations in February 2021. Prior to this public disclosure, their activities had largely gone unnoticed for an estimated two years.
Early campaigns, dating back to 2018, targeted individuals seeking Canadian immigration. In subsequent campaigns, the focus shifted more intensely towards the airline sector, utilizing lures such as “BSPlink Upgrade.exe” and “IATA ONE ID.exe” in early 2021. In June 2021, the group launched another campaign using IATA security themes to target airlines. A campaign observed in July 2021 specifically targeted European entities, employing lures related to the United Nations World Tourism Organization (UNWTO). Analysis of some samples from 2021 even revealed instances where a third-party online obfuscating tool inadvertently injected its own malware, leading to a potential double compromise for victims.
Associated Malware & Tools
LazyScripter heavily relies on a mix of open-source and legitimate, commercially available tools for its operations. This approach allows the group to reduce development costs and complicate attribution.
Key malware and tools employed by LazyScripter include:
- Loaders: The group utilizes custom loaders named KOCTOPUS and Empoder. KOCTOPUS is designed to deliver a double payload of open-source Remote Access Trojans (RATs), while Empoder was used for the initial deployment of PowerShell Empire.
- Remote Access Trojans (RATs): LazyScripter frequently deploys open-source RATs such as OCTOPUS and Koadic. Additionally, they have been observed dropping a variety of commercially available or widely used RATs, including NjRat, LuminosityLink, Quasar, Remcos, RMS, NetWire, Adwind Rat, and ORCUS. The shift from a single RAT to a “double-RAT” tactic, delivering both OCTOPUS and Koadic, was noted in later campaigns.
- Post-Exploitation Frameworks: Initially, LazyScripter used the PowerShell Empire post-exploitation framework.
- Obfuscation Tools: The BatchEncryption tool is used for obfuscating batch scripts, aiding in defense evasion.
Current Status
LazyScripter remains an active threat group. Reports in early 2021 indicated that the infrastructure supporting their long-term campaigns was still operational, and the group continued to evolve its toolsets. Tracking of their activities extended through 2021, with reports in early 2022 detailing campaigns from July 2021. The MITRE ATT&CK entry for LazyScripter was last modified in May 2026, indicating ongoing relevance and analysis by the cybersecurity community. Their adaptability in switching C2 hosting from GitHub to Discord and consistently updating their lures and payloads demonstrates a persistent operational capability. Organizations, particularly within the aviation and related travel industries, as well as those providing immigration services, should remain vigilant against LazyScripter’s evolving phishing tactics.
Related content
Worried this actor targets your sector?
Let's map your exposure before they find it themselves.
Book an advisory call