S0238: Proxysvc
Proxysvc is a malicious DLL used by Lazarus Group in a campaign known as Operation GhostSecret. It appears to have been operating undetected since 2017 and was mostly observed in higher-education organizations. The goal of Proxysvc is to deliver additional payloads to the target and to maintain control for the attacker. It takes the form of a DLL that can also be executed as a standalone process. [1]
Analyst context for executives and security teams
Proxysvc is a malicious Windows DLL associated in ATT&CK with Lazarus Group and Operation GhostSecret. Its significance to the business goes beyond the malware name: its described purpose is to deliver additional payloads and maintain attacker control, with related behaviors spanning command execution, discovery, collection, exfiltration over command-and-control, file deletion, service execution, and data destruction. That makes it relevant to incident containment, evidence preservation, egress monitoring, and resilience planning, especially where Windows systems hold sensitive research, operational, or regulated data.
Executive priority
Treat this as a validation case for whether the organization can detect and investigate a Windows DLL-based intrusion that may progress from discovery to collection, exfiltration, and potential destructive activity. Leaders should ask whether SOC and IR teams can correlate suspicious DLL/service execution, command shell use, host discovery, outbound web-based C2-like traffic, and file deletion into a single incident narrative. Because ATT&CK provides no official detection guidance for this object, priority should be on proving telemetry coverage and response readiness rather than assuming existing tools cover it.
Technical view
For SOC and IR teams, map coverage around the ATT&CK relationships: Windows Command Shell, Service Execution, Query Registry, Process Discovery, System Information Discovery, File and Directory Discovery, Local Storage Discovery, Automated Collection, Data from Local System, Web Protocols for command-and-control, Exfiltration Over C2 Channel, File Deletion, and Data Destruction. Validate that Windows endpoint logs, process lineage, service creation/execution records, registry query visibility, file-system activity, and outbound HTTP/S metadata can be correlated. Since Proxysvc is described as a DLL that can also execute as a standalone process, pay attention to unusual DLL load paths, unsigned or unexpected DLL execution patterns, abnormal parent-child process chains, and service-control activity tied to command shell execution.
Likely telemetry
- Windows process creation and command-line telemetry
- DLL load/module telemetry where available
- Windows service creation, modification, and execution events
- Registry access/query telemetry
- File and directory enumeration, collection, deletion, and destruction-related file activity
Detection direction
- Build behavior-based detections around chains of activity rather than the malware name alone: service execution or unusual DLL execution followed by command shell use, discovery commands, file enumeration, and outbound web traffic.
- Tune for false positives from legitimate administration tools, software deployment, backup agents, inventory scanners, and service management activity by requiring suspicious parent process, execution path, user context, destination, or timing context.
- Validate that web protocol monitoring can distinguish normal business HTTP/S traffic from unusual beaconing, rare destinations, or host-to-external communications following discovery or collection activity.
- Correlate file deletion with prior tool execution or collection activity to support evidence-preservation decisions during IR.
- Use the Lazarus Group relationship as threat-intelligence context for prioritization, but do not rely on attribution as a detection condition.
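As an added example (not part of the ATT&CK object or of Glexia's analysis), the following Python sketch correlates constructed Sysmon-style events into the chain described above: a service installed from an untrusted path, a command shell spawned by a service host, discovery commands, outbound web traffic, and file deletion. It only alerts when several distinct stages occur on one host within a time window, so a lone discovery command from an interactive admin session does not fire. Event field names, hosts, paths, addresses and the DLL name are assumptions.

```python
from datetime import datetime, timedelta

# Constructed Sysmon-style events for illustration (hosts, paths, IPs and DLL name are invented).
SAMPLE_EVENTS = [
    {"ts": "2024-01-10T09:00:00", "host": "WS01", "kind": "service_installed",
     "image": "C:\\Windows\\Temp\\updater.dll"},
    {"ts": "2024-01-10T09:00:05", "host": "WS01", "kind": "process_create",
     "image": "C:\\Windows\\System32\\cmd.exe", "parent": "C:\\Windows\\System32\\svchost.exe",
     "cmdline": "cmd.exe /c tasklist > C:\\Windows\\Temp\\out.tmp"},
    {"ts": "2024-01-10T09:00:40", "host": "WS01", "kind": "network_connect",
     "image": "C:\\Windows\\System32\\svchost.exe", "dst": "203.0.113.10", "dst_port": 443},
    {"ts": "2024-01-10T09:02:00", "host": "WS01", "kind": "file_delete",
     "image": "C:\\Windows\\System32\\cmd.exe", "target": "C:\\Windows\\Temp\\out.tmp"},
    # Benign: an admin runs tasklist from an interactive shell; no service or egress context.
    {"ts": "2024-01-10T09:05:00", "host": "WS02", "kind": "process_create",
     "image": "C:\\Windows\\System32\\cmd.exe", "parent": "C:\\Windows\\explorer.exe",
     "cmdline": "cmd.exe /c tasklist"},
]
TRUSTED_DIRS = ("c:\\windows\\system32\\", "c:\\program files\\")   # tune per environment
DISCOVERY_WORDS = ("tasklist", "systeminfo", "reg query", "dir ", "hostname")
WINDOW = timedelta(minutes=15)

def stages_of(ev):
    # Map one event to the chain stages it evidences (possibly none).
    img, parent, cmd = (ev.get(k, "").lower() for k in ("image", "parent", "cmdline"))
    out = []
    if ev["kind"] == "service_installed" and not img.startswith(TRUSTED_DIRS):
        out.append("service_execution")   # service binary outside trusted directories
    if ev["kind"] == "process_create" and img.endswith("cmd.exe"):
        if parent.endswith("svchost.exe"):
            out.append("command_shell")   # shell spawned by a service host, not a user session
        if any(w in cmd for w in DISCOVERY_WORDS):
            out.append("discovery")
    if (ev["kind"] == "network_connect" and ev.get("dst_port") in (80, 443)
            and not ev.get("dst", "").startswith(("10.", "192.168."))):
        out.append("outbound_web")        # HTTP/S to a non-internal destination
    if ev["kind"] == "file_delete":
        out.append("file_deletion")
    return out

def find_chains(events, min_stages=3):
    # Return {host: sorted stages} for hosts with >= min_stages distinct stages inside WINDOW.
    by_host, hits = {}, {}
    for ev in sorted(events, key=lambda e: e["ts"]):
        for st in stages_of(ev):
            by_host.setdefault(ev["host"], []).append((datetime.fromisoformat(ev["ts"]), st))
    for host, seq in by_host.items():
        for i, (t0, _) in enumerate(seq):
            stages = {s for t, s in seq[i:] if t - t0 <= WINDOW}
            if len(stages) >= min_stages:
                hits[host] = sorted(stages)
                break
    return hits
```

Running `find_chains(SAMPLE_EVENTS)` flags only WS01, with all five stages; WS02's single discovery command is below the threshold.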
Mitigation priorities
- Prioritize Windows endpoint hardening and monitoring for DLL execution, service abuse, command shell use, and registry/system discovery activity.
- Restrict unnecessary administrative privileges and service-control capabilities to reduce opportunities for service-based execution.
- Maintain outbound network controls and logging for HTTP/S egress so potential C2 and exfiltration paths are visible and reviewable.
- Ensure backups, recovery procedures, and destructive-activity response playbooks are tested because related behaviors include Data Destruction.
- Prepare IR procedures for rapid host isolation, volatile evidence capture, and preservation of service, process, registry, file, and network artifacts.
Analyst notes and limits
The supplied ATT&CK object identifies Proxysvc as a Windows malicious DLL used by Lazarus Group in Operation GhostSecret, mostly observed in higher education organizations, with a purpose of delivering additional payloads and maintaining attacker control. The relationship set gives useful behavioral coverage even though the malware object itself has no listed tactics and no official detection text.
No official ATT&CK detection guidance, aliases, labels, or malware-specific indicators were provided. The related ATT&CK techniques include broad platform lists, but the Proxysvc object platform is Windows, so environment-specific validation should focus on Windows unless separate evidence supports other platforms. This take does not assert current activity, customer exposure, guaranteed detection, or confirmed impact beyond the supplied fields.
Proxysvc
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
Techniques used
This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.
| Domain | ID | Name | Relationship / procedure |
|---|---|---|---|
| Enterprise | T1005 | Data from Local System | Proxysvc searches the local system and gathers data. [1] |
| Enterprise | T1071.001 | Web Protocols | Proxysvc uses HTTP over SSL to communicate commands with the control server. [1] |
| Enterprise | T1070.004 | File Deletion | Proxysvc can delete files indicated by the attacker and remove itself from disk using a batch file. [1] |
| Enterprise | T1119 | Automated Collection | Proxysvc automatically collects data about the victim and sends it to the control server. [1] |
| Enterprise | T1569.002 | Service Execution | Proxysvc registers itself as a service on the victim's machine to run as a standalone process. [1] |
| Enterprise | T1680 | Local Storage Discovery | Proxysvc collects volume information for all drives on the system. [1] |
| Enterprise | T1083 | File and Directory Discovery | Proxysvc lists files in directories. [1] |
| Enterprise | T1082 | System Information Discovery | Proxysvc collects the OS version, country name, MAC address, computer name, and physical memory statistics. [1] |
| Enterprise | T1057 | Process Discovery | Proxysvc lists processes running on the system. [1] |
| Enterprise | T1041 | Exfiltration Over C2 Channel | Proxysvc performs data exfiltration over the control server channel using a custom protocol. [1] |
| Enterprise | T1012 | Query Registry | Proxysvc gathers product names from the Registry key: |
| Enterprise | T1016 | System Network Configuration Discovery | Proxysvc collects the network adapter information and domain/username information based on current remote sessions. [1] |
| Enterprise | T1124 | System Time Discovery | As part of the data reconnaissance phase, Proxysvc grabs the system time to send back to the control server. [1] |
| Enterprise | T1059.003 | Windows Command Shell | Proxysvc executes a binary on the system and logs the results into a temp file by using: |
| Enterprise | T1485 | Data Destruction | Proxysvc can overwrite files indicated by the attacker before deleting them. [1] |
Groups, software, and campaigns
G0032: Lazarus Group
Lazarus Group is a North Korean state-sponsored cyber threat group attributed to the Reconnaissance General Bureau (RGB). [1] [2] Lazarus Group has been active since at least 2009 and is reportedly responsible for the November 2014 destructive wiper attack on Sony Pictures Entertainment, identified by Novetta as part of Operation Blockbuster. Malware used by Lazarus Group correlates to other reported campaigns, including Operation Flame, Operation 1Mission, Operation Troy, DarkSeoul, and Ten Days of Rain.[3]
North Korea’s cyber operations have shown a consistent pattern of adaptation, forming and reorganizing units as national priorities shift. These units frequently share personnel, infrastructure, malware, and tradecraft, making it difficult to attribute specific operations with high confidence. Public reporting often uses “Lazarus Group” as an umbrella term for multiple North Korean cyber operators conducting espionage, destructive attacks, and financially motivated campaigns.[4][5][6]
All related ATT&CK context
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE's own release notes and roadmap, see the ATT&CK resources Updates page.
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 1.3 | | Current bundle | e5c6763fbfd9… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
- [1] McAfee GhostSecret: Sherstobitoff, R., Malhotra, A. (2018, April 24). Analyzing Operation GhostSecret: Attack Seeks to Steal Data Worldwide. Retrieved May 16, 2018.
- [2] Proxysvc (Citation: McAfee GhostSecret)
- [3] mitre-attack S0238
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.