
S0665: ThreatNeedle

ThreatNeedle is a backdoor that has been used by Lazarus Group since at least 2019 to target cryptocurrency, defense, and mobile gaming organizations. It is considered to be an advanced cluster of Lazarus Group's Manuscrypt (a.k.a. NukeSped) malware family.[1]

Domain: Enterprise. ID: S0665. Type: Malware. Object version: 1.2.
Glexia's Take

Analyst context for executives and security teams

Analyst confidence: Medium

ThreatNeedle matters because ATT&CK describes it as a Windows backdoor associated with Lazarus Group and targeting cryptocurrency, defense, and mobile gaming organizations. For leaders, the practical concern is not only malware blocking; the related behaviors show a full intrusion pattern involving spearphishing attachments, user execution, persistence through services and registry run keys, registry modification, discovery, local data collection, tool transfer, and obfuscation.

Executive priority

Prioritize ThreatNeedle as a readiness test for targeted-intrusion controls: phishing resilience, Windows endpoint visibility, registry and service-change monitoring, and incident response ability to trace discovery and data collection after initial execution. Organizations in or adjacent to the cited sectors should ask whether SOC and IR teams can prove coverage with evidence, not assumptions, especially where compliance or customer assurance depends on demonstrating endpoint, email, and persistence monitoring.

Technical view

ATT&CK provides no official detection text for S0665, so validation should be built from the related techniques. On Windows, focus on suspicious attachment-driven execution, creation or modification of Windows services, registry run key or startup-folder persistence, registry changes used for defense evasion or persistence, file and directory enumeration, system information discovery, local data access, ingress tool transfer, and artifacts consistent with encoded, compressed, or fileless storage. Treat the Lazarus Group relationship as threat-intelligence context, not as proof of attribution in local incidents.

Likely telemetry

  • Email security logs and attachment metadata for spearphishing attachment investigation
  • Endpoint process creation and command-line telemetry on Windows hosts
  • Windows Registry auditing, including run keys and unusual registry modifications
  • Windows service creation, modification, and service binary path changes
  • File system telemetry for discovery, staging, local data access, compression, and renamed or misplaced executables

Detection direction

  • Map detections to the relationship techniques rather than to the malware name alone, because ATT&CK supplies no S0665 detection guidance.
  • Correlate email attachment execution with follow-on registry or service persistence, discovery commands, local data access, and external file transfer.
  • Tune service and registry alerts for legitimate software deployment noise, but require investigation when changes are followed by discovery or staging behavior.
  • Review blind spots around Windows registry visibility, service-change logging, compressed or encoded payload inspection, and endpoint coverage for user workstations that receive attachments.
  • Use Lazarus Group context to enrich triage, while avoiding attribution unless supported by additional local evidence.

Mitigation priorities

  • Strengthen phishing attachment controls and user-execution safeguards first, since related techniques include spearphishing attachment and malicious file execution.
  • Ensure Windows endpoint hardening and monitoring cover registry run keys, startup folders, Windows services, and unauthorized registry modification.
  • Limit unnecessary administrative privileges so registry and service persistence opportunities are reduced.
  • Validate egress and file-transfer controls to detect or restrict unexpected ingress tool transfer.
  • Prepare IR playbooks to collect endpoint, registry, service, email, and network evidence quickly when a suspected backdoor infection is investigated.

Analyst notes and limits

The relationship set is useful for building a defensive hypothesis: initial access through attachment, execution by malicious file, persistence via registry or service, stealth through obfuscation/compression/fileless storage, discovery, local collection, and tool transfer. The official object identifies ThreatNeedle as a backdoor used by Lazarus Group since at least 2019 and cites targeting of cryptocurrency, defense, and mobile gaming organizations.

Official ATT&CK detection guidance is not provided, tactics are not specified on the malware object, and aliases are not listed. The take is therefore based on the official description, external references, and supplied technique relationships. Local telemetry, malware samples, incident artifacts, and environment-specific baselines are required to determine actual exposure or detection coverage.

Official MITRE ATT&CK definition

ThreatNeedle

ThreatNeedle is a backdoor that has been used by Lazarus Group since at least 2019 to target cryptocurrency, defense, and mobile gaming organizations. It is considered to be an advanced cluster of Lazarus Group's Manuscrypt (a.k.a. NukeSped) malware family.[1]

View the same entry on attack.mitre.org (MITRE-hosted reference; in-page links above use the Glexia ATT&CK library).

Glexia analysis

How security teams should use this page

Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.

ATT&CK relationship table

Techniques used

This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.

Domain, ID, Name, Relationship / procedure (14 rows)

Enterprise T1547.001 Registry Run Keys / Startup Folder (Sub-technique)

ThreatNeedle can be loaded into the Startup folder (`%APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup\OneDrives.lnk`) as a Shortcut file for persistence. [1]

Enterprise T1204.002 Malicious File (Sub-technique)

ThreatNeedle relies on a victim to click on a malicious document for initial execution. [1]

Enterprise T1543.003 Windows Service (Sub-technique)

ThreatNeedle can run in memory and register its payload as a Windows service. [1]

Enterprise T1105 Ingress Tool Transfer

ThreatNeedle can download additional tools to enable lateral movement. [1]

Enterprise T1082 System Information Discovery

ThreatNeedle can collect system profile information from a compromised host. [1]

Enterprise T1083 File and Directory Discovery

ThreatNeedle can obtain file and directory information. [1]

Enterprise T1027.015 Compression (Sub-technique)

ThreatNeedle has been compressed and obfuscated. [1]

Enterprise T1005 Data from Local System

ThreatNeedle can collect data and files from a compromised host. [1]

Enterprise T1027.013 Encrypted/Encoded File (Sub-technique)

ThreatNeedle has been compressed and obfuscated using RC4, AES, or XOR. [1]

Enterprise T1027.011 Fileless Storage (Sub-technique)

ThreatNeedle can save its configuration data as an RC4-encrypted Registry key under `HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\GameCon`. [1]

Enterprise T1112 Modify Registry

ThreatNeedle can modify the Registry to save its configuration data as the following RC4-encrypted Registry key: `HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\GameCon`. [1]

Enterprise T1140 Deobfuscate/Decode Files or Information

ThreatNeedle can decrypt its payload using RC4, AES, or one-byte XORing. [1]

Enterprise T1566.001 Spearphishing Attachment (Sub-technique)

ThreatNeedle has been distributed via a malicious Word document within a spearphishing email. [1]

Enterprise T1036.005 Match Legitimate Resource Name or Location (Sub-technique)

ThreatNeedle chooses its payload creation path from a randomly selected service name from netsvc. [1]
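As an added defensive example (not code from Glexia, MITRE, or the Kaspersky report), the following Python implements the correlation the Detection direction section above recommends: it takes the persistence artifacts the relationship table lists (the Startup-folder OneDrives.lnk shortcut, the GameCon registry key, a newly installed service) and scores them only when they follow a process spawned by an Office application on the same host. Event shapes follow Sysmon and System-log event IDs; the host names, file paths, timestamps, the 600-second window, and the OFFICE_PARENTS set are constructed assumptions.

```python
from collections import defaultdict

# Indicators taken from the ATT&CK relationship table on this page
STARTUP_LNK = r"\Microsoft\Windows\Start Menu\Programs\Startup\OneDrives.lnk"
GAMECON_KEY = r"\SOFTWARE\Microsoft\Windows\CurrentVersion\GameCon"
OFFICE_PARENTS = {"winword.exe", "excel.exe"}  # assumed attachment-opening parents

# Constructed sample telemetry: (host, epoch seconds, event id, details).
# Event ids: Sysmon 1 = process create, 11 = file create, 13 = registry value set;
# System log 7045 = new service installed. Hosts, paths and times are made up.
SAMPLE_EVENTS = [
    ("ws01", 100, 1, {"parent": r"C:\Program Files\Microsoft Office\WINWORD.EXE",
                      "image": r"C:\Users\a\AppData\Local\Temp\upd.exe"}),
    ("ws01", 130, 11, {"path": r"C:\Users\a\AppData\Roaming" + STARTUP_LNK}),
    ("ws01", 140, 13, {"key": "HKLM" + GAMECON_KEY}),
    ("ws02", 200, 7045, {"service": "SvcHelper", "path": r"C:\Windows\svc.exe"}),
    ("ws03", 300, 1, {"parent": r"C:\Windows\explorer.exe", "image": r"C:\Windows\notepad.exe"}),
]


def persistence_hits(event_id, details):
    """Return the page-listed persistence indicators matched by one event."""
    hits = []
    if event_id == 11 and details.get("path", "").lower().endswith(STARTUP_LNK.lower()):
        hits.append("T1547.001 Startup-folder OneDrives.lnk")
    if event_id == 13 and details.get("key", "").lower().endswith(GAMECON_KEY.lower()):
        hits.append("T1112/T1027.011 GameCon registry key")
    if event_id == 7045:  # a new service alone is noisy; only scored after Office execution
        hits.append("T1543.003 new Windows service")
    return hits


def correlate(events, window=600):
    """Per host, persistence hits that land within `window` seconds after a
    process was spawned by an Office application (attachment-driven execution)."""
    by_host = defaultdict(list)
    for host, ts, eid, details in sorted(events, key=lambda e: e[1]):
        by_host[host].append((ts, eid, details))
    findings = {}
    for host, evs in by_host.items():
        office_ts = [ts for ts, eid, d in evs if eid == 1
                     and d.get("parent", "").lower().rsplit("\\", 1)[-1] in OFFICE_PARENTS]
        hits = [h for ts, eid, d in evs for h in persistence_hits(eid, d)
                if any(0 <= ts - o <= window for o in office_ts)]
        if hits:
            findings[host] = hits
    return findings


if __name__ == "__main__":
    for host, hits in correlate(SAMPLE_EVENTS).items():
        print(host, "->", "; ".join(hits))
```

The ws02 service installation is deliberately left unflagged: on its own it is the deployment noise the Detection direction warns about, and becomes a finding only once an Office-spawned process precedes it on that host.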

Associated objects

Groups, software, and campaigns

Group (Enterprise)

G0032: Lazarus Group

Lazarus Group is a North Korean state-sponsored cyber threat group attributed to the Reconnaissance General Bureau (RGB). [1] [2] Lazarus Group has been active since at least 2009 and is reportedly responsible for the November 2014 destructive wiper attack on Sony Pictures Entertainment, identified by Novetta as part of Operation Blockbuster. Malware used by Lazarus Group correlates to other reported campaigns, including Operation Flame, Operation 1Mission, Operation Troy, DarkSeoul, and Ten Days of Rain.[3]

North Korea’s cyber operations have shown a consistent pattern of adaptation, forming and reorganizing units as national priorities shift. These units frequently share personnel, infrastructure, malware, and tradecraft, making it difficult to attribute specific operations with high confidence. Public reporting often uses “Lazarus Group” as an umbrella term for multiple North Korean cyber operators conducting espionage, destructive attacks, and financially motivated campaigns.[4][5][6]

Change history

Object version and sync metadata

The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE's own release notes and roadmap, see the ATT&CK resources page (Updates).

ATT&CK release: 19.1
Object version: 1.2
Created: (not present in the mirrored snapshot)
Modified: (not present in the mirrored snapshot)
Raw hash: 553bfaf7a8268afb...

Imported snapshots across ATT&CK releases (1)

Release: 19.1; Object version: 1.2; Status: Current bundle; Raw hash: 553bfaf7a826… (bundle import and modified timestamps not present in the mirrored snapshot)
Raw source

Mirrored ATT&CK source object

The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.

Source references

External references and citations

MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.

[1] Kaspersky ThreatNeedle Feb 2021: Vyacheslav Kopeytsev and Seongsu Park. (2021, February 25). Lazarus targets defense industry with ThreatNeedle. Retrieved October 27, 2021.

[2] mitre-attack S0665: the MITRE ATT&CK source record for S0665 (ThreatNeedle) on attack.mitre.org.

Source and licensing

Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.