Threat Actor Profile
High APT
Description

LazyScripter is threat group that has mainly targeted the airlines industry since at least 2018, primarily using open-source toolsets.(Citation: MalwareBytes LazyScripter Feb 2021)

Confidence Score
90%
Known Aliases
LazyScripter
Tags
mitre-attack stix-2.1 intrusion-set
First Seen

Unknown

Last Updated

Unknown

Active Status
Active
Created

April 29, 2026

MITRE ATT&CK Techniques (20)
T1071.004 - DNS
Command and Control
T1102 - Web Service
Command and Control
T1105 - Ingress Tool Transfer
Command and Control
T1027.010 - Command Obfuscation
Defense Evasion
T1036 - Masquerading
Defense Evasion
T1218.005 - Mshta
Defense Evasion
T1218.011 - Rundll32
Defense Evasion
T1059.001 - PowerShell
Execution
T1059.003 - Windows Command Shell
Execution
T1059.005 - Visual Basic
Execution
T1059.007 - JavaScript
Execution
T1204.001 - Malicious Link
Execution
T1204.002 - Malicious File
Execution
T1566.001 - Spearphishing Attachment
Initial Access
T1566.002 - Spearphishing Link
Initial Access
T1547.001 - Registry Run Keys / Startup Folder
Persistence
T1583.001 - Domains
Resource Development
T1583.006 - Web Services
Resource Development
T1588.001 - Malware
Resource Development
T1608.001 - Upload Malware
Resource Development
Indicators of Compromise

Loading IOCs…

IOC KQL for Sentinel
STIX Data 
{'aliases': ['LazyScripter'],
 'created': '2021-11-24T19:26:27.305Z',
 'created_by_ref': 'identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5',
 'description': '[LazyScripter](https://attack.mitre.org/groups/G0140) is '
                'threat group that has mainly targeted the airlines industry '
                'since at least 2018, primarily using open-source '
                'toolsets.(Citation: MalwareBytes LazyScripter Feb 2021)',
 'external_references': [{'external_id': 'G0140',
                          'source_name': 'mitre-attack',
                          'url': 'https://attack.mitre.org/groups/G0140'},
                         {'description': '(Citation: MalwareBytes LazyScripter '
                                         'Feb 2021)',
                          'source_name': 'LazyScripter'},
                         {'description': 'Jazi, H. (2021, February). '
                                         'LazyScripter: From Empire to double '
                                         'RAT. Retrieved November 17, 2024.',
                          'source_name': 'MalwareBytes LazyScripter Feb 2021',
                          'url': 'https://web.archive.org/web/20211003035156/https://www.malwarebytes.com/resources/files/2021/02/lazyscripter.pdf'}],
 'id': 'intrusion-set--abc5a1d4-f0dc-49d1-88a1-4a80e478bb03',
 'modified': '2024-11-17T14:12:07.294Z',
 'name': 'LazyScripter',
 'object_marking_refs': ['marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168'],
 'revoked': False,
 'spec_version': '2.1',
 'type': 'intrusion-set',
 'x_mitre_attack_spec_version': '3.2.0',
 'x_mitre_contributors': ['Manikantan Srinivasan, NEC Corporation India',
                          'Pooja Natarajan, NEC Corporation India',
                          'Hiroki Nagahama, NEC Corporation'],
 'x_mitre_deprecated': False,
 'x_mitre_domains': ['enterprise-attack'],
 'x_mitre_modified_by_ref': 'identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5',
 'x_mitre_version': '1.1'}
Quick Actions
Related TTPs (20)
DNS
Command and Control
Web Service
Command and Control
Ingress Tool Transfer
Command and Control
Command Obfuscation
Defense Evasion
Masquerading
Defense Evasion
View All 20 TTPs
Back to Threat Actors
Dashboard Home