Back to Research

Threat Intelligence Report: Opulous Campaign - A Lazarus Group Analysis

Author: Husam Gameel (Oppenheim3r)

Executive Summary

This report analyzes the Opulous Setup.exe malware campaign, attributing it with moderate confidence to the Lazarus Group, specifically their AppleJeus/TraderTraitor operations. The campaign leverages a trojanized cryptocurrency application for multi-stage attacks, focusing on system reconnaissance, persistence, and financial theft. Observed Tactics, Techniques, and Procedures (TTPs) align significantly with Lazarus Group's known methods, emphasizing their continued targeting of the cryptocurrency sector.

Technical Analysis: Opulous Setup.exe

Opulous Setup.exe is a sophisticated malicious executable designed for covert system compromise. Its primary function is to establish persistence and gather intelligence on the victim's system.

Static Analysis Highlights

• Unsigned Executable: The binary is not digitally signed, reducing trustworthiness and allowing it to bypass standard OS verification. The absence of a valid signature is consistent with malware distribution practices.

Behavioral Analysis Overview

Observed on win11-20250619-en, the malware exhibited significant system and network activity. Key behaviors include:

• Execution Path: Initial execution from C:\Users\Admin\AppData\Local\Temp\Opulous Setup.exe. This temporary directory is frequently abused by malware.
• Multi-Stage Payload Delivery: Executes dropped files: C:\Users\Admin\AppData\Local\Temp\is-M1590.tmp\Opulous Setup.tmp, C:\Program Files (x86)\Opulous\Opulous Client 3.1.8.exe, and C:\Users\Admin\AppData\Local\Temp\3266oHTzW0LVS9bq2P9cLkj3Ja0\Opulous Client.exe. This indicates a staged infection process.
• DLL Loading: Loads Dynamic Link Libraries (DLLs) from Program Files (x86)\Opulous\ and temporary directories. This is a technique for code injection and functionality extension.
• PowerShell Usage: Extensive use of C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe for command execution. This leverages PowerShell's versatility for system interaction.
• Process Enumeration: Executes C:\Windows\system32\tasklist.exe to enumerate running processes. This aids in reconnaissance and identifying security software.
• File Dropping for Persistence: Drops Opulous Client 3.1.8.exe, unins000.dat, is-KDUC0.tmp, and is-EHFBG.tmp into C:\Program Files (x86)\Opulous\. This common legitimate application path helps achieve persistence.
• Registry Modification for Persistence: Modifies HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.myp and HKEY_LOCAL_MACHINE\Software\Classes\OpulousFile.myp. This hijacks .myp file associations, ensuring Opulous Client 3.1.8.exe launches when .myp files are accessed.
• Privilege Escalation Attempts: Attempts to adjust numerous privileges, including SeSecurityPrivilege, SeDebugPrivilege, SeShutdownPrivilege, SeCreatePagefilePrivilege, SeIncreaseQuotaPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeBackupPrivilege, SeRestorePrivilege, SeSystemEnvironmentPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, and SeManageVolumePrivilege. This indicates a clear intent to gain elevated system control.
• Process Injection: Attempts to write to memory of other processes (WriteProcessMemory) like C:\Program Files (x86)\Opulous\Opulous Client 3.1.8.exe, C:\Users\Admin\AppData\Local\Temp\3266oHTzW0LVS9bq2P9cLkj3Ja0\Opulous Client.exe, C:\Windows\system32\cmd.exe, C:\Windows\system32\reg.exe, C:\Windows\system32\tasklist.exe, and C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe. This is a strong indicator of code injection for stealthy execution within legitimate processes.
• System Discovery: Accesses registry keys for system language (\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language) and enumerates physical storage devices for environmental awareness.

Observed Processes

• C:\Users\Admin\AppData\Local\Temp\Opulous Setup.exe
• C:\Users\Admin\AppData\Local\Temp\is-M1590.tmp\Opulous Setup.tmp
• C:\Program Files (x86)\Opulous\Opulous Client 3.1.8.exe
• C:\Users\Admin\AppData\Local\Temp\3266oHTzW0LVS9bq2P9cLkj3Ja0\Opulous Client.exe
• C:\Windows\system32\cmd.exe (Used for executing various command-line instructions)
• C:\Windows\system32\reg.exe (Used for querying and modifying the Windows Registry)
• C:\Windows\system32\tasklist.exe (Used for enumerating running processes)
• C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (Used for executing scripts and system commands)

Attribution: Linking to Lazarus Group (AppleJeus/TraderTraitor)

The Opulous campaign's TTPs show significant overlap with the Lazarus Group, a DPRK-sponsored APT known for financially motivated cyber operations, particularly the AppleJeus and TraderTraitor campaigns targeting cryptocurrency and fin-tech entities.

TTP Correlation Table

Tactic (MITRE ATT&CK)	Opulous Malware Behavior	Lazarus Group / AppleJeus TTPs	Significance
Initial Access (TA0001)	Trojanized Opulous Setup.exe masquerading as crypto platform	Consistent use of trojanized crypto trading apps as lures	Direct match to Lazarus's primary initial access vector for financial gain
Execution (TA0002)	Extensive PowerShell (T1059.001) usage	PowerShell is a common tool for payload execution and system interaction	Leverages built-in tools for stealth and versatility
Persistence (TA0003)	File dropping in Program Files; .myp file association hijacking	AppleJeus uses service installations and scheduled tasks; sophisticated persistence like file association hijacking is consistent	Advanced persistence mechanisms ensure continued access
Privilege Escalation (TA0004)	AdjustPrivilegeToken for SeDebugPrivilege	Common for Lazarus to disable security controls and inject code	Aggressive privilege seeking for comprehensive system control
Defense Evasion (TA0005)	Untrusted codesign; DLL side-loading; WriteProcessMemory	AppleJeus uses compromised certificates; process injection and DLL side-loading are hallmarks	Reflects Lazarus's continuous efforts to bypass security and operate stealthily
Discovery (TA0007)	tasklist.exe, registry queries, system language discovery	Extensive reconnaissance to understand victim environment and identify targets	Meticulous approach to target profiling before exfiltration
Collection (TA0009)	Gathering installed software and system configuration	Aims to identify valuable information like crypto wallets and credentials	Preparatory step for exfiltrating high-value assets, aligning with financial objectives

Key Indicators of Compromise (IOCs) and Overlap

• Malicious Executable (SHA256): 0ba592318e804f8204588de8677563b092f206e3fe654b08dac71600a2ee83c3 (Opulous Setup.tmp). This is the core payload, mirroring the trojanized installer model of AppleJeus/TraderTraitor.
• Lure Theme: The branding "Opulous" and opulousapp.com directly tie to cryptocurrency/music-fi. This aligns with Lazarus Group's strategy of targeting crypto platforms.
• Bundled Legitimate Software Components (Electron/Chromium Framework): Presence of .pak files, ffmpeg.dll, and Chromium-related components indicates an Electron-built application. Lazarus extensively uses Electron to package malicious code within functional, legitimate-looking apps for AppleJeus/TraderTraitor campaigns.

Corroborating Evidence from Public Reporting

Public reports from CISA, Cyber Security Agency of Singapore, and Infoblox consistently corroborate the Opulous campaign TTPs with Lazarus Group activities. These sources highlight the group's reliance on trojanized Electron based trading/wallet applications, social engineering, PowerShell-heavy staging, and process injection in attacks against cryptocurrency organizations. The Opulous campaign aligns seamlessly with these documented patterns, strengthening attribution.

Conclusion: Persistent Financial Cybercrime

The Opulous Setup.exe campaign is a continuation of the Lazarus Group's established playbook. The convergence of a trojanized cryptocurrency application, sophisticated persistence, defense evasion, and a focus on information gathering strongly attributes this operation to the DPRK-sponsored APT.

This campaign follows classic Lazarus steps:

1. Lure & Initial Access: Entice targets with a fake crypto application, leading to malicious installer execution.
2. Compromise & Payload Delivery: Deploy both a legitimate-looking app and a hidden malicious payload.
3. Persistence & Reconnaissance: Establish long-term foothold; gather crypto wallet data, credentials, and financial assets.
4. Monetization: Steal cryptocurrency to fund the DPRK regime, bypassing sanctions.

This Opulous campaign underscores the potent and adaptive threat posed by the Lazarus Group. Their continuous evolution of AppleJeus and TraderTraitor malware families demonstrates a dedicated effort to target the lucrative cryptocurrency sector, necessitating continued vigilance and robust measures.

References

• CISA Cybersecurity Advisory AA21-048A
• CSA Alert AL-2021-010
• Infoblox: Lazarus Group Targets Financial Services and Cryptocurrency Sector
• MITRE ATT&CK: Process Injection
• MITRE ATT&CK: Supply Chain Compromise
• MITRE ATT&CK: Boot or Logon Autostart Execution
• MITRE ATT&CK: PowerShell
• MITRE ATT&CK: Signed Binary Proxy Execution
• MITRE ATT&CK: System Owner/User Discovery
• MITRE ATT&CK: System Information Discovery
• MITRE ATT&CK: Windows Management Instrumentation
• MITRE ATT&CK: Use Alternate Authentication Material
• MITRE ATT&CK: Execution Guardrails