LaZagne
LaZagne is an open-source password recovery and credential-dumping tool used to retrieve passwords stored on a local computer. It is written in Python and supports Windows, Linux, and macOS, with standalone releases available via GitHub. The tool targets credentials stored by commonly used software and operating system credential stores using multiple mechanisms including plaintext recovery, APIs, custom algorithms, databases, DPAPI-related access, and hash extraction. Reported capabilities include extracting credentials from web browsers such as Chrome, Firefox, Internet Explorer, Edge, Opera, Brave, Chromium, Vivaldi, and Yandex; mail clients such as Outlook and Thunderbird; chat applications such as Pidgin, Psi, and Skype; databases and database tools; Wi-Fi profiles; sysadmin and file-transfer tools including FileZilla, WinSCP, OpenVPN, CyberDuck, OpenSSH, VNC, RDPManager, and mRemoteNG; KeePass-related material; AWS and Docker environment variables; SSH private keys; and internal credential stores such as Autologon, Credential Files, Credman, Vault files, LSA secrets, GNOME Keyring, and Kwallet. On Windows, administrator privileges are required for some sources such as Wi-Fi passwords and Windows Secrets. LaZagne supports output in text and JSON formats and can be run selectively against specific modules such as browser credential extraction.
Public reporting shows that LaZagne is widely used as a dual-use post-compromise credential theft utility by multiple threat actors and malware operations. Groups explicitly associated with its use in that reporting include Evilnum, APT33 (Elfin), APT15, MuddyWater, OilRig, Leafminer, Inception, RedCurl, Pupy, Akira ransomware operators, Beast Ransomware operators, and YoroTrooper-derived tooling. Evilnum was observed delivering a custom Python version of LaZagne through PyVil RAT to dump passwords and collect cookie information for exfiltration to C2 while targeting FinTech organizations in the UK and EU. APT33 used publicly available tools including LaZagne during intrusions against organizations in sectors including government, chemical, engineering, finance, telecoms, healthcare, manufacturing, and research, with activity observed especially in Saudi Arabia and the United States. Akira operators used LaZagne alongside Mimikatz after initial access via VPNs without MFA, exposed RDP, spearphishing, valid accounts, and exploitation of Cisco vulnerabilities, to support credential theft, privilege escalation, and lateral movement in attacks against sectors including education, finance, real estate, and other critical infrastructure. Beast Ransomware operators used LaZagne with Mimikatz and Automim to dump credentials from memory, browsers, databases, and email clients as part of a broader ransomware workflow.
The reporting also notes that LaZagne has been integrated into the Pupy post-exploitation framework, where its Python code can be interpreted in memory without touching disk. Additional operational context includes use of LaZagne in Windows Safe Mode to evade some AV/EDR products, and detection-focused reporting that observed LaZagne and similar browser credential dumpers reading fixed browser storage paths such as Chrome Login Data, Local State, Network Cookies, and Firefox files including logins.json, key3.db, key4.db, and cookies.sqlite. High-confidence indicators and artifacts mentioned in the reporting include command-line keywords associated with LaZagne-style usage such as "browsers," "Databases," "Mails," and "Sysadmin"; default execution artifacts in some detections involving AppData\Local\Temp and Python27.dll; and loading of a specific SQLite3 DLL bundled with LaZagne in some detection logic. Overall, LaZagne is best characterized as a widely recognized open-source credential theft tool frequently repurposed by espionage actors, ransomware affiliates, and commodity malware for harvesting stored passwords, cookies, and related secrets from compromised systems.
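The detection artifacts listed above (module keywords on the command line, Python27.dll loaded from AppData\Local\Temp, and non-browser processes reading the fixed Chrome and Firefox credential-store files) can be turned into a simple correlation over endpoint telemetry. The following is an added example, not code from the page or from the LaZagne project: it scans constructed, pipe-delimited process-creation, image-load and file-read events and scores each process ID. The log format, field names, the sample events and the browser allow-list are assumptions for this example; the indicators themselves are the ones the text names.

```python
"""Correlate constructed endpoint events against the LaZagne-style artifacts
named in the text: command-line module keywords, Python27.dll loaded by a
process running out of AppData\\Local\\Temp, and browser credential-store
files read by something other than the browser. Added example; the telemetry
format and the allow-list are assumptions, not project or vendor definitions."""
import re
from collections import defaultdict

# Command-line module names the reporting associates with LaZagne-style usage.
MODULE_KEYWORDS = {"browsers", "databases", "mails", "sysadmin"}

# Fixed browser credential-store files named in the detection reporting.
BROWSER_STORES = re.compile(
    r"(\\Login Data|\\Local State|\\Network\\Cookies|\\logins\.json|"
    r"\\key3\.db|\\key4\.db|\\cookies\.sqlite)$",
    re.IGNORECASE,
)

# Images that legitimately read their own stores (assumed allow-list).
BROWSER_IMAGES = {"chrome.exe", "firefox.exe", "msedge.exe"}

# Constructed sample telemetry: ts|kind|pid|image|detail, where kind is
# process (detail = command line), image_load (detail = DLL path) or
# file_read (detail = file path). The format is an assumption for this example.
SAMPLE_LOG = r"""
2024-05-01T10:00:01|process|4120|C:\Users\alice\AppData\Local\Temp\svc.exe|C:\Users\alice\AppData\Local\Temp\svc.exe browsers -oJ
2024-05-01T10:00:02|image_load|4120|C:\Users\alice\AppData\Local\Temp\svc.exe|C:\Users\alice\AppData\Local\Temp\Python27.dll
2024-05-01T10:00:03|file_read|4120|C:\Users\alice\AppData\Local\Temp\svc.exe|C:\Users\alice\AppData\Local\Google\Chrome\User Data\Default\Login Data
2024-05-01T10:00:04|file_read|4120|C:\Users\alice\AppData\Local\Temp\svc.exe|C:\Users\alice\AppData\Roaming\Mozilla\Firefox\Profiles\x1.default\logins.json
2024-05-01T10:01:00|file_read|5300|C:\Program Files\Google\Chrome\Application\chrome.exe|C:\Users\alice\AppData\Local\Google\Chrome\User Data\Default\Login Data
2024-05-01T10:02:00|process|6100|C:\Windows\System32\cmd.exe|cmd.exe /c dir C:\Users\alice\Downloads\browsers
2024-05-01T10:03:00|file_read|7200|C:\Tools\backup.exe|C:\Users\alice\AppData\Roaming\Mozilla\Firefox\Profiles\x1.default\key4.db
""".strip()


def parse_line(line):
    """Split one pipe-delimited event into a dict; detail may itself contain spaces."""
    ts, kind, pid, image, detail = line.split("|", 4)
    return {"ts": ts, "kind": kind, "pid": int(pid), "image": image, "detail": detail}


def basename(path):
    """Last path component, lower-cased, tolerant of either slash style."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def in_local_temp(path):
    """True when the image lives under the user's AppData\\Local\\Temp directory."""
    return "\\appdata\\local\\temp\\" in path.lower()


def analyze(log_text):
    """Return {pid: {"severity": ..., "findings": [(rule, evidence), ...]}}
    for every process that matched at least one rule."""
    findings = defaultdict(list)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ev = parse_line(line)
        pid, image, detail = ev["pid"], ev["image"], ev["detail"]
        if ev["kind"] == "process":
            # Exact token match: a path that merely ends in "browsers" does not fire.
            tokens = {t.lower() for t in detail.split()}
            hits = sorted(tokens & MODULE_KEYWORDS)
            if hits:
                findings[pid].append(("cmdline_module_keyword", ", ".join(hits)))
        elif ev["kind"] == "image_load":
            if basename(detail) == "python27.dll" and in_local_temp(image):
                findings[pid].append(("python27_from_temp", detail))
        elif ev["kind"] == "file_read":
            if BROWSER_STORES.search(detail) and basename(image) not in BROWSER_IMAGES:
                findings[pid].append(("browser_store_read_by_non_browser", detail))

    result = {}
    for pid, items in findings.items():
        rules = {rule for rule, _ in items}
        if "cmdline_module_keyword" in rules or "python27_from_temp" in rules:
            severity = "high"       # artifact the reporting treats as high-confidence
        elif len(items) >= 2:
            severity = "medium"     # several stores touched by one non-browser process
        else:
            severity = "low"        # a single store read: backup tools do this too
        result[pid] = {"severity": severity, "findings": items}
    return result


if __name__ == "__main__":
    for pid, info in sorted(analyze(SAMPLE_LOG).items()):
        print(pid, info["severity"])
        for rule, evidence in info["findings"]:
            print("   ", rule, "->", evidence)
```

Run against the constructed sample, PID 4120 is rated high on all three artifact classes, PID 7200 (a backup tool touching one Firefox key database) is rated low, and neither Chrome reading its own Login Data nor a cmd.exe whose argument path merely ends in "browsers" produces a finding. In production the same logic maps onto process-creation, image-load and file-access telemetry from an EDR or Sysmon, with the allow-list tuned to the backup and sync software present in the environment.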
Groups observed using it
12 distinct threat actors attributed by public researchers.
During the analysis of PyVil RAT, on several occasions, the malware received from the C2 a new Python module to execute. This Python module is a custom version of the LaZagne Project which the Evilnum group has used in the past. The script will try to dump passwords and collect cookie information to send to the C2.
Inception has obtained and used open-source tools such as LaZagne.
LaZagne can obtain credentials from chats, databases, mail, and WiFi.
For example, APT15 uses widely accessible tools like Mimikatz and LaZagne... APT15 used the Mimikatz and LaZagne tools
Techniques & procedures
20 distinct techniques documented for this family, organized by ATT&CK tactic.
Resource Development (1 technique)
Execution (1 technique)
Credential Access (16 techniques)
Using open-source tooling: Mimikatz, Hekatomb, Lazagne, gosecretsdump, smbpasswd.py... Creating snapshots of virtual domain controller disks to download and extract NTDS.dit.
or targeting the local security authority (LSA) secrets (T1003.001) in Windows systems.
T1003.005 MuddyWater has performed credential dumping with LaZagne.
The script will try to dump passwords and collect cookie information to send to the C2.
Each software stores its passwords using different techniques (plaintext, APIs, custom algorithms, databases, etc.).
Environment variable, FileZilla, gFTP, History files, Shares, SSH private keys, KeePass, Configuration Files
PyVil RAT possesses different functionalities, and enables the attackers to... deploy more tools such as LaZagne in order to steal credentials.
Command and Control (1 technique)
PyVil RAT possesses different functionalities, and enables the attackers to exfiltrate data, perform keylogging and the taking of screenshots, and the deployment of more tools such as LaZagne... During the analysis of PyVil RAT, on several occasions, the malware received from the C2 a new Python module to execute.
IOCs tracked for this family
1 indicator attributed across vendor reports, sandbox runs, and researcher write-ups.
Recent activity
57 sources tracked across advisories, community write-ups, and news.
Credential dumping tool used to harvest credentials during the attack chain before the encryptor was deployed.
Credential recovery tool used to dump passwords from browsers, databases, email clients, and memory as part of Beast ransomware operations.
Open-source credential recovery utility used to extract stored passwords from compromised systems.
LAZAGNE is a credential stealer tool used to extract saved passwords from infected systems. In this campaign, it is deployed via PowerShell scripts as part of the attack chain.