Brambul

Malware family profile (Mallory). Used by 2 threat actors.

THREAT ACTORS

Groups observed using it

2 distinct threat actors attributed by public researchers.
Lazarus

In October 2015, Symantec found evidence that organizations in South Korea were being targeted by a number of malicious tools, including Backdoor.Duuzer, W32.Brambul, and Backdoor.Joanap.

Source: medium.com
Lazarus

Brambul malware is a brute-force authentication worm that spreads through SMB shares.

Source: us-cert.gov
MITRE ATT&CK

Techniques & procedures

11 distinct techniques documented for this family, organized by ATT&CK tactic.

Resource Development

1 technique
T1584.005 Botnet (evidence: 1)

The Justice Department today announced an extensive effort to map and further disrupt, through victim notifications, the Joanap botnet – a global network of numerous infected computers under the control of North Korean hackers... Computers infected with Joanap — known as “peers” or “bots” — became part of a network of compromised computers known as a botnet.

Credential Access

2 techniques
T1110 Brute Force (evidence: 2)

Brambul malware typically spreads by using a list of hard-coded login credentials to launch a brute-force password attack against an SMB protocol for access to a victim’s networks.

T1555 Credentials from Password Stores (evidence: 1)

This information includes the IP address and host name—as well as the username and password—of each victim’s system.

Discovery

2 techniques
T1046 Network Service Discovery (evidence: 2)

Brambul “worm” that crawls from computer to computer, probing whether it can gain access using certain vulnerabilities.

T1082 System Information Discovery (evidence: 1)

HIDDEN COBRA actors use this file to capture and store victims’ information such as the host IP address, host name, and the current system time.

Lateral Movement

4 techniques
T1021 Remote Services (evidence: 1)

HIDDEN COBRA actors can use this information to remotely access a compromised system via the SMB protocol.

T1021.002 SMB/Windows Admin Shares (evidence: 2)

Brambul malware is a brute-force authentication worm that spreads through SMB shares.
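One way a defender can look for the behaviour described under T1110 and T1021.002 (a worm working through a credential list against SMB on host after host), as an added example that is not part of the Mallory page or of any Brambul analysis: a small Python check over constructed Windows 4625-style failed-logon records (the field names, sample values and thresholds are assumptions) that flags a source whose network logon failures span many accounts and many hosts inside a short window, while a single user failing repeatedly on one host is left alone.

```python
# Added example (not from the Mallory page or any Brambul sample): flag sources
# whose failed network logons look like a credential-list worm spreading over SMB.
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed 4625-style records (field names are an assumption, not a real log
# format): time, source, target host, account tried, logon type (3 = network,
# the logon type an SMB session produces).
SAMPLE_LOG = """\
2015-10-02T03:00:01 src=10.0.5.17 dst=FILESRV01 user=administrator type=3
2015-10-02T03:00:02 src=10.0.5.17 dst=FILESRV01 user=admin type=3
2015-10-02T03:00:03 src=10.0.5.17 dst=FILESRV01 user=root type=3
2015-10-02T03:00:04 src=10.0.5.17 dst=FILESRV02 user=administrator type=3
2015-10-02T03:00:05 src=10.0.5.17 dst=FILESRV02 user=guest type=3
2015-10-02T03:00:06 src=10.0.5.17 dst=HR-PC-07 user=administrator type=3
2015-10-02T03:00:07 src=10.0.5.17 dst=HR-PC-07 user=user type=3
2015-10-02T03:00:08 src=10.0.5.17 dst=HR-PC-08 user=administrator type=3
2015-10-02T03:05:00 src=10.0.9.4 dst=FILESRV01 user=jsmith type=3
2015-10-02T03:05:30 src=10.0.9.4 dst=FILESRV01 user=jsmith type=3
2015-10-02T03:06:00 src=10.0.9.4 dst=FILESRV01 user=jsmith type=2
"""

def parse(line):
    """Turn one record into a dict; the timestamp is parsed under 'ts'."""
    ts, *pairs = line.split()
    rec = dict(p.split("=", 1) for p in pairs)
    rec["ts"] = datetime.fromisoformat(ts)
    return rec

def find_spraying_sources(log, window=timedelta(minutes=2),
                          min_users=4, min_hosts=3):
    """Return {source: (distinct accounts, distinct hosts)} for each source whose
    type-3 failures inside one `window` cover at least min_users accounts AND
    min_hosts hosts. One account failing on one host repeatedly is not flagged."""
    by_src = defaultdict(list)
    for line in log.splitlines():
        rec = parse(line)
        if rec["type"] == "3":  # only network logons matter for SMB spread
            by_src[rec["src"]].append(rec)
    alerts = {}
    for src, recs in by_src.items():
        recs.sort(key=lambda r: r["ts"])
        for i, first in enumerate(recs):  # slide the window from each event
            span = [r for r in recs[i:] if r["ts"] - first["ts"] <= window]
            users = {r["user"] for r in span}
            hosts = {r["dst"] for r in span}
            if len(users) >= min_users and len(hosts) >= min_hosts:
                alerts[src] = (len(users), len(hosts))
                break
    return alerts
```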

T1210 Exploitation of Remote Services (evidence: 1)

Brambul “worm” that crawls from computer to computer, probing whether it can gain access using certain vulnerabilities... That complaint alleged how co-conspirators used Brambul to gain unauthorized access to computers...

T1570 Lateral Tool Transfer (evidence: 2)

If the malware can establish persistence, it could move laterally through a victim’s network and any connected networks to infect nodes beyond those identified in this alert.

Collection

1 technique
T1114 Email Collection (evidence: 2)

Once the malware establishes unauthorized access on the victim’s systems, it communicates information about the victim’s systems to HIDDEN COBRA actors using malicious email addresses.

Command and Control

1 technique
T1105 Ingress Tool Transfer (evidence: 1)

Joanap is a “second stage” malware, one that is often “dropped” by the automated Brambul “worm”... Once installed on an infected computer, Joanap would allow the North Korean hackers to remotely access infected computers... and load additional malware onto infected computers.
