Hermes
Hermes is a ransomware family. Public reporting associates it with North Korea-linked activity, including use by APT38 (also tracked as BlueNorOff), a Lazarus subgroup focused on financial operations; APT38 is described as using Hermes to encrypt files with AES-256. Hermes also appears in reporting on targeted ransomware tradecraft and in Spamhaus tracking, which identified 14 command-and-control servers associated with the family.

Hermes has additionally been observed as a secondary payload delivered by the AZORult stealer. In a July 2018 campaign attributed to TA516, victims received employment-themed phishing emails carrying password-protected documents; once the victim entered the password and enabled macros, AZORult was downloaded, exfiltrated credentials, cookies, system information and cryptocurrency wallet data, and then downloaded and executed Hermes 2.1 ransomware.

The source material also mentions a variant described as 'Hermes 14 eBanking Trojan' but provides no further high-confidence technical detail on it.

In summary, the high-confidence behaviour in the available reporting is that Hermes is used for file encryption in financially motivated intrusions, has been linked to North Korean operators, and has been delivered through phishing-to-downloader infection chains involving AZORult.
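The AZORult-to-Hermes chain above (macro-enabled document, script host, downloader, second-stage executable) leaves a recognisable parent/child lineage in process-creation telemetry. The following is an added example, not code from the original page or from any of the reports it cites: a small hunt over constructed Sysmon-style process-creation events that flags each hop of that chain. All process names, paths and file names (stage1.exe, stage2.exe, the user "alice") are invented for illustration and are not real Hermes or AZORult indicators; the rule thresholds are the author's assumptions, not published detections.

```python
# Added example: hunt for a macro -> script host -> downloader -> second-stage
# chain in process-creation telemetry. Events below are constructed; the
# file names are placeholders, not real Hermes/AZORult indicators.

OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
SCRIPT_HOSTS = {"powershell.exe", "cmd.exe", "wscript.exe", "cscript.exe",
                "mshta.exe", "regsvr32.exe", "rundll32.exe", "certutil.exe"}
# Path fragments that mark user-writable drop locations (assumption: these
# are where a phishing-delivered downloader typically lands).
USER_WRITABLE = ("\\appdata\\", "\\temp\\", "\\users\\public\\", "\\programdata\\")

# Constructed process-creation events (Sysmon Event ID 1 style: pid, ppid, image).
SAMPLE_EVENTS = [
    {"pid": 100, "ppid": 1,   "image": "C:\\Windows\\explorer.exe"},
    {"pid": 200, "ppid": 100, "image": "C:\\Program Files\\Microsoft Office\\root\\Office16\\WINWORD.EXE"},
    {"pid": 210, "ppid": 200, "image": "C:\\Windows\\splwow64.exe"},  # benign print helper spawned by Word
    {"pid": 300, "ppid": 200, "image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe"},
    {"pid": 400, "ppid": 300, "image": "C:\\Users\\alice\\AppData\\Local\\Temp\\stage1.exe"},
    {"pid": 500, "ppid": 400, "image": "C:\\Users\\alice\\AppData\\Roaming\\stage2.exe"},
    {"pid": 600, "ppid": 100, "image": "C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe"},
    {"pid": 610, "ppid": 600, "image": "C:\\Users\\alice\\AppData\\Local\\Google\\Update\\GoogleUpdate.exe"},
]


def image_name(path):
    """Lower-cased file name of an image path."""
    return path.rsplit("\\", 1)[-1].lower()


def in_user_writable(path):
    """True if the image lives under a user-writable drop location."""
    p = path.lower()
    return any(marker in p for marker in USER_WRITABLE)


def lineage(events, pid):
    """Walk parent links upward and render 'root > ... > pid' as image names."""
    by_pid = {e["pid"]: e for e in events}
    names, seen = [], set()
    while pid in by_pid and pid not in seen:
        seen.add(pid)
        names.append(image_name(by_pid[pid]["image"]))
        pid = by_pid[pid]["ppid"]
    return " > ".join(reversed(names))


def hunt(events):
    """Return one alert per process-creation event that matches a chain hop.

    Rule 1: an Office app spawns a script host or an exe from a user-writable path
            (macro firing the downloader stage).
    Rule 2: a script host launches an exe from a user-writable path
            (the downloaded stealer/loader being started).
    Rule 3: an exe in a user-writable path launches another exe in a
            user-writable path (first stage handing off to the ransomware).
    """
    by_pid = {e["pid"]: e for e in events}
    alerts = []
    for e in events:
        parent = by_pid.get(e["ppid"])
        if parent is None:
            continue  # root of the tree or parent not in telemetry
        pname, cname = image_name(parent["image"]), image_name(e["image"])
        rule = None
        if pname in OFFICE_APPS and (cname in SCRIPT_HOSTS or in_user_writable(e["image"])):
            rule = "office_spawns_script_host_or_dropped_exe"
        elif pname in SCRIPT_HOSTS and in_user_writable(e["image"]):
            rule = "script_host_launches_user_writable_exe"
        elif in_user_writable(parent["image"]) and in_user_writable(e["image"]):
            rule = "user_writable_exe_launches_second_stage"
        if rule:
            alerts.append({"rule": rule, "pid": e["pid"], "chain": lineage(events, e["pid"])})
    return alerts


if __name__ == "__main__":
    for alert in hunt(SAMPLE_EVENTS):
        print(f"[{alert['rule']}] pid={alert['pid']} {alert['chain']}")
```

Rule 3 on its own will also fire on legitimate per-user installers and updaters that run from AppData, so in production it is a pivot for the analyst rather than a paging condition; the value is that the three hops appear together, in order, under the same Office process. Feeding real Sysmon Event ID 1 or EDR process events into `hunt` only requires supplying the same three fields.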
Groups observed using it
2 distinct threat actors attributed by public researchers.
The Lazarus Group profile shows:
Attributed to: North Korea
Motivations: Financial gain, Espionage
Targets: Finance, Cryptocurrency, Defense
Malware used: WannaCry, Hermes, BLINDINGCAN (all auto-linked by MITRE connector)
Malware associated with BlueNorOff include: "DarkComet, Mimikatz, Nestegg, Macktruck, WannaCry, Whiteout, Quickcafe, Rawhide, Smoothride, TightVNC, Sorrybrute, Keylime, Snapshot, Mapmaker, net.exe, sysmon, Bootwreck, Cleantoad, Closeshave, Dyepack, Hermes, Twopence, Electricfish, Powerratankba, and Powerspritz"
Techniques & procedures
2 distinct techniques documented for this family, organized by ATT&CK tactic.
Command and Control (1 technique)
The Spamhaus Botnet C&C (BGPCC) is designed to protect networks and their users from botnet traffic. It can be used to block traffic from/to servers on the internet that are operated by cybercriminals and used to control infected computers (bots) or exfiltrate data.
Recent activity
9 sources tracked across advisories, community write-ups, and news.
Named as malware used by Lazarus Group in the example APT profile.
Ransomware family listed as associated with BlueNorOff operations.
Referenced as a ransomware family associated with targeted ransomware attacks using RDP brute force.