COPPERHEDGE
COPPERHEDGE is a Lazarus-linked malware variant in the Manuscrypt family, publicly named by US-CERT/CISA in 2020 and assessed by U.S. government reporting as used by North Korean HIDDEN COBRA actors. It is described as a full-featured remote access trojan/backdoor used to maintain persistence on victim networks, conduct internal reconnaissance, execute arbitrary commands, collect system information, download additional payloads, and exfiltrate data. The source reporting links Manuscrypt/COPPERHEDGE activity to campaigns targeting cryptocurrency exchanges and related entities, including TraderTraitor operations that used trojanized cryptocurrency applications built with Electron and cross-platform JavaScript to deliver Windows and macOS Manuscrypt payloads. The same reporting places COPPERHEDGE alongside other Lazarus tooling such as SIGNBT, ThreatNeedle, wAgent, the Agamemnon downloader, LightlessCan, and FALLCHILL.
The malware has been observed as Windows DLL implants, with a U.S. government malware analysis report identifying six COPPERHEDGE variants (A-F) across 22 submitted Windows DLL samples. Across those variants, documented network behavior includes HTTP POST beaconing, RC4-based obfuscation/encryption, custom datagram encryption, Google-Analytics-like cookie usage, Base64-encoded POST parameters, and multipart POST fields named "_webident_f" and "_webident_s"; one variant used a single-byte XOR with the value 0xAA. Hard-coded strings and protocol markers mentioned in the source reporting include "*dJU!*JE&!M@UNQ@" and "t34kjfdla45l". The report also notes retained class-name symbols such as "WinHTTP_Protocol" and, later, "WebPacket". The same reporting explicitly lists several dozen associated command-and-control domains.
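The beacon markers above (the "_webident_f"/"_webident_s" multipart fields, the hard-coded strings, and Variant F's single-byte XOR 0xAA) are enough to build a small hunting check over captured HTTP requests. The scanner below is an added example, not code from the page or from any vendor report; the sample requests, the `example.invalid` host, the `/index.php` path and the "mostly printable after XOR" heuristic are constructed assumptions.

```python
import re
WEBIDENT_FIELDS = {"_webident_f", "_webident_s"}           # multipart field names from the page
KNOWN_MARKERS = (b"*dJU!*JE&!M@UNQ@", b"t34kjfdla45l")      # hard-coded strings from the page

def split_request(raw: bytes):
    """Split a raw HTTP request into (lower-cased header dict, body bytes)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    headers = {}
    for line in head.split(b"\r\n")[1:]:                   # skip the request line
        key, _, value = line.partition(b":")
        headers[key.strip().lower().decode()] = value.strip().decode(errors="replace")
    return headers, body

def multipart_parts(headers, body):
    """Map multipart/form-data field names to their raw payload bytes."""
    m = re.search(r'boundary="?([^";]+)"?', headers.get("content-type", ""))
    parts = {}
    for chunk in (body.split(b"--" + m.group(1).encode()) if m else []):
        name = re.search(rb'name="([^"]+)"', chunk)        # the closing "--" chunk has no name
        if name:
            parts[name.group(1).decode()] = chunk.partition(b"\r\n\r\n")[2].rstrip(b"\r\n")
    return parts

def xor_aa(data: bytes) -> bytes:
    return bytes(b ^ 0xAA for b in data)                    # Variant F's single-byte XOR (self-inverse)

def looks_textual(data: bytes) -> bool:                     # heuristic (assumption): mostly printable
    return len(data) >= 16 and sum(32 <= b < 127 or b in (9, 10, 13) for b in data) / len(data) > 0.9

def scan_request(raw: bytes) -> set:
    """Return the COPPERHEDGE-style indicators matched by one raw request."""
    parts = multipart_parts(*split_request(raw))
    decoded = [xor_aa(p) for p in parts.values()]           # candidate Variant F datagrams
    hits = set()
    if WEBIDENT_FIELDS.issubset(parts):
        hits.add("multipart_webident_fields")
    if any(mk in c for mk in KNOWN_MARKERS for c in [raw, *decoded]):
        hits.add("known_copperhedge_string")
    if any(looks_textual(d) for d in decoded):
        hits.add("xor_aa_decodes_to_text")
    return hits

def build_multipart(fields, boundary=b"----ConstructedBoundary7") -> bytes:
    """Build a constructed multipart/form-data POST (host and path are placeholders)."""
    body = b"".join(b"--" + boundary + b'\r\nContent-Disposition: form-data; name="'
                    + n.encode() + b'"\r\n\r\n' + v + b"\r\n" for n, v in fields)
    return (b"POST /index.php HTTP/1.1\r\nHost: example.invalid\r\nContent-Type: multipart/"
            b"form-data; boundary=" + boundary + b"\r\n\r\n" + body + b"--" + boundary + b"--\r\n")

BEACON = build_multipart([("_webident_f", b"1"), ("_webident_s", xor_aa(b"host=WS01 user=alice t34kjfdla45l ok"))])  # constructed
BENIGN = build_multipart([("description", b"quarterly report"), ("file", b"hello, plain text upload")])  # constructed
```

`scan_request(BEACON)` reports all three indicators while `scan_request(BENIGN)` reports none; the printable-text heuristic is only a triage hint and should be paired with the field-name and string matches before alerting.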
The source reporting also describes more recent Lazarus operations in South Korea in which an updated COPPERHEDGE was used as an additional backdoor within a complex infection chain during Operation SyncHole. In that campaign, COPPERHEDGE was used for internal reconnaissance and stored its configuration in an NTFS alternate data stream at %appdata%\Microsoft\Internet Explorer\brndlog.txt:loginfo. The same reporting bases its Lazarus attribution on malware lineage, overlapping tradecraft, and operational patterns, and notes that the custom cryptography and DLL sideloading behavior seen with COPPERHEDGE are consistent with Lazarus preferences and related tools such as SIGNBT and LightlessCan. A 2026 social-media reference additionally cites a Qihoo360 report title alleging that Lazarus/APT-C-26 used CVE-2025-55182 together with a Copperhedge component, but no technical details of that claim are available here.
Vulnerabilities exploited
1 CVE correlated with this family across public research and vendor advisories.
"Analysis of the APT-C-26 (Lazarus) attack campaign using CVE-2025-55182 with a Copperhedge component", published by Qihoo360.
Groups observed using it
3 distinct threat actors attributed by public researchers.
"...using the Electron framework and cross-platform JavaScript code to deliver the Manuscrypt RAT..."
Listed in the Wiz “TraderTraitor: Deep Dive” entry alongside GolangGhost and other tooling.
Techniques & procedures
31 distinct techniques documented for this family, organized by ATT&CK tactic.
Resource Development (1 technique)
"...most of the C2 servers were legitimate but compromised websites in South Korea (T1584.001)..."
Initial Access (2 techniques)
"...utilizing a watering-hole attack to deliver it."
"...utilizes macro-embedded Office documents..."
Execution (4 techniques)
The response is written to disk and executed in a new shell using the child_process.exec() method in Node.js.
The decrypted data is written as a file to the system's temporary directory... and executed using the child_process.exec() method of Node.js, which spawns a shell as a child process of the current Electron application.
"...create a malicious service (T1569.002, T1007)..."
Persistence (3 techniques)
Privilege Escalation (3 techniques)
Stealth (6 techniques)
Variant A uses RC4 encryption to obfuscate import loading... Variant B datagrams are RC4 encrypted... Variant D ... Datagrams are encrypted with a combination of RC4 and differential XOR... Variant E ... Base64 encoded data... Variant F ... Datagrams are encoded using a single byte XOR with the value "0xAA".
9e4bd9676bb3460be68ba4559a824940a393bde7613850eda9196259e453b9f3 ... Ikarus Trojan.Win64.Themida
Variant A uses RC4 encryption to obfuscate import loading... Variant B performs the same RC4 key as variant A for Application Programming Interface (API) obfuscation... Variant C performs API loading at runtime but does not obfuscate the strings.
"...retrieves configuration information... from the ADS ... (T1564.004)."
Discovery (9 techniques)
"...create a malicious service (T1569.002, T1007)..."
"...gather basic system information (T1082, T1083, T1057, T1049, T1016, T1087.001)..."
Manuscrypt is a full-featured Remote Access Tool (RAT) capable of running arbitrary commands, performing system reconnaissance, and exfiltrating data.
"...attempt to find valuable hosts to perform lateral movement (T1087.002, T1135)."
Command and Control (6 techniques)
This variant also obfuscates Hypertext Transfer Protocol (HTTP) header strings using a custom character manipulation in which certain ranges of characters are modified by either adding or subtracting the constant value 9.
The update function makes an HTTP POST request to a PHP script hosted on the TraderTraitor project's domain at either the endpoint /update/ or /oath/checkupdate.php.
Variant A will generate HTTP POST requests with the following format... POST /<uri> HTTP/1.1 ... Content-Type: multipart/form-data ... Host: <domain> ... Variant B generates an HTTP POST request similar to Variant A... Variant C ... use of a generated cookie to pass certain information instead of multi-part HTTP POST requests... Variant E ... uses a single HTTP POST body with four parameters of Base64 encoded data... Variant F ... uses multi-part HTTP POST messages consisting of three parts holding the victim id, response code, and datagram.
FBI has high confidence that HIDDEN COBRA actors are using malware variants in conjunction with proxy servers to maintain a presence on victim networks and to further network exploitation.
This file is a 32-bit Windows executable and has been identified as Variant D.
Observed payloads include updated macOS and Windows variants of Manuscrypt, a custom remote access trojan (RAT), that collects system information and has the ability to execute arbitrary commands and download additional payloads.
Exfiltration (1 technique)
Manuscrypt is a full-featured Remote Access Tool (RAT) capable of running arbitrary commands, performing system reconnaissance, and exfiltrating data.
IOCs tracked for this family
310 indicators attributed across vendor reports, sandbox runs, and researcher write-ups, in the following categories:
IPs, domains, and DNS infrastructure linked to this family.
File hashes (MD5, SHA-1, SHA-256) from samples and reports.
Other indicator types observed in public reporting.
Recent activity
16 sources tracked across advisories, community write-ups, and news.
"Analysis of the APT-C-26 (Lazarus) attack campaign using CVE-2025-55182 with a Copperhedge component"
A named malware family referenced in TraderTraitor-related reporting alongside other DPRK malware.
Referenced as a Lazarus malware/tool family associated with custom cryptography and deployment patterns similar to the analyzed loader.
COPPERHEDGE is referenced as a Lazarus-associated malware/tool family with similar DLL sideloading via Windows service behavior.