Lizar
DiceLoader, also referred to as Lizar, IceBot, and Tirion, is a malware loader/post-exploitation tool associated with FIN7. Reported capabilities include use of PowerShell scripts; retrieval of browser history and browser database files; collection of usernames and passwords stored in browsers; taking JPEG screenshots; migration of the loader into another process; encrypted client-server communications; and encryption of data before sending it to its server. The malware has been described as a post-exploitation tool used on compromised devices to gain a foothold in targeted networks and support lateral movement, including activity leading to Clop ransomware deployment. DiceLoader was also identified by the FBI in PaperCut MF/NG CVE-2023-27350 exploitation-related intrusions, alongside TrueBot and Cobalt Strike Beacon, though the exact attack stage at which it was executed was unclear. In April 2024, eSentire reported FIN7 activity in which a fake browser-extension MSIX infection chain led to NetSupport RAT deployment, followed by delivery of a Python-based loader that decrypted and injected DiceLoader in memory. In that case, the decrypted loader payload was executed via allocated executable memory and a new thread, and its C2 IP addresses and ports were stored in the .data section XOR-obfuscated with a hardcoded key. High-confidence related infrastructure and artifacts from the broader FIN7 intrusion chain included meet-go[.]click, hxxps://cdn46[.]space/, 91.219.238[.]214:4673, csvde.exe (MD5: b6f12d39edbfe3b33952be4329064b35), Adobe_017301.zip (MD5: e7b1fb0ef5dd20f4522945b902803f10), svchostc.exe (MD5: 0740803404a58d9c1c1f4bd9edaf4186), svchostc.py (MD5: 782621d1062a8fc7d626ceb68af314e5), and a scheduled task named Microsoft\Windows\Updater used for persistence.
Hunt this family in your stack
Mallory pivots from this family to the IOCs, detections, and named campaigns that touch your stack, and pages you when something new lands.
Vulnerabilities exploited
1 CVE Mallory has correlated with this family across public research and vendor advisories. Each row links to the full Mallory page for that vulnerability.
The Federal Bureau of Investigation (FBI) and Cybersecurity and Infrastructure Security Agency (CISA) are releasing this joint Cybersecurity Advisory (CSA) in response to the active exploitation of CVE-2023-27350. This vulnerability occurs in certain versions of PaperCut NG and PaperCut MF and enables an unauthenticated actor to execute malicious code remotely without credentials. | The FBI also identified information relating to the download and execution of command and control (C2) malware such as DiceLoader, TrueBot, and Cobalt Strike Beacons, although it is unclear at which stage in the attack these tools were executed.
Groups observed using it
5 distinct threat actors attributed by public researchers. Open in Mallory to see the full evidence chain and overlapping campaigns.
Lizar FIN7 has obtained and used tools such as Impacket, Mimikatz, and PsExec.
The FBI also identified information relating to the download and execution of command and control (C2) malware such as DiceLoader, TrueBot, and Cobalt Strike Beacons, although it is unclear at which stage in the attack these tools were executed.
...deploy the Lizar post-exploitation tool on compromised devices. This allowed the threat actors to gain a foothold within the targeted network and move laterally to deploy Clop ransomware...
...deploy the Lizar post-exploitation tool on compromised devices. This allowed the threat actors to gain a foothold within the targeted network and move laterally to deploy Clop ransomware...
Techniques & procedures
26 distinct techniques documented for this family, organized by ATT&CK tactic.
Initial Access
1 techniqueCVE-2023-27350 allows a remote actor to bypass authentication and conduct remote code execution on the affected installations of PaperCut... malicious actors exploited CVE-2023-27350 beginning in mid-April 2023.
Execution
3 techniquesThe content repeatedly describes threat actors and malware using PowerShell scripts/commands for execution, download, staging, reconnaissance, persistence, credential access, lateral movement, and defense evasion; e.g., "Sandworm Team used PowerShell scripts to run a credential harvesting tool in memory to evade defenses."
During the 2016 Ukraine Electric Power Attack, Sandworm Team used the xp_cmdshell command in MS-SQL. During the 2025 Poland Wiper Attacks, the adversaries leveraged PsExec to run cmd.exe commands on multiple victim machines. Numerous malware families and groups are described as using cmd.exe, cmd /c, Windows command shell, or command-line interfaces to execute commands, payloads, reconnaissance, persistence, cleanup, and ransomware actions.
Privilege Escalation
2 techniquesThe content repeatedly describes adversaries and malware injecting code, shellcode, DLLs, or payloads into legitimate processes such as svchost.exe, explorer.exe, iexplore.exe, wuauclt.exe, lsass.exe, and browser processes.
Stealth
5 techniquesThe content repeatedly describes malware and threat actors using obfuscated code, encrypted strings, Base64/XOR/RC4/AES encoding, VMProtect/ConfuserEx/SmartAssembly, stack strings, control-flow flattening, opaque predicates, and hidden payloads to evade analysis and detection.
The content repeatedly describes adversaries and malware injecting code, shellcode, DLLs, or payloads into legitimate processes such as svchost.exe, explorer.exe, iexplore.exe, wuauclt.exe, lsass.exe, and browser processes.
The content repeatedly describes malware and threat actors decoding, decrypting, or deobfuscating payloads, strings, configuration data, commands, and C2 traffic prior to execution or use, e.g., 'APT28 macro uses the command certutil -decode to decode contents of a .txt file storing the base64 encoded payload' and 'Action RAT can use Base64 to decode actor-controlled C2 server communications.'
Credential Access
3 techniquesMultiple actors and tools are described as using Mimikatz/Windows Credential Editor/LaZagne/ProcDump to “dump credentials,” often by targeting LSASS memory (e.g., “used Mimikatz to capture and use legitimate credentials,” “dumped the LSASS process memory using the MiniDump function,” “injecting itself into lsass.exe”).
The content repeatedly describes threat actors and malware stealing usernames, passwords, cookies, session tokens, and other saved credentials from web browsers such as Chrome, Firefox, Internet Explorer, Edge, Opera, Safari, and Yandex.
Discovery
7 techniquesThe content repeatedly describes actors and malware using commands and APIs such as ipconfig /all, ifconfig, arp -a, route print, netsh interface show, GetAdaptersInfo, and GetIpNetTable to gather IP addresses, MAC addresses, DNS, DHCP, gateways, routing tables, ARP cache, proxy settings, and network adapter/interface details.
The content repeatedly describes malware and threat actors collecting usernames, identifying logged-in users, running whoami/query user/quser, checking admin status, and enumerating user sessions.
The content repeatedly describes malware and threat actors obtaining lists of running processes, using utilities such as tasklist, ps, WMI, Get-Process, CreateToolhelp32Snapshot, EnumProcesses, and similar APIs/commands to enumerate active processes on victim systems.
The content repeatedly describes malware and threat actors collecting host details such as OS version, hostname, architecture, CPU, memory, BIOS, domain, language, and other configuration data; e.g., "APT41 uses multiple built-in commands such as systeminfo and net config Workstation to enumerate victim system basic configuration information."
APT38 has collected browser bookmark information to learn more about compromised hosts, obtain personal information about users, and acquire details about internal network resources.
Collection
2 techniques"Agent Tesla can capture screenshots of the victim’s desktop"; "AppleSeed can take screenshots on a compromised host"; "APT28 has used tools to take screenshots from victims"; "Cobalt Strike's Beacon payload is capable of capturing screenshots"; "PowerSploit's Get-TimedScreenshot Exfiltration module can take screenshots at regular intervals"; "Hydraq includes a component based on the code of VNC that can stream a live feed of the desktop"
"AppleSeed has compressed collected data before exfiltration."; "APT28 used a publicly available tool to gather and compress multiple documents..."; "Aria-body has used ZIP to compress data..."; "Cadelspy...compress stolen data into a .cab file."; "Daserf hides collected data in password-protected .rar archives."; "FIN6 has compressed log files into a ZIP archive prior to staging and exfiltration."; "Lazarus Group has compressed exfiltrated data with RAR...archive specified directories in .zip format"; "XCSSET will compress entire ~/Desktop folders..."
Command and Control
5 techniquesThe FBI also identified information relating to the download and execution of command and control (C2) malware such as DiceLoader, TrueBot, and Cobalt Strike Beacons... Associated with TrueBot C2... Associated with Cobalt Strike Beacon.
Legitimate remote management and maintenance (RMM) software was downloaded and executed on victim systems via commands issued through PaperCut’s print scripting interface... The FBI also identified information relating to the download and execution of command and control (C2) malware such as DiceLoader, TrueBot, and Cobalt Strike Beacons.
“APT29 has used multiple layers of encryption within malware to protect C2 communication… BITTER has encrypted their C2 communications… MacMa has used TLS encryption… Magic Hound has used an encrypted http proxy in C2 communications… gh0st RAT has encrypted TCP communications…”
“APT29 has used multiple layers of encryption within malware to protect C2 communication… BITTER has encrypted their C2 communications… Emotet has encrypted data before sending to the C2 server… gh0st RAT has encrypted TCP communications to evade detection… Gomir uses a custom encryption algorithm…”
Recent activity
42 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.
... Lizar ... (v1.0→v2.0) ...
Lizar (v1.0→v2.0)
A backdoor used by FIN7 to establish C2 channels, execute code in-memory, and maintain persistence. Delivered via Powertrash loaders and controlled via a UI client. Used for lateral movement and further exploitation.
Secondary payload/loader delivered after NetSupport RAT; stores XOR-obfuscated C2 IPs/ports in the .data section and uses injected in-memory execution (allocate RWX, copy payload, create thread) as part of its execution chain.
The version that knows your environment.
Match every observed IP, domain, and hash against your live telemetry.
Named campaigns wielding this family, with evidence pinned to each claim.
CVEs this family uses for access and lateral movement.
YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.
Every documented technique, ranked by evidence weight.
Reddit, Mastodon, and CTI community discussion around this family.