The Lazarus Group [1] [2] [3] [4] [5], a state-sponsored threat group from North Korea, has recently been linked to a new backdoor malware called LightlessCan [2]. Discovered by ESET researchers [2], this advanced malware is an evolution of its predecessor, BlindingCan [2] [4] [5], and is utilized by the Lazarus Group for cyber espionage purposes.


LightlessCan is a remote access trojan (RAT) that has the ability to imitate native Windows commands, enabling it to operate discreetly within the RAT itself. This clever tactic allows the malware to evade real-time monitoring solutions and post-incident digital forensic tools. Additionally, LightlessCan incorporates “execution guardrails” to prevent unauthorized decryption [5] [6].

In a recent attack on a Spanish aerospace company [6], employees were deceived into downloading the malware [5], which was disguised as coding challenges [5]. This incident serves as a stark reminder of the ongoing threat posed by the Lazarus Group and underscores the importance of awareness to prevent further attacks.

The Lazarus Group has a history of targeting various organizations, carrying out cryptocurrency heists [2], and executing supply chain attacks. Notably, they were responsible for high-profile cyber attacks such as the Sony hack in 2014 and WannaCry in 2017 [6].


The discovery of LightlessCan highlights the evolving capabilities of the Lazarus Group and their persistent efforts in carrying out cyber espionage. It is crucial for organizations to remain vigilant and educate their employees about the risks posed by such scams. Implementing robust security measures and staying informed about emerging threats are essential in mitigating the potential impact of future attacks.