Lazarus Group Using Mata Framework to Deliver TFlower Ransomware

The North Korean hacking group Lazarus (also known as Hidden Kobra) has launched several high-profile attacks over the past few years to fulfill its financial motives. Recently, the group has been observed expanding its arsenal with TFlower ransomware in a double extortion campaign.

Diving into details

Sygnia researchers have reported the use of the MATA framework by the Lazarus Group to deliver TFlower ransomware in the campaign.
  • With a new and so far undocumented variant of MATA and TFlower, the recent Lazarus campaign has targeted a dozen victims for data exfiltration or extortion.
  • The MATA malware framework is the key technical component here, which works as an advanced cross-platform malware framework.
  • Additionally, during the attack, the group has leveraged multiple tools including the MATA backdoor to evade detection.
  • Lazarus has operated and maintained an extensive C2 infrastructure while targeting multiple platforms, such as Windows, Linux, and mac, during the attack.

A lookback

The MATA framework was previously reported by Kaspersky on July 22, 2020, and by Netlab on December 19, 2019. Further, it is suspected that Lazarus possibly deployed over 150 C2 servers over time, with the latest one identified on February 4 this year.


The recent report indicating a connection or collaboration between the Lazarus Group and TFlower reflects the continued effort by North Korea to scale its cyber-extortion activities. Researchers anticipate that the group is now possibly collaborating with additional crime entities, creating such entities, outsourcing its capabilities, or selling offensive tools to other groups to achieve its financial targets.


Next Post

CISA Will Manage .Gov Domain in Effort to Enhance Security

Thu Mar 11 , 2021
Fraud Management & Cybercrime , Fraud Risk Management , Governance & Risk Management More Layers of Security Anticipated for Government Websites Scott Ferguson (Ferguson_Writes) • March 10, 2021     The Cybersecurity and Infrastructure Security Agency will take over the day-to-day management of the official .gov top-level domain in April, […]