Security researchers at ENKI have uncovered a sophisticated espionage campaign targeting aerospace and defense organizations, in which the Lazarus Group is weaponizing a new variant of the Comebacker backdoor to infiltrate high-value targets.
The threat actor has been actively conducting phishing operations since at least March 2025, distributing malicious documents disguised as legitimate communications from prominent industry organizations.
The investigation began in June 2025 following threat intelligence reports of a malicious domain, office-theme[.]com, attributed to the Lazarus Group.
Analysis revealed that malicious Word documents (.docx files) hosted on this domain initiated a complex multi-stage infection chain, ultimately delivering the newly identified Comebacker variant to victim systems.
By examining the malware’s command-and-control infrastructure, researchers identified an additional C&C domain and related samples, suggesting the campaign has maintained continuous activity for several months.
The weaponized documents employ highly targeted lures impersonating aerospace and defense sector organizations, including Edge Group, the Indian Institute of Technology Kanpur (IIT Kanpur), and Airbus.
This deliberate tailoring of decoys to specific organizations represents a classic hallmark of spear phishing operations aimed at a carefully selected group of victims rather than broad-based attacks.
Technical Sophistication
The new Comebacker variant demonstrates significant technical evolution compared to previous iterations. The infection chain begins when a victim opens a malicious .docx file and enables macros.
The embedded VBA code executes, decrypting and deploying a loader DLL and a decoy document using custom XOR and bit-swapping operations, a departure from the RC4 and HC256 encryption methods observed in older variants.
The multi-stage infection process involves sophisticated persistence mechanisms and in-memory execution techniques.
The loader initially writes components to system directories, including C:\ProgramData\WPSOffice\wpsoffice_aam.ocx, then creates shortcuts in startup folders to maintain persistence across system reboots.
Subsequent stages utilize ChaCha20 stream cipher encryption with hardcoded keys, introducing a level of operational security not present in earlier Comebacker variants.

One notable enhancement in this campaign is the implementation of encrypted command-and-control communications.
Unlike previous Comebacker variants that transmitted data in plaintext, this new iteration encrypts all C&C traffic using AES-128-CBC encryption, making network-based detection significantly more challenging for defensive teams.
Infrastructure and Command Structure
The malware beacons to C&C servers over HTTPS, employing a sophisticated query string structure containing randomized parameters and base64-encoded identifiers.
After decryption and decompression, the loader writes the next stage to C:\ProgramData\USOShared\USOInfo.dat and executes it using rundll32.exe.

When the C&C server responds, it can issue various commands including process termination, sleep-retry loops with increasing intervals, or direct payload download and execution instructions.
The inclusion of MD5 hash verification for downloaded payloads indicates a focus on operational reliability and anti-tampering measures.
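As an added illustration (not tooling from the ENKI report), the following Python hunting helper flags the loader behaviours described above in simplified, constructed Sysmon-style events: an Office process spawning rundll32.exe, rundll32.exe loading or writing a non-DLL module under C:\ProgramData (the .ocx loader and the .dat stage), and a new shortcut in a Startup folder. The event field names and sample paths are assumptions made for the example.

```python
import re

# Constructed, simplified process/file events (not real telemetry).
SAMPLE_EVENTS = [
    {"type": "process", "parent": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "image": r"C:\Windows\System32\rundll32.exe",
     "cmdline": r"rundll32.exe C:\ProgramData\WPSOffice\wpsoffice_aam.ocx,Entry"},
    {"type": "process", "parent": r"C:\Windows\explorer.exe",          # benign rundll32 use
     "image": r"C:\Windows\System32\rundll32.exe",
     "cmdline": r'rundll32.exe "C:\Windows\System32\shell32.dll",Control_RunDLL'},
    {"type": "file", "image": r"C:\Windows\System32\rundll32.exe",
     "path": r"C:\ProgramData\USOShared\USOInfo.dat"},
    {"type": "file", "image": r"C:\Windows\explorer.exe",
     "path": r"C:\Users\alice\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\wps.lnk"},
]

OFFICE_PARENTS = ("winword.exe", "excel.exe", "powerpnt.exe")
# .lnk dropped into a per-user or all-users Startup folder
STARTUP_LNK = re.compile(r"\\start menu\\programs\\startup\\[^\\]+\.lnk$", re.I)
# module under C:\ProgramData with a non-.dll extension used by the campaign (.ocx / .dat)
PROGRAMDATA_MODULE = re.compile(r"c:\\programdata\\.+\.(ocx|dat)\b", re.I)

def classify(ev):
    """Return the names of the hunting rules a single event matches."""
    hits = []
    image = ev.get("image", "").lower()
    if ev["type"] == "process" and image.endswith("\\rundll32.exe"):
        if ev.get("parent", "").lower().endswith(OFFICE_PARENTS):
            hits.append("office_spawns_rundll32")        # macro-launched loader
        if PROGRAMDATA_MODULE.search(ev.get("cmdline", "")):
            hits.append("rundll32_programdata_module")   # .ocx/.dat loaded as a DLL
    if ev["type"] == "file":
        path = ev.get("path", "")
        if STARTUP_LNK.search(path):
            hits.append("startup_folder_shortcut")       # persistence via Startup folder
        if image.endswith("\\rundll32.exe") and PROGRAMDATA_MODULE.search(path):
            hits.append("rundll32_writes_programdata_stage")  # next stage written to disk
    return hits

def triage(events):
    """Pair every matching rule with the event that triggered it."""
    return [(rule, ev) for ev in events for rule in classify(ev)]

if __name__ == "__main__":
    for rule, ev in triage(SAMPLE_EVENTS):
        print(rule, "->", ev.get("cmdline") or ev.get("path"))
```

USOShared is a legitimate Windows directory, so the rule keys on the unusual extension and the writing process rather than on the folder name alone.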
Infrastructure pivoting identified a second active C&C domain, birancearea[.]com, with an associated Comebacker sample first detected in March 2025.

This discovery suggests the threat actor maintains multiple operational C&C servers, likely as redundancy and to compartmentalize different campaign phases or target groups.
The campaign’s focus on aerospace and defense sectors indicates strategic targeting aligned with nation-state espionage objectives.
Organizations in these industries face elevated risk from this ongoing threat. Security teams should implement robust defenses against macro-based malware, including strict macro execution policies, network segmentation, and advanced threat detection capabilities.
Employees should receive training to identify spear phishing attempts, particularly those referencing industry-specific organizations or events.
Maintaining vigilant monitoring of suspicious network communications and implementing endpoint detection and response solutions remains critical for defending against this persistent adversary.
