The Lazarus Group, a North Korean hacking operation also known as Hidden Cobra, is deploying TFlower ransomware using its MATA malware framework, security firm Sygnia reports.
The group has been using the MATA framework to deliver payloads since 2019, according to previous reports from security firms Kaspersky and NetLabs (see: Lazarus Group Deploying Fresh Malware Framework).
The deployment of TFlower using the MATA framework “raises the possibility that the Lazarus Group is either the group behind TFlower or has some level of collaboration in operations or capabilities with it,” the report says. “Alternatively, the group may be masquerading as TFlower for some of its ransomware operations.”
The campaign using TFlower ransomware has targeted a dozen victims for data exfiltration or extortion, says Arie Zilberstein, vice president of incident response at Sygnia.