Researchers have linked a previously unknown advanced persistent threat actor to data exfiltration attacks spanning various sectors in the United States, Europe. Some tactics associated with LilacSquid overlap with those used by Andariel, a North Korean threat actor that acts as a sub-cluster within the Lazarus Group.

According to Cisco Talos, the group’s methods for initial compromise include exploiting publicly known vulnerabilities to breach Internet-facing application servers as well as using stolen remote desktop protocol credentials. Once the system is compromised, LilacSquid launches multiple open source tools such as open source remote management tool MeshAgent to connect to an attacker-controlled command-and-control server and conduct reconnaissance activities. LilacSquid also uses InkLoader, a .NET-based loader, to read from a hardcoded file path on disk and decrypt contents.