Home/ Threat Actors/ LazyScripter

🌐LazyScripter

🌐 LazyScripter is a tracked threat actor in the Clankerusecase corpus. ??-aligned. Primary motivation: Unknown. We map 14 detection use cases to this actor across 20 MITRE ATT&CK techniques, with 0 threat-intel articles citing them.

View full actor card → All threat actors MITRE ATT&CK group spec (G0140) ↗

14Use cases

0Articles

20Techniques

0IOCs

About this actor (MITRE)

[LazyScripter](https://attack.mitre.org/groups/G0140) is threat group that has mainly targeted the airlines industry since at least 2018, primarily using open-source toolsets.(Citation: MalwareBytes LazyScripter Feb 2021)

Known aliases

LazyScripter

Top techniques

T1027.010 · Command Obfuscation T1036 · Masquerading T1059.001 · PowerShell

All other tracked techniques

T1059.003 · Windows Command Shell T1059.005 · Visual Basic T1059.007 · JavaScript T1071.004 · DNS T1102 · Web Service T1105 · Ingress Tool Transfer T1204.001 · Malicious Link T1204.002 · Malicious File T1218.005 · Mshta T1218.011 · Rundll32 T1547.001 · Registry Run Keys / Startup Folder T1566.001 · Spearphishing Attachment T1566.002 · Spearphishing Link T1583.001 · Domains T1583.006 · Web Services T1588.001 · Malware T1608.001 · Upload Malware

Detection use cases (14)

LazyScripter (G0140) — open-source toolkit retrieval from GitHub raw / paste-site staging via LOLBin script interpreters AI · profile SΣ LazyScripter (G0140) — IATA/airline-themed lure script dropper chain to Run-key persistence (≤15 min) AI · profile S Brand-Impersonation Domain Fetch Followed by User-Context Loader Within 10 Minutes MITRE match Cross-Platform ClickFix Paste-to-Pipe Loader (UI-Parent Shell with Decode-and-Execute Payload) MITRE match Developer package install spawning script-host with non-registry C2 within 5 minutes MITRE match Developer/Data-tooling Daemon Spawns Shell Child Seconds After POST to Runner/Exec Endpoint MITRE match Internet-Facing Service Process Spawning Unix Shell or Ingress-Tool LOLBin (Edge Zero-Day Post-Exploit) MITRE match Low-Code / AI Workflow Runtime Sandbox-Escape — Server Process Spawns Shell + Public Egress MITRE match npm/yarn/pnpm Install-Hook Spawn → Credential-Store Read or Worm-Payload Drop in node_modules MITRE match OAuth Device-Code Consent Phish to Cross-IP Cloud Token Replay MITRE match Package Manager / Dev-Tool Auto-Execution Triggers Non-Registry Egress or Credential-Store Access MITRE match Package Manager Install Hook Spawns Scripting Interpreter Then Touches Credential Files or Egresses Off-Registry MITRE match Package Manager Install Spawning Outbound Egress to Non-Registry Infrastructure Within 5 Minutes MITRE match Package manager lifecycle hook spawns network-fetching shell or runtime MITRE match