Brambul Description

Brambul is a worm that is a part of the hacking arsenal of the infamous Lazarus hacking group (also called Hidden Cobra). They have been identified as an APT (Advanced Persistent Threat) by cybersecurity experts. Lazarus originates from North Korea, and it is widely believed that they work for the North Korean government on projects involving espionage. It would seem that the Brambul worm was employed in an attack on institutions dealing with finance and aerospace.

Lazarus used the Brambul worm to infiltrate and exploit the Windows SMB (Server Message Block). The Windows SMB is a feature that links a group of computers to the same network and allows them to share data, access to office hardware such as printers, etc. However, this means that if one of the systems in the network gets infected, it is likely that all of them may end up being affected. With the NSA leak of 2018, it became clear that there are two zero-day exploits within the Windows SMB.

Once the Brambul worm manages to infiltrate a computer, which is a part of an SMB, it would scan for the other IP addresses connected to the network. Then, using a compiled list of credentials, a brute force method is applied to guess the right username and password to check if the targeted system's login is not secured properly. If the brute force attack is a success and the Brambul worm gets access to the remote system, it may get to work by creating an admin share, and also dropping its files in the Windows installation directory immediately. By default, Brambul uses the name 'crss.exe,' but this property might be subject to change. The data collected by the Brambul worm is transferred to '' This data consists of the operating system of the infected computer, its IP address, the username and password that infiltrated it successfully, and the IP address of the computer infected with Brambul.

The Brambul worm does not cause any immediate harm to the systems it has infected but instead stays in the shadows and gathers information. It is likely that Lazarus is making sure they spread it far and wide before employing it in a future hacking operation.

Leave a Reply

Please DO NOT use this comment system for support or billing questions. For SpyHunter technical support requests, please contact our technical support team directly by opening a customer support ticket via your SpyHunter. For billing issues, please refer to our "Billing Questions or Problems?" page. For general inquiries (complaints, legal, press, marketing, copyright), visit our "Inquiries and Feedback" page.

HTML is not allowed.