ForeLord Description

The ForeLord malware is a newly spotted threat that is likely to originate from Iran. Cybersecurity researchers speculate that the party behind the ForeLord threat is an Iranian based APT (Advanced Persistent Threat) called Cobalt Ulster. However, this is yet to be confirmed. What lead experts to suspect the involvement of the Cobalt Ulster hacking group is the fact that previous threats deployed by the group bear similarities to the ForeLord Trojan. Furthermore, the targets in this latest campaign involving the ForeLord Trojan are rather similar to past targets of the Cobalt Ulster hacking group. It would appear that most of the targets of the ForeLord malware campaign are located in Iraq, Azerbaijan, Turkey, Jordan and Georgia.

Propagation Method

The ForeLord malware is a Trojan designed to steal login credentials from its targets. The attackers are propagating the ForeLord Trojan via specially crafted phishing emails. The emails in question would contain a fake Microsoft Excel attachment that carries the harmful payload of the ForeLord threat. After opening the fake attachment, the users will be asked to click on the ‘Enable Content’ button on their screen. However, doing so would enable the installation and execution of the ForeLord Trojan on their systems. This is why users should avoid opening attachments from unknown sources.


Once it has been installed on the targeted system successfully, the ForeLord threat will establish a connection with the deployers’ C&C (Command & Control) server. The C&C would send a confirmation to the ForeLord Trojan that reads ‘lordlordlordlord’ – this is where the name of the threat is derived from. Once this has been completed, the ForeLord malware will receive the payload of several publicly available hacking tools that will then be planted on the host. One of the tools in question is named ‘CredNinja,’ and it serves to help the attackers collect the necessary hashes from the Windows installation, as well as the login credentials they were seeking. It is likely that the authors of the ForeLord Trojan will diversify their operation by deploying different secondary payloads that will help them to collect sensitive data from the targeted hosts.

The ForeLord Trojan is a threat that is meant to remain unnoticed on the compromised system over a long period to gather the information needed. Make sure your computer is protected by a genuine anti-malware application.