LaZagne

LaZagne is an open-source password recovery and credential theft tool used to retrieve passwords stored on a local computer. It is designed to extract credentials across multiple platforms, including Windows, Linux, and macOS, and supports numerous sources such as web browsers, chat applications, databases, mail clients, Wi-Fi profiles, operating system credential stores, and various sysadmin and file transfer tools. Reported supported targets include browsers such as Chrome, Firefox, Edge, Opera, Brave, Chromium, Vivaldi, and Yandex; mail clients such as Outlook and Thunderbird; chat applications such as Pidgin, Psi, and Skype; database tools such as DBVisualizer and PostgreSQL; and tools such as FileZilla, OpenSSH, OpenVPN, WinSCP, CyberDuck, mRemoteNG, PuttyCM, Rclone, RDPManager, and VNC. It can also access internal credential stores and artifacts including Autologon, MSCache, Credential Files, Credman, DPAPI, LSA secrets, Vault files, GNOME Keyring, Kwallet, LM/NT hashes, and on Linux items such as AWS and Docker environment variables, SSH private keys, and Wi-Fi credentials. On Windows, administrator privileges are required for some sources such as Wi-Fi passwords and Windows Secrets. LaZagne supports output in text and JSON formats and can run all modules or selected modules only.

The tool is also notable for in-memory use through the Pupy post-exploitation framework, where its Python code can be interpreted without touching disk. Detection-focused reporting notes that LaZagne and similar browser credential extraction tools commonly read fixed browser storage paths, including Firefox files such as cookies.sqlite, key3.db, key4.db, and logins.json, and Chromium-family files such as Login Data, Network Cookies, and Local State.

LaZagne is widely used by threat actors as a publicly available dual-use credential harvesting utility. The provided content explicitly associates its use with APT33, APT15, Inception, MuddyWater, OilRig, Leafminer, Pupy, RedCurl, Akira ransomware operators, Beast Ransomware operators, and YoroTrooper-derived tooling, among others. Reported operational use includes harvesting credentials from infected systems, browsers, databases, email clients, Outlook Web Access, Wi-Fi, files, and Windows Registry-stored secrets to support privilege escalation, lateral movement, persistence, and broader post-compromise activity. The content also references LaZagne being used alongside tools such as Mimikatz, Meterpreter, Metasploit, Invoke-Obfuscation, Browser64, HackBrowserData, and Automim.

High-confidence behavior described in the content includes obtaining credentials from chats, databases, mail, Wi-Fi, browsers, and files across multiple platforms; recovering stored passwords from local systems; and being used in intrusion chains by both espionage and ransomware actors. Detection-relevant artifacts mentioned in the content include command-line keywords such as 'browsers', 'Databases', 'Mails', and 'Sysadmin'; default execution from AppData\Local\Temp in some cases; loading of Python27.dll and a bundled SQLite3 DLL in some detections; and access to browser credential files under %LOCALAPPDATA%.