Skip to main content
Live Webinar with SANS (June 25)— Agentic CTI Automation for Fun & ProfitRegister Free
Mallory
Back to malware
MalwareUsed by 1 actor

HazyLoad

HazyLoad is a custom-made proxy tool associated with North Korean Lazarus/Andariel activity. Cisco Talos identified it as a common artifact in the Lazarus Group campaign dubbed Operation Blacksmith and described BottomLoader as being used to fetch additional payloads such as HazyLoad. Talos reported HazyLoad targeting a European firm and an American subsidiary of a South Korean physical security and surveillance company as early as May 2023. The broader Operation Blacksmith activity opportunistically targeted internet-exposed enterprise infrastructure through n-day exploitation, including CVE-2021-44228 (Log4Shell) on publicly facing VMware Horizon servers, followed by reconnaissance, credential dumping, and deployment of proxy tooling for persistent access. The campaign showed overlaps with activity attributed to Onyx Sleet/PLUTIONIUM/Andariel, a subgroup under the Lazarus umbrella. Separate reporting also lists HazyLoad among tools associated with NICKEL HYATT/Andariel. High-confidence details in the provided content identify HazyLoad specifically as a custom proxy tool used in Lazarus/Andariel-linked intrusions; no additional technical indicators or standalone infection vector details are provided beyond its role as a fetched payload within that campaign.

Share:
For your environment

Hunt this family in your stack

Mallory pivots from this family to the IOCs, detections, and named campaigns that touch your stack, and pages you when something new lands.

Start free trial
THREAT ACTORS

Groups observed using it

1 distinct threat actor attributed by public researchers. Open in Mallory to see the full evidence chain and overlapping campaigns.

View more details
NICKEL HYATT

"Tools Rifle, ActiveX 0-day, Valefor, HazyLoad, HotCriossant, DTrack, UnitBot"

via secureworks threat profilessecureworks.com
ACTIVITY FEED

Recent activity

3 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.

3 SOURCESView more in app
talos intelligence blogNews
Dec 11, 2023
Operation Blacksmith: Lazarus targets organizations worldwide using novel Telegram-based malware written in DLang

Custom proxy/reverse-proxy tool used to maintain direct access and provide redundant backdoor connectivity after initial compromise, reducing the need to repeatedly exploit the initial-access vulnerability.

Read more
picus security blogNews
Nov 13, 2023
October 2023: Key Threat Actors, Malware and Exploited Vulnerabilities

Referenced as malware associated with exploitation of JetBrains TeamCity CVE-2023-42793 (no further details provided in the content).

Read more
secureworks threat profilesNews
Mar 18, 2026
NICKEL HYATT

Tooling attributed to NICKEL HYATT; the content lists it as part of the group’s toolset but does not describe functionality beyond being a named tool.

Read more
What this page doesn’t show

The version that knows your environment.

This page is what’s public. Mallory adds the parts that aren’t: which of your assets match these IOCs, which detections are missing, which campaigns to expect next, and what to do in the next 30 minutes.
Start free trial
IOC matching

Match every observed IP, domain, and hash against your live telemetry.

Threat actor attribution1

Named campaigns wielding this family, with evidence pinned to each claim.

Exploited vulnerabilities

CVEs this family uses for access and lateral movement.

Detection signatures

YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.

MITRE ATT&CK mapping

Every documented technique, ranked by evidence weight.

Researcher chatter

Reddit, Mastodon, and CTI community discussion around this family.