Skip to main content
Mallory
Back to malware
MalwareUsed by 1 actor

LsaRecorder

LsaRecorder is a credential-theft tool used by the intrusion cluster tracked by Palo Alto Networks Unit 42 as CL-UNK-1068 (assessed as a Chinese-linked/Chinese-speaking actor). In reported intrusions, LsaRecorder is used to capture Windows logon credentials by hooking the LSA authentication callback function LsaApLogonUserEx2 to record the WinLogon password. It is part of a broader credential-access toolkit observed in this campaign alongside Mimikatz and memory-dumping workflows (e.g., DumpIt/Volatility). The activity described occurs in long-running compromises of organizations across South, Southeast, and East Asia, targeting sectors including telecommunications, energy, technology, pharmaceuticals, government, and law enforcement, consistent with an espionage-oriented operation.

Share:
For your environment

Hunt this family in your stack

Mallory pivots from this family to the IOCs, detections, and named campaigns that touch your stack, and pages you when something new lands.

Start free trial
THREAT ACTORS

Groups observed using it

1 distinct threat actor attributed by public researchers. Open in Mallory to see the full evidence chain and overlapping campaigns.

View more details
CL-UNK-1068

Other tools powering CL-UNK-1068's credential theft activities include Mimikatz, LsaRecorder, DumpItForLinux, Volatility Framework, and the SQL Server Management Studio Password Export Tool.

via scworldscworld.com
MITRE ATT&CK

Techniques & procedures

3 distinct techniques documented for this family, organized by ATT&CK tactic.

Credential Access

3 techniques
T1003OS Credential DumpingEvidence3
TacticCredential Access

"Other tools powering CL-UNK-1068's credential theft activities include Mimikatz, LsaRecorder, DumpItForLinux, Volatility Framework, and the SQL Server Management Studio Password Export Tool."

T1003.001LSASS MemoryEvidence1
TacticCredential Access

"...credential theft activities include Mimikatz, LsaRecorder..."

T1056Input CaptureEvidence1
TacticsCredential AccessCollection

“The LsaRecorder tool captures login passwords by hooking the LsaApLogonUserEx2 callback function.”

Collection

1 technique
T1056Input CaptureEvidence1
TacticsCredential AccessCollection

“The LsaRecorder tool captures login passwords by hooking the LsaApLogonUserEx2 callback function.”

ACTIVITY FEED

Recent activity

4 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.

4 SOURCESView more in app
scworldNews
Mar 10, 2026
Asian critical infrastructure subjected to clandestine Chinese hacking campaign | brief | SC Media

Tool used for credential theft activities (credential access) in the described intrusion set.

Read more
the hacker newsNews
Mar 9, 2026
Web Server Exploits and Mimikatz Used in Attacks Targeting Asian Critical Infrastructure

Credential theft tool that hooks Windows authentication routines to capture logon passwords.

Read more
dark readingNews
Mar 9, 2026
Chinese Cyber Threat Lurks In Critical Asian Sectors for Years

Password capture/credential theft tool used to obtain credentials from Windows systems.

Read more
palo alto networks unit 42 blogNews
Mar 6, 2026
An Investigation Into Years of Undetected Operations Targeting High-Value Sectors

Windows credential theft tool that hooks LSA authentication callback (LsaApLogonUserEx2) to capture users’ logon passwords.

Read more
What this page doesn’t show

The version that knows your environment.

This page is what’s public. Mallory adds the parts that aren’t: which of your assets match these IOCs, which detections are missing, which campaigns to expect next, and what to do in the next 30 minutes.
Start free trial
IOC matching

Match every observed IP, domain, and hash against your live telemetry.

Threat actor attribution1

Named campaigns wielding this family, with evidence pinned to each claim.

Exploited vulnerabilities

CVEs this family uses for access and lateral movement.

Detection signatures

YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.

MITRE ATT&CK mapping3

Every documented technique, ranked by evidence weight.

Researcher chatter

Reddit, Mastodon, and CTI community discussion around this family.