Operation LagTime IT by TA428: Colorful Panda Footprint
released on 2020-09-30 @ 06:13:11 PM
Operation LagTime IT by TA428 is an attack campaign targeting governmental organizations in East Asian countries, first reported by Proofpoint in July 2019. It is still in the wild and active as of 2020. Through detailed analysis of two samples (lure documents themed on Qasem Soleimani and on COVID-19) observed in January and February 2020, we reconstructed the whole attack picture, including how TA428 interacts with a compromised target. Previous research on Operation LagTime IT only reported its use of the Royal Road RTF weaponizer, Poison Ivy and Cotx RAT. However, according to the behaviour we observed, TA428 also performs user environment checking, credential stealing, lateral movement and highly sophisticated defence evasion.