Poker Stratigy.7z

The user downloads and extracts Poker Stratigy.7z. It contains a legitimate-looking but malicious application [2]. When the user runs the "poker" application, the legitimate program automatically loads the malicious DLL from the same directory, a technique called DLL Side-Loading [2].

Once active, the malware connects to a Command and Control (C2) server to download further payloads, such as:

Trojanized Downloader: To fetch more specialized tools.
To give the attacker full control over the infected machine.

Decoy Content

To keep the victim unaware of the infection, the archive may actually contain a PDF or a text file with genuine poker strategy content. This "front" ensures the user doesn't suspect foul play while the malware installs itself in the background [2].

Indicators of Compromise (IoCs)

If you have encountered this file, look for these common Lazarus Group indicators:

Poker Stratigy.7z (note the "i" in Stratigy) [1].
Use of .7z or .rar archives protected by a password (provided in the chat/email) to bypass email gateway scanners [3].
Unsolicited files sent via social media or messaging apps from accounts posing as recruiters or industry experts [1].
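The following triage script is an added example, not code from the original report or from any vendor; it takes a list of file paths from an extracted archive (a constructed sample, including the made-up DLL name helper.dll) and flags the three patterns described above: the misspelled lure archive name, an executable with a DLL beside it (the DLL Side-Loading setup), and a decoy document sitting in the same directory as that pair.

```python
import os
import re
from dataclasses import dataclass, field

# The misspelled "Stratigy" is the indicator named in the report; the correctly
# spelled form is matched too so a renamed copy of the lure is not missed.
LURE_NAME = re.compile(r"poker[\s_-]*strat(i|e)gy\.(7z|rar)$", re.IGNORECASE)
DECOY_EXT = {".pdf", ".txt"}  # decoy document types mentioned in the report


@dataclass
class Findings:
    lure_archives: list = field(default_factory=list)   # paths matching the lure name
    sideload_pairs: list = field(default_factory=list)  # (exe, dll) in the same directory
    decoy_dirs: list = field(default_factory=list)      # dirs with decoy doc + exe + dll


def triage(paths):
    """Classify file paths (e.g. from an extracted archive) against the lure pattern."""
    f = Findings()
    by_dir = {}
    for p in paths:
        norm = p.replace("\\", "/")
        d, name = os.path.split(norm)
        by_dir.setdefault(d, []).append(name)
        if LURE_NAME.search(name):
            f.lure_archives.append(norm)
    for d, names in by_dir.items():
        exes = [n for n in names if n.lower().endswith(".exe")]
        dlls = [n for n in names if n.lower().endswith(".dll")]
        decoys = [n for n in names if os.path.splitext(n)[1].lower() in DECOY_EXT]
        # An executable shipped with a DLL next to it is the side-loading setup.
        for e in exes:
            for dl in dlls:
                f.sideload_pairs.append((f"{d}/{e}", f"{d}/{dl}"))
        # Decoy document + executable + DLL in one directory: the full lure layout.
        if exes and dlls and decoys:
            f.decoy_dirs.append(d)
    return f


# Constructed sample listing for demonstration; not from a real incident.
SAMPLE = [
    "Downloads/Poker Stratigy.7z",
    "Downloads/Poker Stratigy/poker.exe",
    "Downloads/Poker Stratigy/helper.dll",
    "Downloads/Poker Stratigy/Poker Strategy Guide.pdf",
    "Downloads/notes.txt",
]

if __name__ == "__main__":
    print(triage(SAMPLE))
```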