North Korean cybercrime operation Lazarus Group, also known as APT38, Hidden Cobra, Dark Seoul, and Zinc, has been using the new MagicRAT malware in attacks against networks that have been compromised through vulnerable VMware Horizon servers, according to The Hacker News. Despite being a fairly C++-based implant, MagicRAT has been leveraging the Qt Framework to better evade human analysis and detection by machine learning technologies, Cisco Talos researchers reported. The report also showed that aside from establishing scheduled tasks to achieve persistence on impacted systems, the malware could also facilitate the deployment of more payloads from a remote server, one of which is a lightweight port scanner purporting to be a GIF image file. Newer versions of the TigerRAT backdoor linked to Lazarus spinoff Andariel has also been found in MagicRAT's command-and-control infrastructure. "The discovery of MagicRAT in the wild is an indication of Lazarus' motivations to rapidly build new, bespoke malware to use along with their previously known malware such as TigerRAT to target organizations worldwide," researchers added.