APT / THREAT GROUP

BLINDINGCAN

4 aliases
Last seen: Mar 17, 2026

Intelligence Profile

BLINDINGCAN is a remote access trojan that communicates with its C&C server via HTTP(S).

It uses (custom) RC4 or AES to encrypt and decrypt its configuration and its network traffic.

It sends information about the victim's environment, such as the computer name, IP address, Windows product name and processor name.

It supports around 30 commands, covering operations on the victim's filesystem, basic process management, command-line execution, file exfiltration, configuration updates, and the download and execution of additional payloads from the attackers' C&C. The commands are indexed by 16-bit integers, starting at 0x2009 and increasing to 0x2057, with some indices skipped.

It uses various parameter names in its HTTP POST requests, mostly ones associated with web servers running bulletin board systems, such as bbs, article, boardid, s_board, page and idx_num.
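The parameter names above are a network-side pivot, so a practitioner will usually want to test them against proxy or web-server logs. The following is an added example, not code from this page, from ESET or from CTIWATCH: it parses constructed log lines (method, URL, URL-encoded body), collects the parameter names from query string and body, and flags POST requests whose parameter set overlaps the bulletin-board names. The log line format, the sample entries and the overlap threshold of three names are assumptions; the names themselves are the ones the profile lists.

```python
"""Heuristic triage of HTTP POST parameter names against the bulletin-board
style names the BLINDINGCAN profile reports (bbs, article, boardid, s_board,
page, idx_num).  Added example: not code from the page, ESET or CTIWATCH.
Log format, sample lines and threshold are assumptions made for illustration."""
from urllib.parse import parse_qs, urlsplit

# Parameter names the profile associates with BLINDINGCAN POST requests.
BBS_PARAMS = {"bbs", "article", "boardid", "s_board", "page", "idx_num"}

# Constructed sample log: "<method> <url> <urlencoded-body-or-dash>" per line.
# Hosts use documentation/test ranges and are not real indicators.
SAMPLE_LOG = """\
POST https://example-cms.test/board/write.php bbs=notice&article=1029&boardid=3&s_board=free&idx_num=7
GET https://www.example.org/forum/view.php?page=2 -
POST https://shop.example.net/checkout token=abc&item=42&qty=1
POST http://203.0.113.5/bbs/board.php page=1&article=5&bbs=qna
"""


def parse_line(line: str):
    """Split one log line into (method, url, set-of-parameter-names).

    Parameter names are taken from both the URL query string and the
    request body, since a beacon may place them in either."""
    method, url, body = line.split(" ", 2)
    names = set(parse_qs(urlsplit(url).query, keep_blank_values=True))
    if body != "-":
        names |= set(parse_qs(body, keep_blank_values=True))
    return method, url, names


def bbs_overlap(names: set) -> list:
    """Sorted list of the request's parameter names that match the BBS set."""
    return sorted(names & BBS_PARAMS)


def triage(log_text: str, min_overlap: int = 3) -> list:
    """Return [(url, matched_names)] for POST requests whose parameter names
    overlap BBS_PARAMS by at least `min_overlap` (assumed threshold)."""
    hits = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        method, url, names = parse_line(line)
        overlap = bbs_overlap(names)
        if method == "POST" and len(overlap) >= min_overlap:
            hits.append((url, overlap))
    return hits


if __name__ == "__main__":
    for url, matched in triage(SAMPLE_LOG):
        print(f"suspect POST {url}: {', '.join(matched)}")
```

These names are also perfectly ordinary on legitimate Korean-style bulletin boards, which is exactly why the RAT uses them, so treat a hit as a lead to enrich with destination reputation, User-Agent and beacon periodicity rather than as a conviction on its own.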

It contains specific RTTI symbols such as ".?AVCHTTP_Protocol@@", ".?AVCFileRW@@" and ".?AVCSinSocket@@".
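The RTTI strings are a file-side pivot: MSVC emits a type descriptor for every polymorphic class, and its mangled name (".?AV" for class, ".?AU" for struct, nested scopes separated by "@", terminated by "@@") survives as plain ASCII in the binary. The following is an added example, not code from the page or from the analysts it summarises: it scans a byte buffer for all MSVC RTTI type-descriptor names, demangles them into readable scope form, and reports which of the three names the profile lists are present. The sample buffer is constructed; the extra class names in it are padding, not indicators.

```python
"""Extract MSVC RTTI type-descriptor names from a binary and check for the
ones the BLINDINGCAN profile lists.  Added example, not code from the page.
SAMPLE is a constructed buffer standing in for file contents read from disk."""
import re

# Mangled RTTI type-descriptor names: ".?AV" = class, ".?AU" = struct,
# then one or more scope components separated by "@", ending in "@@".
RTTI_RE = re.compile(rb"\.\?A[VU][A-Za-z0-9_@]+?@@")

# Names the profile associates with BLINDINGCAN.
KNOWN_BLINDINGCAN = {".?AVCHTTP_Protocol@@", ".?AVCFileRW@@", ".?AVCSinSocket@@"}

# Constructed sample: three listed names plus two unrelated ones, separated
# by binary noise as they would be inside a PE's data section.
SAMPLE = (
    b"\x00" * 16 + b".?AVCHTTP_Protocol@@" + b"\x00\x00\x90\x90"
    + b".?AVtype_info@@" + b"\x00" * 8 + b".?AVCFileRW@@" + b"\x00"
    + b".?AVCWinApp@@" + b"\xff\xfe" + b".?AVCSinSocket@@" + b"\x00" * 4
)


def rtti_names(data: bytes) -> list:
    """Sorted, de-duplicated mangled RTTI names found anywhere in `data`."""
    return sorted({m.group().decode("ascii") for m in RTTI_RE.finditer(data)})


def demangle(name: str) -> str:
    """'.?AVInner@Outer@@' -> 'class Outer::Inner'; '.?AUFoo@@' -> 'struct Foo'.
    Scope components are stored innermost-first, so they are reversed."""
    kind = "class" if name.startswith(".?AV") else "struct"
    parts = name[4:-2].split("@")
    return f"{kind} {'::'.join(reversed(parts))}"


def match_known(data: bytes) -> list:
    """Sorted list of the profile's RTTI names present in `data`."""
    return sorted(set(rtti_names(data)) & KNOWN_BLINDINGCAN)


def scan_file(path: str) -> dict:
    """Read a file from disk and summarise its RTTI names and known matches."""
    with open(path, "rb") as fh:
        data = fh.read()
    names = rtti_names(data)
    return {
        "classes": [demangle(n) for n in names],
        "blindingcan_matches": match_known(data),
    }


if __name__ == "__main__":
    for n in rtti_names(SAMPLE):
        print(f"{n:28s} -> {demangle(n)}")
    print("matches:", match_known(SAMPLE))
```

RTTI names are trivially stripped or renamed by the developer, and a match on a generic name like CFileRW alone is weak; all three together, next to the bulletin-board POST parameters and a custom RC4/AES config blob, is what makes the cluster useful for hunting and sample clustering.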

The BLINDINGCAN RAT is a flagship payload deployed in many Lazarus attacks, especially in the Operation DreamJob campaigns of 2020-2022.

Threat Analysis

BLINDINGCAN is malware (a remote access trojan), not a threat group in its own right, so its sophistication, origin and motivation are those of the operators deploying it. The profile above attributes its deployment to Lazarus, notably in the Operation DreamJob campaigns of 2020-2022; no separate assessment of the malware's origin or the operators' motivation is recorded in this entry.

Quick Facts

Type: APT / Threat Group
Aliases: 4

Also Known As

AIRDRY, BLINDINGCAN, ZetaNile, win.blindingcan

External Intelligence

Malpedia: win.blindingcan

Data sourced from Malpedia, Ransomware.live, RansomLook, and CTIWATCH OSINT collection. Actor attribution is based on available intelligence and may be incomplete.
BLINDINGCAN — APT / Threat Group | Threat Intelligence | CTIWATCH.COM