HOMETHREATSLightlessCan
MALWARE FAMILY

LightlessCan

Internal ID: win.lightlesscan
1
aliases
Last seen:Mar 17, 2026

Intelligence Profile

LightlessCan is a complex HTTP(S) RAT, that is a successor of the Lazarus RAT named BlindingCan.

In Q2 2022 and Q1 2023, it was deployed in targeted attacks against an aerospace company in Spain and a technology company in India.

Besides the support for commands already present in BlindingCan, its most significant update is mimicked functionality of many native Windows commands:

• ipconfig

• net

• netsh advfirewall firewall

• netstat

• reg

• sc

• ping (for both IPv4 and IPv6 protocols)

• wmic process call create

• nslookup

• schstasks

• systeminfo

• arp

These native commands are often abused by the attackers after they have gotten a foothold in the target’s system. Lightless is able to execute them discreetly within the RAT itself, rather than being executed visibly in the system console. This provides stealthiness, both in evading real-time monitoring solutions like EDRs, and postmortem digital forensic tools.

LightlessCan use RC6 for decryption of its configuration, and also for encryption and decryption of network traffic.

Threat Analysis

LightlessCan is a malware family tracked by threat intelligence researchers and catalogued in the Malpedia dataset. It represents a distinct malicious software lineage with identifiable code characteristics, behaviors, and victimology.

External References

Quick Facts

TypeMalware Family
Aliases1

Also Known As

win.lightlesscan

Research Links

Data sourced from Malpedia, Ransomware.live, RansomLook, and CTIWATCH OSINT collection. Actor attribution is based on available intelligence and may be incomplete.
LightlessCan — Malware Family | Threat Intelligence | CTIWATCH.COM