BLINDINGCAN is a remote access trojan (RAT) attributed to the North Korean state-sponsored APT group Lazarus. First documented in public reporting around 2020, this malware provides attackers with comprehensive control over infected Windows machines through an encrypted HTTP or HTTPS communication channel. Unlike ransomware that announces itself loudly, BLINDINGCAN operates quietly in the background, waiting for instructions from its command-and-control infrastructure. It's particularly dangerous because it combines stealthy persistence with a broad command set—roughly 30 different operations—that allows attackers to steal files, run arbitrary programs, and install additional malware payloads at will.

[Image: BLINDINGCAN cybersecurity illustration. Photo by Miguel Á. Padriñán on Pexels]
Think you're infected right now? Disconnect from the internet immediately (unplug Ethernet or disable Wi-Fi). Do not attempt online banking, email, or password entry on this machine. Call us at (770) 676-0TMB or bring the computer to our Roswell shop at your earliest opportunity. BLINDINGCAN is espionage-grade malware—removing it correctly requires forensic care.

Threat Profile

Threat Name: BLINDINGCAN
Aliases: AIRDRY, ZetaNile
Threat Type: Remote Access Trojan (RAT)
Target Platform: Windows (PE executable)
Attribution: Lazarus Group (North Korean APT)
First Documented: Circa 2020
Command Count: ~30 distinct operations
Network Protocol: HTTP/HTTPS with custom RC4 or AES encryption
Primary Function: System reconnaissance, file exfiltration, remote command execution, payload delivery
Persistence Mechanism: Registry Run keys, scheduled tasks (varies by variant)
Detection Difficulty: High—encrypted traffic, polymorphic samples, state-level operational security
Typical Payload Size: 100–500 KB (varies)

How It Spreads

BLINDINGCAN is not mass-distributed spam malware. Lazarus uses it in targeted operations against organizations and individuals of intelligence interest—defense contractors, cryptocurrency exchanges, financial institutions, and technology firms have all been documented victims. The initial infection vector is almost always a spear-phishing email containing a malicious Microsoft Office document (often weaponized with macros or exploits) or a disguised executable attachment. The attackers research their targets carefully, crafting emails that reference real projects, real colleagues, or real business contexts to maximize the chance the recipient will open the attachment.

Once the victim enables macros or runs the disguised file, a dropper installs the BLINDINGCAN payload and establishes persistence. In some campaigns, the trojan arrives as a second-stage payload delivered by another Lazarus tool after the initial foothold is secured. The group is also known to compromise legitimate software supply chains and trojanize installers, though this is less common for BLINDINGCAN specifically.

Common distribution methods:

  • Spear-phishing emails with weaponized Office documents (macros, embedded exploits)
  • Executable attachments disguised as PDFs, images, or legitimate installers
  • Watering-hole attacks on industry-specific websites
  • Second-stage deployment after initial compromise by other Lazarus malware
  • Exploitation of public-facing applications (rare, but documented)

What It Does On Your Machine

After installation, BLINDINGCAN collects baseline reconnaissance data about your system: computer name, local and external IP addresses, Windows version (e.g., "Windows 10 Pro"), processor model, and username. This "victim profile" is encrypted with RC4 or AES and transmitted to the C&C server over HTTP or HTTPS. The encryption makes the traffic look like meaningless binary data to network monitoring tools, helping the malware evade detection. The C&C server responds with a 16-bit command code, and BLINDINGCAN's dispatcher executes the corresponding function.

The command set is extensive. Attackers can list, read, write, delete, and move files anywhere on your system. They can enumerate running processes, start new processes, and terminate existing ones. They can execute arbitrary shell commands via cmd.exe, capturing the output and sending it back. Critically, BLINDINGCAN supports file exfiltration: the malware reads a specified file, encrypts it, and uploads it to the C&C in chunks. This is how sensitive documents, financial records, source code, credentials, and intellectual property leave your network without setting off alarms. The trojan can also download and execute additional payloads—enabling the attackers to deploy ransomware, credential-dumping tools, or lateral-movement utilities once they've mapped your environment.

Behavioral indicators observed in sandbox analysis show the malware writing itself to disk and establishing persistence, then initiating encrypted outbound connections. While specific paths and registry keys vary across samples, a representative execution trace looks like this:

  # Installation and persistence (observed in sandbox)
  C:\Users\[User]\AppData\Local\Temp\svchost.exe                        ← Dropped payload (masquerades as Windows service host)
  HKCU\Software\Microsoft\Windows\CurrentVersion\Run
    "WindowsUpdate" = "C:\Users\[User]\AppData\Local\Temp\svchost.exe"  ← Autostart registry key

  # Network communication
  TCP connection initiated to C&C server (IP varies by campaign)
  User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64)                 ← HTTP request with generic browser string
  POST /board/view.php                                                  ← C&C URI (path varies)
  <encrypted payload in HTTP body>                                      ← RC4/AES, appears as random bytes

  # Command execution
  cmd.exe /c whoami                                                     ← Shell command issued by C&C
  cmd.exe /c systeminfo
  cmd.exe /c net view                                                   ← Network enumeration

Because BLINDINGCAN is state-sponsored malware, its operational tempo is measured in weeks or months, not hours. The attackers may remain dormant in your system, periodically checking in, and only exfiltrate data when they've identified high-value targets. This "low and slow" approach makes detection extremely difficult without endpoint detection and response (EDR) tools or careful forensic analysis.

Manual Removal — Step by Step

01

Disconnect from the Network

Before you do anything else, physically disconnect the infected machine from the internet—unplug the Ethernet cable or turn off Wi-Fi. BLINDINGCAN's entire purpose is to communicate with its controllers; severing that link stops active data theft and prevents the attackers from issuing a self-destruct command that could complicate forensics.

02

Boot Into Safe Mode with Networking

Restart the computer and press F8 (or Shift+F8 on newer systems) during boot to access Advanced Boot Options. Select Safe Mode with Networking. This loads Windows with minimal drivers and prevents most malware from auto-starting, giving you a cleaner environment to work in. (You'll need networking briefly to download tools in step 4.)

03

Reveal Hidden Files and System Files

Open File Explorer, click View > Options > Change folder and search options. Under the View tab, select Show hidden files, folders, and drives and uncheck Hide protected operating system files. Click Apply. This allows you to see the malware executable and any companion files it may have dropped.

04

Run a Full System Scan with Multiple Tools

Download (on a clean machine) and transfer via USB: Malwarebytes, Kaspersky Rescue Disk, or ESET Online Scanner. Run each in sequence and allow full system scans. BLINDINGCAN samples are often polymorphic, so one engine may miss what another catches. Quarantine or delete any detections. Pay special attention to items flagged as "Trojan.Lazarus," "Backdoor.BLINDINGCAN," or generically as "Trojan.Agent."

05

Manually Check and Remove Persistence Entries

Press Win+R, type regedit, and navigate to HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run and HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run. Look for entries with suspicious names (e.g., "WindowsUpdate," "svchost," "SystemService") pointing to executables in %TEMP%, %APPDATA%, or unusual subdirectories. Right-click and delete these entries. Also check Task Scheduler (taskschd.msc) for scheduled tasks with random names or suspicious triggers.

06

Delete the Malware Files from Disk

Navigate to the file paths identified in the registry or by your AV scan—commonly C:\Users\[User]\AppData\Local\Temp\ or C:\Users\[User]\AppData\Roaming\. Delete the executable (often masquerading with a generic name like svchost.exe, lsass.exe, or a random alphanumeric string). Check for companion DLLs or .dat configuration files in the same directory and delete those too. Empty the Recycle Bin immediately.

07

Clear Browser Caches and Temporary Files

Run Disk Cleanup (search for it in the Start menu), check all boxes including Temporary files and Temporary Internet Files, and click OK. Then manually clear browser history and cache in Chrome/Edge/Firefox. BLINDINGCAN doesn't typically operate via browser, but cached payloads or downloaded scripts may linger.

08

Check the Hosts File and Flush DNS

Open C:\Windows\System32\drivers\etc\hosts in Notepad (run as Administrator). Look for unfamiliar entries redirecting domains. Delete any suspicious lines. Save and close. Then open Command Prompt as Administrator and run ipconfig /flushdns to clear the DNS resolver cache.

09

Reset All Passwords from a Clean Device

BLINDINGCAN can log keystrokes and exfiltrate files—including browser credential stores and password manager databases. From a different, known-clean computer or phone, change the passwords for your email, banking, work accounts, and any other sensitive services. Enable two-factor authentication wherever possible.

10

Reboot and Monitor for 48 Hours

Restart the machine normally (not in Safe Mode). Reconnect to the network cautiously. Monitor Task Manager and Resource Monitor for unusual processes or network activity. Run follow-up scans daily for the next two days. If anything suspicious reappears, the infection may have rootkit components or you may have missed a persistence mechanism—at that point, professional forensic remediation is strongly advised.
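As an added illustration (not code from this page, the repair shop, or any vendor tool), the following Python triage function scores autostart entries and Sysmon-style process and proxy events against the indicators described in the sandbox trace above and in removal steps 05 and 06: an autostart binary living under %TEMP% or %APPDATA%, a Windows system-binary name running outside System32, cmd.exe recon commands spawned from such a path, and a POST with a generic browser User-Agent from the same process. The event field names and all sample events are constructed assumptions, not real telemetry.

```python
import re

# Autostart and execution locations the page calls out (%TEMP%, %APPDATA%).
USER_WRITABLE = re.compile(r"\\AppData\\(Local\\Temp|Roaming)\\", re.I)
# Windows binary names the page says the dropped payload imitates;
# genuine copies only ever run from System32.
MASQUERADE = {"svchost.exe", "lsass.exe"}
# Shell reconnaissance commands from the trace, issued via "cmd.exe /c".
RECON = {"whoami", "systeminfo", "net view"}
GENERIC_UA = "Mozilla/5.0 (Windows NT 10.0; Win64; x64)"

def exe_path(command):
    """Extract the executable path from a Run-key command line (quoted or not)."""
    command = command.strip()
    if command.startswith('"'):
        return command[1:command.find('"', 1)]
    return command.split(" ")[0]

def basename(path):
    return path.replace("/", "\\").split("\\")[-1].lower()

def triage(event):
    """Return the reasons an event matches the BLINDINGCAN pattern ([] = clean).
    The 'kind' values and field names are assumptions for this example."""
    hits = []
    if event["kind"] == "run_key":  # a ...\CurrentVersion\Run value (step 05)
        path = exe_path(event["command"])
        if USER_WRITABLE.search(path):
            hits.append(f"Run key '{event['name']}' autostarts from a user-writable dir")
        if basename(path) in MASQUERADE and "\\system32\\" not in path.lower():
            hits.append(f"Run key '{event['name']}' uses a system binary name outside System32")
    elif event["kind"] == "process":  # Sysmon process-creation style record
        if basename(event["image"]) in MASQUERADE and USER_WRITABLE.search(event["image"]):
            hits.append("masqueraded system binary executing from Temp/AppData (step 06)")
        m = re.search(r'cmd\.exe"?\s+/c\s+(.+)$', event["cmdline"], re.I)
        if m and m.group(1).strip().lower() in RECON and USER_WRITABLE.search(event["parent"]):
            hits.append(f"recon command {m.group(1).strip()!r} spawned by a Temp-path parent")
    elif event["kind"] == "http":  # proxy/firewall record with originating process
        if event["method"] == "POST" and event["ua"] == GENERIC_UA and USER_WRITABLE.search(event["process"]):
            hits.append(f"POST {event['path']} with generic User-Agent from a Temp-path process")
    return hits

def triage_all(events):
    return [(i, reason) for i, e in enumerate(events) for reason in triage(e)]

# Constructed sample events: two benign entries, three shaped like the trace above.
SAMPLE = [
    {"kind": "run_key", "name": "OneDrive", "command": r'"C:\Program Files\Microsoft OneDrive\OneDrive.exe" /background'},
    {"kind": "run_key", "name": "WindowsUpdate", "command": r"C:\Users\alice\AppData\Local\Temp\svchost.exe"},
    {"kind": "process", "image": r"C:\Windows\System32\svchost.exe", "cmdline": "svchost.exe -k netsvcs", "parent": r"C:\Windows\System32\services.exe"},
    {"kind": "process", "image": r"C:\Windows\System32\cmd.exe", "cmdline": "cmd.exe /c whoami", "parent": r"C:\Users\alice\AppData\Local\Temp\svchost.exe"},
    {"kind": "http", "method": "POST", "path": "/board/view.php", "ua": GENERIC_UA, "process": r"C:\Users\alice\AppData\Local\Temp\svchost.exe"},
]

if __name__ == "__main__":
    for index, reason in triage_all(SAMPLE):
        print(f"event {index}: {reason}")
```

A clean machine should produce no hits for events 0 and 2; the Run-key, recon and beacon events each match, which is the pattern to hand to a forensic examiner rather than a reason to keep using the machine.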

Prevention

  1. Train yourself and employees to recognize spear-phishing. Be skeptical of unexpected attachments, even from known contacts. Verify requests via a separate communication channel (phone call, separate email thread) before opening documents or enabling macros.
  2. Disable macros by default in Microsoft Office. Set the Trust Center to "Disable all macros without notification." If you must use macros, enable them only for digitally signed macros from trusted publishers.
  3. Keep Windows and all software fully patched. Lazarus frequently exploits known vulnerabilities in Office, browsers, and third-party plugins. Enable automatic updates for Windows, Office, Adobe Reader, Java, and other common targets.
  4. Deploy endpoint detection and response (EDR) software. Consumer antivirus is insufficient against state-level threats. EDR solutions (CrowdStrike, SentinelOne, Microsoft Defender for Endpoint) use behavioral analysis and threat intelligence to detect BLINDINGCAN-style RATs even when signatures fail.
  5. Segment your network and restrict outbound traffic. Use application-layer firewalls to block unauthorized outbound connections. Whitelist allowed domains and protocols. This won't stop BLINDINGCAN entirely, but it will make C&C communication harder and more visible.
  6. Enable and monitor Windows Event Logs. Configure Sysmon or Windows Audit Policy to log process creation, network connections, and registry modifications. Route logs to a central SIEM or at least review Security and System logs weekly for anomalies.
  7. Implement application whitelisting. Use Windows AppLocker or third-party solutions to permit only approved executables. This prevents arbitrary payloads dropped by BLINDINGCAN from running, even if the initial dropper succeeds.
  8. Conduct regular offline backups. Store critical data on external drives or cloud storage with versioning, and disconnect backup media when not in use. If BLINDINGCAN exfiltrates or encrypts your files, clean backups are your insurance policy.

Our 90-Day Warranty: When Computer Repair Roswell removes BLINDINGCAN or any other malware from your machine, we back our work with a 90-day warranty. If the same threat reappears within that window, we'll re-clean your system at no additional charge. That's our commitment to getting it right the first time.

Bring It In

BLINDINGCAN is not script-kiddie malware—it's a sophisticated espionage tool built and operated by one of the world's most capable threat actors. Manual removal is possible if you catch it early and follow the steps carefully, but the risk of incomplete remediation is high. A single missed registry key or forgotten scheduled task can allow the attackers to re-establish their foothold. Worse, BLINDINGCAN may have already stolen credentials, exfiltrated sensitive documents, or installed additional backdoors before you detected it. Professional forensic analysis is the only way to know for certain what happened and confirm your system is truly clean.

At Computer Repair Roswell, we have the tools, training, and threat intelligence feeds to handle state-sponsored malware. We'll perform a comprehensive scan, remove all traces of BLINDINGCAN and any companion payloads, document what data may have been at risk, and harden your system against re-infection. If you're in the Roswell, Alpharetta, or North Fulton area and you suspect a targeted attack or simply can't shake the feeling something's wrong with your computer, call us at (770) 676-0TMB or stop by our shop. We're here Monday through Saturday, and we'll treat your case with the seriousness it deserves. Don't gamble with espionage-grade threats—let's get your machine clean and your data secure.