Racket Downloader

Racket Downloader is a Windows loader operated by Lazarus Group that fetches payloads over HTTP(S).

Background

Racket Downloader retrieves payloads over HTTP(S). It relies on a bespoke substitution cipher to decode its embedded strings and uses RC5 with a 256-bit key to protect its network communications. Its HTTP POST requests carry a telltale value that gave the malware its name, such as "?product_field=racket" or "prd_fld=racket". The downloader was used against South Korean victims running Initech's INISAFE CrossWeb EX software during Q2 2021 and Q1 2022.
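A defender-side check for the telltale POST parameter described above, written as an added example for this entry (it is not code from Malpedia or from the malware itself). The tab-separated proxy log format and the sample lines are constructed for illustration; the parameter names and the value "racket" are the ones quoted in the entry.

```python
from urllib.parse import urlsplit, parse_qs

# (parameter name, value) pairs the entry lists as the telltale in Racket Downloader POSTs
RACKET_MARKERS = {("product_field", "racket"), ("prd_fld", "racket")}


def find_racket_marker(method: str, url: str, body: str = ""):
    """Return the matching parameter name (lower-cased), or None.

    Only POST requests are considered, matching the entry. The marker is
    looked for both in the URL query string ("?product_field=racket") and in
    a form-encoded body ("prd_fld=racket"), since the entry shows both forms.
    """
    if method.upper() != "POST":
        return None
    for raw in (urlsplit(url).query, body):
        for name, values in parse_qs(raw, keep_blank_values=True).items():
            for value in values:
                if (name.lower(), value.lower()) in RACKET_MARKERS:
                    return name.lower()
    return None


def scan_proxy_log(lines):
    """Scan tab-separated proxy log lines (assumed columns: time, src, method,
    url, body) and return (src, url, marker) for each hit; malformed lines are skipped."""
    hits = []
    for line in lines:
        fields = line.rstrip("\n").split("\t")
        if len(fields) < 4:
            continue
        _ts, src, method, url = fields[:4]
        body = fields[4] if len(fields) > 4 else ""
        marker = find_racket_marker(method, url, body)
        if marker:
            hits.append((src, url, marker))
    return hits


# Constructed sample log lines (not real traffic); hosts and addresses are placeholders
SAMPLE_LOG = [
    "2022-02-01T10:00:01\t10.0.0.5\tGET\thttp://example.test/index.html\t",
    "2022-02-01T10:00:02\t10.0.0.5\tPOST\thttp://example.test/update.php?product_field=racket\tid=1",
    "2022-02-01T10:00:03\t10.0.0.7\tPOST\thttp://example.test/api/check\tprd_fld=racket&v=2",
    "2022-02-01T10:00:04\t10.0.0.9\tPOST\thttp://example.test/login\tuser=a&pass=b",
    "2022-02-01T10:00:05\t10.0.0.9\tGET\thttp://example.test/?prd_fld=racket\t",
]

if __name__ == "__main__":
    for src, url, marker in scan_proxy_log(SAMPLE_LOG):
        print(f"{src} -> {url} (marker: {marker})")
```

The GET request on the last sample line is deliberately not flagged, because the entry ties the marker to POST requests; widen the method check if your telemetry suggests otherwise.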


Source: Malpedia (Fraunhofer FKIE).