Lazarus Group Targets Job Seekers' Cryptocurrency

2024-06-27 Hauri Lazarus Group Targets Job Seekers' Cryptocurrency

https://download.hauri.net/DownSource/down/dwn_detail_down.html?uid=64

Attachments

2024-06-27 [Korean filename garbled in extraction; contains "Lazarus"].pdf (886 KB)

Hauri reports Lazarus activity in which attackers posed as recruiters on LinkedIn and delivered malicious blockchain "job assignment" projects to software developers through GitHub or Bitbucket. The Node.js malware steals cryptocurrency wallet data from browser extensions, sends the stolen data together with the infected PC's name to 23.106.253.209:1244, then downloads Python 3.11 and runs additional Python payloads. The follow-on chain consists of a downloader, a browser infostealer that collects saved logins and credit card data from Chrome, Opera, Brave, Yandex, and Edge, and an InvisibleFerret backdoor that gathers host data, contacts 173.211.106.101:1245, and supports keylogging, file theft, remote control, and AnyDesk installation. The report provides the repository URLs, C2 paths, and hashes for the JavaScript and Python components.

Indicators of Compromise

Type   Value                             First Seen   Last Seen
IPv4   173.211.106.101                   2024-04-25   2025-07-26
IPv4   23.106.253.209                    2024-06-27   2024-10-23
HASH   eec85de2d612684162d5d1399c53b79b  2024-06-27   2024-06-27
HASH   1f5bde988fee6fe37092a0eff5c4b479  2024-06-27   2024-06-27
HASH   05d4f890c5583efc491a6b4e4534a0de  2024-06-27   2024-06-27
HASH   09297dbe3cc2cdf2a9f051e2d4ea9948  2024-06-27   2024-06-27
HASH   4b473dd7f3e432f4eb10cb4e7ba85a98  2024-06-27   2024-06-27
