APT Lazarus: Eager Crypto Beavers, Video calls and Games
2024-09-04 • Group-IB
Group-IB tracks Lazarus activity in the Contagious Interview campaign, where developers and blockchain professionals are approached through job platforms and moved to Telegram before being asked to run fake interview tasks or conferencing software. The infection chain uses trojanized Node.js projects, malicious JavaScript, and fraudulent video-call applications such as FCCCall to deliver BeaverTail and the Python backdoor InvisibleFerret. The Windows BeaverTail variant collects browser credentials, keychain data, and cryptocurrency wallet extension files, stages them under a hidden local directory, and uploads them to C2 endpoints before downloading further payloads. The report also notes active development, expanded wallet-extension targeting, use of AnyDesk for unattended access, and infrastructure overlap with earlier fake MiroTalk activity, making the campaign relevant for developer, crypto, and software-supply-chain defenses.
Indicators of Compromise