Cryptocurrency APT Intelligence: Unveiling Lazarus Group’s Intrusion Techniques
2025-02-23 • SlowMist
SlowMist attributes a June 2024 intrusion set against cryptocurrency exchanges to Lazarus Group after forensic work across multiple incidents. The attackers used social engineering against developers, including fake project-team and investment personas, to get employees to run trojanized Python projects such as StockInvestSimulator-main.zip and MonteCarloStockInvestSimulator-main.zip. The payload abused unsafe PyYAML loading for remote code execution, established access on employee devices and Docker environments, then moved through internal services, stole SSH keys, reached wallet servers, and deleted or tampered with logs and samples. SlowMist published representative infrastructure including gossipsnare.com, showmanroast.com, getstockprice.info, eclairdomain.com, replaydreary.com, several IP addresses, GitHub accounts, and a Telegram handle tied to the activity.
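The entry point above was a Python project whose config loading used an unsafe PyYAML loader. The following is an added example, not code from the SlowMist report: a small AST-based screen that flags `yaml.load`/`load_all`/`unsafe_load` calls that can construct arbitrary objects, so a reviewer can check a downloaded project before running it. The sample source it scans is constructed here.

```python
import ast

# Loader classes whose constructors honour python/object-style tags.
# FullLoader is included because it had tag-based RCE bypasses before PyYAML 5.4.
UNSAFE_LOADERS = {"Loader", "UnsafeLoader", "CLoader", "FullLoader", "CFullLoader"}


def _dotted_name(node):
    """Return a 'yaml.load'-style dotted name for a Name/Attribute node, else None."""
    if isinstance(node, ast.Name):
        return node.id
    if isinstance(node, ast.Attribute):
        base = _dotted_name(node.value)
        return f"{base}.{node.attr}" if base else None
    return None


def find_unsafe_yaml_loads(source, filename="<string>"):
    """Return (lineno, reason) tuples for YAML loads that can instantiate objects.
    Limitation: module aliases such as 'import yaml as y' are not resolved."""
    findings = []
    for node in ast.walk(ast.parse(source, filename)):
        if not isinstance(node, ast.Call):
            continue
        name = _dotted_name(node.func)
        if name in ("yaml.unsafe_load", "yaml.unsafe_load_all"):
            findings.append((node.lineno, f"{name} constructs arbitrary objects"))
        elif name in ("yaml.load", "yaml.load_all"):
            loader = None
            for kw in node.keywords:          # Loader=... keyword form
                if kw.arg == "Loader":
                    loader = _dotted_name(kw.value)
            if loader is None and len(node.args) >= 2:   # positional form
                loader = _dotted_name(node.args[1])
            if loader is None:
                findings.append((node.lineno, f"{name} without Loader (FullLoader on PyYAML<6)"))
            elif loader.split(".")[-1] in UNSAFE_LOADERS:
                findings.append((node.lineno, f"{name} with {loader}"))
    return findings


# Constructed sample resembling a config loader in a downloaded Python project.
SAMPLE = '''import yaml
from yaml import SafeLoader
cfg = yaml.load(open("config.yaml"), Loader=yaml.Loader)   # unsafe
ok = yaml.safe_load(open("config.yaml"))                    # safe
ok2 = yaml.load(open("x.yaml"), Loader=SafeLoader)          # safe
bad = yaml.load(open("x.yaml"))                             # no Loader given
'''

if __name__ == "__main__":
    for lineno, reason in find_unsafe_yaml_loads(SAMPLE):
        print(f"line {lineno}: {reason}")
```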
Indicators of Compromise