Hunting Lazarus: Inside the Contagious Interview C2 Infrastructure
2026-01-12 • Red Asgard
https://redasgard.com/blog/hunting-lazarus-contagious-interview-c2-infrastructure
Red Asgard maps active Lazarus Group infrastructure discovered while vetting a cryptocurrency Upwork project containing Contagious Interview-style malware. The repository used VS Code auto-execution, a malicious npm dependency, and backend Function.constructor execution to reach Vercel-hosted Stage 1 servers before pulling modular payloads from dedicated C2 hosts. The investigation identifies infrastructure such as task-hrec.vercel.app, kb102531x.vercel.app, brantwork.vercel.app, 147.124.213.232, 147.124.212.125, 216.250.251.87, 66.235.168.238, and 45.59.163.55. Deobfuscation exposed a Python backdoor with Tsunami-style remote access, XMRig mining, scheduled-task persistence, Defender exclusions, Pastebin dead drops, and a custom XOR-encoded binary protocol on Z238. The reporting is significant because it documents both developer-targeted infection vectors and live operator responses such as rate limiting, service shutdowns, and payload rotation.
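The three developer-side vectors named above (a VS Code task that runs on folder open, an npm dependency with lifecycle hooks or an off-registry source, and backend `Function.constructor` execution) can all be spotted before a project is ever opened or installed. The following repository scanner is an added example written for this page, not code from Red Asgard's post or from the malicious project; the file layout it checks (`.vscode/tasks.json`, `package.json`, JS/TS sources) is the usual one, and the sample repository it builds is constructed.

```python
import json, re, tempfile
from pathlib import Path

DYNAMIC_EXEC = re.compile(r"Function\s*\.\s*constructor|new\s+Function\s*\(")

def scan_repo(root):
    """Return (vector, relative path, detail) tuples for every hit under root."""
    root, findings = Path(root), []
    for path in root.rglob("*"):
        if not path.is_file() or "node_modules" in path.parts:
            continue
        rel, text = str(path.relative_to(root)), path.read_text(errors="ignore")
        if path.parent.name == ".vscode" and path.name == "tasks.json":
            # tasks.json is often JSONC, so match the key textually instead of parsing it
            if re.search(r'"runOn"\s*:\s*"folderOpen"', text):
                findings.append(("vscode-autorun", rel, "task runs on folderOpen"))
        elif path.name == "package.json":
            try:
                pkg = json.loads(text)
            except ValueError:
                pkg = {}
            for hook in ("preinstall", "install", "postinstall", "prepare"):
                if hook in pkg.get("scripts", {}):
                    findings.append(("npm-hook", rel, f"{hook}: {pkg['scripts'][hook]}"))
            for dep, spec in pkg.get("dependencies", {}).items():
                if re.match(r"^(https?:|git\+|git:|github:|file:)", str(spec)):
                    findings.append(("npm-offregistry", rel, f"{dep} -> {spec}"))
        elif path.suffix in (".js", ".mjs", ".cjs", ".ts"):
            for n, line in enumerate(text.splitlines(), 1):
                if DYNAMIC_EXEC.search(line):
                    findings.append(("dynamic-exec", rel, f"line {n}: {line.strip()}"))
    return findings

def build_sample_repo():
    """Constructed sample repository (not the project from the report) for a dry run."""
    root = Path(tempfile.mkdtemp(prefix="repo-scan-"))
    (root / ".vscode").mkdir()
    (root / ".vscode" / "tasks.json").write_text(json.dumps({"version": "2.0.0", "tasks": [
        {"label": "setup", "type": "shell", "command": "npm install",
         "runOptions": {"runOn": "folderOpen"}}]}))
    (root / "package.json").write_text(json.dumps({"name": "demo", "scripts": {
        "postinstall": "node setup.js", "test": "jest"}, "dependencies": {
        "express": "^4.18.0", "helper-lib": "https://example.invalid/helper.tgz"}}))
    (root / "server.js").write_text("const body = JSON.parse(req.body);\n"
                                    "const run = Function.constructor('cfg', body.code);\n")
    return root

if __name__ == "__main__":
    for vector, rel, detail in scan_repo(build_sample_repo()):
        print(f"[{vector}] {rel}: {detail}")
```

Run it against a clone with `scan_repo("/path/to/clone")` before opening the folder in VS Code or running `npm install`; an empty result is not proof of safety, only the absence of these three tells.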
Indicators of Compromise
| Type | Value | First Seen | Last Seen |
|---|---|---|---|
| IPv4 | 147.124.213.232 | 2026-01-12 | 2026-02-26 |
| IPv4 | 216.250.251.87 | 2026-01-12 | 2026-02-26 |
| IPv4 | 45.59.163.55 | 2026-01-12 | 2026-02-26 |
| IPv4 | 66.235.168.238 | 2026-01-12 | 2026-02-15 |
| IPv4 | 45.43.11.199 | 2026-01-12 | 2026-02-04 |
| IPv4 | 147.124.212.125 | 2026-01-12 | 2026-02-03 |
| HASH | 40b59567a2b580f1952dadae5dd5868… | 2026-01-12 | 2026-01-12 |
| URL | https://pastebin.com/u/HolesGar… | 2026-01-12 | 2026-01-12 |
| URL | https://pastebin.com/u/KerrWhal… | 2026-01-12 | 2026-01-12 |
| URL | https://pastebin.com/u/CrackEde… | 2026-01-12 | 2026-01-12 |
| IPv4 | 66.235.63.55 | 2026-01-12 | 2026-01-12 |