Lazarus' Espionage-related Cryptocurrency Activities Remain Active, With A Significant Amount of Assets Still in Circulation
2024-10-23 • ThreatBook
ThreatBook reports that Lazarus continues to run cryptocurrency-theft operations built on fake job offers and project opportunities pushed through LinkedIn, X, Facebook, GitHub, Stack Overflow, and similar recruiter channels. Targets are steered toward malicious cryptocurrency projects or counterfeit video-conferencing software such as a forged FCCCall installer, which displays a legitimate-looking conference window while launching a Qt6-based stealer. The Windows sample connects to 185.235.241[.]208:1224, uploads browser wallet data, downloads a Python runtime together with main99.py, and then fetches further payloads for host reconnaissance, file theft, browser credential theft, clipboard and window monitoring, keylogging, shell access, and AnyDesk configuration. ThreatBook notes that Lazarus relies on lightweight Python and JavaScript tooling across Windows, Linux, and macOS; the infrastructure was still active at publication, and the IOCs below remain usable for detection.
Indicators of Compromise
| Type | Value | First Seen | Last Seen |
|---|---|---|---|
| IPv4 | 95.164.17.24 | 2024-07-15 | 2026-04-01 |
| IPv4 | 147.124.214.129 | 2024-05-10 | 2026-02-03 |
| IPv4 | 67.203.7.163 | 2024-10-23 | 2026-01-21 |
| IPv4 | 23.106.70.154 | 2024-10-23 | 2026-01-21 |
| IPv4 | 147.124.214.237 | 2024-05-10 | 2026-01-21 |
| IPv4 | 147.124.214.131 | 2024-04-25 | 2026-01-21 |
| IPv4 | 23.106.253.215 | 2024-10-23 | 2025-11-13 |
| IPv4 | 172.86.98.240 | 2024-09-04 | 2025-11-13 |
| IPv4 | 23.106.253.194 | 2024-09-04 | 2025-11-13 |
| IPv4 | 185.235.241.208 | 2024-08-13 | 2025-11-13 |
| IPv4 | 147.124.212.146 | 2024-05-10 | 2025-11-13 |
| IPv4 | 67.203.7.171 | 2024-05-10 | 2025-11-13 |
| IPv4 | 147.124.212.89 | 2023-12-12 | 2025-11-13 |
| IPv4 | 166.88.132.39 | 2024-10-23 | 2025-10-20 |
| HASH | 6a104f07ab6c5711b6bc8bf6ff956ab… | 2024-10-23 | 2025-07-26 |
| IPv4 | 173.211.106.101 | 2024-04-25 | 2025-07-26 |
| IPv4 | 45.61.131.218 | 2024-05-10 | 2025-02-20 |
| DOMAIN | freeconference.com | 2024-10-23 | 2025-02-13 |
| IPv4 | 45.140.147.208 | 2024-09-04 | 2025-01-20 |
| HASH | 8ebca0b7ef7dbfc14da3ee39f478e880 | 2024-08-13 | 2025-01-20 |
| HASH | 9abf6b93eafb797a3556bea1fe8a3b7… | 2024-07-15 | 2025-01-01 |
| HASH | f474c840501076b1aceba06e1376cee… | 2024-10-23 | 2024-10-23 |
| HASH | dfb8c0525681d6fa8f65bbd62293c61… | 2024-10-23 | 2024-10-23 |
| HASH | 8a23dd86da0aff9b460b8ebc9dd3e89… | 2024-10-23 | 2024-10-23 |
| HASH | 5b70972c72bf8af098350f8a53ec830… | 2024-10-23 | 2024-10-23 |
| HASH | c73e3fdfeb574497c70e4a73a3dabe0… | 2024-10-23 | 2024-10-23 |
| HASH | 04cc30ea566af31abc2fdced5f9503a… | 2024-10-23 | 2024-10-23 |
| HASH | 247b10932d52c9a66ef073b7bc44618… | 2024-10-23 | 2024-10-23 |
| HASH | 6156127355d8016c8e741de98ee4ef2… | 2024-10-23 | 2024-10-23 |
| HASH | bbad95905eb7a2b62685da98ba46aa3… | 2024-10-23 | 2024-10-23 |
| HASH | 7f1f51d216e621ed4fd9f5346044685… | 2024-10-23 | 2024-10-23 |
| HASH | 5209782555a10ee0a301faf1eff6982… | 2024-10-23 | 2024-10-23 |
| HASH | b5aa25da526121df9c520b622bfde52… | 2024-10-23 | 2024-10-23 |
| HASH | fca6351f0a913e3ca9df5cb0e0d5c0a… | 2024-10-23 | 2024-10-23 |
| HASH | 94076a58c29d7e7f8b5f61739ab85ad… | 2024-10-23 | 2024-10-23 |
| HASH | 5f002c34ff4549dc73e648f0f6b487e… | 2024-10-23 | 2024-10-23 |
| DOMAIN | hirog.io | 2024-10-23 | 2024-10-23 |
| IPv4 | 23.254.244.242 | 2024-10-23 | 2024-10-23 |
| IPv4 | 147.124.213.17 | 2024-10-23 | 2024-10-23 |
| IPv4 | 67.203.6.171 | 2024-10-23 | 2024-10-23 |
| IPv4 | 67.203.0.152 | 2024-10-23 | 2024-10-23 |
| IPv4 | 172.86.100.168 | 2024-10-23 | 2024-10-23 |
| IPv4 | 144.172.74.108 | 2024-10-23 | 2024-10-23 |
| IPv4 | 45.61.169.99 | 2024-10-23 | 2024-10-23 |
| IPv4 | 45.61.158.7 | 2024-10-23 | 2024-10-23 |
| IPv4 | 45.61.158.54 | 2024-10-23 | 2024-10-23 |
| IPv4 | 140.99.223.36 | 2024-10-23 | 2024-10-23 |
| IPv4 | 135.181.242.24 | 2024-10-23 | 2024-10-23 |
| IPv4 | 167.88.164.29 | 2024-10-23 | 2024-10-23 |
| IPv4 | 46.4.224.205 | 2024-10-23 | 2024-10-23 |
| IPv4 | 45.89.53.59 | 2024-10-23 | 2024-10-23 |
| HASH | 5cce14436b3ae5315feec2e12ce6121… | 2024-10-15 | 2024-10-23 |
| HASH | 9ece783ac52c9ec2f6bdfa669763a7e… | 2024-10-09 | 2024-10-23 |
| HASH | b8e69d6a766b9088d650e850a638d7a… | 2024-09-04 | 2024-10-23 |
| HASH | 000b4a77b1905cabdb59d2b576f6da1… | 2024-09-04 | 2024-10-23 |
| HASH | 36cac29ff3c503c2123514ea903836d… | 2024-09-04 | 2024-10-23 |
| HASH | 0621d37818c35e2557fdd8a729e50ea… | 2024-09-04 | 2024-10-23 |
| HASH | a87b6664b718a9985267f9670e10339… | 2024-09-04 | 2024-10-23 |
| IPv4 | 67.203.123.171 | 2024-07-31 | 2024-10-23 |
| IPv4 | 77.37.37.81 | 2024-07-31 | 2024-10-23 |
| IPv4 | 23.106.253.209 | 2024-06-27 | 2024-10-23 |
| IPv4 | 91.92.120.135 | 2024-05-10 | 2024-10-23 |
| IPv4 | 67.203.7.245 | 2024-05-10 | 2024-10-23 |
| IPv4 | 172.86.97.80 | 2024-05-10 | 2024-10-23 |
| IPv4 | 147.124.213.29 | 2024-05-10 | 2024-10-23 |
| IPv4 | 147.124.213.11 | 2024-05-10 | 2024-10-23 |
| HASH | 6465f7ddc9cf8ab6714cbbd49e1fd47… | 2023-11-21 | 2024-10-23 |
| IPv4 | 144.172.79.23 | 2023-11-21 | 2024-10-23 |
| IPv4 | 167.88.168.24 | 2023-11-21 | 2024-10-23 |
| IPv4 | 45.61.169.187 | 2023-11-21 | 2024-10-23 |
| IPv4 | 167.88.168.152 | 2023-11-21 | 2024-10-23 |
| IPv4 | 144.172.74.48 | 2023-11-21 | 2024-10-23 |
| IPv4 | 45.61.160.14 | 2023-11-21 | 2024-10-23 |
| IPv4 | 172.86.123.35 | 2023-11-21 | 2024-10-23 |
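The following Python script is an added example, not ThreatBook's code or tooling. It parses a few rows copied from the IOC table above, refangs the bracketed notation used in the summary (185.235.241[.]208), and matches the indicators against constructed proxy, DNS and EDR log lines of the kind the infection chain described above would leave behind. The log lines, the file names in them, and the hash on the fourth line are made up for illustration. Rows whose hash the page truncates with "…" can only be prefix-matched, so those hits are reported as prefix-only and need the full hash from the original report before they are used to block or escalate; domain hits are likewise worth checking against expected business traffic before blocking, since lure domains can overlap with the brands they imitate.

```python
"""Match the ThreatBook IOC table against sample telemetry.

Added example, not ThreatBook's code or tooling. The IOC rows are copied
from the table above; the telemetry lines are constructed for illustration.
"""
import re
from dataclasses import dataclass

# Excerpt of the IOC table above, in its markdown form. The page truncates most
# hash values with "…", so those rows can only ever give a prefix match.
IOC_TABLE = """\
| Type | Value | First Seen | Last Seen |
|---|---|---|---|
| IPv4 | 185.235.241.208 | 2024-08-13 | 2025-11-13 |
| DOMAIN | hirog.io | 2024-10-23 | 2024-10-23 |
| DOMAIN | freeconference.com | 2024-10-23 | 2025-02-13 |
| HASH | 8ebca0b7ef7dbfc14da3ee39f478e880 | 2024-08-13 | 2025-01-20 |
| HASH | 6a104f07ab6c5711b6bc8bf6ff956ab… | 2024-10-23 | 2025-07-26 |
"""

# Constructed telemetry, not real logs. Line 3 pairs the page's full MD5 with a
# made-up file name; line 4 carries a made-up 32-hex value that merely starts
# with the page's truncated prefix, to show why truncated rows are weaker evidence.
SAMPLE_TELEMETRY = [
    "2024-10-23T10:14:02Z proxy src=10.0.5.12 dst=185.235.241[.]208:1224 method=POST bytes=48211",
    "2024-10-23T10:14:05Z dns query=hirog.io type=A client=10.0.5.12",
    r"2024-10-23T10:15:40Z edr file=C:\Users\dev\Downloads\installer.exe md5=8EBCA0B7EF7DBFC14DA3EE39F478E880",
    r"2024-10-23T10:16:01Z edr file=C:\Users\dev\AppData\Local\Temp\x.bin md5=6a104f07ab6c5711b6bc8bf6ff956abc",
    "2024-10-23T10:20:00Z dns query=github.com type=A client=10.0.5.12",
]

IP_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
HOST_RE = re.compile(r"\b[a-z0-9][a-z0-9.-]*\.[a-z]{2,}\b", re.I)
HASH_RE = re.compile(r"\b[0-9a-f]{32}(?:[0-9a-f]{8}|[0-9a-f]{32})?\b", re.I)  # MD5 / SHA-1 / SHA-256


@dataclass(frozen=True)
class Ioc:
    kind: str       # IPv4, DOMAIN or HASH, as in the table's Type column
    value: str      # refanged and lower-cased
    partial: bool   # True when the page shows the value truncated with "…"


def refang(text: str) -> str:
    """Undo common defanging (185.235.241[.]208, hxxp://) so values compare equal."""
    return re.sub(r"\[\.\]|\(\.\)|\{\.\}", ".", text).replace("hxxp", "http")


def parse_ioc_table(markdown: str) -> list[Ioc]:
    """Read Type/Value pairs out of the markdown table, skipping header rows."""
    iocs = []
    for line in markdown.splitlines():
        cells = [c.strip() for c in line.strip().strip("|").split("|")]
        if len(cells) < 2 or cells[0] in ("Type", "---"):
            continue
        kind, raw = cells[0], cells[1]
        partial = raw.endswith("…") or raw.endswith("...")
        value = refang(raw.rstrip("….")).lower()
        iocs.append(Ioc(kind, value, partial))
    return iocs


def scan_line(line: str, iocs: list[Ioc]) -> list[tuple[str, str, str]]:
    """Return (kind, ioc_value, quality) for every IOC that appears in one line."""
    line = refang(line)
    ips = set(IP_RE.findall(line))
    hosts = {h.lower() for h in HOST_RE.findall(line)}
    hashes = {h.lower() for h in HASH_RE.findall(line)}
    hits = []
    for ioc in iocs:
        if ioc.kind == "IPv4" and ioc.value in ips:
            hits.append((ioc.kind, ioc.value, "exact"))
        elif ioc.kind == "DOMAIN" and any(
            h == ioc.value or h.endswith("." + ioc.value) for h in hosts
        ):
            # Subdomains of a listed domain count; a listed domain used as a
            # prefix of an unrelated host (hirog.io.example.test) does not.
            hits.append((ioc.kind, ioc.value, "exact"))
        elif ioc.kind == "HASH":
            for h in hashes:
                if ioc.partial and h.startswith(ioc.value):
                    hits.append((ioc.kind, ioc.value, "prefix-only"))
                elif not ioc.partial and h == ioc.value:
                    hits.append((ioc.kind, ioc.value, "exact"))
    return hits


def scan_telemetry(lines: list[str], iocs: list[Ioc]) -> list[tuple[int, str, str, str]]:
    """Scan every line; prefix-only hits need the full hash before they are actionable."""
    return [(i, *hit) for i, line in enumerate(lines) for hit in scan_line(line, iocs)]


if __name__ == "__main__":
    for idx, kind, value, quality in scan_telemetry(SAMPLE_TELEMETRY, parse_ioc_table(IOC_TABLE)):
        print(f"line {idx}: {kind} {value} ({quality})")
```

Run against the constructed lines, the script reports the C2 address on port 1224, the hirog.io lookup, an exact match on the one full MD5 the page gives, and a prefix-only match on the truncated row; the github.com lookup produces nothing. Swapping the excerpt for the whole table and the sample list for real proxy, DNS and EDR exports is all that is needed to use it on production data.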