Lazarus Group Bybit Heist: C2 forensics
2025-03-11 • Validin
https://www.validin.com/blog/bybit_hack_infrastructure_hunt/
Validin pivots from Safe{Wallet}, SlowMist, and Mandiant/Google Cloud indicators tied to the FBI-attributed North Korean Lazarus Group Bybit hack to hunt for related command-and-control infrastructure. The analysis starts from rare host-response traits on the getstockprice[.]com and getstockprice[.]info domains, including Werkzeug/Python Server header values, banner and header hashes, JARM fingerprints, and 404 page title patterns, and uses them to surface additional finance- and crypto-themed domains. Newly surfaced infrastructure includes getcoinprice[.]info, financecap[.]io, en[.]stocksindex[.]org, wfinance[.]org hosts, api[.]stockinfo[.]io, and associated IPs and PTR record patterns observed across late 2024 and early 2025. The value for defenders is a repeatable DNS-history and host-fingerprinting method that narrows infrastructure hunting around a high-impact cryptocurrency theft, with the explicit caveat that a shared fingerprint makes a host a candidate for review, not confirmed actor-controlled infrastructure.
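The fingerprint-and-pivot step described above, as an added illustration that is not code from the Validin post: each host's raw HTTP error response is reduced to a small fingerprint (exact Server header, a hash over the ordered header names, status code, and the 404 page title), the seed's fingerprint is compared against a corpus, and each trait's prevalence in that corpus is reported so that common values (a stock "404 Not Found" title, say) are not mistaken for a rare pivot key. JARM is left out because it needs live TLS handshakes. The hostnames, header values, and responses below are constructed sample data, not captures from the indicators listed on this page.

```python
"""Host-response fingerprinting for infrastructure pivots (added example)."""
from __future__ import annotations

import hashlib
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Fingerprint:
    server: str       # exact Server header value, e.g. "Werkzeug/2.2.2 Python/3.8.10"
    header_hash: str  # sha256 over the ordered, lower-cased header names
    status: int
    title: str        # <title> of the error page, "" if none


def parse_response(raw: bytes) -> tuple[int, list[tuple[str, str]], bytes]:
    """Split a raw HTTP/1.x response into status code, ordered headers and body."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    status = int(lines[0].split(" ", 2)[1])
    headers = []
    for line in lines[1:]:
        name, _, value = line.partition(":")  # first colon only; Date values contain ':'
        headers.append((name.strip().lower(), value.strip()))
    return status, headers, body


def fingerprint(raw: bytes) -> Fingerprint:
    """Reduce one response to the traits used for pivoting."""
    status, headers, body = parse_response(raw)
    server = dict(headers).get("server", "")
    names = "|".join(n for n, _ in headers)  # order matters: it reflects the server stack
    header_hash = hashlib.sha256(names.encode()).hexdigest()[:16]
    m = re.search(rb"<title>(.*?)</title>", body, re.I | re.S)
    title = m.group(1).decode("utf-8", "replace").strip() if m else ""
    return Fingerprint(server, header_hash, status, title)


def pivot(seed: str, corpus: dict[str, bytes], max_prevalence: int = 3):
    """Compare the seed's fingerprint against every host in the corpus.

    Returns (exact matches, partial matches, per-trait prevalence, weak traits).
    Matches are candidates for review, not confirmed actor infrastructure."""
    fps = {h: fingerprint(r) for h, r in corpus.items()}
    seed_fp = fps[seed]
    prevalence = {
        "server": sum(fp.server == seed_fp.server for fp in fps.values()),
        "header_hash": sum(fp.header_hash == seed_fp.header_hash for fp in fps.values()),
        "title": sum(fp.title == seed_fp.title for fp in fps.values()),
    }
    exact = sorted(h for h, fp in fps.items() if h != seed and fp == seed_fp)
    # same Server value and error page, but a different header stack (proxy, CORS, ...)
    partial = sorted(h for h, fp in fps.items()
                     if h != seed and h not in exact
                     and fp.server == seed_fp.server and fp.title == seed_fp.title)
    # a trait shared by many corpus hosts is not a useful pivot key on its own
    weak = [k for k, n in prevalence.items() if n > max_prevalence]
    return exact, partial, prevalence, weak


def _resp(headers: list[tuple[str, str]], title: str) -> bytes:
    """Build a constructed HTTP/1.1 404 response (sample data, not a real capture)."""
    body = (f"<!doctype html>\n<html lang=en>\n<title>{title}</title>\n"
            f"<h1>Not Found</h1>\n").encode()
    fixed = [(k, str(len(body)) if k == "Content-Length" else v) for k, v in headers]
    head = "HTTP/1.1 404 NOT FOUND\r\n" + "".join(f"{k}: {v}\r\n" for k, v in fixed)
    return head.encode() + b"\r\n" + body


# Constructed header templates; the hostnames below are placeholders, not IoCs.
DATE = "Tue, 11 Mar 2025 10:00:00 GMT"
WERKZEUG = [("Server", "Werkzeug/2.2.2 Python/3.8.10"), ("Date", DATE),
            ("Content-Type", "text/html; charset=utf-8"), ("Content-Length", "0"),
            ("Connection", "close")]
NGINX = [("Server", "nginx/1.18.0"), ("Date", DATE), ("Content-Type", "text/html"),
         ("Content-Length", "0"), ("Connection", "close")]
APACHE = [("Date", DATE), ("Server", "Apache/2.4.41 (Ubuntu)"), ("Content-Length", "0"),
          ("Content-Type", "text/html; charset=iso-8859-1"), ("Connection", "close")]
SAMPLES = {
    "seed.example": _resp(WERKZEUG, "404 Not Found"),
    "cand-a.example": _resp(WERKZEUG, "404 Not Found"),
    "cand-b.example": _resp(WERKZEUG + [("Access-Control-Allow-Origin", "*")], "404 Not Found"),
    "cand-c.example": _resp(NGINX, "404 Not Found"),
    "cand-d.example": _resp(APACHE, "404 Not Found"),
}

if __name__ == "__main__":
    exact, partial, prevalence, weak = pivot("seed.example", SAMPLES)
    print("exact:", exact, "partial:", partial)
    print("prevalence:", prevalence, "weak keys:", weak)
```

On the constructed corpus the seed's exact fingerprint is shared only by cand-a, cand-b matches on Server value and error page but carries an extra header, and the "404 Not Found" title is flagged as a weak key because every host in the corpus returns it. Against real scan data the same prevalence check is what separates a Werkzeug/Python server string on a handful of hosts from a trait that thousands of unrelated hosts also exhibit.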
Indicators of Compromise
| Type | Value | First Seen | Last Seen |
|---|---|---|---|
| DOMAIN | getstockprice.com | 2025-03-11 | 2025-12-10 |
| DOMAIN | goingladies.com | 2025-03-11 | 2025-08-06 |
| DOMAIN | trashcrease.com | 2025-03-11 | 2025-08-06 |
| DOMAIN | anglerstatic.com | 2025-03-11 | 2025-08-06 |
| IPv4 | 131.226.2.43 | 2025-03-11 | 2025-08-06 |
| IPv4 | 178.128.77.132 | 2025-03-11 | 2025-08-06 |
| IPv4 | 23.236.169.233 | 2025-03-11 | 2025-08-06 |
| IPv4 | 70.34.245.118 | 2025-03-11 | 2025-08-06 |
| DOMAIN | clubinfo.io | 2025-02-23 | 2025-08-06 |
| DOMAIN | showmanroast.com | 2025-02-23 | 2025-08-06 |
| DOMAIN | getstockprice.info | 2025-02-23 | 2025-08-06 |
| DOMAIN | gossipsnare.com | 2025-02-23 | 2025-08-06 |
| DOMAIN | coreladao.com | 2025-02-23 | 2025-08-06 |
| DOMAIN | replaydreary.com | 2025-02-23 | 2025-08-06 |
| DOMAIN | cdn.clubinfo.io | 2025-02-23 | 2025-08-06 |
| DOMAIN | eclairdomain.com | 2025-02-23 | 2025-08-06 |
| IPv4 | 131.226.2.120 | 2025-02-23 | 2025-08-06 |
| IPv4 | 51.38.145.49 | 2025-02-23 | 2025-08-06 |
| IPv4 | 37.120.247.180 | 2025-02-23 | 2025-08-06 |
| IPv4 | 88.119.175.208 | 2025-02-23 | 2025-08-06 |
| IPv4 | 213.252.232.171 | 2025-02-23 | 2025-08-06 |
| DOMAIN | wfinance.org | 2025-03-11 | 2025-04-14 |
| DOMAIN | stocksindex.org | 2025-03-11 | 2025-04-14 |
| DOMAIN | stockinfo.io | 2025-03-11 | 2025-04-14 |
| DOMAIN | en.stocksindex.org | 2025-03-11 | 2025-04-14 |
| DOMAIN | en.wfinance.org | 2025-03-11 | 2025-04-14 |
| DOMAIN | api.stockinfo.io | 2025-03-11 | 2025-04-14 |
| IPv4 | 136.244.93.248 | 2025-03-11 | 2025-04-14 |
| IPv4 | 195.133.26.32 | 2025-03-11 | 2025-04-14 |
| IPv4 | 5.206.227.51 | 2025-03-11 | 2025-04-14 |
| IPv4 | 185.236.231.224 | 2025-03-11 | 2025-04-14 |
| HASH | d767b3cb0ad66544c649e4165fc4b37… | 2025-03-11 | 2025-03-11 |
| HASH | b21405ce3c3456214ad8fc5263eeabb1 | 2025-03-11 | 2025-03-11 |
| DOMAIN | firexch.com | 2025-03-11 | 2025-03-11 |
| DOMAIN | getcoinprice.info | 2025-03-11 | 2025-03-11 |
| DOMAIN | brown.gallagher-williams.com | 2025-03-11 | 2025-03-11 |
| DOMAIN | castro.smith.com | 2025-03-11 | 2025-03-11 |
| DOMAIN | smith-jones.graham.info | 2025-03-11 | 2025-03-11 |
| DOMAIN | smith.com | 2025-03-11 | 2025-03-11 |
| DOMAIN | gallagher-williams.com | 2025-03-11 | 2025-03-11 |
| DOMAIN | financecap.io | 2025-03-11 | 2025-03-11 |
| IPv4 | 185.194.178.88 | 2025-03-11 | 2025-03-11 |
| IPv4 | 192.248.167.90 | 2025-03-11 | 2025-03-11 |
| IPv4 | 45.86.202.224 | 2025-03-11 | 2025-03-11 |
| IPv4 | 185.69.16.236 | 2025-03-11 | 2025-03-11 |