Lazarus Group is Using the Solana Blockchain as a Dead-Drop C2 Channel -- and Nobody Noticed for 4 Months
2026-03-16 • Break Glass Intelligence
A Node.js stage-one dropper, attributed by the source to Lazarus Group's TraderTraitor sub-cluster, uses Solana transaction memos as a dead-drop resolver for rotating C2 infrastructure. The malware queries a specific Solana wallet through the public mainnet RPC API, extracts the latest memo, decodes a base64-encoded URL from it, and fetches an AES-encrypted second-stage payload whose IV and key are supplied in the HTTP response headers. The campaign is described as targeting macOS-first Solana developers through malicious npm postinstall scripts, with a 120-second anti-sandbox delay before beaconing and a beacon limiter stored in ~/init.json. The source reports 51 memo transactions and seven Vultr VPS nodes observed over roughly four months; during live probing, a 20-byte kill-switch response caused the dropper to exit.
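Detection for the sequence described above, as an added example that is not code from the report or from the malware: the Solana RPC host is a legitimate endpoint that the targeted developers use all day, so the rule keys on one process querying it and then, within a short window, fetching from the Vultr-hosted stage-two domain named in the report. The log schema, hostnames under vultrusercontent.com and the correlation window are assumed or constructed, not taken from the report.

```python
import json
from datetime import datetime, timedelta

RPC_HOST = "api.mainnet-beta.solana.com"  # public RPC named in the report; benign on its own
STAGE_DOMAIN = "vultrusercontent.com"     # hosting domain named in the report
WINDOW = timedelta(minutes=5)             # assumed correlation window, not from the report
KILL_SWITCH_LEN = 20                      # size of the kill-switch reply the report describes

# Constructed sample network events (hypothetical EDR/proxy schema, not real telemetry).
SAMPLE_LOG = """\
{"ts":"2026-03-16T10:00:00Z","host":"dev-mac-01","pid":4242,"proc":"node","dest":"api.mainnet-beta.solana.com","bytes_in":1830}
{"ts":"2026-03-16T10:02:05Z","host":"dev-mac-01","pid":4242,"proc":"node","dest":"stage.vultrusercontent.com","bytes_in":20}
{"ts":"2026-03-16T10:00:10Z","host":"dev-mac-02","pid":911,"proc":"node","dest":"api.mainnet-beta.solana.com","bytes_in":2400}
{"ts":"2026-03-16T10:30:00Z","host":"dev-mac-02","pid":912,"proc":"curl","dest":"img.vultrusercontent.com","bytes_in":51200}
"""

def parse_events(text):
    """Parse JSON-lines events and sort them by timestamp."""
    events = []
    for line in text.splitlines():
        if line.strip():
            e = json.loads(line)
            e["ts"] = datetime.fromisoformat(e["ts"].replace("Z", "+00:00"))
            events.append(e)
    return sorted(events, key=lambda e: e["ts"])

def in_domain(dest, domain):
    """True if dest is the domain itself or a subdomain of it (no substring matches)."""
    return dest == domain or dest.endswith("." + domain)

def detect_dead_drop_sequence(events, window=WINDOW):
    """Alert when the same process calls the Solana RPC and then fetches from the
    stage-two domain within `window`. Either event alone is routine developer traffic."""
    last_rpc = {}  # (host, pid) -> timestamp of that process's most recent RPC call
    alerts = []
    for e in events:
        key = (e["host"], e["pid"])
        if e["dest"] == RPC_HOST:
            last_rpc[key] = e["ts"]
        elif in_domain(e["dest"], STAGE_DOMAIN):
            t0 = last_rpc.get(key)
            if t0 is not None and e["ts"] - t0 <= window:
                alerts.append({
                    "host": e["host"], "pid": e["pid"], "proc": e["proc"],
                    "rpc_at": t0.isoformat(), "fetch": e["dest"],
                    # a 20-byte reply matches the kill-switch size seen during live probing
                    "kill_switch_sized": e["bytes_in"] == KILL_SWITCH_LEN,
                })
    return alerts
```

The second host in the sample shows the caveat: its RPC call and its later Vultr fetch come from different processes half an hour apart, so no alert fires.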
Indicators of Compromise