Operation 99: North Korea’s Cyber Assault on Software Developers

2025-01-15 SecurityScorecard

https://securityscorecard.com/blog/operation-99-north-koreas-cyber-assault-on-software-developers/

Attachments

Report_011325_Strike_Operation99.pdf (5 MB)

SecurityScorecard attributes Operation 99 to Lazarus Group and says it targets developers seeking freelance Web3 and cryptocurrency work. Fake recruiters on LinkedIn direct victims to clone malicious GitLab repositories under the pretext of project tests or code reviews; the cloned code then contacts C2 servers and installs malware in the developer environment. The toolset includes Main99 downloaders, Payload99 and Payload73 implants, and MCLIP for keyboard and clipboard monitoring, with variants built for Windows, macOS, and Linux. The malware can collect system details, browser credentials, clipboard data, API keys, source code, and cryptocurrency wallet material, supporting North Korea's financially motivated developer-targeting operations.
