
Hunting Lazarus: Inside the Contagious Interview C2 Infrastructure

Medium
Published: Thu Jan 15 2026 (01/15/2026, 15:25:29 UTC)
Source: AlienVault OTX General

Description

North Korean malware was discovered in an Upwork cryptocurrency project, leading to a five-day investigation into active Lazarus Group infrastructure. The malware used three infection mechanisms: VSCode auto-execution, backend RCE via the JavaScript Function constructor, and cookie payload delivery. The infrastructure included Vercel-hosted Stage 1 C2 servers and dedicated Stage 2 C2 servers. A timing oracle allowed token enumeration, revealing three active campaigns. The payload chain consisted of modules for data extraction, RAT functionality, and cryptocurrency mining. The investigation uncovered sophisticated persistence mechanisms, masquerading techniques, and a custom binary protocol. Real-time defensive responses from the operators were observed during reconnaissance. The infrastructure blended legitimate-looking development projects with malicious activity for cover.

AI-Powered Analysis

Last updated: 01/15/2026, 16:03:00 UTC

Technical Analysis

This threat involves a North Korean state-sponsored Lazarus Group malware campaign discovered through an investigation triggered by a malicious Upwork cryptocurrency project. The malware uses three infection mechanisms: automatic execution within Visual Studio Code environments, backend remote code execution exploiting JavaScript's Function Constructor, and payload delivery via browser cookies. The attackers established a two-stage command-and-control infrastructure, with Stage 1 servers hosted on Vercel, a popular cloud platform for frontend deployments, and Stage 2 servers dedicated to further command and control. A timing oracle vulnerability in the infrastructure enabled enumeration of authentication tokens, revealing three concurrent active campaigns. The malware payload chain is modular, including components for data extraction, RAT functionality enabling remote control of infected hosts, and cryptocurrency mining using tools like XMRig. The attackers employ sophisticated persistence mechanisms (e.g., scheduled tasks), masquerading techniques to blend with legitimate processes, and a custom binary protocol for C2 communications to avoid detection. During threat hunting and reconnaissance, operators actively defended their infrastructure, indicating a high level of operational security and adaptability. The campaign leverages legitimate-looking development projects and supply chain vectors to mask malicious activity, complicating detection efforts. While no CVE or known exploits in the wild are currently reported, the campaign's complexity and targeting of cryptocurrency and supply chain sectors pose significant risks.

Potential Impact

European organizations involved in software development, cryptocurrency trading, or supply chain management are at risk of infection through this malware. The use of VSCode auto-execution and backend RCE indicates that developers and CI/CD pipelines could be targeted, potentially leading to widespread compromise of development environments and software supply chains. Data exfiltration and RAT capabilities threaten confidentiality and integrity of sensitive corporate and personal data. Cryptocurrency mining modules could degrade system performance and increase operational costs. The sophisticated persistence and masquerading techniques make detection and removal difficult, increasing dwell time and potential damage. Real-time operator defensive actions suggest attackers can adapt quickly to defensive measures, complicating incident response. The use of cloud platforms like Vercel for C2 infrastructure means that organizations relying on cloud services may face indirect exposure. The threat could disrupt business operations, damage reputation, and cause financial losses, especially for firms with cryptocurrency assets or those heavily reliant on software development workflows.

Mitigation Recommendations

1. Implement strict code execution policies in development environments, particularly restricting VSCode auto-execution features and extensions.
2. Harden backend systems against JavaScript injection and remote code execution by validating and sanitizing all inputs, and employing runtime application self-protection (RASP) tools.
3. Monitor and restrict cookie payload delivery mechanisms and inspect cookies for anomalous content.
4. Conduct thorough network monitoring to detect communications with known malicious IPs associated with this campaign (e.g., 147.124.212.125, 147.124.213.232, 216.250.251.87, etc.).
5. Employ endpoint detection and response (EDR) solutions capable of identifying custom binary protocols and unusual persistence mechanisms such as scheduled tasks or masquerading processes.
6. Audit and secure supply chain components, including third-party development projects and cloud-hosted services like Vercel, to detect and prevent malicious code injection.
7. Use threat intelligence feeds to update detection signatures with the provided file hashes and IoCs.
8. Train developers and security teams to recognize social engineering tactics and suspicious project proposals on freelance platforms like Upwork.
9. Implement multi-factor authentication and strict access controls to limit lateral movement if initial compromise occurs.
10. Establish incident response playbooks tailored to advanced persistent threats with real-time operator interaction.
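As an added illustration of recommendations 1 and 2 (example code written for this page, not from the OTX pulse or the Red Asgard write-up), the following Python check can be run over a freshly cloned freelance project before it is opened in an editor. It assumes the "VSCode auto-execution" the description refers to is a tasks.json task with `runOptions.runOn: "folderOpen"` (the page does not name the feature), and it flags JavaScript lines that call the Function constructor or eval, the dynamic-code sink the description names as the backend RCE mechanism.

```python
import json
import re

# VS Code tasks.json is JSONC: strip // line comments and trailing commas before parsing.
_COMMENT_RE = re.compile(r"^\s*//.*$", re.MULTILINE)
_TRAILING_COMMA_RE = re.compile(r",(\s*[}\]])")
# Dynamic-code sinks: the Function constructor the pulse names, plus eval as its twin.
_SINK_RE = re.compile(r"\b(new\s+Function|Function|eval)\s*\(")

def vscode_autorun_tasks(tasks_json_text: str) -> list[str]:
    """Labels of tasks VS Code runs on folder open (runOptions.runOn == "folderOpen")."""
    cleaned = _TRAILING_COMMA_RE.sub(r"\1", _COMMENT_RE.sub("", tasks_json_text))
    try:
        doc = json.loads(cleaned)
    except json.JSONDecodeError:
        return ["<unparseable tasks.json>"]  # unparseable is a finding, not a pass
    return [str(t.get("label", "<unnamed>")) for t in doc.get("tasks", [])
            if (t.get("runOptions") or {}).get("runOn") == "folderOpen"]

def dynamic_code_sinks(js_source: str) -> list[tuple[int, str]]:
    """(line number, stripped line) for every line that calls a dynamic-code sink."""
    return [(n, line.strip()) for n, line in enumerate(js_source.splitlines(), 1)
            if _SINK_RE.search(line)]

def scan_project(files: dict[str, str]) -> dict[str, list]:
    """Apply both checks to a {relative path: contents} map; keep only non-empty hits."""
    findings = {}
    for rel, text in files.items():
        if rel.replace("\\", "/").endswith(".vscode/tasks.json"):
            findings[rel] = vscode_autorun_tasks(text)
        elif rel.endswith((".js", ".cjs", ".mjs", ".ts")):
            findings[rel] = dynamic_code_sinks(text)
    return {rel: hits for rel, hits in findings.items() if hits}

# Constructed sample project (not from the pulse) so the module runs stand-alone.
SAMPLE_PROJECT = {
    ".vscode/tasks.json": """{
      // runs as soon as the folder is opened, before anyone reads the code
      "version": "2.0.0",
      "tasks": [
        {"label": "install deps", "type": "shell", "command": "node ./setup.js",
         "runOptions": {"runOn": "folderOpen"},},
        {"label": "build", "type": "shell", "command": "npm run build"}]}""",
    "setup.js": "const body = fetchStage();\nnew Function(body)();\n",
    "src/app.js": "export const someFunction = () => 1;\n",
}

if __name__ == "__main__":
    for path, hits in scan_project(SAMPLE_PROJECT).items():
        print(path, hits)
```

To use it on a real checkout, build the `files` map from a directory walk that skips `node_modules`; any hit should block opening the folder in VS Code until the task or sink has been reviewed by hand.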


Technical Details

Author: AlienVault
TLP: white
References: https://redasgard.com/blog/hunting-lazarus-contagious-interview-c2-infrastructure
Adversary: Lazarus Group
Pulse Id: 696906e9a75ab32473305b6d
Threat Score: null

Indicators of Compromise

| Type | Value |
| --- | --- |
| hash | 40b59567a2b580f1952dadae5dd586895b2316e590b84842f89aed1675f2d707 |
| ip | 147.124.212.125 |
| ip | 147.124.213.232 |
| ip | 216.250.251.87 |
| ip | 45.43.11.199 |
| ip | 45.59.163.55 |
| ip | 66.235.168.238 |
| ip | 66.235.63.55 |

Threat ID: 69690c3d4c611209ad343777

Added to database: 1/15/2026, 3:48:13 PM

Last enriched: 1/15/2026, 4:03:00 PM

Last updated: 1/15/2026, 7:28:42 PM

