Threats Tagged 'lazarus'

The Contagious Trader campaign is a sophisticated malware operation targeting cryptocurrency users, attributed to North Korea with high confidence. It involves malicious cryptocurrency trading bot projects on GitHub that exfiltrate sensitive data and private keys using various techniques, including malicious npm dependencies. The campaign demonstrates overlaps with known North Korean tactics, particularly those of FAMOUS CHOLLIMA, including the use of GitHub, npm, and Vercel infrastructure, Base64-encoded payload URLs, and anonymizing VPNs for npm package publishing. The operation represents a shift in tactics, expanding beyond the previous Contagious Interview campaign to target a broader range of cryptocurrency users.

MediumMalwareUnited StatesSouth KoreaJapan+7#pylangghost#invisibleferrett#bigsquatrat

The Contagious Interview campaign is a coordinated cyber espionage operation by North Korean threat actors, notably linked to the Lazarus group, targeting the cryptocurrency sector. These actors actively monitor cyber threat intelligence platforms such as Validin, VirusTotal, and Maltrail to identify exposed infrastructure and new targets. They prioritize rapid deployment of malicious infrastructure over stealth and use social engineering techniques, including the ClickFix method, to trick victims into executing malware. Between January and March 2025, over 230 victims were engaged, demonstrating the campaign's scale and sophistication. Although no known exploits for CVE-2023-42793 have been observed in the wild, the campaign poses a medium severity threat. European cryptocurrency organizations, especially in countries with significant crypto markets and financial sectors, are at risk. Mitigation requires targeted monitoring of threat intelligence platforms, enhanced user training against social engineering, and rapid incident response capabilities.

MediumCampaignGermanyFranceNetherlands+4#cyber espionage#social engineering#north korea