
Lazarus massive phishing campaign that targeted NFT investors

Updated on 2022-12-29

K7 has a report out on recent Lazarus APT operations, namely one that baits users with job vacancies at Coinbase and tries to infect victims with macOS malware. Read more: Lazarus APT’s Operation Interception Uses Signed Binary

Updated on 2022-12-26

The Lazarus threat group is linked to a massive phishing campaign that targeted NFT investors. The attackers used around 500 phishing domains to dupe victims. Read more: SlowMist: Investigation of North Korean APT’s Large-Scale Phishing Attack on NFT Users

Updated on 2022-12-06

Volexity observed a new campaign by the North Korean Lazarus APT group, which propagates fake cryptocurrency apps—under the fake brand name BloxHolder—to deploy the AppleJeus malware. Read more: Lazarus APT uses fake cryptocurrency apps to spread AppleJeus Malware

Updated on 2022-12-05: Lazarus AppleJeus campaign

Volexity researchers have spotted a fake cryptocurrency application that installs a version of AppleJeus, a malware strain previously associated with the Lazarus North Korean hacking group. Volexity says the malware used a novel DLL side-loading technique to infect targets, a technique that was later also spotted as part of a Lazarus spear-phishing campaign. Read more: ₿uyer ₿eware: Fake Cryptocurrency Applications Serving as Front for AppleJeus Malware

Updated on 2022-12-04: More Lazarus

More on another Lazarus campaign, this time targeting South Korea with malicious LNK files. Read more: Beware of North Korea-Linked Hacking Attacks Impersonating Discussion Topics of a Diplomacy and Security Academic Conference!

Updated on 2022-11-29

QiAnXin also has a report on Lazarus attacks targeting Japan. Read more: Job-Seeking Trap: Analysis of Lazarus Group Attack Activity Using Recruitment Information from Japan's Mizuho Bank and Others as Bait

Updated on 2022-11-25: ZINC/Lazarus

Avertium has a detailed rundown of all the TTPs employed by ZINC, a North Korean APT, also known as the Lazarus Group. Read more: AN IN-DEPTH LOOK AT THE NORTH KOREAN THREAT ACTOR, ZINC

Updated on 2022-11-15: Lazarus DTrack

Kaspersky has a new report out on how the Lazarus Group has used the DTrack backdoor over the past few years since its initial discovery in 2019. Read more: DTrack activity targeting Europe and Latin America

“The DTrack backdoor continues to be used actively by the Lazarus group. Modifications in the way the malware is packed show that Lazarus still sees DTrack as an important asset. Despite this, Lazarus has not changed the backdoor much since 2019, when it was initially discovered. When the victimology is analyzed, it becomes clear that operations have expanded to Europe and Latin America, a trend we’re seeing more and more often.”

Updated on 2022-11-14

The Lazarus APT group has been found using the DTrack backdoor to target education, IT, chemical manufacturing, telecoms, utility, and government industries in Latin America and Europe. Read more: DTrack activity targeting Europe and Latin America

Updated on 2022-11-04: Lazarus attacks on South Korea

Researchers from Chinese security firm Antiy have a report out on a series of Lazarus APT attacks against South Korean organizations. AhnLab has one too.

Updated on 2022-10-17: Japan warning

The Japanese National Police Agency published a public advisory last week, warning that Lazarus, a group of North Korean state-sponsored hackers, sent multiple phishing emails to the employees of Japanese-based cryptocurrency companies in the hopes of infecting their systems and stealing funds. Read more: Authorities name North Korea hacker group, warn of attacks on Japanese crypto assets

Updated on 2022-10-04: Lazarus Hacker Group Targets MacOS Users Through Crypto Jobs

The North Korean hacking group Lazarus is now targeting Apple macOS users with fake, unsolicited crypto job ads containing malware. The group’s phishing campaign reportedly only targets Mac users, so far… Other victims have been contacted with job offers on LinkedIn. Read More: Lazarus Hacker Group Targets MacOS Users Through Crypto Jobs

Updated on 2022-10-03: North Korea-linked Hackers Exploited a Dell Firmware Driver Vulnerability to Install Rootkit

Researchers from ESET have observed cyberthreat actors with links to North Korea exploiting a known vulnerability in a Dell firmware driver to install a Windows rootkit. The campaign took place last autumn; the attackers sent phony job offers to a political journalist in Belgium and an aerospace company employee in the Netherlands. The goal of the campaign appears to have been data exfiltration.


  • While the set of intended targets so far has been small, it’s not hard to take mitigation steps whether or not you are targeted. Dell provided updates to the DBUtil drivers in May of 2021. Make sure that you’ve deployed them.


Updated on 2022-10-03: Lazarus campaign in NL/BE

ESET published a report on Friday about an Amazon-themed spear-phishing campaign carried out by the Lazarus North Korean APT against targets in Belgium and the Netherlands during the fall of 2021. Confirmed targets of these attacks include an employee of an aerospace company in the Netherlands and a political journalist in Belgium. Lazarus used their tried-and-tested BYOVD (Bring Your Own Vulnerable Driver) technique to elevate privileges on the attacked machine and install the BLINDINGCAN backdoor. In this case, ESET said Lazarus exploited a vulnerability in a Dell driver.

Lazarus hackers were seen carrying out a spear-phishing campaign in which they install a Windows rootkit that abuses a Dell hardware driver in a Bring Your Own Vulnerable Driver attack. Read more: Lazarus hackers abuse Dell driver bug using new FudModule rootkit

Updated on 2022-09-27

In its latest campaign, the Lazarus APT group was observed leveraging unsolicited job opportunities to drop malware on macOS. These fake ads are part of its Operation In(ter)caption campaign. Read more: North Korea’s Lazarus Hackers Targeting macOS Users Interested in Crypto Jobs

Updated on 2022-09-23: Lazarus BYOVD attacks

AhnLab researchers have published an extensive report on BYOVD (Bring Your Own Vulnerable Driver) attacks employed by the Lazarus North Korean APT. The company notes that while these attacks have been seen since 2014, Lazarus is the first APT to have designed an elaborate rootkit that takes advantage of BYOVD techniques to elevate privileges and compromise all major Windows versions from the old Windows 7 up to the most recent OS version, Windows Server 2022. Read more: Analysis Report on Lazarus Group’s Rootkit Attack Using BYOVD

Updated on 2022-09-22: New Lazarus attack

In the meantime, Chinese security researcher Hao Zhixiang said this week that he detected a new phishing campaign linked to the Lazarus group that has targeted virtual currency company Maitixport. IOCs in the Twitter thread below:

The North Korean state-sponsored hacking group known as Lazarus has launched a campaign to steal sensitive information from computer networks of energy providers in the US, Canada, and Japan. Researchers from Cisco Talos say the hackers are exploiting Log4j vulnerabilities in VMware Horizon servers to access the targeted networks.


  • What is new is that a new implant, “MagicRAT”, is being deployed three days before the deployment of their previously known VSingle malware. The entry point remains vulnerable services, such as unpatched VMware Horizon servers vulnerable to Log4Shell, for which, in this case, patches are available. Yes, it’s a bummer getting downtime to patch these services, but it’s far better than the dust-up if you’re compromised. Yes, your internal network is safer than Internet-exposed services, but it’s too risky to assume hackers can’t penetrate your perimeter. Core capabilities in the Lazarus toolkit include disabling endpoint protection and other mitigations you’ve deployed to detect and prevent compromise.

Updated on 2022-09-15: Lazarus APT deploying three trojans in attacks against users in North America

Description: Cisco Talos has been tracking a new campaign operated by the Lazarus APT group, attributed to North Korea by the United States government. This campaign involved the exploitation of vulnerabilities in VMware Horizon to gain an initial foothold in targeted organizations. Targeted organizations include energy providers from around the world, including those headquartered in the United States, Canada and Japan. The campaign is meant to infiltrate organizations around the world for establishing long-term access and subsequently exfiltrating data of interest to the adversary’s nation-state. Talos has discovered the use of two known families of malware in these intrusions — VSingle and YamaBot. Talos has also discovered the use of a recently disclosed implant we’re calling “MagicRAT” in this campaign.


Axie Recovery

The US has recovered $30 million stolen from Axie Infinity by North Korea’s Lazarus group. Leveraging blockchain analysis expertise from Chainalysis and the FBI, law enforcement groups were able to seize funds after cashout (not from the blockchain itself). This is yet another reminder that the blockchain doesn’t just leave crumbs—it’s a crumb-leaving technology—and criminals are often vulnerable at the cashout step. Read more: US recovers $30 million stolen from Axie Infinity by Lazarus hackers

Overview: Lazarus Group starts using new MagicRAT in attacks targeting vulnerable VMware Horizon platforms

Cisco Talos discovered a new remote access trojan (RAT) named “MagicRAT” that Talos attributed with moderate to high confidence to the Lazarus threat actor, a state-sponsored APT attributed to North Korea by the U.S. Cyber Security & Infrastructure Agency (CISA). This new RAT was found on victims that had been initially compromised through the exploitation of publicly exposed VMware Horizon platforms. While being a relatively simple RAT capability-wise, it was built with recourse to the Qt Framework, with the sole intent of making human analysis harder, and automated detection through machine learning and heuristics less likely. Talos also found evidence to suggest that once MagicRAT is deployed on infected systems, it launches additional payloads such as custom-built port scanners. Additionally, we’ve found that MagicRAT’s C2 infrastructure was also used to host newer variants of known Lazarus implants such as TigerRAT. The discovery of MagicRAT in the wild is an indication of Lazarus’ motivations to rapidly build new, bespoke malware to use along with their previously known malware such as TigerRAT to target organizations worldwide.


Alex Lim is a certified IT Technical Support Architect with over 15 years of experience in designing, implementing, and troubleshooting complex IT systems and networks. He has worked for leading IT companies, such as Microsoft, IBM, and Cisco, providing technical support and solutions to clients across various industries and sectors. Alex has a bachelor’s degree in computer science from the National University of Singapore and a master’s degree in information security from the Massachusetts Institute of Technology. He is also the author of several best-selling books on IT technical support, such as The IT Technical Support Handbook and Troubleshooting IT Systems and Networks. Alex lives in Bandar, Johore, Malaysia with his wife and two children.
