The North Korea-linked Lazarus Group has been attributed to a new cyber attack campaign dubbed Operation 99 that targeted software developers looking for freelance Web3 and cryptocurrency work in order to deliver malware.
“The campaign begins with fake recruiters, posing on platforms like LinkedIn, luring developers with project tests and code reviews,” Ryan Sherstobitoff, senior vice president of Threat Research and Intelligence at SecurityScorecard, said in a new report published today.
“Once a victim takes the bait, they’re directed to clone a malicious GitLab repository – seemingly harmless, but packed with disaster. The cloned code connects to command-and-control (C2) servers, embedding malware into the victim’s environment.”
Victims of the campaign have been identified across the globe, with a significant concentration recorded in Italy. A smaller number of affected victims are located in Argentina, Brazil, Egypt, France, Germany, India, Indonesia, Mexico, Pakistan, the Philippines, the U.K., and the U.S.
The cybersecurity company said the campaign, which it discovered on January 9, 2025, builds on job-themed tactics previously observed in Lazarus attacks, such as Operation Dream Job (aka NukeSped), to specifically focus on targeting developers in the Web3 and cryptocurrency fields.
What makes Operation 99 distinctive is that it entices developers with coding projects as part of an elaborate recruitment scheme that involves crafting deceptive LinkedIn profiles, which are then used to direct them to rogue GitLab repositories.
The end goal of the attacks is to deploy data-stealing implants that are capable of extracting source code, secrets, cryptocurrency wallet keys, and other sensitive data from development environments.
These include Main5346 and its variant Main99, which serves as a downloader for three additional payloads –
- Payload99/73 (and its functionally similar Payload5346), which collects system data (e.g., files and clipboard content), terminates web browser processes, executes arbitrary commands, and establishes a persistent connection to the C2 server
- Brow99/73, which steals data from web browsers to facilitate credential theft
- MCLIP, which monitors and exfiltrates keyboard and clipboard activity in real time
“By compromising developer accounts, attackers not only exfiltrate intellectual property but also gain access to cryptocurrency wallets, enabling direct financial theft,” the company said. “The targeted theft of private and secret keys could lead to millions in stolen digital assets, furthering the Lazarus Group’s financial goals.”
The malware architecture is modular and flexible, and is capable of running on Windows, macOS, and Linux. It also highlights the ever-evolving and adaptable nature of nation-state cyber threats.
“For North Korea, hacking is a revenue-generating lifeline,” Sherstobitoff said. “The Lazarus Group has consistently funneled stolen cryptocurrency to fuel the regime’s ambitions, amassing staggering sums. With the Web3 and cryptocurrency industries booming, Operation 99 zeroes in on these high-growth sectors.”