CyberSecurity news

FlagThis - #lazarusgroup

Editor-In-Chief, BitDegree@bitdegree.org //
The BitMEX cryptocurrency exchange has successfully thwarted an intrusion attempt orchestrated by the Lazarus Group, a notorious hacking organization with ties to North Korea. The exchange's security team detected the attack, preventing any compromise of their systems. In a significant countermove, BitMEX's security team managed to access one of the Lazarus Group's servers, providing valuable insights into their operations and tactics.

Researchers at BitMEX uncovered critical missteps made by the Lazarus Group during their campaigns, including exposed IP addresses and an accessible database. One key finding involved a rare slip-up where a hacker inadvertently revealed their real IP address, which was traced to Jiaxing, China. This location is near Shanghai and represents a notable lapse in security for the typically secretive group. BitMEX also blocked a phishing attempt linked to the Lazarus Group, where attackers posed as NFT partners on LinkedIn to trick one of its employees.

The Lazarus Group's attack strategy often begins with relatively unsophisticated methods like phishing to gain initial access to targeted systems. In this case, the attackers invited a BitMEX employee to a private GitHub repository containing code for a fake Next.js/React website. The goal was to make the victim run the project, which included malicious code, on their computer. BitMEX emphasized that the "Lazarus Group" comprises multiple hacking teams under the control of the North Korean government, responsible for stealing significant sums of money through various cyberattacks.

Recommended read:
References :
  • blog.bitmex.com: The BitMEX cryptocurrency exchange says it detected and stopped an intrusion attempt from North Korean hacking group Lazarus. BitMEX's security team gained access to one of the group's servers and traced one of its operators to Jiaxing, China.
  • bsky.app: The BitMEX cryptocurrency exchange says it detected and stopped an intrusion attempt from North Korean hacking group Lazarus.
  • DataBreaches.Net: Researchers at crypto exchange BitMEX on Friday said that they had uncovered several critical missteps that North Korean state-sponsored hacker group Lazarus had made during its campaigns. Those lapses included exposed IP addresses, an accessible Supabase database, and tracking algorithms.
  • Catalin Cimpanu: BitMEX cryptocurrency exchange says it detected and stopped an intrusion attempt from North Korean hacking group Lazarus. BitMEX's security team gained access to one of the group's servers and traced one of its operators to Jiaxing, China.
  • www.bitdegree.org: BitMEX has blocked a phishing attempt linked to the Lazarus Group , a hacking operation with ties to North Korea.
  • Metacurity: German police ID Trickbot's "Stern," BitMEX thwarts Lazarus Group attack, Shin Bet thwarted 85 Iranian cyberattacks aimed at civilians, Vibe coding app Lovable failed to fix critical flaw, China's quantum satellite Micius has a security flaw, Russia's Unit 29155 has a hacker team, much more
  • bsky.app: The BitMEX cryptocurrency exchange thwarted an intrusion attempt from the North Korean hacking group Lazarus Group.
  • securityonline.info: BitMEX Turns Tables on Lazarus Group: Infiltrates Hacker Infrastructure
  • securityonline.info: BitMEX Turns Tables on Lazarus Group: Infiltrates Hacker Infrastructure
  • Metacurity: Bitcoin options trading venue BitMEX discovered an operational security mistake in a thwarted attack by N. Korea's Lazarus Group, which revealed the attackers' IP address and uncovered at least 10 potential accounts used to test or develop its malware.

@www.silentpush.com //
References: gbhackers.com , iHLS ,
North Korean operatives have infiltrated hundreds of Fortune 500 companies, posing a significant threat to IT infrastructure and sensitive data. Security experts revealed at the RSAC 2025 Conference that the infiltration extends across virtually every major corporation, with many Fortune 500 companies unknowingly employing North Korean technical workers. This alarming trend raises serious concerns about potential security breaches and data theft. The experts said that dozens of experts and law enforcement at RSA said the campaign is now out of control, impacting thousands of companies.

Even tech giant Google has detected North Korean technical workers in their talent pipeline as job candidates and applicants, although they have not been hired to date. "If you're not seeing this, it's because you're not detecting it, not because it's not happening to you," warned Iain Mulholland, senior director of security engineering at Google Cloud, emphasizing the universality of the threat. Insider risk management firm DTEX corroborated these findings, reporting that 7% of its customer base-representing a cross-section of the Fortune 2000-has been infiltrated by North Korean operatives working as full-time employees with privileged access.

The North Korean IT worker scam has expanded beyond the tech and crypto industries and is now a threat to all companies. One cybersecurity expert even found evidence that a U.S. political campaign in Oregon hired a North Korean IT worker to build its website. Initially, the workers primarily focused on legitimate employment to generate funds for the regime in Pyongyang, but experts are now seeing a tactical shift toward extortion, which has been observed.

Recommended read:
References :
  • gbhackers.com: North Korean APT Hackers Pose as Companies to Spread Malware to Job Seekers
  • iHLS: North Korean Hackers Set Up Fake U.S. Businesses to Target Cryptocurrency Developers
  • www.cysecurity.news: Threat analysts at Silent Push, a U.S. cybersecurity firm, told Reuters that North Korean cyber spies established two companies in the U.S., Blocknovas LLC and Softglide LLC, using fictitious personas and addresses to infect developers in the cryptocurrency industry with malicious software, in violation of Treasury sanctions.

@www.silentpush.com //
North Korean hackers, identified as the Contagious Interview APT group, are running a sophisticated malware campaign targeting individuals seeking employment in the cryptocurrency sector. Silent Push threat analysts have uncovered the operation, revealing that the group, also known as Famous Chollima and a subgroup of Lazarus, is using three front companies—BlockNovas LLC, Angeloper Agency, and SoftGlide LLC—to spread malicious software. These companies are being used to lure unsuspecting job applicants into downloading malware through fake job interview opportunities, marking an evolution in the group's cyber espionage and financial gain tactics.

The campaign involves the distribution of three distinct malware strains: BeaverTail, InvisibleFerret, and OtterCookie. Job seekers are enticed with postings on various online platforms, including CryptoJobsList, CryptoTask, and Upwork. Once an application is submitted, the hackers send what appear to be legitimate interview-related files containing the malware. The attackers are also using AI-generated images to create employee profiles for these front companies, specifically using Remaker AI to fabricate realistic personas, enhancing the credibility of their fraudulent operations and making it harder for job seekers to differentiate between genuine and malicious opportunities.

The use of these front companies and AI-generated profiles signifies a new escalation in the tactics employed by Contagious Interview. The malware, once installed, allows hackers to remotely access infected computers and steal sensitive data. The campaign leverages legitimate platforms like GitHub and various job boards to further enhance its deceptive nature. Silent Push's analysis has successfully traced the malware back to specific websites and internet addresses used by the hackers, including lianxinxiao[.]com, and uncovered a hidden online dashboard monitoring suspected BeaverTail websites, providing valuable insights into the operational infrastructure of this North Korean APT group.

Recommended read:
References :
  • hackread.com: North Korean Hackers Use Fake Crypto Firms in Job Malware Scam
  • The Hacker News: North Korean Hackers Spread Malware via Fake Crypto Firms and Job Interview Lures
  • www.silentpush.com: Contagious Interview (DPRK) Launches a New Campaign Creating Three Front Companies to Deliver a Trio of Malware: BeaverTail, InvisibleFerret, and OtterCookie
  • Anonymous ???????? :af:: Threat analysts have uncovered that North Korea's Contagious Interview APT group is using three front companies to distribute malware strains BeaverTail, InvisibleFerret, and OtterCookie through fake cryptocurrency job offers.
  • www.silentpush.com: North Korean APT registers three cryptocurrency companies to infect cryptocurrency job applicants with BeaverTail, InvisibleFerret, and OtterCookie malware
  • cyberpress.org: North Korean APT Contagious Interview registers three cryptocurrency companies (BlockNovas LLC, Angeloper Agency, and SoftGlide LLC) to infect cryptocurrency job applicants with BeaverTail, InvisibleFerret, and OtterCookie malware
  • bsky.app: North Korean APT Contagious Interview registers three cryptocurrency companies (BlockNovas LLC, Angeloper Agency, and SoftGlide LLC) to infect cryptocurrency job applicants with BeaverTail, InvisibleFerret, and OtterCookie malware
  • www.scworld.com: North Korean cyberespionage facilitated by bogus US firms, crackdown underway
  • Virus Bulletin: Silent Push researchers have uncovered three cryptocurrency companies that are actually fronts for the North Korean APT group Contagious Interview. BeaverTail, InvisibleFerret & OtterCookie are being spread from this infrastructure to unsuspecting cryptocurrency job applicants.
  • www.scworld.com: New Lazarus campaign hits South Korea BleepingComputer reports that at least half a dozen South Korean organizations in the finance, telecommunications, IT, and software industries have been compromised by North Korean hacking collective Lazarus Group
  • Cyber Security News: North Korean threat actors are leveraging generative artificial intelligence (GenAI) technologies to systematically infiltrate remote technical roles worldwide, according to recent findings from Okta Threat Intelligence.
  • PCMag UK security: Okta finds evidence that North Koreans are using a variety of AI services to upgrade their chances of fraudulently securing remote work so they can line their country's coffers or steal secrets.
  • malware.news: North Korean Group Creates Fake Crypto Firms in Job Complex Scam
  • www.bitdegree.org: North Korean hackers use AI and fake job offers within cryptocurrency companies to distribute malware to unsuspecting job seekers
  • cyberpress.org: North Korean threat actors are leveraging generative artificial intelligence (GenAI) technologies to systematically infiltrate remote technical roles worldwide, according to recent findings from Okta Threat Intelligence.
  • malware.news: North Korean threat actors are leveraging generative artificial intelligence (GenAI) technologies to systematically infiltrate remote technical roles worldwide, according to recent findings from Okta Threat Intelligence.
  • securityonline.info: Threat analysts at Silent Push have uncovered a new campaign orchestrated by the North Korean state-sponsored APT group,
  • securityonline.info: Threat actors are using fake companies in the cryptocurrency consulting industry to spread malware to unsuspecting job applicants.
  • Cybernews: North Korean APT Contagious Interview registers three cryptocurrency companies (BlockNovas LLC, Angeloper Agency, and SoftGlide LLC) to infect cryptocurrency job applicants with BeaverTail, InvisibleFerret, and OtterCookie malware
  • gbhackers.com: North Korean APT Hackers Pose as Companies to Spread Malware to Job Seekers

@nvd.nist.gov //
Cyble Research and Intelligence Labs (CRIL) has uncovered a new ransomware operation dubbed "DOGE BIG BALLS Ransomware." This campaign uses a finance-themed ZIP file named "Pay Adjustment.zip" to trick users into executing malicious shortcut files. These files then trigger multi-stage PowerShell scripts, ultimately delivering custom payloads that include a kernel-mode exploit tool and reconnaissance modules. The ransomware itself is a modified version of Fog, further customized with a provocative name that references a known public figure.

The attention-grabbing name is likely a deliberate attempt to misdirect attention and create confusion, potentially questioning the effectiveness of governmental cybersecurity efforts. Despite the name's provocative nature, the attack mechanism is relatively simple. The ransomware is typically distributed via a compressed ZIP file, sometimes disguised as a PDF document. Once opened, the malicious payload bypasses traditional security defenses using obfuscation and anti-detection techniques.

The DOGE Big Balls ransomware attack highlights the evolving tactics of cybercriminals, blending technical sophistication with psychological manipulation. It also demonstrates the increasing trend of ransomware attacks targeting the healthcare sector, as seen with the recent attack on DaVita, a Denver-based dialysis firm. This incident underscores the critical need for organizations to bolster their cybersecurity defenses and incident response capabilities to protect sensitive data and maintain operational continuity.

Recommended read:
References :
  • cyble.com: This attack leverages a ZIP file with a deceptive LNK shortcut to silently execute a multi-stage PowerShell-based infection chain, ensuring stealthy deployment. A vulnerable driver ( ) is exploited through a Bring Your Own Vulnerable Driver (BYOVD) technique to gain kernel-level read/write access for privilege escalation. The payload is a customized version of Fog ransomware, branded as "DOGE BIG BALLS Ransomware," reflecting an attempt to add psychological manipulation and misattribution. Ransomware scripts include provocative political commentary and the use of a real individual's name and address, indicating intent to confuse, intimidate, or mislead victims. The malware uses router MAC addresses (BSSIDs) and queries the Wigle.net API to determine the victim’s physical location—offering more accurate geolocation than IP-based methods. Extensive system and network information, including hardware IDs, firewall states, network configuration, and running processes, is collected via PowerShell, aiding attacker profiling. Embedded within the toolkit is a Havoc C2 beacon, hinting at the threat actor’s (TA's) potential to maintain long-term access or conduct additional post-encryption activities.
  • Davey Winder: DOGE Big Balls Ransomware Attack — What You Need To Know
  • thecyberexpress.com: TheCyberExpress: DOGE BIG BALLS Campaign Blurs Lines Between Exploitation, Recon, and Reputation Damage
  • www.cybersecurity-insiders.com: DOGE Big Balls Ransomware turns into a big cyber threat
  • www.cybersecurity-insiders.com: DOGE Big Balls Ransomware turns into a big cyber threat
  • www.cysecurity.news: CySecurity: DOGE Big Balls Ransomware turns into a big cyber threat
  • cyberinsider.com: Cybercriminals are distributing FOG ransomware through phishing emails that spoof ties to the U.S. Department of Government Efficiency (DOGE), embedding politically themed messages and exploiting old vulnerabilities to compromise victims across multiple sectors.
  • gbhackers.com: A new variant of the FOG ransomware has been identified, with attackers exploiting the name of the Department of Government Efficiency (DOGE) to mislead victims.
  • www.trendmicro.com: This blog details our investigation of malware samples that conceal within them a FOG ransomware payload.

Ddos@Daily CyberSecurity //
North Korean Lazarus APT group has expanded its malicious activities within the npm ecosystem, deploying eleven new packages designed to deliver the BeaverTail malware and a new remote access trojan (RAT) loader. These malicious packages have been downloaded over 5,600 times before their removal, posing a significant risk to developer systems. The threat actors are utilizing previously identified aliases, as well as newly created accounts, to distribute these packages.

The campaign, dubbed "Contagious Interview," aims to compromise developer systems, steal sensitive credentials or financial assets, and maintain access to compromised environments. To evade detection, the attackers are employing hexadecimal string encoding and other obfuscation techniques. Some of the packages, such as "events-utils" and "icloud-cod," are linked to Bitbucket repositories, while others use command-and-control (C2) addresses previously associated with Lazarus Group campaigns, indicating the scale and coordination of this operation.

Cybersecurity researchers are urging developers to be vigilant and carefully review all dependencies before installing them. The North Korean threat actors continue to create new npm accounts and deploy malicious code across platforms like the npm registry, GitHub, and Bitbucket, demonstrating their persistence and showing no signs of slowing down. This campaign highlights the increasing sophistication of supply chain attacks and the need for robust security measures to protect against such threats.

Recommended read:
References :
  • Security Risk Advisors: Socket Research Team's report
  • The Hacker News: North Korean Hackers Deploy BeaverTail Malware via 11 Malicious npm Packages
  • ciso2ciso.com: North Korean Hackers Deploy BeaverTail Malware via 11 Malicious npm Packages – Source:thehackernews.com
  • Talkback Resources: North Korean Hackers Deploy BeaverTail Malware via 11 Malicious npm Packages [net] [mal]
  • securityonline.info: Lazarus Group Expands Malicious Campaign on npm, Targets Developers with New Malware
  • securityonline.info: Lazarus Group Expands Malicious Campaign on npm, Targets Developers with New Malware
  • www.scworld.com: Malicious npm packages, BeaverTail malware leveraged in new North Korean attacks
  • Cyber Security News: North Korean cyber threat actors, Lazarus Group, have escalated their supply chain attack tactics by introducing a series of malicious npm (Node Package Manager) packages.
  • cyberpress.org: North Korean cyber threat actors, Lazarus Group, have escalated their supply chain attack tactics by introducing a series of malicious npm (Node Package Manager) packages. Utilizing sophisticated hexadecimal encoding to camouflage their code and evade detection systems, the group aims to compromise developer systems, steal sensitive credentials, and maintain persistent access to targeted environments.
  • Chris Wysopal: Infosec.Exchange post on new supply chain NPM package malware attacks found.