Lazarus Group hacks crypto wallets with hidden malware

Security researchers have exposed a covert malware campaign run by North Korea's Lazarus Group. Its latest operation targets cryptocurrency wallets.

The campaign, which began taking shape at the end of 2024, Xrust writes, revolves around a recently identified implant called Marstech1. This sophisticated tool marks a significant evolution in the group's tactics, introducing functionality not seen in its earlier tooling.

According to the security analysis, the attackers set up a command-and-control server hosted on Stark Industries LLC infrastructure. Unlike their previous operations, which typically communicated over ports 1224 and 1245, this new server listens on port 3000 and uses a different stack: a Node.js Express backend without the React web panel observed previously.

Researchers also identified a GitHub profile tied to the Lazarus operator, using the username «Successfriend». This account, active since July 2024, maintained the appearance of legitimate development work before it began publishing malware-related repositories in November 2024.

The malware uses sophisticated obfuscation methods, including control-flow flattening, self-invoking functions, randomly generated variable and function names, and anti-debugging measures. This layered architecture lets the malicious code be embedded in legitimate websites, software packages and even npm packages aimed at the cryptocurrency and Web3 sectors.
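As an added illustration (not code from the article or from the researchers who analysed Marstech1), the following Node.js script scores a JavaScript source file against the four obfuscation indicators named above, so that a package can be flagged for manual review before it is installed. The regex patterns, weights, threshold and both sample snippets are constructed assumptions; they catch the common shapes of these techniques, not every variant.

```javascript
// Added example (not Xrust's or the researchers' code): a heuristic scanner
// that scores JavaScript source for the obfuscation indicators the article
// lists, so a package can be flagged for review before it is installed.
// Indicator regexes, weights and the threshold are assumptions chosen for
// illustration; they catch common forms, not every possible variant.
'use strict';

const INDICATORS = [
  {
    // Control-flow flattening: an endless loop whose body is a switch on a
    // state variable (the "dispatcher" shape that flatteners emit).
    name: 'control_flow_flattening',
    weight: 3,
    test: (src) =>
      /(while\s*\(\s*(true|!0|!\[\])\s*\)|for\s*\(\s*;\s*;\s*\))\s*\{\s*switch\s*\(/.test(src),
  },
  {
    // Self-invoking functions: two or more parenthesised anonymous function
    // expressions, the usual wrapper around obfuscated stages.
    name: 'self_invoking_functions',
    weight: 2,
    test: (src) => (src.match(/\(\s*function\s*\(/g) || []).length >= 2,
  },
  {
    // Randomized identifiers: three or more distinct "_0x" hex-style names,
    // the naming scheme produced by popular JavaScript obfuscators.
    name: 'randomized_identifiers',
    weight: 3,
    test: (src) => new Set(src.match(/\b_0x[0-9a-f]{4,}\b/g) || []).size >= 3,
  },
  {
    // Anti-debugging: a literal `debugger` statement, or one built at runtime
    // through Function("debugger") / .constructor("debugger").
    name: 'anti_debugging',
    weight: 3,
    test: (src) =>
      /\bdebugger\b|(?:Function|constructor)\s*\(\s*['"]debugger['"]\s*\)/.test(src),
  },
];

// Assumption: two strong indicators together are enough to trigger review.
const SUSPICION_THRESHOLD = 5;

// Returns the summed weight of matched indicators and their names.
function scoreSource(src) {
  const matched = INDICATORS.filter((ind) => ind.test(src));
  return {
    score: matched.reduce((sum, ind) => sum + ind.weight, 0),
    hits: matched.map((ind) => ind.name),
  };
}

function isSuspicious(src, threshold = SUSPICION_THRESHOLD) {
  return scoreSource(src).score >= threshold;
}

// Constructed sample inputs: an ordinary module, and a synthetic snippet that
// exhibits all four indicator classes (it does nothing harmful if executed).
const SAMPLE_BENIGN = `
const fs = require('fs');
function readConfig(path) {
  return JSON.parse(fs.readFileSync(path, 'utf8'));
}
module.exports = { readConfig };
`;

const SAMPLE_OBFUSCATED = `
var _0x4a1f = ['log', 'config', 'readFileSync'];
(function (_0x2b3c, _0x5d6e) { var _0x1f2a = function (_0x3c4d) { while (--_0x3c4d) { _0x2b3c.push(_0x2b3c.shift()); } }; _0x1f2a(++_0x5d6e); }(_0x4a1f, 0x1a3));
(function () {
  var _0x7e8f = 0;
  while (true) {
    switch (_0x7e8f) {
      case 0: _0x7e8f = 2; continue;
      case 2: (function () { return false; }).constructor('debugger').call('action'); _0x7e8f = 1; continue;
      case 1: return;
    }
  }
})();
`;

for (const [label, src] of [['benign', SAMPLE_BENIGN], ['obfuscated', SAMPLE_OBFUSCATED]]) {
  const { score, hits } = scoreSource(src);
  console.log(`${label}: score=${score} suspicious=${isSuspicious(src)} hits=${hits.join(',') || '-'}`);
}
```

Run it over the files of a package's `node_modules` entry (or a `git diff` of a dependency bump) and treat any file above the threshold as a candidate for manual review rather than as proof of malice: minified production bundles can legitimately trip the self-invoking-function check, which is why it carries the lowest weight and why the result is a score rather than a verdict.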

The malware's specific focus is cryptocurrency wallets. The implant actively searches for Exodus and Atomic wallets on Linux, macOS and Windows systems, attempting to scan and extract sensitive data from these applications.
