Saturday, May 3, 2025

Lazarus Group Targeting Organizations in the Cryptocurrency and Blockchain


The FBI, CISA, and the U.S. Department of the Treasury have issued a joint Cybersecurity Advisory on cryptocurrency theft by a North Korean state-sponsored APT group and on the tactics it has used since at least 2020.

The group is tracked under several names, including the Lazarus Group, APT38, BlueNoroff, and Stardust Chollima.

Targets include organizations across the cryptocurrency and blockchain sectors: exchanges, DeFi protocols, play-to-earn cryptocurrency video games, trading companies, venture capital funds investing in cryptocurrency, and individuals holding large amounts of cryptocurrency or valuable non-fungible tokens (NFTs).


The initial access vector is social engineering over a variety of communication platforms, persuading victims to install trojanized software presented as legitimate cryptocurrency applications.

Once the application is installed, the threat actors use it to gain access to the victim's environment, propagate malware across the network, and steal private keys or exploit other security gaps. They then initiate fraudulent blockchain transactions to move the funds.

AppleJeus is one of the malware families these North Korean actors have used to steal cryptocurrency. Earlier U.S. government reporting on the group's theft from banks includes:

  • HIDDEN COBRA – FASTCash Campaign
  • FASTCash 2.0: North Korea’s BeagleBoyz Robbing Banks

Technical Details

The U.S. government has observed a group of North Korean state-sponsored threat actors using the same methods and tactics as the earlier Lazarus Group activity that deployed the AppleJeus malware.

That earlier activity targeted individuals and companies, including cryptocurrency exchanges and financial services firms, by distributing cryptocurrency trading applications with embedded trojans, resulting in the theft of cryptocurrency. The CISA advisory states:

As of April 2022, North Korea’s Lazarus Group actors have targeted various firms, entities, and exchanges in the blockchain and cryptocurrency industry using spearphishing campaigns and malware to steal cryptocurrency. These actors will likely continue exploiting vulnerabilities of cryptocurrency technology firms, gaming companies, and exchanges to generate and launder funds to support the North Korean regime.

Tactics, Techniques, and Procedures (TTP)

Intrusions begin by targeting employees of cryptocurrency companies, often those working in system administration or in software development and IT operations (DevOps).

These employees receive a large number of spear-phishing messages over a variety of communication platforms. The messages typically mimic a recruitment effort and offer high-paying jobs to entice the recipients into downloading malware-laced cryptocurrency applications, which the U.S. government refers to as “TraderTraitor”.

TraderTraitor applications are cross-platform Electron apps whose core JavaScript is bundled with Webpack. Within the bundle is a function that purports to be an “update” check and has a name like UpdateCheckSync(). In reality, this function downloads and executes a malicious payload.

UpdateCheckSync() makes an HTTP POST request to a PHP script hosted on the TraderTraitor project's domain, at either the /update/ or the /oath/checkupdate.php URI.

In recent variants, the server's response is parsed as a JSON document containing a single key-value pair. The key is used as an AES-256 key, in Counter (CTR) mode or Cipher Block Chaining (CBC) mode, to decrypt the value.

The decrypted value is written to a file in the temporary directory, as returned by Node.js' os.tmpdir() method, and executed with Node.js' child_process.exec(), which spawns a shell as a child process of the Electron application. The string “Update finished” is then logged to the terminal so that the user sees nothing unusual.

Observed payloads include macOS and Windows variants of Manuscrypt, a remote access trojan (RAT) that collects system information, executes arbitrary commands, and downloads additional payloads. Post-compromise activity is tailored to the victim's environment and has at times been completed in less than a week from the initial intrusion.

The advisory also lists Indicators of Compromise and recommended mitigations for defending against these actors.


Gurubaran
Gurubaran is a co-founder of Cyber Security News and GBHackers On Security. He has 10+ years of experience as a Security Consultant, Editor, and Analyst in cybersecurity, technology, and communications.
