The Lazarus Group uses fake LinkedIn profiles to target Web3 devs

January 22, 2025

The notorious North Korean advanced persistent cybercriminal organisation dubbed Lazarus Group is the alleged operator of a new campaign called Operation 99.

Reports claimed the cyberattack is trying to deliver malware by targeting software developers looking for freelance Web3 and Bitcoin work. Researchers explained that the malicious campaign was initiated through fraudulent recruiters posing as developers on platforms like LinkedIn and drawing in targeted job seekers with project testing and code review tasks.

Once a victim bites the bait, they are instructed to clone a rogue GitLab repository, which appears harmless but is in fact malicious. The cloned code communicates with attacker-controlled C2 servers, embedding malware in the victim’s infrastructure.
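The defensive counterpart to the step above is to triage a cloned "coding test" repository before running anything from it. The following Python script is an added example and is not code from the article or from the researchers it cites; it builds a constructed sample repository (file names, the `postinstall` hook and the TEST-NET-3 address 203.0.113.10 are all placeholders, not indicators from the campaign) and flags the things a reviewer would want to see first: install-time hooks that execute automatically, hard-coded URLs and IP addresses, and long encoded blobs.

```python
"""Triage a freshly cloned repository before running it.

Added example (not the article's or the researchers' code). Flags:
  * install-time hooks that run automatically (npm lifecycle scripts,
    setup.py cmdclass overrides),
  * hard-coded URLs and IPv4 addresses (possible C2 endpoints),
  * long base64-looking literals that often hide a second-stage payload.
"""
import json
import re
import tempfile
from pathlib import Path

URL_RE = re.compile(r"https?://[^\s'\"<>)]+")
IP_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}(?::\d{2,5})?\b")
B64_RE = re.compile(r"[A-Za-z0-9+/]{80,}={0,2}")
# npm scripts that run without the developer explicitly invoking them
HOOK_KEYS = {"preinstall", "install", "postinstall", "prepare"}
SOURCE_EXT = {".js", ".mjs", ".cjs", ".ts", ".py", ".sh", ".json"}


def audit_repo(root):
    """Return a list of (relative_path, kind, detail) findings for the tree."""
    root = Path(root)
    findings = []
    for path in sorted(root.rglob("*")):
        if not path.is_file() or path.suffix not in SOURCE_EXT:
            continue
        if ".git" in path.parts:  # never scan git internals
            continue
        rel = str(path.relative_to(root))
        try:
            text = path.read_text(errors="replace")
        except OSError:
            continue
        if path.name == "package.json":
            try:
                scripts = json.loads(text).get("scripts", {})
            except json.JSONDecodeError:
                scripts = {}
            for key in sorted(HOOK_KEYS & set(scripts)):
                findings.append((rel, "install-hook", f"{key}: {scripts[key]}"))
        if path.name == "setup.py" and "cmdclass" in text:
            findings.append((rel, "install-hook", "setup.py overrides cmdclass"))
        for m in URL_RE.findall(text):
            findings.append((rel, "url", m))
        for m in IP_RE.findall(text):
            findings.append((rel, "ip", m))
        for m in B64_RE.findall(text):
            findings.append((rel, "encoded-blob", m[:32] + "..."))
    return findings


def is_suspicious(findings):
    """A hook that executes on install, or a raw IP endpoint, warrants a
    manual review before `npm install` / `pip install` is ever run."""
    return any(kind in ("install-hook", "ip") for _, kind, _ in findings)


def build_sample_repo():
    """Constructed sample repository (placeholder content, not a real IoC):
    a 'coding test' whose package.json runs setup.js on install, and whose
    setup.js carries a hard-coded TEST-NET-3 endpoint."""
    root = Path(tempfile.mkdtemp(prefix="audit-demo-"))
    (root / "package.json").write_text(json.dumps({
        "name": "coding-test",
        "scripts": {"test": "node test.js", "postinstall": "node setup.js"},
    }))
    (root / "setup.js").write_text(
        "// constructed placeholder endpoint (TEST-NET-3, not a real indicator)\n"
        "const C2 = 'http://203.0.113.10:8080/update';\n"
    )
    (root / "index.js").write_text("console.log('hello');\n")
    return root


if __name__ == "__main__":
    repo = build_sample_repo()
    for rel, kind, detail in audit_repo(repo):
        print(f"{kind:14} {rel:16} {detail}")
    print("suspicious:", is_suspicious(audit_repo(repo)))
```

The script is a triage aid, not a verdict: legitimate projects also carry URLs in metadata, so the point is to surface every place where cloned code can reach the network or run on install, and to read those lines before executing anything.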


The new Lazarus Group campaign has already reached various countries globally.


The Lazarus Group operation has already achieved global scale, with Italy recording the most targeted individuals. Smaller numbers of victims were reported in countries across several continents, including Egypt, Argentina, Brazil, France, Germany, Mexico, Pakistan, the Philippines, the United Kingdom, and the United States.

Researchers identified the campaign earlier this year and noted that its primary strategy is to draw victims with job-themed tactics, specifically targeting developers in the Web3 and cryptocurrency industries.

This technique remains effective because North Korean threat actors continually upgrade their methods, making their job-themed lures more complex and authentic.

Additionally, the attackers may trick even the most alert individuals by exploiting technological advances such as AI-generated profiles and realistic communication strategies. The constant refinement of these strategies increases their ability to exploit human trust and curiosity.

Operation 99 sets itself apart from previously identified Lazarus campaigns by enticing engineers with coding projects as part of a complex recruitment operation: fraudulent LinkedIn profiles are created and then used to steer targets to rogue GitLab repositories.

Its primary purpose is to deploy infostealing payloads capable of harvesting essential information, such as source code, confidential files, cryptocurrency wallet keys, and other sensitive data from development environments.

The malware architecture is modular, versatile, and compatible with Windows, macOS, and Linux operating systems. Job-seeking Web3 developers, especially cryptocurrency enthusiasts, should be careful with job offers from LinkedIn that contain unknown links to avoid falling victim to this new cybercriminal campaign.
