
Lazarus Group Expands Operations with AI-Generated Video, Malware, and Malicious Packages in Cryptocurrency and Defense Sectors

5 unique sources, 11 articles

Summary


The Lazarus Group, a North Korea-linked threat actor, has expanded its operations to target European defense companies in 2025, leveraging a coordinated Operation DreamJob campaign. The attack involved fake recruitment lures and the deployment of various malware, including the ScoringMathTea RAT. This campaign follows earlier attacks on a decentralized finance (DeFi) organization in 2024, where the group deployed multiple cross-platform malware variants, including PondRAT, ThemeForestRAT, and RemotePE. In 2026, North Korean hackers have been observed using AI-generated video and the ClickFix technique to deliver malware for macOS and Windows to targets in the cryptocurrency sector. The threat actor's goal is financial, as suggested by the role of the tools used in an attack on a fintech company investigated by Google's Mandiant researchers. The attack had a strong social engineering component, with the victim being contacted over Telegram from a compromised executive account. The hackers used a Calendly link to a spoofed Zoom meeting page and showed a deepfake video of a CEO to facilitate the attack. Mandiant researchers found seven distinct macOS malware families attributed to UNC1069, a threat group they've been tracking since 2018. UNC1069 has been active since at least April 2018 and is also tracked under the monikers CryptoCore and MASAN. The group has used generative AI tools like Gemini to produce lure material and other messaging related to cryptocurrency. They have attempted to misuse Gemini to develop code to steal cryptocurrency and have leveraged deepfake images and video lures mimicking individuals in the cryptocurrency industry. The group has shifted from spear-phishing techniques and traditional finance (TradFi) targeting towards the Web3 industry since at least 2023, targeting centralized exchanges (CEX), software developers at financial institutions, high-technology companies, and individuals at venture capital funds. 
In the latest intrusion documented by Google's threat intelligence division, UNC1069 deployed as many as seven unique malware families, including new ones such as SILENCELIFT, DEEPBREATH, and CHROMEPUSH. The attack combined a compromised Telegram account, a fake Zoom meeting, a ClickFix infection vector, and reported use of AI-generated video to deceive the victim. The group used a fake website masquerading as Zoom and reused videos of previous victims to deceive new ones. The attack proceeded with a ClickFix-style troubleshooting command that delivered malware, leading to the deployment of malicious components designed to gather system information, provide hands-on-keyboard access, and steal sensitive data. Additionally, the Lazarus Group has been active since May 2025 with a campaign codenamed graphalgo, involving malicious packages in the npm and PyPI repositories. Developers are targeted via social platforms like LinkedIn, Facebook, and Reddit. The campaign includes a fake company named Veltrix Capital in the blockchain and cryptocurrency trading space. The malicious packages deploy a remote access trojan (RAT) that fetches and executes commands from an external server. The RAT supports commands to gather system information, enumerate files and directories, list running processes, create folders, rename files, delete files, and upload/download files. Command-and-control (C2) communication is protected by a token-based mechanism. The campaign checks for the MetaMask browser extension, indicating a focus on cryptocurrency theft. A malicious npm package called "duer-js" was found to harbor a Windows information stealer called Bada Stealer, capable of gathering Discord tokens, passwords, cookies, autofill data, cryptocurrency wallet details, and system information.
Another malware campaign weaponizes npm to extort cryptocurrency payments from developers during package installation, blocking installation until victims pay 0.1 USDC/ETH to the attacker's wallet. The Graphalgo campaign has been ongoing since at least May 2025 and is characterized by modularity, allowing the threat actor to quickly resume it in case of partial compromise. The threat actor relies on packages published on the npm and PyPI registries that act as downloaders for a remote access trojan (RAT). Researchers found 192 malicious packages related to this campaign, which they dubbed 'Graphalgo'. The threat actor creates fake companies in the blockchain and crypto-trading sectors and publishes job offerings on platforms like LinkedIn, Facebook, and Reddit. Developers applying for the job are required to show their skills by running, debugging, and improving a given project, which causes a malicious dependency from a legitimate repository to be installed and executed. The package named 'bigmathutils', with 10,000 downloads, was benign until it reached version 1.1.0, which introduced malicious payloads. The package was later removed and marked as deprecated. The Graphalgo name is derived from packages that have 'graph' in their name, typically impersonating legitimate, popular libraries like graphlib. From December 2025 onward, the North Korean actor shifted to packages with 'big' in their name. The actor uses GitHub Organizations, shared accounts for collaboration across multiple projects. Malicious code is introduced indirectly via dependencies hosted on npm and PyPI. The RAT can list the running processes on the host, execute arbitrary commands per instructions from the command-and-control (C2) server, and exfiltrate files or drop additional payloads. The RAT checks whether the MetaMask cryptocurrency extension is installed in the victim's browser, indicating its money-stealing goals.
The RAT's C2 communication is token-protected to lock out unauthorized observers, a common tactic for North Korean hackers. ReversingLabs has found multiple variants written in JavaScript, Python, and VBS, showing an intention to cover all possible targets. ReversingLabs attributes the Graphalgo fake recruiter campaign to the Lazarus group with medium-to-high confidence based on the approach, the use of coding tests as an infection vector, and the cryptocurrency-focused targeting, all of which align with previous activity associated with the North Korean threat actor. The delayed activation of malicious code in the packages is consistent with the patience Lazarus has displayed in other attacks. The Git commits show the GMT+9 time zone, matching North Korea time.
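The coding-test lure and the GMT+9 commit timestamps described above suggest two quick triage checks a developer can run before executing an unknown "assessment" project: profile the committer time zones in the repository's git log and list every dependency that declares an install-time lifecycle script. This Python example is added here and is not taken from any of the cited reports; the git log lines and package manifests are constructed, and every package name except graphlib is hypothetical.

```python
import re
from collections import Counter
from typing import Dict, List, Tuple

# Constructed sample of `git log --format='%h %ci'` output (hypothetical hashes/dates).
SAMPLE_GIT_LOG = """\
a1b2c3d 2025-05-12 09:14:03 +0900
b2c3d4e 2025-05-13 22:41:10 +0900
c3d4e5f 2025-06-02 11:05:55 +0900
d4e5f6a 2025-06-07 03:30:21 +0000
e5f6a7b 2025-12-01 14:02:47 +0900
"""

# Constructed dependency manifests, shaped like node_modules/<name>/package.json.
# Names other than graphlib are hypothetical placeholders.
SAMPLE_DEPS = {
    "graphlib": {"version": "2.1.8", "scripts": {"test": "mocha"}},
    "example-graph-utils": {"version": "1.1.0",
                            "scripts": {"test": "jest", "postinstall": "node setup.js"}},
    "example-bigmath": {"version": "1.1.0", "scripts": {"preinstall": "node index.js"}},
}

# npm lifecycle scripts that run code on the developer's machine during install.
INSTALL_HOOKS = ("preinstall", "install", "postinstall", "prepare")
OFFSET_RE = re.compile(r"([+-]\d{4})\s*$")


def timezone_profile(git_log: str) -> Tuple[Dict[str, int], str, float]:
    """Count committer UTC offsets; return (counts, dominant offset, its share of commits)."""
    counts: Counter = Counter()
    for line in git_log.splitlines():
        match = OFFSET_RE.search(line)
        if match:
            counts[match.group(1)] += 1
    if not counts:
        return {}, "", 0.0
    offset, n = counts.most_common(1)[0]
    return dict(counts), offset, n / sum(counts.values())


def install_hooks(deps: Dict[str, dict]) -> List[Tuple[str, str, str]]:
    """Return (package, version, hook) for each dependency that executes code at install time."""
    found = []
    for name, manifest in sorted(deps.items()):
        for hook in INSTALL_HOOKS:
            if hook in manifest.get("scripts", {}):
                found.append((name, manifest.get("version", "?"), hook))
    return found


if __name__ == "__main__":
    counts, dominant, share = timezone_profile(SAMPLE_GIT_LOG)
    print(f"commit offsets: {counts}; dominant {dominant} ({share:.0%} of commits)")
    for name, version, hook in install_hooks(SAMPLE_DEPS):
        print(f"review before running: {name}@{version} declares a '{hook}' script")
```

During review, `npm install --ignore-scripts` resolves the dependency tree without executing any of the hooks the second function lists.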

Timeline

  1. 11.02.2026 00:17 6 articles · 4d ago

    UNC1069 Targets Cryptocurrency Sector with AI-Generated Video and Malware

    The article provides additional details on the attack, including the use of a compromised cryptocurrency executive's Telegram account to target a secondary victim. The attackers sent a Calendly link to schedule a 30-minute meeting that directed to a spoofed Zoom meeting hosted on the threat actor's infrastructure. The spoofed Zoom call was a deepfake video posing as another cryptocurrency executive. The attackers tricked the victim into troubleshooting audio issues by running malicious commands on their macOS device. The command installed a backdoor that enabled follow-on activity, including deployment of a downloader for additional tooling and a second backdoor. The additional tools included two data miners to seize keychain credentials, browser data, Telegram user data, and Apple Notes user data. UNC1069 uses large language models (LLMs) like Gemini to conduct research and develop tooling for attacks.

  2. 23.10.2025 15:38 5 articles · 3mo ago

    Lazarus Group Targets European Defense Companies in Operation DreamJob

    The campaign began in late March 2025. The attackers used a trojanized PDF reader to deliver malware. The campaign exhibits overlaps with clusters tracked as DeathNote, NukeSped, Operation In(ter)ception, and Operation North Star. The campaign could be focused on collecting information on weapon systems deployed in Ukraine, as well as gathering information to perfect designs and processes. At least two of the victims are heavily involved in the development of UAV technology, with one making critical drone components and the other building UAV-related software.

  3. 02.09.2025 19:39 3 articles · 5mo ago

    Lazarus Group Deploys Multiple RATs in DeFi Sector Campaign

    In 2024, the Lazarus Group targeted a DeFi organization using a social engineering campaign. The attack involved the deployment of PondRAT, ThemeForestRAT, and RemotePE. The attackers used various tools for discovery, credential harvesting, and proxy connections, eventually transitioning to stealthier RATs for more complex tasks. The campaign began with impersonation on Telegram and fake scheduling websites, leading to the compromise of an employee's system.


Similar Happenings

Bizarre Bazaar Campaign Exploits Exposed LLM Endpoints

A cybercrime operation named 'Bizarre Bazaar' is actively targeting exposed or poorly authenticated LLM (Large Language Model) service endpoints. Over 35,000 attack sessions were recorded in 40 days, involving unauthorized access to steal computing resources, resell API access, exfiltrate data, and pivot into internal systems. The campaign highlights the emerging threat of 'LLMjacking' attacks, where attackers exploit misconfigurations in LLM infrastructure to monetize access through cryptocurrency mining and darknet markets. The SilverInc service, marketed on Telegram and Discord, resells access to more than 50 AI models in exchange for cryptocurrency or PayPal payments. A recent investigation by SentinelOne SentinelLABS and Censys revealed 175,000 unique Ollama hosts across 130 countries, many of which are configured with tool-calling capabilities, increasing the risk of LLMjacking attacks.

Multi-Stage AitM Phishing and BEC Campaigns Target Energy Sector

Microsoft has identified a multi-stage adversary-in-the-middle (AitM) phishing and business email compromise (BEC) campaign targeting organizations in the energy sector. The attackers abused SharePoint file-sharing services to deliver phishing payloads and created inbox rules to maintain persistence and evade detection. The campaign involved leveraging compromised internal identities to conduct large-scale phishing attacks within and outside the victim organizations. Additionally, the AgreeTo Outlook add-in was hijacked and turned into a phishing kit, stealing over 4,000 Microsoft account credentials. The threat actor deployed a fake Microsoft sign-in page, password collection page, exfiltration script, and redirect, exploiting the add-in's ReadWriteItem permissions. This is the first known instance of malware found on the official Microsoft Marketplace. The add-in was abandoned by its developer and the attacker exploited the abandoned domain to serve the phishing kit. The incident highlights the need for better monitoring of add-ins and their associated URLs.

PluggyApe Backdoor Targets Ukraine's Defense Forces in Charity-Themed Campaign

Ukraine's Defense Forces were targeted in a charity-themed malware campaign between October and December 2025. The campaign delivered the PluggyApe backdoor, likely deployed by the Russian threat group Void Blizzard (Laundry Bear). The attacks began with instant messages over Signal or WhatsApp, directing recipients to malicious websites posing as charitable foundations. These sites distributed password-protected archives containing PluggyApe payloads. The malware profiles the host, sends victim information to attackers, and waits for further commands. The campaign highlights the increasing use of mobile devices as prime targets due to their poor protection and monitoring. Additionally, the Computer Emergency Response Team of Ukraine (CERT-UA) has disclosed details of new cyber attacks targeting its defense forces with malware known as PLUGGYAPE between October and December 2025. The threat actor is believed to be active since at least April 2024. The malware is written in Python and establishes communication with a remote server over WebSocket or Message Queuing Telemetry Transport (MQTT). The command-and-control (C2) addresses are retrieved from external paste services such as rentry[.]co and pastebin[.]com, where they are stored in base64-encoded form.

GoBruteforcer Botnet Expands Attacks on Linux Servers

The GoBruteforcer botnet has expanded its attacks to target databases of cryptocurrency and blockchain projects, exploiting weak credentials and misconfigured software. Over 50,000 publicly accessible servers are vulnerable, with the botnet turning compromised machines into scanning and attack nodes. A more capable variant of the malware, written in Go, was observed in mid-2025, featuring heavier obfuscation and stronger persistence. The botnet exploits predictable usernames and weak defaults, targeting exposed services like XAMPP and WordPress admin panels. Financial motives are evident, with tools found to scan TRON balances and sweep tokens on TRON and Binance Smart Chain. On-chain analysis confirms some successful attacks, though most affected addresses held small balances. The botnet uses common operational usernames such as 'myuser' and 'appuser', and common passwords like '123321' and 'testing'. GoBruteforcer campaigns tweak the credential sets depending on the target, including cryptocurrency-themed usernames and passwords.

NodeCordRAT Malware Delivered via Bitcoin-Themed npm Packages

Researchers discovered three malicious npm packages—bitcoin-main-lib, bitcoin-lib-js, and bip40—that delivered a previously undocumented remote access trojan (RAT) named NodeCordRAT. The packages, uploaded by a user named "wenmoonx," were designed to steal Google Chrome credentials, API tokens, and cryptocurrency wallet seed phrases. NodeCordRAT uses Discord servers for command-and-control (C2) communications and was capable of executing arbitrary shell commands, taking screenshots, and exfiltrating files. The packages were taken down in November 2025.