CyberHappenings logo
Home Browse Watchlists Experimental About

Track cybersecurity events as they unfold. Sourced timelines. Filter, sort, and browse. Fast, privacy‑respecting. No invasive ads, no tracking.

Lazarus Group Expands Operations with AI-Generated Video, Malware, and Malicious Packages in Cryptocurrency and Defense Sectors

First reported
Last updated
5 unique sources, 13 articles

Summary

Hide ▲

The North Korean Lazarus Group (UNC1069, also tracked as WaterPlum) continues to expand its operations with new malware and refined tactics targeting the cryptocurrency and defense sectors. Recent activity includes the deployment of StoatWaffle, a modular malware delivered via malicious Visual Studio Code (VS Code) projects, which abuses auto-run tasks to maintain persistence and execute next-stage payloads. The malware includes stealer and RAT modules, targeting sensitive data such as browser credentials and iCloud Keychain on macOS. The threat actor has also disseminated additional malware families—including PylangGhost, PolinRider, and FlexibleFerret (WeaselStore)—through npm packages, GitHub repositories, and staged recruitment processes. Targets include founders, CTOs, and senior engineers in cryptocurrency and Web3 sectors, often approached via LinkedIn or fake job interviews. Microsoft has introduced mitigations in VS Code (v1.109/1.110) to block auto-run tasks, addressing abuse of the 'tasks.json' file. The campaign overlaps with previously documented activity by UNC1069 and GhostCall, highlighting the group's persistent focus on the open-source ecosystem and cross-platform attacks.

Timeline

  1. 11.02.2026 00:17 8 articles · 1mo ago

    UNC1069 Targets Cryptocurrency Sector with AI-Generated Video and Malware

    The article provides additional details on the attack, including the use of a compromised cryptocurrency executive's Telegram account to target a secondary victim. The attackers sent a Calendly link to schedule a 30-minute meeting that directed to a spoofed Zoom meeting hosted on the threat actor's infrastructure. The spoofed Zoom call was a deepfake video posing as another cryptocurrency executive. The attackers tricked the victim into troubleshooting audio issues by running malicious commands on their macOS device. The command installed a backdoor that enabled follow-on activity, including deployment of a downloader for additional tooling and a second backdoor. The additional tools included two data miners to seize keychain credentials, browser data, Telegram user data, and Apple Notes user data. UNC1069 uses large language models (LLMs) like Gemini to conduct research and develop tooling for attacks. Additionally, the Lazarus Group has been active since May 2025 with a campaign codenamed graphalgo, involving malicious packages in npm and PyPI repositories. Developers are targeted via social platforms like LinkedIn, Facebook, and Reddit. The campaign includes a fake company named Veltrix Capital in the blockchain and cryptocurrency trading space. Malicious packages are used to deploy a remote access trojan (RAT) that fetches and executes commands from an external server. The RAT supports commands to gather system information, enumerate files and directories, list running processes, create folders, rename files, delete files, and upload/download files. The command-and-control (C2) communication is protected by a token-based mechanism. The campaign checks for the MetaMask browser extension, indicating a focus on cryptocurrency theft. A malicious npm package called "duer-js" was found to harbor a Windows information stealer called Bada Stealer, capable of gathering Discord tokens, passwords, cookies, autofill data, cryptocurrency wallet details, and system information. Another malware campaign weaponizes npm to extort cryptocurrency payments from developers during package installation, blocking installation until victims pay 0.1 USDC/ETH to the attacker's wallet. The campaign has been ongoing since at least May 2025 and is characterized by modularity, allowing the threat actor to quickly resume it in case of partial compromise. The threat actor relies on packages published on the npm and PyPI registries that act as downloaders for a remote access trojan (RAT). Researchers found 192 malicious packages related to this campaign, which they dubbed 'Graphalgo'. The threat actor creates fake companies in the blockchain and crypto-trading sectors and publishes job offerings on various platforms, like LinkedIn, Facebook, and Reddit. Developers applying for the job are required to show their skills by running, debugging, and improving a given project, which causes a malicious dependency from a legitimate repository to be installed and executed. The package named 'bigmathutils,' with 10,000 downloads, was benign until it reached version 1.1.0, which introduced malicious payloads. The package was later removed and marked as deprecated. The Graphalgo name of the campaign is derived from packages that have 'graph' in their name, typically impersonating legitimate, popular libraries like graphlib. From December 2025 onward, the North Korean actor shifted to packages with 'big' in their name. The actor uses Github Organizations, which are shared accounts for collaboration across multiple projects. Malicious code is introduced indirectly via dependencies hosted on npm and PyPI. The RAT can list the running processes on the host, execute arbitrary commands per instructions from the command-and-control (C2) server, and exfiltrate files or drop additional payloads. The RAT checks whether the MetaMask cryptocurrency extension is installed on the victim’s browser, indicating its money-stealing goals. The RAT's C2 communication is token-protected to lock out unauthorized observers, a common tactic for North Korean hackers. ReversingLabs has found multiple variants written in JavaScript, Python, and VBS, showing an intention to cover all possible targets. ReversingLabs attributes the Graphalgo fake recruiter campaign to the Lazarus group with medium-to-high confidence based on the approach, the use of coding tests as an infection vector, and the cryptocurrency-focused targeting, all of which align with previous activity associated with the North Korean threat actor. The delayed activation of malicious code in the packages is consistent with Lazarus' patience displayed in other attacks. The Git commits show the GMT +9 time zone, matching North Korea time. In a new iteration of the ongoing Contagious Interview campaign, North Korean hackers have published 26 malicious npm packages to the npm registry. These packages masquerade as developer tools but contain functionality to extract the actual command-and-control (C2) by using Pastebin content as a dead drop resolver. The C2 infrastructure is hosted on Vercel across 31 deployments. The campaign is being tracked under the moniker StegaBin. The loader extracts C2 URLs steganographically encoded within three Pastebin pastes, which are innocuous computer science essays. The decoder strips zero-width Unicode characters, reads a 5-digit length marker from the beginning, calculates evenly-spaced character positions throughout the text, and extracts the characters at those positions. The extracted characters are then split on a ||| separator to produce an array of C2 domain names. The malware reaches out to the decoded domain to fetch platform-specific payloads for Windows, macOS, and Linux. The Trojan connects to 103.106.67[.]63:1244 to await further instructions that allow it to change the current directory and execute shell commands. The comprehensive intelligence collection suite contains nine modules to facilitate Microsoft Visual Studio Code (VS Code) persistence, keylogging and clipboard theft, browser credential harvesting, TruffleHog secret scanning, and Git repository and SSH key exfiltration. The vs module uses a malicious tasks.json file to contact a Vercel domain every time a project is opened in VS Code. The clip module acts as a keylogger, mouse tracker, and clipboard stealer with support for active window tracking and conducts periodic exfiltration every 10 minutes. The bro module is a Python payload to steal browser credential stores. The j module is a Node.js module used for browser and cryptocurrency theft by targeting Google Chrome, Brave, Firefox, Opera, and Microsoft Edge, and extensions like MetaMask, Phantom, Coinbase Wallet, Binance, Trust, Exodus, and Keplr. The z module enumerates the file system and steals files matching certain predefined patterns. The n module acts as a RAT to grant the attacker the ability to remotely control the infected host in real-time via a persistent WebSocket connection to 103.106.67[.]63:1247 and exfiltrate data of interest over FTP. The truffle module downloads the legitimate TruffleHog secrets scanner from the official GitHub page to discover and exfiltrate developer secrets. The git module collects files from .ssh directories, extracts Git credentials, and scans repositories. The sched module is the same as "vendor/scrypt-js/version.js" and is redeployed as a persistence mechanism. The North Korean actors have also been observed publishing malicious npm packages (e.g., express-core-validator) to fetch a next-stage JavaScript payload hosted on Google Drive. Only a single package has been published with this new technique, indicating that FAMOUS CHOLLIMA will continue to leverage multiple techniques and infrastructure to deliver follow-on payloads.

    Show sources
    Open in new tab
  2. 23.10.2025 15:38 5 articles · 5mo ago

    Lazarus Group Targets European Defense Companies in Operation DreamJob

    The campaign began in late March 2025. The attackers used a trojanized PDF reader to deliver malware. The campaign exhibits overlaps with clusters tracked as DeathNote, NukeSped, Operation In(ter)ception, and Operation North Star. The campaign could be focused on collecting information on weapon systems deployed in Ukraine, as well as gathering information to perfect designs and processes. At least two of the victims are heavily involved in the development of UAV technology, with one making critical drone components and the other building UAV-related software.

    Show sources
    Open in new tab
  3. 02.09.2025 19:39 3 articles · 6mo ago

    Lazarus Group Deploys Multiple RATs in DeFi Sector Campaign

    In 2024, the Lazarus Group targeted a DeFi organization using a social engineering campaign. The attack involved the deployment of PondRAT, ThemeForestRAT, and RemotePE. The attackers used various tools for discovery, credential harvesting, and proxy connections, eventually transitioning to stealthier RATs for more complex tasks. The campaign began with impersonation on Telegram and fake scheduling websites, leading to the compromise of an employee's system.

    Show sources
    Open in new tab

Information Snippets

Similar Happenings

Iran-linked Dust Specter Targets Iraqi Officials with AI-Assisted Malware

An Iran-linked cyber threat actor, Dust Specter, has been targeting Iraqi government officials using AI-powered tools and previously undocumented malware. The campaign, detected in January 2026, involves impersonating the Iraqi Ministry of Foreign Affairs and compromising government infrastructure to host malicious payloads. The attack chains include the use of SplitDrop, TwinTask, TwinTalk, and GhostForm malware, with TwinTalk also linked to a previous campaign in July 2025. The campaign employs advanced techniques such as randomly generated URI paths for C2 communication, geofencing, and User-Agent verification. The use of compromised Iraqi government infrastructure and AI-assisted malware development highlights the sophistication of the attack.

Open in new tab

341 Malicious ClawHub Skills Target OpenClaw Users with Atomic Stealer

A security audit by Koi Security identified 341 malicious skills on ClawHub, a marketplace for OpenClaw users, which distribute Atomic Stealer malware to steal sensitive data from macOS and Windows systems. The campaign, codenamed ClawHavoc, uses social engineering tactics to trick users into installing malicious prerequisites. The skills masquerade as legitimate tools, including cryptocurrency utilities, YouTube tools, and finance applications. OpenClaw has added a reporting feature and partnered with VirusTotal to scan skills uploaded to ClawHub, providing an additional layer of security for the OpenClaw community. The malware targets API keys, credentials, and other sensitive data, exploiting the open-source ecosystem's vulnerabilities. The campaign coincides with a report from OpenSourceMalware, highlighting the same threat. The intersection of AI agent capabilities and persistent memory amplifies the risks, enabling stateful, delayed-execution attacks. New findings reveal almost 400 fake crypto trading add-ons in the project behind the viral Moltbot/OpenClaw AI assistant tool can lead users to install information-stealing malware. These addons, called skills, masquerade as cryptocurrency trading automation tools and target ByBit, Polymarket, Axiom, Reddit, and LinkedIn. The malicious skills share the same command-and-control (C2) infrastructure, 91.92.242.30, and use sophisticated social engineering to convince users to execute malicious commands which then steals crypto assets like exchange API keys, wallet private keys, SSH credentials, and browser passwords. Additionally, fake OpenClaw installers hosted on GitHub and promoted by Bing AI instructed users to run commands that deployed information stealers and proxy malware. Threat actors set up malicious GitHub repositories posing as OpenClaw installers, which were recommended by Bing in its AI-powered search results. The malicious repositories contained shell scripts paired with Mach-O executables identified as Atomic Stealer malware for macOS users. For Windows users, the threat actor delivered OpenClaw_x64.exe, which deployed multiple malicious executables, including Rust-based malware loaders and Vidar stealer. Another Windows executable delivered was the GhostSocks backconnect proxy malware, designed to convert users' machines into proxy nodes.

Open in new tab

Bizarre Bazaar Campaign Exploits Exposed LLM Endpoints

A cybercrime operation named 'Bizarre Bazaar' is actively targeting exposed or poorly authenticated LLM (Large Language Model) service endpoints. Over 35,000 attack sessions were recorded in 40 days, involving unauthorized access to steal computing resources, resell API access, exfiltrate data, and pivot into internal systems. The campaign highlights the emerging threat of 'LLMjacking' attacks, where attackers exploit misconfigurations in LLM infrastructure to monetize access through cryptocurrency mining and darknet markets. The SilverInc service, marketed on Telegram and Discord, resells access to more than 50 AI models in exchange for cryptocurrency or PayPal payments. A recent investigation by SentinelOne SentinelLABS and Censys revealed 175,000 unique Ollama hosts across 130 countries, many of which are configured with tool-calling capabilities, increasing the risk of LLMjacking attacks.

Open in new tab

Multi-Stage AitM Phishing and BEC Campaigns Target Energy Sector

Microsoft has identified a multi-stage adversary-in-the-middle (AitM) phishing and business email compromise (BEC) campaign targeting organizations in the energy sector. The attackers abused SharePoint file-sharing services to deliver phishing payloads and created inbox rules to maintain persistence and evade detection. The campaign involved leveraging compromised internal identities to conduct large-scale phishing attacks within and outside the victim organizations. Additionally, the AgreeTo Outlook add-in was hijacked and turned into a phishing kit, stealing over 4,000 Microsoft account credentials. The threat actor deployed a fake Microsoft sign-in page, password collection page, exfiltration script, and redirect, exploiting the add-in's ReadWriteItem permissions. This is the first known instance of malware found on the official Microsoft Marketplace. The add-in was abandoned by its developer and the attacker exploited the abandoned domain to serve the phishing kit. The incident highlights the need for better monitoring of add-ins and their associated URLs.

Open in new tab

PluggyApe Backdoor Targets Ukraine's Defense Forces in Charity-Themed Campaign

Ukraine's Defense Forces were targeted in a charity-themed malware campaign between October and December 2025, delivering the PluggyApe backdoor, likely deployed by the Russian threat group Void Blizzard (Laundry Bear). The attacks began with instant messages over Signal or WhatsApp, directing recipients to malicious websites posing as charitable foundations. These sites distributed password-protected archives containing PluggyApe payloads. The malware profiles the host, sends victim information to attackers, and waits for further commands. In February 2026, a new campaign targeting Ukrainian entities was observed, employing judicial and charity-themed lures to deploy a JavaScript-based backdoor codenamed DRILLAPP. This campaign is likely orchestrated by threat actors linked to Russia and shares overlaps with the prior PluggyApe campaign. The malware is capable of uploading and downloading files, leveraging the microphone, and capturing images through the webcam. The threat actor is believed to be active since at least April 2024.

Open in new tab