What is the Lazarus group?

https://negativepid.blog/what-is-the-lazarus-group/

#lazarus #cyberwarfare #organizedCrime #stateSponsoredCrime #cyberUnits #LazarusGroup #hackers #onlineRecruitment #Cybersecurity #cyberattacks #cyberThreats #onlineSecurity #negativepid

Morning, cyber pros! ☕ It's been a slightly quieter 24 hours, but we've still got some critical updates to chew on, from a dominant threat actor exploiting Ivanti RCEs to North Korean fake recruiters and a low-tech crypto phishing scam. Let's dive in:

Ivanti RCE Exploitation Dominance ⚠️
- A single threat actor, using bulletproof infrastructure from IP 193.24.123.42, is behind 83% of recent active exploitation attempts targeting two critical Ivanti EPMM RCE vulnerabilities (CVE-2026-21962 and CVE-2026-24061).
- This IP address is not widely published in IOC lists, meaning many defenders might be missing the primary source of these automated attacks, which also target Oracle WebLogic and GNU Inetutils Telnetd.
- Ivanti has released hotfixes and recommends using specific RPM packages or, for the most conservative approach, rebuilding EPMM instances and migrating data until full patches are available in Q1.

🤖 Bleeping Computer | https://www.bleepingcomputer.com/news/security/one-threat-actor-responsible-for-83-percent-of-recent-ivanti-rce-attacks/

Lazarus Group's Fake Job Scams 🕵️
- North Korean threat actors, likely the Lazarus Group, are targeting JavaScript and Python developers with fake job offers that include malicious coding challenges.
- These challenges trick developers into installing compromised packages from npm and PyPi (dubbed 'Graphalgo'), which then deploy a sophisticated Remote Access Trojan (RAT) capable of exfiltrating files and checking for MetaMask installations.
- Developers who may have installed packages like 'bigmathutils' or those with 'graph' or 'big' in their name from suspicious sources should immediately rotate all credentials, tokens, and consider a full OS reinstall.

🤖 Bleeping Computer | https://www.bleepingcomputer.com/news/security/fake-job-recruiters-hide-malware-in-developer-coding-challenges/

Crypto Wallet Phishing via Snail Mail ✉️
- Threat actors are employing a rare physical phishing tactic, sending fake letters impersonating Trezor and Ledger to trick hardware wallet users into revealing their recovery phrases.
- The letters create urgency, claiming mandatory "Authentication Checks" or "Transaction Checks" and directing users to scan QR codes that lead to sophisticated phishing websites designed to steal 12-, 20-, or 24-word seed phrases.
- Remember: reputable hardware wallet manufacturers will NEVER ask you to enter your recovery phrase on a website or computer; it should only be entered directly on the device itself during restoration.

🤖 Bleeping Computer | https://www.bleepingcomputer.com/news/security/snail-mail-letters-target-trezor-and-ledger-users-in-crypto-theft-attacks/

#CyberSecurity #ThreatIntelligence #Vulnerability #RCE #Ivanti #LazarusGroup #APT #Malware #RAT #Phishing #SocialEngineering #CryptoSecurity #InfoSec #IncidentResponse

The “Graphalgo” campaign represents a modular software supply-chain intrusion targeting developers directly.

Per ReversingLabs findings:
• 192 malicious npm/PyPI packages
• Delayed payload activation (post-version change)
• GitHub repos clean — malicious logic introduced via dependency chain
• RAT variants in JS, Python, VBS
• MetaMask wallet targeting
• Token-protected C2 channels
• GMT+9 commit indicators

Attribution aligns with historical tradecraft associated with Lazarus Group:
Crypto-focused targeting
Recruitment vector infection
Patience-based staged activation

This is a direct developer-layer attack bypassing enterprise perimeter defenses.

Source: https://www.bleepingcomputer.com/news/security/fake-job-recruiters-hide-malware-in-developer-coding-challenges/

Are dependency registries the new primary attack surface?
Engage below.

Follow @technadu for advanced threat analysis.

#ThreatIntel #SupplyChainSecurity #MalwareAnalysis #RAT #OpenSourceSecurity #DevSecOps #LazarusGroup #PackageSecurity #AppSec #BlueTeam #CyberThreats #IoC #Infosec

📰 North Korean Hackers Lure Developers with Fake Job Interviews, Backdoor macOS via VS Code

North Korean hackers' 'Contagious Interview' campaign targets macOS developers using malicious VS Code projects on GitHub. Fake job offers lead to backdoors via trusted IDE features. 👨‍💻⚠️ #LazarusGroup #macOS #InfoSec #SupplyChain

🔗 https://cyber.netsecops.io/articles/north-korean-contagious-interview-campaign-weaponizes-vs-code-projects/?utm_source=mastodon&utm_medium=socia…

RE: https://social.troll.academy/@mushu/115937976404644181

https://runjak.codes/posts/2026-01-21-adversarial-coding-test/

Seems really similar to a recently reported variant of a North Korean state aligned campaign, ContagiousInterview. They've moved to VS Code tasks now

cc @lazarusholic

https://www.jamf.com/blog/threat-actors-expand-abuse-of-visual-studio-code/
https://opensourcemalware.com/blog/contagious-interview-vscode

#DPRK #ContagiousInterview #lazarus #LazarusGroup #FamousChollima

"Researchers Capture Lazarus APT's Remote-Worker Scheme Live on Camera"

#CyberSecurity #LazarusGroup #LaptopFarms #ITrecruitment #Pattern ... https://thehackernews.com/2025/12/researchers-capture-lazarus-apts-remote.html

You fail to realize you are on a honeypot.

https://any.run/cybersecurity-blog/lazarus-group-it-workers-investigation/

#LazarusGroup #SituationalAwareness

North Korea lures engineers to rent identities in fake IT worker scheme
#NorthKorea #LazarusGroup #dprk

https://www.bleepingcomputer.com/news/security/north-korea-lures-engineers-to-rent-identities-in-fake-it-worker-scheme/

Alright cyber pros, it's been a pretty packed 24 hours! We've got major data breaches impacting millions, new insights into nation-state tactics, a huge takedown of a crypto mixer, and a stark warning about the security implications of agentic AI browsers. Let's dive in:

Major Data Breaches Unfold ⚠️
- South Korean e-commerce giant Coupang, often dubbed the "Amazon of Korea," confirmed a data breach impacting 33.7 million customers, over half the country's population. Exposed data includes names, emails, phone numbers, addresses, and order history, with local reports suggesting a former Chinese employee used unrevoked access tokens.
- The French Football Federation (FFF) also reported a breach of its member management software via a compromised account, exposing personal details like names, gender, DOB, nationality, and contact info for an undisclosed number of its 2.2 million members.
- The popular open-source SmartTube YouTube client for Android TV was compromised after an attacker gained access to the developer's signing keys, pushing a malicious update that included a hidden library for device fingerprinting and remote configuration. Users are urged to revert to older, safe builds and reset Google account passwords.

🗞️ The Record | https://therecord.media/coupang-south-korea-data-breach
🕵🏼 The Register | https://go.theregister.com/feed/www.theregister.com/2025/12/01/coupang_breach/
🤖 Bleeping Computer | https://www.bleepingcomputer.com/news/security/retail-giant-coupang-suffers-data-breach-impacting-337-million-people/
🕵🏼 The Register | https://go.theregister.com/feed/www.theregister.com/2025/12/01/french_football_federation_breach/
🤖 Bleeping Computer | https://www.bleepingcomputer.com/news/security/smarttube-youtube-app-for-android-tv-breached-to-push-malicious-update/

Nation-State Actors Evolve Tactics 🕵🏼
- North Korea's Lazarus Group is accused by South Korean officials of stealing $30 million from the Upbit cryptocurrency exchange, using tactics similar to a 2019 attack. The group allegedly impersonated administrators to transfer funds, prompting Upbit to suspend services and move assets to cold storage.
- The Tomiris APT, linked to Kazakhstan-based Storm-0473, is increasingly leveraging public services like Telegram and Discord for command-and-control (C2) in attacks targeting government entities and foreign ministries across Central Asia and Russia. This shift aims to blend malicious traffic with legitimate activity, making detection harder.
- Leaked documents, analysed by Iranian opposition activist Nariman Gharib, allegedly link Iran's "Charming Kitten" (APT35) to assassination operations, suggesting compromised airline, hotel, and medical databases are used to locate regime enemies.

🗞️ The Record | https://therecord.media/officials-accuse-north-korea-hackers-of-attack-on-crypto-exchange
📰 The Hacker News | https://thehackernews.com/2025/12/tomiris-shifts-to-public-service.html
🕵🏼 The Register | https://go.theregister.com/feed/www.theregister.com/2025/12/01/infosec_news_in_brief/

Malicious Browser Extensions Run Rampant 🛡️
- A seven-year-long "ShadyPanda" campaign infected over 4.3 million Chrome and Edge users through 145 seemingly legitimate browser extensions that later pushed malware-laden updates. These extensions evolved from affiliate fraud and search hijacking to deploying remote code execution (RCE) backdoors and spyware.
- The RCE backdoor checks for new instructions hourly, executing arbitrary JavaScript with full browser API access, while spyware components exfiltrate extensive user data including browsing history, keystrokes, and sensitive identifiers to Chinese servers.
- Despite Google removing some, several extensions with millions of installs remain active on the Microsoft Edge Add-ons platform, highlighting a critical gap in ongoing marketplace security reviews post-approval.

🤖 Bleeping Computer | https://www.bleepingcomputer.com/news/security/shadypanda-browser-extensions-amass-43m-installs-in-malicious-campaign/
🕵🏼 The Register | https://go.theregister.com/feed/www.theregister.com/2025/12/01/chrome_edge_malicious_browser_extensions/

AI Browsers: A New Security Nightmare 🧠
- The emergence of "agentic" AI browsers, like OpenAI's ChatGPT Atlas, is transforming browsers from passive tools into autonomous AI agents that can perform actions on behalf of users.
- These agents require maximum privileges, including access to session cookies, credentials, and payment details, creating an unprecedented attack surface and bypassing traditional "human-in-the-loop" safeguards and MFA.
- Prompt injection is a significant risk, where hidden text can command the AI to exfiltrate data, and traditional security tools often miss these threats due to a "session gap" where actions occur locally within the browser.

📰 The Hacker News | https://thehackernews.com/2025/12/webinar-agentic-trojan-horse-why-new-ai.html

Data Privacy Under Scrutiny 🔒
- Switzerland's data protection officers (Privatim) have advised public bodies to avoid hyperscale clouds and SaaS, specifically Microsoft 365, for sensitive data due to a lack of true end-to-end encryption, exposure to the US CLOUD Act, and providers' ability to unilaterally change terms.
- Exercise-tracking app Strava is updating its terms of service to require users to accept all risks associated with geolocation features, following past incidents where user data revealed sensitive locations like military bases.
- Edtech provider Illuminate Education settled with the FTC over a 2021 data breach affecting 10.1 million students, with allegations of poor security practices, deceptive claims, and delayed breach notifications (up to two years for some).

🕵🏼 The Register | https://go.theregister.com/feed/www.theregister.com/2025/12/01/infosec_news_in_brief/
🗞️ The Record | https://therecord.media/illuminate-education-data-breach-settlement-ftc

Regulatory Actions and Government Directives 📜
- Singapore's Ministry of Home Affairs has issued directives to Google and Apple, requiring them to prevent fake government messages and spoofed sender names on iMessage and Google Messages, with significant fines for non-compliance.
- Russia's Roskomnadzor has imposed "restrictive measures" on WhatsApp, citing violations of Russian law and its alleged use for terrorism, crime, and espionage, urging users to switch to domestic alternatives and threatening a full block.
- The Israel Defense Forces (IDF) is reportedly banning Android smartphones for top brass, standardising on iOS devices to reduce exposure to surveillance via social media apps.

🕵🏼 The Register | https://go.theregister.com/feed/www.theregister.com/2025/12/01/asia_tech_news_roundup/
🗞️ The Record | https://therecord.media/russia-whatsapp-restrictions
🕵🏼 The Register | https://go.theregister.com/feed/www.theregister.com/2025/12/01/infosec_news_in_brief/

Law Enforcement Strikes Back 🚨
- A major cryptocurrency mixing service, Cryptomixer, was taken down by Swiss and German law enforcement in "Operation Olympia," seizing three servers, its domain, and €24-29 million in Bitcoin. The service allegedly laundered over €1.3 billion for cybercriminals since 2016.
- South Korean police arrested four individuals for compromising over 120,000 IP cameras, with some suspects creating and selling sexually exploitative videos from intimate locations by exploiting weak passwords.
- In Australia, a man was jailed for over seven years for using "evil twin" Wi-Fi traps at airports and on flights to steal credentials and intimate material, while in the UK, a man received a 6.5-year sentence for operating a dark web drug empire.

🤖 Bleeping Computer | https://www.bleepingcomputer.com/news/security/police-takes-down-cryptomixer-cryptocurrency-mixing-service/
🗞️ The Record | https://therecord.media/cryptomixer-service-takedown-bitcoin-seized
🤫 CyberScoop | https://cyberscoop.com/cryptomixer-takedown-seizure-europol/
🕵🏼 The Register | https://go.theregister.com/feed/www.theregister.com/2025/12/01/cybercrime_arrests_roundup/

Developer Secrets Exposed 🔑
- A security engineer scanned 5.6 million public GitLab repositories and discovered 17,000 verified live secrets, including over 5,000 Google Cloud credentials, 2,000+ MongoDB credentials, and numerous OpenAI, AWS, and Telegram bot tokens.
- The scan, costing about $770 and completed in 24 hours, found GitLab had a 35% higher density of leaked secrets per repository compared to Bitbucket, highlighting a pervasive issue of exposed credentials in public code.

🕵🏼 The Register | https://go.theregister.com/feed/www.theregister.com/2025/12/01/infosec_news_in_brief/

Teen Cybercrime: Just a Phase? 📊
- A Dutch government report suggests that most adolescent cybercriminals tend to desist from offending by the age of 20, similar to other types of youth crime.
- The study indicates that only about four percent of those who start a "black hat" career maintain it into adulthood, often driven by technological curiosity and skill-building rather than financial gain.
- The report highlights the challenge of quantifying the specific social cost of cybercrime due to a lack of longitudinal data and its rapidly evolving nature, though overall adolescent crime costs the Netherlands €10.3 billion annually.

🕵🏼 The Register | https://go.theregister.com/feed/www.theregister.com/2025/12/01/dutch_study_teen_cybercrime/

#CyberSecurity #ThreatIntelligence #DataBreach #APT #LazarusGroup #Tomiris #ShadyPanda #Malware #BrowserExtensions #RCE #AI #AgenticAI #DataPrivacy #RegulatoryCompliance #LawEnforcement #CryptoMixer #Cybercrime #InfoSec #IncidentResponse

one of the largest crypto #defi protocols #Balancer is currently being robbed, $88 million stolen and counting. it will probably turn out to be #NorthKorea (because it's almost always north korea) but TBD.

one of the fun things about crypto is that when someone robs a bank you can watch the getaway car drive away just by clicking on some links in a blockchain explorer.

[edit] details of the bug that was exploited if you’re into that kind of thing: https://x.com/moo9000/status/1985262739493687351

[edit] ended up being a ~$130 million heist.

#DPRK #hack #hacking #infosec #threatintel #cybersecurity #cryptocurrency #crypto #ethereum #LazarusGroup