
Beyond the Pond Phish: Unraveling Lazarus Group’s Evolving Tactics

2025-05-30, BitMEX
https://blog.bitmex.com/bitmex-busts-lazarus-group/
#Lazarus

The Lazarus Group is a prominent hacking group associated with the North Korean government, with a long history of targeting companies and individuals in the cryptocurrency space. It has been linked to the breaches of Phemex, WazirX, Bybit, and Stake, among others.
Our security team frequently responds to attempted attacks against us, many of which use techniques or infrastructure that other researchers have tied to the Lazarus Group.
A common pattern in their major operations is the use of relatively unsophisticated methods, often starting with phishing, to gain a foothold in the target’s systems.
For example, in the Bybit breach, the group tricked a Safe Wallet employee into running malicious code on their computer to establish initial access. Once this foothold was obtained, what looks like a more sophisticated “division” of the group took over and continued post-exploitation, obtaining access to Safe’s AWS account and modifying the wallet’s front-end source code, which …

IoC

http://fashdefi.store:6168/defy/v5
http://regioncheck.net/api/user/thirdcookie/v3/726
http://144.172.96.35/
https://mkswbddldpyiqkyu.supabase.co/
89.116.158.188
89.116.158.156
107.182.231.193
89.187.161.220
120.226.22.28
89.187.185.11
45.56.197.79
38.132.106.130
223.104.144.97
89.116.158.68
108.181.57.127
199.168.113.31
89.116.158.164
107.182.231.196
89.116.158.228
45.141.153.154
195.146.5.31
184.174.5.149
89.116.158.84
45.141.153.130
146.70.63.2
167.88.61.148
129.232.193.253
31.13.189.10
31.13.189.178
209.127.117.234
144.172.96.35
38.134.148.94
37.120.216.226
217.138.198.34
38.170.181.10
31.13.189.26