Hunting Lazarus: Inside the Contagious Interview C2 Infrastructure
We found North Korean malware in a client's Upwork project. Then we spent five days mapping the attackers' infrastructure.
When you vet enough freelancer code repositories, you develop instincts. A .vscode/tasks.json with runOn: folderOpen. A getCookie() function that fetches from a Vercel domain. An errorHandler.js with Function.constructor. These patterns don't belong in legitimate projects.
In early January 2026, during routine vetting of a cryptocurrency project sourced via Upwork, Red Asgard's threat research team discovered all three. The contractor—using a fake identity—had embedded malware in a legitimate-looking code repository.
What followed was a five-day investigation into active Lazarus Group infrastructure. This article documents what we found.
Three Attack Vectors
The repository contained three distinct infection mechanisms:
1. VSCode Auto-Execution
A .vscode/tasks.json file configured with runOn: folderOpen—meaning the malicious code executes …
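A repository triage script for the three indicators named above (a tasks.json task with runOn: folderOpen, a Function.constructor call, and a fetch() to a vercel.app host). This is an added example, not Red Asgard's tooling; the regexes are assumptions, and the sample repo it builds uses constructed, benign stubs with a placeholder host.

```python
import json
import re
import tempfile
from pathlib import Path

# Regexes for the second and third indicators (an assumption; tune per codebase).
FUNCTION_CTOR = re.compile(r"\bFunction\s*\.\s*constructor\b")
VERCEL_FETCH = re.compile(r"fetch\s*\(\s*['\"`]https?://[^'\"`]*\.vercel\.app", re.I)

def tasks_autorun(tasks_json: str) -> list:
    """Return labels of tasks configured to run as soon as the folder opens.
    VS Code also accepts JSONC; a file that fails to parse here deserves a manual look."""
    try:
        doc = json.loads(tasks_json)
    except json.JSONDecodeError:
        return []
    tasks = doc.get("tasks", []) if isinstance(doc, dict) else []
    return [t.get("label", "<unlabeled>") for t in tasks
            if (t.get("runOptions") or {}).get("runOn") == "folderOpen"]

def scan_repo(root: Path) -> dict:
    """Walk a checkout and collect findings keyed by indicator name."""
    hits = {"vscode_autorun": [], "function_constructor": [], "vercel_fetch": []}
    tasks = root / ".vscode" / "tasks.json"
    if tasks.is_file():
        for label in tasks_autorun(tasks.read_text(errors="ignore")):
            hits["vscode_autorun"].append(f"{tasks.name}: task '{label}'")
    for js in root.rglob("*.js"):
        if "node_modules" in js.parts:  # vendored code is triaged separately
            continue
        text = js.read_text(errors="ignore")
        if FUNCTION_CTOR.search(text):
            hits["function_constructor"].append(js.name)
        if VERCEL_FETCH.search(text):
            hits["vercel_fetch"].append(js.name)
    return hits

def demo_scan() -> dict:
    """Build a constructed sample repo with benign stubs of the three patterns, then scan it."""
    root = Path(tempfile.mkdtemp())
    (root / ".vscode").mkdir()
    (root / ".vscode" / "tasks.json").write_text(json.dumps({"version": "2.0.0", "tasks": [
        {"label": "setup", "type": "shell", "command": "echo sample",
         "runOptions": {"runOn": "folderOpen"}}]}))
    (root / "errorHandler.js").write_text("const f = Function.constructor('return 1');\n")
    # PLACEHOLDER host: constructed for the demo, not an indicator from the investigation.
    (root / "getCookie.js").write_text(
        "async function getCookie() { return fetch('https://PLACEHOLDER.vercel.app/'); }\n")
    return scan_repo(root)
```

The runOn setting is the indicator regardless of whether it ever fired: VS Code only runs folderOpen tasks after the user allows automatic tasks for that workspace, so a clean editor history does not clear the repository.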
IoC