lazarusholic

Everyday is lazarus.dayβ

Hunting Lazarus, Part 5: Eleven Hours on His Disk

2026-02-28, RedAsgard
https://redasgard.com/blog/hunting-lazarus-part5-eleven-hours-on-his-disk
#Lazarus

Contents

Hunting Lazarus, Part 5: Eleven Hours on His Disk
Forensic examination of an active Lazarus Group operator machine: a target list of nearly 17,000 developers, six drained wallets, and a plaintext file containing his own keys.
This is Part 5 of the "Hunting Lazarus" series. Parts 1–4 documented the Contagious Interview campaign run by Lazarus Group – the DPRK-linked APT – which targets cryptocurrency and Web3 developers with fake job interviews, fabricated company identities, and malicious code repositories. This installment covers the forensic examination of a MonoVM VPS running Windows Server 2025, machine name WIN-RCH83RTDA5G, whose disk was acquired through the provider's rescue mode. The operator left more behind than he knew.
What an active operation leaves behind
At 05:20 UTC on February 19, we booted WIN-RCH83RTDA5G into rescue mode and changed the Windows Administrator password.
At 06:13:44 UTC, the operator logged back in.
Security ID: SYSTEM
Account Name: WIN-RCH83RTDA5G$
Logon Type: 10
Source Address: 37.19.200.137
Source Port: 64821
Date: 2026-02-19
Time: 06:13:44 UTC
Event ID: 4624
Logon …

IoC

https://gitlab.com/jason198511/evm-1-8-128-release
144.172.89.198
167.88.165.222
37.19.200.137
62.33.223.164
67.43.49.10
195.201.104.53
216.126.227.239
23.227.199.7
[email protected]
[email protected]
[email protected]
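To make the logon evidence above and the IoC list repeatable, here is an added example (my own code, not RedAsgard's or lazarusholic's) that parses 4624 records in the field-per-line form quoted in the article, keeps RemoteInteractive (Logon Type 10) logons whose Source Address is on the IoC list, and restricts them to the window after the 05:20 UTC password change. The sample records are constructed: the first is the event quoted on the page, the other three are invented filler so each filter has something to reject. One caveat when reading real 4624 events: the Security ID SYSTEM and Account Name WIN-RCH83RTDA5G$ in the excerpt are the event's Subject fields (the process that requested the logon; for RDP that is Winlogon running as the machine account), and the account that actually signed in appears in the New Logon section, which the excerpt cuts off.

```python
import re
from dataclasses import dataclass
from datetime import datetime, timezone

# IP indicators copied from the page's IoC list.
IOC_IPS = {
    "144.172.89.198", "167.88.165.222", "37.19.200.137", "62.33.223.164",
    "67.43.49.10", "195.201.104.53", "216.126.227.239", "23.227.199.7",
}

# When the Administrator password was changed from rescue mode (from the page).
PASSWORD_CHANGE = datetime(2026, 2, 19, 5, 20, tzinfo=timezone.utc)

# Constructed sample input, not a real export: record 1 is the 4624 quoted on the
# page; records 2-4 are invented filler (wrong type, non-IoC address, before cutoff).
SAMPLE_EVENTS = """\
Security ID: SYSTEM
Account Name: WIN-RCH83RTDA5G$
Logon Type: 10
Source Address: 37.19.200.137
Source Port: 64821
Date: 2026-02-19
Time: 06:13:44 UTC
Event ID: 4624

Security ID: SYSTEM
Account Name: WIN-RCH83RTDA5G$
Logon Type: 3
Source Address: 167.88.165.222
Source Port: 51200
Date: 2026-02-19
Time: 06:30:09 UTC
Event ID: 4624

Security ID: SYSTEM
Account Name: WIN-RCH83RTDA5G$
Logon Type: 10
Source Address: 198.51.100.7
Source Port: 49152
Date: 2026-02-19
Time: 07:02:11 UTC
Event ID: 4624

Security ID: SYSTEM
Account Name: WIN-RCH83RTDA5G$
Logon Type: 10
Source Address: 37.19.200.137
Source Port: 58804
Date: 2026-02-19
Time: 04:58:02 UTC
Event ID: 4624
"""

@dataclass(frozen=True)
class Logon:
    when: datetime      # UTC timestamp built from the Date and Time fields
    logon_type: int     # 10 = RemoteInteractive (RDP), 3 = Network, ...
    source: str         # Source Address
    port: int           # Source Port
    account: str        # Subject Account Name (for RDP this is the machine account)

FIELD_RE = re.compile(r"^\s*([A-Za-z ]+?):\s*(.*?)\s*$")

def parse_events(text: str) -> list[Logon]:
    """Parse blank-line-separated 'Key: Value' records; keep well-formed 4624s."""
    logons = []
    for block in re.split(r"\n\s*\n", text.strip()):
        fields = {}
        for line in block.splitlines():
            m = FIELD_RE.match(line)
            if m:
                fields[m.group(1)] = m.group(2)
        if fields.get("Event ID") != "4624":
            continue
        try:
            when = datetime.strptime(f"{fields['Date']} {fields['Time']}",
                                     "%Y-%m-%d %H:%M:%S UTC").replace(tzinfo=timezone.utc)
            logons.append(Logon(when, int(fields["Logon Type"]), fields["Source Address"],
                                int(fields["Source Port"]), fields["Account Name"]))
        except (KeyError, ValueError):
            continue  # truncated or malformed record: skip rather than guess
    return logons

def flag_operator_logons(logons, ioc_ips=IOC_IPS, not_before=PASSWORD_CHANGE):
    """RDP logons from an IoC address at or after the password change, oldest first."""
    hits = [l for l in logons
            if l.logon_type == 10 and l.source in ioc_ips and l.when >= not_before]
    return sorted(hits, key=lambda l: l.when)

def report(text: str = SAMPLE_EVENTS) -> list[tuple[str, str, int]]:
    return [(h.when.isoformat(), h.source, h.port)
            for h in flag_operator_logons(parse_events(text))]

if __name__ == "__main__":
    for when, src, port in report():
        print(f"{when}  RemoteInteractive logon from {src}:{port}")
```

On a real case, feed it the text export of the Security log pulled from the acquired image rather than SAMPLE_EVENTS; records that lack a field (like the truncated one quoted above) are skipped instead of guessed at, and lowering `not_before` to the start of the day shows whether the same addresses were already logging in before the password change.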