Hunting Lazarus Part II: When the Dead Drop Moved to the Blockchain
The attackers couldn't keep their Pastebin accounts online. So they moved their payload delivery to infrastructure that can't be taken down.
In Part I, Red Asgard's threat research team documented the Contagious Interview campaign: 1,000 Pastebin dead drop accounts, a timing oracle vulnerability, and a custom binary protocol on port 22411. That infrastructure was being disrupted—accounts taken down, IPs blocked.
Eleven days later, we found a new sample. Same campaign. Evolved tactics. The dead drop resolver had moved to the blockchain.
This report describes the first documented blockchain-based dead drop resolver used by Lazarus Group: Polygon NFT contracts as payload storage. Infrastructure that literally cannot be seized.
Key Findings
- Blockchain DDR: Polygon NFT contracts storing malicious JavaScript—immutable and globally replicated
- Brand impersonation: Attackers posed as real company Betfin with functional code and Figma designs
- 3 concurrent campaigns: Diversified infrastructure across dedicated servers, bulletproof …
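A blockchain dead drop resolver still has to talk to an RPC endpoint, and that traffic is where a defender sees it: the implant issues JSON-RPC `eth_call` requests against the contract, and the contract hands back an ABI-encoded string. The following Python is an added example written for this report, not code from Red Asgard or from the sample; it decodes a captured `eth_call` request/response pair, checks the target address against the report's two listed addresses, identifies the standard ERC-721 `tokenURI(uint256)` selector (`0xc87b56dd`, the well-known selector for that signature), and flags a returned string that looks like script. The sample exchange and the returned string are constructed placeholders, not captured traffic.

```python
import json

# Addresses from the report's IoC list (the page prints them without the 0x prefix).
REPORT_CONTRACTS = {
    "ad031E8d8877481337cD53E141C16A2201BB6F4d",
    "a80db78ff597c3D34cCAF3bdaC39f3E193595561",
}

# ERC-721 tokenURI(uint256): the selector is the first four bytes of keccak256 of the signature.
KNOWN_SELECTORS = {"c87b56dd": "tokenURI(uint256)"}

# Substrings that make a returned string worth a closer look; a triage heuristic, not a signature.
SCRIPT_MARKERS = ("eval(", "require(", "child_process", "function(", "=>")


def strip0x(h):
    return h[2:] if h[:2].lower() == "0x" else h


def encode_abi_string(s):
    """ABI-encode one `string` return value: offset word (32), length word, data padded to 32 bytes."""
    data = s.encode()
    padded = data + b"\x00" * (-len(data) % 32)
    return "0x" + (32).to_bytes(32, "big").hex() + len(data).to_bytes(32, "big").hex() + padded.hex()


def decode_abi_string(result_hex):
    """Inverse of encode_abi_string; raises ValueError on a truncated or malformed result."""
    raw = bytes.fromhex(strip0x(result_hex))
    if len(raw) < 64:
        raise ValueError("result too short for an ABI-encoded string")
    offset = int.from_bytes(raw[:32], "big")
    if offset + 32 > len(raw):
        raise ValueError("offset points outside the result")
    length = int.from_bytes(raw[offset:offset + 32], "big")
    data = raw[offset + 32:offset + 32 + length]
    if len(data) != length:
        raise ValueError("string data truncated")
    return data.decode("utf-8", errors="replace")


def triage_eth_call(request_json, response_json):
    """Summarise one captured JSON-RPC eth_call request/response pair; None if it is not an eth_call."""
    req = json.loads(request_json)
    resp = json.loads(response_json)
    if req.get("method") != "eth_call" or "result" not in resp:
        return None
    call = req["params"][0]
    to = strip0x(call.get("to", ""))
    data = strip0x(call.get("data", ""))
    selector = data[:8].lower()
    decoded = decode_abi_string(resp["result"])
    return {
        "to": to,
        "known_contract": to.lower() in {a.lower() for a in REPORT_CONTRACTS},
        "function": KNOWN_SELECTORS.get(selector, "unknown selector 0x" + selector),
        # For tokenURI the single argument is a uint256 token id in the next 32-byte word.
        "token_id": int(data[8:72], 16) if len(data) >= 72 else None,
        "decoded_length": len(decoded),
        "looks_like_script": any(m in decoded for m in SCRIPT_MARKERS),
        "decoded": decoded,
    }


# Constructed sample exchange (not captured traffic): tokenURI(1) against a listed address, and a
# response whose string body is a placeholder standing in for whatever the contract really stores.
SAMPLE_REQUEST = json.dumps({
    "jsonrpc": "2.0", "id": 1, "method": "eth_call",
    "params": [{"to": "0xad031E8d8877481337cD53E141C16A2201BB6F4d",
                "data": "0xc87b56dd" + "1".rjust(64, "0")}, "latest"],
})
SAMPLE_RESPONSE = json.dumps({
    "jsonrpc": "2.0", "id": 1,
    "result": encode_abi_string("(function(){/* constructed placeholder body */})()"),
})

if __name__ == "__main__":
    print(json.dumps(triage_eth_call(SAMPLE_REQUEST, SAMPLE_RESPONSE), indent=2))
```

Run it over request/response bodies pulled from a proxy or EDR network capture; a hit on `known_contract` is the strongest signal, while `looks_like_script` on any `tokenURI` result is the generic check, since a legitimate NFT metadata URI is a short URL, not a function body.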
IoC
URL
- http://87.236.177.9:3000/api/errorMessage
IP addresses
- 147.124.213.232
- 11.34.242.92
- 147.124.212.125
- 87.236.177.9
- 45.59.163.55
- 66.235.168.238
Blockchain addresses (EVM format, listed without the 0x prefix)
- ad031E8d8877481337cD53E141C16A2201BB6F4d
- a80db78ff597c3D34cCAF3bdaC39f3E193595561
SHA-256 hashes
- 43223ce324e65b694bb8dd6bbf7992e29f75605a366532fe993bfdd924193f84
- e695f6628abade062d5a2310e16c5b2d1707795c0214b939d328e0772a776fea
- 3e2d9bcf6ff5ae441493df87e8c46b68c12985d88152cd4ab047b236a77dd30d
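The indicators above are of four different kinds and match differently: the URL is a literal, the IPs appear with or without a port, the blockchain addresses lose their checksum casing when embedded in JavaScript or JSON-RPC bodies, and hashes may be reported upper-case by an EDR. The scanner below is an added example, not tooling from the report; it carries the IoCs exactly as listed and runs them over a handful of constructed log lines (not real telemetry) to show each case being normalised and matched.

```python
import re

# Indicators copied from the report's IoC section.
IOC_URL = "http://87.236.177.9:3000/api/errorMessage"
IOC_IPS = {
    "147.124.213.232", "11.34.242.92", "147.124.212.125",
    "87.236.177.9", "45.59.163.55", "66.235.168.238",
}
IOC_EVM_ADDRESSES = {  # compared case-insensitively: checksum casing is not preserved in code or RPC bodies
    "ad031E8d8877481337cD53E141C16A2201BB6F4d",
    "a80db78ff597c3D34cCAF3bdaC39f3E193595561",
}
IOC_SHA256 = {
    "43223ce324e65b694bb8dd6bbf7992e29f75605a366532fe993bfdd924193f84",
    "e695f6628abade062d5a2310e16c5b2d1707795c0214b939d328e0772a776fea",
    "3e2d9bcf6ff5ae441493df87e8c46b68c12985d88152cd4ab047b236a77dd30d",
}

# Boundaries are explicit so a 40-hex address is never matched inside a 64-hex hash
# and an IP is matched whether or not a :port follows it.
_IPV4 = re.compile(r"(?<![\w.])(?:\d{1,3}\.){3}\d{1,3}(?![\w.])")
_HEX40 = re.compile(r"(?<![0-9a-fA-F])(?:0x)?([0-9a-fA-F]{40})(?![0-9a-fA-F])")
_HEX64 = re.compile(r"(?<![0-9a-fA-F])[0-9a-fA-F]{64}(?![0-9a-fA-F])")
_EVM_LOWER = {a.lower() for a in IOC_EVM_ADDRESSES}


def scan_line(line):
    """Return the indicator categories matched in one log line, e.g. {'url': [...], 'ip': [...]}."""
    hits = {}
    if IOC_URL in line:
        hits["url"] = [IOC_URL]
    ips = sorted({m.group(0) for m in _IPV4.finditer(line)} & IOC_IPS)
    if ips:
        hits["ip"] = ips
    addrs = sorted({m.group(1).lower() for m in _HEX40.finditer(line)} & _EVM_LOWER)
    if addrs:
        hits["evm_address"] = addrs
    hashes = sorted({m.group(0).lower() for m in _HEX64.finditer(line)} & IOC_SHA256)
    if hashes:
        hits["sha256"] = hashes
    return hits


def scan_lines(lines):
    """Return [(line_number, hits)] for every line that matched at least one indicator."""
    return [(n, h) for n, line in enumerate(lines, 1) if (h := scan_line(line))]


# Constructed sample telemetry (not real logs): proxy, firewall, EDR file event, and an RPC body.
SAMPLE_LOGS = [
    "2025-01-01T10:00:00Z proxy allow 10.0.0.5 -> http://87.236.177.9:3000/api/errorMessage 200",
    "2025-01-01T10:00:01Z proxy allow 10.0.0.5 -> https://updates.example.invalid/index.html 200",
    "2025-01-01T10:00:02Z fw deny 10.0.0.7 -> 147.124.213.232:22411 tcp",
    "2025-01-01T10:00:03Z edr file /home/dev/project/node_modules/.cache/x.js "
    "sha256=43223CE324E65B694BB8DD6BBF7992E29F75605A366532FE993BFDD924193F84",
    '2025-01-01T10:00:04Z proxy body POST https://rpc.example.invalid/ '
    '{"method":"eth_call","params":[{"to":"0xad031e8d8877481337cd53e141c16a2201bb6f4d"}]}',
]

if __name__ == "__main__":
    for number, hits in scan_lines(SAMPLE_LOGS):
        print(f"line {number}: {hits}")
```

Feed it one log line per list element; because the match sets are plain Python sets, extending it to the next report's indicators is a matter of adding to the constants, and the hex-boundary regexes keep a long hash from producing a spurious address hit.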