Hunting Lazarus Part IV: Real Blood on the Wire
It has been only days since we published Part III—where we asked whether we were hunting Lazarus or walking into a honeypot. We did not expect to be back this soon. But what we found makes everything before it look like a prologue.
Executive Summary
In the days following Part III's publication, continued investigation of the Contagious Interview campaign produced findings that fundamentally change the picture. Red Asgard's threat research team:
- Confirmed the C2 infrastructure is operationally real—not a honeypot—by recovering 241,764 stolen credentials belonging to 857 victims across 90 countries
- Discovered credentials for banking platforms (HDFC, Bank of America, Charles Schwab, Revolut), payment processors (PayPal, Payoneer, Stripe), and 4,280 Google accounts—all in plaintext on unauthenticated endpoints
- Identified the victim profile: software developers and freelancers, primarily in South Asia, recruited through fake job interviews on Upwork and Fiverr
- Discovered a fourth malware family: an …
IoC