Inside Lazarus: How North Korea uses AI to industrialize attacks on developers
TL;DR
- Expel is actively tracking an APT group that we assess with high confidence to be North Korean (DPRK) state-sponsored. We suspect that the threat actor is a subgroup or spin-off of a larger organization, potentially starting out as fraudulent IT workers before pivoting to malware.
- The group is extremely active in targeting Web3 developers and is primarily focused on stealing high-value digital assets such as cryptocurrency and NFTs.
- Within 3 months the threat actor exfiltrated cryptocurrency wallets worth as much as $12M, though hardware security tokens may limit the damage.
- Whilst this specific group is financially motivated, many of their techniques overlap with other DPRK APTs, including those engaged in espionage.
- The group makes heavy use of Generative AI, often abusing tools like Cursor and ChatGPT.
Introducing Expel-TA-0001 (AKA HexagonalRodent)
Why yet another threat actor name?
Like many of you, we’re also frustrated with the endless creation of new names …
IoC
http://codepointlab.com
http://aihealthchains.com
http://195.201.104.53
195.201.104.53
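The indicators above are a mix of URLs and a bare IP, and the same host appears more than once in different forms. A defender will want to normalise them to hostnames/IPs before sweeping logs, and to match subdomains as well as exact hosts. The following is an added example (not code from Expel or from the original post) that does exactly that against a few constructed proxy log lines; the log format and the sample lines are assumptions for illustration, while the indicator values are the ones listed on this page.

```python
"""Normalise the IoCs from this page and sweep constructed proxy log lines for them."""
import re
from urllib.parse import urlparse

# Indicators exactly as listed on the page (two URLs, one URL with an IP, one bare IP).
PAGE_IOCS = [
    "http://codepointlab.com",
    "http://aihealthchains.com",
    "http://195.201.104.53",
    "195.201.104.53",
]

# Constructed sample proxy log lines (not from the page): time, client, dest IP, method, URL, status.
SAMPLE_LOGS = [
    "2024-05-01T10:02:11Z dev-laptop-07 203.0.113.5 GET http://example.org/index.html 200",
    "2024-05-01T10:03:45Z dev-laptop-07 195.201.104.53 POST http://195.201.104.53/upload 200",
    "2024-05-01T10:05:02Z build-agent-2 198.51.100.9 GET https://codepointlab.com/sdk.tgz 200",
    "2024-05-01T10:07:19Z dev-laptop-11 203.0.113.9 GET https://www.aihealthchains.com/api 404",
]

URL_HOST_RE = re.compile(r"https?://([^/\s:]+)")
IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")


def normalize_iocs(iocs):
    """Reduce URLs and bare hosts to a deduplicated set of lowercase hostnames/IPs."""
    hosts = set()
    for ioc in iocs:
        ioc = ioc.strip().lower()
        host = urlparse(ioc).hostname if "://" in ioc else ioc.split("/")[0]
        if host:
            hosts.add(host)
    return hosts


def extract_hosts(line):
    """Return every candidate host in a log line: URL hostnames plus any dotted IPv4 address."""
    hosts = {h.lower() for h in URL_HOST_RE.findall(line)}
    hosts.update(IPV4_RE.findall(line))
    return hosts


def host_matches(host, ioc_host):
    """Exact match, or subdomain match (www.aihealthchains.com hits aihealthchains.com)."""
    return host == ioc_host or host.endswith("." + ioc_host)


def find_hits(log_lines, iocs=PAGE_IOCS):
    """Return (line_index, matched_ioc_host) for each log line that touches an indicator."""
    ioc_hosts = sorted(normalize_iocs(iocs))
    hits = []
    for idx, line in enumerate(log_lines):
        for host in sorted(extract_hosts(line)):
            for ioc_host in ioc_hosts:
                if host_matches(host, ioc_host):
                    hits.append((idx, ioc_host))
                    break  # one hit per observed host is enough
    return hits


if __name__ == "__main__":
    for idx, ioc_host in find_hits(SAMPLE_LOGS):
        print(f"line {idx}: matched {ioc_host}: {SAMPLE_LOGS[idx]}")
```

Run against the sample lines it reports three hits (the IP, the first domain and the `www.` subdomain of the second) and ignores the benign `example.org` request; a host such as `notcodepointlab.com` does not match because the suffix check requires a dot boundary.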