Lazarus' Espionage-related Cryptocurrency Activities Remain Active, With A Significant Amount of Assets Still in Circulation
1. Overview
Lazarus is a state-backed APT group from Northeast Asia that has been active since at least 2009. Lazarus targets a wide range of victims and has evolved into a complex hacking organization with multiple branches. Unlike other APT groups, Lazarus is primarily motivated by financial gain. Over the past decade, the group has shown a keen interest in the cryptocurrency sector.
ThreatBook has observed that since the Lazarus PyPI poisoning incident involving Python repositories, the group has increasingly favored lightweight Python and JavaScript arsenals. Despite multiple disclosures of related attacks, many of their malicious assets remain active. Given the escalating political tensions on the Korean Peninsula, Lazarus may become even more active in the future.
Lazarus has been luring targets by posting fake cryptocurrency-related job ads or project opportunities on social media platforms. Once individuals take the bait, they are further tricked into installing malicious tools related to video interviews or …
IoC
fca6351f0a913e3ca9df5cb0e0d5c0a05bcf580bcc57c4e858ee5378969430cd
b8e69d6a766b9088d650e850a638d7ab7c9f59f4e24e2bc8eac41c380876b0d8
6156127355d8016c8e741de98ee4ef2a4cb5cb02cd44f22fd3c8fef033b69830
23.254.244.242
000b4a77b1905cabdb59d2b576f6da1b2ef55a0258004e4a9e290e9f41fb6923
185.235.241.208
67.203.7.171
45.61.129.255
36cac29ff3c503c2123514ea903836d5ad81067508a8e16f7947e3e675a08670
dfb8c0525681d6fa8f65bbd62293c619a778f4080ebe29e41fe31b4f122000cf
0621d37818c35e2557fdd8a729e50ea662ba518df8ca61a44cc3add5c6deb3cd
6465f7ddc9cf8ab6714cbbd49e1fd472e19818a0babbaf3764e96552e179c9af
147.124.214.237
167.88.168.152
67.203.123.171
http://185.235.241.208:1224/mclip/99/root
23.106.253.194
c73e3fdfeb574497c70e4a73a3dabe02ca74bc7beba3f4b9bf10f44968d20ccb
http://185.235.241.208:1224/pdown
172.86.97.80
http://185.235.241.208:1224/client/99
167.88.168.24
172.86.98.240
147.124.212.146
http://185.235.241.208:1224/payload/99/root
147.124.214.129
46.4.224.205
140.99.223.36
144.172.74.48
a87b6664b718a9985267f9670e10339372419b320aa3d3da350f9f71dff35dd1
45.140.147.208
77.37.37.81
166.88.132.39
23.106.253.215
http://185.235.241.208:1224/brow/99/root
5f002c34ff4549dc73e648f0f6b487e01ef695684fffc00fb6c85914a97afdb4
23.106.253.209
45.61.130.0
67.203.7.163
5b70972c72bf8af098350f8a53ec830ddbd5c2c7809c71649c93f32a8a3f1371
147.124.214.131
9ece783ac52c9ec2f6bdfa669763a7ed1bbb24af1e04e029a0a91954582690cf
247b10932d52c9a66ef073b7bc4461828081ffe07e06f6f20e4e32895acb61ba
bbad95905eb7a2b62685da98ba46aa3f19cb8a340ea71e5f85ee5b5a57aa27cb
23.106.70.154
172.86.123.35
7f1f51d216e621ed4fd9f5346044685a0e04c6a7fdd2c177f5d6233a67e2fd4e
67.203.7.245
9abf6b93eafb797a3556bea1fe8a3b7311d2864d5a9a3687fce84bc1ec4a428c
45.61.158.7
5cce14436b3ae5315feec2e12ce6121186f597b3
5209782555a10ee0a301faf1eff698291aea0e0b298e3926eebd37dc9b5d1a46
45.61.169.99
8a23dd86da0aff9b460b8ebc9dd3e891d44ea0183ace4f5d28a7e4ddab47664a
8ebca0b7ef7dbfc14da3ee39f478e880
45.61.169.187
6a104f07ab6c5711b6bc8bf6ff956ab8cd597a388002a966e980c5ec9678b5b0
95.164.17.24
147.124.213.17
135.181.242.24
94076a58c29d7e7f8b5f61739ab85ada09e41cd9212bc610b89e0fde30d5de70
67.203.6.171
91.92.120.135
144.172.74.108
144.172.79.23
173.211.106.101
45.89.53.59
04cc30ea566af31abc2fdced5f9503aab30550373124d47985fbab19ace2caa8
147.124.212.89
172.86.100.168
http://185.235.241.208:1224
45.61.158.54
45.61.160.14
147.124.213.29
http://185.235.241.208:1224/uploads
167.88.164.29
b5aa25da526121df9c520b622bfde5272fb686b3e12ae33e069eeb8b346ab7fd
147.124.213.11
67.203.0.152
f474c840501076b1aceba06e1376cee142a7ff1fa642822f7592c92ae70578c2
45.61.131.218
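The IoC list above mixes SHA256, SHA1 and MD5 file hashes, IP addresses and full URLs without labelling them. As an added example (not part of the ThreatBook report), the following Python script classifies each indicator by type, loads a subset of the indicators copied from the list above into a lookup structure, and scans a few constructed log lines (proxy, EDR hash events and a netflow record, none of them real telemetry) for matches. Hash matching is case-insensitive, and IP indicators are matched both as standalone fields and inside URLs, so a hit on the C2 host is raised even if the exact URL path differs.

```python
import ipaddress
import re
from collections import defaultdict

# Subset of the indicators listed in the IoC section above (copied from this report).
IOC_FEED = """
185.235.241.208
http://185.235.241.208:1224/payload/99/root
23.254.244.242
b8e69d6a766b9088d650e850a638d7ab7c9f59f4e24e2bc8eac41c380876b0d8
5cce14436b3ae5315feec2e12ce6121186f597b3
8ebca0b7ef7dbfc14da3ee39f478e880
"""

# Hex digest length -> hash algorithm.
HEX_LENGTHS = {32: "md5", 40: "sha1", 64: "sha256"}


def classify(indicator):
    """Return the indicator type: url, ip, md5, sha1, sha256 or unknown."""
    s = indicator.strip().lower()
    if s.startswith(("http://", "https://")):
        return "url"
    try:
        ipaddress.ip_address(s)
        return "ip"
    except ValueError:
        pass
    if re.fullmatch(r"[0-9a-f]+", s) and len(s) in HEX_LENGTHS:
        return HEX_LENGTHS[len(s)]
    return "unknown"


def load_feed(text):
    """Parse a newline-separated IoC dump into lower-cased sets keyed by type."""
    feed = defaultdict(set)
    for line in text.splitlines():
        line = line.strip()
        if line:
            feed[classify(line)].add(line.lower())
    return feed


# Constructed sample log lines (not from the report): a proxy record, two EDR
# file-hash events and one benign netflow record that must not match.
SAMPLE_LOGS = [
    'proxy 2024-05-01T10:00:01Z src=10.0.0.5 dst=185.235.241.208:1224 '
    'url="http://185.235.241.208:1224/payload/99/root" ua="node"',
    'edr 2024-05-01T10:00:03Z host=dev-laptop-07 '
    'file=C:\\Users\\dev\\AppData\\Roaming\\npm\\node_modules\\x\\index.js '
    'sha256=B8E69D6A766B9088D650E850A638D7AB7C9F59F4E24E2BC8EAC41C380876B0D8',
    'flow 2024-05-01T10:00:09Z src=10.0.0.9 dst=93.184.216.34:443 proto=tcp bytes=1532',
    'edr 2024-05-01T10:01:12Z host=dev-laptop-07 file=/tmp/update.py '
    'md5=8ebca0b7ef7dbfc14da3ee39f478e880',
]

IP_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
# Exact-length hex runs only, so a SHA256 is not also reported as an MD5 prefix.
HEX_RE = re.compile(r"\b[0-9a-fA-F]{32}\b|\b[0-9a-fA-F]{40}\b|\b[0-9a-fA-F]{64}\b")
URL_RE = re.compile(r"https?://[^\s\"']+")


def scan_line(line, feed):
    """Return de-duplicated (indicator_type, indicator) hits found in one log line."""
    hits = []
    for url in URL_RE.findall(line):
        if url.lower() in feed["url"]:
            hits.append(("url", url.lower()))
    for ip in IP_RE.findall(line):
        if ip in feed["ip"]:
            hits.append(("ip", ip))
    for digest in HEX_RE.findall(line):
        kind = HEX_LENGTHS[len(digest)]
        if digest.lower() in feed[kind]:
            hits.append((kind, digest.lower()))
    return list(dict.fromkeys(hits))


def scan_logs(lines, feed):
    """Map log line index -> hits, keeping only lines with at least one hit."""
    results = {}
    for idx, line in enumerate(lines):
        hits = scan_line(line, feed)
        if hits:
            results[idx] = hits
    return results


if __name__ == "__main__":
    feed = load_feed(IOC_FEED)
    for idx, hits in scan_logs(SAMPLE_LOGS, feed).items():
        print(f"line {idx}: {hits}")
```

In production the feed would be loaded from the full list rather than the subset embedded here, and the regex extraction would be replaced by the structured fields the log source already provides; the classification step is the part worth keeping, because feeds like this one are routinely published as a flat list with the types left implicit.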