Lazarus Group Bybit Heist: C2 forensics
An in-depth hunt for Lazarus APT Group C2 infrastructure related to the Bybit hack.
On March 6, 2025, Safe{Wallet} published an investigation update and a call to action regarding the recent $1+ billion Bybit Hack that was attributed by the FBI to North Korea's Lazarus Group (aka UNC4899). This update builds upon an earlier update by SlowMist that disclosed attacker domains.
This post investigates reported ground truth domains leveraging Validin's host response and historic DNS databases, uncovering additional related infrastructure. In this step-by-step analysis, we'll demonstrate how to use DNS and host response attributes to pivot from known indicators, finding related domains, ultimately providing an expanded set of indicators and search terms that can be leveraged for proactive hunting.
Starting Points - Ground Truth
These are domain names and IPs mentioned in the Safe{Wallet} and SlowMist updates:
Mandiant/Google Cloud Security network indicators published by Safe{Wallet}
getstockprice[.]com, 70.34.245[.]118
trashcrease[.]com, 178.128.77[.]132
anglerstatic[.]com, 131.226.2[.]43
goingladies[.]com, 23.236.169[.]233
185.194.178[.]88
45.86.202[.]224
SlowMist malicious domain and IP list
gossipsnare[.]com, 51.38.145[.]49:443
showmanroast[.]com, 213.252.232[.]171:443
getstockprice[.]info, 131.226.2[.]120:443
eclairdomain[.]com, 37.120.247[.]180:443
replaydreary[.]com, 88.119.175[.]208:443
coreladao[.]com
cdn.clubinfo[.]io
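As an added example (not code from the Validin post or from Safe{Wallet}/SlowMist), the following Python turns the defanged ground-truth list above into domain and IP sets and then runs a host match over a few constructed proxy log lines, so a defender can check their own web-proxy or DNS telemetry against these indicators before pivoting further. The log line format, the `scan_log` helper and the subdomain-matching rule are assumptions made for the example.

```python
"""Parse defanged C2 indicators and flag matching hosts in proxy log lines."""
import re
from typing import Optional

# Constructed copy of the ground-truth indicators listed above, in the
# "domain,ip[:port]" form the vendor lists used, still defanged with [.].
GROUND_TRUTH = """\
getstockprice[.]com,70.34.245[.]118
trashcrease[.]com,178.128.77[.]132
anglerstatic[.]com,131.226.2[.]43
goingladies[.]com,23.236.169[.]233
185.194.178[.]88
45.86.202[.]224
gossipsnare[.]com,51.38.145[.]49:443
showmanroast[.]com,213.252.232[.]171:443
getstockprice[.]info,131.226.2[.]120:443
eclairdomain[.]com,37.120.247[.]180:443
replaydreary[.]com,88.119.175[.]208:443
coreladao[.]com
cdn.clubinfo[.]io
"""

# Constructed proxy log lines (assumed format: time, client, method, target, status).
SAMPLE_PROXY_LOG = [
    "2025-02-21T14:02:11Z 10.0.0.5 GET https://getstockprice.com/update 200",
    "2025-02-21T14:02:13Z 10.0.0.5 CONNECT 51.38.145.49:443 200",
    "2025-02-21T14:05:40Z 10.0.0.9 GET https://api.cdn.clubinfo.io/ 404",
    "2025-02-21T14:06:02Z 10.0.0.7 GET https://example.org/index.html 200",
]

IPV4_RE = re.compile(r"^(?:\d{1,3}\.){3}\d{1,3}$")
# Candidate host tokens in a log line: dotted names or dotted quads.
HOST_TOKEN_RE = re.compile(r"\b[A-Za-z0-9](?:[A-Za-z0-9.-]*[A-Za-z0-9])?\.[A-Za-z0-9-]+\b")


def refang(token: str) -> str:
    """Undo common defanging so indicators compare equal to real log data."""
    return token.strip().replace("[.]", ".").replace("(.)", ".").replace("hxxp", "http")


def parse_indicators(text: str) -> tuple[set[str], set[str]]:
    """Split the defanged list into a domain set and an IP set; ports are dropped."""
    domains: set[str] = set()
    ips: set[str] = set()
    for line in text.splitlines():
        for token in line.split(","):
            host = refang(token)
            if not host:
                continue
            host = re.sub(r":\d+$", "", host).lower()  # strip a trailing :port
            (ips if IPV4_RE.match(host) else domains).add(host)
    return domains, ips


def host_matches(host: str, domains: set[str], ips: set[str]) -> Optional[str]:
    """Return the indicator a host matches; subdomains of a listed domain count as hits."""
    host = host.lower().rstrip(".")
    if host in ips:
        return host
    for d in domains:
        if host == d or host.endswith("." + d):
            return d
    return None


def scan_log(lines: list[str], domains: set[str], ips: set[str]) -> list[tuple[int, str, str]]:
    """Return (line number, observed host, matched indicator) for every line that hits."""
    hits = []
    for n, line in enumerate(lines, 1):
        for token in HOST_TOKEN_RE.findall(line):
            indicator = host_matches(token, domains, ips)
            if indicator:
                hits.append((n, token, indicator))
                break  # one hit per line is enough for triage
    return hits


if __name__ == "__main__":
    doms, addrs = parse_indicators(GROUND_TRUTH)
    for line_no, host, indicator in scan_log(SAMPLE_PROXY_LOG, doms, addrs):
        print(f"line {line_no}: {host} matches indicator {indicator}")
```

Matching is done on the host portion only, so a `CONNECT ip:443` tunnel and a plain `GET` to a listed domain are both caught, and a new subdomain of a listed C2 domain is flagged without needing its own entry.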
We'll create a project in Validin …
IoC
http://45.86.202.224
http://185.69.16.236
http://stocksindex.org
http://www.en.stocksindex.org
http://gossipsnare.com
http://getstockprice.info
http://financecap.io
http://showmanroast.com
http://www.en.wfinance.org
http://wfinance.org
http://anglerstatic.com
http://51.38.145.49:443
http://eclairdomain.com
http://88.119.175.208:443
http://131.226.2.120:443
http://185.236.231.224
http://brown.gallagher-williams.com
http://firexch.com
http://clubinfo.io
http://195.133.26.32
http://gallagher-williams.com
http://castro.smith.com
http://smith.com
http://getcoinprice.info
http://trashcrease.com
http://en.stocksindex.org
http://70.34.245.118
http://goingladies.com
http://www.api.stockinfo.io
http://getstockprice.com
http://smith-jones.graham.info
http://coreladao.com
http://213.252.232.171:443
http://37.120.247.180:443
http://131.226.2.43
http://replaydreary.com
http://stockinfo.io
http://178.128.77.132
http://136.244.93.248
http://185.194.178.88
http://cdn.clubinfo.io
http://en.wfinance.org
http://5.206.227.51
http://23.236.169.233
http://192.248.167.90
http://api.stockinfo.io
185.236.231.224
131.226.2.43
213.252.232.171
131.226.2.120
192.248.167.90
136.244.93.248
178.128.77.132
5.206.227.51
51.38.145.49
185.194.178.88
37.120.247.180
185.69.16.236
70.34.245.118
88.119.175.208
23.236.169.233
45.86.202.224
195.133.26.32
b21405ce3c3456214ad8fc5263eeabb1
d767b3cb0ad66544c649e4165fc4b37e3c17e370