lazarusholic

Lazarus Group is Using the Solana Blockchain as a Dead-Drop C2 Channel -- and Nobody Noticed for 4 Months

2026-03-16, BreakGlassIntelligence
https://intel.breakglass.tech/post/lazarus-group-is-using-the-solana-blockchain-as-a-dead-drop-c2-channel-and-nobody-noticed-for-4-months
#TraderTraitor

Published: 2026-03-16 | Author: BGI | Investigation Date: 2026-03-16
TL;DR
A Node.js Stage-1 dropper attributed to Lazarus Group's TraderTraitor sub-cluster (UNC4899 / Jade Sleet / Slow Pisces) uses Solana blockchain transaction memos as a dead-drop resolver for C2 rotation. The operator posts base64-encoded C2 URLs as memos to wallet BjVeAjPrSKFiingBn4vZvghsGj9KCE8AJVtbc9S8o8SC, and the malware reads them via the public Solana RPC API -- no domain to sinkhole, no DNS to block, no infrastructure to seize. The campaign has been running since November 2025 across 7 rotating Vultr VPS nodes in France, all on AS20473, with 51 memo transactions posted to the dead-drop wallet over roughly four months. AES-encrypted Stage-2 payloads have their keys delivered via HTTP response headers. A kill-switch (process.exit(0)) was ACTIVE during our live probing, suggesting the operator knew they were being watched. …
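As an added example (not code from the lazarusholic entry or the BreakGlassIntelligence report), the following Python helper turns the TL;DR into triage logic: decode_memo() checks whether a transaction memo is a base64-encoded URL and memo_points_to_known_c2() whether its host is one of the reported C2 IPs, while classify_event() flags outbound JSON-RPC requests to the public Solana endpoint that enumerate the dead-drop wallet from a Node.js process. The telemetry format (dicts with process, dst_host and body fields), the sample events and the sample memos are constructed for this example; the wallet address, RPC host and IP addresses are the indicators listed on this page, and getSignaturesForAddress / getTransaction are the standard Solana JSON-RPC methods a memo reader needs.

```python
# Added example (not from the lazarusholic entry or the BreakGlassIntelligence
# report): triage helpers for the Solana dead-drop resolver pattern.
# Assumptions (constructed for this example): telemetry arrives as dicts with
# "process", "dst_host" and "body" fields, where "body" is the raw JSON-RPC
# request sent to the Solana RPC endpoint. Wallet, RPC host and IPs are the
# indicators from the report above.
import base64
import binascii
import json
from urllib.parse import urlparse

DEAD_DROP_WALLET = "BjVeAjPrSKFiingBn4vZvghsGj9KCE8AJVtbc9S8o8SC"
SOLANA_RPC_HOSTS = {"api.mainnet-beta.solana.com"}
C2_IPS = {
    "217.69.11.57", "217.69.11.60", "70.34.242.255", "45.32.150.97",
    "45.76.44.240", "217.69.11.99", "217.69.0.159", "45.32.151.157",
}
# Solana JSON-RPC methods a memo reader needs: list a wallet's signatures,
# then fetch each transaction to read the memo instruction.
MEMO_RPC_METHODS = {"getSignaturesForAddress", "getTransaction"}


def decode_memo(memo: str):
    """Interpret a transaction memo as a base64-encoded http(s) URL.

    Returns the URL string, or None if the memo is not valid base64 or does
    not decode to something URL-shaped (ordinary memos are plain text).
    """
    try:
        raw = base64.b64decode(memo, validate=True)
        text = raw.decode("ascii")
    except (binascii.Error, ValueError):  # UnicodeDecodeError is a ValueError
        return None
    parsed = urlparse(text)
    if parsed.scheme in ("http", "https") and parsed.hostname:
        return text
    return None


def memo_points_to_known_c2(memo: str) -> bool:
    """True when a memo decodes to a URL whose host is one of the reported C2 IPs."""
    url = decode_memo(memo)
    return url is not None and urlparse(url).hostname in C2_IPS


def classify_event(event: dict) -> list:
    """Return the reasons an outbound request resembles the dead-drop resolver.

    Only traffic to the public Solana RPC endpoint is examined; each reason is
    a separate signal so the caller can choose its own escalation threshold.
    """
    reasons = []
    if event.get("dst_host") not in SOLANA_RPC_HOSTS:
        return reasons
    try:
        body = json.loads(event.get("body") or "")
    except json.JSONDecodeError:
        return reasons
    if not isinstance(body, dict):
        return reasons
    method = body.get("method")
    if method in MEMO_RPC_METHODS:
        reasons.append("solana_rpc:" + method)
    params = body.get("params") or []
    if any(p == DEAD_DROP_WALLET for p in params if isinstance(p, str)):
        reasons.append("dead_drop_wallet")
    # The reported dropper is a Node.js script, not a wallet application.
    if (event.get("process") or "").lower().startswith("node"):
        reasons.append("node_process")
    return reasons


def scan(events):
    """Indices of events worth escalating: the wallet itself, or two weaker signals."""
    hits = []
    for i, ev in enumerate(events):
        reasons = classify_event(ev)
        if "dead_drop_wallet" in reasons or len(reasons) >= 2:
            hits.append(i)
    return hits


# Constructed sample memos and telemetry (not real captured data).
SAMPLE_MEMO = base64.b64encode(
    b"http://217.69.11.99/q6AUyyAAatxzpCw2im8XFg=="
).decode("ascii")
BENIGN_MEMO = base64.b64encode(b"https://example.com/").decode("ascii")

SAMPLE_EVENTS = [
    {   # Node.js process enumerating the dead-drop wallet's transactions
        "process": "node.exe",
        "dst_host": "api.mainnet-beta.solana.com",
        "body": json.dumps({"jsonrpc": "2.0", "id": 1,
                            "method": "getSignaturesForAddress",
                            "params": [DEAD_DROP_WALLET, {"limit": 10}]}),
    },
    {   # Browser wallet checking a balance: same endpoint, benign
        "process": "chrome.exe",
        "dst_host": "api.mainnet-beta.solana.com",
        "body": json.dumps({"jsonrpc": "2.0", "id": 2, "method": "getBalance",
                            "params": ["SomeOtherWalletAddress"]}),
    },
    {   # Node.js talking to a package registry: unrelated
        "process": "node",
        "dst_host": "registry.npmjs.org",
        "body": "",
    },
]

if __name__ == "__main__":
    for i in scan(SAMPLE_EVENTS):
        print(i, classify_event(SAMPLE_EVENTS[i]))
    print(decode_memo(SAMPLE_MEMO), memo_points_to_known_c2(SAMPLE_MEMO))
```

Legitimate wallet software calls the same RPC methods against the same endpoint, so the method name alone is noise; the signal comes from the dead-drop wallet address appearing in the request parameters and from the calling process being a bare Node.js interpreter, which is why classify_event() returns separate reasons rather than a single verdict.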

IoC

http://45.32.150.97/vKSWcUJjPjJKzMSMI5OECA==
http://<IP
http://217.69.11.99
http://45.76.44.240/Xhwv9DF6OUXXS+phJ+eMgA==
http://217.69.11.60/uVK7ZJefmiIoJkIP6lxWXw==
http://217.69.11.57/wxSFx1KWOe5O5Lge8ckMKg==
http://217.69.11.99/q6AUyyAAatxzpCw2im8XFg==
http://217.69.0.159/NUTAqa6tLAe9ht824PEzhQ%3D%3D
https://api.mainnet-beta.solana.com
http://217.69.11.99:5000
http://<C2
http://217.69.0.159/dq1IMEteQ4AbO3daeYGXZw==
http://45.32.151.157/i6+IgUpodpQRiO4SgmKkCw==
http://217.69.0.159/NUTAqa6tLAe9ht824PEzhQ==
217.69.11.57
217.69.11.60
70.34.242.255
45.32.150.97
45.76.44.240
217.69.11.99
217.69.0.159
45.32.151.157
5dfa031ccd4cb45f5338eeaad6416a54b15bf0f8
48109c33cf45749a7fdc2629a4c11d9afc59e5378a4a368e08b20f9dbfca7963
b81d8031450264845cdf79851b6a4807