lazarusholic

Lazarus Phishing Campaign Detected (APT38)

2025-06-29, BretWitt
https://www.youtube.com/watch?v=py4KMWYCgPk
#APT38 #Youtube

Continuing with the Incident Responder Path, we tackle a HIGH alert for "Lazarus Phishing Campaign Detected". Was this a ClickFix scenario, phishing, simply a false positive, or possibly something more malicious?

EventID: 315
Event Time: Mar, 06, 2025, 07:15 AM
Rule: SOC337 - Lazarus Phishing Campaign Detected (APT38)
Level: Incident Responder
SMTP Address: 152.89.61.96
Source Address: [email protected]
Destination Address: [email protected]
E-mail Subject: Invitation: Coinbase Crypto Trader Hiring Assessment
Device Action: Allowed

IP regarding email:
https://www.virustotal.com/gui/ip-add...

Link in email:
https://www.virustotal.com/gui/url/4d...
https://talosintelligence.com/reputat...
https://otx.alienvault.com/indicator/...
https://urlscan.io/result/0195be64-23...

URL in PowerShell:
https://www.virustotal.com/gui/url/97...
https://talosintelligence.com/reputat...
https://otx.alienvault.com/indicator/...

nvidiaupdate.zip
https://www.virustotal.com/gui/file/e...

Zip Contents:
https://www.virustotal.com/gui/file/1...
https://www.virustotal.com/gui/file/2...
https://www.virustotal.com/gui/file/e...
https://www.virustotal.com/gui/file/f...
https://www.virustotal.com/gui/ip-add...
https://talosintelligence.com/reputat...
https://otx.alienvault.com/indicator/...
https://www.virustotal.com/gui/file/9...

NOTES:
https://attack.mitre.org/groups/G0082/
https://www.silentpush.com/blog/lazar...