Malware Analysis Targeting Windows and macOS by the Lazarus Group

2025-10-13, Logpresso
https://logpresso.com/en/blog/2025-10-13-lazarus-apt-attack-en
#Lazarus #macOS

1. Overview

In September 2025, a coordinated Advanced Persistent Threat (APT) campaign was discovered, targeting both Windows and macOS systems. The campaign masqueraded as legitimate software patches, including Nvidia updates, arm64-fixer, and mac_camera.driver. Through in-depth analysis, the operation has been attributed to the Lazarus Group, a North Korean state-sponsored APT actor.

Lazarus is known for conducting multifaceted cyber campaigns with diverse objectives, including financial gain (e.g., cryptocurrency theft and banking fraud), cyber espionage (targeting governments and defense contractors), and destructive attacks. Their operations commonly employ techniques such as spear-phishing, weaponized documents, watering hole attacks, custom binary deployment, and supply chain compromise. Their hallmark tactics include multi-stage C2 infrastructure, code obfuscation, and anti-analysis techniques to evade detection. International reports have linked the group to high-profile cryptocurrency heists, bank wire fraud, ransomware incidents, and data-wiping campaigns.

| OS | macOS | Windows |
|---|---|---|
| Trigger File | mac_camera.driver | run.vbs |
| Environment Setup | node.js installation …

IoC

http://webmail.driverservices.store/
http://driverservices.store/visiodrive
https://block-digital.online/drivers/mac_camera.driver
https://driverservices.store/visiodrive/nvidiaRelease.zip
http://block-digital.online/drivers/mac_camera.driver-fix1816
http://block-digital.online/drivers/cam_driver
http://avalabs-digital.store/cpanel
https://driverservices.store/visiodrive/nvidiaReleasenew.zip
https://www.driverservices.store:2096/
https://block-digital.online/
http://141.98.168.79
https://avalabs-digital.store/update/update93w/
https://driverservices.store/visiodrive/nvidiareleasenew.zip
https://block-digital.online/drivers/camera
http://avalabs-digital.store/update/update93w
http://driverservices.store/visiodrive/arm64-fixernew
https://driverservices.store/visiodri
https://driverservices.store/visiodrive/nvidiarelease.zip
http://block-digital.online/cpanel
https://block-digital.online/drive
https://driverservices.store/visiodrive/arm64-fixer
http://avalabs-digital.store/
http://www.driverservices.store/
https://driverservices.store/
http://driverservices.store/visiodrive/nvidiaRelease.zip
https://block-digital.online/drivers/cam_driver
https://avalabs-digital.store/update/update93w
https://driverservices.store/visiodrive/mac-v-j1721.fixer
https://webmail.driverservices.store/
http://block-digital.online/
https://block-digital.online/drivers/mac_camera.driver-fix1816
https://block-digital.online/drivers/
https://driverservices.store/visiodrive/nvidiaRelease.zi
https://www.block-digital.online/
https://driverservices.store/visiodrive/arm64-fixernew
http://69.10.53.86
https://driverservices.store/visiodrive/
https://avalabs-digital.store/update/z-update93m
http://driverservices.store/
69.10.53.86
198.54.116.177
103.231.75.101
45.159.248.110
198.54.119.94
45.89.53.54
141.98.168.79
199.188.200.147
192.64.119.25
15e48aef2e26f2367e5002e6c3148e1f
0550b73535fc3de5aec297707df73646
b52e105bd040bda6639e958f7d9e3090
cdf296d7404bd6193514284f021bfa54
6559d05cfcf294ef325a3eb772c3d3ba
945acbf53bd61ee1d6475c47f1db15d8
8731b650457211decd5a7aa940dd8f0e
f9e18687a38e968811b93351e9fca089
846b1734829ef754a42d915474b43192
37911a1e8ca8a481cd989fafe7bfb75a
983a8a6f4d0a8c887536f5787a6b01a2
2d8c8c6323a4fea1952405f2daad5d7a
858b616a388f6220e2fbcdaf545a9695
8c274285c5f8914cdbb090d72d1720d3
f277110800d861faa6a737c8d668d297
13400d5c844b7ab9aacc81822b1e7f02
57a3b11361ea5908d7f79395f12e14f8
0b73c183056cdbacddcd5eb0d1191b3b
fcc0114e34b352d9d3312118c6fd9341
a4e58b91531d199f268c5ea02c7bf456
ef7b96bffe252ede8259fea30fc3a9a3
3ef7717c8bcb26396fc50ed92e812d13
09d2336c6b76fa499f52773d930788a4
5a20eb4497913196212601430bd8da9d
8e8066fa5de1b8cad438c2323bdf2304
0dae0f501fca7db547726c78db4ae172
cbd183f5e5ed7d295d83e29b62b15431
6175efd148a89ca61b6835c77acc7a8d
fc7b67af44b474db1bbc808a8f2a25f0