## Hot Topic Overview
The Lazarus Group, a North Korean hacking organization, launched a campaign dubbed "Operation 99" targeting Web3 and cryptocurrency software developers. Posing as recruiters on platforms such as LinkedIn, the attackers invited developers to take part in fake project tests and code reviews. Developers who took the bait were directed to clone a GitLab repository containing malicious code, which implanted modular malware on their systems. The malware can steal sensitive data such as passwords, API keys, and cryptocurrency wallet information, and it communicates with heavily obfuscated command-and-control (C2) servers to stay hidden and evade detection.
## Ace Hot Topic Analysis
Recently, the North Korean hacking group Lazarus Group launched a campaign called "Operation 99" against Web3 and cryptocurrency software developers. The operation starts with fake recruiters on platforms such as LinkedIn, who entice developers with project tests and code reviews. Victims who take the bait are led to clone a GitLab repository that looks harmless but contains malicious code. Once run, the cloned code connects to a command-and-control (C2) server and embeds malware into the victim's environment, giving the attackers control of the machine. The malware is cross-platform and steals high-value data such as passwords, API keys, and cryptocurrency wallet information, maintaining contact with heavily obfuscated C2 servers to maximize stealth. SlowMist CISO 23pds has warned developers about this attack method on social media, advising them to raise their security awareness, treat recruitment messages from strangers with caution, and not clone code repositories from unknown sources without scrutiny.
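As a concrete version of that advice, the script below is an added example (not code from the original article, from SlowMist, or from any published Operation 99 report) that triages a freshly cloned "coding test" repository before anything in it is installed, built or run. The indicators it looks for are generic delivery patterns assumed for illustration, not the specific mechanism documented for this campaign: npm lifecycle scripts that execute automatically on `npm install`, a `setup.py` that executes on `pip install .`, obfuscation-style calls such as `eval`, `atob` or `child_process`, and long base64 blobs that typically hold a hidden stage. The sample repository it scans is constructed inline so the example runs offline.

```python
"""Triage an untrusted repository before running anything in it.

Added example, not from the original page or any Operation 99 report.
Assumptions (for illustration): the repo is already cloned but nothing has
been installed or executed; the indicators below are generic signs of code
that runs on install or hides a payload, not the campaign's actual loader.
"""
import base64
import json
import os
import re
import tempfile

# package.json script keys that npm runs automatically during `npm install`.
NPM_LIFECYCLE = {"preinstall", "install", "postinstall", "prepare", "prepublish"}

# Source-level indicators of obfuscated or self-executing code (JS and Python).
SUSPECT_CALLS = re.compile(
    r"\b(eval|Function|atob|child_process|exec|execSync|spawn|subprocess|"
    r"os\.system|marshal\.loads|importlib|__import__)\b"
)
# A contiguous base64-looking run this long is rarely hand-written source.
LONG_B64 = re.compile(r"[A-Za-z0-9+/=]{200,}")

SOURCE_EXT = {".js", ".mjs", ".cjs", ".ts", ".py", ".sh"}
SKIP_DIRS = {".git", "node_modules", "dist", "build"}


def scan_package_json(path):
    """Flag lifecycle scripts: these run without the developer invoking them."""
    findings = []
    try:
        with open(path, encoding="utf-8") as f:
            pkg = json.load(f)
    except (OSError, ValueError):
        return findings
    for key, cmd in (pkg.get("scripts") or {}).items():
        if key in NPM_LIFECYCLE:
            findings.append(f"{path}: npm runs '{key}' automatically on install: {cmd}")
    return findings


def scan_source(path):
    """Flag dynamic-execution calls and long base64 blobs that decode cleanly."""
    findings = []
    try:
        with open(path, encoding="utf-8", errors="replace") as f:
            text = f.read()
    except OSError:
        return findings
    calls = sorted(set(SUSPECT_CALLS.findall(text)))
    if calls:
        findings.append(f"{path}: suspicious calls {calls}")
    for m in LONG_B64.finditer(text):
        blob = m.group(0)
        try:
            decoded = base64.b64decode(blob, validate=True)
        except ValueError:  # not real base64 (e.g. a long identifier or hash)
            continue
        findings.append(f"{path}: {len(blob)}-char base64 blob (decodes to {len(decoded)} bytes)")
    return findings


def scan_repo(root):
    """Walk the checkout, skipping vendored and VCS dirs, and collect findings."""
    findings = []
    for dirpath, dirnames, filenames in os.walk(root):
        dirnames[:] = [d for d in dirnames if d not in SKIP_DIRS]
        for name in filenames:
            path = os.path.join(dirpath, name)
            if name == "package.json":
                findings.extend(scan_package_json(path))
            elif name == "setup.py":
                findings.append(f"{path}: setup.py executes arbitrary code on 'pip install .'")
            if os.path.splitext(name)[1] in SOURCE_EXT:
                findings.extend(scan_source(path))
    return findings


def build_sample_repo():
    """Write a constructed 'coding test' repo to a temp dir and return its path."""
    root = tempfile.mkdtemp(prefix="repo-triage-demo-")
    # Constructed stand-in for a hidden second stage (harmless console.log).
    payload = base64.b64encode(b"console.log('stage-2 would be fetched here');" * 8).decode()
    files = {
        "package.json": json.dumps({
            "name": "coding-test",
            "scripts": {"postinstall": "node setup/init.js", "test": "jest"},
        }),
        "setup/init.js": (
            "// looks like build glue, actually decodes and runs a hidden payload\n"
            f"const blob = '{payload}';\n"
            "eval(Buffer.from(blob, 'base64').toString());\n"
        ),
        "src/app.js": "module.exports = (a, b) => a + b;\n",
    }
    for rel, content in files.items():
        full = os.path.join(root, rel)
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "w", encoding="utf-8") as f:
            f.write(content)
    return root


if __name__ == "__main__":
    for line in scan_repo(build_sample_repo()):
        print(line)
```

Run it against a real checkout with `scan_repo("/path/to/clone")`. Any hit on the install hooks is the one that matters most: a repository whose payload sits behind `postinstall` or `setup.py` compromises the machine the moment the developer follows the "recruiter's" instruction to install dependencies, before a single line of the test task is read. Reviewing such repositories inside a disposable VM or container, with no wallet or credential material present, is the complementary control.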