The notorious Lazarus Group, closely linked to North Korea, has orchestrated a sophisticated cyber offensive labeled Operation 99. This campaign zeroes in on software engineers exploring freelance opportunities in the burgeoning Web3 and cryptocurrency domains, using duplicitous recruitment tactics to infiltrate systems with malicious software.
“The operation is spearheaded by impostor recruiters who masquerade on platforms such as LinkedIn,” explained Ryan Sherstobitoff, Senior Vice President of Threat Research and Intelligence at SecurityScorecard, in a report released today. “Victims are enticed into cloning seemingly innocuous GitLab repositories, which are, in reality, vehicles laden with malicious code. Once cloned, these repositories establish connections to command-and-control (C2) servers, deploying malware into the unsuspecting developer’s environment.”
The campaign’s reach spans continents, with victims identified globally. Italy has reported the highest concentration of cases, while smaller clusters have emerged in Argentina, Brazil, Egypt, France, Germany, India, Indonesia, Mexico, Pakistan, the Philippines, the U.K., and the U.S.
Unveiled on January 9, 2025, this operation builds upon the Lazarus Group’s repertoire of employment-themed stratagems, such as Operation Dream Job (also known as NukeSped). However, Operation 99 distinguishes itself by specifically preying on Web3 and cryptocurrency developers through elaborate deception involving counterfeit LinkedIn profiles and fraudulent GitLab repositories.
A Chilling Modus Operandi
The attackers’ ultimate objective is to deploy modular malware designed to exfiltrate sensitive data, including proprietary source code, API keys, cryptocurrency wallet credentials, and other confidential information. Key components of the malware suite include:
- Main5346 and Main99: Act as initial downloaders, introducing three subsequent payloads.
- Payload99/73 (and its variant Payload5346): Facilitates the collection of system data, termination of web browser processes, arbitrary command execution, and persistent C2 communication.
- Brow99/73: Harvests browser-stored data, aiding in credential theft.
- MCLIP: Captures keyboard strokes and clipboard content in real time, ensuring uninterrupted exfiltration.
“Compromising developer accounts grants adversaries a dual advantage—intellectual property theft and direct access to cryptocurrency wallets,” SecurityScorecard emphasized. “Seizing private and secret keys opens avenues for multimillion-dollar heists, aligning seamlessly with Lazarus Group’s financial motives.”
A Multifaceted Threat
The malware demonstrates a highly adaptable design, operating across Windows, macOS, and Linux. This cross-platform, modular construction underscores the sophisticated and ever-evolving nature of nation-state cyber threats.
“For North Korea, cyber intrusions are not merely tactical maneuvers but a financial artery,” Sherstobitoff noted. “The Lazarus Group consistently channels stolen cryptocurrency to underwrite the regime’s ambitions, accumulating staggering wealth. The explosive growth of Web3 and cryptocurrency ecosystems has made them prime targets for Operation 99.”
This campaign serves as a stark reminder of the persistent and ingenious tactics employed by nation-state actors, particularly those leveraging the rapid expansion of decentralized technologies for malevolent gain.