North Korean Lazarus hackers launch large-scale cyberattack by cloning open source software

News
By
published

Lazarus clones the software, spice it up with malware, and return it to the wild

A concept image of someone typing on a computer. A red flashing danger sign is above the keyboard and nymbers and symbols also in glowing red surround it.
(Image credit: Getty Images)
  • Lazarus was seen poisoning open source software with infostealers
  • The campaign is dubbed Phantom Circuit, and targets mostly European software devs
  • Multiple repositories were found poisoned with malware

The notorious North Korean hackers Lazarus have been targeting software developers, particularly those in the Web3 industry, with infostealing malware, grabbing their credentials, authentication tokens, and other valuable data, experts have warned.

Cybersecurity researchers SecurityScorecard released a report detailing the campaign, which included a software supply-chain attack and open-source poisoning.

Lazarus Group, an infamous hacking collective on North Korea’s payroll, was spotted grabbing different open source tools, poisoning them with malicious code, and then returning them to code repositories and platforms such as Gitlab.

Targeting Web3 devs

Developers would then pick up these tools by mistake, and would unknowingly get infected with malware.

The researchers named the operation Phantom Circuit, and apparently ended up compromising more than 1,500 victims. Most of them are based in Europe, with notable additions from India and Brazil.

The modified repositories apparently included Codementor, CoinProperty, Web3 E-Store, a Python-based password manager, and “other cryptocurrency-related apps, authentication packages, and web3 technologies”, citing Ryan Sherstobitoff, senior VP of research and threat intelligence at SecurityScorecard.

The researchers did not say if Lazarus used any known infostealer in this campaign, or created new code from scratch. The group is known for using a wide variety of tools in their attacks.

Lazarus often targets cryptocurrency companies. Some researchers are saying the country is engaging in crypto theft to fund its state apparatus, as well as its weapons program. The group is famous for its fake job campaign, called Operation DreamJob, in which it targets Web3 software developers with fake, lucrative job offers.

During the interview stages, the attackers would trick the candidate into downloading and running infostealers, grabbing their tokens, and those of their employers. In one such instance, Lazarus managed to steal roughly $600 million.

You might also like

TOPICS
Sead Fadilpašić

Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.

You must confirm your public display name before commenting

Please logout and then login again, you will then be prompted to enter your display name.

Read more
Image depicting a hand on a scanner
New Lazarus Group campaign sees North Korean hackers spreading undetectable malware through GitHub and open source packages
North Korean flag with a hooded hacker
North Korean hackers are posing as software development recruiters to target freelancers
Hacker silhouette working on a laptop with North Korean flag on the background
North Korean Lazarus hackers are targeting nuclear workers
A digital representation of a lock
Looking for a new job? Watch out you don't fall for this new malware scam
A white padlock on a dark digital background.
Developers targeted by malicious Microsoft VSCode extensions
An abstract image of digital security.
Hundreds of GitHub repositories hijacked to trick users into downloading malware
Latest in Security
A graphic showing fleet tracking locations over a city.
Lost & Found tracking site hit by major data breach - over 800,000 could be affected
US President Donald Trump speaks to the press as he signs an executive order to create a US sovereign wealth fund, in the Oval Office of the White House on February 3, 2025, in Washington, DC.
US set to pause cyber-offensive operations against Russia - but CISA says it won't stop
Web DDoS attacks see major surge as AI allows more powerful attacks
Polish space agency says it was hit by a cyberattack
Illustration of a hooked email hovering over a mobile phone
AWS misconfigurations reportedly used to launch phishing attacks
A concept image of someone typing on a computer. A red flashing danger sign is above the keyboard and nymbers and symbols also in glowing red surround it.
Microsoft Teams and other Windows tools hijacked to hack corporate networks
Latest in News
Google Gemini iPhone Lock Screen
You can now access Gemini from your iPhone's lock screen
Michelle, Keats, and Doctor Amherst looking unimpressed and worried in The Electric State
Netflix drops trailer for The Electric State, and I'm getting serious District 9 vibes
YouTube TV
YouTube TV might be planning a big Netflix update that puts the best streaming services first
Google Pixel 9 Pro
Here are the 7 best Pixel 9 and Pixel Watch 3 features landing in March’s Pixel Feature Drop
Bang & Olufsen Beogram 4000C Saint Laurent Rive Droite Edition
Bang & Olufsen's latest reworked turntable is a masterpiece of retro revival, in a breathtaking wooden presentation box
Apple Watch Series 10
Apple unveils new Apple Watch bands – here's what's in the Spring 2025 collection
More about security
A graphic showing fleet tracking locations over a city.

Lost & Found tracking site hit by major data breach - over 800,000 could be affected
A concept image of someone typing on a computer. A red flashing danger sign is above the keyboard and nymbers and symbols also in glowing red surround it.

Microsoft Teams and other Windows tools hijacked to hack corporate networks
Circular Ring 2

The Circular Ring 2 solves a crucial smart ring problem, and it's available to pre-order now
See more latest
Most Popular
Circular Ring 2
The Circular Ring 2 solves a crucial smart ring problem, and it's available to pre-order now
HTC Viverse
The company formerly known as HTC is doubling down on immersive worlds, AI, spatial computing and ... 6G?
A business woman looking at AI on a transparent screen
Businesses are facing an "AI Divide" - which could be the difference between success and failure
Google Gemini iPhone Lock Screen
You can now access Gemini from your iPhone's lock screen
Apple Vision Pro with Dassault Systèmes 3DEXPERIENCE platform
Dassault Systèmes teams up with Apple to use Vision Pro headsets to bring spatial CAD to life
Samsung 18.1-inch foldable OLED monitor
Samsung has launched a flexible portable monitor complete with a briefcase, one that seems to come straight from a James Bond movie
GenMachine Zhi mini pc
This is the smallest AMD PC I've ever seen: mysterious manufacturer uses Ryzen 3 APU with surprising results
Beelink ME Mini
One of our favorite mini PC vendors has launched a NAS that looks a bit like Apple's PowerMac G4 Cube PC - but way smaller
Michelle, Keats, and Doctor Amherst looking unimpressed and worried in The Electric State
Netflix drops trailer for The Electric State, and I'm getting serious District 9 vibes
YouTube TV
YouTube TV might be planning a big Netflix update that puts the best streaming services first