The Lazarus Group, linked to North Korea, has been attributed to a new cyber attack campaign called Operation 99 that targets software developers seeking freelance Web3 and cryptocurrency work in order to deliver malware.
“The campaign starts with fake recruiters posing on platforms like LinkedIn, luring developers with project tests and code reviews,” Ryan Sherstobitoff, SVP of Threat Research and Intelligence at SecurityScorecard, said in a new report released today.
“Once the victim takes the bait, they are told to clone a malicious GitLab repository that appears harmless but is filled with disaster. The cloned code connects to command and control (C2) servers, embedding malware in the victim’s environment.”
Victims of the campaign were found all over the world, with a significant concentration recorded in Italy. Smaller numbers of victims were recorded in Argentina, Brazil, Egypt, France, Germany, India, Indonesia, Mexico, Pakistan, the Philippines, the UK and the USA.
The cybersecurity company said the campaign, which it discovered on January 9, 2025, builds on the job-themed lures previously seen in Lazarus attacks such as Operation Dream Job (aka NukeSped), but focuses specifically on Web3 and cryptocurrency developers.
What makes Operation 99 unique is that it lures developers with coding projects in a sophisticated recruitment scheme that involves creating fake LinkedIn profiles, which are then used to direct them to fake GitLab repositories.
The ultimate goal of the attacks is to deploy data-stealing implants capable of extracting source code, secrets, cryptocurrency wallet keys, and other sensitive data from the development environment.
This includes Main5346 and its variant Main99, which serves as a loader for three additional payloads:
- Payload99/73 (and its functionally similar Payload5346), which collects system data (such as files and clipboard contents), terminates web browser processes, executes arbitrary commands, and establishes a persistent connection to the C2 server
- Brow99/73, which steals data from web browsers to facilitate credential theft
- MCLIP, which monitors and exfiltrates keyboard and clipboard activity in real time
“By compromising developer accounts, attackers not only steal intellectual property, but also gain access to cryptocurrency wallets, enabling direct financial theft,” the company said. “Targeted theft of private and secret keys could lead to millions in stolen digital assets, furthering Lazarus Group’s financial goals.”
The architecture of the malware is modular, flexible and capable of running on Windows, macOS and Linux operating systems. It also serves to highlight the ever-evolving and adaptive nature of nation-state cyber threats.
“For North Korea, hacking is a lifeline that brings in profits,” Sherstobitoff said. “The Lazarus Group has consistently funneled stolen cryptocurrency to fuel the regime’s ambitions, amassing staggering sums. With the growth of the Web3 and cryptocurrency industries, Operation 99 is targeting these fast-growing sectors.”