## Overview
The North Korean hacking group Lazarus Group launched a cyberattack dubbed "Operation 99," targeting Web3 and cryptocurrency developers. The attackers, posing as recruiters, lured developers on platforms like LinkedIn into participating in fake project testing and code reviews. They tricked developers into cloning GitLab repositories containing malicious code, ultimately infiltrating victims' systems with malware. This malware can steal valuable data such as passwords, API keys, and cryptocurrency wallet information. It also maintains connections through highly obfuscated command-and-control (C2) servers to maximize its stealth.
## Analysis
The North Korean hacking group Lazarus Group launched a cyberattack campaign called "Operation 99" targeting Web3 and cryptocurrency software developers. The attackers disguised themselves as recruiters, posting fake job listings on platforms such as LinkedIn and using project testing and code review as bait to lure developers into participating. Once a victim takes the bait, they are directed to clone what appears to be a harmless GitLab repository that in reality contains malicious code. The cloned code connects to a command-and-control (C2) server and embeds malware into the victim's environment, giving the attackers control over the victim's computer. These malicious programs are cross-platform and can steal high-value data such as passwords, API keys, and cryptocurrency wallet information. They maintain connections through highly obfuscated C2 servers to maximize their stealth.