Overview
The Lazarus Group, a North Korean hacking group, has launched a cyberattack dubbed "Operation 99" targeting Web3 and cryptocurrency software developers. The attackers pose as recruiters on platforms like LinkedIn and entice developers to participate in fake project testing and code review sessions. They induce developers to clone GitLab repositories containing malicious code, which injects modular malware into victims' systems. This malware can steal high-value data such as passwords, API keys, and cryptocurrency wallet information, and it maintains connections through heavily obfuscated command and control (C2) servers to maximize its stealth. SlowMist CISO 23pds has issued a warning on social media, alerting developers to this attack method and urging them to take necessary security measures.
Analysis
The Lazarus Group, a North Korean hacking group, has launched a cyberattack campaign dubbed “Operation 99” targeting Web3 and cryptocurrency software developers. The attackers, posing as recruiters, post fake job listings on platforms like LinkedIn to lure developers into participating in disguised project testing and code reviews. Once victims bite, they are directed to clone a seemingly harmless GitLab repository containing malicious code, which connects to a command and control (C2) server and embeds malware in the victim's environment. The malware adapts to different platforms, can steal high-value data such as passwords, API keys, and cryptocurrency wallet information, and maintains its connection through highly obfuscated C2 servers to maximize stealth. Security experts are urging Web3 developers to be vigilant, avoid clicking on suspicious links, and safeguard their code and sensitive information.