## Hot Topic Overview
The North Korean hacking group Lazarus Group has launched a campaign, tracked as "Operation 99", against Web3 and cryptocurrency developers. Posing as recruiters on platforms such as LinkedIn, the attackers invite developers to take part in fake project tests and code reviews and steer them into cloning GitLab repositories that contain malicious code. Running that code plants modular malware on the victim's system, which steals high-value data such as passwords, API keys and cryptocurrency wallet information and keeps a connection to heavily obfuscated command-and-control (C2) servers to stay hidden for as long as possible.
## Hot Topic Analysis
Recently, the North Korean hacking group Lazarus Group launched a cyberattack dubbed "Operation 99" against Web3 and cryptocurrency software developers. The operation starts with fake recruiters on platforms such as LinkedIn who entice developers with project tests and code reviews. Once a target takes the bait, they are directed to clone a GitLab repository that looks harmless but is booby-trapped. Cloning by itself runs nothing; the malicious code executes when the victim does what the "test" asks, such as installing dependencies or running the project, at which point it reaches out to a command-and-control (C2) server and pulls malware into the victim's environment, handing the attackers control of the machine. The malware is cross-platform, steals high-value data such as passwords, API keys and cryptocurrency wallet information, and maintains its connection to heavily obfuscated C2 servers to maximize stealth. SlowMist CISO 23pds reminds developers to stay vigilant, not to trust recruitment messages from strangers lightly, and to check code sources carefully so as to avoid cloning malicious repositories.
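The practical form of "check the code source before you run it" is to audit a cloned repository for places where it can execute code automatically before touching `npm install`, `pip install -e .`, `make`, or opening it in an IDE. The script below is an added example, not SlowMist's code and not an artifact from Operation 99: it walks a cloned tree, flags npm lifecycle scripts and other auto-run files, and greps text files for obfuscation and staging markers (`eval`, base64 decoding, raw-IP URLs, long encoded blobs). The auto-run file names and marker patterns are generic assumptions chosen for illustration, not indicators the page attributes to this campaign, and the booby-trapped "take-home task" it scans is constructed in a temporary directory (the URL uses the reserved TEST-NET range 203.0.113.0/24).

```python
"""Pre-execution audit of a freshly cloned repository (added example, not the
campaign's real artifacts). Run it before following any 'coding test' instructions."""
import base64
import json
import os
import re
import tempfile

# package.json lifecycle scripts that npm/yarn execute without asking (assumed list).
NPM_AUTO_SCRIPTS = {"preinstall", "install", "postinstall", "prepare", "prepublish"}

# Files that run code on `pip install -e .`, on folder open, or on `make` (assumed list).
AUTO_RUN_FILES = {"setup.py", ".vscode/tasks.json", "Makefile"}

TEXT_EXT = {".js", ".ts", ".mjs", ".cjs", ".py", ".json", ".sh", ".md", ".yml", ".yaml"}
MAX_BYTES = 2_000_000  # skip huge files; they deserve a manual look anyway

# Obfuscation / staging markers. A hit is a reason to read the file, not proof of malware.
SUSPICIOUS = [
    (re.compile(r"\beval\s*\("), "eval() call"),
    (re.compile(r"\bnew\s+Function\s*\("), "Function constructor"),
    (re.compile(r"base64|\batob\s*\(|b64decode"), "base64 decode"),
    (re.compile(r"child_process|subprocess|os\.system"), "process spawn"),
    (re.compile(r"https?://\d{1,3}(?:\.\d{1,3}){3}"), "raw-IP URL"),
    (re.compile(r"[A-Za-z0-9+/=]{200,}"), "long encoded blob"),
]


def _rel(root, path):
    """Path relative to the repo root, with forward slashes on every OS."""
    return os.path.relpath(path, root).replace(os.sep, "/")


def _check_package_json(full, rel):
    """Report lifecycle scripts that `npm install` would run automatically."""
    try:
        with open(full, encoding="utf-8") as fh:
            scripts = json.load(fh).get("scripts", {})
    except (OSError, ValueError):
        return [(rel, "unparseable package.json")]
    return [(rel, f"lifecycle script '{k}' runs on npm install: {v}")
            for k, v in scripts.items() if k in NPM_AUTO_SCRIPTS]


def _scan_text(full, rel):
    """Return one finding per suspicious pattern present in the file."""
    with open(full, encoding="utf-8", errors="replace") as fh:
        text = fh.read()
    return [(rel, reason) for pattern, reason in SUSPICIOUS if pattern.search(text)]


def audit_repo(root):
    """Return a sorted list of (relative_path, reason) findings for a cloned tree."""
    findings = []
    for dirpath, dirnames, filenames in os.walk(root):
        # Do not descend into git metadata or already-installed dependencies.
        dirnames[:] = [d for d in dirnames if d not in (".git", "node_modules")]
        for name in filenames:
            full = os.path.join(dirpath, name)
            rel = _rel(root, full)
            if rel in AUTO_RUN_FILES:
                findings.append((rel, "runs automatically on install/open/make"))
            if name == "package.json":
                findings.extend(_check_package_json(full, rel))
            if os.path.splitext(name)[1] in TEXT_EXT and os.path.getsize(full) <= MAX_BYTES:
                findings.extend(_scan_text(full, rel))
    return sorted(set(findings))


def build_sample_repo():
    """Construct a throwaway tree that mimics a booby-trapped 'coding test'.
    This is a constructed sample for the example, not a real attacker repository."""
    root = tempfile.mkdtemp(prefix="clone-audit-")

    def put(rel, content):
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w", encoding="utf-8") as fh:
            fh.write(content)

    put("README.md", "# Take-home task\nRun `npm install` then `npm test`.\n")
    put("src/index.js", "module.exports = (a, b) => a + b;\n")
    # The trap: a postinstall hook that runs on `npm install`, pointing at a loader.
    put("package.json", json.dumps({
        "name": "take-home-task",
        "scripts": {"test": "node src/test.js", "postinstall": "node scripts/setup.js"},
    }, indent=2))
    blob = base64.b64encode(b"/* stage-two loader placeholder */" * 8).decode()
    put("scripts/setup.js",
        "// constructed sample: decodes and evals a blob, fetches from a TEST-NET address\n"
        "const url = 'http://203.0.113.10/stage2';\n"
        "const p = Buffer.from('" + blob + "', 'base64').toString();\n"
        "eval(p);\n")
    return root


if __name__ == "__main__":
    for path, reason in audit_repo(build_sample_repo()):
        print(f"{path}: {reason}")
```

Point `audit_repo()` at a real clone instead of the sample tree; anything it reports should be read by a human before the project is installed, built or opened in an editor that honours workspace tasks, and a "recruiter" who pushes back on that delay is itself a signal.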