Lazarus Group Targets Developers in New Data Theft Campaign

January 17, 2025

The notorious North Korean state-sponsored Lazarus group is targeting software developers in an ongoing campaign, researchers from SecurityScorecard have revealed.

The campaign, dubbed ‘Operation 99’, was identified on January 9. It is designed to steal sensitive data from developer environments, including source code, secrets, configuration files and cryptocurrency wallet keys.

The researchers said the campaign marks an evolution in the Lazarus group’s tactics, including shifting from broad phishing attempts to targeted attacks on developers in the tech supply chain.

The analysis also highlighted upgrades to the malware used by the group, such as enhanced obfuscation and adaptability capabilities.

The researchers were able to identify impacted victims across the globe, highlighting the extensive reach of the campaign.

The campaign is part of broader efforts by the group to generate revenue for the Democratic People’s Republic of Korea (DPRK) regime.

“The campaign’s focus on developers reflects a strategic evolution. By compromising the creators of technology, the attackers indirectly jeopardize the projects and enterprises these developers support. It’s a devastatingly efficient method of supply chain attack,” SecurityScorecard wrote.

Freelance Developers in the Crosshairs

The campaign has a specialized focus on developers seeking freelance work in the cryptocurrency sector.

It begins with the attackers posing as recruiters contacting targets on platforms like LinkedIn about coding projects tied to fake recruitment schemes. These include project tests and code reviews.

This contrasts with a Lazarus campaign against developers observed in October 2024, which lured job seekers with fake job descriptions, the researchers noted.

In the new attack, the victim is directed to clone a malicious GitHub repository named “coin promoting Webapp.”

When the code from the repository is executed by the victim, it connects to command-and-control (C2) servers, hosted by the provider Stark Industries Solutions Ltd.

The provider’s IP address hosts an Apache server configured to deliver various payloads, designed for second-stage execution on the victim’s machine.

The C2 servers use heavily obfuscated Python scripts, often compressed with ZLIB, to evade detection.

The infrastructure also dynamically tailors malware for specific targets, ensuring compatibility with the victim’s operating system and environment. The modular framework enables the malware to function across multiple platforms, including Windows, macOS and Linux.

The campaign deploys a multi-stage malware system with modular components to steal a range of sensitive data from the developer’s device. These components include:

  • Main99: A downloader that connects to C2 servers, retrieving additional payloads
  • Payload99/73: Implants capable of keylogging, clipboard monitoring and file exfiltration
  • Brow99/73: An implant designed for browser credential theft, such as passwords using the keychain
  • MCLIP: A dedicated implant for keyboard and clipboard monitoring

The researchers noted that by embedding the malware into developer workflows, the attackers can not only compromise individual victims but also the projects and systems they contribute to.

Developers Urged to Adopt Proactive Security Measures

SecurityScorecard said the campaign highlights the security vulnerabilities in developer ecosystems, which contain valuable intellectual property and digital assets.

The firm urged organizations to adopt proactive security measures to tackle threats. They should:

  • Deploy enhanced code repository verification, such as scrutinizing Git repositories before cloning
  • Use advanced endpoint security solutions to detect unusual activity
  • Verify recruiters and job offers on platforms like LinkedIn
  • Equip developers with the knowledge to identify red flags in emails, repositories and LinkedIn profiles
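
One way to apply the repository-scrutiny advice to Python code, given the ZLIB-packed scripts described above: a static triage check that flags files which both unpack an embedded blob and execute generated code. This is an added example, not SecurityScorecard's tooling or code from the campaign; the function names and the two call lists are assumptions chosen for illustration.

```python
import ast
from pathlib import Path

# Assumed heuristic lists: calls that unpack a blob, and calls that run generated code.
UNPACKERS = {"zlib.decompress", "base64.b64decode", "bytes.fromhex", "codecs.decode"}
EXECUTORS = {"exec", "eval", "compile", "__import__"}

def scan_source(source):
    """Parse Python source without running it; return sorted heuristic findings."""
    try:
        tree = ast.parse(source)
    except (SyntaxError, ValueError):
        return ["unparseable"]
    aliases, findings = {}, set()
    for node in ast.walk(tree):  # first pass: resolve "import x as y" style aliases
        if isinstance(node, ast.Import):
            for a in node.names:
                aliases[a.asname or a.name] = a.name
        elif isinstance(node, ast.ImportFrom) and node.module:
            for a in node.names:
                aliases[a.asname or a.name] = f"{node.module}.{a.name}"
    for node in ast.walk(tree):  # second pass: classify each call by its resolved name
        if not isinstance(node, ast.Call):
            continue
        f = node.func
        if isinstance(f, ast.Name):
            name = aliases.get(f.id, f.id)
        elif isinstance(f, ast.Attribute) and isinstance(f.value, ast.Name):
            name = f"{aliases.get(f.value.id, f.value.id)}.{f.attr}"
        else:
            continue
        if name in UNPACKERS:
            findings.add("unpacker:" + name)
        elif name in EXECUTORS:
            findings.add("executor:" + name)
    return sorted(findings)

def is_suspicious(findings):
    """Flag only the combination of unpacking a blob and executing generated code."""
    kinds = {f.split(":")[0] for f in findings}
    return {"unpacker", "executor"} <= kinds

def scan_repo(root):
    """Map each flagged .py file under root to its findings; nothing is imported or run."""
    flagged = {}
    for path in Path(root).rglob("*.py"):
        found = scan_source(path.read_text(errors="replace"))
        if is_suspicious(found):
            flagged[str(path)] = found
    return flagged
```

Run `scan_repo` on a checkout made in a throwaway directory before installing dependencies or executing anything; a hit is a reason for manual review, and an empty result only means this one pattern was not found.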