Lazarus Group Uses Shell Companies to Distribute Malware in Crypto Scam

Coin World, Friday, Apr 25, 2025 2:22 am ET

A subgroup of the North Korea-linked hacker organization Lazarus has established three shell companies to distribute malware to unsuspecting users. These companies, BlockNovas, Angeloper Agency, and SoftGlide, are being used to distribute malware through fake job interviews. During the job application process, an error message is displayed that instructs the user to click, copy, and paste in order to fix it; following those instructions is what triggers the malware infection. The malware strains used in this campaign include BeaverTail, InvisibleFerret, and OtterCookie. BeaverTail is designed for information theft and for loading further stages of malware, while OtterCookie and InvisibleFerret target sensitive information, including crypto wallet keys and clipboard data.

The hackers use AI-generated images to create profiles of employees for the three front crypto companies and also steal images of real people. The ruse involves using AI image modifier tools to create subtly different versions of real images. This malware campaign has been ongoing since 2024, with known public victims. Two developers were targeted by the campaign; one of them reportedly had their MetaMask wallet compromised. The Federal Bureau of Investigation (FBI) has since shut down at least one of the companies, seizing the BlockNovas domain, but SoftGlide is still live, along with some of the group's other infrastructure.

The Lazarus Group is known for some of the biggest cyber thefts in Web3, including the $1.4 billion Bybit hack and the $600 million Ronin network hack. The group exploits legal loopholes to bypass sanctions and targets digital assets with malware. This is a rare example of North Korean hackers managing to set up legal corporate entities in the United States as corporate fronts for distributing malware. The hackers use GitHub, job listings, and freelancer websites to look for victims. The use of AI-generated images and stolen images of real people adds a layer of sophistication to their operations, making it difficult for unsuspecting users to detect the scam. The campaign highlights the evolving tactics used by North Korean hackers to target the crypto community and the need for increased vigilance and security measures.