{
	"id": "0f06c799-3e58-4093-a3d5-b717031e53b0",
	"created_at": "2026-04-06T00:11:32.292907Z",
	"updated_at": "2026-04-10T13:11:59.65045Z",
	"deleted_at": null,
	"sha1_hash": "45cad591c62109dea74dce0969524441cb740c9a",
	"title": "Lazarus ‘Operation In(ter)ception’ Targets macOS Users Dreaming of Jobs in Crypto",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 6804194,
	"plain_text": "Lazarus ‘Operation In(ter)ception’ Targets macOS Users Dreaming of Jobs in Crypto\r\nBy Dinesh Devadoss \u0026 Phil Stokes\r\nPublished: 2022-09-26 · Archived: 2026-04-05 18:34:50 UTC\r\nBack in August, researchers at ESET spotted an instance of Operation In(ter)ception using lures for job vacancies at cryptocurrency exchange platform Coinbase to infect macOS users with malware. In recent days, SentinelOne has seen a further variant in the same campaign using lures for open positions at rival exchange Crypto.com. In this post, we review the details of this ongoing campaign and publish the latest indicators of compromise.\r\nCoinbase Campaign Turns to Crypto.com\r\nNorth Korean-linked APT threat actor Lazarus has been using lures for attractive job offers in a number of campaigns since at least 2020, including targeting aerospace and defense contractors in a campaign dubbed ‘Operation Dream Job’.\r\nWhile those campaigns distributed Windows malware, macOS malware has been discovered using a similar tactic. Decoy PDF documents advertising positions on crypto exchange platform Coinbase were discovered by our friends at ESET back in August 2022, with indications that the campaign dated back at least a year. Last week, SentinelOne observed variants of the malware using new lures for vacancies at Crypto.com.\r\nhttps://www.sentinelone.com/blog/lazarus-operation-interception-targets-macos-users-dreaming-of-jobs-in-crypto\r\nPage 1 of 6\r\nDecoy document advertising positions on crypto.com\r\nFirst Stage and Persistence\r\nAlthough it is not clear at this stage how the malware is being distributed, earlier reports suggested that threat actors were attracting victims via targeted messaging on LinkedIn.\r\nThe first stage dropper is a Mach-O binary built from a template similar to the safarifontsagent binary used in the Coinbase variant. The first stage creates a folder in the user’s Library called “WifiPreference” and drops a persistence agent at ~/Library/LaunchAgents/com.wifianalyticsagent.plist, targeting an executable in the WifiPreference folder called wifianalyticsagent.\r\nPersistence agent com.wifianalyticsagent\r\nThe LaunchAgent uses the same label as in the Coinbase variant, namely iTunes_trush, but changes the target executable location and the agent file name. Analysis of the binary shows that these details are simply hardcoded in the startDaemon() function at compile time, and as such there are likely to be further variants extant or forthcoming.\r\nThe startDaemon() function hardcodes the persistence agent details\r\nThe WifiPreference folder contains several other items, including the decoy document, Crypto.com_Job_Opportunities_2022_confidential.pdf.\r\nThe PDF is a 26-page dump of all vacancies at Crypto.com. Consistent with observations in the earlier campaign, this PDF is created with MS Word 2016, PDF version 1.5. The document author is listed as “UChan”.\r\nThe PDF decoy was created with MS Word 2016\r\nThe first stage malware opens the PDF decoy document and wipes the Terminal’s current savedState:\r\nopen '/Users/tritium/Library/WifiPreference/Crypto.com_Job_Opportunities_2022_confidential.pdf' \u0026\u0026\r\nrm -rf '/Users/tritium/Library/Saved Application State/com.apple.Terminal.savedState'\r\nThe second stage in the Crypto.com variant is a bare-bones application bundle named “WifiAnalyticsServ.app”; this mirrors the same architecture seen in the Coinbase variant, which used a second stage called “FinderFontsUpdater.app”. The application uses the bundle identifier finder.fonts.extractor and has been in existence since at least 2021.\r\nThe main purpose of the second stage is to extract and execute the third-stage binary, wifianalyticsagent. This functions as a downloader from a C2 server. The Coinbase variant used the domain concrecapital[.]com. In the Crypto.com sample, this has changed to market.contradecapital[.]com.\r\nHardcoded C2 in the third-stage downloader\r\nThe payload is written to the WifiPreference folder as WifiCloudWidget. Unfortunately, due to the C2 being offline when we analysed the sample, we were unable to retrieve the WifiCloudWidget payload.\r\nThe threat actors have made no effort to encrypt or obfuscate any of the binaries, possibly indicating short-term campaigns and/or little fear of detection by their targets. The binaries are all universal Mach-Os capable of running on either Intel or M1 Apple silicon machines and signed with an ad hoc signature, meaning that they will pass Apple’s Gatekeeper checks despite not being associated with a recognized developer identity.\r\nThe wifianalyticsagent sample passes Gatekeeper with an ‘ad hoc’ signature\r\nStaying Protected Against Lazarus Malware\r\nSentinelOne customers are protected against the malware variants used in this campaign. For those not currently protected by SentinelOne, security teams and administrators are urged to review the indicators of compromise at the end of this post.\r\nConclusion\r\nThe Lazarus (aka Nukesped) threat actor continues to target individuals involved in cryptocurrency exchanges. This has been a long-running theme going as far back as the AppleJeus campaigns that began in 2018. Operation In(ter)ception appears to be extending the targets from users of crypto exchange platforms to their employees in what may be a combined effort to conduct both espionage and cryptocurrency theft.\r\nIndicators of Compromise\r\nSHA1  Name/Description\r\na57684cc460d4fc202b8a33870630414b3bbfafc  1st Stage, xxx\r\n65b7091af6279cf0e426a7b9bdc4591679420380  Crypto.com_Job_Opportunities_2022_confidential.pdf\r\n1f0f9020f72aa5a38a89ffd6cd000ed8a2b49edc  2nd Stage, WifiAnalyticsServ\r\n1b32f332e7fc91252181f0626da05ae989095d71  3rd stage, wifianalyticsagent\r\nCommunications\r\nmarket.contradecapital[.]com\r\nPersistence\r\n~/Library/LaunchAgents/com.wifianalyticsagent.plist\r\nFile paths\r\n~/Library/WifiPreference/WifiAnalyticsServ.app\r\n~/Library/WifiPreference/WifiCloudWidget\r\n~/Library/WifiPreference/wifianalyticsagent\r\n~/Library/WifiPreference/Crypto.com_Job_Opportunities_2022_confidential.pdf\r\nLabels and Bundle Identifiers\r\niTunes_trush\r\nfinder.fonts.extractor\r\nSource: https://www.sentinelone.com/blog/lazarus-operation-interception-targets-macos-users-dreaming-of-jobs-in-crypto",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://www.sentinelone.com/blog/lazarus-operation-interception-targets-macos-users-dreaming-of-jobs-in-crypto"
	],
	"report_names": [
		"lazarus-operation-interception-targets-macos-users-dreaming-of-jobs-in-crypto"
	],
	"threat_actors": [
		{
			"id": "9de1979b-40fc-44dc-855d-193edda4f3b8",
			"created_at": "2025-08-07T02:03:24.92723Z",
			"updated_at": "2026-04-10T02:00:03.755516Z",
			"deleted_at": null,
			"main_name": "GOLD LOCUST",
			"aliases": [
				"Anunak",
				"Carbanak",
				"Carbon Spider ",
				"FIN7 ",
				"Silicon "
			],
			"source_name": "Secureworks:GOLD LOCUST",
			"tools": [
				"Carbanak"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "cfdd35af-bd12-4c03-8737-08fca638346d",
			"created_at": "2022-10-25T16:07:24.165595Z",
			"updated_at": "2026-04-10T02:00:04.887031Z",
			"deleted_at": null,
			"main_name": "Sea Turtle",
			"aliases": [
				"Cosmic Wolf",
				"Marbled Dust",
				"Silicon",
				"Teal Kurma",
				"UNC1326"
			],
			"source_name": "ETDA:Sea Turtle",
			"tools": [
				"Drupalgeddon"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "33ae2a40-02cd-4dba-8461-d0a50e75578b",
			"created_at": "2023-01-06T13:46:38.947314Z",
			"updated_at": "2026-04-10T02:00:03.155091Z",
			"deleted_at": null,
			"main_name": "Sea Turtle",
			"aliases": [
				"UNC1326",
				"COSMIC WOLF",
				"Marbled Dust",
				"SILICON",
				"Teal Kurma"
			],
			"source_name": "MISPGALAXY:Sea Turtle",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "544ecd2c-82c9-417c-9d98-d1ae395df964",
			"created_at": "2025-10-29T02:00:52.035025Z",
			"updated_at": "2026-04-10T02:00:05.408558Z",
			"deleted_at": null,
			"main_name": "AppleJeus",
			"aliases": [
				"AppleJeus",
				"Gleaming Pisces",
				"Citrine Sleet",
				"UNC1720",
				"UNC4736"
			],
			"source_name": "MITRE:AppleJeus",
			"tools": null,
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "62b1b01f-168d-42db-afa1-29d794abc25f",
			"created_at": "2025-04-23T02:00:55.22426Z",
			"updated_at": "2026-04-10T02:00:05.358041Z",
			"deleted_at": null,
			"main_name": "Sea Turtle",
			"aliases": [
				"Sea Turtle",
				"Teal Kurma",
				"Marbled Dust",
				"Cosmic Wolf",
				"SILICON"
			],
			"source_name": "MITRE:Sea Turtle",
			"tools": [
				"SnappyTCP"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "f32df445-9fb4-4234-99e0-3561f6498e4e",
			"created_at": "2022-10-25T16:07:23.756373Z",
			"updated_at": "2026-04-10T02:00:04.739611Z",
			"deleted_at": null,
			"main_name": "Lazarus Group",
			"aliases": [
				"APT-C-26",
				"ATK 3",
				"Appleworm",
				"Citrine Sleet",
				"DEV-0139",
				"Diamond Sleet",
				"G0032",
				"Gleaming Pisces",
				"Gods Apostles",
				"Gods Disciples",
				"Group 77",
				"Guardians of Peace",
				"Hastati Group",
				"Hidden Cobra",
				"ITG03",
				"Jade Sleet",
				"Labyrinth Chollima",
				"Lazarus Group",
				"NewRomanic Cyber Army Team",
				"Operation 99",
				"Operation AppleJeus",
				"Operation AppleJeus sequel",
				"Operation Blockbuster: Breach of Sony Pictures Entertainment",
				"Operation CryptoCore",
				"Operation Dream Job",
				"Operation Dream Magic",
				"Operation Flame",
				"Operation GhostSecret",
				"Operation In(ter)caption",
				"Operation LolZarus",
				"Operation Marstech Mayhem",
				"Operation No Pineapple!",
				"Operation North Star",
				"Operation Phantom Circuit",
				"Operation Sharpshooter",
				"Operation SyncHole",
				"Operation Ten Days of Rain / DarkSeoul",
				"Operation Troy",
				"SectorA01",
				"Slow Pisces",
				"TA404",
				"TraderTraitor",
				"UNC2970",
				"UNC4034",
				"UNC4736",
				"UNC4899",
				"UNC577",
				"Whois Hacking Team"
			],
			"source_name": "ETDA:Lazarus Group",
			"tools": [
				"3CX Backdoor",
				"3Rat Client",
				"3proxy",
				"AIRDRY",
				"ARTFULPIE",
				"ATMDtrack",
				"AlphaNC",
				"Alreay",
				"Andaratm",
				"AngryRebel",
				"AppleJeus",
				"Aryan",
				"AuditCred",
				"BADCALL",
				"BISTROMATH",
				"BLINDINGCAN",
				"BTC Changer",
				"BUFFETLINE",
				"BanSwift",
				"Bankshot",
				"Bitrep",
				"Bitsran",
				"BlindToad",
				"Bookcode",
				"BootWreck",
				"BottomLoader",
				"Brambul",
				"BravoNC",
				"Breut",
				"COLDCAT",
				"COPPERHEDGE",
				"CROWDEDFLOUNDER",
				"Castov",
				"CheeseTray",
				"CleanToad",
				"ClientTraficForwarder",
				"CollectionRAT",
				"Concealment Troy",
				"Contopee",
				"CookieTime",
				"Cyruslish",
				"DAVESHELL",
				"DBLL Dropper",
				"DLRAT",
				"DRATzarus",
				"DRATzarus RAT",
				"Dacls",
				"Dacls RAT",
				"DarkComet",
				"DarkKomet",
				"DeltaCharlie",
				"DeltaNC",
				"Dembr",
				"Destover",
				"DoublePulsar",
				"Dozer",
				"Dtrack",
				"Duuzer",
				"DyePack",
				"ECCENTRICBANDWAGON",
				"ELECTRICFISH",
				"Escad",
				"EternalBlue",
				"FALLCHILL",
				"FYNLOS",
				"FallChill RAT",
				"Farfli",
				"Fimlis",
				"FoggyBrass",
				"FudModule",
				"Fynloski",
				"Gh0st RAT",
				"Ghost RAT",
				"Gopuram",
				"HARDRAIN",
				"HIDDEN COBRA RAT/Worm",
				"HLOADER",
				"HOOKSHOT",
				"HOPLIGHT",
				"HOTCROISSANT",
				"HOTWAX",
				"HTTP Troy",
				"Hawup",
				"Hawup RAT",
				"Hermes",
				"HotCroissant",
				"HotelAlfa",
				"Hotwax",
				"HtDnDownLoader",
				"Http Dr0pper",
				"ICONICSTEALER",
				"Joanap",
				"Jokra",
				"KANDYKORN",
				"KEYMARBLE",
				"Kaos",
				"KillDisk",
				"KillMBR",
				"Koredos",
				"Krademok",
				"LIGHTSHIFT",
				"LIGHTSHOW",
				"LOLBAS",
				"LOLBins",
				"Lazarus",
				"LightlessCan",
				"Living off the Land",
				"MATA",
				"MBRkiller",
				"MagicRAT",
				"Manuscrypt",
				"Mimail",
				"Mimikatz",
				"Moudour",
				"Mydoom",
				"Mydoor",
				"Mytob",
				"NACHOCHEESE",
				"NachoCheese",
				"NestEgg",
				"NickelLoader",
				"NineRAT",
				"Novarg",
				"NukeSped",
				"OpBlockBuster",
				"PCRat",
				"PEBBLEDASH",
				"PLANKWALK",
				"POOLRAT",
				"PSLogger",
				"PhanDoor",
				"Plink",
				"PondRAT",
				"PowerBrace",
				"PowerRatankba",
				"PowerShell RAT",
				"PowerSpritz",
				"PowerTask",
				"Preft",
				"ProcDump",
				"Proxysvc",
				"PuTTY Link",
				"QUICKRIDE",
				"QUICKRIDE.POWER",
				"Quickcafe",
				"QuiteRAT",
				"R-C1",
				"ROptimizer",
				"Ratabanka",
				"RatabankaPOS",
				"Ratankba",
				"RatankbaPOS",
				"RawDisk",
				"RedShawl",
				"Rifdoor",
				"Rising Sun",
				"Romeo-CoreOne",
				"RomeoAlfa",
				"RomeoBravo",
				"RomeoCharlie",
				"RomeoCore",
				"RomeoDelta",
				"RomeoEcho",
				"RomeoFoxtrot",
				"RomeoGolf",
				"RomeoHotel",
				"RomeoMike",
				"RomeoNovember",
				"RomeoWhiskey",
				"Romeos",
				"RustBucket",
				"SHADYCAT",
				"SHARPKNOT",
				"SIGFLIP",
				"SIMPLESEA",
				"SLICKSHOES",
				"SORRYBRUTE",
				"SUDDENICON",
				"SUGARLOADER",
				"SheepRAT",
				"SierraAlfa",
				"SierraBravo",
				"SierraCharlie",
				"SierraJuliett-MikeOne",
				"SierraJuliett-MikeTwo",
				"SimpleTea",
				"SimplexTea",
				"SmallTiger",
				"Stunnel",
				"TAINTEDSCRIBE",
				"TAXHAUL",
				"TFlower",
				"TOUCHKEY",
				"TOUCHMOVE",
				"TOUCHSHIFT",
				"TOUCHSHOT",
				"TWOPENCE",
				"TYPEFRAME",
				"Tdrop",
				"Tdrop2",
				"ThreatNeedle",
				"Tiger RAT",
				"TigerRAT",
				"Trojan Manuscript",
				"Troy",
				"TroyRAT",
				"VEILEDSIGNAL",
				"VHD",
				"VHD Ransomware",
				"VIVACIOUSGIFT",
				"VSingle",
				"ValeforBeta",
				"Volgmer",
				"Vyveva",
				"W1_RAT",
				"Wana Decrypt0r",
				"WanaCry",
				"WanaCrypt",
				"WanaCrypt0r",
				"WannaCry",
				"WannaCrypt",
				"WannaCryptor",
				"WbBot",
				"Wcry",
				"Win32/KillDisk.NBB",
				"Win32/KillDisk.NBC",
				"Win32/KillDisk.NBD",
				"Win32/KillDisk.NBH",
				"Win32/KillDisk.NBI",
				"WinorDLL64",
				"Winsec",
				"WolfRAT",
				"Wormhole",
				"YamaBot",
				"Yort",
				"ZetaNile",
				"concealment_troy",
				"http_troy",
				"httpdr0pper",
				"httpdropper",
				"klovbot",
				"sRDI"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434292,
	"ts_updated_at": 1775826719,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/45cad591c62109dea74dce0969524441cb740c9a.pdf",
		"text": "https://archive.orkl.eu/45cad591c62109dea74dce0969524441cb740c9a.txt",
		"img": "https://archive.orkl.eu/45cad591c62109dea74dce0969524441cb740c9a.jpg"
	}
}