{
	"id": "d1a5e54d-86e9-407b-b4a7-edbf3887199e",
	"created_at": "2026-04-06T00:15:11.934862Z",
	"updated_at": "2026-04-10T03:38:19.838205Z",
	"deleted_at": null,
	"sha1_hash": "aaaee8572bd993248435e62244c59ec5bfae3866",
	"title": "Beyond the Pond Phish: Unraveling Lazarus Group's Evolving Tactics - BitMEX Blog",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 67659,
	"plain_text": "Beyond the Pond Phish: Unraveling Lazarus Group's Evolving Tactics - BitMEX Blog\r\nBy BitMEX\r\nPublished: 2025-05-30 · Archived: 2026-04-05 18:11:37 UTC\r\nThe Lazarus Group is a prominent hacking group associated with the North Korean government, with a long history of targeting companies and individuals within the cryptocurrency space. They have been linked to the breaches of Phemex, WazirX, Bybit and Stake, among others.\r\nOur security team frequently responds to attempts to attack us, many of which use techniques or infrastructure that have been tied to the Lazarus Group by other researchers.\r\nA common pattern in their major operations is the use of relatively unsophisticated methods, often starting with phishing, to gain a foothold in their target's systems.\r\nFor example, in the Bybit breach, the group tricked a Safe Wallet employee into running malicious code on their computer to establish initial access. Once this foothold was obtained, what looks like a more sophisticated \"division\" of the group took over and continued post-exploitation, obtaining access to Safe's AWS account and modifying the wallet's front-end source code, which resulted in the ultimate theft of their cold wallets.\r\nThroughout the last few years, it appears that the group has divided into multiple subgroups that are not necessarily of the same technical sophistication. This can be observed through the many documented examples of bad practices coming from these \"frontline\" groups that execute social engineering attacks, when compared to the more sophisticated post-exploitation techniques applied in some of these known hacks.\r\nRecently, a BitMEX employee was contacted through LinkedIn for a potential \"NFT Marketplace\" web3 project collaboration. This pretext was similar enough to other attacks common in this industry that the employee suspected it was an attempt to trick them into running malicious code on their device. They alerted the security team, who investigated with the objective of understanding how this campaign worked and how to protect ourselves from it.\r\nThe interaction will be familiar to anyone who knows Lazarus' tactics. After some back and forth with the attacker, our employee was invited to a private GitHub repository which contained code for a Next.js/React website. The goal was to make the victim run the project, which includes malicious code, on their computer. After a few minutes of inspection of the repository (just grepping for \"eval\", really), we found some very suspicious pieces of code:\r\ncarbon-10\r\nThe first instance of calls to the eval function was commented out, suggesting this code was used in a previous campaign or was an older version of the malicious code being distributed. If it was not commented out, it would send an HTTP request to hxxp[://]regioncheck[.]net/api/user/thirdcookie/v3/726 and execute the response’s “cookie” value. This domain has been previously attributed to the Lazarus Group by Palo Alto’s Unit 42.\r\ncarbon-4\r\nThe second eval call we found was not commented out. The code here sends an HTTP request to hxxp[://]fashdefi[.]store:6168/defy/v5 and executes the JavaScript code returned by the server.\r\nWe then sent this request out manually and saved its response for further analysis. The JavaScript code returned by the server was obfuscated, making it hard to analyse at a glance.\r\nimage14\r\nTo understand what this is really doing, we used webcrack, a JavaScript deobfuscation tool, which yields a slightly better “unminified” version.\r\nThis JavaScript file looked like the result of joining three different scripts together. We can see multiple code blocks that separate the different stages of the malware.\r\nimage5-1\r\nAt first glance, the second part of the script contained strings that were similar to what we would expect from a credential stealer: references to Chrome extension IDs and to other browsers.\r\nimage12\r\nThis “p.zi” string looked familiar to us as well, even without deobfuscating the code - it is similar to other pieces of malware that have been previously tied to the DPRK and resembles the “BeaverTail” campaign, originally described by Palo Alto’s Unit 42 in this report. Since Unit 42 has already extensively analysed this second component, we will not cover it here.\r\nimage3-3\r\nAfter getting confirmation of who we were dealing with, we decided to continue deobfuscating the code in an attempt to dig up some IoCs that could be added to our internal tools.\r\nJavaScript deobfuscation is pretty fun once you know the patterns the obfuscation tools use, and usually boils down to finding and replacing references to string arrays or calls to “decryption” functions, then renaming variables. Starting from the first code block, we manually replaced all of the references to a string array with their corresponding values and used webcrack’s symbol renaming tool to rename variables based on their context, which results in human-readable code:\r\ncarbon-7\r\nAs this was not our first time reverse engineering malware related to this kind of campaign, we were already reasonably familiar with the code. However, this initial part of the file was new to us: it connects to a Supabase instance and writes metadata (username, hostname, OS, IP, geolocation, time) about the computer that has been infected.\r\nSupabase is a free managed database service akin to Google’s Firebase. It allows developers to quickly set up databases that have easy-to-use interfaces for applications which, if configured properly, allow you to implement almost all functionality that would usually be tied to an API layer (such as authentication, access control, etc.) without the need for one.\r\nA common issue with these services is that developers do not take the time to configure permissions properly and end up leaving significant parts of the database accessible to anyone. With this in mind, it was one of the first things we decided to test, using this simple script:\r\ncarbon-8\r\nTo our surprise, at the time, this returned 37 records with data from computers that had previously been compromised.\r\nimage15\r\nIf we take a closer look at the data, some logs stand out: a lot of username/hostname combinations are repeated, and some of those have patterns that look like test runs, potentially done by developers. We also see a pattern with many hostnames of the form 3-XXX.\r\nimage10-1\r\nThe IP addresses logged for these entries mostly belong to VPN providers. One of the recurring usernames, “Victor”, consistently uses IP addresses that appear to be managed by Touch VPN, while “GHOST72” uses IP addresses that map to Astrill VPN servers (source: spur.us).\r\nBy looking at the logs for “Victor”, we found an entry that stands out: the IP address and location do not match the previously observed Touch VPN exit nodes, but rather a residential China Mobile IP address (223.104.144.97) located in Jiaxing, China. We believe that this was an operational security mistake, which ended up leaking the attacker’s original IP address.\r\nimage13\r\nOnce we had this information, we created a simple program that would query this database on a regular basis and log new infections, with the goal of understanding the general profile of victims and potentially spotting new mistakes by the operators. This program has been running since May 14, 2025, and our data has all logs dating back to March 31st. So far, this amounts to 856 entries with 174 unique user/hostname combinations.\r\nUnique new infections by day (UTC):\r\nimage1-1\r\nBy looking at the username, hostname and IPs of past infections, we were also able to identify other computers and accounts used to test or develop the malware used in this campaign:\r\nVictor@3-KZH (12x Touch VPN, 2x China Mobile, 1x Unknown/US)\r\nVictor@3-KZH-1 (9x Touch VPN)\r\nGHOST72@3-UJS-2 (3x Astrill VPN, 1x Zoog VPN)\r\nghost@GHOST-3 (3x Astrill VPN, 1x Hotspot VPN)\r\nSuper@3-AHR-2 (1x Astrill VPN, 1x Touch VPN)\r\nAdmin@3-HIJ (2x Astrill VPN)\r\nLenovo@3-RKS (1x Astrill VPN)\r\nfirebird@3-KJH (1x Touch VPN)\r\ndegen@Alli (1x Astrill VPN)\r\nGoldRock@DESKTOP-N4VEL23 (1x Astrill VPN)\r\nMuddy@DESKTOP-MK87CBC (1x Astrill VPN)\r\nWith these hostnames in mind, we can also plot a chart that shows active hours for the operators behind this campaign:\r\nimage2-2\r\nInterestingly, we identified a consistent period of downtime for the operators from ~8am to ~1pm UTC (5pm to 10pm Pyongyang time), which suggests that they do have a structured schedule or consistent “working hours”, with activity occurring throughout the rest of the 24-hour cycle.\r\nimage4-1\r\nConclusion\r\nInvestigating this Lazarus Group campaign shows a stark contrast between their entry-level phishing strategies and advanced post-exploitation techniques. The accidental exposure of the Supabase database revealed not only their tracking methods but also significant lapses in operational security, such as the leakage of Chinese IP addresses, offering interesting insights into the inner workings of the group.\r\nContact\r\nIf you want to get in touch with us regarding this topic, or if the idea of working in an organisation that investigates these kinds of attacks interests you, contact security-research at bitmex dot com.\r\nIndicators Of Compromise (IoCs)\r\nSupabase URL https://mkswbddldpyiqkyu.supabase.co/\r\nC2 URL http://144.172.96.35/\r\nThe original post also lists, per threat-actor username/hostname pair, the IP addresses observed for each.\r\nSource: https://blog.bitmex.com/bitmex-busts-lazarus-group/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"references": [
		"https://blog.bitmex.com/bitmex-busts-lazarus-group/"
	],
	"report_names": [
		"bitmex-busts-lazarus-group"
	],
	"threat_actors": [
		{
			"id": "34eea331-d052-4096-ae03-a22f1d090bd4",
			"created_at": "2025-08-07T02:03:25.073494Z",
			"updated_at": "2026-04-10T02:00:03.709243Z",
			"deleted_at": null,
			"main_name": "NICKEL ACADEMY",
			"aliases": [
				"ATK3 ",
				"Black Artemis ",
				"COVELLITE ",
				"CTG-2460 ",
				"Citrine Sleet ",
				"Diamond Sleet ",
				"Guardians of Peace",
				"HIDDEN COBRA ",
				"High Anonymous",
				"Labyrinth Chollima ",
				"Lazarus Group ",
				"NNPT Group",
				"New Romanic Cyber Army Team",
				"Temp.Hermit ",
				"UNC577 ",
				"Who Am I?",
				"Whois Team",
				"ZINC "
			],
			"source_name": "Secureworks:NICKEL ACADEMY",
			"tools": [
				"Destover",
				"KorHigh",
				"Volgmer"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "aa73cd6a-868c-4ae4-a5b2-7cb2c5ad1e9d",
			"created_at": "2022-10-25T16:07:24.139848Z",
			"updated_at": "2026-04-10T02:00:04.878798Z",
			"deleted_at": null,
			"main_name": "Safe",
			"aliases": [],
			"source_name": "ETDA:Safe",
			"tools": [
				"DebugView",
				"LZ77",
				"OpenDoc",
				"SafeDisk",
				"TypeConfig",
				"UPXShell",
				"UsbDoc",
				"UsbExe"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "732597b1-40a8-474c-88cc-eb8a421c29f1",
			"created_at": "2025-08-07T02:03:25.087732Z",
			"updated_at": "2026-04-10T02:00:03.776007Z",
			"deleted_at": null,
			"main_name": "NICKEL GLADSTONE",
			"aliases": [
				"APT38 ",
				"ATK 117 ",
				"Alluring Pisces ",
				"Black Alicanto ",
				"Bluenoroff ",
				"CTG-6459 ",
				"Citrine Sleet ",
				"HIDDEN COBRA ",
				"Lazarus Group",
				"Sapphire Sleet ",
				"Selective Pisces ",
				"Stardust Chollima ",
				"T-APT-15 ",
				"TA444 ",
				"TAG-71 "
			],
			"source_name": "Secureworks:NICKEL GLADSTONE",
			"tools": [
				"AlphaNC",
				"Bankshot",
				"CCGC_Proxy",
				"Ratankba",
				"RustBucket",
				"SUGARLOADER",
				"SwiftLoader",
				"Wcry"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "a2b92056-9378-4749-926b-7e10c4500dac",
			"created_at": "2023-01-06T13:46:38.430595Z",
			"updated_at": "2026-04-10T02:00:02.971571Z",
			"deleted_at": null,
			"main_name": "Lazarus Group",
			"aliases": [
				"Operation DarkSeoul",
				"Bureau 121",
				"Group 77",
				"APT38",
				"NICKEL GLADSTONE",
				"G0082",
				"COPERNICIUM",
				"Moonstone Sleet",
				"Operation GhostSecret",
				"APT 38",
				"Appleworm",
				"Unit 121",
				"ATK3",
				"G0032",
				"ATK117",
				"NewRomanic Cyber Army Team",
				"Nickel Academy",
				"Sapphire Sleet",
				"Lazarus group",
				"Hastati Group",
				"Subgroup: Bluenoroff",
				"Operation Troy",
				"Black Artemis",
				"Dark Seoul",
				"Andariel",
				"Labyrinth Chollima",
				"Operation AppleJeus",
				"COVELLITE",
				"Citrine Sleet",
				"DEV-0139",
				"DEV-1222",
				"Hidden Cobra",
				"Bluenoroff",
				"Stardust Chollima",
				"Whois Hacking Team",
				"Diamond Sleet",
				"TA404",
				"BeagleBoyz",
				"APT-C-26"
			],
			"source_name": "MISPGALAXY:Lazarus Group",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "32a223a8-3c79-4146-87c5-8557d38662ae",
			"created_at": "2022-10-25T15:50:23.703698Z",
			"updated_at": "2026-04-10T02:00:05.261989Z",
			"deleted_at": null,
			"main_name": "Lazarus Group",
			"aliases": [
				"Lazarus Group",
				"Labyrinth Chollima",
				"HIDDEN COBRA",
				"Guardians of Peace",
				"NICKEL ACADEMY",
				"Diamond Sleet"
			],
			"source_name": "MITRE:Lazarus Group",
			"tools": [
				"RawDisk",
				"Proxysvc",
				"BADCALL",
				"FALLCHILL",
				"WannaCry",
				"MagicRAT",
				"HOPLIGHT",
				"TYPEFRAME",
				"Dtrack",
				"HotCroissant",
				"HARDRAIN",
				"Dacls",
				"KEYMARBLE",
				"TAINTEDSCRIBE",
				"AuditCred",
				"netsh",
				"ECCENTRICBANDWAGON",
				"AppleJeus",
				"BLINDINGCAN",
				"ThreatNeedle",
				"Volgmer",
				"Cryptoistic",
				"RATANKBA",
				"Bankshot"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "f32df445-9fb4-4234-99e0-3561f6498e4e",
			"created_at": "2022-10-25T16:07:23.756373Z",
			"updated_at": "2026-04-10T02:00:04.739611Z",
			"deleted_at": null,
			"main_name": "Lazarus Group",
			"aliases": [
				"APT-C-26",
				"ATK 3",
				"Appleworm",
				"Citrine Sleet",
				"DEV-0139",
				"Diamond Sleet",
				"G0032",
				"Gleaming Pisces",
				"Gods Apostles",
				"Gods Disciples",
				"Group 77",
				"Guardians of Peace",
				"Hastati Group",
				"Hidden Cobra",
				"ITG03",
				"Jade Sleet",
				"Labyrinth Chollima",
				"Lazarus Group",
				"NewRomanic Cyber Army Team",
				"Operation 99",
				"Operation AppleJeus",
				"Operation AppleJeus sequel",
				"Operation Blockbuster: Breach of Sony Pictures Entertainment",
				"Operation CryptoCore",
				"Operation Dream Job",
				"Operation Dream Magic",
				"Operation Flame",
				"Operation GhostSecret",
				"Operation In(ter)caption",
				"Operation LolZarus",
				"Operation Marstech Mayhem",
				"Operation No Pineapple!",
				"Operation North Star",
				"Operation Phantom Circuit",
				"Operation Sharpshooter",
				"Operation SyncHole",
				"Operation Ten Days of Rain / DarkSeoul",
				"Operation Troy",
				"SectorA01",
				"Slow Pisces",
				"TA404",
				"TraderTraitor",
				"UNC2970",
				"UNC4034",
				"UNC4736",
				"UNC4899",
				"UNC577",
				"Whois Hacking Team"
			],
			"source_name": "ETDA:Lazarus Group",
			"tools": [
				"3CX Backdoor",
				"3Rat Client",
				"3proxy",
				"AIRDRY",
				"ARTFULPIE",
				"ATMDtrack",
				"AlphaNC",
				"Alreay",
				"Andaratm",
				"AngryRebel",
				"AppleJeus",
				"Aryan",
				"AuditCred",
				"BADCALL",
				"BISTROMATH",
				"BLINDINGCAN",
				"BTC Changer",
				"BUFFETLINE",
				"BanSwift",
				"Bankshot",
				"Bitrep",
				"Bitsran",
				"BlindToad",
				"Bookcode",
				"BootWreck",
				"BottomLoader",
				"Brambul",
				"BravoNC",
				"Breut",
				"COLDCAT",
				"COPPERHEDGE",
				"CROWDEDFLOUNDER",
				"Castov",
				"CheeseTray",
				"CleanToad",
				"ClientTraficForwarder",
				"CollectionRAT",
				"Concealment Troy",
				"Contopee",
				"CookieTime",
				"Cyruslish",
				"DAVESHELL",
				"DBLL Dropper",
				"DLRAT",
				"DRATzarus",
				"DRATzarus RAT",
				"Dacls",
				"Dacls RAT",
				"DarkComet",
				"DarkKomet",
				"DeltaCharlie",
				"DeltaNC",
				"Dembr",
				"Destover",
				"DoublePulsar",
				"Dozer",
				"Dtrack",
				"Duuzer",
				"DyePack",
				"ECCENTRICBANDWAGON",
				"ELECTRICFISH",
				"Escad",
				"EternalBlue",
				"FALLCHILL",
				"FYNLOS",
				"FallChill RAT",
				"Farfli",
				"Fimlis",
				"FoggyBrass",
				"FudModule",
				"Fynloski",
				"Gh0st RAT",
				"Ghost RAT",
				"Gopuram",
				"HARDRAIN",
				"HIDDEN COBRA RAT/Worm",
				"HLOADER",
				"HOOKSHOT",
				"HOPLIGHT",
				"HOTCROISSANT",
				"HOTWAX",
				"HTTP Troy",
				"Hawup",
				"Hawup RAT",
				"Hermes",
				"HotCroissant",
				"HotelAlfa",
				"Hotwax",
				"HtDnDownLoader",
				"Http Dr0pper",
				"ICONICSTEALER",
				"Joanap",
				"Jokra",
				"KANDYKORN",
				"KEYMARBLE",
				"Kaos",
				"KillDisk",
				"KillMBR",
				"Koredos",
				"Krademok",
				"LIGHTSHIFT",
				"LIGHTSHOW",
				"LOLBAS",
				"LOLBins",
				"Lazarus",
				"LightlessCan",
				"Living off the Land",
				"MATA",
				"MBRkiller",
				"MagicRAT",
				"Manuscrypt",
				"Mimail",
				"Mimikatz",
				"Moudour",
				"Mydoom",
				"Mydoor",
				"Mytob",
				"NACHOCHEESE",
				"NachoCheese",
				"NestEgg",
				"NickelLoader",
				"NineRAT",
				"Novarg",
				"NukeSped",
				"OpBlockBuster",
				"PCRat",
				"PEBBLEDASH",
				"PLANKWALK",
				"POOLRAT",
				"PSLogger",
				"PhanDoor",
				"Plink",
				"PondRAT",
				"PowerBrace",
				"PowerRatankba",
				"PowerShell RAT",
				"PowerSpritz",
				"PowerTask",
				"Preft",
				"ProcDump",
				"Proxysvc",
				"PuTTY Link",
				"QUICKRIDE",
				"QUICKRIDE.POWER",
				"Quickcafe",
				"QuiteRAT",
				"R-C1",
				"ROptimizer",
				"Ratabanka",
				"RatabankaPOS",
				"Ratankba",
				"RatankbaPOS",
				"RawDisk",
				"RedShawl",
				"Rifdoor",
				"Rising Sun",
				"Romeo-CoreOne",
				"RomeoAlfa",
				"RomeoBravo",
				"RomeoCharlie",
				"RomeoCore",
				"RomeoDelta",
				"RomeoEcho",
				"RomeoFoxtrot",
				"RomeoGolf",
				"RomeoHotel",
				"RomeoMike",
				"RomeoNovember",
				"RomeoWhiskey",
				"Romeos",
				"RustBucket",
				"SHADYCAT",
				"SHARPKNOT",
				"SIGFLIP",
				"SIMPLESEA",
				"SLICKSHOES",
				"SORRYBRUTE",
				"SUDDENICON",
				"SUGARLOADER",
				"SheepRAT",
				"SierraAlfa",
				"SierraBravo",
				"SierraCharlie",
				"SierraJuliett-MikeOne",
				"SierraJuliett-MikeTwo",
				"SimpleTea",
				"SimplexTea",
				"SmallTiger",
				"Stunnel",
				"TAINTEDSCRIBE",
				"TAXHAUL",
				"TFlower",
				"TOUCHKEY",
				"TOUCHMOVE",
				"TOUCHSHIFT",
				"TOUCHSHOT",
				"TWOPENCE",
				"TYPEFRAME",
				"Tdrop",
				"Tdrop2",
				"ThreatNeedle",
				"Tiger RAT",
				"TigerRAT",
				"Trojan Manuscript",
				"Troy",
				"TroyRAT",
				"VEILEDSIGNAL",
				"VHD",
				"VHD Ransomware",
				"VIVACIOUSGIFT",
				"VSingle",
				"ValeforBeta",
				"Volgmer",
				"Vyveva",
				"W1_RAT",
				"Wana Decrypt0r",
				"WanaCry",
				"WanaCrypt",
				"WanaCrypt0r",
				"WannaCry",
				"WannaCrypt",
				"WannaCryptor",
				"WbBot",
				"Wcry",
				"Win32/KillDisk.NBB",
				"Win32/KillDisk.NBC",
				"Win32/KillDisk.NBD",
				"Win32/KillDisk.NBH",
				"Win32/KillDisk.NBI",
				"WinorDLL64",
				"Winsec",
				"WolfRAT",
				"Wormhole",
				"YamaBot",
				"Yort",
				"ZetaNile",
				"concealment_troy",
				"http_troy",
				"httpdr0pper",
				"httpdropper",
				"klovbot",
				"sRDI"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434511,
	"ts_updated_at": 1775792299,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/aaaee8572bd993248435e62244c59ec5bfae3866.pdf",
		"text": "https://archive.orkl.eu/aaaee8572bd993248435e62244c59ec5bfae3866.txt",
		"img": "https://archive.orkl.eu/aaaee8572bd993248435e62244c59ec5bfae3866.jpg"
	}
}