{
	"id": "daf502cf-1d2e-437a-88a4-f288eef9117b",
	"created_at": "2026-05-01T03:10:44.554778Z",
	"updated_at": "2026-05-01T03:10:50.599508Z",
	"deleted_at": null,
	"sha1_hash": "c26628bae4d007fdef38b80701010a1d2e91981a",
	"title": "Inside Lazarus: How North Korea uses AI to industrialize attacks on developers",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1788341,
	"plain_text": "Inside Lazarus: How North Korea uses AI to industrialize attacks\r\non developers\r\nBy Marcus Hutchins\r\nPublished: 2026-04-22 · Archived: 2026-05-01 02:14:13 UTC\r\nThis research was also highlighted in WIRED. You can read the full article from Andy Greenberg and Matt\r\nBurgess here. \r\nTL;DR\r\nExpel is actively tracking an APT group that we assess with high confidence to be North Korean (DPRK)\r\nstate-sponsored. We suspect that the threat actor is a subgroup or spin-off of a larger organization,\r\npotentially starting out as fraudulent IT workers before pivoting to malware.\r\nThe group is extremely active in targeting Web3 developers and is primarily focused on stealing high-value\r\ndigital assets such as cryptocurrency and NFTs.\r\nAs much as $12M worth of cryptocurrency wallets were exfiltrated by the threat actor in 3 months, though\r\nhardware security tokens may limit damage.\r\nWhilst this specific group is financially motivated, many of their techniques overlap with other DPRK\r\nAPTs, including those engaged in espionage.\r\nThe group makes heavy use of Generative AI, often abusing tools like Cursor and ChatGPT.\r\nhttps://expel.com/blog/inside-lazarus-how-north-korea-uses-ai-to-industrialize-attacks-on-developers/\r\nPage 1 of 18\n\nIntroducing Expel-TA-0001 (AKA HexagonalRodent)\r\nWhy yet another threat actor name?\r\nLike many of you, we’re also frustrated with the endless creation of new names for threat actors. With that said,\r\nwe did find it necessary on this occasion. Vendors name threat actors based on their own internal intelligence, but\r\nthe less of that intelligence that gets published, the harder it is for us to know if what we’re seeing maps perfectly\r\nto activity named by another vendor.\r\nHexagonalRodent is an active user of three pieces of malware known as BeaverTail, OtterCookie, and\r\nInvisibleFerret. BeaverTail and OtterCookie are both multi-functional malware toolkits written in NodeJS. 
They\r\npossess a wide array of features from password stealers to reverse shell capabilities. InvisibleFerret, on the other\r\nhand, is written in Python and acts purely as a reverse shell.\r\nFrom the outside, we cannot assess the internal team structures of DPRK’s military and intelligence groups.\r\nWithin the threat intelligence community, we divide groups based on distinctions in motivations, techniques, and\r\ntooling. While all of these tools have been widely attributed to DPRK, they aren’t exclusive to just one group\r\nwithin DPRK. There are multiple different variants of each piece of malware, which we believe are operated by\r\ndifferent groups.\r\nFor the most part, all of the groups have typically been lumped together under a single name, or referred to by the\r\nmalware they use.\r\nBelow is a non-comprehensive list of vendor names for groups seen using this malware:\r\nFamous Chollima\r\nPurpleBravo\r\nUNC5342\r\nDEV#POPPER\r\nDeceptiveDevelopment\r\nContagious Interview\r\nWithout access to the internal intelligence vendors use to make their group determinations, we cannot reliably\r\nknow how or if the activity we’re tracking overlaps with any specific name. Additionally, we believe this group to\r\nbe a subset of a larger group. Therefore, it made sense to name this specific activity cluster.\r\nWe do, however, assess with medium-high confidence that this group is a subset of what CrowdStrike refers to as\r\nFamous Chollima. Although this name encompasses both DPRK-sponsored fraudulent IT workers and several\r\nmalware-based crypto theft groups, we’ve seen no evidence to suggest that this specific subgroup engages in\r\nfraudulent IT work.\r\nTargeting and modus operandi\r\nHexagonalRodent primarily targets Web3 developers with the goal of stealing crypto assets. 
They\r\nsocial engineering developers with the promise of high-paying tech jobs, a technique that has likely become more\r\nsuccessful as a result of consistent mass layoffs in the industry and the resulting hiring glut. The threat actors may\r\nreach out to targets directly via platforms like LinkedIn, or publish fake job openings to popular career portals.\r\nOnce the threat actors have lured in a developer with a fake job offer, they then request that the developer undergo\r\na coding skills assessment. For software engineering jobs, it’s not unusual for companies to test developers’ skills\r\nby providing them with a ‘take home assessment’ (a coding project that the developer must debug, add features to,\r\nor audit, and turn in for review at a later date).\r\nHexagonalRodent’s skills assessments are subtly backdoored with malware. One technique often leveraged is the\r\ntasks.json feature in VSCode (an extremely popular code editor). The config file enables developers to configure\r\nautomated tasks to be run by VSCode when certain events occur. The threat actors abuse this by shipping their\r\nown tasks.json with a malicious \"runOn\": \"folderOpen\" command configured. This causes VSCode to execute\r\nmalware simply as a result of the target opening the source code folder with VSCode.\r\nAdditionally, the skills assessments have backdoors in the actual code, which are designed to be executed when\r\nthe code is run. 
This serves as a primary infection vector for targets who are not using VSCode, as well as a\r\nfallback in cases where the user opens the project in safe mode, or has VSCode tasks disabled.\r\nDifference in TTPs between HexagonalRodent and other DPRK-aligned actors\r\nGroups like Stardust Chollima (AKA Sapphire Sleet) and Pressure Chollima (AKA JadeSleet/TraderTraitor)\r\nconduct sophisticated, highly targeted intrusions into the networks of large crypto exchanges. HexagonalRodent,\r\nin comparison, is much more opportunistic. The group may capitalize on credentials they stumble across, but tends\r\nto stick to exfiltrating crypto wallets and passwords directly from individual systems. We have not seen any\r\nevidence of attempts to move laterally within corporate networks.\r\nDespite their relatively untargeted and unsophisticated nature, HexagonalRodent have found plenty of success in\r\noperating high-volume malware campaigns. While cryptocurrency exchanges tend to have the largest holdings,\r\nthey also have the most security. On the other hand, there are plenty of small Web3 projects and crypto investors\r\nwho hold significant funds, but lack the appropriate means to secure them.\r\nA rare supply chain attack\r\nRecently, HexagonalRodent appears to have successfully pulled off a supply chain attack. This is not something\r\nwe’ve seen from this group before. On March 18, it was revealed that the ‘fast-draft’ VSX extension had been\r\ncompromised and used to install malware. \r\nThe malware command-and-control server (C2) listed in the blog is 195.201.104[.]53, which belongs to the\r\nOtterCookie malware family. This specific server and OtterCookie variant are ones we’d already attributed to\r\nHexagonalRodent and were tracking prior to the fast-draft attack.\r\nWhile it’s possible the developer was deliberately targeted, this is the first time we’ve seen HexagonalRodent\r\nconduct a supply chain attack. 
It may simply be the case that they went digging through their exfiltrated\r\ncredentials for any access to repositories that they could use to help spread their malware. \r\nWe can confirm that a user matching the full name of the fast-draft extension’s developer was infected by\r\nOtterCookie on March 9, 2026.\r\nGenerative AI use\r\nHexagonalRodent makes significant use of generative AI in their campaigns. Through our telemetry, we were able\r\nto identify the use of ChatGPT and Cursor. We reached out to the companies that operate these products\r\nand notified them of the threat actor’s abuse of their services.\r\nCursor’s team got back to us within one business day and let us know they were investigating the accounts\r\nprovided, and provided the following statement: \r\n“Cursor was recently made aware of the issue and has blocked both the user and the IP addresses used in the\r\nattack per our Terms of Service. We are investigating further and are in communication with other model\r\nproviders on the incident.”\r\nThe company behind ChatGPT, OpenAI, provided the following statement: \r\n“Based on our visibility, a small number of accounts associated with this activity sought assistance from our\r\nmodels on dual use cyber topics that have legitimate security, software development, and administrative use cases,\r\nbut that can also be misused—e.g. password recovery and credential-security workflows, server and infrastructure\r\nsecurity, developer troubleshooting, and crypto wallet recovery processes.\r\n“This was limited ChatGPT usage rather than sustained or broad malware development activity. Where our safety\r\nsystems detected more overtly malicious intent, our models refused or redirected those requests toward safer, dual-use responses. 
We did not identify any novel capabilities in these interactions.\r\n“We’d like to thank Expel for contacting us and sharing their findings, and we encourage others to do so as well.\r\nCollaboration with external researchers and industry partners helps surface abuse faster and improve collective\r\ndefense.”\r\nAI-Powered malware development\r\nIdentifying use of AI in malware development\r\nCode written using generative AI often contains verbose comments written using very formal language in perfect\r\nEnglish. Handwritten malware, on the other hand, rarely ever has comments. When it does, they’re typically very\r\nshort and to the point, using slang terms and abbreviations.\r\nOne strange artifact of code generated with certain AI tools is the presence of emojis in both the code and code\r\ncomments. This is highly unusual, since it’s not prevalent in real world code, including the code that AI models\r\nwere trained on. To type emojis on most desktop systems, developers would either need to memorize emoji\r\nkeyboard shortcuts, or bring up the emoji panel and pick one by hand. These are both time-consuming practices,\r\nwhich interfere with most developers’ desire to write code efficiently.\r\nEvidence of AI use in threat actor tooling development\r\nUnfortunately, both the BeaverTail and OtterCookie tooling have been around for some time, so we don’t have any\r\ninsights into the initial development of this code. The malware is also obfuscated with the commercial JavaScript\r\nobfuscator obfuscator.io. Obfuscation strips original code structure and comments, which makes it much harder to\r\nidentify telltale signs of AI use.\r\nHowever, the initial loader for the BeaverTail and OtterCookie malware did, at one point, contain artifacts\r\nconsistent with AI-generated code. 
The comments are overly verbose, including literal step-by-step explanations\r\nof what each fragment does, as well as a slew of emojis.\r\nA small snippet of the malware loader showing the verbose comments and emoji use.\r\nWhile not a smoking gun, these kinds of artifacts are well-known signs of AI-generated code, but extremely rare to\r\nsee in handwritten code.\r\nAdditionally, according to a threat intelligence report published by Anthropic in 2025, several DPRK-sponsored\r\nthreat actors registered accounts for Claude. The report claims that the users likely intended to, among other\r\nthings, refine the BeaverTail, OtterCookie, and InvisibleFerret malware. What’s notable about this specific\r\ninstance is that Anthropic states that they were aware of the threat actors prior to them registering accounts, and\r\nwere able to ban them before they were able to send even a single prompt.\r\nMore conclusively, we did find two new in-development tools being tested in the wild. Both of these tools are\r\nentirely ‘vibe coded’, which we were able to confirm as a result of the threat actor accidentally leaking some of\r\nthe prompts used to generate the malware. Additionally, the code wasn’t obfuscated, revealing extensive debug\r\ncode littered with emojis.\r\nA snippet of one tool (a web-based keylogger panel) which contains egregious emoji use.\r\nWe also saw evidence of several of the threat actors prompting various US-owned AI models to audit their skills\r\nassessments’ code for malware. We believe this was likely part of an attempt to AI-proof their backdoors. \r\nPreviously, several of the threat actor’s campaigns had been burned as a result of their targets using AI to audit the\r\nskills assessment’s source code. 
Frontier AI models could often find the backdoors with ease, resulting in several\r\ntargets publicly outing the threat actor’s personas.\r\nElaborate phishing schemes\r\nHexagonalRodent’s abuse of front companies and fake websites\r\nAlthough the threat actors appear to have a strong preference for reaching out to targets directly (posing as tech\r\nrecruiters), we have seen some far more elaborate schemes. In several cases, the group set up fake company\r\nwebsites, along with associated LinkedIn accounts and employee profiles. In one case, they even registered a\r\ncorporate entity in Mexico.\r\nThrough their fake companies, the threat actors would list job openings on a multitude of Web3-focused career\r\nplatforms. The job postings would direct applicants to submit their resumes via the fake company website.\r\nFollowing receipt of a job application, one of the group’s members would then reach out to the applicant via an\r\nofficial company email and ask them to complete a skills assessment.\r\nWe suspect that these campaigns likely have a much higher success rate compared to cold calling targets via\r\nLinkedIn. However, it took significant time and resources to establish these front companies, which could be\r\nburned by even a single applicant realizing they’ve been targeted with malware.\r\nGenerative AI use in the construction of front companies\r\nThroughout the process of setting up front companies, the threat actors make heavy use of generative AI. Some of\r\nthe more elaborate operations create entire fake leadership teams. Each persona would get its own LinkedIn\r\naccount. The fake C-suites would be listed on the company’s LinkedIn page, and often its website too. 
Many of\r\nthe headshots used were AI-generated, but in some cases they’d steal photos of real people from social media\r\nposts.\r\nThe websites themselves are also built with AI. One such example is aihealthchains[.]com. Although we were\r\nunable to confirm that this specific site belongs to Expel-TA-0001, it was involved in the distribution of\r\nBeaverTail and OtterCookie malware. We personally reverse engineered several malicious skills assessments\r\npublished by the company’s GitHub account and confirmed this. However, the GitHub account has since been\r\ntaken down.\r\nThe homepage of AI Health Chains, which features an AI-generated video of lab workers as the\r\nwebsite background.\r\nWhen we inspected the source code of the website, we could see that all the assets are hosted via c.animaapp.com.\r\nThis URL is the default CDN used by websites built with Anima, an online AI-powered website design and\r\ndevelopment platform.\r\nOn this specific website, none of the assets are hosted locally; they’re all downloaded from the\r\nanimaapp CDN.\r\nWhile we do not believe that Anima is at fault, as it would have been impossible to know whether such a\r\nwebsite was being designed for a legitimate Web3 project or a front company, the Anima CEO was very proactive\r\nin reaching out and working with us to investigate the threat actor’s use of their product. The abuse of AI web\r\ndesign tools in this way was also not limited to Anima; this was simply the only such website still active at the time of\r\npublication.\r\nAnother example, which is no longer online, was codepointlab[.]com. We were able to tie this campaign back to\r\nExpel-TA-0001 because the threat actors hosted their malware control infrastructure on the same server as the\r\ncompany website. 
While one could argue that this may be a legitimate website that the actors simply\r\ncompromised, it is hosted via one of the bulletproof hosting providers they use for their malware infrastructure.\r\nHow a single thread led to us uncovering a vast hacking operation\r\nIn October 2025, following an incident involving a BeaverTail malware infection on a customer network, we\r\nbegan investigating the threat actor’s command-and-control (C2) infrastructure. During our research, we stumbled\r\nacross a trove of C2 panels. The panels, which were written in ReactJS, provided several key insights into the\r\ninner workings of the group.\r\nReactJS web applications, or WebApps, consist of two parts: a frontend and a backend. The frontend code is what\r\ngets loaded into the user’s web browser when they visit the website. Meanwhile, the backend code runs on the\r\nweb server and does most of the data processing. The frontend and backend talk to each other via an API.\r\nSince the design and layout of the WebApp is embedded in the frontend code, we don’t need to be able to log into\r\nthe threat actor’s server to see what the user interface looks like. Instead, we reverse engineered the frontend code,\r\nthen built our own backend to recreate the panel with synthetic data. This allows us to show you what it looks like.\r\nThe first WebApp, which we found on an exposed FTP server, is a prototypical infostealer panel. It allows the\r\nthreat actors to search, view, and download credentials stolen from victim systems by their malware.\r\nThe infostealer panel displaying our synthetic data from a fake system named ‘TEST-PC’.\r\nBased on analysis of the panel’s communication protocol, we believe this is for the BeaverTail malware,\r\nspecifically its infostealer component. 
The malware has the ability to exfiltrate credentials from most web\r\nbrowsers’ built-in password managers, the macOS Keychain, Linux’s Keyring, and 1Password.\r\nPivoting off the threat actor’s infrastructure\r\nOnce we’d gained an understanding of how the threat actors operate, we built custom tooling to identify more of\r\ntheir infrastructure. We spent several weeks cataloging servers related to BeaverTail, OtterCookie, and\r\nInvisibleFerret. With this information, we were able to derive many high-confidence detections to help strengthen\r\nour customers’ security.\r\nVia reverse engineering and careful analysis, we then identified which systems were involved in campaigns\r\nspecific to HexagonalRodent, and excluded those belonging to other DPRK-sponsored activity clusters. While all\r\nthe servers we found proved valuable for detection engineering, they weren’t all relevant to this investigation.\r\nDuring our triaging of DPRK-associated malware infrastructure, we found several new panels. However, they\r\ncontained different backend server IPs embedded within the code, and at first appeared to have no obvious links to\r\nHexagonalRodent.\r\nA whole host of new panels is uncovered\r\nThe next panel we found was a browser-based remote control utility. It provided the threat actor with VNC-like\r\ncapabilities (the ability to view the victim’s screen, as well as control their keyboard, mouse, and clipboard). All of\r\nthis could be done directly from the attacker’s web browser.\r\nThe remote control panel, presenting a stock image of a desktop for illustrative purposes.\r\nThe third panel we found was even more interesting. It had two separate components. The first, a remote file\r\nmanager, allowed the threat actors to browse through the victim’s filesystem. 
This feature—again, entirely\r\nbrowser-based—felt completely seamless.\r\nThe panel communicates with the malware on the victim’s system in real time. Clicking into a directory sends a\r\ncommand to the victim’s system to list said directory, then the results are sent back to the WebApp. The panel\r\nupdates the displayed directories and files dynamically, so it feels almost like you’re browsing files on your own\r\ncomputer. \r\nThe second feature is a ‘reverse shell’ controller. It provided the threat actor with the ability to run arbitrary\r\ncommands on the victim’s system. This is facilitated via cmd.exe on Windows, sh on Linux, and zsh on Mac. The\r\nresults are then dynamically displayed on the right-hand side of the panel.\r\nThe file explorer/reverse shell panel interacting with our test system. To simulate the panel, we built\r\na backend server from scratch by reverse engineering the WebApp’s communication protocol.\r\nIn the left-most column is the ‘Client List’ and ‘Controller List’ segment. The Client List displays currently\r\nconnected victim machines, showing their IP address, hostname, and operating system. The target of the file\r\nexplorer window and reverse shell is set by simply clicking on one of the systems in the list.\r\nThe ‘Controller List’, on the other hand, seems to just list the IP addresses of anyone currently logged into the\r\npanel (i.e., the threat actors). It doesn’t seem to serve any purpose other than just showing who’s currently\r\nconnected.\r\nBoth the file explorer and the reverse shell functionality are implemented via WebSocket, a protocol that enables\r\nreal-time streaming communication between a website and a WebSocket server. Both the threat actor’s web browser\r\nand the malware on the victim’s system maintain persistent connections to a custom WebSocket server. 
This server\r\nis responsible for relaying commands between the threat actor’s panel and the victim system.\r\nEssentially, the panel facilitates real-time communication between the threat actors and the victim’s system, rather\r\nthan relying on having to constantly send web requests to poll for updates. This does, however, mean that the\r\nmalware can be easily identified by checking for NodeJS processes which maintain a persistent TCP connection to\r\none of the threat actor’s servers.\r\nBelow are some example commands to check if a system is connected to the C2 server used in the fast-draft\r\nsupply-chain breach:\r\nmacOS/Linux: netstat -an | grep 195.201.104.53\r\nWindows: netstat -an | findstr 195.201.104.53\r\nKnow your animals: Beavers vs. otters\r\nWhile reversing the file explorer panel’s communication protocol, we realized something. It doesn’t match up\r\nwith the protocol used by the BeaverTail malware. It does, however, match the protocol used by OtterCookie.\r\nPreviously, we’d seen a malicious skills assessment that was backdoored with both BeaverTail and OtterCookie at\r\nthe same time. This seemed unusual, since BeaverTail and OtterCookie are both pieces of NodeJS malware and\r\nhave an almost 100% overlap in features. Why deploy two near-identical pieces of malware?\r\nInitially, we’d chalked it up to operator error. We’d been assuming that different teams were sharing skills\r\nassessment templates with each other, and one had forgotten to remove their backdoor before passing it over to\r\nanother team.\r\nHowever, after obtaining credible intelligence from a third-party source, we confirmed with high certainty that this\r\npanel, along with others on the server, is utilized by HexagonalRodent. 
This still doesn’t answer the question as\r\nto why they’re co-deploying two extremely similar pieces of malware, but it could be for redundancy in case one\r\ninfection gets detected.\r\nOur first real insight into the group’s inner workings\r\nThe final panel we found and reverse engineered was by far the most fascinating, but also equal parts confusing. It\r\nlists cryptocurrency wallets, along with their balance, but doesn’t appear to contain any features to do anything\r\nwith them.\r\nThe panel’s ‘Addresses’ page, filled with our backend’s placeholder addresses.\r\nThe panel’s ‘Teams’ page (populated with synthetic data).\r\nThe panel’s hardcoded hierarchy provides some unique insight. There is a ‘Members’ and a ‘Teams’ page. The\r\nmain page subdivides data by team, and then again by member. It implies that HexagonalRodent consists of\r\nmultiple teams, each composed of multiple members.\r\nThe OtterCookie malware provides further evidence of this. Each sample contains two hardcoded values: ‘t’ and\r\n‘userKey’. The former maps to a value in the frontend code which is also named ‘t’. This value is then used to\r\nbuild the “Teams” list. The second value, userKey, is not directly referenced in the code, but we believe it likely\r\nmaps to a Member ID.\r\nWe’ve also been tracking malicious skills assessments in the wild, cataloging which t and userKey values they\r\ncontain. The variations and volumes of these campaigns support our theory that HexagonalRodent consists of\r\nmultiple teams, each composed of several members.\r\nThe panel’s ‘workflow’ page.\r\nThe frontend code also has a page presenting a ‘Workflow’ for each ‘Member’. The workflow page lists\r\ncryptocurrency addresses grouped by system hostname (likely the specific system they were exfiltrated from). 
If\r\nuserKey is indeed the member ID, then this page would list all the cryptocurrency wallets exfiltrated by a\r\nspecific team member.\r\nWhat’s notable is the fact that the panel does not appear to contain any pages to display private keys, nor features for\r\ninteracting with the wallets beyond simply viewing their ‘initial’ and ‘current’ balance. We believe the\r\n‘initial’ balance pertains to either the balance of the wallet when it was exfiltrated from the victim system, or when\r\nit was first ingested into this panel.\r\nAdditionally, part of each user’s username is hardcoded. The panel’s code removes the word team from the user’s\r\nusername, then sets a variable named userTeam to whatever is left. This means that the username can only contain\r\nthe word team and the team number. In essence, there can only be one username per team.\r\nThe main page as viewed by a user with admin privileges.\r\nAlso embedded in the panel’s code is a function checking if the current user’s name is “admin”. If so, then the\r\nuser is granted the ability to view all members across all teams. Regular users are limited to viewing only\r\nmembers within their team.\r\nThe read-only nature of the panel, the limitation of one account per team, and the ranking-system-like interface lead us to\r\nbelieve that this is a workforce tracker rather than a command-and-control server. 
This is also consistent with\r\nother reports pertaining to DPRK’s fraudulent IT worker operations, where threat intelligence companies have\r\ndiscovered the actor’s timesheet and daily status update tracking systems.\r\nThe panel seems intended for team leaders to view their team members’ performance, as well as for a global manager\r\nto view the performance of all members and all teams.\r\nThe final score\r\nAt one point during the course of our investigation, a misconfiguration exposed the workflow tracker’s backend\r\ndatabase, allowing us to obtain the raw data from it. With this data, we were able to gain a much deeper insight\r\ninto the threat actor’s operations.\r\nThe data contained a t and id value for each wallet entry. These match up with the t and userKey variables we’ve\r\nobserved across the threat actor’s malware campaigns. With this, we can infer HexagonalRodent’s internal\r\nstructure. \r\nThere are 31 unique campaign IDs and 6 unique team numbers. The teams are named 6team, 7team, 8team,\r\n9team, 10team, and 101team. While we’re not certain there is a 1:1 map between campaign IDs and team\r\nmembers, if there is, that would imply that HexagonalRodent consists of 31 operators split across 6 teams.\r\nCuriously, there is a hardcoded reference to a ‘team 4’ in the panel’s source code, but we found no data relating to\r\na team 4 in either the workflow data or any of the HexagonalRodent campaigns we analyzed. We did, however,\r\nconfirm the existence of a Team 2 and Team 3, though both teams operate their own separate infrastructure\r\nentirely disconnected from any belonging to HexagonalRodent.\r\nOur leading theory is that some of the earlier teams may have spun off and started their own independent\r\noperations. 
One of these teams, we believe, is behind a more sophisticated version of BeaverTail, which stores\r\npayloads on the blockchain (a technique known as EtherHiding).\r\nFrom victim IP addresses and system hostnames contained within the data, we are able to deduce that the threat\r\nactor’s campaigns exfiltrated a total of 26,584 cryptocurrency wallets from 2,726 infected developers’ systems.\r\nBelow is a graph of the total USD value of wallets ingested into the threat actor’s system between January 1 and\r\nMarch 31 of 2026.\r\nTotal value of all wallets ingested each month broken down by team.\r\nTotal value of all wallets ingested monthly by all teams.\r\nIn total, it appears that public keys for wallets holding a total of up to $12 million worth of crypto assets\r\nwere exfiltrated from victim systems in the first 3 months of 2026.\r\nLimitations in assessing actual losses\r\nWhile we did attempt to evaluate the total value of assets successfully stolen, this task proved essentially\r\nimpossible. The exfiltrated wallets held thousands of tokens across a multitude of different blockchains, which\r\nmade tracking transactions extremely difficult. Furthermore, for most transactions, the threat actors used entirely\r\nnew wallets.\r\nAdditionally, since the workflow tracker does not contain any private keys, we’re unable to confirm which wallets\r\nthe threat actors were successfully able to exfiltrate full, unencrypted private keys from. The data lists many of\r\nthe wallets as being protected by hardware tokens, which means that even with persistent access to the owner’s\r\nsystem, the threat actors would be unlikely to be able to drain those wallets.\r\nWe were able to confirm that the funds from at least 13 of the wallets eventually made their way to a known\r\nDPRK-operated Ethereum address. 
The wallet, which was created in 2023, has received over $1.1 million in funds, around $500k of that in a single month, though it is unknown whether this wallet is specific to this campaign.\r\nConclusion and afterthought\r\nIt is important to note how successful HexagonalRodent’s campaigns have been in terms of the number of infected systems, despite the lack of sophisticated tooling. Their AI-generated malware is neither novel nor particularly evasive, but it is effective.\r\nA self-refutation\r\nAdmittedly, this article at least partially refutes a theory of mine. I had proposed that generative AI is unlikely to significantly lower the bar for malware development. This was predicated on the fundamentals of how LLMs work: they predict likely text based on patterns in their training data.\r\nSince writing evasive malware typically requires coming up with novel techniques, LLMs should, in theory, do the opposite. The more widely documented a malware technique is, the more prevalent it is likely to be in an LLM’s training data, but the more documented a technique is, the more reliably it is detected, so LLMs should skew towards writing highly detectable malware, unless, of course, they are being guided by a skilled malware developer who knows which techniques to avoid.\r\nHowever, HexagonalRodent makes for an important edge case. Unlike most modern financially motivated threat actors, they target individuals rather than corporate networks, so they do not have to contend with high-end security products such as EDRs and NDRs. In fact, most personal computers run no antimalware product at all, which makes the lack of evasiveness in AI-generated malware somewhat irrelevant here.\r\nVibe coded malware vs. 
high-end EDR product\r\nWhat came as a shock to us is what happened in the few cases where targets opened the malicious skills assessments on their work machine. Despite the customers’ networks running flagship EDR products, the malware did not immediately trigger any detections. Alerts came much later, after the EDR vendors deployed rules to flag connections to the attacker’s C2 IP addresses. This is what motivated us to build our own in-house detection.\r\nWe theorize that the lack of detections may be due to the accidental novelty of HexagonalRodent’s malware. The languages they chose to develop it in are NodeJS and Python. Neither is particularly common for writing malware, since neither the Python nor the NodeJS interpreter is installed by default on the average operating system.\r\nBecause the threat actors target software developers, and often those who develop applications in NodeJS and Python, they can afford to use those languages for their malware. Not only is the presence of both interpreters on a developer’s system more likely, it is highly inconspicuous. Essentially, the malware inadvertently blends in with normal developer activity: NodeJS code doing things on a NodeJS developer’s system is expected behavior.\r\nAdditionally, the group makes use of the widely used JavaScript obfuscator obfuscator.io, which legitimate developers use to protect their source code from reverse engineering and theft. This makes the malware extremely difficult to write antimalware signatures for, since the obfuscated JS malware looks like any other obfuscated JS code.\r\nThrough the combination of NodeJS malware blending naturally into developer behavior and the use of languages into which security products appear to have poor visibility, HexagonalRodent appears to have stumbled into creating a perfect storm of low-effort, high-impact malware.\r\n
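To make the signature problem described above concrete, the following is an added static triage heuristic written for this page; it is not Expel’s in-house detection, and the thresholds, the capability list and the five JavaScript samples are all constructed. It assumes obfuscator.io’s default output shape (a `_0x`-prefixed string array plus renamed identifiers) and its base64 string-array encoding option; the final sample stands in for its encrypted (rc4) option, where the strings cannot be recovered without running the decoder.

```python
"""Static triage of JavaScript that may have been run through obfuscator.io.

Added example, not Expel's in-house detection. Thresholds, the capability
list and the five samples are constructed for illustration, not indicators
from the write-up. It assumes obfuscator.io's default string-array layout
and its base64 string encoding option (both treated as assumptions here).
"""
import base64
import re

STRING_ARRAY = re.compile(r"(?:var|const|let)\s+_0x[0-9a-f]+\s*=\s*\[", re.I)  # string array
HEX_IDENT = re.compile(r"\b_0x[0-9a-f]{4,6}\b", re.I)                          # renamed identifiers
HEX_ESCAPE = re.compile(r"\\x([0-9a-f]{2})", re.I)                              # '\x63' bytes in strings
B64_LITERAL = re.compile(r"'([A-Za-z0-9+/]{4,}={0,2})'")                        # stringArrayEncoding=base64

# Capabilities a wallet stealer needs; a web bundle rarely combines all three.
CAPABILITIES = {
    "spawn": re.compile(r"child_process"),
    "homedir": re.compile(r"homedir"),
    "network": re.compile(r"\bhttps?\b"),
}


def normalize(source):
    """Undo the cheap string transforms so capability names become visible."""
    text = HEX_ESCAPE.sub(lambda m: chr(int(m.group(1), 16)), source)

    def decode(m):
        try:
            return "'" + base64.b64decode(m.group(1), validate=True).decode("utf-8") + "'"
        except (ValueError, UnicodeDecodeError):
            return m.group(0)  # not base64, or not text once decoded: leave it
    return B64_LITERAL.sub(decode, text)


def triage(source):
    """Classify a JS file by obfuscation markers and visible capabilities."""
    obfuscated = bool(STRING_ARRAY.search(source)) or len(set(HEX_IDENT.findall(source))) >= 5
    visible = normalize(source)
    caps = sorted(name for name, rx in CAPABILITIES.items() if rx.search(visible))
    if obfuscated and caps:
        verdict = "review"              # obfuscated AND stealer-like capabilities
    elif caps:
        verdict = "capability-visible"
    elif obfuscated:
        verdict = "obfuscated-only"     # same verdict as a protected legitimate bundle
    else:
        verdict = "clean"
    return {"obfuscated": obfuscated, "capabilities": caps, "verdict": verdict}


# Constructed sample 1: obfuscator.io-style output of a harmless script.
LEGIT_OBFUSCATED = (
    "var _0x3f1a=['\\x48\\x65\\x6c\\x6c\\x6f','\\x6c\\x6f\\x67'];"
    "var _0x1c2d=function(_0x4a5b){return _0x3f1a[_0x4a5b-0x0];};"
    "console[_0x1c2d(0x1)](_0x1c2d(0x0));"
)
# Constructed sample 2: stealer capabilities written in the clear.
PLAIN_STEALER = (
    "const {execSync}=require('child_process');const os=require('os');"
    "const https=require('https');const home=os.homedir();"
)
# Constructed sample 3: capability names hidden only as \xNN escapes.
OBFUSCATED_HEX_STEALER = (
    "var _0x2e7b=['\\x63\\x68\\x69\\x6c\\x64\\x5f\\x70\\x72\\x6f\\x63\\x65\\x73\\x73',"
    "'\\x68\\x6f\\x6d\\x65\\x64\\x69\\x72','\\x68\\x74\\x74\\x70\\x73'];"
    "var _0x9d3c=function(_0x11aa){return _0x2e7b[_0x11aa-0x0];};"
    "require(_0x9d3c(0x0));require('os')[_0x9d3c(0x1)]();require(_0x9d3c(0x2));"
)
# Constructed sample 4: the same with the base64 string-array encoding.
OBFUSCATED_B64_STEALER = (
    "var _0x2e7b=['Y2hpbGRfcHJvY2Vzcw==','aG9tZWRpcg==','aHR0cHM='];"
    "var _0x9d3c=function(_0x11aa){return atob(_0x2e7b[_0x11aa-0x0]);};"
    "require(_0x9d3c(0x0));require('os')[_0x9d3c(0x1)]();require(_0x9d3c(0x2));"
)
# Constructed sample 5: strings encrypted (rc4 option); nothing static to match.
OBFUSCATED_RC4_STEALER = (
    "var _0x7a1e=['/+/+/+/+','+/+/+/+/','/+/+'];"
    "var _0x5c0f=function(_0x11aa,_0x22bb){return rc4(atob(_0x7a1e[_0x11aa-0x0]),_0x22bb);};"
    "require(_0x5c0f(0x0,'k1'));require('os')[_0x5c0f(0x1,'k2')]();require(_0x5c0f(0x2,'k3'));"
)

if __name__ == "__main__":
    for name in ("LEGIT_OBFUSCATED", "PLAIN_STEALER", "OBFUSCATED_HEX_STEALER",
                 "OBFUSCATED_B64_STEALER", "OBFUSCATED_RC4_STEALER"):
        print(name, triage(globals()[name]))
```

The legitimate bundle and the rc4-encoded stealer both come back as obfuscated-only, which is the page’s point in miniature: a file-level signature either accepts that false-positive rate or the decision has to move to runtime telemetry, such as the C2 connections the EDR vendors eventually keyed their rules on.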
They have essentially, and inadvertently, built a living-off-the-land attack which weaponizes software developers’ own tooling against them.\r\nThis might only be the beginning\r\nFor the past 4 years, the tech industry has been flooded with mass layoff after mass layoff. This has likely heavily impacted DPRK’s fraudulent IT worker scheme, forcing it to reallocate resources towards other means of generating revenue. With so many software engineers out of work, and so few job opportunities available, it is all the easier for North Korean state-sponsored hackers to ensnare targets. Developers applying to hundreds or thousands of jobs without receiving a call back are likely to have their guard down when that one job offer finally comes in.\r\nIn addition, DPRK is known to exploit foreign workers to enable its operations. With IT worker schemes, they would often need people to take delivery of company-issued devices. Since many of these devices had GPS trackers, they could not simply be shipped out of the country. Instead, the operators would recruit people within the country to host the laptops from their houses. To the companies, it would appear that the laptop was being operated from within the country; in reality, it was being remotely controlled by a North Korean operative using tools like IP KVMs. Some of these operations were rather elaborate, with participants hosting tens of laptops at a time, all from their personal residence. Since payment amounts were often proportional to how many operations the subject helped facilitate, many were willing to look the other way and not ask questions if it meant a stable paycheck.
\r\nAs economic uncertainty increases, so does the number of people willing to turn a blind eye to questionable remote jobs that help facilitate foreign adversaries. This opens the door to many opportunities that go beyond fraudulent IT work and cryptocurrency-stealing malware.\r\nWhilst financially motivated cybercrime is highly unappealing to almost every nation-state, since the monetary loss from the resulting sanctions would far outweigh any financial gain, this is not the case for North Korea. The heavy sanctions already levied against the country mean there is little more that can be done to deter it, but a lot to be gained for a nation whose economic activity is severely constrained. It is estimated that revenue from cybercrime makes up between 3 and 7 percent of North Korea’s GDP, which is not insignificant.\r\nSource: https://expel.com/blog/inside-lazarus-how-north-korea-uses-ai-to-industrialize-attacks-on-developers/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MISPGALAXY"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://expel.com/blog/inside-lazarus-how-north-korea-uses-ai-to-industrialize-attacks-on-developers/"
	],
	"report_names": [
		"inside-lazarus-how-north-korea-uses-ai-to-industrialize-attacks-on-developers"
	],
	"threat_actors": [],
	"ts_created_at": 1777605044,
	"ts_updated_at": 1777605050,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/c26628bae4d007fdef38b80701010a1d2e91981a.pdf",
		"text": "https://archive.orkl.eu/c26628bae4d007fdef38b80701010a1d2e91981a.txt",
		"img": "https://archive.orkl.eu/c26628bae4d007fdef38b80701010a1d2e91981a.jpg"
	}
}