### Operation Marstech Mayhem # Lazarus Group’s Open-Source Trap: ## North Korea’s New Malware Tactic Targeting Developers and Crypto Wallets ----- **In the wake of Operation99 and Operation Phantom Circuit, STRIKE uncovered that the Lazarus Group had** **engineered an advanced implant, codenamed "marstech1." This state-of-the-art tool marks a significant** **evolution from earlier iterations deployed in global campaigns against developers, featuring unique functional** **enhancements that distinctly set it apart.** #### Key Findings **•** **A new implant, Marstech1, was developed and deployed by the threat actor, showing significant differences** **from previous versions.** **•** **The implant Marstech seems to be used in limited targeted attacks on the supply; it has not surfaced** **elsewhere, since its two occurrences in late 2024 and Jan 2025.** **•** **STRIKE also identified a GitHub profile associated with the Lazarus Group operator behind this campaign,** **who has been actively developing implants since November 2024.** #### Analysis **STRIKE uncovered an additional command and control** **server hosted on Stark Industries LLC that exhibited a pattern** **reminiscent of Operation 99 and Phantom Circuit. However, this** **server appears to employ entirely different tactics from what** **we've seen before. While recent C2s have communicated over** **ports 1224 and 1245, this one is operating on port 3000 and** **lacks the React web admin panel observed in Phantom Circuit—** **though it clearly runs Node.js Express on the backend. This** **setup is markedly different from those seen in previous operations.** **NMAP Scan** **The C2 is delivering an obfuscated Java Script implant known as Marstech1, which we cover later on what** **it exactly does. In addition, it serves similar implants that were observed in Operation99, but they have also** **evolved. Two implants known as pay_marstech1 and brow_marstech1 are similar, but different.ions, specifically** **on December 30, January 6, and January 10, maintaining an RDP session for 10 days. In the context of** **Operation99, which involved the C2 server 5[.]253[.]43[.]122, the adversary logged in via RDP more than a** **dozen times between December 26 and January 15.** ----- #### Obfuscation Techniques **The Marstech implants utilize different obfuscation techniques than previously seen. The JS implant that was** **observed utilizes;** **•** **Control flow flattening & self-invoking functions** **•** **Random variable and function names** **•** **Base64 string encoding** **•** **Anti-debugging (anti-tamporing checks)** **•** **Splitting and recombining strings** **This ensures that if the threat actor embedded the JS into a software project it would go unnoticed.** **The other components, namely pay_marstech1 and brow_marstech1, employ an alternative method to obscure** **their actual purpose. Their obfuscation process consists of two steps:** **•** **Base85 Encoding:** **The long string (assigned to pq) is divided into two segments. The first 8 characters serve as a key** **(stored in wq), while the remainder (from index 9 onward) is Base85 encoded. The code utilizes Python’s** **b85decode to decode this segment.** **•** **XOR Decryption:** **Following the Base85 decoding, the code iterates over each byte of the decoded data, applying an XOR** **operation with a corresponding byte from the key. The key repeats every 8 bytes, achieved using the** **modulo operation (l0 & 7). This process effectively reverses a simple repeating-key XOR cipher.** #### Operation **The GJS Marstech implant is engineered to** **collect system details from the target machine,** **including the hostname, platform, and home** **directory—a standard reconnaissance** **tactic in Lazarus implants to assess the host** **environment. When accessed directly from the** **C2 server at hxxp://74.119.194.129:3000/j/** **marstech1, the JS script appears completely** **unreadable and obfuscated. The adversary can** **embed this implant into legitimate websites,** **software packages, and other parts of the supply** **chain, and it may even be included in genuine** **NPM packages aimed at the cryptocurrency/** **web3 sector.** **Latest Marstech Victims from Jan 2025** ----- ##### Have we seen this before? **The Marstech implant appears to have first emerged in late** **December 2024, linked to a command and control server** **at 95.164.45.239, which the threat actor also hosted within** **Stark Industries. It followed similar patterns to recent C2** **infrastructure, establishing connections over port 3000. The** **implant was embedded within the code of a GitHub repository** **associated with SuccessFriend, which STRIKE suspects to be** **the Lazarus threat actor’s GitHub profile. Notably, the Marstech** **operation seems to be distinct from other campaigns targeting** **developers.** ##### Lazarus in Github **Profile for Success Friend** **STRIKE discovered this profile connected to several C2s dating back to 2024 for the Marstech implant. The** **profile mentioned web dev skills and learning blockchain which is in alignment to the interests of Lazarus. The** **threat actor was committing both pre-obfuscated and obfuscated payloads to various github repositories.** **The SuccessFriend github profile has been active since July 2024, with the most recent activity 2 weeks ago.** **The profile contains a history of legitimate code committed to a number of projects, most recently starting in** **November 2024 malware related repos started to appear.** **The threat actor published several repositories that** **contained code related to this recent operation, such** **as test0122 which contains the implant code pre-** **obfuscation.** **Malware Repo time-line** **This repository contained the 1[st] and 2[nd ]stage implants** **involved in the Marstech operation, including pre-** **obfuscated 2[nd] stage and obfuscated 1[st] stage implants.** **Malware Repo time-line** ----- **Marstech1 1[st] stage Implant to download** **from URL (hxxp://95.164.45.239:3001/** **client/marstech1)** **The actor published the 1[st] stage implant (origin.** **js) known as Marstech1 in this repository. The** **full functionality of Marstech is described in later** **sections. This implant sent exfiltrated data to the** **URL path hxxp://95.164.45.239:3001/uploads** **and retrieved 2[nd] stage implants from the URL path** **hxxp://95.164.45.239:3001/client/marstech1.** ##### Analysis of code from test0122 **The implants in the Github repository are remarkably different from what is being served from the command** **and control. In the repository test0122 it contains an implant named mc_cur.py that was created two weeks ago.** **The purpose of this implant is to search across Chromium-based browser directories, across multiple operating** **systems in order to modify specific browser configuration files. It focuses on tampering with extension related** **settings, most notably for the MetaMask extension (a popular cryptocurrency wallet extension). Further, the** **implant will report status and download payloads from the C2 URL 74.119.194.129 on port 3001. The implant** **will inject into the browser, but first it must gather a unique identifier from the system (Windows it locates SID** **and macOS the hardware UUID).** **The implant will then specify what browser extensions** **it will target for injection. The example below shows** **the extension ID for MetaMask. The next step** **afterwards is to iterate over target browsers and** **their profiles, followed by looking for the extensions** **settings folder and preparing for injection.** **Function to obtain a unique ID from target system** **The implant will download and extract a remote payload** **from the C2 and extract it in the destination extensions** **folder. Once the payload is present in the directory, the** **implant will modify the browsers preferences file to** **integrate remote config data from the C2 server.** **Function to specify what target extension to inject** **Remote payload downloading** ----- **Remote payload downloading** #### Marstech Implant Capabilities **The following is the analysis of the obfuscated JavaScript file found being served by the C2 and within the code** **repositories.** ##### Crypto Currency Targeting **This JS implant is targeting Exodus and Atomic Crypto currency wallets on Linux, MacOS and Windows. The** **implant will scan the system looking for cryptocurrency wallets in an effort to scan and read the file contents or** **extract metadata.** **The code begins by verifying that a specified** **target directory exists and is accessible. It then** **creates a temporary workspace by appending** **a fixed suffix (in this case, a '9') to the original** **directory path. This temporary directory is used** **to recursively copy or enumerate all files and** **subdirectories. For each file discovered, the script** **constructs its full path using Node’s path-joining** **methods and reads the file's contents using a** **helper function, effectively gathering data from** **every file in the target directory.** **Obfuscated Code for Crypto Wallet Scanning** ----- **Once the file data is collected, each file’s content is packaged along with a unique identifier—which combines a** **provided label and the filename—into an object. These objects are aggregated into an array that represents all** **of the extracted data. Finally, this array is passed to an exfiltration function, which is responsible for sending the** **data to a remote server via an HTTP POST request. This entire mechanism is part of a larger operation aimed at** **stealing sensitive information from the scanned directory.** **Function for scanning and data extraction** ----- ##### Data Exfiltration **Once the file data is packaged into an array of objects (each containing the file’s content along with its** **corresponding identifier and metadata), the script calls a dedicated exfiltration function—commonly referenced** **as aW. This function builds a payload that includes not only the aggregated file data but also additional** **metadata such as a timestamp (derived from Date.now()), a fixed type identifier (e.g., "marstech1"), and a host** **identifier. The payload is structured into an object where different keys (decoded from Base64 strings) are used** **to label the data and metadata.** **Functionality to exfiltrate data to C2** **In this code, ak decodes the Base64** **string "NzQuMTE5LjaHR0cDovLwE5NC4** **xMjk6MzAwMA==" to produce** **"74.119.194.129: 3000", and the decoded** **fragment from "L3VwbG9hZHM"** **is "/uploads". When concatenated,** **they yield the full C2 endpoint:** **hxxp://74.119.194.129:3000/uploads.** **The constructed payload is then sent to the** **command-and-control (C2) server using the** **Node.js HTTP request library. Specifically, the** **function makes an HTTP POST request by calling** **a method on the imported request module (after** **decoding, this corresponds to request.post).** **The target URL for the POST is also dynamically** **constructed from Base64-encoded fragments,** **making it harder to detect. This POST request** **delivers the packaged data over the network,** **effectively exfiltrating the sensitive information to** **the remote C2 server controlled by the attacker.** **Specific function to send data via HTTPs post to /uploads** **Decoding C2 URL from JS code** ----- ##### Anti-Analysis **The anti-analysis code employs one-time execution wrappers and console hijacking techniques to complicate** **both static and dynamic analysis. The one-time wrappers (functions like a6 and a8) allow critical functions to** **run only once, immediately nulling the callback afterward so that subsequent calls yield no effect. This prevents** **analysts from repeatedly invoking or modifying key functions during debugging or automated analysis.** **Additionally, a self-referential check (in a7) examines the function's own string representation, a tactic intended** **to detect tampering or reverse engineering attempts.** **In parallel, the script modifies standard console methods (via the function wrapped in a9) by replacing them** **with custom bound functions. This console hijacking obscures debug output and interferes with traditional** **logging, making it harder to trace internal operations during runtime. Together, these techniques hinder the** **analyst’s ability to fully understand or debug the malware, thus enhancing its resistance against analysis and** **reverse engineering.** **Anti Analysis one-time execution wrapper** **Modifying Console functions** ----- #### Conclusion **Operation Marstech Mayhem exposes a critical evolution in the Lazarus Group's supply chain attacks,** **demonstrating not only their commitment to operational stealth but also significant adaptability in implant** **development. The introduction of the Marstech1 implant, with its layered obfuscation techniques—from** **control flow flattening and dynamic variable renaming in JavaScript to multi-stage XOR decryption in Python—** **underscores the threat actor’s sophisticated approach to evading both static and dynamic analysis.** **The discovery of novel command-and-control infrastructure operating on unconventional ports and hosting** **unique Node.js Express backends highlights a deliberate shift from previous tactics seen in Operations 99** **and Phantom Circuit. This divergence in operational methodology not only complicates detection but also** **suggests that the Lazarus Group is continuously refining their techniques to exploit vulnerabilities in modern** **software supply chains, including the targeting of cryptocurrency wallets and tampering with browser extension** **configurations.** **Furthermore, the integration of these implants within legitimate repositories on GitHub, and their subsequent** **embedding in trusted software packages, poses a significant risk to both developers and end-users alike. The** **use of advanced anti-debugging measures and self-modifying code further exacerbates the challenge of real-** **time threat analysis, emphasizing the need for heightened vigilance and a robust security framework in supply** **chain management.** **In summary, the findings of Operation Marstech Mayhem serve as a stark reminder that the landscape of** **cyber threats is rapidly evolving. It is imperative for organizations and developers to adopt proactive security** **measures, continuously monitor supply chain activities, and integrate advanced threat intelligence solutions to** **mitigate the risk of sophisticated implant-based attacks orchestrated by threat actors like the Lazarus Group.** #### Contact STRIKE for Incident Response **SecurityScorecard’s STRIKE Team has access to one of the world’s largest databases of cybersecurity signals,** **dedicated to identifying threats that evade conventional defenses. With proactive risk management and a rapid** **response approach, SecurityScorecard offers companies protection against third-party risks and the ability to** **counter active threats like Operation Marstech Mayhem.** **Discover how SecurityScorecard and its STRIKE Team can strengthen your enterprise’s security. For STRIKE** **[media inquiries, contact us here.](mailto:securityscorecard%4010fold.com?subject=Hello)** -----