Lazarus Group Escalates Cyber Attacks on Crypto Browser Extensions

The Lazarus Group, a notorious North Korean hacking syndicate, has intensified its cyberattacks on the cryptocurrency industry, with a sharp focus on professionals and developers in the space. According to a recent report from cybersecurity firm Group-IB, the group has evolved its attack methods, introducing sophisticated malware variants and extending its targeting to browser extensions and video conferencing apps.

Lazarus Group’s Expanding Arsenal

In a continued effort to exploit vulnerabilities within the crypto market, the Lazarus Group has launched the “Contagious Interview” campaign, aimed at job seekers. This campaign lures unsuspecting victims into downloading malware disguised as job-related tasks. A fake video conferencing application, dubbed “FCCCall,” is now being used to deploy the BeaverTail malware, which extracts sensitive credentials and data from cryptocurrency wallet browser extensions.

Group-IB researchers highlighted that Lazarus has significantly expanded its attack surface. The group’s latest toolkit includes a new suite of Python scripts, named “CivetQ,” as well as advanced techniques for data exfiltration through platforms like Telegram. Their tactics have also moved into gaming-related repositories and Node.js-based projects, which are trojanized to spread their malicious code further.

Targeting Crypto Wallet Extensions

A major focus of Lazarus’s recent attacks is on browser extensions linked to crypto wallets. Popular extensions such as MetaMask, Coinbase Wallet, BNB Chain Wallet, and Exodus Web3 have been key targets. The group has developed new methods to disguise their malicious code, making detection increasingly difficult. By leveraging social engineering tactics, hackers pose as potential employers and lure victims into downloading infected applications under the guise of technical interview tasks.

These developments reflect the broader threat landscape, with the FBI warning that North Korean cyber actors are increasingly using tailored social engineering campaigns to infiltrate organizations involved in decentralized finance and cryptocurrency. The Lazarus Group’s growing capabilities present a significant risk to both individuals and institutions with substantial crypto holdings.

Lazarus Group’s Shift in Strategy

The Lazarus Group’s latest campaign showcases its strategic pivot toward more specialized attacks on the crypto industry. By exploiting browser vulnerabilities and leveraging social engineering, they are able to penetrate systems that were once considered secure. Their malware, such as BeaverTail and InvisibleFerret, has been instrumental in exfiltrating credentials and compromising cryptocurrency assets. The Group-IB report emphasizes that this new phase of cyberattacks highlights the increasing complexity and sophistication of Lazarus’s operations.