Lazarus Group intensifies attacks on crypto browser extensions: Group-IB

Lazarus Group is intensifying its cyberattacks on the cryptocurrency market by distributing advanced malware through fake video apps and expanding its targeting of browser extensions.

The Lazarus Group, the notorious North Korean hacker gang known for its sophisticated cyber campaigns against the crypto industry, is increasing its efforts to target crypto professionals and developers. The group has introduced new malware variants and expanded its focus to include video conferencing applications, according to a recent research report from cybersecurity firm Group-IB.

In 2024, Lazarus expanded its attacks with its “Infectious Conversation” campaign, which tricked job seekers into downloading malware under the guise of job-related tasks. The scheme now includes a fake video conferencing app called “FCCCall” that mimics real software and installs the BeaverTail malware, which then deploys the Python-based backdoor “InvisibleFerret.”

“BeaverTail’s core functionality remains unchanged: it exfiltrates credentials from browsers and data from the browser extension of cryptocurrency wallets.”

Group-IB

Group-IB researchers also identified a new Python script package called “CivetQ” as part of Lazarus’ evolving toolset. The group’s tactics now include using Telegram for data exfiltration and expanding their access to gaming-related repositories, trojanizing Node.js-based projects to spread their malware.

“After making initial contact, they would often try to move the conversation to Telegram, where [hackers] “We will then ask potential interview candidates to download a video conferencing app or a Node.js project to perform a technical task as part of the interview process.”

Group-IB

Group-IB analysts highlighted that Lazarus’ latest campaign has increasingly focused on crypto wallet browser extensions, adding that malicious actors are now targeting a growing number of applications such as MetaMask, Coinbase, BNB Chain Wallet, TON Wallet, and Exodus Web3.

The group has also developed more advanced methods to hide its malicious code, making it even harder to detect.

This escalation reflects broader trends highlighted by the FBI, which recently warned that North Korean cyber actors are targeting employees in the decentralized finance and cryptocurrency sectors with highly specialized social engineering campaigns. According to the FBI, these sophisticated tactics are designed to penetrate even the most secure systems, posing an ongoing threat to organizations holding significant crypto assets.