Catenaa, Wednesday, January 22, 2025 – A new cyberattack campaign linked to the North Korean Lazarus Group is exploiting the growing Web3 and cryptocurrency sectors, targeting freelance software developers with fake LinkedIn profiles to distribute malware.
Known as Operation 99, the campaign begins with deceptive recruiters posing as potential employers on social media platforms, luring developers into supposed test projects and code reviews.
Once a victim engages, they are directed to clone a seemingly harmless GitLab repository.
However, the cloned code contains malware that connects to command-and-control servers, infiltrating the victim’s environment.
Global victims have been identified, with a notable concentration in Italy.
Other impacted countries include Argentina, Brazil, Egypt, and the US.
The attackers use “pay99” labels in their malicious files, suggesting a well-organized scheme to steal sensitive data.
Cybersecurity firm SecurityScorecard revealed that the operation targets developers to extract source code, secrets, and cryptocurrency wallet keys.
The malware architecture is flexible, capable of running on Windows, macOS, and Linux systems. It includes tools to steal data from web browsers and to monitor keystrokes, potentially leading to significant financial theft.
This latest tactic builds on the Lazarus Group’s evolving methods, previously observed in earlier job-themed attacks like Operation Dream Job.
By leveraging AI-generated profiles and realistic communication, the attackers create highly convincing ruses to exploit human trust and curiosity, fueling North Korea’s financial goals through cryptocurrency theft.
