{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/tags/lazarus/","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":["Lazarus Group","HIDDEN COBRA","LABYRINTH CHOLLIMA","Diamond Sleet","Zinc"],"_cs_cpes":[],"_cs_cves":[],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["Claude Mythos","Safe{Wallet}"],"_cs_severities":["high"],"_cs_tags":["lazarus","cryptocurrency","ai","supply-chain","north-korea"],"_cs_type":"threat","_cs_vendors":["Anthropic","GitHub","LinkedIn","Bybit"],"content_html":"\u003cp\u003eRecorded Future reported in April 2026 that the Lazarus Group and other DPRK-linked actors are actively targeting AI models, such as Anthropic\u0026rsquo;s Claude Mythos, to enhance their cryptocurrency theft operations. The group employs various methods, including exploiting vulnerabilities in third-party contractor environments, fraudulent hiring schemes using fake developer personas on GitHub and LinkedIn, and supply chain attacks like the March 2026 LiteLLM compromise. These efforts aim to improve the efficiency of reconnaissance, social engineering, credential harvesting, and lateral movement during crypto exchange intrusions. The ultimate goal is to increase the amount of cryptocurrency stolen, which is then used to fund North Korea\u0026rsquo;s weapons programs. This poses a significant threat because even a modest productivity gain in these operations can lead to substantially higher revenues for the DPRK regime.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003e\u003cstrong\u003eInitial Reconnaissance:\u003c/strong\u003e The attacker performs reconnaissance on targeted crypto exchanges and AI model providers using open-source intelligence and social media platforms like GitHub and LinkedIn to identify potential targets, including system administrators and developers.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eSocial Engineering \u0026amp; Phishing:\u003c/strong\u003e The attacker crafts spear-phishing emails or fraudulent job offers, impersonating legitimate companies, to target employees at third-party vendors or crypto exchanges, aiming to harvest credentials.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eCredential Harvesting:\u003c/strong\u003e The attacker uses phishing campaigns and social engineering to harvest credentials, potentially employing AI tools to create more convincing fake personas or phishing emails.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eInitial Access:\u003c/strong\u003e Using stolen or synthetic credentials, the attacker gains initial access to a third-party vendor\u0026rsquo;s system or directly into the target crypto exchange\u0026rsquo;s network. This could involve accessing a cloud-based AI model like Claude Mythos via a compromised contractor account.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eLateral Movement:\u003c/strong\u003e Once inside the network, the attacker performs lateral movement, leveraging compromised accounts and exploiting internal vulnerabilities to gain access to sensitive systems, such as Safe{Wallet} systems.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eKey Extraction:\u003c/strong\u003e The attacker focuses on extracting private keys and other sensitive information necessary to access and transfer cryptocurrency.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eCryptocurrency Theft:\u003c/strong\u003e Using the stolen keys, the attacker initiates unauthorized cryptocurrency transfers from the exchange\u0026rsquo;s wallets to attacker-controlled accounts.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eMoney Laundering:\u003c/strong\u003e The stolen cryptocurrency is laundered through various mixing services and exchanges to obfuscate the source of funds and convert it into usable currency.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eThe Lazarus Group\u0026rsquo;s successful cryptocurrency heists have resulted in billions of dollars stolen, with estimates reaching over $2 billion in 2025 alone. These funds are directly used to finance North Korea\u0026rsquo;s WMD and ballistic missile programs, undermining international sanctions and posing a significant national security threat. The attacks targeting AI models could lead to more efficient and sophisticated cyberattacks, further exacerbating the problem and increasing the financial resources available for weapons development. Bybit was one victim of these attacks, losing approximately $1.5 billion in virtual assets.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eImplement behavioral monitoring and least-privilege access controls for third-party vendors to mitigate the risk of contractor misuse, as highlighted in the Mythos incident.\u003c/li\u003e\n\u003cli\u003eEnhance identity verification processes during hiring, including in-person interviews, to prevent fraudulent hiring schemes, as detailed in the \u003cem\u003eInside the Scam\u003c/em\u003e report.\u003c/li\u003e\n\u003cli\u003eMonitor build-pipeline integrity and dependencies to defend against supply chain compromises, referencing the TeamPCP LiteLLM compromise.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u0026ldquo;Detect Suspicious Bybit Activity\u0026rdquo; to monitor for potential malicious activity targeting the Bybit exchange.\u003c/li\u003e\n\u003cli\u003eImplement telemetry and canaries within AI preview infrastructure to detect unauthorized access attempts, as recommended by Recorded Future.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-05-02T12:00:00Z","date_published":"2026-05-02T12:00:00Z","id":"/briefs/2026-05-lazarus-ai-targeting/","summary":"The Lazarus Group is targeting AI models through supply chain attacks, contractor misuse, and fraudulent hiring to improve their ability to steal cryptocurrency and fund weapons programs.","title":"Lazarus Group Targeting AI Models to Enhance Cryptocurrency Theft","url":"https://feed.craftedsignal.io/briefs/2026-05-lazarus-ai-targeting/"},{"_cs_actors":["Lazarus Group","HIDDEN COBRA","LABYRINTH CHOLLIMA","Diamond Sleet","Zinc"],"_cs_cpes":[],"_cs_cves":[],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["macos"],"_cs_severities":["high"],"_cs_tags":["lazarus","fileless","macos","trojan"],"_cs_type":"threat","_cs_vendors":["Apple"],"content_html":"\u003cp\u003eThe Lazarus Group, known for targeting cryptocurrency exchanges, continues to evolve its macOS capabilities. This campaign, observed in late 2019, involves a trojanized application named UnionCryptoTrader.dmg, masquerading as a legitimate cryptocurrency trading platform. The application, hosted on the domain unioncrypto.vip (104.168.167.16), is delivered to victims via a download link (the delivery vector is assumed rather than confirmed). Once executed, the application installs a persistent launch daemon and then downloads and executes further payloads directly in memory, minimizing its footprint on the compromised system. This \u0026lsquo;fileless\u0026rsquo; approach, combined with targeting of cryptocurrency platforms, demonstrates Lazarus Group\u0026rsquo;s ongoing interest in financial gain and their increasing sophistication in macOS malware development.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eThe victim downloads a disk image (UnionCryptoTrader.dmg) from unioncrypto.vip.\u003c/li\u003e\n\u003cli\u003eThe victim mounts the DMG, revealing an unsigned package installer (UnionCryptoTrader.pkg).\u003c/li\u003e\n\u003cli\u003eThe victim executes the package, which prompts for administrator credentials due to the installation of a launch daemon.\u003c/li\u003e\n\u003cli\u003eThe postinstall script within the package moves a hidden plist file (.vip.unioncrypto.plist) to \u003ccode\u003e/Library/LaunchDaemons/vip.unioncrypto.plist\u003c/code\u003e for persistence.\u003c/li\u003e\n\u003cli\u003eThe script also moves a hidden executable (.unioncryptoupdater) to \u003ccode\u003e/Library/UnionCrypto/unioncryptoupdater\u003c/code\u003e and sets its permissions to executable.\u003c/li\u003e\n\u003cli\u003eThe launch daemon (\u003ccode\u003e/Library/UnionCrypto/unioncryptoupdater\u003c/code\u003e) is executed and configured to run on each system reboot.\u003c/li\u003e\n\u003cli\u003eThe \u003ccode\u003eunioncryptoupdater\u003c/code\u003e binary gathers system information, including the serial number using IOKit (\u003ccode\u003eIOPlatformSerialNumber\u003c/code\u003e).\u003c/li\u003e\n\u003cli\u003eThe \u003ccode\u003eunioncryptoupdater\u003c/code\u003e binary connects to the C2 server \u003ccode\u003eunioncrypto.vip/update\u003c/code\u003e to download and execute payloads in memory.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eThis attack targets employees of cryptocurrency exchanges. Successful infection allows the Lazarus Group to gain persistent access to systems within these organizations, potentially leading to theft of cryptocurrency, sensitive financial data, or disruption of trading operations. The fileless nature of the secondary payload execution makes detection more difficult, increasing the attacker\u0026rsquo;s dwell time and potential for damage.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eMonitor for the creation of launch daemons by unsigned installers, specifically those moving plist files to \u003ccode\u003e/Library/LaunchDaemons\u003c/code\u003e (see attack chain steps 4-5).\u003c/li\u003e\n\u003cli\u003eMonitor network connections to \u003ccode\u003eunioncrypto.vip\u003c/code\u003e from unusual processes or those located in \u003ccode\u003e/Library/UnionCrypto\u003c/code\u003e using the provided IOCs.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u0026ldquo;Detect UnionCryptoTrader Package Installation\u0026rdquo; to identify the execution of the malicious installer.\u003c/li\u003e\n\u003cli\u003eBlock the domain \u003ccode\u003eunioncrypto.vip\u003c/code\u003e at the network perimeter (DNS or firewall) to prevent initial infection and C2 communication using the provided IOC.\u003c/li\u003e\n\u003cli\u003eEnable endpoint detection and response (EDR) systems to detect and block the execution of unsigned binaries from \u003ccode\u003e/Library/UnionCrypto\u003c/code\u003e.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-02T12:00:00Z","date_published":"2024-01-02T12:00:00Z","id":"/briefs/2024-01-lazarus-fileless-macos/","summary":"The Lazarus APT group is distributing a trojanized macOS application named UnionCryptoTrader.dmg that installs a launch daemon for persistence, downloads and executes secondary payloads in-memory, and communicates with the command and control server unioncrypto.vip.","title":"Lazarus Group's macOS 'Fileless' Implant","url":"https://feed.craftedsignal.io/briefs/2024-01-lazarus-fileless-macos/"}],"language":"en","title":"CraftedSignal Threat Feed — Lazarus","version":"https://jsonfeed.org/version/1.1"}