Cybersecurity firm SecurityScorecard has identified a new threat campaign linked to North Korea’s Lazarus Group, aimed at freelance software developers. This operation, named Operation 99, focuses on compromising the software supply chain by targeting developers working in Web3 and cryptocurrency sectors.
The attack is an evolution of the previously observed Operation Dream Job, wherein attackers lure developers with fake offers of project tests and code reviews. These engagements eventually lead developers to clone a malicious GitLab repository. Once cloned, the code connects to the attackers’ command-and-control (C&C) servers, which are registered under the name ‘Stark Industries LLC’. The compromised systems then receive Python-based malware that is heavily obfuscated to avoid detection.
The malware used in this campaign operates on Windows, macOS, and Linux systems, embedding itself into developer workflows. The threat actors deploy a modular malware framework that includes the Main99 and Main5346 downloaders, which then install various payloads such as Payload99/73, Brow99/73, and MCLIP. These payloads enable the hackers to steal files, monitor user activity, and capture sensitive data like credentials and clipboard contents.
Key capabilities of the malware include:
- Payload99/73: Collects system data, exfiltrates files, and executes arbitrary code.
- Brow99/73: Steals browser credentials and cryptographic keys from Windows, Linux, and macOS systems.
- MCLIP: Monitors keystrokes and clipboard data, sending it to the C&C in real time.
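The lure described above ends with a developer cloning and running a repository whose Python is heavily obfuscated. As an added defender-side example (not code from the SecurityScorecard report or from the campaign), the script below triages a fresh checkout before anything in it is executed: it flags Python files that combine dynamic execution with decoding of an embedded blob, and notes when such a file is one that runs automatically on install or import. The sample repository it builds in a temp directory is constructed for illustration, and the file list and regexes are the author's assumptions, not indicators from the report.

```python
import os
import re
import tempfile

# Files Python/pip execute automatically, before anyone reads the code.
AUTO_RUN_FILES = {"setup.py", "conftest.py", "__init__.py", "sitecustomize.py"}
# Dynamic execution combined with decoding of an embedded blob is the
# shape of the heavily obfuscated loaders the report describes.
DYNAMIC_EXEC = re.compile(r"\b(exec|eval)\s*\(")
DECODE = re.compile(r"\b(base64\.b64decode|zlib\.decompress|marshal\.loads|"
                    r"bytes\.fromhex|codecs\.decode)\s*\(")
LONG_BLOB = re.compile(r"['\"][A-Za-z0-9+/=]{200,}['\"]")

def score_source(src: str) -> list[str]:
    """Return human-readable findings for one Python source text."""
    findings = []
    if DYNAMIC_EXEC.search(src) and DECODE.search(src):
        findings.append("dynamic exec of decoded data")
    if LONG_BLOB.search(src):
        findings.append("long encoded string literal")
    return findings

def triage_repo(root: str) -> dict[str, list[str]]:
    """Walk a checkout and map relative path -> findings for flagged files."""
    report = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            if not name.endswith(".py"):
                continue
            path = os.path.join(dirpath, name)
            with open(path, encoding="utf-8", errors="replace") as fh:
                findings = score_source(fh.read())
            if findings and name in AUTO_RUN_FILES:
                findings.append("runs automatically on install/import")
            if findings:
                report[os.path.relpath(path, root)] = findings
    return report

# Constructed sample repo (hypothetical, not the campaign's real code): a
# setup.py that exec()s a base64 blob, next to an innocuous helper module.
SAMPLE_LOADER = 'import base64\nexec(base64.b64decode("' + "QUFB" * 80 + '"))\n'
SAMPLE_CLEAN = "def add(a, b):\n    return a + b\n"

def demo_repo() -> dict[str, list[str]]:
    root = tempfile.mkdtemp(prefix="triage_")
    with open(os.path.join(root, "setup.py"), "w") as fh:
        fh.write(SAMPLE_LOADER)
    with open(os.path.join(root, "util.py"), "w") as fh:
        fh.write(SAMPLE_CLEAN)
    return triage_repo(root)
```

Run `triage_repo(path)` against a real checkout; a hit is a reason to read the file in a sandbox, not proof of malice, since legitimate packaging code occasionally matches too.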
The overarching goal of Operation 99 is to compromise technology developers and integrate malware into their systems as part of a broader supply chain attack. This attack aims to steal intellectual property, sensitive data, and cryptocurrency wallet keys.
North Korea’s Lazarus Group has long been known for using cybercrime as a financial lifeline for the regime, with cryptocurrency theft being a central tactic. In 2024 alone, North Korean hackers reportedly stole $660 million in cryptocurrency. A report from Chainalysis revealed that in 2023, Lazarus Group-affiliated hackers stole $1.34 billion in 47 cryptocurrency-related attacks.
This latest campaign illustrates the increasing sophistication of North Korea’s cyber operations and the ongoing threats faced by developers in high-demand sectors such as Web3 and cryptocurrency. The group’s ability to exploit trust through deceptive tactics, including fake recruiter profiles on platforms like LinkedIn, highlights how exposed developers are to targeted social engineering attacks.
For more details, refer to the SecurityScorecard report on Operation 99.