
SecurityScorecard has uncovered a sophisticated cyber attack campaign, dubbed Operation 99, orchestrated by the North Korea-linked Lazarus Group. The operation specifically targets software developers seeking freelance opportunities in Web3 and cryptocurrency sectors.
The attack methodology involves:
– Fake recruiters using LinkedIn to approach developers
– Directing victims to malicious GitLab repositories
– Delivering malware inside a project the target is asked to review, fix or extend, so that cloning and running the repository looks like a routine code-review task
The campaign, discovered on January 9, 2025, has victims worldwide. Italy is the hardest-hit country, with further victims in the UK, US, India and elsewhere.
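The practical defence against this lure is to treat any recruiter-supplied repository as untrusted input and read it in an isolated environment before installing or running anything. The script below is an added illustration, not SecurityScorecard's tooling and not an indicator set for Operation 99: it walks a cloned checkout and flags generic patterns that a legitimate take-home task should not need (npm lifecycle hooks that execute on `npm install`, `eval`/`new Function` on decoded data, long base64-like blobs, remote fetches and shell spawning). The heuristics, file set and the sample "wallet dashboard" repository it builds are all assumptions constructed for the example.

```python
"""Pre-execution triage of a cloned repository (added example).

Not SecurityScorecard's tooling and not derived from the Operation 99
samples. The rules are generic assumptions about what a freelance
'code review' project should never need; anything flagged is read by a
human in a throwaway VM before npm install / npm start is ever typed.
"""
import base64
import json
import os
import re
import tempfile
from dataclasses import dataclass

# Heuristic patterns (assumed, not taken from the reported malware).
TEXT_RULES = {
    # eval/exec/new Function on runtime-built strings hides the real code.
    "dynamic-eval": re.compile(r"\beval\s*\(|\bexec\s*\(|\bnew\s+Function\s*\("),
    "base64-decode": re.compile(r"\b(base64|b64decode|atob)\b", re.I),
    # A 120+ char run of base64 alphabet is almost never hand-written code.
    "long-encoded-blob": re.compile(r"[A-Za-z0-9+/=]{120,}"),
    "remote-fetch": re.compile(r"https?://\S+|\b(curl|wget)\b", re.I),
    "shell-spawn": re.compile(r"child_process|subprocess|os\.system|popen", re.I),
}
# npm runs these hooks automatically on install, before the victim reads a line.
LIFECYCLE_HOOKS = ("preinstall", "install", "postinstall", "prepare")
TEXT_EXTENSIONS = {".js", ".cjs", ".mjs", ".ts", ".py", ".sh", ".json"}
SKIP_DIRS = {".git", "node_modules"}


@dataclass(frozen=True)
class Finding:
    path: str      # path relative to the repository root
    rule: str
    line: int      # 0 when the finding is not tied to a line
    snippet: str


def scan_file(full: str, rel: str) -> list:
    """Apply every text rule to every line of one source file."""
    findings = []
    with open(full, encoding="utf-8", errors="replace") as f:
        for no, text in enumerate(f.read().splitlines(), start=1):
            for rule, rx in TEXT_RULES.items():
                if rx.search(text):
                    findings.append(Finding(rel, rule, no, text.strip()[:80]))
    return findings


def scan_package_json(full: str, rel: str) -> list:
    """Flag install-time hooks, which execute without any user action."""
    try:
        with open(full, encoding="utf-8") as f:
            pkg = json.load(f)
    except (OSError, json.JSONDecodeError):
        return [Finding(rel, "unparseable-package-json", 0, "")]
    return [Finding(rel, f"lifecycle-hook:{hook}", 0, str(cmd)[:80])
            for hook, cmd in pkg.get("scripts", {}).items()
            if hook in LIFECYCLE_HOOKS]


def scan_repo(root: str) -> list:
    """Walk a checkout and return every Finding, skipping .git and node_modules."""
    findings = []
    for dirpath, dirnames, filenames in os.walk(root):
        dirnames[:] = [d for d in dirnames if d not in SKIP_DIRS]
        for name in filenames:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root)
            if name == "package.json":
                findings.extend(scan_package_json(full, rel))
            if os.path.splitext(name)[1] in TEXT_EXTENSIONS:
                findings.extend(scan_file(full, rel))
    return findings


def build_sample_repo() -> str:
    """Constructed sample, not a real artefact: a plausible 'take-home task'
    whose postinstall hook runs an obfuscated second stage. The encoded
    payload here is a harmless console.log so the example is safe to run."""
    root = tempfile.mkdtemp(prefix="triage-")
    stage2 = base64.b64encode(b"console.log('second stage would run here')" * 4).decode()
    files = {
        "README.md": "# Wallet dashboard take-home task\nRun `npm install` then `npm start`.\n",
        "package.json": json.dumps({
            "name": "wallet-dashboard",
            "scripts": {"start": "node index.js", "postinstall": "node setup.js"},
        }, indent=2),
        "index.js": "const express = require('express');\nconsole.log('dashboard');\n",
        "setup.js": f"const p = '{stage2}';\neval(Buffer.from(p, 'base64').toString());\n",
    }
    for rel, body in files.items():
        with open(os.path.join(root, rel), "w", encoding="utf-8") as f:
            f.write(body)
    return root


if __name__ == "__main__":
    repo = build_sample_repo()
    for fnd in scan_repo(repo):
        print(f"{fnd.path}:{fnd.line} [{fnd.rule}] {fnd.snippet}")
```

Run against the constructed sample, the scan reports the `postinstall` hook in package.json and three hits in setup.js (the long blob, the `eval`, the base64 decode) while leaving index.js clean. A hit is a reason to read the file, not proof of compromise; the point is that the reading happens before `npm install`, in a VM with no wallet, SSH key or browser profile on it.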
Key Malware Components:
1. Main5346/Main99: Primary downloader
2. Payload99/73: System data collector and browser process controller
3. Brow99/73: Browser data and credential thief
4. MCLIP: Real-time keyboard and clipboard monitor
The malware’s capabilities include:
– Cross-platform functionality (Windows, macOS, Linux)
– Source code theft
– Cryptocurrency wallet key extraction
– Credential harvesting
– Real-time system monitoring
According to Ryan Sherstobitoff, SVP of Threat Research at SecurityScorecard, this campaign represents an evolution in North Korean cyber operations, leveraging AI-generated profiles and sophisticated communication techniques to create convincing recruitment schemes. The primary objective appears to be financial gain through cryptocurrency theft and intellectual property exploitation.
The operation’s success stems from its highly convincing social engineering tactics and modular malware architecture, highlighting the growing sophistication of state-sponsored cyber threats.