North Korean Lazarus Group Launches Advanced Crypto-Stealing Malware Campaign
Overview of Operation Marstech Mayhem
Researchers have uncovered a highly sophisticated cyber campaign believed to be orchestrated by the notorious North Korean hacker group, the Lazarus Group. In a blog post published this morning, SecurityScorecard revealed details about this covert operation, named ‘Operation Marstech Mayhem,’ which has already targeted over 230 victims across the United States, Europe, and Asia.
Malware Distribution via Open Source
The campaign relies on open source components, abusing popular code repositories to distribute crypto-stealing malware while evading detection. SecurityScorecard traced the malware, dubbed ‘Marstech1,’ to a GitHub profile known as ‘SuccessFriend,’ which has been committing a mix of malicious and legitimate code since July 2024.
The researchers also found that the same actor distributes the malware through npm packages, which are widely used by developers working on cryptocurrency and Web3 projects, making package installs a direct route into those developers’ machines and builds.
Targeting Crypto Wallets
The Marstech1 malware scans systems for popular cryptocurrency wallets, including MetaMask, Exodus, and Atomic Wallet. Once a wallet is found, it modifies browser configuration files to inject stealthy payloads capable of intercepting cryptocurrency transactions. The risk is compounded by the delivery method: a developer who unknowingly pulls the implant into a legitimate project can ship it to every downstream user of that software, potentially exposing millions of end-users worldwide.
Evasion Techniques Employed
To enhance its stealth and evade detection, the Lazarus Group has implemented several sophisticated techniques within the Marstech1 malware. These include:
- Control flow flattening and self-invoking functions
- Random variable and function names
- Base64 string encoding
- Anti-debugging checks (anti-tampering)
- Splitting and recombining strings
These methods represent an evolution from earlier versions of the malware, observed in attacks from late 2024 and January 2025, which had utilized different evasion strategies.
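The indicators listed above are all visible in source, so a reviewer can screen a package before it enters a build. The scanner below is an added example written for this article, not code from SecurityScorecard or from the campaign; the two input samples are constructed for illustration and are not Marstech1 code, and the weights and thresholds are assumptions chosen to make the sample classify clearly.

```javascript
// Added example (not the page's or SecurityScorecard's code): a heuristic
// scanner for the JavaScript obfuscation indicators listed in the article.
// Both samples are constructed for this example and are not Marstech1 code.
const SAMPLE_OBFUSCATED = `
(function(){var _0x4a2b=['aHR0cDovLw==','bWV0YW1hc2s='];
var _0xf3c1=function(a){return Buffer.from(a,'base64').toString()};
var p=_0xf3c1(_0x4a2b[0])+'ex'+'am'+'ple.'+'com:3000';
var _0x9d8e=0;while(true){switch(_0x9d8e){case 0:_0x9d8e=2;break;case 2:_0x9d8e=1;break;case 1:return;}}
if(typeof process!=='undefined'&&process.execArgv.join(' ').includes('--inspect')){process.exit(1)}
})();
`;

const SAMPLE_BENIGN = `
import fs from 'node:fs';
export function readConfig(path) {
  const raw = fs.readFileSync(path, 'utf8');
  return JSON.parse(raw);
}
`;

// Accept a base64 candidate only if it decodes to printable ASCII; this
// removes most false positives from ordinary long words in string literals.
function decodesToAscii(s) {
  if (s.length % 4 !== 0) return false;
  const out = Buffer.from(s, 'base64').toString('utf8');
  return out.length > 0 && /^[\x20-\x7e]+$/.test(out);
}

function countMatches(src, re) {
  return (src.match(re) || []).length;
}

// One entry per bullet in the article. Weights and thresholds are this
// example's assumptions, not figures from the report.
const INDICATORS = [
  { name: 'self-invoking function', weight: 1,
    test: (s) => /\}\s*\)\s*\(\s*\)/.test(s) },
  { name: 'control flow flattening (while/switch state machine)', weight: 3,
    test: (s) => /while\s*\(\s*(?:true|!!\[\])\s*\)\s*\{\s*switch\s*\(/.test(s) },
  { name: 'random hex-style identifiers', weight: 2,
    test: (s) => countMatches(s, /\b_0x[0-9a-f]{3,}\b/gi) >= 3 },
  { name: 'base64-encoded strings', weight: 2,
    test: (s) => {
      const lits = [...s.matchAll(/(['"])([A-Za-z0-9+\/]{8,}={0,2})\1/g)].map((m) => m[2]);
      return lits.filter(decodesToAscii).length >= 2;
    } },
  { name: 'split-and-recombined strings', weight: 2,
    test: (s) => countMatches(s, /(['"])[^'"\n]{1,6}\1\s*\+\s*(?=['"])/g) >= 3 },
  { name: 'anti-debugging checks', weight: 2,
    test: (s) => /process\.execArgv|--inspect|\bdebugger\b/.test(s) },
];

// Returns the matched indicator names, a weighted score, and a verdict.
// The 5-point cutoff is an assumed threshold: one indicator alone (an IIFE,
// a couple of base64 strings) is common in clean code; several together are not.
function scanSource(src) {
  const matched = INDICATORS.filter((i) => i.test(src));
  const score = matched.reduce((acc, i) => acc + i.weight, 0);
  return { score, hits: matched.map((i) => i.name), suspicious: score >= 5 };
}

console.log('obfuscated sample:', scanSource(SAMPLE_OBFUSCATED));
console.log('benign sample:', scanSource(SAMPLE_BENIGN));
```

Run it with Node (the `Buffer` global is used for base64 decoding). A hit on a single indicator is not evidence on its own: minified bundles use self-invoking functions and short identifiers legitimately, so the value is in the combination, and any package that scores high should be pulled apart by hand rather than blocked or cleared on the score alone.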
Adapting Command-and-Control Infrastructure
In a notable shift, the Lazarus Group appears to be adapting its infrastructure to further confuse security researchers. The group has moved its command-and-control (C2) communication from ports 1224 and 1245 to port 3000, and has increasingly replaced the React-based control panels seen in earlier activity with Node.js Express backends. Both changes make the infrastructure harder to fingerprint: port 3000 is the port that Express examples and generators use by default, so C2 traffic to it resembles ordinary development traffic, and detections keyed on the old ports or on the React panel no longer fire. Defenders should not rely on port numbers alone to spot this activity.
Expert Commentary
Ryan Sherstobitoff, Senior Vice President of Threat Research and Intelligence at SecurityScorecard, commented on the implications of Operation Marstech Mayhem. He stated that the operation reflects a critical evolution in the Lazarus Group’s supply chain attacks, underscoring their commitment to operational secrecy and their adaptability in developing implants.
‘This serves as a stark reminder that the landscape of cyber threats is rapidly evolving,’ Sherstobitoff emphasized. ‘It is imperative for organizations and developers to adopt proactive security measures, continuously monitor supply chain activities, and integrate advanced threat intelligence solutions to mitigate the risk of sophisticated implant-based attacks from threat actors like the Lazarus Group.’
Conclusion
As the Lazarus Group continues to refine its tactics and strategies, the need for vigilance in cybersecurity becomes increasingly important. Developers and organizations must remain proactive in their defense mechanisms to protect against the evolving threats posed by this and other malicious groups.