A North Korea-backed hacking group identified as Lazarus launched a covert operation by distributing a counterfeit cryptocurrency trading application, according to NSHC’s Threat Research Lab analysis published in May 2025. The campaign features an installer built with NSIS that embeds an Electron-based app and a JavaScript loader designed to fetch additional malware.
The loader facilitates further payloads, while subsequent Python-based modules perform system control and data exfiltration. The operation culminates in remote access capabilities intended to sustain long-term infiltration.
The attackers abused legitimate services and encrypted communications, delivering commands and files via online note services and concealing traffic through the Tor network, with AnyDesk used to maintain stealthy remote access. The campaign’s exterior resembles legitimate software, making it difficult for users and security systems to distinguish it from authentic programs. NSHC’s CEO emphasized that the Lazarus Group has evolved into a sustained cyber-operational threat, noting the virtual asset sector’s exposure to nation-scale hacking and the importance of international security collaboration and threat intelligence sharing.