North Korea-linked Lazarus Group is on the prowl again, and this time, it has published a new batch of malicious JavaScript packages that steal digital assets.
Elsewhere, a Kaspersky report has revealed that a group of cybercriminals has been blackmailing YouTubers into linking to cryptojacking malware from their video descriptions.
Lazarus targets the JavaScript ecosystem
Lazarus has revamped its attacks on the digital asset sector and is now targeting the JavaScript ecosystem, code security platform Socket reveals.
In a recent report, Socket revealed that the notorious hacker group has deployed six new malicious packages targeting the npm (Node Package Manager) ecosystem, the registry and command-line tool used to install and manage JavaScript packages. The malware is designed to steal digital asset data and other credentials, and to install a backdoor for follow-on access.
Unsuspecting victims had downloaded the six packages 330 times by last week. Lazarus designed them to mimic widely trusted libraries that developers have been using for years, consistent with the group's established typosquatting tactic. The group even maintains GitHub repositories for five of the six malicious packages, which adds to their perceived legitimacy; Socket has since petitioned GitHub for their removal.
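The typosquatting tactic described above is one a project can screen for mechanically. The following Node script is an added example, not code from Socket's report or from any package it describes: it scans a package.json and flags dependency names that sit within a small edit distance of a list of well-known packages. The trusted list, the sample manifest and every look-alike name in it (lodahs, is_buffer, axioss) are constructed for illustration and are not the packages Socket identified; in practice the trusted list would come from the registry's most-downloaded packages or an internal allow-list.

```javascript
// Constructed sample of "trusted" names (an assumption for this example, not
// data from Socket's report). Replace with a real top-N or allow-list.
const TRUSTED = [
  "lodash", "express", "react", "axios", "chalk", "commander",
  "is-buffer", "array-empty-validator", "env-var", "typescript",
];

// Optimal-string-alignment edit distance: insert, delete, substitute and
// adjacent transposition each cost 1. Transpositions ("lodahs" for "lodash")
// are among the most common typosquats, so plain Levenshtein is too strict.
function editDistance(a, b) {
  const m = a.length, n = b.length;
  const d = Array.from({ length: m + 1 }, () => new Array(n + 1).fill(0));
  for (let i = 0; i <= m; i++) d[i][0] = i;
  for (let j = 0; j <= n; j++) d[0][j] = j;
  for (let i = 1; i <= m; i++) {
    for (let j = 1; j <= n; j++) {
      const cost = a[i - 1] === b[j - 1] ? 0 : 1;
      d[i][j] = Math.min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost);
      if (i > 1 && j > 1 && a[i - 1] === b[j - 2] && a[i - 2] === b[j - 1]) {
        d[i][j] = Math.min(d[i][j], d[i - 2][j - 2] + 1);
      }
    }
  }
  return d[m][n];
}

// Canonical form for comparison: drop an npm scope ("@foo/lodash" is a
// look-alike of "lodash") and separators ("is_buffer" vs "is-buffer").
function normalize(name) {
  return name.toLowerCase().replace(/^@[^/]+\//, "").replace(/[-_.]/g, "");
}

// Returns one finding per (dependency, trusted name) pair that is a near miss.
// Exact matches on a trusted name are skipped: those are the real packages.
function findTyposquats(dependencies, trusted = TRUSTED, maxDistance = 2) {
  const exact = new Set(trusted);
  const findings = [];
  for (const dep of Object.keys(dependencies)) {
    if (exact.has(dep)) continue;
    const depNorm = normalize(dep);
    for (const t of trusted) {
      const tNorm = normalize(t);
      // Tolerance grows with name length so short names like "react" only
      // match at distance 1, while long names tolerate two edits.
      const limit = Math.min(maxDistance, Math.max(1, Math.floor(tNorm.length / 4)));
      const distance = editDistance(depNorm, tNorm);
      if (distance <= limit) findings.push({ dependency: dep, resembles: t, distance });
    }
  }
  return findings;
}

// Constructed sample manifest; the misspelled names are invented for this
// example and are not the packages from Socket's report.
const SAMPLE_PACKAGE_JSON = {
  name: "demo-app",
  dependencies: {
    "express": "^4.19.2",     // legitimate, exact trusted name
    "lodahs": "^4.17.21",     // transposition of "lodash"
    "is_buffer": "^1.1.6",    // separator swap for "is-buffer"
    "@types/node": "^20.0.0", // legitimate scoped package, far from any trusted name
    "axioss": "^1.6.0",       // extra letter on "axios"
  },
};

function scanPackageJson(pkg) {
  return findTyposquats({ ...(pkg.dependencies || {}), ...(pkg.devDependencies || {}) });
}

console.log(JSON.stringify(scanPackageJson(SAMPLE_PACKAGE_JSON), null, 2));
```

Run with `node typosquat-check.js` (the file name is arbitrary). A finding is a prompt for review, not proof of malice: forks and scoped re-publications of popular packages will trigger it, and a package with a plausible name and a maintained GitHub repository, as Socket describes, will not. Pair this with a check of install-time scripts and of who published the package, since name similarity alone is only the first filter.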
The Socket team acknowledged that the packages cannot be tied to Lazarus with certainty, "as absolute attribution is inherently difficult." However, the packages bear the hallmarks of the group's tactics and techniques, including obfuscation methods, script functionality, command-and-control mechanisms and data-theft techniques similar to those seen in past Lazarus attacks.
The security firm revealed that once installed, the malware goes through browser profiles on Chrome, Firefox and Brave, as well as keychain archives on macOS, to extract sensitive files such as saved login data. It also harvests digital asset wallet data, with the Exodus wallet and Solana-based applications specifically targeted.
This tactic isn’t new for Lazarus. The group has used it repeatedly to infiltrate both personal and corporate networks and wipe their digital asset wallets clean. In previous attacks, the group posted job vacancies on LinkedIn, luring unsuspecting applicants to click on malicious links.
While the North Korean group has been involved in many high-profile heists, its most recent is the largest and most daring. Lazarus was credited with the $1.4 billion hack of popular exchange Bybit, the largest ever in the digital asset world. Cybersecurity sleuths have since discovered that the group's entry route was malicious code injected into Safe's web interface. Safe is a digital asset wallet provider that Bybit used to secure users' assets.
Cryptojackers blackmailing YouTubers
In a separate report, cybersecurity firm Kaspersky has revealed that cybercriminals have been blackmailing YouTubers for increased exposure.
The criminals are behind malware disguised as a tool for bypassing geo-restrictions and other local internet blocks. Such tools have become increasingly popular as some governments, such as Russia's and China's, have imposed internet blocks in some regions. In the past six months, Kaspersky has recorded over 2.4 million detections of the drivers these bypassing tools rely on.
These drivers have become a malware hotspot. Their installation instructions usually tell users to disable their PCs' security software first, giving attackers a window to install malware undetected. Common payloads have included cryptojacking software, which mines digital assets without the user's knowledge, as well as remote access tools (RATs) and other widely used credential stealers.
These attackers are now targeting YouTubers to reach a wider audience, Kaspersky found. In one instance, they targeted a YouTuber with over 60,000 subscribers whose videos centered on bypassing internet blocks. The attackers filed copyright claims against his videos, then contacted him and demanded that he include a link to their download in his video descriptions in exchange for withdrawing the claims.
The YouTuber complied, unaware that the link was to a malicious website containing cryptojacking malware and other stealers.
Another YouTuber with 340,000 subscribers was also similarly targeted, as was a popular Telegram channel.
The cryptojacking malware is based on XMRig, an open-source miner that criminals have long used to mine digital assets illicitly on victims' PCs. It is configured to mine Ether, Ethereum Classic, Monero and other smaller digital assets (Ether itself has not been mineable since Ethereum moved to proof of stake in 2022). The miner can be paused and resumed to avoid detection and is controlled remotely.
While cryptojacking isn't as widespread as it once was, some criminals are still targeting millions of devices. Two weeks ago, a report by CyberArk revealed that one cryptojacking campaign was associated with over 750,000 unique digital asset addresses. Another recent report showed that cryptojackers were even targeting federal agencies, infiltrating USAID machines to mine 'crypto' last fall.