December 2025 APT Group Trends
Key APT Group Trends by Region
1) North Korea
North Korean state‑sponsored threat groups have increasingly relied on fake IT employment schemes, actively exploiting legitimate hiring platforms and fabricated identities to infiltrate corporate environments. These actors frequently take advantage of remote‑work infrastructures to obtain elevated access and conduct long‑term social engineering operations aimed at gaining access to internal systems. Some groups continue to employ loader techniques such as DLL hijacking, while accelerating modifications to their malware delivery methods to evade detection. Overall, recent attacks show a clear evolution toward hybrid intrusion models that simultaneously exploit personnel recruitment vectors and software vulnerabilities.
Famous Chollima
One such case involves the Famous Chollima group, which used fraudulent remote‑work job applications to get hired by U.S. and Western companies. The objective was access to internal systems and, ultimately, income for the regime, obtained through stolen or rented identities and unauthorized remote‑desktop control of company‑issued machines.
| Case 1. | |
| --- | --- |
| Time | · Unknown |
| Target | · U.S. and Western companies |
| Initial Access | · Mass outreach and messaging via GitHub repository Pull Requests · Social engineering by posing as a remote IT worker seeking employment |
| Exploited Vulnerabilities | · None |
| Malware and Tools | · AnyDesk: Remote desktop access · Google Remote Desktop: Persistent remote access · Astrill VPN: Location obfuscation · Simplify Copilot: Automated job‑application browser extension · AIApply: Automated job application tool · Final Round AI: Real‑time interview assistance AI · Saved Prompts for GPT: LLM prompt‑management tool |
| Techniques | · Identity theft and rented/fake identities to obtain employment · Long‑term trust‑building through social engineering · Using AI tools to pass job interviews · Maintaining 24/7 access via remote desktop tools · Location masking through VPN · System reconnaissance (dxdiag, systeminfo, whoami) |
| Impact | · Attempts to gain access to internal corporate systems · Requests for victims’ personal identity information (SSN, ID documents, bank details) · Corporate espionage and financial operations supporting the North Korean regime |
| Description | · The attackers posed as remote IT workers seeking legitimate employment with U.S. companies. · Victims were asked to provide laptop access credentials and personal identity documents. · The actors maintained remote access using AnyDesk and Google Remote Desktop. · The campaign focused heavily on remote‑work infrastructure abuse and identity theft. · Researchers monitored and recorded the threat actors’ activities in real time using the ANY.RUN sandbox. |
| Source | · Smile, You’re on Camera: A Live Stream from Inside Lazarus Group’s IT Workers Scheme[1] |
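The Techniques row above gives a concrete hunting signal: a commercial remote desktop tool starts on a host and is followed shortly by the host‑profiling commands dxdiag, systeminfo and whoami. The following is an added example, not code from the ANY.RUN report, that correlates those two signals over constructed Sysmon‑style process‑creation events. The executable name used for Google Remote Desktop (`remoting_host.exe`, the Chrome Remote Desktop host process), the 30‑minute window and the two‑command threshold are assumptions to tune against your own software inventory and telemetry.

```python
"""Correlate remote-access-tool starts with follow-on host profiling.

Added example (not from the source report). Input records are constructed
Sysmon-style process-creation events in the form 'ts|host|user|image'.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Remote access tools named in the report. AnyDesk.exe is the vendor binary;
# remoting_host.exe is ASSUMED here to be the Chrome Remote Desktop host.
REMOTE_ACCESS_TOOLS = {
    "anydesk.exe": "AnyDesk",
    "remoting_host.exe": "Google Remote Desktop",
}

# Host-profiling commands listed in the Techniques row.
RECON_COMMANDS = {"dxdiag.exe", "systeminfo.exe", "whoami.exe"}

WINDOW = timedelta(minutes=30)  # assumption: profiling follows the tool start
MIN_RECON = 2                   # assumption: two distinct recon binaries


def _basename(image: str) -> str:
    """Lower-cased file name from a Windows or POSIX image path."""
    return image.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def parse_events(lines):
    """Parse 'ts|host|user|image' lines, returning dicts sorted by time."""
    events = []
    for line in lines:
        ts, host, user, image = [f.strip() for f in line.split("|", 3)]
        events.append({"ts": datetime.fromisoformat(ts), "host": host,
                       "user": user, "image": image, "exe": _basename(image)})
    return sorted(events, key=lambda e: e["ts"])


def find_remote_worker_activity(events, window=WINDOW, min_recon=MIN_RECON):
    """One alert per (host, tool start) where at least `min_recon` distinct
    recon commands ran within `window` after the remote tool started."""
    by_host = defaultdict(list)
    for e in events:
        by_host[e["host"]].append(e)

    alerts = []
    for host, evs in by_host.items():
        for i, e in enumerate(evs):
            tool = REMOTE_ACCESS_TOOLS.get(e["exe"])
            if tool is None:
                continue
            deadline = e["ts"] + window
            recon = {}
            for later in evs[i + 1:]:      # evs is time-ordered
                if later["ts"] > deadline:
                    break
                if later["exe"] in RECON_COMMANDS:
                    recon.setdefault(later["exe"], later["ts"])
            if len(recon) >= min_recon:
                alerts.append({"host": host, "user": e["user"], "tool": tool,
                               "tool_started": e["ts"],
                               "recon": sorted(recon)})
    return alerts


# Constructed sample telemetry (not real logs).
SAMPLE_EVENTS = [
    "2025-12-01T09:02:11|WS-NEWHIRE-01|corp\\jdoe|C:\\Program Files (x86)\\AnyDesk\\AnyDesk.exe",
    "2025-12-01T09:05:40|WS-NEWHIRE-01|corp\\jdoe|C:\\Windows\\System32\\whoami.exe",
    "2025-12-01T09:06:02|WS-NEWHIRE-01|corp\\jdoe|C:\\Windows\\System32\\systeminfo.exe",
    "2025-12-01T09:07:19|WS-NEWHIRE-01|corp\\jdoe|C:\\Windows\\System32\\dxdiag.exe",
    # Helpdesk host: AnyDesk is expected there and no profiling follows.
    "2025-12-01T10:00:00|WS-HELPDESK-07|corp\\svc_help|C:\\Program Files (x86)\\AnyDesk\\AnyDesk.exe",
    "2025-12-01T10:01:00|WS-HELPDESK-07|corp\\svc_help|C:\\Windows\\System32\\notepad.exe",
    # Admin running whoami with no remote tool in play: no alert.
    "2025-12-01T11:00:00|WS-ADMIN-02|corp\\admin|C:\\Windows\\System32\\whoami.exe",
]

if __name__ == "__main__":
    for alert in find_remote_worker_activity(parse_events(SAMPLE_EVENTS)):
        print(alert)
```

The helpdesk host in the sample is the reason the rule keys on the combination rather than on the tool alone: AnyDesk by itself is common in support teams, while a freshly onboarded remote account that launches a remote desktop tool and then profiles the machine matches the sequence the report describes. In production, feed the function from Sysmon Event ID 1 or your EDR's process events and add the VPN egress address as a third signal.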
In a second case, Famous Chollima operators were hired as fake remote workers and, once issued a corporate workstation, attached a PiKVM device to it to gain covert, persistent access to the corporate network.
| Case 2. | |
| --- | --- |
| Time | · Unknown |
| Target | · Corporate environments · Organizations operating remote‑work hiring processes · Customer environments investigated by Microsoft Incident Response (DART) |
| Initial Access | · Successfully obtained employment by impersonating a legitimate remote worker |
| Exploited Vulnerabilities | · None |
| Malware and Tools | · Attacker tooling: PiKVM, a hardware KVM‑over‑IP device that lets a remote operator control the workstation as if physically present · Investigation tooling used by Microsoft Incident Response (not attacker tools): Cosmic (Azure analysis), Arctic (Azure and Active Directory analysis), Fennec (multi‑OS forensic evidence collection), Microsoft Defender for Endpoint (endpoint detection and response), Microsoft Defender for Identity (identity‑based threat detection), Microsoft Entra ID Protection (identity security telemetry) |
| Techniques | · Impersonation of a remote employee · Bypassing HR and onboarding verification procedures · EDR evasion through hardware‑based remote access (PiKVM) · Maintaining persistent and covert external access · Direct access to internal network data |
| Impact | · Potential access to and theft of sensitive corporate data · Persistent, long‑term unauthorized access to corporate networks |
| Description | · The attackers obtained legitimate corporate accounts by posing as remote employees. · A PiKVM device was physically attached to the assigned workstation. · Through hardware‑level remote control, the attackers operated the system as though they were physically in front of it. · The EDR "bypass" is a consequence of where the access lives: the operator drives the machine through the KVM's emulated USB keyboard and mouse and its HDMI capture, so there is no remote‑access agent on the host for the sensor to flag; what the host does still record is the USB device enumeration and console‑style interactive logons, which is where detection has to start. · Forensic work by Microsoft Incident Response (DART) linked the operation to the Jasper Sleet threat cluster. |
| Source | · Imposter for hire: How fake people can gain very real access[2] |
Lazarus
The Lazarus Group distributed a malicious RAR archive exploiting the WinRAR path traversal vulnerability CVE‑2025‑8088 to deploy the Blank Grabber Infostealer.
| Case 1. | |
| --- | --- |
| Time | · Unknown |
| Target | · Cryptocurrency users · Virtual asset developers · DeFi practitioners · Users of Chromium‑based browsers |
| Initial Access | · Distribution of a malicious RAR archive containing embedded scripts · Luring victims into downloading “Pharos.rar” disguised as a legitimate tool · Exploitation of the WinRAR vulnerability upon extraction |
| Exploited Vulnerabilities | · CVE‑2025‑8088: WinRAR alternate data stream (ADS) path‑validation flaw enabling path traversal and arbitrary file creation on extraction |
| Malware and Tools | · Pharos.rar: Malicious RAR archive · 1.bat: Batch script masquerading as a Windows Defender update · stub.pyw: Multi‑layer‑obfuscated Python loader · Tsunami Injector: Persistence mechanism and loader for additional payloads · Blank Grabber: Infostealer · PowerShell: Used to show decoy security warnings · Dropbox: Hosting for downloaded malicious scripts · Pastebin: Provides URLs for additional payloads · Telegram: C2 communication channel |
| Techniques | · Social engineering via malicious RAR archive · Exploitation of the WinRAR ADS path traversal vulnerability · Automatic execution via Startup folder persistence · Multi‑stage obfuscation and dynamic payload loading · Automatic installation of a Python environment · Theft of account credentials and cryptocurrency wallet data · Telegram‑based C2 and data exfiltration |
| Impact | · Theft of saved browser passwords · Theft of cookies and autocomplete data · Compromise of Telegram session data · Theft of Discord tokens and account information · Theft of seed phrases and private keys from over 20 cryptocurrency wallets, including MetaMask, Exodus, and Electrum · Potential takeover of virtual asset accounts and fund outflows |
| Description | · Lazarus distributed a malicious RAR file disguised as “Pharos-Automation-Bot”. · The WinRAR vulnerability allowed the archive to drop a malicious BAT file into the user's Startup directory on extraction, so it executed at the next logon with no further user action. · The BAT script downloaded and executed a Python loader. · The loader then deployed the Blank Grabber infostealer. · The malware targeted browsers, messaging platforms, and cryptocurrency wallets for credential theft. · The attack chain and obfuscation design match known Lazarus tradecraft; the source tracks the activity as APT‑C‑26, its designation for Lazarus. |
| Source | · Technical analysis of the APT-C-26 (Lazarus) group exploiting a WinRAR vulnerability to deploy the Blank Grabber trojan (original title: APT-C-26(Lazarus)组织利用WinRAR漏洞部署Blank Grabber木马的技术分析)[3] |
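The traversal in the Exploited Vulnerabilities row is worth making concrete, because the check a safe extractor needs is small. Below is an added example, not WinRAR code and not the actual content of Pharos.rar, that models an archive entry as a filename plus an optional NTFS alternate data stream name, shows the path a validation‑free extractor would write when the stream name carries `..\` components, and applies the two checks that stop it: reject stream names that contain path components at all, and refuse any resolved path that lands outside the extraction root. Windows path semantics are approximated with Python's ntpath; the destination directory, the decoy filename and the number of `..` components are assumptions, while the 1.bat‑in‑Startup outcome is the one the source describes.

```python
"""Model of the CVE-2025-8088 failure mode and the checks that close it.

Added example (not WinRAR's code, not the real archive). Entries are
(filename, stream_name_or_None) tuples; Windows normalisation of 'file:stream'
paths is approximated with ntpath.
"""
import ntpath

# Triage hint: a write landing in a per-user Startup folder is the persistence
# the Pharos archive achieved (1.bat executed at the next logon).
STARTUP_MARKER = "\\start menu\\programs\\startup\\"


def naive_target(dest, filename, stream=None):
    """Path a validation-free extractor would write for an entry.

    The entry name and ADS name are concatenated as Windows spells them
    (file:stream); path normalisation then collapses any '..\\' components
    embedded in the stream name, which is what moves the write out of dest.
    """
    name = filename if stream is None else f"{filename}:{stream}"
    return ntpath.normpath(ntpath.join(dest, name))


def stream_name_is_valid(stream):
    """Hardened rule 1: an ADS name is an identifier, never a path fragment."""
    if stream is None:
        return True
    return bool(stream) and not any(bad in stream for bad in ("\\", "/", ".."))


def within_root(dest, target):
    """Hardened rule 2: the fully resolved write path must stay under dest.

    Case-insensitive comparison (ntpath.normcase) because NTFS is.
    """
    root = ntpath.normcase(ntpath.normpath(dest))
    try:
        return ntpath.commonpath([root, ntpath.normcase(target)]) == root
    except ValueError:  # different drive letters or absolute/relative mix
        return False


def scan_entries(dest, entries):
    """Return one finding for every entry a safe extractor must refuse."""
    findings = []
    for filename, stream in entries:
        target = naive_target(dest, filename, stream)
        reasons = []
        if not stream_name_is_valid(stream):
            reasons.append("ads-name-contains-path")
        if not within_root(dest, target):
            reasons.append("escapes-extraction-root")
        if STARTUP_MARKER in ntpath.normcase(target):
            reasons.append("writes-to-startup-folder")
        if reasons:
            findings.append({"entry": filename, "stream": stream,
                             "would_write": target, "reasons": reasons})
    return findings


# Constructed entries (assumptions, not the real archive listing): a decoy
# README, a harmless ADS of the kind browsers add on download, and one entry
# whose ADS name climbs out of the extraction directory into Startup.
DEST = r"C:\Users\victim\Downloads\Pharos"  # assumed extraction directory
ENTRIES = [
    (r"Pharos-Automation-Bot\README.txt", None),
    (r"Pharos-Automation-Bot\README.txt", "Zone.Identifier"),
    (r"Pharos-Automation-Bot\README.txt",
     r"..\..\..\..\..\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\1.bat"),
]

if __name__ == "__main__":
    for finding in scan_entries(DEST, ENTRIES):
        print(finding)
```

Two details matter in practice. The first `..` in the stream is glued to the filename (`README.txt:..` is a single path component), so the traversal depth is one less than the number of `..` tokens; counting tokens is therefore not a reliable check, and rule 2 must be applied to the fully resolved path. Second, rule 1 alone already rejects the entry, but keeping rule 2 is what protects against any other encoding of a traversal the name filter does not anticipate.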
[1] https://any.run/cybersecurity-blog/lazarus-group-it-workers-investigation/
[2] https://www.microsoft.com/en-us/security/blog/2025/12/11/imposter-for-hire-how-fake-people-can-gain-very-real-access/
[3] https://mp.weixin.qq.com/s?__biz=MzUyMjk4NzExMA==&mid=2247507693&idx=1&sn=e73e1cca5af2ee80c3037daa1dbd2ab1&poc_token=HGokPGmjYq2xcJOaDd5WY4hY5Za-wN0Xy1iNhqJ7