- North Korean threat actor Lazarus Group linked to Marstech1, a JavaScript implant.
- Targeted attacks against software developers.
- Campaign named Marstech Mayhem by SecurityScorecard.
- Malware distributed via an open-source repository on GitHub.
- Malicious repository associated with GitHub profile SuccessFriend (now removed).
- Active since July 2024.
- Malware embedded in websites and NPM packages, posing a supply chain risk.
- First detected in late December 2024.
- 233 confirmed victims across the U.S., Europe, and Asia.
- Collects system information.
- Alters settings of Chromium-based browser extensions, especially MetaMask.
- Targets cryptocurrency wallets (Exodus and Atomic) across Windows, Linux, and macOS.
- Two implant variations found: one from GitHub, another from a C2 server (74.119.194[.]129:3000/j/marstech1).
- Can download additional payloads from port 3001.
- Data exfiltrated to 74.119.194[.]129:3000/uploads.
- Control Flow Flattening: Obfuscates execution logic.
- Dynamic Variable Renaming: Constantly changes variable names.
- Multi-Stage XOR Decryption: Used in Python components to obfuscate payloads.
- Marstech1 emergence aligns with Contagious Interview campaign.
- Recorded Future identified attacks on:
- Campaign tracked under PurpleBravo, also known as:
- North Korean IT workers linked to fraudulent employment schemes.
- Such workers pose insider threats: data theft, planted backdoors, and a foothold for larger cyber operations.
- Hiring such workers can lead to sanctions violations and legal risks.
- Lazarus Group continues to refine its attack tooling and tradecraft.
- Marstech1 poses major risks to developers and financial institutions.
- Urgent need for enhanced security protocols to counter emerging threats.
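The multi-stage XOR obfuscation listed above is the kind of layering an analyst has to peel before any indicator inside a loader becomes visible. The Python below is an added example written for this summary, not code from the article or from the malware: it builds a constructed sample (a placeholder JSON config wrapped as XOR, then base64, then XOR, with assumed keys) and recovers it by searching single-byte keys one layer at a time. The wrapping order, the keys, the sample content and the JSON-object stop condition are all assumptions of this example.

```python
import base64
import binascii
import json
import re

# Constructed stand-in for a staged loader blob: a JSON config that is XOR-ed,
# base64-encoded, then XOR-ed again. Keys, wrapping order and content are
# assumptions for this example, not values recovered from Marstech1.
PLAINTEXT = b'{"c2":"http://c2.example.invalid:3000/j/placeholder","next_port":3001}'
STAGE_KEYS = [0x5A, 0xC3]   # innermost XOR key first
B64_RE = re.compile(rb'[A-Za-z0-9+/]+={0,2}')

def xor_bytes(data: bytes, key: int) -> bytes:
    """Single-byte XOR, the primitive the staged obfuscation is built from."""
    return bytes(b ^ key for b in data)

def wrap_stages(payload: bytes) -> bytes:
    """Build the sample: XOR with the inner key, base64-encode, XOR with the outer key."""
    return xor_bytes(base64.b64encode(xor_bytes(payload, STAGE_KEYS[0])), STAGE_KEYS[1])

def is_json_object(data: bytes) -> bool:
    """Terminal check for the search: the final stage is assumed to be a JSON object."""
    try:
        return isinstance(json.loads(data), dict)
    except (ValueError, UnicodeDecodeError):
        return False

def peel_stages(blob: bytes, max_depth: int = 4, is_final=is_json_object):
    """Depth-first search over single-byte XOR keys and base64 wrappers.
    Returns (keys_outermost_first, plaintext), or (None, None) if no key chain
    within max_depth layers produces data that passes is_final."""
    if max_depth == 0:
        return None, None
    for key in range(256):
        layer = xor_bytes(blob, key)
        if is_final(layer):
            return [key], layer
        # Only descend through layers that are well-formed base64; this prunes
        # the 256-way branch to the one or two keys that make every byte legal.
        if len(layer) % 4 == 0 and B64_RE.fullmatch(layer):
            try:
                inner = base64.b64decode(layer, validate=True)
            except binascii.Error:
                continue
            keys, plain = peel_stages(inner, max_depth - 1, is_final)
            if plain is not None:
                return [key] + keys, plain
    return None, None

if __name__ == "__main__":
    print(peel_stages(wrap_stages(PLAINTEXT)))
```

For a real loader the stop condition would be swapped for whatever the final stage is known to look like (a JavaScript prologue, a PE header, a URL crib); the search itself stays the same.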