The latest investigation by Microsoft revealed that a threat actor leveraged Telegram chat groups to target the crypto investment industry. Tracked as DEV-0139 by the tech giant, the group communicates with the targets’ VIP clients. 

Modus operandi

DEV-0139 joined multiple Telegram groups used to facilitate communication between the cryptocurrency exchanges and VIP clients and found the target from the members.
  • Once trust is gained, the attacker pretends to be representative of another cryptocurrency exchange and asks for feedback on the fee structure.
  • The payload is delivered via a weaponized crypto-exchange fee comparison Excel file, containing malicious macro for code obfuscation and data retrieval.
  • The threat actor also deploys a second payload - an MSI package for some CryptoDashboardV2 app. This is an indication that DEV-0139 is behind other attacks leveraging the same technique to deliver custom payloads.


While Microsoft has not attributed the attacks to a certain group and instead linked it to the DEV-0139 threat cluster, Volexity researchers connected the campaign to the North Korean state-sponsored Lazarus APT group.
  • Lazarus used the Excel file to drop the AppleJeus malware that has been used by Lazarus in previous campaigns.
  • The APT group was, furthermore, found propagating its fake cryptocurrency apps under the made-up brand name, BloxHolder, a few days back. These apps ultimately delivered AppleJeus.

Latest cryptocurrency threats

  • Hackers were found abusing the “Invisible Challenge” on TikTok to deploy WASP Stealer on thousands of devices. WASP Stealer can pilfer cryptocurrency wallets, credit card details, Discord accounts, and passwords. 
  • In November, a lesser-known malware, dubbed ViperSoftX, reemerged to drop a malicious Google Chrome extension and steal cryptocurrency.

The bottom line

With the expansion of the cryptocurrency market, threat actors have been extremely invested in exploiting it. This latest campaign by DEV-0139 or Lazarus against cryptocurrency exchanges highlights threats against the not-so-thriving (at present) crypto landscape. The attacker appears to be quite knowledgeable about the crypto industry, as displayed by the sophistication of the attack.
Cyware Publisher