The North Korean Lazarus Group is active again and has been linked to a financially motivated campaign. The attackers are using trojanized Decentralized Finance (DeFi) wallet apps to deliver a backdoor to Windows systems.

What happened?

According to researchers, the rogue wallet application was first identified in mid-December 2021.
  • The app includes functionality to save and manage a cryptocurrency wallet, and it triggers the launch of an implant that can take control of the infected host.
  • The infection of the app results in the deployment of the installer for a legitimate application, which is eventually overwritten with a trojanized version to avoid raising suspicion.

The initial access vector into targeted networks is not known; however, experts believe it could be social engineering.

About the malware

The spawned malware, masquerading as the Google Chrome web browser, launches a wallet app built for DeFiChain, connects to a remote domain, and awaits further instructions.
  • Based on the response received from the C2 server, the trojan executes a wide range of commands, collects system information, enumerates/terminates processes, deletes files, and performs other actions.
  • The attackers configured the C2 infrastructure with servers set up in multiple stages.
  • The C2 infrastructure consisted exclusively of previously compromised web servers from South Korea.


Researchers associated the campaign with Lazarus after identifying similar malware in the CookieTime cluster, which JPCERT calls LCPDot.

Bottom line

Lazarus is a financially motivated actor that seems to be focusing on the cryptocurrency business. The increase in cryptocurrency prices and the popularity of DeFi businesses are strong drivers behind such malicious campaigns, which can thus be expected to increase in the near future.
Cyware Publisher