North Korean hackers set up 3 shell companies to scam crypto devs
A subgroup of the North Korea-linked Lazarus hacking group has set up three shell companies, two of them in the United States, to deliver malware to unsuspecting users.
The three sham crypto consulting companies – Blocknovas, Angeloper Agency and Softglide – are used by the North Korean group's "Contagious Interview" campaign to distribute malware through fake job interviews, Silent Push threat analysts said in an April 24 report.
Silent Push senior threat analyst Zach Edwards said in an April 24 statement on X that two of the shell companies are registered as legitimate businesses in the United States.
“These websites and a huge network of accounts on job/recruitment websites are used to encourage people to apply for jobs,” he said.
“During the job application process, an error message is displayed as someone tries to record an introductory video. The solution is an easy copy-and-paste trick, which leads to malware if the unsuspecting developer completes the process.”
Three malware strains – BeaverTail, InvisibleFerret and OtterCookie – are used, according to Silent Push.
BeaverTail is malware designed mainly to steal information and to load further malware stages. OtterCookie and InvisibleFerret primarily target sensitive information, including crypto wallet keys and clipboard data.
Silent Push analysts said in the report that the hackers use GitHub, job listings and freelancer websites to seek out victims.
AI used to create fake employees
The scheme also involves the hackers using AI-generated images to create employee profiles for the three crypto companies, as well as stealing images of real people.
“There are many fake employees and stolen images of real people used across this network. We have documented some of the fakes and stolen images, but it is very important to appreciate that the identity efforts of this campaign are different,” Edwards said.
“In one of the examples, the threat actors took a real photo of a real person, then appeared to have run it through an AI image modifier tool to create a subtly different version of that same image.”
This malware campaign has been under way since 2024, and Edwards says there are known public victims.
Silent Push identified two developers targeted by the campaign; one of them reportedly had their MetaMask wallet compromised.
The FBI has since shut down at least one of the companies.
“The Federal Bureau of Investigation (FBI) has seized the Blocknovas domain, but Softglide is still live, along with some of their other infrastructure,” Edwards said.
At least three crypto founders reported in March that they had thwarted an attempt by suspected North Korean hackers to steal sensitive data through fake Zoom calls.
Groups such as the Lazarus Group are the main suspects in some of the largest cyber heists on Web3, including the $1.4 billion hack and the $600 million Ronin Network hack.