Security Articles

Hunting Lazarus: Inside the Contagious Interview C2 Infrastructure

released on 2026-01-15 @ 03:25:29 PM
North Korean malware was discovered in an Upwork cryptocurrency project, leading to a five-day investigation into active Lazarus Group infrastructure. The malware used three infection mechanisms: VS Code auto-execution, backend RCE via the JavaScript Function constructor, and payload delivery through cookies. The infrastructure included Vercel-hosted Stage 1 C2 servers and dedicated Stage 2 C2 servers. A timing oracle allowed token enumeration, which revealed three active campaigns. The payload chain consisted of modules for data extraction, RAT functionality, and cryptocurrency mining. The investigation uncovered persistence mechanisms, masquerading techniques, and a custom binary protocol. The operators responded defensively in real time while reconnaissance was under way. The infrastructure blended legitimate-looking development projects with malicious activity for cover.