Concise Cyber

Live Attack Recording Exposes Lazarus APT’s Remote Worker Infiltration Scheme

Cybersecurity researchers have successfully observed and recorded a live, multi-stage attack executed by the Lazarus Group, a North Korea-linked Advanced Persistent Threat (APT). The operation documented a detailed scheme aimed at compromising individuals in the cryptocurrency industry through deceptive remote job offers.

The investigation, conducted by researchers at WithSecure, captured the entire attack chain from initial contact to the deployment of custom malware. The incident provides direct insight into the tactics, techniques, and procedures (TTPs) employed by one of the world’s most prolific state-sponsored hacking syndicates.

Anatomy of a Social Engineering Attack

The attack began when the threat actors, posing as recruiters, contacted a target on the professional networking platform LinkedIn. The target, a professional in the cryptocurrency sector, was presented with a fraudulent job opportunity for a role at a legitimate U.S.-based crypto company. The initial bait was a document presented as a job description.

This document was not a standard PDF but a malicious LNK file disguised with a PDF icon. Once opened, the file executed a PowerShell script. This script initiated a connection to a remote command-and-control (C2) server, downloading the next stage of the malware payload and establishing an initial foothold on the compromised system.
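As a defender-side illustration of the lure described above (an added example, not code from WithSecure or The Hacker News), this Python parser reads the fixed Shell Link header and the StringData strings of a .lnk file and flags shortcuts that carry a document icon but launch PowerShell. The sample shortcuts are constructed inline; their paths, arguments and icon values are assumptions, not indicators from the article.

```python
import struct

# Fixed ShellLinkHeader prefix: HeaderSize 0x4C followed by the Shell Link CLSID (MS-SHLLINK 2.1).
LNK_MAGIC = b"\x4c\x00\x00\x00" + bytes.fromhex("0114020000000000c000000000000046")
HAS_TARGET_IDLIST, HAS_LINK_INFO, IS_UNICODE = 0x01, 0x02, 0x80
STRING_FIELDS = [("name", 0x04), ("relative_path", 0x08), ("working_dir", 0x10),
                 ("arguments", 0x20), ("icon_location", 0x40)]   # StringData order

def parse_lnk(data: bytes) -> dict:
    """Read ShowCommand and the StringData strings of a Shell Link file."""
    if data[:20] != LNK_MAGIC:
        raise ValueError("not a Shell Link (.lnk) file")
    flags, = struct.unpack_from("<I", data, 20)
    fields = {"show_command": struct.unpack_from("<i", data, 60)[0]}
    pos = 76
    if flags & HAS_TARGET_IDLIST:                      # skip LinkTargetIDList
        size, = struct.unpack_from("<H", data, pos); pos += 2 + size
    if flags & HAS_LINK_INFO:                          # skip LinkInfo (size counts itself)
        size, = struct.unpack_from("<I", data, pos); pos += size
    for name, bit in STRING_FIELDS:
        fields[name] = ""
        if flags & bit:                                # CountCharacters, then the characters
            count, = struct.unpack_from("<H", data, pos); pos += 2
            width = 2 if flags & IS_UNICODE else 1
            raw = data[pos:pos + count * width]; pos += count * width
            fields[name] = raw.decode("utf-16-le" if width == 2 else "cp1252")
    return fields

def lure_indicators(fields: dict) -> list:
    """Reasons a shortcut looks like a document lure that really runs PowerShell."""
    launch = (fields["relative_path"] + " " + fields["arguments"]).lower()
    icon = fields["icon_location"].lower()
    checks = [("target launches PowerShell", "powershell" in launch or "pwsh" in launch),
              ("console window is hidden", "-w hidden" in launch or "-windowstyle hidden" in launch),
              ("icon mimics a PDF document", ".pdf" in icon or "acrobat" in icon or "acrord32" in icon),
              ("window starts minimised (SW_SHOWMINNOACTIVE)", fields["show_command"] == 7)]
    return [reason for reason, hit in checks if hit]

def build_lnk(relative_path: str, arguments: str, icon: str, show_command: int = 1) -> bytes:
    """Build a minimal constructed .lnk (header plus three Unicode strings) for testing."""
    flags = IS_UNICODE | 0x08 | 0x20 | 0x40              # HasRelativePath | HasArguments | HasIconLocation
    header = LNK_MAGIC + struct.pack("<IIQQQiiiHHII", flags, 0x20, 0, 0, 0, 0, 0, show_command, 0, 0, 0, 0)
    body = b"".join(struct.pack("<H", len(s)) + s.encode("utf-16-le") for s in (relative_path, arguments, icon))
    return header + body

# Constructed samples: a lure shaped like the article's "job description", and a benign shortcut.
LURE = build_lnk(r"..\..\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
                 '-w hidden -c "<constructed stage-two placeholder>"',
                 r"C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe", show_command=7)
BENIGN = build_lnk(r"..\..\Windows\System32\notepad.exe", "", r"..\..\Windows\System32\notepad.exe")
```

Running `lure_indicators(parse_lnk(LURE))` returns all four reasons, while the benign shortcut returns an empty list; the parser skips LinkTargetIDList and LinkInfo so it also works on shortcuts saved by Explorer.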

Observing Attacker Tactics in Real-Time

The researchers monitored the attacker’s activities within a controlled environment, recording their every move over several days. This direct observation revealed the deployment of several malicious tools. The attackers used a custom backdoor known as LPEClient, which functioned as a privilege escalation tool. Following this, they installed a persistent remote access trojan (RAT), identified as a variant of BLINDINGCAN, to maintain long-term access to the infected machine.

The live surveillance also exposed operational security (OpSec) failures by the Lazarus operator. During the intrusion, the attacker inadvertently revealed their own operational IP address while downloading hacking tools from their public infrastructure. The ultimate objective of the observed campaign was the theft of cryptocurrency by compromising the target’s digital assets.

Source: https://thehackernews.com/2025/12/researchers-capture-lazarus-apts-remote.html