SecurityScorecard has revealed a newly identified malware campaign by North Korea's Lazarus Group, called "Marstech Mayhem," which targets cryptocurrency wallets and the software supply chain. The campaign deploys an advanced malware implant, "marstech1," that shows an evolution in the group's tactics. It has capabilities not seen in previous efforts, including a command and control server listening on port 3000 backed by a Node.js Express application. A GitHub profile associated with Lazarus was first used to build an appearance of legitimacy before the malicious code was introduced, illustrating a sophisticated strategy and the limited visibility defenders have had into the operation.
The Marstech implant appears to be used in a small number of targeted supply-chain attacks; apart from its two observed occurrences in late 2024, it has not surfaced elsewhere.
This sophisticated tool marks a significant evolution in the group's tactical approach, introducing functional enhancements that set it apart from previous campaigns.