Wanna Collab? Download this Malware

12167935268?profile=RESIZE_400xThe Lazarus Group is North Korean state sponsored cybercrime group and they have been credited, in one way or another, with a recent social engineering campaign targeting developers on GitHub.  They are said to have been created by the North Korean government as early as 2007 and they are a part of the RGB, which is North Korea’s primary foreign intelligence agency.  “Lazarus Group” would appear to be the primary identity of the group, but they do have several aliases such as Appleworm, Group 77, Guardians of Peace, Hidden Cobra, Jade Sleet, among several others.

They target institutions in many areas, such as government, military, finance, manufacturing, publishing, among many others.  Their typical tactics include cyber espionage, data theft, heists, destructive malware, and as we’ll see shortly, social engineering.  They have been involved in a variety of malicious activities, such as the WannaCry 2.0 ransomware, which affected approximately 300,000 computers in at least 150 different countries, the 2014 attacks on Sony Pictures, and the theft of $81 million dollars from Bangladesh Bank in 2016.

The social engineering campaign we’re focusing on here is like another Lazarus campaign that took place in January of 2021, where cybersecurity researchers were targeted for collaborations on vulnerability exploit research and took advantage of malicious Visual Studio projects.  Social engineering can be thought of as the process of manipulating, influencing, or deceiving someone to obtain something like private information, restricted access, or valuables.  As they will generally require some form of communication between attacker and victim, social engineering attacks are built around how people typically think and behave. 

The goals of social engineering attacks will typically be either sabotage or theft.  Common types of social engineering attacks found in the digital world can include things like phishing, baiting, physical breaches like tailgating, or scareware like a malicious antivirus ad giving a false report.

The attack cycle of a social engineering attack will generally have four stages.  First is preparation where information is gathered on an individual target or a target group.  Next is infiltration, which is where communication is started and trust is built, Exploitation occurs when the target’s weaknesses and trust align in such a way that allows for an advancement of the attack.  Then, the attacker will disengage once all of the required actions have been taken by the target.

GitHub released a security alert detailing the specifics of this campaign and its attack chain on July 18th.  The threat actors begin by impersonating either developers or recruiters by utilizing accounts on GitHub and other social media sites.  In some cases, the accounts were fake and in other cases the accounts were compromised.  Fake accounts linked to this campaign have been found on LinkedIn, Slack, and Telegram

Developers are being targeted in blockchain, cryptocurrency, online gambling, and cyber security.  After contact has been established, targets are invited into collaboration projects, which contain malicious NPM package dependencies.  These packages act as first-stage downloaders, which download and execute secondary malware.  The projects themselves seem to mostly involve either media players or cryptocurrency trading tools.

The first instances of the NPM usage pattern exhibited by this campaign were first discovered by Phylum research in June of 2023.  They noted the sophistication of the technique as the execution order of the packages used is crucial to the success of the infection.  The attack is spread across of pair of ordered NPM packages.  The first package will fetch and store a token from a remote server, which is then used by a second package to obtain malicious code from a remote server.

In terms of mitigation, we can begin by noting that GitHub has listed a few indicators like domain names, malicious NPM packages, and malicious NPM accounts on their blog.  The link to the mitigation blog post is here:


Anyone who was solicited by known malicious accounts are likely a target of this campaign.  Repository invites can be reviewed in the GitHub security log.  The events to look for are action:repo.add_member events, which indicate that you have accepted an invite to a repository.  Think twice before accepting solicitations to collaborate on or install projects with NPM dependencies.  Extra scrutiny should be given to new or recently published NPM dependencies or scripts that make network connections during installation.  Anyone affected by these projects should inform their employers cybersecurity department, and it may also be prudent to reset or wipe affected devices, change account passwords, and rotate tokens stored on the affected devices.

In summary, the Lazarus Group is a North Korean state sponsored cyber crime group said to have been operating as early as 2007.  They have several aliases like Jade Sleet and Guardians of Peace, and they operate in many areas like government, military, finance, among others.

Social engineering attacks aim to deceive someone in such a way that an attacker can obtain things like information or restricted access.  Attacks like phishing or baiting are under the umbrella of social engineering, and a social engineering attack’s cycle will normally have four stages: preparation, infiltration, exploitation, and disengagement.

Developers on GitHub have been targeted in several different areas including blockchain, cryptocurrency, online gambling, and cyber security, for the purposes of collaborating on projects like media players or cryptocurrency trading tools.  These can contain malicious NPM package dependencies, which act as first stage downloaders for additional malware.

Finally, we covered a few mitigation tips for this attack that were distributed by GitHub.  They have a list of known malicious accounts listed on their blog, and anyone who has collaborated with these accounts is likely a target.  Users can review their security logs on GitHub to see if they have been added to any suspicious projects.  Users should also take extra care when examining the package dependencies and installation scripts of a project, particularly if newer NPM packages are involved.


[1]: https://www.bleepingcomputer.com/news/security/github-warns-of-lazarus-hackers-targeting-devs-with-malicious-projects/

[2]: https://home.treasury.gov/news/press-releases/sm774

[3]: https://ofac.treasury.gov/recent-actions/20190913

[4]: https://www.justice.gov/opa/pr/north-korean-regime-backed-programmer-charged-conspiracy-conduct-multiple-cyber-attacks-and

[5]: https://usa.kaspersky.com/resource-center/definitions/what-is-social-engineering

[6]: https://www.cmu.edu/iso/aware/dont-take-the-bait/social-engineering.html

[7]: https://www.imperva.com/learn/application-security/social-engineering-attack/

[8]: https://github.blog/2023-07-18-security-alert-social-engineering-campaign-targets-technology-industry-employees/#domains

[9]: https://blog.phylum.io/sophisticated-ongoing-attack-discovered-on-npm/


Red Sky Alliance is a Cyber Threat Analysis and Intelligence Service organization.  For questions, comments or assistance, please contact the office directly at 1-844-492-7225, or feedback@wapacklabs.com             

Weekly Cyber Intelligence Briefings:

  • Reporting: https://www. redskyalliance. org/   
  • Website: https://www. wapacklabs. com/  
  • LinkedIn: https://www. linkedin. com/company/64265941   

Weekly Cyber Intelligence Briefings:

REDSHORTS - Weekly Cyber Intelligence Briefings


E-mail me when people leave their comments –

You need to be a member of Red Sky Alliance to add comments!