Lazarus Group Deploys Marstech1 JavaScript Implant in Targeted Developer Attacks

Feb 14, 2025Ravie LakshmananBrowser Security / Cryptocurrency

The North Korean threat actor known as the Lazarus Group has been linked to a previously undocumented JavaScript implant named Marstech1 as part of limited targeted attacks against developers.

The active operation has been dubbed Marstech Mayhem by SecurityScorecard, with the malware delivered by means of an open-source repository hosted on GitHub that’s associated with a profile named “SuccessFriend.” The profile, active since July 2024, is no longer accessible on the code hosting platform.

The implant is designed to collect system information, and can be embedded within websites and NPM packages, posing a supply chain risk. Evidence shows that the malware first emerged in late December 2024. The attack has amassed 233 confirmed victims across the U.S., Europe, and Asia.

“The profile mentioned web dev skills and learning blockchain which is in alignment to the interests of Lazarus,” SecurityScorecard said. “The threat actor was committing both pre-obfuscated and obfuscated payloads to various GitHub repositories.”

In an interesting twist, the implant present in the GitHub repository has been found to be different from the version served directly from the command-and-control (C2) server at 74.119.194[.]129:3000/j/marstech1, indicating that it may be under active development.

Its chief responsibility is to search across Chromium-based browser directories in various operating systems and alter extension-related settings, particularly those related to the MetaMask cryptocurrency wallet. It’s also capable of downloading additional payloads from the same server on port 3001.

Some of the other wallets targeted by the malware include Exodus and Atomic on Windows, Linux, and macOS. The captured data is then exfiltrated to the C2 endpoint “74.119.194[.]129:3000/uploads.”

“The introduction of the Marstech1 implant, with its layered obfuscation techniques — from control flow flattening and dynamic variable renaming in JavaScript to multi-stage XOR decryption in Python — underscores the threat actor’s sophisticated approach to evading both static and dynamic analysis,” the company said.

The disclosure comes as Recorded Future revealed that at least three organizations in the broader cryptocurrency space, a market-making company, an online casino, and a software development company, were targeted as part of the Contagious Interview campaign between October and November 2024.

The cybersecurity firm is tracking the cluster under the name PurpleBravo, stating the North Korean IT workers behind the fraudulent employment scheme are behind the cyber espionage threat. It’s also tracked under the names CL-STA-0240, Famous Chollima, and Tenacious Pungsan.

“Organizations that unknowingly hire North Korean IT workers may be in violation of international sanctions, exposing themselves to legal and financial repercussions,” the company said. “More critically, these workers almost certainly act as insider threats, stealing proprietary information, introducing backdoors, or facilitating larger cyber operations.”

Upgrade your audio game with the Logitech for Creators Blue Yeti USB Microphone. With over 33,730 ratings and an impressive 4.6 out of 5 stars, it’s no wonder this is an Amazon’s Choice product. Recently, 5K+ units were purchased in the past month.

Available in five stunning colors: Teal, Silver, Pink Dawn, Midnight Blue, and Blackout, this microphone is perfect for creators looking to produce exceptional audio. Priced at only $84.99, it’s a deal you can’t afford to miss.

Elevate your recordings with clear broadcast-quality sound and explore your creativity with enhanced effects, advanced modulation, and HD audio samples. Order now for just $84.99 on Amazon!

Help Power Techcratic’s Future – Scan To Support

If Techcratic’s content and insights have helped you, consider giving back by supporting the platform with crypto. Every contribution makes a difference, whether it’s for high-quality content, server maintenance, or future updates. Techcratic is constantly evolving, and your support helps drive that progress.

As a solo operator who wears all the hats, creating content, managing the tech, and running the site, your support allows me to stay focused on delivering valuable resources. Your support keeps everything running smoothly and enables me to continue creating the content you love. I’m deeply grateful for your support, it truly means the world to me! Thank you!