Silent Push, a prominent cybersecurity firm, has uncovered sensitive infrastructure linked to the infamous Lazarus Group, a North Korean state-sponsored Advanced Persistent Threat (APT) actor.
This discovery sheds light on the group’s involvement in the historic $1.4 billion cryptocurrency heist targeting ByBit, one of the largest thefts in crypto history.
The Lazarus Group, known for its sophisticated cyber operations, registered the domain “bybit-assessment[.]com” mere hours before the attack.
Silent Push analysts traced this domain to an email address, trevorgreer9312@gmail[.]com, which has been associated with previous Lazarus campaigns.
This email address and its related infrastructure were identified in earlier attacks attributed to a Lazarus subgroup known as BlueNoroff.

Investigative Breakthroughs
Silent Push’s investigation revealed that Lazarus extensively tests its phishing configurations before deploying them.
Logs from December 2024 showed test submissions using fake credentials, such as “Josep@gmail[.]com,” and even included a test entry labeled “Lazaro,” a clear nod to the group’s name.
Analysts also identified 27 unique Astrill VPN IP addresses from which the group staged this infrastructure, consistent with the VPN usage seen in earlier Lazarus activity.

The firm highlighted that Lazarus continues to use fake job interviews as a primary tactic to lure victims into downloading malware.
These phishing campaigns often target cryptocurrency users through platforms like LinkedIn, employing malicious domains such as “Blockchainjobhub[.]com” and “nvidia-release[.]org.”
Victims are tricked into executing malware under the guise of updating drivers or solving technical issues during staged interviews.

Technical Insights and Infrastructure
Silent Push analysts gained access to portions of Lazarus's infrastructure and to the operational data it held.
While specific details are being withheld for operational reasons, the data confirmed that Lazarus iterates on its phishing kits to refine its credential-theft methods.
The group’s infrastructure includes domains and IP addresses linked to phishing scams and crypto-related fraud.
One key finding was the domain “bybit-assessment[.]com,” which was mapped to IP address 91.222.173[.]30 shortly after its registration.
This IP was also tied to other malicious domains used in employment scams and crypto frauds.
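The indicators named in this article (the domains, the hosting IP and the registrant e-mail) are published defanged, and a defender's first job is to refang them and sweep DNS, proxy and mail logs for them. The following is an added example, not Silent Push's tooling: it refangs the article's indicators, then matches them against a handful of constructed log lines. It matches domains on label boundaries, so a subdomain of a listed domain hits but a lookalike such as www.nvidia.com does not; an IP one higher than the listed one is likewise left alone rather than guessed as malicious.

```python
"""Refang the article's defanged indicators and sweep constructed log lines for them.

Added example, not Silent Push's tooling. The log lines below are constructed
for illustration; the indicators are the ones named in the article.
"""
import ipaddress
import re

# Indicators as published (defanged so they cannot be clicked by accident).
DEFANGED_INDICATORS = [
    "bybit-assessment[.]com",
    "Blockchainjobhub[.]com",
    "nvidia-release[.]org",
    "91.222.173[.]30",
    "trevorgreer9312@gmail[.]com",
]

# Constructed sample log lines (DNS resolver, forward proxy, MTA). Not real data.
SAMPLE_LOG = [
    "2025-02-20T14:02:11Z dns client=10.0.0.23 query: www.bybit-assessment.com IN A",
    "2025-02-20T14:02:12Z proxy client=10.0.0.23 CONNECT 91.222.173.30:443",
    "2025-02-20T14:05:40Z mta from=<trevorgreer9312@gmail.com> to=<dev@example.com>",
    "2025-02-20T15:11:02Z dns client=10.0.0.45 query: www.nvidia.com IN A",
    "2025-02-20T15:12:00Z dns client=10.0.0.45 query: cdn.nvidia-release.org IN A",
    "2025-02-20T15:13:30Z proxy client=10.0.0.45 CONNECT 91.222.173.31:443",
]

HOST_RE = re.compile(r"\b(?:[a-z0-9-]+\.)+[a-z]{2,}\b", re.IGNORECASE)
IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
EMAIL_RE = re.compile(r"\b[\w.+-]+@(?:[a-z0-9-]+\.)+[a-z]{2,}\b", re.IGNORECASE)


def refang(indicator: str) -> str:
    """Reverse the common defanging conventions: [.] (.) [dot] [@] [:] and hxxp."""
    s = indicator.strip()
    for old, new in (("[.]", "."), ("(.)", "."), ("[dot]", "."), ("[@]", "@"), ("[:]", ":")):
        s = s.replace(old, new)
    s = re.sub(r"^hxxp(s?)://", r"http\1://", s, flags=re.IGNORECASE)
    return s.lower()


def classify(indicator: str) -> str:
    """Bucket a refanged indicator as 'email', 'ip' or 'domain'."""
    if "@" in indicator:
        return "email"
    try:
        ipaddress.ip_address(indicator)
        return "ip"
    except ValueError:
        return "domain"


def build_index(defanged):
    """Refang and bucket a list of defanged indicators into per-kind sets."""
    index = {"domain": set(), "ip": set(), "email": set()}
    for raw in defanged:
        clean = refang(raw)
        index[classify(clean)].add(clean)
    return index


def match_domain(hostname, domains):
    """Return the listed domain that hostname equals or is a subdomain of, else None.

    Matching is done on label boundaries: cdn.nvidia-release.org hits
    nvidia-release.org, but www.nvidia.com does not, so lookalike domains
    are never matched by plain substring.
    """
    labels = hostname.lower().rstrip(".").split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        if candidate in domains:
            return candidate
    return None


def scan(lines, index):
    """Return (line_number, kind, indicator) hits, one per distinct indicator per line."""
    hits = []
    for n, line in enumerate(lines, start=1):
        seen = set()
        for email in EMAIL_RE.findall(line):
            if email.lower() in index["email"]:
                seen.add(("email", email.lower()))
        for ip in IPV4_RE.findall(line):
            if ip in index["ip"]:
                seen.add(("ip", ip))
        for host in HOST_RE.findall(line):
            if "@" + host in line:  # domain part of an e-mail address; handled above
                continue
            hit = match_domain(host, index["domain"])
            if hit:
                seen.add(("domain", hit))
        hits.extend((n, kind, ind) for kind, ind in sorted(seen))
    return hits


if __name__ == "__main__":
    for line_no, kind, indicator in scan(SAMPLE_LOG, build_index(DEFANGED_INDICATORS)):
        print(f"line {line_no}: {kind} indicator {indicator}")
```

Run as-is it reports four hits (the assessment domain, the hosting IP, the registrant address and a subdomain of nvidia-release.org); the www.nvidia.com lookup and the neighbouring IP 91.222.173.31 are correctly not reported. To use it against real logs, replace SAMPLE_LOG with lines read from your resolver, proxy or MTA and DEFANGED_INDICATORS with the published list.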
Silent Push is actively collaborating with law enforcement and intelligence partners to analyze this data and mitigate further threats.
This investigation underscores the evolving tactics of North Korean cyber actors in targeting financial systems globally.
Silent Push has shared a sample list of Indicators of Future Attacks (IOFAs, its term for indicators drawn from attacker infrastructure observed before it is used in an attack) with the cybersecurity community to aid in proactive defense.
The firm plans to release a comprehensive report for enterprise clients detailing their findings and methodologies.
As Lazarus continues to adapt its strategies, organizations are urged to remain vigilant against phishing campaigns and employment scams leveraging fake domains and social engineering techniques.