Researchers have identified a link between the North Korean threat actor known as the Lazarus Group and a previously undocumented JavaScript implant, dubbed Marstech1, which has been used in targeted attacks against developers.
The operation, referred to as Marstech Mayhem by SecurityScorecard, involves the delivery of malware through an open-source repository on GitHub associated with a profile named “SuccessFriend.” This profile, which was active from July 2024, is no longer accessible on the platform.
The Marstech1 implant collects system information and can be embedded in websites and NPM packages, which makes it a significant software supply chain risk. The malware appears to have first emerged in late December 2024, and the campaign has claimed 233 confirmed victims across the United States, Europe, and Asia.
According to SecurityScorecard, “The profile mentioned web dev skills and learning blockchain, which is consistent with the interests of Lazarus. The threat actor committed both pre-obfuscated and obfuscated payloads to various GitHub repositories.”
Interestingly, the implant found in the GitHub repository differs from the version served directly from the command-and-control (C2) server at 74.119.194[.]129:3000/j/marstech1, suggesting that it may be under active development.
The implant's primary function is to locate Chromium-based browser directories on each supported operating system and modify extension-related settings, in particular those of the MetaMask cryptocurrency wallet extension. It can also download additional payloads from the same server on port 3001.
Other wallets targeted by the malware include Exodus and Atomic on Windows, Linux, and macOS. Captured data is exfiltrated to the C2 endpoint “74.119.194[.]129:3000/uploads.”
SecurityScorecard notes, “The introduction of the Marstech1 implant, with its layered obfuscation techniques — from control flow flattening and dynamic variable renaming in JavaScript to multi-stage XOR decryption in Python — highlights the threat actor’s sophisticated approach to evading both static and dynamic analysis.”
The disclosure comes as Recorded Future revealed that at least three organizations in the broader cryptocurrency space, including a market-making company, an online casino, and a software development company, were targeted as part of the Contagious Interview campaign between October and November 2024.
The cybersecurity firm tracks the cluster under the name PurpleBravo and assesses that the North Korean IT workers behind the fraudulent employment scheme are also behind this cyber espionage activity, which other vendors track as CL-STA-0240, Famous Chollima, and Tenacious Pungsan.
Recorded Future warns, “Organizations that unknowingly hire North Korean IT workers may be in violation of international sanctions, exposing themselves to legal and financial repercussions. Moreover, these workers likely act as insider threats, stealing proprietary information, introducing backdoors, or facilitating larger cyber operations.”