LazarOps: APT Tactics Targeting the Developers Supply Chain [PART 1]
- Security Joes
- 19 hours ago
- 6 min read

In July 2025, Security Joes investigated a sophisticated intrusion targeting a macOS developer workstation. The compromise stemmed from a deceptive GitHub repository, part of a broader social engineering campaign.
The malware—linked to North Korea’s notorious Lazarus Group—was distributed through a fake hiring campaign that specifically targeted developers on LinkedIn. As part of the scam, the threat actors presented the victim with a Node.js web application disguised as a technical challenge to assess programming skills during the simulated recruitment process. Unaware of the malicious payload embedded within, the victim downloaded and executed the fraudulent Github repository, thereby triggering the infection.
What began as a single endpoint alert quickly unraveled into evidence of a much broader attack specially crafted to infect developers through multiple deceptive techniques carefully designed to evade detection and maximize the number of victims, said Principal Incident Response Lead, Felipe Duarte.
Our investigation uncovered what we have named LazarOps, the latest Lazarus APT operation specifically targeting the developer supply chain. This operation leverages fake interviews to compromise individuals while simultaneously infiltrating development environments through malicious packages that impersonate legitimate utilities, often with subtle typographical errors in their names. It employs stealthy yet highly dangerous attack chains capable of directly compromising development environments across all major operating systems: Linux, Windows, and macOS. The operation’s ultimate objective appears to be gaining access to high-privilege corporate environments and infecting GitHub users to distribute malicious artifacts within developer communities.
This blog post is the first of a two-part series, outlining the early stages of the LazarOps operation—from the victim’s initial interaction with the threat actors, to the GitHub compromise, infrastructure patterns, campaign-level analysis, and the techniques used to execute the malware silently. All findings presented here are based on direct forensic evidence and extensive threat hunting efforts. The second part will provide a full malware analysis and examine the tooling weaponization linked to APT38 as well as the additional techniques identified to spread the threat.
The full details were shared with both GitHub and NCSC-UK to support efforts to take down the infrastructure and the related accounts, which pose as legitimate while delivering links to weaponized projects.
The article in a nutshell:
[+] LazarOps – a Lazarus Group campaign targeting the developer supply chain via fake hiring scams, malicious GitHub repositories, and typosquatted packages.
[+] Social engineering and cross-platform attack chains to compromise macOS, Windows, and Linux development environments, aiming for high-privilege corporate access.
[+] Findings were shared with GitHub and NCSC-UK to support infrastructure takedowns and account suspensions.
Security Joes is a multi-layered incident response company strategically located in nine different time-zones worldwide, providing a follow-the-sun methodology to respond to any incident remotely. Security Joes' clients are protected against this threat.
Contact us at response@securityjoes.com for more information about our services and technologies and get additional recommendations to protect yourself against this kind of attack vector.
The Setup: A Social Engineering Trap Disguised as Opportunity
The attack began when a senior full-stack developer received a message from a LinkedIn profile under the name “Wilker Cuenun Buitrago.” Claiming to be a recruiter, the sender invited the victim to collaborate on a GitHub project titled AI-healthcare. The developer was instructed to test the repository using local tools on a macOS workstation.

Unbeknownst to the victim, the repository contained embedded malicious code. A concealed .npl Python script, triggered during build, initiated an outbound connection to download further payloads. This script marked the beginning of a modular, three-stage malware chain.

Inside the Malware: Three Stages of Compromise
Stage 1: InvisibleFerret Loader
The first stage was a 3KB Python stub, obfuscated under 64 layers of Base64 and zlib encoding. It assembled a C2 URL using hardcoded parameters and attempted to download the second stage from hxxp://144[.]172[.]104[.]113:1224/payload/3/726. If unreachable, it rotated through a list of 1,000 Pastebin URLs, eventually pointing to hxxp://fashdefi[.]store:6168.
Stage 2: Recon Module (brow3_726.py)
This stage retrieved system metadata, Git configuration, browser profiles, and IDE data. The exfiltration strings were masked with Base64 encoding and XORed using the key !!!HappyPenguin1950!!! (the exclamation marks are part of the key).
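Both encoding tricks described above, the nested Base64/zlib wrapper of Stage 1 and the Base64 plus XOR masking of Stage 2, can be reversed statically in a sandbox without ever executing the stub. The Python below is an added example written for this post; it is neither Security Joes' tooling nor the malware. It builds a constructed stub of the same shape (exec of zlib-inflated Base64), peels it layer by layer, and decodes exfiltration strings with the key quoted above. The XOR-then-Base64 ordering for Stage 2 is an assumption, since the post does not state which transform was applied first.

```python
from __future__ import annotations

import base64
import binascii
import re
import zlib

# XOR key quoted in the write-up for the Stage 2 exfiltration strings.
STAGE2_XOR_KEY = b"!!!HappyPenguin1950!!!"

# A run of Base64 alphabet characters long enough to be a wrapped payload
# rather than an identifier in the surrounding Python source.
B64_RUN = re.compile(rb"[A-Za-z0-9+/]{20,}={0,2}")


def build_sample_stub(inner: bytes, layers: int) -> bytes:
    """Constructed sample with the same *shape* as the Stage 1 loader: `inner`
    wrapped `layers` times in zlib + Base64 inside an exec() one-liner.
    This is test scaffolding, not the real stub."""
    src = inner
    for _ in range(layers):
        b64 = base64.b64encode(zlib.compress(src))
        src = b'exec(zlib.decompress(base64.b64decode("' + b64 + b'")))'
    return src


def unwrap_layers(src: bytes, max_layers: int = 256) -> tuple[bytes, int]:
    """Statically peel Base64/zlib wrappers without executing anything.

    Each round pulls the longest Base64 literal out of the current source,
    decodes it strictly and, if the result is a zlib stream, inflates it.
    Stops when no literal is left (the real code has been reached) or when
    a literal fails strict decoding. Returns (innermost_source, layers_removed).
    """
    layers = 0
    while layers < max_layers:
        runs = B64_RUN.findall(src)
        if not runs:
            break
        blob = max(runs, key=len)
        try:
            raw = base64.b64decode(blob, validate=True)
        except (binascii.Error, ValueError):
            break
        try:
            raw = zlib.decompress(raw)
        except zlib.error:
            pass  # Base64-only layer: keep the decoded bytes as they are
        src = raw
        layers += 1
    return src, layers


def xor_bytes(data: bytes, key: bytes) -> bytes:
    """XOR `data` with a repeating key."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def decode_exfil_string(token: str, key: bytes = STAGE2_XOR_KEY) -> bytes:
    """Reverse the Stage 2 masking. Assumed order (not stated in the post):
    plaintext was XORed first and then Base64-encoded for transport, so we
    Base64-decode and then XOR with the key."""
    return xor_bytes(base64.b64decode(token), key)


def encode_exfil_string(plaintext: bytes, key: bytes = STAGE2_XOR_KEY) -> str:
    """Forward direction of the same assumed scheme, used here only to build
    constructed test vectors for the decoder."""
    return base64.b64encode(xor_bytes(plaintext, key)).decode()


if __name__ == "__main__":
    stub = build_sample_stub(b'print("reached the innermost layer")', 64)
    inner, n = unwrap_layers(stub)
    print(f"removed {n} layers -> {inner!r}")
    token = encode_exfil_string(b"user.email=dev@example.invalid")
    print(decode_exfil_string(token))
```

Run it on a captured stub by passing the file's bytes to unwrap_layers; because the loop only decodes, the worst a malformed sample can do is stop early and report how many layers it managed to remove.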
Stage 3: Tsunami-Based Backdoor (pay3_726.py and any3.py)
The final stage deployed persistence via a LaunchAgent named com.apple.service.plist and searched for files like .env, config.js, and robots.txt. It scraped clipboard and keyboard events and uploaded collected data via HTTP POST to the attacker’s server.
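A practical way to hunt for the Stage 3 persistence across a fleet of macOS hosts is to parse every plist in each user's LaunchAgents folder rather than grep for one file name. The Python below is an added example, not Security Joes' code: it flags the reported file name, com.apple.* labels living outside /System (Apple's own agents are never installed in a user's Library), agents that wrap an interpreter, and programs under temp or shared paths. The sample plists, the com.example label and the /Users/Shared script path are constructed for the demonstration.

```python
from __future__ import annotations

import plistlib
import re
import tempfile
from pathlib import Path

# Persistence file name reported for Stage 3.
KNOWN_BAD_FILENAME = "com.apple.service.plist"
# Interpreters a loader-style agent typically wraps (heuristic, not an IOC).
INTERPRETER = re.compile(r"(^|/)(python[0-9.]*|osascript|bash|sh|zsh|curl|node)$")
# Writable locations where Apple never installs agents.
SUSPICIOUS_DIRS = ("/tmp/", "/private/tmp/", "/var/folders/", "/Users/Shared/")


def assess_launch_agent(path: Path) -> list[str]:
    """Return the reasons a single LaunchAgent plist looks suspicious (empty if none)."""
    try:
        with path.open("rb") as fh:
            plist = plistlib.load(fh)
    except Exception as exc:  # malformed or non-plist file
        return [f"unparseable plist: {exc}"]
    reasons: list[str] = []
    if path.name == KNOWN_BAD_FILENAME:
        reasons.append("file name matches the LazarOps Stage 3 persistence plist")
    label = str(plist.get("Label", ""))
    # Genuine Apple agents live under /System/Library; a com.apple.* label in a
    # user's ~/Library/LaunchAgents is masquerading.
    if label.startswith("com.apple.") and not str(path).startswith("/System/"):
        reasons.append(f"Apple-style label {label!r} outside /System")
    args = [str(a) for a in plist.get("ProgramArguments", [])]
    program = str(plist.get("Program") or (args[0] if args else ""))
    if INTERPRETER.search(program):
        reasons.append(f"agent launches an interpreter: {program}")
    if any(d in part for part in [program, *args] for d in SUSPICIOUS_DIRS):
        reasons.append("program or arguments reference a temp/shared directory")
    if reasons and plist.get("RunAtLoad"):
        reasons.append("RunAtLoad is set (starts at every login)")
    return reasons


def scan_launch_agents(directory: Path) -> dict[str, list[str]]:
    """Assess every *.plist in `directory`; map file name -> reasons for flagged ones."""
    findings: dict[str, list[str]] = {}
    for plist_path in sorted(directory.glob("*.plist")):
        reasons = assess_launch_agent(plist_path)
        if reasons:
            findings[plist_path.name] = reasons
    return findings


def make_sample_launch_agents() -> Path:
    """Constructed sample: a throwaway Library/LaunchAgents folder holding one
    ordinary agent and one shaped like the Stage 3 persistence described above.
    The script location under /Users/Shared is invented for the sample."""
    root = Path(tempfile.mkdtemp()) / "Library" / "LaunchAgents"
    root.mkdir(parents=True)
    benign = {"Label": "com.example.updater",
              "Program": "/Applications/Example.app/Contents/MacOS/updater",
              "RunAtLoad": True}
    lookalike = {"Label": "com.apple.service",
                 "ProgramArguments": ["/usr/bin/python3", "/Users/Shared/.cache/any3.py"],
                 "RunAtLoad": True, "KeepAlive": True}
    (root / "com.example.updater.plist").write_bytes(plistlib.dumps(benign))
    (root / KNOWN_BAD_FILENAME).write_bytes(plistlib.dumps(lookalike))
    return root


if __name__ == "__main__":
    # On a real host point this at Path.home() / "Library" / "LaunchAgents".
    for name, why in scan_launch_agents(make_sample_launch_agents()).items():
        print(name, "->", "; ".join(why))
```

The checks are deliberately layered: the file name catches this exact campaign, while the label, interpreter and path heuristics still fire if a future variant renames the plist.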

The Persona Behind the Campaign
The LinkedIn recruiter persona “Wilker Cuenun Buitrago” was entirely fabricated.
A reverse image search revealed the photo was stolen from Florent Champigny, a real developer affiliated with BeReal. Public records and published content confirmed that the identity was misappropriated for malicious purposes.

Methodology: How We Traced the Campaign
Security Joes employed a combination of GitHub code search, contributor analysis, and commit timeline forensics to uncover additional weaponized repositories. The investigative process included:
- Searching for Base64-encoded domain tokens such as aHR0cDovL2Zhc2hkZWZpLnN0b3Jl
- Pivoting on commit authors, timestamps, and injection patterns
- Cross-referencing LinkedIn profiles and GitHub activity to identify throwaway or hijacked accounts
- Classifying each repository as Rogue, Compromised Legitimate, or Victim Cleanup Observed
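The token search in the first step above has a subtlety: Base64 encodes three bytes as four characters, so the encoded form of an embedded string depends on its byte offset modulo 3, and a single token such as aHR0cDovL2Zhc2hkZWZpLnN0b3Jl only matches when the URL starts on a three-byte boundary. The Python below is an added example, not part of the original investigation: it derives all three alignment variants of an indicator so a code search or grep catches every placement, and checks itself against Base64 text built at each alignment.

```python
from __future__ import annotations

import base64

# Indicator from the write-up, in its un-defanged search form.
C2_URL_PREFIX = b"http://fashdefi.store"


def base64_search_variants(needle: bytes) -> set[str]:
    """All substrings that can represent `needle` inside Base64 text.

    For each offset (0, 1, 2) we prepend that many zero bytes, encode, then
    drop the leading characters that mix in the prefix and, when the last
    3-byte group is incomplete, the trailing character that mixes in
    whatever byte follows the string in the real container.
    """
    variants: set[str] = set()
    leading = {0: 0, 1: 2, 2: 3}  # characters contaminated by the zero prefix
    for offset in range(3):
        enc = base64.b64encode(b"\x00" * offset + needle).decode().rstrip("=")
        enc = enc[leading[offset]:]
        if (offset + len(needle)) % 3:  # last group incomplete -> last char ambiguous
            enc = enc[:-1]
        variants.add(enc)
    return variants


def covers_all_alignments(needle: bytes, variants: set[str]) -> bool:
    """Self-check: embed `needle` at each of the three alignments inside filler
    and confirm that one of the variants is a substring of the Base64 result."""
    for pad in range(3):
        container = base64.b64encode(b"#" * pad + needle + b"#trailing").decode()
        if not any(v in container for v in variants):
            return False
    return True


if __name__ == "__main__":
    # Feed these strings to GitHub code search, or grep them over a clone.
    for v in sorted(base64_search_variants(C2_URL_PREFIX)):
        print(v)
```

Searching for the bare domain fashdefi.store rather than the full URL gives a different set of three variants, so generate variants for each form of the indicator you expect to appear in source.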
GitHub as an Attack Surface
The AI-healthcare repository was not an isolated case. At least nine other public repositories were found referencing the same hxxp://*[.]store:6168/defy/v* C2 paths. These repositories often mirrored common themes such as NFT marketplaces, AI health apps, or Web3 backends, suggesting strategic targeting.

Each infected repository aligned to one of three categories:
- Rogue: Created and fully controlled by threat actors
- Compromised Legitimate: Previously genuine projects poisoned via malicious commits
- Victim Cleanup Observed: Maintainers attempted to remove the malicious code after infection
The version numbers in the C2 paths (such as v3, v6, v11) corresponded directly to parameters used in Stage 1. This confirmed that a shared builder was used across all variants.
Campaign Patterns and Observations
From attacker infrastructure to token reuse, the campaign left behind several forensic fingerprints:
- Shared infrastructure: Domains like fashdefi[.]store and bujey[.]store were used across all repositories
- Port behavior: Use of port 1224 for HTTP fetches and port 6168 for malware delivery
- Token reuse: Identical MongoDB strings and API keys were embedded across multiple payloads
- Disposable identities: Most commits came from accounts that were either newly created or later deleted
- Victim themes: Projects focused on AI, NFT, AR fashion, and crypto-backed platforms
- Recruitment lure scale: LinkedIn messages and InMails suggested that over 200 developers were targeted across EMEA and APAC regions
Infrastructure and Tooling
The attack infrastructure was engineered for resilience and reach:
- Primary C2 domains: fashdefi[.]store, bujey[.]store
- Ports: 1224 for initial fetch, 6168 for deeper stage navigation
- Fallback: Pastebin URL lists embedded in Stage 1
- Delivery platforms: LinkedIn recruiter profiles and disposable GitHub accounts
All payloads used consistent sType and qType values, revealing a pattern that defenders can use to identify or block future variants.
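The port and path regularities listed in this section translate directly into proxy-log detection. The Python below is an added example, not Security Joes' detection content: it matches the hosts, IPs and the :1224/payload and :6168/defy/v<N> URL shapes from this post over a constructed sample log, and additionally flags a Pastebin raw fetch by a client that has already touched the infrastructure, mirroring the Stage 1 fallback behaviour. The log line format and the Pastebin path are invented for the sample.

```python
from __future__ import annotations

import re
from urllib.parse import urlsplit

# Indicators from the write-up (defanged there), in matchable form.
C2_HOSTS = {"fashdefi.store", "bujey.store"}
C2_IPS = {"144.172.104.113", "95.164.17.24"}
# Path shapes reported: Stage 1 fetch on :1224/payload/<n>/<n>, later stages on :6168/defy/v<N>.
PAYLOAD_PATH = re.compile(r"^/payload/\d+/\d+")
DEFY_PATH = re.compile(r"^/defy/v\d+")

# Constructed sample proxy log: "<utc-time> <client> <method> <url> <status>".
# The Pastebin path is a placeholder, not an observed indicator.
SAMPLE_LOG = """\
2025-07-14T10:22:05Z 10.0.0.5 GET http://144.172.104.113:1224/payload/3/726 200
2025-07-14T10:22:09Z 10.0.0.5 GET https://pastebin.com/raw/SAMPLE0001 200
2025-07-14T10:22:11Z 10.0.0.5 GET http://fashdefi.store:6168/defy/v3 200
2025-07-14T10:22:15Z 10.0.0.7 GET https://registry.npmjs.org/express 200
2025-07-14T10:23:01Z 10.0.0.5 POST http://bujey.store:6168/defy/v7 200
"""


def classify_url(url: str) -> list[str]:
    """Reasons a single URL matches the LazarOps infrastructure pattern."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    try:
        port = parts.port
    except ValueError:  # malformed port in the URL
        port = None
    reasons: list[str] = []
    if host in C2_HOSTS or host in C2_IPS:
        reasons.append(f"known indicator {host}")
    if port == 1224 and PAYLOAD_PATH.match(parts.path):
        reasons.append("Stage 1 fetch shape :1224/payload/<n>/<n>")
    if port == 6168 and DEFY_PATH.match(parts.path):
        reasons.append("staging shape :6168/defy/v<N>")
    elif port == 6168 and host.endswith(".store"):
        reasons.append("'.store' domain on port 6168 (pattern, not exact IOC)")
    return reasons


def scan_proxy_log(text: str) -> list[dict]:
    """Flag matching requests, plus Pastebin raw fetches from a client that
    already contacted the infrastructure (the Stage 1 fallback behaviour)."""
    alerts: list[dict] = []
    tainted_clients: set[str] = set()
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 5:
            continue
        ts, client, method, url, _status = fields[:5]
        reasons = classify_url(url)
        host = (urlsplit(url).hostname or "").lower()
        if not reasons and client in tainted_clients and host == "pastebin.com" and "/raw/" in url:
            reasons.append("Pastebin raw fetch after C2 contact (fallback list)")
        if reasons:
            tainted_clients.add(client)
            alerts.append({"time": ts, "client": client, "method": method,
                           "url": url, "reasons": reasons})
    return alerts


if __name__ == "__main__":
    for a in scan_proxy_log(SAMPLE_LOG):
        print(a["time"], a["client"], a["url"], "->", "; ".join(a["reasons"]))
```

The shape-based rules (port plus path prefix) are what survive a domain rotation; the exact host and IP matches are there for the infrastructure known today.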
Threat Actor Accounts: Notable Examples
Several GitHub accounts were instrumental in staging the attack:
- github[.]com/quyctd/nft: Contained a single malicious commit during repository initialization
- github[.]com/code-top-star/NFT-MVP: Two commits, both embedding C2 tokens
- github[.]com/ChethaniSaumya/mvp: Obfuscated C2 added in .env
- github[.]com/dressx-company/MVP: Infected by users like yesiviola, izoriianika66, Pandsdev
- github[.]com/superdev2693/real-estate, github[.]com/MADHURANGA-SKP/Demo-project-FVR: Stage 1 injected and later cleaned up
- github[.]com/zinping/Healthcare: Theme overlap with AI-healthcare lure
- github[.]com/Dev-Oud/BackendPolygon-Project: Compromised legitimate project
MITRE ATT&CK Techniques Observed
| Tactic | Technique | ID |
|---|---|---|
| Initial Access | Spearphishing via Social Media | T1566.004 |
| Execution | User-Executed Malware triggered via build tools | T1204.002 |
| Persistence | macOS Launch Agent | T1543.001 |
| Credential Access | Dumping Git credentials and browser stores | T1003 |
| Command and Control | HTTP traffic over non-standard ports | T1071.001 |
| C2 Channel Staging | Multi-Stage Malware | T1104 |
| Exfiltration | Data transfer via HTTP POST | T1041 |
Indicators of Compromise
IP Addresses
144[.]172[.]104[.]113
95[.]164[.]17[.]24
Domains and URLs
fashdefi[.]store:6168/defy/v3
fashdefi[.]store:6168/defy/v6
fashdefi[.]store:6168/defy/v7
fashdefi[.]store:6168/defy/v9
fashdefi[.]store:6168/defy/v11
bujey[.]store:6168/defy/v7
File Hashes (SHA256)
Stage 1: a67d395649202fe3149df6c7e37762426dd5c040ece02a0a9350e7b805460e23
Stage 2: c7b94abad45944a642d8bc674e8ce8cd768f30bb6e306c2534a9d9e76d1eae4f
Stage 3: c40d758857fe8b3e266d4c823689020b046b8a153a7f2d92581569bae8ceddcf
Auxiliary: ffed818b35b249db723741d3ec1cb7bc5a8e3e47821feb030d4a424717cd670e
Strategic Implications
The Lazarus Group continues to evolve its access strategies. By blending social engineering with GitHub-based malware delivery, they are directly targeting the software supply chain and the developers who power it. This campaign demonstrates that developer trust workflows are increasingly being abused by state-backed actors pursuing financial and espionage goals.
Conclusion
Operation Silent Recruiter exposed a focused effort by Lazarus to compromise Web3 developers through weaponized GitHub repositories. Their methods combined social engineering, multi-stage malware, and disposable infrastructure. The breadth and automation of the campaign indicate a highly scalable model that could evolve quickly.
Security Joes continues to work with victims, platform providers, and law enforcement to support mitigation, attribution, and infrastructure takedown. If your organization was affected or you would like access to the full evidence bundle, contact our incident response team directly.