North Korea’s notorious Lazarus Group is using an advanced malicious implant to target cryptocurrency wallets and is spreading it via a legitimate GitHub profile and possibly through npm packages.
The ongoing campaign, dubbed Operation Marstech Mayhem, is the latest example of a threat group using open-source code repositories like GitHub, npm, and the Python Package Index (PyPI) in software supply chain attacks to spread malicious code, hoping that developers will inadvertently include it in their software and pass it on to downstream users.
It also “exposes a critical evolution in the Lazarus Group’s supply chain attacks, demonstrating not only their commitment to operational stealth but also significant adaptability in implant development,” according to researchers with SecurityScorecard, who have been tracking the campaign over the past few months.
The JavaScript malware uses multiple obfuscation techniques and novel command-and-control (C2) infrastructure that operates on unusual ports and hosts unique Node.js Express backends, a break from previous Lazarus campaigns such as Operation 99 and Phantom Circuit.
An Evolutionary Step for Lazarus
SecurityScorecard researchers last month wrote about Operation 99, a fake recruitment scheme aimed at developers looking for freelance jobs in the crypto and Web3 sector. Operation Marstech Mayhem is a step beyond that, they wrote in a report.
“This divergence in operational methodology not only complicates detection but also suggests that the Lazarus Group is continuously refining their techniques to exploit vulnerabilities in modern software supply chains, including the targeting of cryptocurrency wallets and tampering with browser extension configurations,” they wrote.
The latest version of the implant is Marstech1, which the researchers wrote was embedded in the code of a GitHub repository belonging to a profile called “SuccessFriend.” They believe the profile is operated by Lazarus Group and note that it publishes both legitimate and malicious software.
At the same time, they suspect the threat group also is spreading the malware through genuine npm packages that are aimed, again, at project developers in the crypto and Web3 sector.
A New, Ongoing Threat
The Marstech1 implant first emerged in late December 2024 from a C2 server hosted at Stark Industries. It cropped up again last month; beyond those two occurrences, SecurityScorecard describes “limited targeted attacks on the supply; it has not surfaced elsewhere.” It has claimed almost 240 victims in the United States and elsewhere.
Marstech1 searches Chromium-based browser directories across multiple operating systems and modifies browser configuration files, most importantly those of the MetaMask extension, a popular crypto wallet. It then looks for Exodus and Atomic crypto wallets on Linux, macOS, and Windows systems. The implant steals sensitive data and cryptocurrency from the target directories.
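Because the implant's reported behavior is to alter files inside the MetaMask extension directory and the Exodus and Atomic wallet data directories, a simple defensive control is to baseline those directories and alert on any change. The script below is an added example written for this article, not SecurityScorecard's or any wallet vendor's tooling. The default paths and the MetaMask Chrome extension ID are assumptions based on standard installs (Chrome's default profile only; Brave, Edge and custom profiles would need their own entries), and `demo_tamper_detection()` runs the check against a constructed temporary directory so it can be exercised offline.

```python
"""Baseline-and-verify check for the wallet and browser-extension directories
that Marstech1 is reported to tamper with. Added example, not vendor tooling."""
import hashlib
import json
import os
import platform
import sys
import tempfile
from pathlib import Path

# MetaMask's Chrome Web Store extension ID (well known; verify against your install).
METAMASK_EXT_ID = "nkbihfbeogaeaoehlefnkodbefgpgknn"


def candidate_paths(system: str, home) -> list:
    """Assumed default locations for MetaMask (Chrome default profile) plus the
    Exodus and Atomic wallet data directories on Windows, macOS and Linux."""
    home = Path(home)
    if system == "Windows":
        local = Path(os.environ.get("LOCALAPPDATA", home / "AppData" / "Local"))
        roaming = Path(os.environ.get("APPDATA", home / "AppData" / "Roaming"))
        return [local / "Google/Chrome/User Data/Default/Extensions" / METAMASK_EXT_ID,
                roaming / "Exodus", roaming / "atomic"]
    if system == "Darwin":
        app = home / "Library/Application Support"
        return [app / "Google/Chrome/Default/Extensions" / METAMASK_EXT_ID,
                app / "Exodus", app / "atomic"]
    cfg = home / ".config"
    return [cfg / "google-chrome/Default/Extensions" / METAMASK_EXT_ID,
            cfg / "Exodus", cfg / "atomic"]


def snapshot(root: Path) -> dict:
    """Map every file under root (as a relative POSIX path) to its SHA-256."""
    out = {}
    if not root.is_dir():
        return out
    for p in sorted(root.rglob("*")):
        if p.is_file():
            out[p.relative_to(root).as_posix()] = hashlib.sha256(p.read_bytes()).hexdigest()
    return out


def diff_snapshots(baseline: dict, current: dict) -> dict:
    """Report files that appeared, disappeared or changed hash since the baseline."""
    return {
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
        "modified": sorted(k for k in baseline.keys() & current.keys()
                           if baseline[k] != current[k]),
    }


def check_host(baseline_file: Path) -> dict:
    """Compare the live directories with a stored JSON baseline; the first run
    only writes the baseline and returns an empty report."""
    paths = candidate_paths(platform.system(), Path.home())
    current = {str(p): snapshot(p) for p in paths}
    if not baseline_file.exists():
        baseline_file.write_text(json.dumps(current, indent=1))
        return {}
    baseline = json.loads(baseline_file.read_text())
    return {k: diff_snapshots(baseline.get(k, {}), v) for k, v in current.items()}


def demo_tamper_detection() -> dict:
    """Constructed scenario: a fake extension directory is baselined, then one
    file is edited and one is dropped in, the way a config-tampering implant would."""
    with tempfile.TemporaryDirectory() as tmp:
        ext = Path(tmp) / "Extensions" / METAMASK_EXT_ID / "11.0.0_0"
        ext.mkdir(parents=True)
        (ext / "manifest.json").write_text('{"name": "MetaMask", "version": "11.0.0"}')
        (ext / "background.js").write_text("// constructed placeholder\n")
        before = snapshot(ext)
        (ext / "background.js").write_text("// constructed placeholder\n// altered line\n")
        (ext / "injected.js").write_text("// constructed placeholder, not a real payload\n")
        return diff_snapshots(before, snapshot(ext))


if __name__ == "__main__":
    report = check_host(Path(sys.argv[1] if len(sys.argv) > 1 else "wallet-baseline.json"))
    for root, d in report.items():
        if any(d.values()):
            print(root, json.dumps(d))
```

Run it once to record the baseline, then on a schedule; legitimate extension or wallet updates will also show up as changes, so the baseline has to be refreshed after each known-good update.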
Such campaigns are common with Lazarus Group and other threat actors backed by the North Korean government, which uses the money to bypass international sanctions and finance its nuclear and other weapons programs. According to blockchain analysis company Chainalysis, North Korea-based threat groups stole $1.34 billion in crypto last year.
Obfuscation and Evasion
To evade detection when embedded into a software project, Marstech1 includes a number of obfuscation techniques, including Base64 string encoding, random variable and function names, control flow flattening and self-invoking functions, and splitting and recombining strings.
To further avoid static and dynamic analysis, Marstech1 uses a two-step process that includes Base85 encoding and XOR decryption.
The researchers also wrote about anti-analysis code that “employs one-time execution wrappers and console hijacking techniques to complicate both static and dynamic analysis. The one-time wrappers allow critical functions to run only once, immediately nulling the callback afterward so that subsequent calls yield no effect. This prevents analysts from repeatedly invoking or modifying key functions during debugging or automated analysis. Additionally, a self-referential check examines the function’s own string representation, a tactic intended to detect tampering or reverse engineering attempts.”
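The obfuscation and anti-analysis tricks listed in the three paragraphs above (Base64 and Base85 string encoding, string splitting and recombination, self-invoking functions, XOR decoding, one-time execution wrappers that null their callback, console hijacking, and the function-`toString()` self-check) are all visible in source and can be flagged before a package is installed. The scanner below is an added example, not SecurityScorecard's tooling: the indicator names and regexes are this example's own heuristics, the `_0x...` identifier pattern is the convention of a common JavaScript obfuscator rather than anything the article attributes to Marstech1, and `CONSTRUCTED_SAMPLE` is a made-up snippet that exhibits each pattern once.

```python
"""Heuristic scanner for obfuscation and anti-analysis patterns in JavaScript
packages. Added example for pre-install review; hits are review prompts, not
verdicts, because minified legitimate code triggers some of them too."""
import re
import sys
from pathlib import Path

INDICATORS = {
    # (function(){ ... })() wrappers
    "self_invoking_function": re.compile(r"\(\s*function\b[\s\S]*?\}\s*\)\s*\(\s*\)"),
    # atob(...) or Buffer.from(x, 'base64')
    "base64_decode": re.compile(r"\batob\s*\(|\.from\s*\(\s*[^,)]+,\s*['\"]base64['\"]\s*\)"),
    # long whitespace-free literal: typical of Base85/Base64 packed payloads
    "packed_string_blob": re.compile(r"['\"][^'\"\s]{60,}['\"]"),
    # charCodeAt(...) ^ key, the usual shape of an XOR decoding loop
    "xor_decode_loop": re.compile(r"charCodeAt\s*\([^)]*\)\s*\^|\^\s*[\w.]+\.charCodeAt"),
    # reassigning console methods to silence or intercept logging
    "console_hijack": re.compile(r"\bconsole\.(?:log|warn|error|info|debug|table)\s*="),
    # call a function, then set the same name to null (one-time execution wrapper)
    "one_time_wrapper": re.compile(r"\b(\w+)\s*\([^)]*\)[^;]*;\s*\1\s*=\s*null\b"),
    # inspecting a function's own source text for tampering
    "self_reference_check": re.compile(
        r"\.toString\s*\(\s*\)\s*\.\s*(?:indexOf|includes|match|search)\b"
        r"|\bString\s*\(\s*\w+\s*\)\s*\.\s*(?:indexOf|includes)\b"),
    # ['a','b','c'].join('') style string recombination
    "string_recombination": re.compile(
        r"\[\s*(?:['\"][^'\"]*['\"]\s*,\s*){2,}['\"][^'\"]*['\"]\s*\]\s*\.\s*(?:join|reverse)\b"),
    # identifier style emitted by a common JavaScript obfuscator (heuristic)
    "obfuscator_identifier": re.compile(r"\b_0x[0-9a-f]{4,}\b"),
}

# Constructed input, one pattern per line; not real malware.
CONSTRUCTED_SAMPLE = """\
(function () {
  var k = 'aGVsbG8gd29ybGQ=';
  var s = Buffer.from(k, 'base64').toString();
})();
console.log = function () {};
function once(cb) { var f = cb; return function () { var r = f(); f = null; return r; }; }
function init() { return 1; }
if (init.toString().indexOf('debugger') !== -1) { process.exit(1); }
var host = ['ht', 'tp', 's://', 'example', '.test'].join('');
for (var i = 0; i < blob.length; i++) { out += String.fromCharCode(blob.charCodeAt(i) ^ 0x2a); }
var _0x4f2a = 'x';
var packed = 'A1b2C3d4E5f6G7h8I9j0K1l2M3n4O5p6Q7r8S9t0U1v2W3x4Y5z6A7b8C9d0E1f2G3h4I5j6K7l8M9n0';
"""


def scan_source(src: str) -> list:
    """Return one hit per indicator match, with its 1-based line and a snippet."""
    lines = src.splitlines()
    hits = []
    for name, rx in INDICATORS.items():
        for m in rx.finditer(src):
            line = src.count("\n", 0, m.start()) + 1
            hits.append({"indicator": name, "line": line,
                         "snippet": lines[line - 1].strip()[:80]})
    return sorted(hits, key=lambda h: (h["line"], h["indicator"]))


def scan_package(root: Path) -> dict:
    """Scan every .js/.cjs/.mjs file under an unpacked package directory."""
    report = {}
    for p in sorted(root.rglob("*")):
        if p.is_file() and p.suffix in {".js", ".cjs", ".mjs"}:
            hits = scan_source(p.read_text(encoding="utf-8", errors="replace"))
            if hits:
                report[p.relative_to(root).as_posix()] = hits
    return report


if __name__ == "__main__":
    if len(sys.argv) > 1:
        results = scan_package(Path(sys.argv[1]))
    else:
        results = {"<constructed sample>": scan_source(CONSTRUCTED_SAMPLE)}
    for path, hits in results.items():
        for h in hits:
            print(f"{path}:{h['line']}: {h['indicator']}  {h['snippet']}")
```

Point it at an unpacked tarball (`npm pack` followed by extraction) rather than at an installed `node_modules` tree, so that install scripts never run before the review; a single hit on minified vendor code is normal, while several distinct indicators in one small file deserve a manual look.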
Operation Marstech Mayhem should serve as a “stark reminder that the landscape of cyber threats is rapidly evolving,” they wrote, adding that the integration of the implant in legitimate GitHub repositories and their “subsequent embedding in trusted software packages [pose] a significant risk to both developers and end-users alike.”
Given the advanced anti-debugging defenses and self-modifying code that Marstech1 uses to thwart real-time analysis, developers and organizations need to become even more vigilant against malicious behavior and develop security frameworks for supply chain management, the researchers wrote.