North Korea Targets Crypto Devs Through NPM Packages

February 20, 2026

Researchers have uncovered a highly sophisticated North Korean campaign to covertly distribute crypto-stealing malware via open source components.

SecurityScorecard said in a blog post published this morning that it suspects the infamous Lazarus Group of being behind the live campaign, dubbed Operation Marstech Mayhem. It has already claimed over 230 victims in the US, Europe and Asia.

It traced a new “Marstech1” implant back to the “SuccessFriend” GitHub profile, which has been committing malicious as well as genuine software to the developer platform since July 2024.

However, SecurityScorecard claimed the same actor is also spreading the malware via npm packages, which are popular among crypto and Web3 project developers.


Marstech1 scans systems for MetaMask, Exodus and Atomic wallets, modifying browser configuration files to inject silent payloads that can intercept transactions, SecurityScorecard said.

The risk is that developers may include it in legitimate software, potentially exposing millions of downstream users.

This is made more likely by the various efforts Lazarus has gone to in order to avoid static and dynamic analysis of Marstech1, including Base85 encoding and XOR decryption.

These techniques differ slightly from a previous iteration of the malicious JavaScript, which was observed in two attacks in late 2024 and January 2025.

This latest iteration used other techniques to ensure the malware would go unnoticed and slip into the software supply chain, including:

  • Control flow flattening and self-invoking functions
  • Random variable and function names
  • Base64 string encoding
  • Anti-debugging (anti-tampering checks)
  • Splitting and recombining strings
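
For teams vetting npm dependencies, the traits listed above can be turned into a first-pass static check. The following is an added example, not code from SecurityScorecard's report or from the malware: the regex patterns, weights, threshold and both sample inputs are assumptions constructed for illustration.

```javascript
// Static heuristics, one per obfuscation trait named in the list above.
// Patterns, weights and threshold are illustrative assumptions, not report data.
const INDICATORS = [
  { name: 'control-flow-flattening', weight: 3, // endless loop driving a switch dispatcher
    hit: (s) => /(?:while\s*\(\s*(?:true|!!\[\]|1)\s*\)|for\s*\(\s*;\s*;\s*\))\s*\{\s*switch\s*\(/.test(s) },
  { name: 'self-invoking-function', weight: 1, // also common in benign bundles, so low weight
    hit: (s) => /(?:^|[^\w$)\]])\s*[(!]\s*(?:async\s+)?(?:function\b|\([^)]*\)\s*=>)/.test(s) },
  { name: 'random-identifiers', weight: 2, // _0x... names typical of commodity obfuscators
    hit: (s) => (s.match(/\b_0x[0-9a-f]{4,}\b/gi) || []).length >= 3 },
  { name: 'base64-string', weight: 2, // long literal using only the Base64 alphabet
    hit: (s) => /(['"])[A-Za-z0-9+/]{40,}={0,2}\1/.test(s) },
  { name: 'anti-debugging', weight: 2, // debugger statements used as tamper traps
    hit: (s) => /\bdebugger\b/.test(s) },
  { name: 'split-strings', weight: 2, // four or more short fragments joined with +
    hit: (s) => /(?:(['"])[^'"\\]{1,6}\1\s*\+\s*){3,}(['"])[^'"\\]{1,6}\2/.test(s) },
];

const REVIEW_THRESHOLD = 4; // assumed cut-off: one strong signal plus any other

// Returns the indicators that fired, their summed weight, and a review flag.
function analyze(source) {
  const hits = INDICATORS.filter((i) => i.hit(source));
  const score = hits.reduce((sum, i) => sum + i.weight, 0);
  return { hits: hits.map((i) => i.name), score, flagged: score >= REVIEW_THRESHOLD };
}

// Constructed, harmless sample that only imitates the shape of obfuscated code.
const SAMPLE_SUSPICIOUS = [
  "(function(_0x1a2b, _0x3c4d){",
  "  var _0x5e6f = 'co' + 'nf' + 'ig' + '.j' + 'son';",
  "  var _0x7a8b = 'Y29uc29sZS5sb2coImNvbnN0cnVjdGVkIHNhbXBsZSBvbmx5Iik7Cg==';",
  "  var _0x9c0d = '2|0|1'.split('|'), i = 0;",
  "  while (true) { switch (_0x9c0d[i++]) { case '0': debugger; continue; } break; }",
  "})();",
].join('\n');

// Constructed benign module for comparison.
const SAMPLE_BENIGN = [
  "function add(a, b) {",
  "  return a + b;",
  "}",
  "module.exports = { add };",
].join('\n');

console.log(analyze(SAMPLE_SUSPICIOUS), analyze(SAMPLE_BENIGN));
```

A flagged file is a prompt for manual review, not a verdict: minified but legitimate bundles can trip several of these patterns.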

Lazarus Adapts Operations

In a sign of its growing sophistication, Lazarus Group is also adapting its infrastructure to throw security researchers off the scent.

The group is now using port 3000 for command-and-control (C2) communications, instead of ports 1224 and 1245, and is using Node.js Express backends instead of React-based control panels, the report noted.

“Operation Marstech Mayhem exposes a critical evolution in the Lazarus Group’s supply chain attacks, demonstrating not only their commitment to operational stealth but also significant adaptability in implant development,” said SecurityScorecard SVP of threat research and intelligence, Ryan Sherstobitoff.

“It serves as a stark reminder that the landscape of cyber-threats is rapidly evolving. It is imperative for organizations and developers to adopt proactive security measures, continuously monitor supply chain activities and integrate advanced threat intelligence solutions to mitigate the risk of sophisticated implant-based attacks orchestrated by threat actors like the Lazarus Group.”
