Introduction

The Lazarus Group [1] [2] [3] [4] [5] [6] [7] [9] [10] [11] [12] [13], a North Korean state-sponsored hacking organization [2], has launched a sophisticated cyber attack campaign known as “Operation 99.” This campaign specifically targets software developers through fraudulent job postings on platforms like LinkedIn, aiming to exploit high-growth sectors within the Web3 and cryptocurrency industries.

Description

The Lazarus Group [1] [2] [3] [4] [5] [6] [7] [9] [10] [11] [12] [13], a North Korean state-sponsored hacking organization [2], is executing a sophisticated cyber attack campaign known as “Operation 99,” specifically targeting software developers through fraudulent job postings on platforms like LinkedIn. By posing as recruiters offering enticing freelance opportunities [6], they deceive developers into downloading malicious content [6], often utilizing fake profiles. Discovered on January 9, 2025 [9], this initiative aims to exploit high-growth sectors within the booming Web3 and cryptocurrency industries by enticing developers to clone a malicious GitHub repository named “coin promoting Webapp.” Executing the code from this repository connects the victim’s machine to command-and-control (C2) servers operated by Stark Industries Solutions Ltd., initiating data-stealing activities across various operating systems [6], including Windows [4] [6] [7], macOS [1] [3] [4] [5] [6] [7] [8], and Linux [1] [3] [4] [5] [6] [7] [8].

Operation 99 employs a modular framework with various payloads, including Main99, which functions as a downloader for additional harmful software [9], and Main5346 [7] [8], which collects system data and maintains persistent connections to C2 servers [7]. Notable payloads such as Brow99 are specifically designed to steal web browser credentials, including passwords [2] [13], while MCLIP focuses on monitoring and exfiltrating keyboard and clipboard data, indicating a financial theft motive to support the Democratic People’s Republic of Korea (DPRK) regime. The malware utilizes heavily obfuscated Python scripts and advanced encryption techniques, making detection by security systems particularly challenging [9]. Unlike previous attacks [9], Operation 99 does not self-delete after infection [9], allowing the attackers to maintain control for extended periods [9].

This campaign marks a significant evolution in the Lazarus Group’s tactics, shifting from broad phishing to targeted attacks on developers within the tech supply chain [2] [10] [13]. It builds on earlier efforts like Operation Dream Job in 2021 and DEV#POPPER, which also targeted software developers through fake job offers that delivered Trojan malware. The group’s consistent targeting of the technology job market demonstrates its understanding of the industry and its ability to adapt strategies over time [6]. Enhanced capabilities [10], such as improved malware obfuscation and credible AI-generated recruiter profiles, indicate a more sophisticated approach. By compromising developer accounts [1] [5] [8], the attackers exfiltrate valuable intellectual property and gain access to cryptocurrency wallets [1] [5] [8], facilitating direct financial theft through the targeted acquisition of private and secret keys [1] [5]. The operation has reportedly resulted in thefts of $1.34 billion in cryptocurrency in 2023 and $660 million in 2024, underscoring its financial impact.

Victims have been identified globally [10], with a notable concentration in Italy, as well as in countries such as Argentina [7], Brazil [7], France [7], Germany [7], and the US [7], highlighting the extensive reach of the operation [10]. The attack poses significant risks [9], as it targets developers and has the potential to disrupt entire projects and organizations. This initiative represents a highly effective method of supply chain attack, indirectly threatening the projects and enterprises that technology creators support.

To mitigate risks associated with Operation 99, developers are advised to verify the legitimacy of LinkedIn profiles and job offers [9], scrutinize Git repositories before cloning [9] [13], deploy advanced endpoint security solutions to detect unusual activity [13], educate themselves on social engineering tactics [9], and segregate development environments from production systems [9]. The severity of this attack is classified as medium, with various attack surfaces including email [9], messaging [9], and supply chain vulnerabilities [9]. Techniques employed include phishing, user execution [1] [8] [9], system process modification [9], obfuscated files [9], input capture [9], data extraction from local systems [9], exfiltration over command and control channels [9], and data manipulation [9]. Overall, Operation 99 serves as a critical reminder of the need for proactive cybersecurity measures within the global developer community [13].
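One practical form of the advice above to scrutinize a repository before running anything from it, as an added example that is not code from the report or from any vendor tool: a triage script that flags Python files matching the obfuscated-loader pattern described above (an encoded blob decoded and handed to exec/eval) so a developer reviews them first. The indicator regexes, the 5.0-bit entropy threshold, the file names and the two sample sources are all constructed assumptions for illustration.

```python
import math
import os
import re
from collections import Counter

# Added example, not from the report or any vendor tool: flag Python files in a
# cloned repo that decode a blob and hand it to exec/eval (the loader pattern
# described above) for review before anything is run. Patterns and the 5.0-bit
# entropy threshold are assumptions chosen for illustration.
DECODE_RE = re.compile(r"\b(base64\.b64decode|zlib\.decompress|marshal\.loads)\s*\(")
EXEC_RE = re.compile(r"\b(exec|eval)\s*\(")
BLOB_RE = re.compile(r'''['"]([A-Za-z0-9+/=]{200,})['"]''')  # long base64-like literal

def shannon_entropy(text: str) -> float:
    """Bits per character: 2.0 for 'abcd' repeated, close to 6 for real base64 data."""
    if not text:
        return 0.0
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in Counter(text).values())

def score_source(src: str) -> dict:
    """Indicators found in one Python source string."""
    blobs = BLOB_RE.findall(src)
    decode_then_exec = bool(DECODE_RE.search(src) and EXEC_RE.search(src))
    high_entropy_blob = max((shannon_entropy(b) for b in blobs), default=0.0) > 5.0
    return {"decode_then_exec": decode_then_exec, "encoded_blob": bool(blobs),
            "high_entropy_blob": high_entropy_blob,
            "suspicious": decode_then_exec or high_entropy_blob}

def triage_sources(sources: dict) -> list:
    """Return the paths (sorted) whose source looks like an obfuscated loader."""
    return sorted(p for p, src in sources.items() if score_source(src)["suspicious"])

def triage_repo(root: str) -> list:
    """Read every .py file under a cloned repo (skipping .git) and triage it."""
    sources = {}
    for dirpath, dirnames, filenames in os.walk(root):
        dirnames[:] = [d for d in dirnames if d != ".git"]
        for name in filenames:
            if name.endswith(".py"):
                path = os.path.join(dirpath, name)
                with open(path, encoding="utf-8", errors="replace") as fh:
                    sources[path] = fh.read()
    return triage_sources(sources)

# Constructed samples: an ordinary helper and a loader in the pattern above.
SAMPLES = {
    "app/util.py": "import json\n\ndef load(p):\n    with open(p) as f:\n        return json.load(f)\n",
    "setup_env.py": "import base64, zlib\nexec(zlib.decompress(base64.b64decode('" + "QUJD" * 60 + "')))\n",
}
```

Run `triage_repo("/path/to/clone")` on a fresh clone; a non-empty result means a human should read those files before executing anything, and a clean result is a reason for only slightly less caution, not for trust.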

Conclusion

Operation 99 represents a significant threat to the global technology sector, particularly within the Web3 and cryptocurrency industries [5] [7]. The campaign’s sophisticated tactics and extensive reach underscore the importance of robust cybersecurity measures. Developers and organizations must remain vigilant, employing advanced security solutions and maintaining awareness of social engineering tactics to mitigate potential risks. As cyber threats continue to evolve, proactive and adaptive security strategies will be essential in safeguarding valuable intellectual property and financial assets.

References

[1] https://www.msspalert.com/brief/campaign-by-north-koreas-lazarus-group-targets-freelance-software-developers
[2] https://ciso2ciso.com/lazarus-group-targets-developers-in-new-data-theft-campaign-source-www-infosecurity-magazine-com/
[3] https://www.cybaverse.co.uk/resources/lazarus-apt-north-koreas-evolving-developer-recruitment-tactics
[4] https://thecyberwire.com/podcasts/daily-podcast/2226/transcript
[5] https://lifeboat.com/blog/2025/01/lazarus-group-targets-web3-developers-with-fake-linkedin-profiles-in-operation-99
[6] https://b2bdaily.com/it/lazarus-group-exploits-linkedin-to-target-software-developers-in-malware-attack/
[7] https://cybermaterial.com/lazarus-lures-developers-to-deploy-malware/
[8] https://www.scworld.com/brief/new-lazarus-group-attack-campaign-sets-sights-on-freelance-software-developers
[9] https://provintell.com/2025/01/17/operation-99-lazarus-group-targets-developers-with-sophisticated-cyberattack/
[10] https://www.infosecurity-magazine.com/news/lazarus-developers-data-theft/
[11] https://osintcorp.net/lazarus-group-targets-web3-developers-with-fake-linkedin-profiles-in-operation-99/
[12] https://www.the420.in/top-10-daily-cybercrime-brief-by-fcrf-click-here-to-know-more-156/
[13] https://undercodenews.com/lazarus-groups-operation-99-a-targeted-campaign-against-software-developers/