Lazarus Group Deploys Marstech1 JavaScript Implant in Targeted Developer Attacks

February 15, 2025

The North Korean threat actor known as the Lazarus Group has been linked to a previously undocumented JavaScript implant named Marstech1 as part of limited targeted attacks against developers.

The active operation has been dubbed Marstech Mayhem by SecurityScorecard, with the malware delivered by means of an open-source repository hosted on GitHub that's associated with a profile named "SuccessFriend." The profile, active since July 2024, is no longer accessible on the code hosting platform.

The implant is designed to collect system information, and can be embedded within websites and NPM packages, posing a supply chain risk. Evidence shows that the malware first emerged in late December 2024. The attack has amassed 233 confirmed victims across the U.S., Europe, and Asia.

"The profile mentioned web dev skills and learning blockchain which is in alignment to the interests of Lazarus," SecurityScorecard said. "The threat actor was committing both pre-obfuscated and obfuscated payloads to various GitHub repositories."

In an interesting twist, the implant present in the GitHub repository has been found to be different from the version served directly from the command-and-control (C2) server at 74.119.194[.]129:3000/j/marstech1, indicating that it may be under active development.

Its chief responsibility is to search across Chromium-based browser directories in various operating systems and alter extension-related settings, particularly those related to the MetaMask cryptocurrency wallet. It's also capable of downloading additional payloads from the same server on port 3001.

Some of the other wallets targeted by the malware include Exodus and Atomic on Windows, Linux, and macOS. The captured data is then exfiltrated to the C2 endpoint "74.119.194[.]129:3000/uploads."

"The introduction of the Marstech1 implant, with its layered obfuscation techniques — from control flow flattening and dynamic variable renaming in JavaScript to multi-stage XOR decryption in Python — underscores the threat actor's sophisticated approach to evading both static and dynamic analysis," the company said.

The disclosure comes as Recorded Future revealed that at least three organizations in the broader cryptocurrency space, a market-making company, an online casino, and a software development company, were targeted as part of the Contagious Interview campaign between October and November 2024.

The cybersecurity firm is tracking the cluster under the name PurpleBravo, stating the North Korean IT workers behind the fraudulent employment scheme are behind the cyber espionage threat. It's also tracked under the names CL-STA-0240, Famous Chollima, and Tenacious Pungsan.

"Organizations that unknowingly hire North Korean IT workers may be in violation of international sanctions, exposing themselves to legal and financial repercussions," the company said. "More critically, these workers almost certainly act as insider threats, stealing proprietary information, introducing backdoors, or facilitating larger cyber operations."