Lazarus Group Deploys Marstech1 JavaScript Implant in Targeted Developer Attacks
The North Korean threat actor known as the Lazarus Group has been linked to a previously undocumented JavaScript implant named Marstech1 as part of limited targeted attacks against developers.
The active operation has been dubbed Marstech Mayhem by SecurityScorecard, with the malware delivered by means of an open-source repository hosted on GitHub that's associated with a profile named "SuccessFriend." The profile, active since July 2024, is no longer accessible on the code hosting platform.
The implant is designed to collect system information, and can be embedded within websites and NPM packages, posing a supply chain risk. Evidence shows that the malware first emerged in late December 2024. The attack has amassed 233 confirmed victims across the U.S., Europe, and Asia.
"The profile mentioned web dev skills and learning blockchain which is in alignment to the interests of Lazarus," SecurityScorecard said. "The threat actor was committing both pre-obfuscated and obfuscated payloads to various GitHub repositories."
In an interesting twist, the implant present in the GitHub repository has been found to be different from the version served directly from the command-and-control (C2) server at 74.119.194[.]129:3000/j/marstech1, indicating that it may be under active development.
Its chief responsibility is to search across Chromium-based browser directories in various operating systems and alter extension-related settings, particularly those related to the MetaMask cryptocurrency wallet. It's also capable of downloading additional payloads from the same server on port 3001.
Some of the other wallets targeted by the malware include Exodus and Atomic on Windows, Linux, and macOS. The captured data is then exfiltrated to the C2 endpoint "74.119.194[.]129:3000/uploads."
"The introduction of the Marstech1 implant, with its layered obfuscation techniques — from control flow flattening and dynamic variable renaming in JavaScript to multi-stage XOR decryption in Python — underscores the threat actor's sophisticated approach to evading both static and dynamic analysis," the company said.
The disclosure comes as Recorded Future revealed that at least three organizations in the broader cryptocurrency space, a market-making company, an online casino, and a software development company, were targeted as part of the Contagious Interview campaign between October and November 2024.
The cybersecurity firm is tracking the cluster under the name PurpleBravo, stating the North Korean IT workers behind the fraudulent employment scheme are behind the cyber espionage threat. It's also tracked under the names CL-STA-0240, Famous Chollima, and Tenacious Pungsan.
"Organizations that unknowingly hire North Korean IT workers may be in violation of international sanctions, exposing themselves to legal and financial repercussions," the company said. "More critically, these workers almost certainly act as insider threats, stealing proprietary information, introducing backdoors, or facilitating larger cyber operations."
CVE-2025-22224 VMware ESXi and Workstation TOCTOU Race Condition Vulnerability
CVE-2025-2783 Google Chromium Mojo Sandbox Escape Vulnerability
CVE-2020-29574 CyberoamOS (CROS) SQL Injection Vulnerability
CVE-2022-43769 Hitachi Vantara Pentaho BA Server Special Element Injection Vulnerability
CVE-2022-43939 Hitachi Vantara Pentaho BA Server Authorization Bypass Vulnerability
CVE-2018-8639 Microsoft Windows Win32k Improper Resource Shutdown or Release Vulnerability
CVE-2024-40890 Zyxel DSL CPE OS Command Injection Vulnerability
CVE-2024-49035 Microsoft Partner Center Improper Access Control Vulnerability
CVE-2017-0148 Microsoft SMBv1 Server Remote Code Execution Vulnerability
InformationalInformation Disclosure - Suspicious Comments
InformationalRe-examine Cache-control Directives
CWE-146 Improper Neutralization of Expression/Command Delimiters
CWE-1092 Use of Same Invokable Control Element in Multiple Architectural Layers
CWE-72 Improper Handling of Apple HFS+ Alternate Data Stream Path
CWE-1322 Use of Blocking Code in Single-threaded, Non-blocking Context
CWE-163 Improper Neutralization of Multiple Trailing Special Elements
Free online web security scanner