Lazarus enhances capabilities in AppleJeus cryptocurrency attack - The Asian Age

Lazarus enhances capabilities in AppleJeus cryptocurrency attack - The Asian Age

Kaspersky researchers identified significant changes to the group’s attack tactics in the ‘sequel’ operation.


In 2018 Kaspersky’s Global Research and Analysis Team (GReAT) published findings on AppleJeus – an operation aimed at stealing cryptocurrency carried out by prolific threat actor the Lazarus group. Now, new findings show that the operation continues with more careful steps from the infamous threat actor, improved tactics and procedures and the use of Telegram as one of its new attack vectors. Victims in the UK, Poland, Russia and China, including several connected to cryptocurrency business entities, were affected during the operation.


The Lazarus group is one of the most active and prolific advanced persistent threat (APT) actors, which carried out a number of campaigns targeting cryptocurrency-related organizations. During its initial 2018 AppleJeus operation, the threat actor created a fake cryptocurrency company in order to deliver their manipulated application and exploit a high level of trust among potential victims. This operation was marked by Lazarus building its first macOS malware. The application was downloaded by users from third-party websites and the malicious payload was delivered via what was disguised as a regular application update. The payload enabled the attacker to gain full control of the users’ device and steal cryptocurrency.

Kaspersky researchers identified significant changes to the group’s attack tactics in the ‘sequel’ operation. The attack vector in the 2019 attack mimicked the one from the previous year, but with some improvements. This time, Lazarus created fake cryptocurrency-related websites, which hosted links to fake organization Telegram channels and delivered malware via the messenger.


Just as in the initial AppleJeus operation, the attack consisted of two phases. Users would first download an application, and the associated downloader would fetch the next payload from a r ..

Support the originator by clicking the read the rest link below.