Silent Push Pivots into New Lazarus Group Infrastructure, Acquires Sensitive Intel Related to $1.4B ByBit Hack and Past Attacks

Silent Push analysts uncovered critical infrastructure used by the Lazarus APT Group, linking them to the historic $1.4 billion Bybit crypto heist through a recently registered domain. They identified an email connected to past attacks and noted the group’s preference for particular VPN IP addresses while exploiting fake job interviews on LinkedIn to deploy malware. Affected: Bybit, Lazarus APT Group, cryptocurrency sector, LinkedIn users

Key points:

  • Lazarus APT Group registered the domain bybit-assessment[.]com shortly before the Bybit crypto heist.
  • The email address trevorgreer9312@gmail[.]com was linked to this domain and past Lazarus Group activities.
  • 27 unique Astrill VPN IP addresses were identified in the logs of Lazarus Group.
  • Lazarus Group uses fake job interviews on LinkedIn to lure victims into downloading malware.
  • The domain registration and associated activities indicate sophisticated pre-attack planning.
  • Silent Push continues to collaborate with law enforcement to track and mitigate threats posed by Lazarus.

MITRE Techniques:

  • Credential Dumping (T1003) – Lazarus refines its methods for collecting and transmitting stolen credentials.
  • Phishing (T1566) – Fake job interviews are used as a method to compromise victims and execute malware.
  • Account Manipulation (T1070.003) – Use of domains related to the job scams to facilitate entry into victims’ accounts.
  • Command and Control (T1071) – Use of Astrill VPN for maintaining secure communication with compromised assets.

Indicators of Compromise:

  • [Domain] bybit-assessment[.]com
  • [Email Address] trevorgreer9312@gmail[.]com
  • [Domain] blockchainjobhub[.]com
  • [Domain] nvidia-release[.]org
  • [IP Address] 91.222.173[.]30
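The indicators above are published defanged (with `[.]` in place of `.`), so they cannot be dropped straight into a log search. The following added example, which is not Silent Push's code and is not taken from the original report, refangs the listed indicators and scans a few constructed DNS, proxy and mail log lines for them. The log lines and internal IP addresses are invented for the demonstration; the only real values are the indicators from the list above.

```python
import re
from typing import Dict, List, Pattern, Tuple

# Indicators exactly as published in the report above (defanged with "[.]").
IOCS_DEFANGED: Dict[str, List[str]] = {
    "domain": ["bybit-assessment[.]com", "blockchainjobhub[.]com", "nvidia-release[.]org"],
    "email": ["trevorgreer9312@gmail[.]com"],
    "ip": ["91.222.173[.]30"],
}

# Constructed sample log lines for the demonstration (not real telemetry).
SAMPLE_LOGS: List[str] = [
    '2025-02-20T10:02:11Z dns client=10.1.4.22 query=bybit-assessment.com type=A',
    '2025-02-20T10:02:12Z proxy client=10.1.4.22 dst=91.222.173.30:443 method=CONNECT',
    '2025-02-20T10:05:40Z dns client=10.1.7.9 query=www.blockchainjobhub.com type=A',
    '2025-02-20T10:06:01Z dns client=10.1.7.9 query=notbybit-assessment.com type=A',
    '2025-02-20T10:07:15Z mail from=trevorgreer9312@gmail.com to=analyst@corp.example subject="Interview"',
    '2025-02-20T10:08:00Z dns client=10.1.9.3 query=nvidia.com type=A',
]


def refang(indicator: str) -> str:
    """Turn a defanged indicator back into its matchable form, lower-cased."""
    return indicator.replace("[.]", ".").replace("hxxp", "http").lower()


def build_matchers(iocs: Dict[str, List[str]]) -> List[Tuple[str, str, Pattern[str]]]:
    """Compile one anchored regex per indicator.

    The lookbehind rejects a preceding letter, digit or hyphen, so a look-alike such as
    "notbybit-assessment.com" is not reported, while a subdomain ("www.<domain>") still is
    because the preceding character is a dot. The lookahead rejects a trailing letter,
    digit or hyphen, so "91.222.173.301" is not mistaken for the listed IP.
    """
    matchers = []
    for kind, values in iocs.items():
        for raw in values:
            clean = refang(raw)
            pattern = re.compile(r"(?<![\w-])" + re.escape(clean) + r"(?![\w-])", re.IGNORECASE)
            matchers.append((kind, clean, pattern))
    return matchers


def scan_logs(lines: List[str], matchers=None) -> List[dict]:
    """Return one hit per (line, indicator) pair, with the 1-based line number."""
    matchers = matchers or build_matchers(IOCS_DEFANGED)
    hits = []
    for number, line in enumerate(lines, start=1):
        for kind, indicator, pattern in matchers:
            if pattern.search(line):
                hits.append({"line": number, "kind": kind, "indicator": indicator, "text": line})
    return hits


if __name__ == "__main__":
    for hit in scan_logs(SAMPLE_LOGS):
        print(f"line {hit['line']}: {hit['kind']} {hit['indicator']} <- {hit['text']}")
```

Run against the constructed lines, the scanner reports the DNS query for `bybit-assessment.com`, the proxy CONNECT to `91.222.173.30`, the `www.` subdomain of `blockchainjobhub.com`, and the mail from `trevorgreer9312@gmail.com`, and stays silent on the look-alike `notbybit-assessment.com` and on the unrelated `nvidia.com` query. Matching a single VPN exit IP will produce benign hits in environments where that provider is in legitimate use, so an IP hit is a pivot for further investigation rather than a verdict on its own.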

Full Story: https://www.silentpush.com/blog/lazarus-bybit/