Attack Flowchart | Image: KuCoin
KuCoin's security team has identified fresh phishing campaigns orchestrated by the Lazarus Group (APT38), a North Korean state-sponsored threat actor infamous for targeting financial institutions and cryptocurrency businesses. The latest operations blend fake job interviews, poisoned code repositories, and newly disclosed vulnerabilities into one of the group's most complex campaigns to date.
Historically, Lazarus has focused on banks and crypto exchanges, but recent attacks show a refined strategy: "Over the past decade, Lazarus Group has heavily focused on financial institutions and cryptocurrency-related businesses, employing a hybrid attack strategy: casting a wide net before zeroing in on high-value targets."
The latest campaign often begins on platforms like LinkedIn, Telegram, or Twitter (X), where attackers masquerade as recruiters. "Their goal? To trick targets into participating in a fake interview process, ultimately leading to malware installation, stealing credentials/passwords from victims' devices and browsers, then draining their crypto wallets."
For non-technical victims, Lazarus actors claim a "camera driver is missing" during a supposed video interview and instruct targets to run malicious commands. KuCoin observed macOS victims being pushed to download a cdrivMac.sh script from technudge[.]pro, which installs persistence tools, harvests data, and launches disguised malware such as ChAudioFixer.app.
On Windows, victims were directed to download cdrivWin.zip, which unpacked into files including update.vbs and a disguised Python interpreter (csshost.exe) executing nvidia.py for cookie, password, and crypto theft. The malware ensured persistence by adding registry startup keys.
For technical professionals, Lazarus escalates its tactics. KuCoin's team reports: "In attacks targeting technical personnel, the attackers employ multiple sophisticated vectors: poisoned npm open-source supply chains, compromised private GitHub repositories, and malicious code zip packages."
In one incident, Lazarus weaponized Git features with symbolic links and malicious hooks. Victims who cloned a GitLab repository unwittingly executed mongodb.hook.js, which established a backdoor and exfiltrated data. To hide traces, the attackers replaced the repository contents with a clean project after execution.
The report adds that Lazarus has already exploited CVE-2025-48384, a newly disclosed vulnerability, to enhance these supply chain and developer-targeted attacks.
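The Git vector described above (a cloned repository carrying symbolic links and a hook that runs on checkout) can be caught before any build or test command is run. The following audit script is an added example for this article, not KuCoin's tooling; the fixture repository it builds is constructed for illustration and the check is the general one: any symlink resolving into .git and any non-sample hook in a fresh clone is worth a look.

```python
# Added example (not KuCoin's tooling): audit a freshly cloned working tree for
# the two tricks the article describes, symlinks pointing into .git and live
# (non-.sample) hook scripts. The fixture repository is constructed here.
import os
import tempfile
from pathlib import Path

def find_symlinks_into_git(repo: Path) -> list[str]:
    """Repo-relative paths of symlinks whose target resolves inside .git."""
    git_dir = (repo / ".git").resolve()
    hits = []
    for root, dirs, files in os.walk(repo):  # does not follow symlinks
        if Path(root) == repo:
            dirs[:] = [d for d in dirs if d != ".git"]  # don't descend into .git
        for name in dirs + files:  # symlinked dirs are listed in dirs
            p = Path(root) / name
            if p.is_symlink():
                target = (p.parent / os.readlink(p)).resolve()
                if target == git_dir or git_dir in target.parents:
                    hits.append(p.relative_to(repo).as_posix())
    return sorted(hits)

def find_active_hooks(repo: Path) -> list[str]:
    """Names of hook files Git would actually run (samples are ignored)."""
    hooks = repo / ".git" / "hooks"
    if not hooks.is_dir():
        return []
    return sorted(h.name for h in hooks.iterdir()
                  if h.is_file() and not h.name.endswith(".sample"))

def audit(repo: Path) -> dict:
    """Combined report; anything non-empty deserves a look before running builds."""
    return {"symlinks_into_git": find_symlinks_into_git(repo),
            "active_hooks": find_active_hooks(repo)}

def build_suspicious_repo() -> Path:
    """Constructed fixture: a checkout with a symlink into .git and a live hook."""
    repo = Path(tempfile.mkdtemp())
    (repo / ".git" / "hooks").mkdir(parents=True)
    (repo / ".git" / "hooks" / "pre-commit.sample").write_text("# sample\n")
    (repo / ".git" / "hooks" / "post-checkout").write_text("#!/bin/sh\n")
    (repo / "src").mkdir()
    os.symlink("../.git/hooks", repo / "src" / "scripts")
    return repo

if __name__ == "__main__":
    print(audit(build_suspicious_repo()))
```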
KuCoin's analysis tied the new phishing kit to past Lazarus activity. "The attack kit remains consistent with historical samples, including: the same domain (api.jz-aws[.]info) as npm poisoning incidents, continued use of dropbox[.]com for mac system password exfiltration, and standard IP checks via api.ipify[.]org."
This shows that while Lazarus continually innovates, they reuse trusted infrastructure components to streamline operations.
The Lazarus Group remains one of the most dangerous APTs in the crypto and financial space. KuCoin's security team stresses that both technical and non-technical employees are at risk: from LinkedIn "recruiters" pushing fake interviews to poisoned open-source packages targeting developers.
As the report concludes, "This campaign follows their well-established playbook: fake job postings → multi-stage "interviews" → malware deployment."
With Lazarus now leveraging both CVE-2025-48384 and open-source poisoning, crypto firms and fintech organizations must treat hiring outreach and code supply chains as critical attack surfaces requiring strict defenses.