Security researchers have uncovered a new malicious campaign orchestrated by the notorious Lazarus Group, a North Korean state-sponsored hacking collective known for its global cyber-espionage operations. The campaign, dubbed 'Operation 99,' was first spotted on January 9 and is currently targeting software developers across the globe.
Operation 99 is designed to infiltrate developer environments and steal highly sensitive information, including source code, configuration files, API keys, and cryptocurrency wallet credentials.
The attack begins with seemingly innocuous interactions. Fake recruiters contact developers through professional platforms such as LinkedIn with job prospects, offering "project tests" or "code reviews" to lure them into a trap. Once a victim agrees, they are directed to clone a GitLab repository that contains the malware.
Cloning the repository unknowingly establishes a connection from the victim's machine to a command-and-control (C2) server. The server then delivers a multi-stage malware payload designed to infiltrate the victim's development environment and exfiltrate valuable data from it.
The modular malware used in Operation 99 runs on Windows, macOS, and Linux. Its key components are a downloader called 'Main99'; Payload99/73, a suite of implants capable of keylogging, clipboard monitoring, and file exfiltration; and MCLIP, a specialized implant that focuses on monitoring keyboard input and clipboard activity.
The campaign's C2 servers are hosted by "Stark Industries LLC," a provider that presents as a legitimate business, and they serve heavily obfuscated Python scripts. The scripts combine ZLIB compression with a 65-layer encoding scheme, which makes the attack difficult for security analysts to spot and reverse-engineer.
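The layering described above is the usual reason an analyst cannot read such a script at a glance: each layer is a small stub that decodes and inflates the next one. The following is an added triage example, written for this page and not code from the report or from the Operation 99 payload. The page does not say which encoding the 65 layers use, so the example assumes the common base64-over-zlib pattern; `MAX_INFLATED`, `wrap`, `peel`, `is_python_source` and the sample `INNER_SCRIPT` are all constructed here. It peels layers without ever executing the decoded data and caps each inflate so a crafted stream cannot act as a decompression bomb.

```python
import base64
import binascii
import zlib

# Size cap for a single inflated layer: a crafted zlib stream can expand
# enormously (a "decompression bomb"), so never inflate without a ceiling.
MAX_INFLATED = 1 << 20  # 1 MiB, an assumed limit; tune for your triage box

# Constructed sample: a harmless one-liner standing in for the innermost
# script of a loader. Nothing here is taken from the real Operation 99 payload.
INNER_SCRIPT = b"print('innermost stage reached')"


def wrap(payload: bytes, layers: int) -> bytes:
    """Build a sample by applying `layers` rounds of zlib + base64.

    Used only to construct test input; a real sample arrives already wrapped.
    """
    data = payload
    for _ in range(layers):
        data = base64.b64encode(zlib.compress(data))
    return data


def peel(blob: bytes, max_layers: int = 200) -> tuple[bytes, int]:
    """Strip base64-over-zlib layers until the data no longer decodes.

    Returns (innermost bytes, number of layers removed). `max_layers` bounds
    the loop so a crafted input cannot keep us decoding forever, and every
    inflate is capped at MAX_INFLATED bytes. The data is never exec()'d.
    """
    data = blob.strip()
    for depth in range(max_layers):
        try:
            decoded = base64.b64decode(data, validate=True)
        except binascii.Error:
            return data, depth  # not base64: this is the innermost layer
        inflater = zlib.decompressobj()
        try:
            inflated = inflater.decompress(decoded, MAX_INFLATED)
        except zlib.error:
            return data, depth  # base64 but not a zlib stream: also the end
        if inflater.unconsumed_tail:
            raise ValueError(f"layer {depth} inflates beyond {MAX_INFLATED} bytes")
        data = inflated
    return data, max_layers


def is_python_source(data: bytes) -> bool:
    """Check whether the peeled bytes parse as Python, without running them."""
    try:
        compile(data, "<peeled>", "exec")
        return True
    except (SyntaxError, ValueError, UnicodeDecodeError):
        return False


if __name__ == "__main__":
    sample = wrap(INNER_SCRIPT, 65)
    inner, layers = peel(sample)
    print(f"removed {layers} layers; innermost parses as Python: {is_python_source(inner)}")
    print(inner.decode())
```

Real loaders frequently mix other wrappers into the chain (marshal, XOR, reversed strings), so in practice `peel` is extended with one recogniser per wrapper rather than a single base64 check; the important design points stay the same: decode, never execute, and bound both the depth and the output size.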
Unlike earlier iterations of Lazarus Group malware, the implants used in this campaign lack a self-destruction mechanism. This means that once a victim is infected, the attackers can maintain long-term access to the compromised system, continuously siphoning valuable data without raising suspicion.
Similar attacks were reported in October 2024, but the January 2025 campaign shows several significant upgrades: the implants no longer self-destruct, the 65-layer encoding scheme makes the malicious payloads harder than ever to detect, and the malware is more modular, with new C2 endpoints such as /payload, /brow, and /mclip adding versatility and allowing the tooling to adapt and evolve over time.