Lazarus Group Targets Crypto Users with Browser Extension Attacks
Jimmy has nearly 10 years of experience as a journalist and writer in the blockchain industry. He has worked with well-known publications such as Bitcoin Magazine, CCN, and Blockonomi, covering news...
- Bitget Burns 60M $BGB, Price Up 3% - $6 Next?
- Quant ($QNT) Climbs 1.4% as Fusion Devnet and Sibos 2025 Boost Adoption Outlook
- $HYPE Nears All-Time High on Rising Volume and Deep Liquidity
- Will $OKB Hold $184 After Token Burn and X Layer Upgrade Despite Regulatory Challenges?
- $OKB Jumps Over 6% After 65M Token Burn and ‘X Layer’ Launch

The North Korean hacker organization Lazarus Group has intensified its cyber attacks on the cryptocurrency market in September 2024 by introducing new malware strains targeting browser extensions and video conferencing applications, according to a recent report by cybersecurity firm Group-IB.
The #Lazarus Group shows no signs of easing with their campaign targeting #jobseekers extending to the present day. Group-IB researchers found new updates to their tools and tactic – new suite of Python scripts – #CivetQ, a #Windows and #Python version of #BeaverTail pic.twitter.com/IKqU7Mk2dm
— Group-IB Threat Intelligence (@GroupIB_TI) September 4, 2024
The report details how the group expanded its focus to include these platforms, using increasingly sophisticated malware variants.
Lazarus Group’s Browser Extension Attacks
In addition to the ‘Contagious Interview’ campaign, which tricked job seekers into downloading malware disguised as job-related tasks, the Lazarus Group has now broadened its attacks to include fake video conferencing apps.
This scheme has now evolved to include a fake video conferencing app called “FCCCall,” which mimics legitimate software.
Once installed, the app deploys the BeaverTail malware. This malware is designed to exfiltrate credentials from browsers and data from cryptocurrency wallets via browser extensions.
It then installs a Python-based backdoor, dubbed “InvisibleFerret,” further compromising the victim’s system.
This latest campaign highlights their increasing focus on crypto wallet browser extensions, specifically targeting MetaMask, Coinbase, BNB Chain Wallet, TON Wallet, and Exodus Web3.
Analysts at Group-IB note that the group is now targeting a broad range of applications, including MetaMask and Coinbase.
By using malicious JavaScript, they lure victims into downloading software under the pretense of reviews or analysis tasks.
Group-IB researchers identified a new suite of Python scripts, named “CivetQ,” as part of the group’s evolving toolkit.
These scripts indicate a shift in tactics to target blockchain professionals through job search platforms like WWR, Moonlight, and Upwork.
Interesting techniques were added: #AnyDesk unattended access, establishing persistence, and stealing browsers’ extension data such as Authenticator, password managers. #Telegram was also added as an additional data exfiltration method.
— Group-IB Threat Intelligence (@GroupIB_TI) September 4, 2024
After making initial contact, the hackers usually switch the conversation to Telegram. They trick victims into downloading a fake video conferencing app or a Node.js project, claiming it’s for a technical job interview.
Lazarus Group’s Growing Threat to Crypto And Recent Exploitation of Microsoft Windows Vulnerabilities
The Lazarus Group continues to be a concern in the cryptocurrency sector, especially with its recent exploitation of Microsoft Windows vulnerabilities.
The group has improved its methods, making it harder to detect harmful software by hiding its malicious code in newer and more sophisticated ways.
This escalation mirrors broader trends observed by the Federal Bureau of Investigation (FBI), which recently warned that North Korean hackers are targeting employees in decentralized finance and cryptocurrency sectors with highly specialized social engineering campaigns.
These campaigns are designed to penetrate even the most secure systems, posing an ongoing threat to organizations with substantial crypto assets.
In a related development, Lazarus Group allegedly exploited a zero-day Microsoft Windows vulnerability.
#Lazarus exploited a flaw in the Windows AppLocker driver (appid.sys) as a zero-day to gain kernel-level access and turn off security tools.CVE-2024-21338
— blackorbird (@blackorbird) February 29, 2024
Beyond BYOVD with an Admin-to-Kernel Zero-Dayhttps://t.co/irFNz3Dntt pic.twitter.com/Hfco33UPBm
The vulnerability, tracked as CVE-2024-38193 (CVSS score: 7.8), was identified as a privilege escalation bug in the Windows Ancillary Function Driver (AFD.sys) for WinSock.
Two researchers, Luigino Camastra and Milánek, discovered the security flaw that allowed hackers to access restricted parts of computer systems without being detected.
Microsoft addressed the flaw as part of its monthly Patch Tuesday update in September 2024.
- XRP Price Prediction: Judge in XRP Ruling Delivers Fresh Blow
- Elon Musk Grok AI Predicts XRP Will Explode by End of 2026
- Mark Zuckerberg Meta AI Predicts Gold and Silver Price Will Skyrocket by End of 2026
- Sam Altman ChatGPT AI Predicts Bitcoin Price Will Shock Everyone by End Of 2026
- Ethereum Price Prediction: Tom Lee Predicts $5 Trillion Ethereum
About Us
2M+
250+
8
70
Market Overview
- 7d
- 1m
- 1y
- XRP Price Prediction: Judge in XRP Ruling Delivers Fresh Blow
- Elon Musk Grok AI Predicts XRP Will Explode by End of 2026
- Mark Zuckerberg Meta AI Predicts Gold and Silver Price Will Skyrocket by End of 2026
- Sam Altman ChatGPT AI Predicts Bitcoin Price Will Shock Everyone by End Of 2026
- Ethereum Price Prediction: Tom Lee Predicts $5 Trillion Ethereum
More Articles
Get dialed in every Tuesday & Friday with quick updates on the world of crypto