DPRK hackers go after crypto assets using trojanized DeFi Wallet app


Level 85
Thread author
Honorary Member
Top Poster
Content Creator
Malware Hunter
Aug 17, 2014
Hackers associated with the North Korean government have been distributing a trojanized version of the DeFi Wallet for storing cryptocurrency assets to gain access to the systems of cryptocurrency users and investors.

The threat actor relied in this attack on web servers located in South Korea to push the malware and to communicate with the installed implants.

Researchers at cybersecurity company Kaspersky discovered recently a malicious variant of the DeFi Wallet app, which installed the legitimate application along with a backdoor disguised as the executable for the Google Chrome web browser.

The trojanized DeFi application came with a compilation date from November 2021 and added a full-featured backdoor when executed on the system.
Kaspersky researchers worked with the South Korea CERT (Computer Emergency Response Team) to take down some of the domains used in this campaign and could analyze and compare the C2 scripts.

The findings revealed overlaps with other operations from attackers linked to North Korea, generically referred to as the Lazarus group.

“We believe with high confidence that the Lazarus group is linked to this malware as we identified similar malware in the CookieTime [malware] cluster,” Kaspersky


About us

  • MalwareTips is a community-driven platform providing the latest information and resources on malware and cyber threats. Our team of experienced professionals and passionate volunteers work to keep the internet safe and secure. We provide accurate, up-to-date information and strive to build a strong and supportive community dedicated to cybersecurity.

User Menu

Follow us

Follow us on Facebook or Twitter to know first about the latest cybersecurity incidents and malware threats.