Kaspersky: Lazarus Group took control of compromised devices by using a zero-day exploit. The vulnerability in question is CVE-2024-4947, a type confusion bug in the V8 JavaScript and WebAssembly engine that Google fixed in mid-May 2024. The campaign is estimated to have started in February 2024.
After successful exploitation, the threat actor runs a validator, a piece of shellcode that collects system data and determines whether the machine is valuable enough to warrant additional post-exploitation actions. It is currently unknown whether the bug was exploited as an N-day vulnerability or whether the attackers found it earlier and weaponized it as a zero-day. According to Kaspersky's findings, the precise payload delivered after this stage is also unknown.
Microsoft has linked another North Korean threat activity cluster, known as Moonstone Sleet, to the use of a malicious tank game (DeTankWar) as a means of distributing malware. The source code for a game called DeFiTankLand was allegedly stolen by the Lazarus Group. In March 2024, the P2E game suffered its own hack, which resulted in the theft of $20,000 worth of DFTL2 coins.
Kaspersky believes the Lazarus Group was responsible, stealing the game's source code along with the coins and using it to further their objectives. "Lazarus is one of the most active and sophisticated APT actors, and financial gain remains one of their top motivations," the researchers stated. "The attackers are always developing new, sophisticated social engineering schemes and changing their tactics."
They continued, "We anticipate that Lazarus will develop even more complex attacks using generative AI, which they have already successfully begun to use." The Lazarus Group has not responded to requests for comment.