North Korean Hackers Targeting Freelance Software Developers

2 weeks ago

North Korean hackers are targeting the software supply chain in a new campaign aimed at developers looking for freelance Web3 and cryptocurrency work, cybersecurity firm SecurityScorecard reports.

Dubbed Operation 99 and attributed to the infamous Lazarus Group, the campaign represents an upgrade to previously observed Operation Dream Job attacks, luring developers to clone a malicious GitLab repository and infect their systems.

As part of the attacks, fake profiles on popular platforms such as LinkedIn are used to approach the developers with project tests and code review offers that eventually direct them to clone the malicious repository.

Once run, the cloned code connects to the attackers’ command-and-control (C&C) servers, which are hosted by ‘Stark Industries LLC’, to fetch heavily obfuscated Python scripts that deploy payloads tailored to each victim.

The multi-stage malware system used in these attacks includes the Main99 and Main5346 downloaders that drop malware such as Payload99/73, Brow99/73, and MCLIP to steal files and monitor user activities.

“This modular framework is as flexible as it is dangerous. It works across platforms—Windows, macOS, and Linux—embedding itself into developer workflows with surgical precision. By adapting malware to each target, the Lazarus Group ensures maximum impact with minimum detection,” SecurityScorecard notes.

The dynamically adjusted malware allows the threat actor to maintain persistent access to the victim’s systems, as the implants do not self-delete after execution and feature a 65-layer encoding scheme to stay hidden.
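As an added illustration of the kind of static triage a developer can run on a freshly cloned repository before executing anything from it (example code written for this page, not SecurityScorecard's tooling and not the actual Operation 99 implants): the script builds a constructed sample wrapped in a hypothetical nested base64-plus-zlib `exec` scheme, then statically peels the layers and flags scripts whose encoding depth is abnormal. The real campaign's encoding format is not described in the article, so the layer layout here is an assumption.

```python
import base64
import re
import zlib

# Regex for one hypothetical layer of the form exec(zlib.decompress(base64.b64decode('...'))).
# This is an assumed layout for demonstration, not the format used by the real malware.
LAYER_RE = re.compile(
    r"exec\(zlib\.decompress\(base64\.b64decode\(['\"]([A-Za-z0-9+/=]+)['\"]\)\)\)"
)


def _wrap(src: str, layers: int) -> str:
    """Constructed helper: wrap a benign script in N encoding layers to build test input."""
    for _ in range(layers):
        blob = base64.b64encode(zlib.compress(src.encode())).decode()
        src = f"import base64,zlib\nexec(zlib.decompress(base64.b64decode('{blob}')))"
    return src


# Constructed sample: a harmless print wrapped seven times.
SAMPLE = _wrap("print('hello from inner layer')", 7)


def peel_layers(src: str, max_layers: int = 200) -> tuple[int, str]:
    """Statically unwrap nested layers WITHOUT executing anything.

    Returns (layer_count, innermost_source). Stops at max_layers so a
    maliciously deep or self-referential blob cannot loop forever.
    """
    depth = 0
    while depth < max_layers:
        match = LAYER_RE.search(src)
        if not match:
            break
        try:
            src = zlib.decompress(base64.b64decode(match.group(1))).decode("utf-8", "replace")
        except (ValueError, zlib.error):
            break  # malformed blob: report what was peeled so far
        depth += 1
    return depth, src


def assess(src: str, threshold: int = 3) -> dict:
    """Triage verdict: legitimate code rarely needs more than a layer or two of
    encode-then-exec, so depth at or above `threshold` is flagged for review."""
    depth, inner = peel_layers(src)
    return {"layers": depth, "suspicious": depth >= threshold, "inner_preview": inner[:80]}


if __name__ == "__main__":
    print(assess(SAMPLE))
```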

Payload99/73 can collect system data such as device information, usernames, and UUIDs, exfiltrate files, steal clipboard data, terminate browser processes, and execute arbitrary code.


Brow99/73 steals credentials from browsers: it extracts the AES keys protecting browser data on Windows, accesses the GNOME keyring for browser decryption on Linux, and retrieves passwords from the Keychain on macOS.

The MCLIP implant monitors and exfiltrates keystrokes and clipboard data, sending them to the C&C server in real time.

“Operation 99 thrives on deception. From fake recruiters with polished LinkedIn profiles to malicious repositories masquerading as legitimate projects, every element is designed to exploit trust,” SecurityScorecard says.

The campaign’s objective, the cybersecurity firm notes, is the compromise of technology creators in a supply chain attack that leads to disruption and the theft of intellectual property, sensitive information, and cryptocurrency wallet keys.

“For North Korea, hacking is a revenue generating lifeline. The Lazarus Group has consistently funneled stolen cryptocurrency to fuel the regime’s ambitions, amassing staggering sums,” SecurityScorecard notes.

This week, the US, Japan, and South Korea blamed North Korean hackers for stealing approximately $660 million in cryptocurrency in 2024. According to a December report from Chainalysis, Pyongyang-affiliated threat actors stole $1.34 billion in 47 cryptocurrency-related attacks last year.

A Wednesday report from Secureworks links the North Korean fake IT workers scheme to a 2016 IndieGoGo crowdfunding scam that generated roughly $20,000 for the North Korean regime.

“This 2016 campaign was a low-effort, small monetary-return endeavor compared to the more elaborate North Korean IT worker schemes active as of this publication. However, it showcases an earlier example of North Korean threat actors experimenting with various money-making schemes,” Secureworks notes.
