The cryptocurrency world has suffered from a growing number of cyberattacks targeting exchanges, users and wallets. One of the most notable recent incidents is the Bybit hack, allegedly orchestrated by the infamous Lazarus group. As the industry expands, the number of crypto scams grows with it, and criminals keep adapting their tactics to deceive users and steal funds. From phishing attacks to fake ICOs, Ponzi schemes and rug pulls, the variety of scams is as broad as the market itself.
Lazarus Threat Actor & Bybit
Lazarus, the North Korean state-sponsored threat group, pursues three primary objectives: espionage, disruption and financial gain to fund North Korea’s military and nuclear programmes. Its targets are typically high-value financial institutions, critical infrastructure and cryptocurrency exchanges. Lazarus is a highly skilled threat actor that employs a vast range of tactics and techniques.
The threat actors abused a routine transfer process within Bybit: the movement of funds from an offline “cold” wallet to a “warm” wallet used for daily trading. The attack chain involved the compromise of a developer’s laptop at Safe{Wallet}, the third-party wallet provider whose interface Bybit used for the transfer, and the hijacking of that developer’s AWS session tokens, which allowed the attackers to bypass MFA. It was disclosed that the attack originated from an ExpressVPN IP address. More technical details can be found here.
Lazarus often gains initial access through spear-phishing emails with malicious attachments, exploitation of vulnerabilities in public-facing applications, and compromise of software supply chains or external service providers. The group frequently obfuscates malware, command-and-control (C2) traffic and scripts to avoid detection, and modifies system processes to maintain persistence.
Emerging malware & trojans targeting cryptocurrency wallets
MassJacker malware has been observed stealing cryptocurrency through clipboard hijacking. It monitors the Windows clipboard for copied wallet addresses and silently replaces them with an address controlled by the attackers, so a victim who pastes the address into a transaction sends the funds to the criminals instead. Researchers noted that it was distributed via a website hosting pirated software, which highlights the importance of installing software only from trusted and legitimate sources.
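To make the clipper technique concrete, here is an added example (not code from the original article or from the MassJacker research) that shows both halves of the problem: how a clipper finds and swaps a Bitcoin address in clipboard text, and how a defender-side guard can catch the swap by remembering what the user actually copied and checking whether the clipboard later holds a different valid address. The clipboard is simulated with an in-memory list of events so the script runs offline; the attacker address is generated from a constructed key hash, the user address is the well-known genesis-block address, and only legacy Base58Check addresses are handled.

```python
"""Clipboard-hijack demo and guard (added example; assumptions noted in comments)."""
import hashlib
import re

ALPHABET = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"
# Loose pattern a clipper uses to find candidate legacy addresses; precision comes
# from the checksum check below, which rules out random Base58-looking strings.
BTC_LEGACY_RE = re.compile(r"\b[13][1-9A-HJ-NP-Za-km-z]{25,34}\b")


def base58check_valid(addr):
    """True if addr decodes to 25 bytes with a correct 4-byte double-SHA256 checksum."""
    n = 0
    for ch in addr:
        idx = ALPHABET.find(ch)
        if idx < 0:
            return False
        n = n * 58 + idx
    raw = n.to_bytes((n.bit_length() + 7) // 8, "big")
    pad = len(addr) - len(addr.lstrip("1"))  # each leading '1' encodes a zero byte
    raw = b"\x00" * pad + raw
    if len(raw) != 25:
        return False
    payload, checksum = raw[:-4], raw[-4:]
    return hashlib.sha256(hashlib.sha256(payload).digest()).digest()[:4] == checksum


def base58check_encode(payload):
    """Base58Check-encode a version byte plus 20-byte hash (used to build the demo address)."""
    data = payload + hashlib.sha256(hashlib.sha256(payload).digest()).digest()[:4]
    n = int.from_bytes(data, "big")
    out = ""
    while n:
        n, r = divmod(n, 58)
        out = ALPHABET[r] + out
    pad = len(data) - len(data.lstrip(b"\x00"))
    return "1" * pad + out


def find_addresses(text):
    """Return every checksum-valid legacy address found in text."""
    return [m for m in BTC_LEGACY_RE.findall(text) if base58check_valid(m)]


def clipper_replace(clipboard_text, attacker_addr):
    """What a clipper does: swap every valid address in the clipboard for the attacker's."""
    return BTC_LEGACY_RE.sub(
        lambda m: attacker_addr if base58check_valid(m.group()) else m.group(),
        clipboard_text,
    )


class ClipboardGuard:
    """Defender side: remember the address the user copied, flag silent replacements."""

    def __init__(self):
        self.user_copied = None

    def on_user_copy(self, text):
        addrs = find_addresses(text)
        self.user_copied = addrs[0] if addrs else None

    def check(self, clipboard_text):
        """Alert if the clipboard holds a valid address different from the one the user copied."""
        addrs = find_addresses(clipboard_text)
        if self.user_copied and addrs and addrs[0] != self.user_copied:
            return f"clipper suspected: {self.user_copied} -> {addrs[0]}"
        return None


def simulate(events):
    """Run the guard over (source, text) events; 'user' = copy action, 'clipboard' = observed content."""
    guard = ClipboardGuard()
    alerts = []
    for source, text in events:
        if source == "user":
            guard.on_user_copy(text)
        else:
            alert = guard.check(text)
            if alert:
                alerts.append(alert)
    return alerts


USER_ADDRESS = "1A1zP1eP5QGefi2DMPTfTL5SLmv7DivfNa"  # well-known genesis-block address
# Constructed attacker address: version byte 0x00 plus a 20-byte hash of a made-up key.
ATTACKER_ADDRESS = base58check_encode(b"\x00" + hashlib.sha256(b"constructed attacker key").digest()[:20])
DEMO_EVENTS = [  # constructed scenario: one clean read, then the clipper swaps the address
    ("user", f"pay to {USER_ADDRESS}"),
    ("clipboard", f"pay to {USER_ADDRESS}"),
    ("clipboard", clipper_replace(f"pay to {USER_ADDRESS}", ATTACKER_ADDRESS)),
]

if __name__ == "__main__":
    for alert in simulate(DEMO_EVENTS):
        print(alert)
```

The guard only alerts when a different *valid* address appears, so ordinary edits to clipboard text do not trigger it. On a real Windows host the `user` events would come from a copy hook and the `clipboard` reads from polling the clipboard, which is exactly the loop a clipper runs in reverse.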
Microsoft researchers have discovered a new remote access trojan, dubbed StilachiRAT, that employs sophisticated techniques to evade detection and extract sensitive information. Because it has so far been seen only in limited use, it has not been attributed to a threat actor; it is believed to be used mainly for cryptocurrency theft and reconnaissance.
The malware’s WWStartupCtrl64.dll module contains capabilities for stealing data such as browser credentials, cryptocurrency wallet information, clipboard contents and system information. StilachiRAT can also monitor RDP sessions by capturing foreground window information, enumerating other RDP sessions and duplicating their security tokens to impersonate those users.
Most common crypto scams
- Phishing Scams: Scammers send emails or messages that lead victims to fake websites where they are prompted to enter private keys or other sensitive information.
- Rug Pull Scams: Developers attract investors to a new cryptocurrency project, pump up the value, and then abandon the project, leaving investors with worthless tokens.
- Ponzi Schemes and Investment Scams: Scammers promise high returns on investments in cryptocurrency projects. These schemes often involve fake investment websites and impersonation of celebrities or financial experts.
- Liquidity Mining Scams: Victims are lured into moving cryptocurrency to a platform that promises high returns. The scammers then move all the stored cryptocurrency and investments to their wallets.
- Crypto Blackmail Scams: Scammers threaten to release compromising information about the victim unless they are paid in cryptocurrency.
Recommendations
- Implement MFA: Use phishing-resistant multi-factor authentication (MFA) methods like FIDO tokens or Microsoft Authenticator with passkeys to enhance account security.
- Regular Security Audits: Exchanges should conduct routine security audits to identify and address infrastructure vulnerabilities.
- Least Privileged Access: Limit privileged access to infrastructure, ensuring only necessary developers have permissions and maintaining clear separation between development and infrastructure management.
- DNS Traffic Security: Enforce security controls at the DNS layer to block requests to malicious domains and prevent DNS spoofing.
- VPN and Software Restrictions: Establish policies regarding commercial VPN usage, enforce necessary blocks, and prevent users from downloading software from untrusted domains. Enable “Potentially Unwanted Application” (PUA) protection in Microsoft Defender to block untrusted apps.
Here at Socura we are focusing on proactive threat hunts and creating rules to detect malicious activities and threat actors’ behaviour.