Volexity researchers warn of a new malware campaign conducted by the North Korea-linked Lazarus APT against cryptocurrency users. The threat actors were observed spreading fake cryptocurrency apps under the fake brand BloxHolder to deliver the AppleJeus malware for initial access to networks and steal crypto assets.
The APT group employed the AppleJeus malware since at least 2018 to steal cryptocurrencies from the victims.
The new campaign observed by Volexity started in June 2022, the APT group registered the domain name bloxholder[.]com, and then set up a website related to automated cryptocurrency trading.
The new campaign attributed to Lazarus started in June 2022 and was active until at least October 2022.
In this campaign, the threat actors used the “bloxholder[.]com” domain, a clone of the HaasOnline automated cryptocurrency trading platform.
The website is a clone of the legitimate website, HaasOnline (haasonline[.]com.)