copyleftdev/lazarus-19day-abtest
Lazarus Group: 19-Day A/B Test Campaign Analysis

TLP:CLEAR | Defensive threat intelligence only | No malware, exploits, or PII | Full disclaimer

Deep-dive threat intelligence package on Lazarus Group's three-wave GitHub phishing campaign targeting developers (March -- April 2026). Built by enriching @toxy4ny's original research with VulnGraph, GitHub OSINT, blockchain forensics, and live C2 reconnaissance.

Campaign at a Glance

```mermaid
gantt
    title Campaign Timeline (19 Days)
    dateFormat YYYY-MM-DD
    axisFormat %b %d

    section Wave 1
    OpenClaw Airdrop (GREED)        :crit, w1, 2026-03-20, 1d

    section Gap
    7-day pivot                     :done, g1, 2026-03-21, 6d

    section Wave 2
    Fake VS Code CVE (FEAR)         :active, w2, 2026-03-27, 1d

    section Gap
    12-day pivot                    :done, g2, 2026-03-28, 11d

    section Wave 3
    Uniswap Recruitment (AMBITION)  :active, w3, 2026-04-08, 1d
```

Three waves. One target pool. Three psychological triggers. Identical delivery each time: GitHub notification pipeline abuse via mass-mention discussions redirected through share.google/ URLs.

|         | Wave 1                   | Wave 2            | Wave 3                   |
|---------|--------------------------|-------------------|--------------------------|
| Date    | Mar 20                   | Mar 27            | Apr 8                    |
| Emotion | Greed                    | Fear              | Ambition                 |
| Lure    | $5K CLAW token airdrop   | Fake critical CVE | $300K -- $450K job offer |
| Payload | eleven.js wallet drainer | Malware dropper   | GolangGhost RAT          |
| Status  | Sinkholed                | Active            | Active                   |

Kill Chain

(diagram: diagrams/01_kill_chain.png)

Wave Comparison

(diagram: diagrams/04_wave_comparison.png)

C2 Infrastructure

(diagram: diagrams/02_c2_infrastructure.png)

Attribution

(diagram: diagrams/03_attribution.png)


Key Findings

| # | Finding                       | Detail                                                                            |
|---|-------------------------------|-----------------------------------------------------------------------------------|
| 1 | Fake CVE confirmed fabricated | CVE-2026-40271-64398 absent from VulnGraph (343K CVEs), MITRE, and NVD            |
| 2 | Attacker wallet dormant       | 0x6981E9EA... has zero transactions ever -- zero victims lost funds               |
| 3 | 857 developers compromised    | Across 90 countries via Contagious Interview; 241,764 credentials stolen          |
| 4 | C2 infrastructure still live  | Most domains and IPs operational; operators actively block researchers            |
| 5 | $6.75 B stolen all-time       | Lazarus is the most profitable state-sponsored cybercrime operation in history    |
| 6 | AI tools now targeted         | OtterCookie npm packages impersonating Gemini, Cursor, Claude                     |
| 7 | 217 real CVEs on OpenClaw     | 11 Critical, 91 High; 42 K+ exposed instances -- high-value impersonation target  |
| 8 | 70 % honeypot probability     | Red Asgard assesses some C2 servers may be counter-intelligence traps             |

Repository Layout

```text
vajra-sec-experiment/
│
├── README.md
├── LICENSE                                       MIT
├── DISCLAIMER.md                                 Legal, attribution caveats, responsible use
│
├── diagrams/                                     Generated architecture diagrams
│   ├── generate_all.py                           Python diagrams-as-code source
│   ├── 01_kill_chain.png                         Six-stage attack flow
│   ├── 02_c2_infrastructure.png                  Full C2 topology
│   ├── 03_attribution.png                        DPRK org tree + campaign mapping
│   ├── 04_wave_comparison.png                    Side-by-side wave breakdown
│   └── 05_stix_bundle.png                        STIX object composition
│
├── intel/                                        Intelligence reports
│   ├── dossier.md                                Master campaign analysis
│   ├── strategic-context.md                      DPRK program & $6.75 B context
│   ├── blockchain-forensics.md                   Wallet trace (dormant, 0 victims)
│   ├── c2-infrastructure-status.md               Live recon (857 victims, 241 K creds)
│   └── iocs.json                                 Structured IOCs (machine-readable)
│
├── detection/                                    Detection engineering
│   ├── yara/
│   │   └── lazarus_19day_campaign.yar            9 rules
│   ├── sigma/
│   │   ├── ...notification_phishing.yml          2 rules  (proxy + email)
│   │   └── ...contagious_interview_endpoint.yml  4 rules  (persistence + theft)
│   ├── suricata/
│   │   └── lazarus_network.rules                 23 rules (C2 IPs, ports, protocols)
│   ├── nuclei/
│   │   └── lazarus-c2-infrastructure.yaml        5 scanning templates
│   ├── hunting-queries.md                        Splunk, KQL, EQL, Shodan, Censys, VT
│   └── ioc-blocklist.txt                         Flat blocklist for firewall / DNS / proxy
│
├── sharing/                                      Threat intel exchange
│   ├── attack-navigator/
│   │   └── lazarus-19day-layer.json              72 ATT&CK techniques
│   └── stix/
│       └── lazarus-19day-bundle.json             80 STIX 2.1 objects
│
└── tools/
    └── vajra-skill.md                            Vajra analysis engine reference
```

Intel Reports

| Report                            | What it covers                                             | Headline number         |
|-----------------------------------|------------------------------------------------------------|-------------------------|
| intel/dossier.md                  | Full campaign analysis, malware teardowns, ATT&CK mapping  | 3 waves, 15 techniques  |
| intel/strategic-context.md        | DPRK cyber program, front companies, campaign genealogy    | $6.75 B stolen all-time |
| intel/blockchain-forensics.md     | On-chain wallet trace                                      | 0 transactions, 0 victims |
| intel/c2-infrastructure-status.md | Live C2 recon, victim impact, new infrastructure           | 857 devs, 241 K creds   |
| intel/iocs.json                   | Machine-readable structured IOC dataset                    | JSON for SIEM/SOAR      |

Detection Engineering

YARA -- 9 rules

| Rule                                       | Targets                                                              |
|--------------------------------------------|----------------------------------------------------------------------|
| Lazarus_ElevenJS_WalletDrainer             | C2 domains, wallet address, nuke() function, obfuscation patterns    |
| Lazarus_FakeCVE_Lure                       | CVE-2026-40271, fake researcher name, urgency language               |
| Lazarus_GoogleShare_Redirect               | All three campaign redirect URLs                                     |
| Lazarus_PylangGhost_RAT                    | 10-command dictionary, function signatures, C2 domain, artifacts     |
| Lazarus_PylangGhost_Hashes                 | 5 known SHA-256 file hashes                                          |
| Lazarus_ContagiousInterview_Workspace_Init | Telemetry exfil, tracker URLs, VS Code context                       |
| Lazarus_BeaverTail_C2_Ports                | Multi-port signature, 6 XOR encryption keys                          |
| Lazarus_FakeRecruitment_Lure               | Salary outliers, grammar markers, DeFi challenge patterns            |
| Lazarus_Axios_Supply_Chain                 | plain-crypto-js trojan, malicious axios versions                     |

Sigma -- 6 rules

| Rule                         | Layer       | Detects                                                      |
|------------------------------|-------------|--------------------------------------------------------------|
| GitHub Notification Phishing | Proxy       | Google Share redirect URLs, C2 domains                       |
| Fake CVE Email               | Email       | CVE-2026-40271, fake researcher attribution                  |
| VS Code Workspace Init       | Endpoint    | Malicious init-workspace scripts, telemetry exfil            |
| PylangGhost Persistence      | Registry    | NodeHelper, csshost.exe, nvidiaRelease                       |
| Scheduled Task Persistence   | Endpoint    | NodeUpdate, Runtime Broker tasks                             |
| Wallet Extension Theft       | File access | MetaMask / Phantom / Keplr data accessed by non-browsers     |

Suricata / Snort -- 23 rules

All known C2 IPs and ports, FTP exfil servers, domain-based detection, Vercel staging, user-agent signatures, and the custom binary protocol on ports 22411-22412.

Nuclei -- 5 templates

| Template                  | Scans for                                  |
|---------------------------|--------------------------------------------|
| BeaverTail Port Signature | Port 1244 + 5918 co-occurrence             |
| Z238 Binary Protocol      | Custom binary banner on port 22411         |
| OpenClaw Phishing Site    | Cloned sites serving eleven.js             |
| PylangGhost C2            | python-requests user-agent C2 pattern      |
| Vercel Stage 1            | Known Vercel staging domains still live    |

Hunting Queries

Pre-built queries for Splunk SPL, Microsoft KQL, Elastic EQL, Shodan / Censys, and VirusTotal.


Threat Sharing Formats

ATT&CK Navigator

Import sharing/attack-navigator/lazarus-19day-layer.json into the ATT&CK Navigator.

```text
72 technique entries  |  33 unique techniques
Red    = 20 observed in this campaign
Orange = 13 broader Lazarus G0032 arsenal
```

STIX 2.1 Bundle

Import sharing/stix/lazarus-19day-bundle.json into MISP or OpenCTI.

(diagram: diagrams/05_stix_bundle.png)


Quick Start

Block IOCs immediately

```bash
grep -v '^#' detection/ioc-blocklist.txt | grep -v '^$'
```

Scan infrastructure with Nuclei

```bash
nuclei -t detection/nuclei/lazarus-c2-infrastructure.yaml -l targets.txt
```

Sweep files with YARA

```bash
yara detection/yara/lazarus_19day_campaign.yar /path/to/scan
```

Convert Sigma to your SIEM

```bash
sigma convert -t splunk               detection/sigma/*.yml
sigma convert -t microsoft365defender detection/sigma/*.yml
```

Import ATT&CK layer

  1. Open ATT&CK Navigator
  2. Open Existing Layer > Upload from local
  3. Select sharing/attack-navigator/lazarus-19day-layer.json

Import STIX into OpenCTI

```python
from pycti import OpenCTIApiClient

api = OpenCTIApiClient("https://your-opencti", "YOUR_TOKEN")
api.stix2.import_bundle_from_file("sharing/stix/lazarus-19day-bundle.json")
```

Analyze IOCs with Vajra

```bash
vajra essence intel/iocs.json --profile fraud --format markdown
vajra invariants intel/iocs.json
vajra fingerprint intel/iocs.json
```

Sources and Tools

| Source       | What it provided                                     | Freshness    |
|--------------|------------------------------------------------------|--------------|
| VulnGraph    | 343 K CVEs, EPSS, KEV, exploits, ATT&CK graph        | Live (< 3 h) |
| GitHub API   | User profiles, repos, issues, code search            | Live         |
| Web OSINT    | 30+ publications and researcher blogs                | Live         |
| MITRE ATT&CK | Lazarus G0032: 119 relationships                     | Quarterly    |
| Red Asgard   | Contagious Interview C2 mapping                      | Feb 2026     |
| OX Security  | OpenClaw phishing discovery and eleven.js analysis   | Mar 2026     |
| ANY.RUN      | PylangGhost RAT deep malware analysis                | 2026         |
| Silent Push  | Front company identification                         | Apr 2025     |
| Etherscan    | Blockchain wallet forensics                          | Live         |
| Vajra        | Deterministic structural analysis of IOC data        | Local tool   |

Built with Vajra

Vajra is a deterministic semantic reduction engine that analyzes structured data for shape, entropy, anomalies, and cross-field relationships. It was used throughout this investigation to surface findings that traditional tools miss.

What Vajra Found in This Investigation

Malware Obfuscation Fingerprinting -- Vajra parsed the deobfuscated InvisibleFerret source as a 64,462-node AST and discovered that Lazarus obfuscation produces a deterministic structural signature: motif 1c47174c appears at a consistent 2:1 ratio with motif 04898d6f across every nesting layer. This means vajra can identify Lazarus-family malware by structural fingerprint alone, even when code is completely unreadable.

```bash
vajra fingerprint invisibleferret.py --input-format source --lang python
# Motif 1c47174c: 28,314 occurrences  (any file >10K = likely Lazarus)
# Motif 04898d6f: 14,576 occurrences  (ratio holds across all layers)
```

Obfuscation Layer Drift -- Vajra's drift command measured structural evolution across 52 decrypted payload stages, revealing that each layer adds depth but preserves the same motif ratios. Jaccard similarity of 0.41 between stage 2 and stage 52 quantifies how the obfuscation grows.

```bash
vajra drift stage2.py stage52.py --input-format source --lang python
# Similarity: 0.41 (Jaccard)  |  95 paths added  |  28 distribution shifts
```

Campaign Invariant Discovery -- Vajra's invariant analysis proved all three campaign waves share an identical delivery mechanism (conditional entropy H(Y|X) = 0.000), with the only variable being the psychological trigger. The greed vector was sinkholed first; fear and ambition remain active.

```bash
vajra invariants intel/iocs.json
# delivery -> * : H(Y|X) = 0.000, strength = 1.000  (invariant)
# status <-> trigger : strength = 0.579  (partial dependency)
```
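The conditional-entropy test behind that output, written out as an added illustration (this is not vajra's code) over a constructed three-row dataset built from the wave table. `delivery -> *` is read here as "delivery stays fixed whatever field you condition on", i.e. H(delivery | X) = 0 for every X; the `strength` normalisation 1 - H(Y|X)/H(Y) is an assumption, although on this data it reproduces the 0.579 reported for `status -> trigger`.

```python
import math
from collections import Counter
from itertools import permutations

# Constructed sample, one record per wave, values from the wave table above.
# Illustrative only; not the repo's intel/iocs.json.
WAVES = [
    {"wave": 1, "trigger": "greed",    "delivery": "github_mention_share_google", "status": "sinkholed"},
    {"wave": 2, "trigger": "fear",     "delivery": "github_mention_share_google", "status": "active"},
    {"wave": 3, "trigger": "ambition", "delivery": "github_mention_share_google", "status": "active"},
]

def entropy(values):
    """Shannon entropy H(V) in bits of a list of hashable values."""
    n = len(values)
    return -sum(c / n * math.log2(c / n) for c in Counter(values).values())

def conditional_entropy(records, x, y):
    """H(Y|X): uncertainty left in field y once field x is known.
    0.0 means x functionally determines y (an invariant in vajra's terms)."""
    n = len(records)
    h = 0.0
    for xv, cnt in Counter(r[x] for r in records).items():
        h += cnt / n * entropy([r[y] for r in records if r[x] == xv])
    return h

def dependency_strength(records, x, y):
    """Assumed normalisation 1 - H(Y|X)/H(Y): 1.0 = x fully explains y.
    A constant y has nothing left to explain, so it also scores 1.0."""
    hy = entropy([r[y] for r in records])
    if hy == 0.0:
        return 1.0
    return 1.0 - conditional_entropy(records, x, y) / hy

def invariants(records, fields):
    """Score every ordered pair (x, y); flag pairs with H(Y|X) == 0 as invariant.
    Leave unique keys such as 'wave' out of `fields`: a unique key trivially
    determines everything and would flood the report with false invariants."""
    report = {}
    for x, y in permutations(fields, 2):
        h = conditional_entropy(records, x, y)
        report[(x, y)] = (round(h, 3), round(dependency_strength(records, x, y), 3), h == 0.0)
    return report

if __name__ == "__main__":
    for (x, y), (h, s, inv) in invariants(WAVES, ("trigger", "delivery", "status")).items():
        print(f"{x} -> {y}: H(Y|X) = {h:.3f}, strength = {s:.3f}{'  (invariant)' if inv else ''}")
```

Note the asymmetry: trigger determines status exactly (each wave's trigger maps to one status), but status only partly recovers trigger because two waves share "active", which is what the partial 0.579 expresses.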

Fraud-Profile Essence -- Vajra's fraud profile scored and ranked all IOC fields by investigative relevance, surfacing the delivery mechanism invariance and status correlations as top findings.

```bash
vajra essence intel/iocs.json --profile fraud --format markdown
```

Structural Fingerprinting for Tamper Detection -- Every IOC dataset in this repo has a BLAKE3 fingerprint. The same input always produces byte-identical output, making vajra suitable for evidence chains and audit trails.

```bash
vajra fingerprint intel/iocs.json
# Path set:   bab92e58fae01520af8bab684716465ce09d24e7fe4229754f01f4e68771114a
# Typed path: dc8144ca6b3b413aaa7241af8b0572c3e554f24688a1f105ba21c1cc3186da73
# Shape:      a57191d0797f42c553dceec3cac722e6c0095103635f7ebc935637bd69c0f2b2
```

Install Vajra

```bash
cargo install vajra-cli
```

Or build from source: github.com/copyleftdev/vajra


Credits

This package extends the first-hand research of @toxy4ny (KL3FT3Z), Red Team Lead at Hackteam.Red, who was personally targeted in all three waves of this campaign.

| Article                  | Focus                        |
|--------------------------|------------------------------|
| 19-Day A/B Test (main)   | Three-wave campaign overview |
| Fake CVE Wave            | Wave 2 deep dive             |
| OpenClaw Phishing        | Wave 1 deep dive             |

Disclaimer and License

This repository is published exclusively for defensive security purposes. It contains no malware, exploit code, offensive tooling, or PII. Attribution assessments are analytical judgments, not legal conclusions. IOCs have limited shelf life -- verify before blocking. See DISCLAIMER.md for full terms.

Released under the MIT License and TLP:CLEAR for unrestricted defensive use and sharing.
