■■■■□ SectorA01 (Lazarus) employed a highly sophisticated, multi-stage attack chain
beginning with social engineering: an NSIS-based installer posing as the official Deriv trading platform client.
The infection progresses through a multi-language payload chain (NSIS → Electron/JavaScript → Python → .NET). It executes remotely fetched JavaScript dynamically via eval(), resolves its C2 through a Pastebin dead drop backed by 1,000 pre-generated XOR-encrypted URLs, and, rather than bundling an interpreter, downloads and installs the official Python distribution when none is present, a living-off-the-land flavour that lets the payload hide behind a legitimate signed runtime.
Once inside, the malware conducts broad data theft: browser credentials and stored credit-card data, keylogging with clipboard monitoring and exfiltration, and recursive keyword searches for sensitive files (wallet, mnemonic, .env, etc.).
It establishes durable remote access through an AnyDesk backdoor, setting a fixed unattended-access password by overwriting AnyDesk's service.conf, and layers persistence through the Startup folder, scheduled tasks and AnyDesk's own auto-start.
Defense evasion is comprehensive: it disables Windows Defender and the Windows Firewall and adds Defender exclusions, masquerades as the system process RuntimeBroker.exe by naming itself "Runtime Broker.exe" (the genuine binary has no space in its name and lives in System32, so both the stray space and the path are detection points), tampers with PE compile timestamps by setting them to future dates (2070 and 2093), communicates in the final stage exclusively over Tor with a .onion C2 domain, and ships an automatic client-update routine that deletes its own traces to hinder detection and analysis.
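Two of the evasion tricks above leave cheap triage signals on disk: a COFF TimeDateStamp later than the current date, and a file name that collapses to RuntimeBroker.exe but is not the genuine System32 binary. The following is an added example (not code from the NSHC write-up or the referenced tweet) showing both checks in Python. It assumes the only legitimate location of RuntimeBroker.exe is C:\Windows\System32, and the PE bytes it tests against are a constructed header stub, not a sample from the campaign.

```python
"""Triage helpers for two evasion tricks: PE compile timestamps pushed into
the future and a process name imitating RuntimeBroker.exe.
Added example; not code from the referenced analysis."""
import datetime as dt
import struct

UTC = dt.timezone.utc
EPOCH = dt.datetime(1970, 1, 1, tzinfo=UTC)

# Assumption: the only legitimate home of RuntimeBroker.exe is System32.
LEGIT_PATHS = {"runtimebroker.exe": r"c:\windows\system32\runtimebroker.exe"}


def epoch_seconds(year: int, month: int, day: int) -> int:
    """UTC midnight of the given date as seconds since 1970 (fits in the
    unsigned 32-bit PE field until 2106, so 2070 and 2093 are representable)."""
    return int((dt.datetime(year, month, day, tzinfo=UTC) - EPOCH).total_seconds())


def pe_timestamp(data: bytes) -> int:
    """Return the COFF TimeDateStamp of a PE image (unsigned 32-bit)."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ image")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    # COFF header layout: Machine(2) NumberOfSections(2) TimeDateStamp(4) ...
    return struct.unpack_from("<I", data, e_lfanew + 8)[0]


def classify_timestamp(ts: int, now_ts: int, skew: int = 86400) -> str:
    """'zeroed', 'future' (more than `skew` seconds past now) or 'plausible'."""
    if ts == 0:
        return "zeroed"
    if ts > now_ts + skew:
        return "future"
    return "plausible"


def name_masquerade(path: str) -> bool:
    """True when the file name collapses to a protected system binary name but
    is not that exact name (e.g. an inserted space) or sits outside System32."""
    norm = path.replace("/", "\\").lower()
    name = norm.rsplit("\\", 1)[-1]
    collapsed = "".join(name.split())  # drop whitespace: "runtime broker.exe" -> "runtimebroker.exe"
    if collapsed not in LEGIT_PATHS:
        return False
    return name != collapsed or norm != LEGIT_PATHS[collapsed]


def triage(path: str, data: bytes, now_ts: int) -> dict:
    """Combine both checks into one verdict for a file on disk."""
    ts = pe_timestamp(data)
    verdict = classify_timestamp(ts, now_ts)
    masq = name_masquerade(path)
    return {
        "path": path,
        "built": (EPOCH + dt.timedelta(seconds=ts)).isoformat(),
        "timestamp": verdict,
        "masquerade": masq,
        "suspicious": verdict != "plausible" or masq,
    }


def build_stub_pe(timestamp: int) -> bytes:
    """Constructed minimal MZ stub + PE signature + COFF header, for offline
    testing only; it is not a real or runnable executable."""
    dos = bytearray(64)
    dos[0:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 64)  # e_lfanew: PE signature at offset 64
    coff = struct.pack("<HHIIIHH", 0x14C, 1, timestamp, 0, 0, 0, 0x0102)
    return bytes(dos) + b"PE\0\0" + coff


if __name__ == "__main__":
    now_ts = int((dt.datetime.now(UTC) - EPOCH).total_seconds())
    sample = build_stub_pe(epoch_seconds(2093, 1, 1))
    print(triage(r"C:\Users\victim\AppData\Roaming\Runtime Broker.exe", sample, now_ts))
```

Treat a "future" verdict as a lead, not a conviction: binaries built with reproducible-build flags (MSVC /Brepro) carry a hash in TimeDateStamp rather than a real build time, so some legitimate Microsoft components also show nonsense dates. The name check is the stronger signal here, since nothing legitimate should ever run as "Runtime Broker.exe" with a space, or as RuntimeBroker.exe from a user-writable directory.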
https://medium.com/@nshcthreatrecon/a-tsunami-sweeping-the-cyber-battlefield-analysis-of-sectora01s-hacking-activities-e4d006baae2f
https://x.com/blackorbird/status/1994001509944840678
