Lazarus Group Intensifies Cyberattacks with Fake Job Offers, Targets Defense and Crypto Sectors
December 20, 2024

The attack chain has extended from one compromised host to another, deploying various payloads like LPEClient, ServiceChanger, and Charamel Loader between February and June 2024.
The VNC applications used included a trojanized version of TightVNC, referred to as 'AmazonVNC.exe', which was delivered through ISO images and ZIP files.
Additionally, a new plugin-based malware called CookiePlus was disguised as a Notepad++ plugin, capable of retrieving and executing payloads from a command-and-control server.
Kaspersky reported that another malware, CookieTime, was also deployed during these attacks, although the specific delivery method remains unknown.
The MISTPEN backdoor was identified in September 2024, capable of deploying additional payloads, including RollMid and a variant of LPEClient.
A legitimate, unmodified UltraVNC executable was abused to sideload a malicious DLL named 'vnclang.dll', which serves as a loader for the MISTPEN backdoor.
The Lazarus Group appears to be enhancing its malware arsenal to evade detection, indicating ongoing development of new malware frameworks.
In 2024, North Korean-linked threat actors stole approximately $1.34 billion across 47 cryptocurrency hacks, a significant increase from $660.50 million in 2023.
The Lazarus Group, linked to North Korea, has been intensifying its cyberattacks, particularly targeting employees in sectors such as defense, aerospace, and cryptocurrency by offering fake job opportunities that lead to malware infections.
These attacks are part of a long-standing campaign known as Operation Dream Job, or NukeSped, which has been active since at least 2020.
Recent operations involved delivering a trojanized VNC utility disguised as a skills assessment for IT positions in aerospace and defense companies.
The frequency of large-scale attacks, particularly those exceeding $50 million, has risen, suggesting an escalation in North Korea's cyber exploitation capabilities.
Summary based on 1 source
Source
The Hacker News • Dec 20, 2024
Lazarus Group Spotted Targeting Nuclear Engineers with CookiePlus Malware