Lazarus Group Spotted Targeting Nuclear Engineers with CookiePlus Malware 
The Lazarus Group, a North Korean-linked cyber threat actor, has conducted a sophisticated attack targeting nuclear-related organizations. Employing a revamped infection chain, the group deployed a modular backdoor dubbed CookiePlus during these attacks, which occurred in January 2024 as part of the long-running Operation Dream Job campaign, also known as NukeSped.
Operation Dream Job, active since at least 2020, relies on social engineering: targets, often in sectors such as defense, aerospace, or cryptocurrency, are approached with enticing job offers. These lures are used to deliver malware, and recent activity has centered on trojanized remote-access tools such as TightVNC and UltraVNC. The attackers disguised the malicious VNC utilities under names such as "AmazonVNC.exe" and bundled them with additional payloads to compromise systems.
Kaspersky's analysis shows that the infection chain begins with the distribution of archives containing the trojanized software. For instance, a malicious DLL named "vnclang.dll" is used to load MISTPEN, a backdoor capable of deploying further payloads such as RollMid and LPEClient. Kaspersky also identified a newer module, CookiePlus. Delivered via loaders such as Charamel Loader and ServiceChanger, CookiePlus acts as a downloader that retrieves encrypted and encoded payloads from command-and-control (C2) servers; it can collect system information and execute shellcode while evading detection.
CookiePlus appears to have evolved from earlier malware such as MISTPEN, with which it shares notable behavioral similarities. Its design reflects the Lazarus Group's continued investment in modular malware frameworks and in techniques for bypassing security controls. For example, CookiePlus has been disguised as legitimate software, such as a Notepad++ plugin, or delivered through frameworks like DirectX-Wrappers.
Lazarus Group’s broader activities extend beyond espionage. According to Chainalysis, North Korean-affiliated threat actors stole $1.34 billion in cryptocurrency in 2024 across 47 hacks, nearly doubling the previous year’s figures. This escalation includes major breaches, such as a $305 million theft from the DMM Bitcoin exchange in Japan. The increasing frequency and scale of these attacks underline the group’s growing capabilities in both monetary theft and cyber-espionage operations.