Back End News

Kaspersky finds Lazarus APT uses fake cryptogame to target investors


Kaspersky’s Global Research and Analysis Team (GReAT) has discovered that the Lazarus Advanced Persistent Threat (APT) group exploited a Google Chrome zero-day vulnerability in a recent campaign targeting cryptocurrency investors. The lure was a fraudulent cryptogame website built to compromise visitors’ machines and steal their wallet credentials.

According to cybersecurity solutions company Kaspersky, the investigation began in May 2024, when its researchers, analyzing incidents in Kaspersky Security Network telemetry, identified a sophisticated attack using the Manuscrypt malware. Lazarus has used Manuscrypt since 2013 to infiltrate a range of industries; in this case, the targets were cryptocurrency investors worldwide.

“Lazarus took things further by using a fully functional game as cover, exploiting a Google Chrome zero-day vulnerability to infect systems,” said Boris Larin, principal security expert at Kaspersky’s GReAT. “With notorious actors like Lazarus, even a simple click can lead to complete compromise of a personal or corporate network.”

Kaspersky’s findings showed that Lazarus exploited a type confusion bug in V8, the open-source JavaScript engine used by Google Chrome, to run attacker code in the browser; from there the attackers installed spyware, bypassed security controls, and gained unauthorized access to the victim’s system. After Kaspersky reported the issue, Google fixed the vulnerability, tracked as CVE-2024-4947, in Chrome 125 in May 2024. Because V8 is shared by all Chromium-based browsers, users of other Chromium derivatives depended on their own vendor shipping the corresponding update.

A fake cryptogame website that exploited a zero-day vulnerability to install spyware (from Kaspersky)

The attackers used AI-generated imagery and social engineering, including fake social media profiles, to promote the cryptogame. They also approached cryptocurrency influencers, seeking to have them advertise the fake game to their audiences while using the contact as a way to compromise the influencers’ own accounts.

Kaspersky identified a legitimate game that closely resembled the fake cryptogame; the attackers reportedly stole its source code and reused it so the decoy would mimic the original’s design. “The extensive effort shows how far Lazarus is willing to go,” Larin noted, “and underscores the increasing sophistication of their operations.”
