Lazarus Group rises again, this time with malware-laden fake FOSS
Infosec In Brief: North Korea’s Lazarus Group has changed tactics and is now creating malware-laden open source software.
Software supply chain management vendor Sonatype last week published research in which it claimed that Lazarus Group has created hundreds of “shadow downloads” that appear to be popular open source software development tools but are full of malware.
The company says it found 234 unique malware packages built by Lazarus in the first half of 2025 alone.
“Lazarus has increasingly pivoted from disruption to long-term infiltration, using tailored malware, modular payloads, and infrastructure evasion techniques to achieve persistent access to high-value targets — including the open source software ecosystem,” the company’s researchers wrote.
Lazarus Group’s rap sheet includes the 2014 Sony Pictures hack, the 2016 attack on banks in Bangladesh, and 2017’s WannaCry ransomware attack.
Like many other North Korean operatives, Lazarus Group shifted to cryptocurrency theft. Developers who don’t carefully check downloads appear to be the gang’s latest targets. – Simon Sharwood
MFA mess costs Canucks big bucks
Slow rollout of two-factor authentication has cost the Canadian city of Hamilton CAD$5 million ($3.6m).
In February 2024 the city was crippled for weeks by a ransomware attack that saw criminals demand CAD$18.5 million ($13.4m) in exchange for the decryption keys. The city told them no and then spent CAD$18.4 million ($13.3m) fixing the problem by building a more secure network.
At a town meeting last Wednesday, officials said the city’s insurance company declined to pay out CAD$5 million ($3.6m) in costs, saying that the city had broken the contract by not installing multi-factor authentication across its entire network. In 2022 the insurers required the city to install MFA, and Hamilton commenced a pilot program the following year.
Before the city completed its rollout, the ransomware scum attacked.
“This has been a test of our system and a test of our leadership,” said Mayor Andrea Horwath last Wednesday. “We are not sweeping this under the rug. We are owning it, we’re fixing it and we’re learning from it.”
Cyrus Tehrani, acting chief information officer for the city, disputes the claims that a lack of MFA was to blame for the ransomware attack, as the city faced a “highly sophisticated attack on an external, internet-facing server, gaining unauthorized access to the City of Hamilton systems.”
And there are a couple of upsides to the saga. Firstly, the criminals lost out on their big payday, and secondly, the city’s infrastructure is much more up-to-date, the Mayor said.
“This city needed to change,” she opined. “This city needed to become more modernized. When I got here I felt this was a city time forgot.” We’ll see whether the voters agree.
Bug bounties all round!
Fancy becoming an instant millionaire (before tax)? All you’ll need is to find a zero-click flaw in WhatsApp that allows code execution, fly to Dublin on October 21, and demonstrate it at the latest Pwn2Own competition.
WhatsApp is a focus of this year’s competition, which will pay $500,000 for a single-click crack of Meta’s messaging tool.
Other big money prizes on offer include winning $300,000 to remotely crack an iPhone 16 or a Pixel 9 handset, $150,000 for no-interaction remote code execution on Meta’s Quest 3 and Ray-Ban headsets, and a host of smaller prizes, with a particular focus this year on smart home devices and printers. As ever, if you hack a device you also get to keep it.
Last year over 70 zero-day flaws were demonstrated, and contestants walked away with combined winnings of $1,066,625.
Not to be outdone, this week Microsoft announced increases in the bounties it offers for .NET vulnerabilities. Find something wrong with .NET and ASP.NET Core (including Blazor and Aspire) and you can now win rewards of up to $40,000 for the most serious flaws, up from $30,000 last year.
Redmond was a relative latecomer to the bug bounty crowd, starting its first program in 2013 at the prompting of security maven Katie Moussouris. Microsoft used to be considered one of the worst companies for this sort of thing – making legal threats to researchers and refusing to compensate them for their discoveries. It had publicly vowed in 2008 not to resort to legal threats, and eventually came to see the benefits of paying researchers as well.
Teams touched up
While we’re talking Microsoft, last week it announced that Teams admins will have a slightly easier time of it thanks to some new code.
Teams already has an audit logging system that allows admins to quickly check for suspicious activity such as users who have inappropriate control rights or are sharing material that’s not appropriate given their access privileges.
An improved logging system Microsoft introduced last week added better timestamp monitoring, plus the ability to log screensharing sessions and all who participate in them.
This will be handy for preventing the loss of corporate information, whether to competitors, to corporate espionage, or – of course – as juicy titbits leaked to journalists (hint, hint).
CISA swings hammer of Thorium
The Cybersecurity and Infrastructure Security Agency (CISA) last week released Thorium, a digital forensics tool developed in partnership with Sandia National Laboratories. The tool lets teams massively scale up file analysis and speed up incident response, and can ingest and analyze more than 10 million files per hour.
“Thorium enables teams that frequently analyze files to achieve scalable automation and results indexing within a unified platform,” the agency said. “Analysts can integrate command-line tools as Docker images, filter results using tags and full-text search, and manage access with strict group-based permissions.”
Thorium runs at scale on Kubernetes and ScyllaDB systems and has a strict permissions database that controls who can see its output.
CISA says it’ll be particularly useful for running custom commands for inspecting Docker images, as well as commercial, open source, and proprietary code.
Republicans and Democrats agree on banning stingray scanners
The use of stingray cellphone monitoring towers by US law enforcement could be curtailed if bipartisan legislation introduced in the House and Senate passes.
Stingrays are fake cellphone towers that record the IMEI number and location of any handset in the area. They have been used for nearly a decade, but the tech has sparked concerns that the devices are used to conduct mass surveillance. There have also been multiple reports that unknown entities are using such kit for espionage purposes.
The Cell Site Simulator Warrant Act, introduced by Senators Ron Wyden (D-OR) and Steve Daines (R-MT), and Representatives Ted Lieu (D-CA) and Tom McClintock (R-CA) last Thursday, would require police to get a warrant based on probable cause before using the devices, other than in some emergencies.
If the bill passes, an Inspector General would audit all stingray use, and any judge ruling on a case that relies on stingray data would have to be informed of the technology’s potential flaws. Police would also be limited to collecting only directly relevant data.
“Law enforcement agencies need clear and transparent rules about when it’s acceptable to use stingray phone surveillance, so they can properly investigate crimes without endangering Americans’ privacy or violating their constitutional rights,” Wyden said.
“Our bipartisan bill protects Americans against warrantless stingray surveillance while setting clear rules for law enforcement about when and how they can use these devices.”
The proposed law will also include a $250,000 fine for anyone illegally using stingray devices to spy. Building your own stingray is relatively simple; all it takes is about $1,000-worth of kit and the right software.
The bill includes exceptions for those using homebrewed kit for teaching or legitimate research. ®