The PolySwarm Blog

Analyze suspicious files and URLs, at scale, millions of times per day. Get real-time threat intel from a crowdsourced network of security experts and antivirus companies competing to protect you.

Lazarus Group Targets Crypto With TraderTraitor

Apr 25, 2022 11:26:42 AM / by PolySwarm Tech Team



CISA, FBI, and the US Treasury Department recently released a joint advisory on TraderTraitor, a Lazarus group campaign targeting blockchain companies.

What is TraderTraitor?

According to the advisory, North Korean threat actor groups have been targeting cryptocurrency since at least 2020, with most of the activity perpetrated by Lazarus Group. Victims have included cryptocurrency exchanges, decentralized finance (DeFi) protocols, play-to-earn cryptocurrency games, cryptocurrency trading companies, venture capital funds investing in cryptocurrency, and individual holders of large amounts of cryptocurrency or valuable NFTs.

Lazarus Group used a trojanized cryptocurrency application, dubbed AppleJeus, in a previous campaign targeting cryptocurrency. In the most recent campaign, TTPs included spearphishing, social engineering the victims, and coaxing them to download trojanized cryptocurrency applications belonging to the TraderTraitor family of malware. TraderTraitor is written using cross-platform JavaScript code with the Node.js runtime environment using the Electron framework. In the advisory, the agencies identified multiple trojanized applications used in the campaign. These include DAFOM, TokenAIS, CryptAIS, AlticGo, Esilet, and CreAI Deck. Observed payloads included new Mac and Windows versions of the Manuscrypt RAT. Manuscrypt collects system information and can execute arbitrary commands and download additional payloads.

Most of the victims who were targeted held system administrator or DevOps roles. Following the installation of the malicious program, the threat actors obtained access to the victim’s computer, spread malware across the victim’s network environment, exploited multiple security gaps, and stole information, including credentials. Ultimately the threat actors sought to initiate fraudulent blockchain transactions.

Who is Lazarus Group?

Lazarus group, also known as Dark Seoul, Labyrinth Chollima, and APT 38, is a state-sponsored threat actor group likely affiliated with North Korea’s Reconnaissance General Bureau. The group’s members are reportedly trained in Shenyang, China in malware and espionage operations. Lazarus is known for espionage activity, disruptive activity, and financially motivated attacks. Other known Lazarus TTPs include DDoS attacks, wiper malware, botnets, keyloggers, and RATs.

The group’s first known activity was Operation Troy, an espionage campaign targeting the South Korean government as early as 2009. Lazarus group’s espionage activity is in line with intelligence collection requirements for the North Korean government, targeting South Korea, the US, and other nations. Lazarus is thought to be responsible for the 2014 Sony Pictures attack and the 2017 WannaCry ransomware campaign. Lazarus has also targeted banks in Ecuador, Vietnam, Bangladesh, Mexico, Poland, and Taiwan.


PolySwarm has multiple samples associated with the TraderTraitor campaign.


You can use the following CLI command to search for all TraderTraitor samples in our portal: $ polyswarm link list -f TraderTraitor

Don’t have a PolySwarm account? Go
here to sign up for a free Community plan or to subscribe.

Contact us at | Check out our blog | Subscribe to our reports

Topics: Threat Bulletin, North Korea, Lazarus Group, TraderTraitor, Cryptocurrency

PolySwarm Tech Team

Written by PolySwarm Tech Team

Subscribe to Email Updates

Lists by Topic

see all

Posts by Topic

See all

Recent Posts