The first time I briefed an executive team on Lazarus Group, I was asked the obvious question: why does a nation-state sanctions-evasion crew care about your Node.js tooling? The answer, which I have repeated many times since, is that Lazarus does not draw the line between espionage, revenue, and disruption the way Western defenders do. A stolen dollar from a cryptocurrency exchange, a backdoored trading application at a hedge fund, and a poisoned npm package on a developer's laptop are all outputs from the same operational machine. Over the past five years, that machine has shifted noticeably toward the software supply chain, and the reasons are worth unpacking for anyone building or shipping code today.
From Bank Heists to Build Systems
Lazarus Group — tracked under overlapping names like HIDDEN COBRA, APT38, ZINC, and Diamond Sleet — first made the front page with the 2014 Sony Pictures destruction and the 2016 Bangladesh Bank SWIFT theft. Those operations were loud, bespoke, and relied heavily on hands-on-keyboard intrusions into victim networks. By 2020 the tradecraft had matured into something far quieter. Instead of breaking into a target, operators started breaking into whoever built the target's software.
The pivot became undeniable in March 2023 when 3CX, a VoIP vendor used by roughly 600,000 organizations, shipped trojanized desktop clients signed with its own certificate. Mandiant's forensics, published on April 20, 2023, traced the root cause back to a single 3CX employee who had installed a backdoored version of X_TRADER, a Trading Technologies application that had itself been compromised by Lazarus. This was the first publicly documented case of a supply chain attack causing another supply chain attack — a cascade that took the industry months to fully map.
The Operational Clusters
Lazarus is not a monolith. When I read CISA advisory AA23-187A or the U.N. Panel of Experts reports, I pay attention to which sub-cluster is being described because their preferred attack surfaces differ.
AppleJeus is the long-running cryptocurrency-focused cluster. Since 2018, operators have published fake trading applications — Celas Trade Pro, JMT Trading, Union Crypto Trader, Kupay Wallet, CoinGoTrade, Dorusio, Ant2Whale, and more recently BloxHolder — onto legitimate-looking websites with convincing branding. Each variant is effectively the same malware wrapped in a new skin, and each targets macOS and Windows developers and traders who download "professional" charting tools.
TraderTraitor, flagged in CISA's April 2022 advisory, took the AppleJeus playbook upmarket, targeting blockchain engineers with trojanized Electron apps like DAFOM and CryptoAIS. These campaigns produced the March 2022 Ronin Network theft of roughly $620 million in ETH and USDC, a heist that began with a LinkedIn recruiter message to an Axie Infinity engineer and a weaponized PDF.
Operation Dream Job, long documented by ClearSky and ESET, is the social engineering layer that often enables the supply chain layer. Lazarus operators pose as recruiters from Lockheed Martin, Boeing, Coinbase, Crypto.com, or Meta, and send target developers "coding challenges" hosted on GitHub or Bitbucket. The repositories contain malicious Node.js packages, npm post-install scripts, or Visual Studio project files that execute on checkout. I have walked two clients through exactly this scenario in the last eighteen months, and in both cases the developer ran the project before mentioning it to anyone.
The npm Pivot
The most quietly alarming shift is the move into open-source registries. Between 2022 and 2024, Phylum, Checkmarx, and Socket have documented dozens of malicious npm packages traced to Lazarus-aligned operators, including campaigns known as Contagious Interview and the ongoing "DPRK it_jobs" cluster. Typical package names mimic legitimate libraries — js-sha3-lib, node-rtsp-stream-jpeg, npmaudit, ethers-provider2, and obscure variants of web3 utilities. The payloads tend to be small loaders that pull a second stage from a command-and-control domain, often hosted on compromised cPanel installations in Southeast Asia.
What makes these campaigns effective is not technical sophistication — the obfuscation is frequently lazy, with base64-encoded strings and eval calls any junior reviewer would flag. It is targeting. Operators seed the packages through specific GitHub repositories linked to fake recruiter personas, so the malicious dependencies reach only the handful of developers actively interviewing for crypto or blockchain roles. The blast radius looks small because it is designed that way.
Tradecraft Patterns I Watch For
After reviewing several Lazarus-adjacent incidents, a few markers keep reappearing in my notes.
First, abuse of legitimate code-signing certificates, often stolen from smaller Taiwanese or South Korean software vendors. The 3CX binaries were signed with a valid 3CX certificate; earlier AppleJeus samples carried certificates such as the Sectigo-issued one for "Celas LLC."
Second, heavy reliance on DLL side-loading using benign host executables — McAfee, SentinelOne, and Microsoft binaries have all been used as launchers for beacons like GoLang's BLINDINGCAN or the more recent COPPERHEDGE variants.
Third, long dwell times in build infrastructure. In the 3CX case, operators sat inside the build pipeline for at least seven months before triggering the trojanized release. Lazarus treats build systems the way most attackers treat domain controllers.
Fourth, a growing comfort with cross-platform targeting. Where older samples were Windows-only, recent Lazarus tooling routinely ships macOS Mach-O and Linux ELF variants in the same campaign, reflecting the reality that modern engineering teams live on all three.
Why Defenders Keep Getting Caught
Part of the problem is perception. Many security teams still classify Lazarus under "APT nation-state" and assume the risk applies only to defense contractors. The reality is that any organization shipping software — particularly anything adjacent to cryptocurrency, fintech, blockchain infrastructure, or enterprise communications — is in scope. The 3CX victims included healthcare, manufacturing, and local government bodies that had no business being in a North Korean target deck, except that they used a popular VoIP client.
The other part is toolchain blindness. Most enterprises I work with have excellent endpoint telemetry on production servers and almost none on developer laptops, CI runners, or package caches. That is precisely the surface Lazarus is attacking. CVE-2023-40044, CVE-2024-21412, and the broader pattern of installer-hijack vulnerabilities in update mechanisms all point at the same gap: the software-delivery path is trusted far more than it should be.
How Safeguard Helps
Safeguard catches Lazarus-style supply chain intrusions by treating every dependency, installer, and build artifact as untrusted until proven otherwise. The platform continuously scans npm, PyPI, and container registries against curated IOCs from the 3CX, AppleJeus, TraderTraitor, and Contagious Interview campaigns, and alerts on packages that match typosquat patterns or ship malicious post-install scripts. Build provenance checks flag unsigned or certificate-anomalous artifacts before they reach production, and developer-endpoint integrations surface suspicious project clones from GitHub repositories associated with known DPRK-linked recruiter personas. Teams using Safeguard get a single pane that ties together SBOM drift, code-signing changes, and registry telemetry — the exact signals Lazarus has consistently exploited when defenders were looking elsewhere.