Chollima Synthetic Interview Operation


Tags: Lazarus, Chollima, deepfake, Web3
Chollima Synthetic Interview Operation used fabricated resumes and real-time AI face filters to pose as job candidates and obtain positions at cryptocurrency and Web3 companies. Operators joined video interviews over VPNs and residential IP addresses, and the live face-swapping left clearly visible deepfake artifacts on the calls. After the interviews, the operators deleted their online profiles. The objective is insider access for espionage and financial theft.

Indicators of Compromise

No domains found for this campaign

APT Groups (1)

Lazarus Group (KP)

Summary of Actor: Lazarus Group is a highly sophisticated, state-sponsored threat actor attributed to North Korea. The APT38 designation is often applied to the group as a whole, although Mandiant uses APT38 for its financially motivated unit, also tracked as BlueNoroff (see related groups below). The group is known for cyber espionage, financially motivated attacks, and disruptive cyber operations targeting industries worldwide. Active since at least 2009, Lazarus has been responsible for major financial heists, intellectual property theft, and destructive malware campaigns.

General Features:
Nation-State Backing: Strongly linked to the North Korean government, likely operating under the Reconnaissance General Bureau (RGB).
Advanced Tactics: Custom malware, zero-day exploits, supply chain attacks, and sophisticated social engineering.
Diverse Targeting: Initially focused on government and military espionage; now predominantly targets financial institutions, cryptocurrency exchanges, blockchain-related firms, and high-value enterprises.
Evasion Capabilities: Multi-stage attacks, obfuscation techniques, and legitimate tools to evade detection and maintain persistence.

Related Other Groups: Reaper (APT37), Kimsuky, Andariel, BlueNoroff (APT38)

Indicators of Attack (IoA):
Spear-phishing and social engineering
Custom malware and exploits
Compromise of supply chains and software updates
Command-and-control (C2) infrastructure
Cryptocurrency theft and laundering

Recent Activities and Trends:
Latest Campaigns: ByBit cryptocurrency exchange attack; ransomware and supply chain attacks; advanced blockchain attacks
Emerging Trends: Increased focus on financial cybercrime; use of AI for social engineering and phishing; targeting of cybersecurity and threat intelligence firms

Aliases: Nickel Academy, CTG-2460, Black Artemis, Moonstone Sleet, Stressed Pungsan, Storm-1789, Covellite

Campaign Guidance

Remediation, mitigation, notes, history and related intelligence

REMEDIATION

T1589 - Gather Victim Identity Information

Detection DET0841: Detection of Gather Victim Identity Information
AN1973: Monitor for suspicious network traffic that could indicate probing for user information, such as large or iterative volumes of authentication requests originating from a single source (especially if the source is known to be associated with an adversary or botnet). Analyzing web metadata may also reveal artifacts attributable to potentially malicious activity, such as the HTTP/S Referer or User-Agent fields.
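One way to implement AN1973 over web-server access logs, as an added example that is not part of the original page: group authentication requests by source IP, measure the largest burst inside a sliding window, and enrich each source with the failure count and the Referer/User-Agent signals the analytic mentions. The log lines are constructed in Apache/Nginx combined-log format; the endpoint list, the 60-second window and the threshold of five requests are assumptions to tune per site.

```python
"""Added example for analytic AN1973 (T1589): find sources iterating an
authentication endpoint. Not from the original page. Log lines are constructed
in Apache/Nginx combined-log format; endpoint list and thresholds are assumptions."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+)[^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)
AUTH_PATHS = ("/login", "/api/auth", "/oauth/token")   # assumed authentication endpoints
SCRIPTED_UA = re.compile(r"python-requests|curl/|go-http-client|libwww|^-$", re.I)

# Constructed sample: 203.0.113.9 iterates /login with a scripting user-agent
# and no referer; 198.51.100.4 is an ordinary user who mistypes a password once.
SAMPLE_LOG = """\
203.0.113.9 - - [10/Mar/2025:09:00:01 +0000] "POST /login HTTP/1.1" 401 512 "-" "python-requests/2.31"
203.0.113.9 - - [10/Mar/2025:09:00:02 +0000] "POST /login HTTP/1.1" 401 512 "-" "python-requests/2.31"
203.0.113.9 - - [10/Mar/2025:09:00:03 +0000] "POST /login HTTP/1.1" 401 512 "-" "python-requests/2.31"
203.0.113.9 - - [10/Mar/2025:09:00:04 +0000] "POST /login HTTP/1.1" 401 512 "-" "python-requests/2.31"
203.0.113.9 - - [10/Mar/2025:09:00:05 +0000] "POST /login HTTP/1.1" 401 512 "-" "python-requests/2.31"
203.0.113.9 - - [10/Mar/2025:09:00:06 +0000] "POST /login HTTP/1.1" 200 1024 "-" "python-requests/2.31"
198.51.100.4 - - [10/Mar/2025:09:02:10 +0000] "POST /login HTTP/1.1" 401 512 "https://example.test/login" "Mozilla/5.0 (Windows NT 10.0; Win64; x64)"
198.51.100.4 - - [10/Mar/2025:09:02:31 +0000] "POST /login HTTP/1.1" 200 1024 "https://example.test/login" "Mozilla/5.0 (Windows NT 10.0; Win64; x64)"
198.51.100.4 - - [10/Mar/2025:09:02:32 +0000] "GET /dashboard HTTP/1.1" 200 4096 "https://example.test/login" "Mozilla/5.0 (Windows NT 10.0; Win64; x64)"
"""


def parse_line(line):
    """Parse one combined-log line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    rec["status"] = int(rec["status"])
    return rec


def max_in_window(times, window):
    """Largest number of events that fall inside any interval of length `window`."""
    times = sorted(times)
    best = lo = 0
    for hi, t in enumerate(times):
        while t - times[lo] > window:
            lo += 1
        best = max(best, hi - lo + 1)
    return best


def find_probing_sources(log_text, window=timedelta(seconds=60), threshold=5):
    """Return {ip: evidence} for sources whose auth-endpoint traffic looks like probing."""
    per_ip = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and rec["path"].startswith(AUTH_PATHS):
            per_ip[rec["ip"]].append(rec)
    alerts = {}
    for ip, recs in per_ip.items():
        burst = max_in_window([r["ts"] for r in recs], window)
        failures = sum(1 for r in recs if r["status"] in (401, 403))
        scripted = any(SCRIPTED_UA.search(r["ua"]) for r in recs)
        no_referer = sum(1 for r in recs if r["referer"] in ("", "-"))
        # Either a burst, or repeated failures from a non-browser client.
        if burst >= threshold or (failures >= 3 and scripted):
            alerts[ip] = {"burst": burst, "failures": failures,
                          "scripted_ua": scripted, "no_referer": no_referer}
    return alerts


if __name__ == "__main__":
    for ip, evidence in find_probing_sources(SAMPLE_LOG).items():
        print(ip, evidence)
```

The burst count is computed per source with a sliding window rather than a fixed minute bucket, so a burst that straddles a minute boundary is not halved. Join the alerting sources against your threat-intel feed (the "known adversary/botnet" part of the analytic) before paging anyone.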


T1656 - Impersonation

Detection DET0286: Detection Strategy for Impersonation
AN0792: Monitor for anomalous email activity originating from Windows-hosted applications (e.g., Outlook) where the sending account name or display name does not match the underlying SMTP address. Detect abnormal volume of outbound messages containing sensitive keywords (e.g., 'payment', 'wire transfer') or anomalous login locations for accounts associated with email sending activity.
AN0793: Monitor mail server logs (Postfix, Sendmail, Exim) for anomalous From headers mismatching authenticated SMTP identities. Detect abnormal relay attempts, spoofed envelope-from values, or large-scale outbound campaigns targeting internal users.
AN0794: Monitor Mail.app activity or unified logs for anomalous SMTP usage, including mismatches between display name and authenticated AppleID or Exchange credentials. Detect use of third-party mail utilities that attempt to send on behalf of corporate identities.
AN0795: Monitor SaaS mail platforms (Google Workspace, M365, Okta-integrated apps) for SendAs/SendOnBehalfOf operations where the delegated permissions are unusual or newly granted. Detect impersonation attempts where adversaries configure rules to auto-forward or auto-reply with impersonated content.
AN0796: Monitor Office Suite applications (Outlook, Word mail merge, Excel macros) for abnormal automated message sending, especially when macros or scripts trigger email delivery. Detect patterns of impersonation language (urgent, payment, executive request) combined with anomalous execution of Office macros.
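The header checks behind AN0792 and AN0793, as an added example that is not part of the original page: parse a message, compare the From address with the identity that authenticated to the submission server, look for an address smuggled into the display name, flag a Reply-To that leaves the From domain, and score the pressure language the analytics list. The three messages are constructed. The "(Authenticated sender: ...)" comment in the Received header is the shape Postfix writes when smtpd_sasl_authenticated_header is enabled; other MTAs record the authenticated identity differently, so that regex is an assumption to adapt.

```python
"""Added example for AN0792/AN0793 (T1656): impersonation checks on one mail.
Not from the original page; messages are constructed, and the Received-header
format assumes Postfix with smtpd_sasl_authenticated_header = yes."""
import re
from email import policy
from email.parser import BytesParser
from email.utils import parseaddr

AUTH_SENDER_RE = re.compile(r"\(Authenticated sender:\s*([^)\s]+)\)", re.I)
ADDR_IN_NAME_RE = re.compile(r"[\w.+-]+@[\w.-]+")
PRESSURE_WORDS = ("urgent", "wire transfer", "payment", "gift card", "invoice")

# Constructed: a corporate account (mallory) submits mail as the CEO with an
# external Reply-To, the classic internal impersonation AN0793 describes.
SAMPLE_INTERNAL = b"""\
Received: from laptop.lan (203.0.113.7) (Authenticated sender: mallory@corp.test)
\tby mail.corp.test (Postfix) with ESMTPSA id 4ABC123; Mon, 10 Mar 2025 09:01:02 +0000
From: "Jane Doe" <jane.doe@corp.test>
Reply-To: <jane.doe.ceo@mail-example.net>
To: finance@corp.test
Subject: Urgent wire transfer

Please process the payment today, I'm in a meeting and cannot talk.
"""

# Constructed: inbound display-name spoof, the corporate address is only in the name.
SAMPLE_INBOUND = b"""\
Received: from mx.mail-example.net (198.51.100.20)
\tby mail.corp.test (Postfix) with ESMTPS id 4ABC124; Mon, 10 Mar 2025 09:05:00 +0000
From: "jane.doe@corp.test" <jdoe.exec@mail-example.net>
To: finance@corp.test
Subject: Invoice approval

Need this invoice paid before noon.
"""

# Constructed: ordinary authenticated mail, no findings expected.
SAMPLE_CLEAN = b"""\
Received: from laptop.lan (203.0.113.8) (Authenticated sender: alice@corp.test)
\tby mail.corp.test (Postfix) with ESMTPSA id 4ABC125; Mon, 10 Mar 2025 09:10:00 +0000
From: Alice Example <alice@corp.test>
To: team@corp.test
Subject: Standup notes

Minutes from this morning's standup are on the wiki.
"""


def _domain(addr):
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def authenticated_sender(msg):
    """Identity that authenticated to our submission server, or None for inbound mail."""
    for hdr in msg.get_all("Received", []):
        m = AUTH_SENDER_RE.search(str(hdr))
        if m:
            return m.group(1).lower()
    return None


def analyse_message(raw):
    """Return the impersonation findings and pressure keywords for one raw message."""
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    from_name, from_addr = parseaddr(str(msg.get("From", "")))
    from_addr = from_addr.lower()
    findings = []
    auth = authenticated_sender(msg)
    if auth and auth != from_addr:                       # AN0793: From vs SASL identity
        findings.append(f"authenticated as {auth} but From is {from_addr}")
    embedded = ADDR_IN_NAME_RE.search(from_name or "")   # AN0792: display name vs address
    if embedded and embedded.group(0).lower() != from_addr:
        findings.append(f"display name carries {embedded.group(0)} but address is {from_addr}")
    _, reply_to = parseaddr(str(msg.get("Reply-To", "")))
    if reply_to and _domain(reply_to) != _domain(from_addr):
        findings.append(f"Reply-To {reply_to} leaves the From domain {_domain(from_addr)}")
    body = msg.get_body(preferencelist=("plain",))
    text = (str(msg.get("Subject", "")) + " " + (body.get_content() if body else "")).lower()
    keywords = [w for w in PRESSURE_WORDS if w in text]
    severity = "high" if findings and keywords else "medium" if findings else "low"
    return {"from": from_addr, "auth": auth, "findings": findings,
            "keywords": keywords, "severity": severity}


if __name__ == "__main__":
    for sample in (SAMPLE_INTERNAL, SAMPLE_INBOUND, SAMPLE_CLEAN):
        print(analyse_message(sample))
```

Keyword hits alone never raise an alert here; they only escalate a header mismatch, which keeps routine finance mail out of the queue. The volume-based part of AN0792 (many such messages from one account) is a count over this function's output per sender.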


T1078 - Valid Accounts

Detection DET0560: Detection of Valid Account Abuse Across Platforms
AN1543: Detection of compromised or misused valid accounts via anomalous logon patterns, abnormal logon types, and inconsistent geographic or time-based activity across Windows endpoints.
AN1544: Detection of valid account misuse through SSH logins, sudo/su abuse, and service account anomalies outside expected patterns.
AN1545: Detection of interactive and remote logins by service accounts or users at unusual times, with unexpected child process activity.
AN1546: Detection of valid account abuse in IdP logs via geographic anomalies, impossible travel, risky sign-ins, and multiple MFA attempts or failures.
AN1547: Detection of containerized service accounts or compromised kubeconfigs being used for cluster access from unexpected nodes or IPs.
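The two IdP-log checks in AN1546, impossible travel and repeated MFA prompts, as an added example that is not part of the original page. Sign-in events are constructed; the latitude/longitude on each event is assumed to come from GeoIP enrichment of the source IP, and the 900 km/h ceiling, the five-prompt threshold and the ten-minute window are assumptions. The same speed test also covers the "inconsistent geographic activity" part of AN1543 when fed Windows logon events with a resolved source location.

```python
"""Added example for AN1546 (T1078): impossible travel and MFA-prompt fatigue
over IdP sign-in events. Not from the original page; events are constructed and
lat/lon are assumed to be GeoIP enrichment of the source IP."""
import math
from collections import defaultdict
from datetime import datetime, timedelta

MAX_KMH = 900.0                      # assumed: faster than airline travel is impossible
MFA_DENIALS = 5                      # assumed: denied/expired prompts before we alert
MFA_WINDOW = timedelta(minutes=10)   # assumed: window for counting those prompts

# Constructed sample events (shape loosely follows an IdP sign-in log after enrichment).
SAMPLE_EVENTS = [
    {"user": "alice", "ts": "2025-03-10T09:00:00+00:00", "ip": "203.0.113.5",
     "lat": 51.5074, "lon": -0.1278, "result": "success", "mfa": "ok"},       # London
    {"user": "alice", "ts": "2025-03-10T10:30:00+00:00", "ip": "198.51.100.77",
     "lat": 1.3521, "lon": 103.8198, "result": "success", "mfa": "ok"},       # Singapore, 90 min later
    {"user": "bob", "ts": "2025-03-10T09:00:00+00:00", "ip": "203.0.113.6",
     "lat": 51.5074, "lon": -0.1278, "result": "success", "mfa": "ok"},       # London
    {"user": "bob", "ts": "2025-03-10T12:00:00+00:00", "ip": "203.0.113.40",
     "lat": 53.4808, "lon": -2.2426, "result": "success", "mfa": "ok"},       # Manchester, 3 h later
] + [
    {"user": "carol", "ts": f"2025-03-10T11:0{i}:00+00:00", "ip": "192.0.2.9",
     "lat": 40.7128, "lon": -74.0060, "result": "failure", "mfa": "denied"}
    for i in range(6)                                                         # six denied pushes in 5 min
]


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance in kilometres between two WGS84 points."""
    r = 6371.0
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dphi = math.radians(lat2 - lat1)
    dlmb = math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlmb / 2) ** 2
    return 2 * r * math.asin(math.sqrt(a))


def _ts(e):
    return datetime.fromisoformat(e["ts"])


def impossible_travel(events, max_kmh=MAX_KMH):
    """Consecutive successful sign-ins per user whose implied speed exceeds max_kmh."""
    by_user = defaultdict(list)
    for e in events:
        if e["result"] == "success":
            by_user[e["user"]].append(e)
    alerts = []
    for user, evs in by_user.items():
        evs.sort(key=_ts)
        for a, b in zip(evs, evs[1:]):
            km = haversine_km(a["lat"], a["lon"], b["lat"], b["lon"])
            hours = (_ts(b) - _ts(a)).total_seconds() / 3600
            if km > 0 and (hours == 0 or km / hours > max_kmh):
                alerts.append({"user": user, "from_ip": a["ip"], "to_ip": b["ip"],
                               "km": round(km), "hours": round(hours, 2)})
    return alerts


def mfa_fatigue(events, threshold=MFA_DENIALS, window=MFA_WINDOW):
    """Users who denied or let expire `threshold` MFA prompts inside one `window`."""
    by_user = defaultdict(list)
    for e in events:
        if e.get("mfa") in ("denied", "timeout"):
            by_user[e["user"]].append(_ts(e))
    flagged = []
    for user, times in by_user.items():
        times.sort()
        lo = 0
        for hi, t in enumerate(times):
            while t - times[lo] > window:
                lo += 1
            if hi - lo + 1 >= threshold:
                flagged.append(user)
                break
    return flagged


if __name__ == "__main__":
    print(impossible_travel(SAMPLE_EVENTS))
    print(mfa_fatigue(SAMPLE_EVENTS))
```

Corporate VPN egress points and mobile carriers geolocate poorly, so in production the speed check should run on the enriched location only after known VPN/proxy ranges are excluded, otherwise every remote worker trips it.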


T1090.001 - Internal Proxy

Detection DET0075: Internal Proxy Behavior via Lateral Host-to-Host C2 Relay
AN0204: Anomalous process (e.g., rundll32, svchost, cmd) initiates connections to internal peer hosts not seen in typical communication baselines, used to proxy or forward traffic internally, often using SMB, RPC, or high ports.
AN0205: socat, ssh, iptables, or ncat invoked from user space or cron jobs to create port forwarding, reverse shells, or inter-host tunnels between compromised Linux systems. Behavior is typically paired with socket activity and high entropy traffic.
AN0206: Execution of AppleScript or Automator services launching ssh -L, socat, or launchctl items that dynamically reroute traffic from one Mac endpoint to another. LaunchAgents used to establish permanent internal tunnels.
AN0207: ESXi shell execution of tools/scripts (nc, socat, perl) relaying network traffic to other internal hosts, especially when initiated by unauthorized users or VMs.
AN0208: Configuration of internal NAT or proxy rules that redirect traffic between client segments internally (e.g., site-to-site port forwarding). Often used to relay internal beaconing or move traffic laterally through trust zones.
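The baseline comparison in AN0204, as an added example that is not part of the original page: learn which internal destinations each (host, process) pair normally talks to, then flag new internal peers when the process is relay-capable, is an svchost.exe running outside System32, or uses an SMB/RPC/WinRM port or a high port. Events are constructed with the fields of a Sysmon Event ID 3 NetworkConnect record; the tool list, port sets and the svchost path rule are assumptions.

```python
"""Added example for DET0075/AN0204 (T1090.001): flag processes opening
internal host-to-host connections that a learned baseline has never seen.
Not from the original page; events are constructed and the heuristics are assumptions."""
import ipaddress
from collections import defaultdict

RELAY_TOOLS = {"rundll32.exe", "cmd.exe", "powershell.exe", "netsh.exe",
               "socat", "ssh", "ncat", "nc"}                 # assumed relay-capable names
LATERAL_PORTS = {135, 139, 445, 5985, 5986}                  # RPC, NetBIOS, SMB, WinRM
SYSTEM32 = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")

# Constructed learning-period events: normal internal destinations per process.
BASELINE_EVENTS = [
    {"host": "ws01", "image": "C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe",
     "dst_ip": "10.0.0.5", "dst_port": 443},
    {"host": "ws01", "image": "C:\\Program Files\\Microsoft Office\\root\\Office16\\OUTLOOK.EXE",
     "dst_ip": "10.0.0.10", "dst_port": 443},
    {"host": "ws02", "image": "C:\\Windows\\System32\\svchost.exe",
     "dst_ip": "10.0.0.1", "dst_port": 53},
]

# Constructed detection-period events.
DETECT_EVENTS = [
    {"host": "ws01", "image": "C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe",
     "dst_ip": "10.0.0.5", "dst_port": 443},                  # in baseline
    {"host": "ws01", "image": "C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe",
     "dst_ip": "93.184.216.34", "dst_port": 443},             # external, out of scope here
    {"host": "ws01", "image": "C:\\Windows\\System32\\rundll32.exe",
     "dst_ip": "10.0.1.22", "dst_port": 445},                 # new peer over SMB from rundll32
    {"host": "ws02", "image": "C:\\Users\\bob\\AppData\\Local\\Temp\\svchost.exe",
     "dst_ip": "10.0.1.23", "dst_port": 50050},               # fake svchost, high port
    {"host": "ws02", "image": "C:\\Windows\\System32\\svchost.exe",
     "dst_ip": "10.0.0.2", "dst_port": 53},                   # new but benign-looking DNS server
]


def basename(image):
    return image.replace("\\", "/").rsplit("/", 1)[-1].lower()


def is_internal(ip):
    return ipaddress.ip_address(ip).is_private


def learn_baseline(events):
    """(host, process name) -> set of internal destinations seen in the learning window."""
    base = defaultdict(set)
    for e in events:
        if is_internal(e["dst_ip"]):
            base[(e["host"], basename(e["image"]))].add(e["dst_ip"])
    return base


def detect_internal_proxy(events, baseline):
    """Return alerts for new internal peers reached by relay-shaped processes."""
    alerts = []
    for e in events:
        name = basename(e["image"])
        if not is_internal(e["dst_ip"]):
            continue                                   # external egress is another analytic
        if e["dst_ip"] in baseline.get((e["host"], name), set()):
            continue                                   # known peer for this process
        reasons = []
        if name in RELAY_TOOLS:
            reasons.append("relay-capable process")
        if name == "svchost.exe" and not e["image"].lower().startswith(SYSTEM32):
            reasons.append("svchost outside System32")
        if e["dst_port"] in LATERAL_PORTS:
            reasons.append(f"lateral-movement port {e['dst_port']}")
        elif e["dst_port"] >= 49152:
            reasons.append("high/ephemeral destination port")
        if reasons:
            alerts.append({"host": e["host"], "image": e["image"], "dst_ip": e["dst_ip"],
                           "dst_port": e["dst_port"], "reasons": reasons})
    return alerts


if __name__ == "__main__":
    for alert in detect_internal_proxy(DETECT_EVENTS, learn_baseline(BASELINE_EVENTS)):
        print(alert)
```

A brand-new internal destination on its own is not an alert (the legitimate svchost talking to a second DNS server stays quiet); it has to coincide with a relay-shaped process or port. Keying the baseline on the process name as well as the host is what makes rundll32 reaching a workstation over 445 stand out even on a host that routinely talks to that subnet.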


T1036 - Masquerading

Detection DET0127: Behavioral Detection of Masquerading Across Platforms via Metadata and Execution Discrepancy
AN0355: Adversary renames LOLBINs or deploys binaries with spoofed file names, internal PE metadata, or misleading icons to appear legitimate. File creation is followed by execution or service registration inconsistent with known usage.
AN0356: Adversary drops renamed binaries in uncommon directories (e.g., /tmp, /dev/shm) or uses special characters in names (e.g., trailing space, Unicode RLO). Execution or cronjob registration follows shortly after file drop.
AN0357: Adversary creates disguised launch daemons or apps with misleading names and bundle metadata (e.g., Info.plist values inconsistent with binary path or icon). Launch is correlated with user logon or persistence setup.
AN0358: Adversary uses renamed container images, injects files into containers with misleading names or metadata (e.g., renamed system binaries), and executes them during startup or scheduled jobs.
AN0359: Adversary places scripts or binaries with misleading names in /etc/rc.local.d or /var/spool/cron, or registers services with legitimate-sounding names not present in default ESXi builds.
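The name and metadata discrepancies in AN0355 and AN0356, as an added example that is not part of the original page: a single check that flags bidi control characters (the Unicode RLO trick), trailing or padded whitespace, document-looking names with an executable extension, well-known system binary names outside their home directory, executables in Linux staging directories, and an on-disk name that differs from the PE OriginalFilename. The sample paths are constructed; the expected-directory table and the staging-directory list are assumptions to extend, and the OriginalFilename value is passed in by the caller (whatever read the PE version resource) rather than parsed here.

```python
"""Added example for DET0127 (T1036): filename and metadata checks for
masquerading. Not from the original page; sample paths are constructed and the
expected-directory and staging-directory tables are assumptions."""
import re

BIDI_CONTROLS = set("\u202a\u202b\u202c\u202d\u202e\u2066\u2067\u2068\u2069")
# Where a binary with this name is expected to live (assumed table, extend per estate).
EXPECTED_DIRS = {
    "svchost.exe": ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\"),
    "lsass.exe": ("c:\\windows\\system32\\",),
    "rundll32.exe": ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\"),
    "explorer.exe": ("c:\\windows\\",),
}
STAGING_DIRS = ("/tmp/", "/dev/shm/", "/var/tmp/")
DOUBLE_EXT = re.compile(
    r"\.(pdf|docx?|xlsx?|pptx?|txt|jpe?g|png)\s*\.(exe|scr|com|pif|js|vbs|bat)$", re.I)

# Constructed samples: (path on disk, PE OriginalFilename if known).
SAMPLES = [
    ("C:\\Users\\bob\\Downloads\\report\u202efdp.scr", None),          # renders as report rcs.pdf
    ("C:\\Users\\bob\\AppData\\Roaming\\svchost.exe", "updater.exe"),   # system name, wrong place
    ("C:\\Users\\bob\\Downloads\\statement.pdf                .exe", None),
    ("/dev/shm/.x/kworker", None),                                      # kernel-thread name in shm
    ("/tmp/sshd ", None),                                               # trailing space
    ("C:\\Windows\\System32\\svchost.exe", "svchost.exe"),              # genuine
]


def basename(path):
    return path.replace("\\", "/").rsplit("/", 1)[-1]


def check_path(path, pe_original_name=None):
    """Return the list of masquerading indicators for one on-disk path."""
    name = basename(path)
    low = name.lower()
    win = path.lower().replace("/", "\\")
    reasons = []
    if any(c in BIDI_CONTROLS for c in name):
        reasons.append("bidi control character in name (RLO-style extension spoofing)")
    elif any(ord(c) > 127 for c in name):
        reasons.append("non-ASCII character in name (possible homoglyph)")
    if name != name.rstrip():
        reasons.append("trailing whitespace in name")
    elif re.search(r"\s{2,}", name):
        reasons.append("padded whitespace hides the real extension")
    if DOUBLE_EXT.search(name):
        reasons.append("document-looking name with executable extension")
    if low in EXPECTED_DIRS and not win.startswith(EXPECTED_DIRS[low]):
        reasons.append(f"{low} outside its expected directory")
    if path.startswith(STAGING_DIRS):
        reasons.append("executable placed in a staging directory")
    if pe_original_name and pe_original_name.lower() != low:
        reasons.append(f"on-disk name differs from PE OriginalFilename {pe_original_name}")
    return reasons


def scan(samples):
    """Map each flagged path to its indicators; clean paths are omitted."""
    results = {}
    for path, original in samples:
        reasons = check_path(path, original)
        if reasons:
            results[path] = reasons
    return results


if __name__ == "__main__":
    for path, reasons in scan(SAMPLES).items():
        print(repr(path), reasons)
```

Run this on file-creation events and join the result with the execution or service-registration event that follows, which is the "inconsistent with known usage" half of AN0355; the name checks alone produce a candidate list, not a verdict. The OriginalFilename comparison is the cheapest way to catch a renamed LOLBIN, since renaming the file does not touch the version resource.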

Reports & References (1)

Observed Countries (250)

AD (817)
AE (355)
AF (944)
AG (68)
AI (600)
AL (903)
AM (628)
AO (195)
AQ (607)
AR (761)
AS (928)
AT (237)
AU (923)
AW (416)
AX (476)
AZ (507)
BA (40)
BB (809)
BD (14)
BE (736)
BF (347)
BG (74)
BH (585)
BI (695)
BJ (394)
BL (718)
BM (650)
BN (907)
BO (777)
BQ (152)
BR (766)
BS (208)
BT (435)
BV (800)
BW (432)
BY (531)
BZ (151)
CA (907)
CC (810)
CD (925)
CF (684)
CG (923)
CH (852)
CI (675)
CK (790)
CL (554)
CM (585)
CN (284)
CO (179)
CR (206)
CU (387)
CV (8)
CW (735)
CX (61)
CY (96)
CZ (771)
DE (81)
DJ (211)
DK (223)
DM (442)
DO (531)
DZ (317)
EC (561)
EE (138)
EG (393)
EH (152)
ER (459)
ES (56)
ET (722)
FI (95)
FJ (25)
FK (664)
FM (973)
FO (493)
FR (70)
GA (330)
GB (257)
GD (646)
GE (876)
GF (424)
GG (612)
GH (490)
GI (372)
GL (510)
GM (614)
GN (125)
GP (485)
GQ (725)
GR (141)
GS (650)
GT (848)
GU (276)
GW (428)
GY (815)
HK (946)
HM (604)
HN (166)
HR (672)
HT (786)
HU (693)
ID (171)
IE (261)
IL (471)
IM (703)
IN (296)
IO (495)
IQ (795)
IR (885)
IS (595)
IT (246)
JE (209)
JM (996)
JO (840)
JP (117)
KE (738)
KG (594)
KH (694)
KI (225)
KM (976)
KN (725)
KP (823)
KR (659)
KW (1)
KY (699)
KZ (867)
LA (693)
LB (129)
LC (878)
LI (584)
LK (675)
LR (489)
LS (894)
LT (454)
LU (566)
LV (768)
LY (623)
MA (15)
MC (378)
MD (854)
ME (181)
MF (603)
MG (917)
MH (522)
MK (911)
ML (841)
MM (74)
MN (260)
MO (51)
MP (559)
MQ (726)
MR (530)
MS (966)
MT (183)
MU (557)
MV (966)
MW (850)
MX (1)
MY (977)
MZ (473)
NA (360)
NC (68)
NE (796)
NF (919)
NG (669)
NI (40)
NL (371)
NO (122)
NP (142)
NR (734)
NU (880)
NZ (138)
OM (570)
PA (642)
PE (937)
PF (322)
PG (652)
PH (611)
PK (587)
PL (774)
PM (336)
PN (153)
PR (147)
PS (979)
PT (157)
PW (785)
PY (578)
QA (787)
RE (345)
RO (98)
RS (634)
RU (748)
RW (779)
SA (65)
SB (389)
SC (475)
SD (647)
SE (555)
SG (6)
SH (683)
SI (924)
SJ (582)
SK (76)
SL (877)
SM (805)
SN (227)
SO (65)
SR (780)
SS (742)
ST (885)
SV (949)
SX (142)
SY (612)
SZ (666)
TC (851)
TD (946)
TF (478)
TG (347)
TH (407)
TJ (671)
TK (333)
TL (330)
TM (19)
TN (717)
TO (880)
TR (936)
TT (240)
TV (243)
TW (823)
TZ (491)
UA (623)
UG (935)
UM (509)
US (891)
UY (700)
UZ (724)
VA (988)
VC (174)
VE (269)
VG (600)
VI (283)
VN (910)
VU (329)
WF (415)
WS (402)
XK (211)
YE (871)
YT (328)
ZA (768)
ZM (390)
ZW (790)