A Lazarus Group-affiliated attacker targeted BitMEX in May 2025 by posing as a Web3 collaborator on LinkedIn, and reused a malware component known as BeaverTail, a credential-stealing script previously attributed to the group by Palo Alto Networks’ Unit 42.

Claim

Quotes that support claims

This ‘p.zi’ string looked familiar to us as well, even without deobfuscating the code – it is similar to other pieces of malware that have been previously tied to the DPRK and resembles the ‘BeaverTail’ campaign, originally described by Palo Alto’s Unit 42 in this report.
According to BitMEX, in this instance, the attacker attempted to reuse malicious code called ‘BeaverTail’ previously attributed to the Lazarus Group by Palo Alto’s Unit 42.

Referenced by

Threat actor analysis and intelligence

Crypto news
