This initial part of the file was new to us: it connects to a Supabase instance and writes metadata (username, hostname, os, ip, geolocation, time) about the computer that has been infected.
Quote
Sources
Beyond the Pond Phish: Unraveling Lazarus Group’s Evolving Tactics
Referenced by
BitMEX’s investigation into a May 2025 phishing attempt, in which a Lazarus Group attacker posed as a Web3 collaborator and shared a malicious NFT project, uncovered a misconfigured Supabase database used to track infected devices. The database revealed over 850 entries and suggested a structured work schedule aligned with Pyongyang time.
Crypto news
Claim