“Lazarus APT: The Crypto Showdown Between Investors and Zero-Day Exploits”

Kaspersky researchers uncovered a Lazarus APT campaign that used a deceptive DeFi tank-game website to deliver a Google Chrome zero-day exploit (CVE-2024-4947), leading to a Manuscrypt backdoor infection. The vulnerability was responsibly disclosed to Google and patched, while the attackers combined browser exploitation, a V8 sandbox bypass, and social engineering built around a game whose source code had been stolen. #Lazarus #Manuscrypt

Key points

  • Lazarus APT, including the BlueNoroff subgroup, has used the Manuscrypt backdoor since at least 2013 across 50+ campaigns against diverse targets.
  • Kaspersky Total Security detected a new Manuscrypt infection on a personal computer in Russia, traced back to detankzone[.]com, a fake DeFi tank-game site.
  • The site hosted a hidden Google Chrome zero-day exploit (CVE-2024-4947) that allowed remote code execution in the Chrome process and was reported to Google.
  • The exploit chain combined a Maglev JIT compiler bug causing type confusion and a V8 Irregexp interpreter bug to bypass the V8 sandbox and execute shellcode.
  • Attackers used professional social engineering—X posts, outreach to crypto influencers, LinkedIn, and spear phishing—to promote the malicious game.
  • The game package contained stolen source code from DeFiTankLand; Kaspersky recreated the game server to access game functionality for analysis.
  • Google patched the vulnerability quickly and blocked campaign domains; researchers warn Lazarus will likely use more advanced techniques, including generative AI.

MITRE Techniques

  • [T1203] Exploitation for Client Execution – Exploited a Google Chrome zero-day to achieve remote code execution in the browser process (‘Exploitation of a zero-day vulnerability in Google Chrome to gain access to the system.’)
  • [T1204] User Execution / Social Engineering – Used social media, phishing, and influencer outreach to lure victims to the malicious game site (‘Using social media and phishing tactics to lure victims into downloading malicious software.’)
  • [T1071] Application Layer Protocol (Command and Control) – Established communication channels to control compromised systems and receive next-stage payloads (‘Establishing communication with a remote server to control compromised systems.’)

Indicators of Compromise

  • [File hashes – exploit] Example exploit hashes observed in the attack chain – B2DC7AEC2C6D2FFA28219AC288E4750C, E5DA4AB6366C5690DFD1BB386C7FE0C78F6ED54F, and 1 more hash
  • [File hashes – game binaries] Hashes for the malicious game archive and binaries – 8312E556C4EEC999204368D69BA91BF4, 7F28AD5EE9966410B15CA85B7FACB70088A17C5F, and 1 more hash
  • [Domains] Malicious/associated domains used as decoys and command infrastructure – detankzone[.]com (decoy game site delivering the exploit), ccwaterfall[.]com (associated domain)

Kaspersky has long tracked Lazarus APT and its BlueNoroff subgroup as a highly capable, Korean-speaking actor that frequently deploys a full-featured backdoor known as Manuscrypt. The group’s operations stretch back to at least 2013 and encompass over fifty distinct campaigns targeting governments, financial institutions, cryptocurrency platforms, defense contractors, media, gaming companies, universities, and more. On May 13, 2024, Kaspersky’s consumer product detected a fresh Manuscrypt infection on a personal computer in Russia. Because Lazarus rarely targets individuals, this detection triggered deeper analysis that revealed a hidden exploitation vector originating from detankzone[.]com, a polished-looking website offering a beta of a DeFi NFT-based MOBA tank game.

At first glance detankzone[.]com was a convincing promotional page inviting users to download a trial of the game, but its frontend contained a concealed script that executed a browser exploit in the visitor’s Google Chrome session. Visiting the site alone was sufficient to trigger the chain: the exploit achieved remote code execution in Chrome, which then enabled delivery of further payloads and ultimately the Manuscrypt backdoor. Kaspersky extracted the first-stage exploit and, after confirming it targeted the latest Chrome release as a zero-day, reported the issue to Google the same day. Google issued a patch two days later and acknowledged the find in the Chrome release notes.

Following responsible disclosure, Kaspersky withheld technical details publicly until users could apply updates and Google could block the campaign domains. Google also took action to block detankzone[.]com and related sites, warning users who attempted to visit them. Microsoft published a blog post on May 28, 2024, which touched on the campaign but omitted the critical detail that the attack leveraged a high-severity browser zero-day. In contrast, Kaspersky’s analysis delved into the exploit mechanics and the staged attack used to obtain system-level control.

The exploit delivered two distinct vulnerabilities: the first abused a logic error in V8’s new Maglev JIT compiler (tracked as CVE-2024-4947) to enable out-of-spec stores from JavaScript into V8 objects, and the second provided a way to bypass the V8 heap sandbox via a flaw in the Irregexp interpreter. The Maglev bug stemmed from missing checks when storing into module export objects: code that should always throw an exception under the ECMAScript rules instead performed an unauthorized store once Maglev compiled the code. By carefully crafting JavaScript that manipulated object layouts, arrays, and module exports, attackers caused a type confusion that let them corrupt internal V8 structures and obtain primitives for reading and writing arbitrary memory in the Chrome process.

To convert the memory-corruption primitive into true read/write access, the attackers prepared a precise heap layout. Their trigger function allocated and then shrank arrays to specific sizes, created holder objects to hold pointers, and repeatedly executed a function until Maglev compiled it—at which point the missing store check corrupted the Map pointer and turned a PropertyArray into a PropertyDictionary. With these memory primitives, they could overwrite pointers to arrays and ArrayBuffer backing stores, enabling primitives to leak addresses of JS objects and to read/write across the V8 heap.

Having gained arbitrary memory access inside V8, the attackers still needed to escape the V8 sandbox to reach process memory outside of V8’s compressed-pointer domain. They exploited a separate weakness in Irregexp, V8’s regular-expression interpreter: its opcode handlers decoded register indices from bytecode without bounds checking. By crafting malicious Irregexp bytecode that referenced out-of-bounds register indices, the attackers could overwrite adjacent fields, such as the pointers controlling output registers, and then trigger a SUCCEED opcode path that copied out-of-bounds memory. Because those adjacent fields sat next to the register array, this flaw allowed reads and writes beyond the sandbox and ultimately permitted overwriting JIT-compiled code with shellcode and executing it. That Irregexp issue was reported and fixed in March 2024, though it is unclear whether the attackers discovered it first.

Once shellcode ran in the process, the attackers executed a validator routine to fingerprint the environment and decide whether to continue the attack. The shellcode collected CPUID details, virtualization indicators, OS build and version, processor count, tick count, debugger presence, process and module file version information, and SMBIOS firmware data. Based on these checks, the operators could choose to deploy a privilege-escalation exploit and install a persistent backdoor or to abort to avoid detection.

By the time Kaspersky investigated, the exploit had been removed from the decoy site, preventing researchers from easily retrieving the next-stage exploits or privilege-escalation samples. Kaspersky opted to prioritize disclosure of the initial Chrome bug to Google rather than waiting for a follow-up infection that might reveal additional components; the proactive patching mitigated further in-the-wild exploitation.

The campaign’s social engineering layer was extensive and sustained. Over several months, the attackers built and promoted a convincing presence across social media, primarily on X (formerly Twitter), operating multiple accounts that posted generative-AI-produced content and professionally designed visuals to advertise the fake game. They reached out to crypto influencers, likely attempting to persuade them to amplify the site, and also maintained premium LinkedIn accounts and used spear-phishing emails as part of their distribution strategy. This coordinated outreach helped lend credibility to the decoy and broadened its reach within cryptocurrency communities.

Curiosity about the advertised game led researchers to download a 400 MB archive named detankzone.zip. The archive had the structure of a Unity game and contained logos, HUD assets, and textures for a title labeled “DeTankZone.” Initially, login attempts failed because the game contacted a hardcoded server at api.detankzone[.]com that was either offline or controlled by the attackers. To fully analyze the game and determine whether the attackers had developed a custom title or reused existing code, Kaspersky reverse-engineered the client, discovered the Socket.IO-based protocol and AES256+Base64 message format, and implemented a custom server that emulated the expected API.

The encryption used an AES key string “Full Stack IT Service 198703Game” and an IV string “MatGoGameProject.” After replicating the protocol and responding with correctly encoded JSON messages, Kaspersky’s server allowed the client to log in and connect; the team verified that the game was functional and could be played against bots. Deeper analysis, however, showed that the game’s source was not original: the malicious build was derived from DeFiTankLand (DFTL), a legitimate project. Kaspersky found evidence that the attackers had stolen the DFTL source, altered branding and references, and repackaged the build for their campaign. Corroborating timeline evidence from the original developers’ Telegram channel suggests the attackers began outreach for the campaign on February 20, 2024, and that two weeks later an alleged compromise of the developers’ cold wallet occurred, losing roughly $20,000 in DFTL2 tokens—an event the developers attributed to an insider. Kaspersky suspects Lazarus was responsible for both the source theft and the token theft.

In conclusion, this Lazarus operation demonstrates a high degree of technical and social-engineering sophistication: the group combined a zero-day Chrome exploit and a sandbox bypass with polished social-media promotion and a repackaged game to drive infections and financial theft. Manuscrypt remains a persistent tool in Lazarus’s arsenal, and the group’s frequent use of zero-days heightens the risk that simply visiting a malicious link can lead to total system compromise. Browser JIT compilers have historically been a fertile source of vulnerabilities, and major changes—such as adding new JITs like Maglev—can introduce novel bugs. Users should keep browsers and security software updated; organizations may also consider configurations that reduce JIT exposure, and defenders should monitor for the social-engineering tactics and domains highlighted in this report.

Read more: https://securelist.com/lazarus-apt-steals-crypto-with-a-tank-game/114282/