1. Overview

In September 2025, a coordinated Advanced Persistent Threat (APT) campaign was discovered, targeting both Windows and macOS systems. The campaign masqueraded as legitimate software patches, including Nvidia updates, arm64-fixer, and mac_camera.driver. Through in-depth analysis, the operation has been attributed to the Lazarus Group, a North Korean state-sponsored APT actor.

Lazarus is known for conducting multifaceted cyber campaigns with diverse objectives, including financial gain (e.g., cryptocurrency theft and banking fraud), cyber espionage (targeting governments and defense contractors), and destructive attacks. Their operations commonly employ techniques such as spear-phishing, weaponized documents, watering hole attacks, custom binary deployment, and supply chain compromise. Their hallmark tactics include multi-stage C2 infrastructure, code obfuscation, and anti-analysis techniques to evade detection. International reports have linked the group to high-profile cryptocurrency heists, bank wire fraud, ransomware incidents, and data-wiping campaigns.

Malware Distribution and Execution Summary

The attacker initiates execution by prompting the installation of node.js and running the main.js script, which communicates with the C2 server to download and decrypt a secondary Python-based payload. Once executed, this script collects system information, Chromium-based browser credentials, and credit card data, and exfiltrates the data to the C2 server. The agent also receives remote instructions for executing additional malicious actions.

Distribution Vectors

• The attacker distributes compressed archives or shell scripts named:
  • nvidiaRelease.zip
  • mac_camera.driver
  • Others resembling legitimate software
• Decompressed content includes:
  • A run.vbs file targeting Windows
  • A shell script mac_camera.driver targeting macOS

Execution Flow Upon User Interaction

1. Upon execution of run.vbs or mac_camera.driver, node.js is installed and main.js is launched, establishing communication with the C2 server.
2. A supplementary archive (p2.zip) is downloaded and extracted to enable python.exe.
3. node.exe connects to the C2 and triggers the execution of a Python script.
4. The Python script is encrypted and follows a multi-step decryption routine: string reversal → Base64 decoding → zlib decompression.
5. Ultimately, sensitive data is collected and transmitted to the C2 server. The environment is configured to re-execute the Python script upon system reboot.

Data Collection and Exfiltration

The decrypted Python script collects and exfiltrates the following data:

• System Metadata: OS version, hostname, release/build number, username, UUID
• Geolocation Data: IP address, country, city, ISP, GPS coordinates, time zone
• Browser Artifacts: Chromium-based browser credentials and credit card data

Command & Control Functionality

• Upon each system reboot, the malware contacts the C2 server to retrieve and execute additional remote commands.

2. Technical Analysis

2.1 macOS Attack Flow

Malware Architecture Diagram (PPTX)

Execution Trigger

• Shell script disguises: arm64-fixer, mac_camera.driver, mac_camera.driver-fix1816

Shell Script Actions

• Downloads and extracts a compressed archive (driv.zip)

• Executes a secondary script: drivfixer.sh

• Installs node.js and executes the embedded main.js file

• Downloads additional encrypted data and executes a Python payload from the C2 server

• Maintains persistence by registering:

  ~/Library/LaunchAgents/com.local.drvierUpdate.plist → drivfixer.sh
  
  

• Performs data collection and exfiltration to the C2

• Retrieves and executes remote commands after each system reboot

Data Collected on macOS

• System Info: OS, hostname, release/version, username, UUID
• Geolocation: IP, country, city, ISP, coordinates, time zone
• Browsers: Chromium-based credentials and card data (Chrome, Brave, Opera, Yandex, Edge)

2.2 Windows Attack Flow

Execution Trigger

• Delivered via compressed files:
  • nvidiaRelease.zip
  • nvidiaReleasenew.zip
  • update93w.zip

VBS Script Behavior

• If running on Windows 11 or later, executes drvUpdate.exe

• Runs a batch script (shell.bat)

• Installs node.js and runs the embedded main.js

• Downloads and executes additional Python scripts from the C2 server

• Maintains persistence via the Windows registry:

  HKCU\Software\Microsoft\Windows\CurrentVersion\Run →
  GoogleDriveUpdaterNew "%USERPROFILE%\.pyp\pythonw.exe" "%USERPROFILE%\.n2\pay"
  
  

• Sends collected data to the C2

• Executes new C2 commands upon each system reboot

Data Collected on Windows

• System Info: OS, hostname, release/version, username, UUID
• Geolocation: IP, country, city, ISP, coordinates, time zone
• Browsers: Chromium-based credentials and card data (Chrome, Brave, Opera, Yandex, Edge)

Behavioral Analysis of Nukesped (drvupdate.exe)

• Execution Condition: Triggers only on Windows 11 or newer
• String Decryption: Encrypted strings are decoded using Base64 + XOR 0x49
• C2 Handshake Requirement: Communication occurs only when:
  • Client sends: "ca2h6FmbGtsdw6bHJpnMzI0"
  • Server responds: "Z2WtchZ4"

• Remote Shell Execution:
  • Receives command string from the C2
  • Executes using: cmd.exe /c [command]
  • Output is captured, Base64-encoded, and returned via pipe to the C2

3. IoC

md5 (Files hashes contained in the downloaded ZIP archive)

f277110800d861faa6a737c8d668d297 .npl
cdf296d7404bd6193514284f021bfa54 arm64-fixer.zip
2d8c8c6323a4fea1952405f2daad5d7a browxyz2
f9e18687a38e968811b93351e9fca089 clickfix-1.bat
37911a1e8ca8a481cd989fafe7bfb75a decoded_browxyz2.bin
0b73c183056cdbacddcd5eb0d1191b3b decoded_npl.bin
858b616a388f6220e2fbcdaf545a9695 decoded_pay.bin
57a3b11361ea5908d7f79395f12e14f8 decoded_pay2.bin
0dae0f501fca7db547726c78db4ae172 driv.zip
cbd183f5e5ed7d295d83e29b62b15431 driv.zip
6175efd148a89ca61b6835c77acc7a8d drvupdate.exe
fc7b67af44b474db1bbc808a8f2a25f0 mac_camera.driver
8731b650457211decd5a7aa940dd8f0e mac_camera.driver-fix1816
b52e105bd040bda6639e958f7d9e3090 main.js
fcc0114e34b352d9d3312118c6fd9341 main.js
846b1734829ef754a42d915474b43192 nvidiaRelease (3).zip
8c274285c5f8914cdbb090d72d1720d3 nvidiaReleasenew.zip
a4e58b91531d199f268c5ea02c7bf456 nvidiarelease.zip
0550b73535fc3de5aec297707df73646 pay
3ef7717c8bcb26396fc50ed92e812d13 run.vbs
09d2336c6b76fa499f52773d930788a4 run.vbs
983a8a6f4d0a8c887536f5787a6b01a2 shell.bat
6559d05cfcf294ef325a3eb772c3d3ba update92w.zip
5a20eb4497913196212601430bd8da9d update93w.zip
13400d5c844b7ab9aacc81822b1e7f02 arm64-fixer\drivfixer.sh
b52e105bd040bda6639e958f7d9e3090 arm64-fixer\main.js
13400d5c844b7ab9aacc81822b1e7f02 driv\drivfixer.sh
ef7b96bffe252ede8259fea30fc3a9a3 driv\main.js
13400d5c844b7ab9aacc81822b1e7f02 drivv\drivfixer.sh
15e48aef2e26f2367e5002e6c3148e1f drivv\main.js
6175efd148a89ca61b6835c77acc7a8d nvidiarelease\drvUpdate.exe
b52e105bd040bda6639e958f7d9e3090 nvidiarelease\main.js
3ef7717c8bcb26396fc50ed92e812d13 nvidiarelease\run.vbs
983a8a6f4d0a8c887536f5787a6b01a2 nvidiarelease\shell.bat
6175efd148a89ca61b6835c77acc7a8d nvidiaRelease (3)\drvUpdate.exe
b52e105bd040bda6639e958f7d9e3090 nvidiaRelease (3)\main.js
945acbf53bd61ee1d6475c47f1db15d8 nvidiaRelease (3)\run.vbs
8e8066fa5de1b8cad438c2323bdf2304 nvidiaRelease (3)\shell.bat
6175efd148a89ca61b6835c77acc7a8d nvidiaReleasenew\drvUpdate.exe
15e48aef2e26f2367e5002e6c3148e1f nvidiaReleasenew\main.js
3ef7717c8bcb26396fc50ed92e812d13 nvidiaReleasenew\run.vbs
983a8a6f4d0a8c887536f5787a6b01a2 nvidiaReleasenew\shell.bat
fcc0114e34b352d9d3312118c6fd9341 update92w\main.js
09d2336c6b76fa499f52773d930788a4 update92w\run.vbs
983a8a6f4d0a8c887536f5787a6b01a2 update92w\shell.bat
ef7b96bffe252ede8259fea30fc3a9a3 update93w\main.js
09d2336c6b76fa499f52773d930788a4 update93w\run.vbs
983a8a6f4d0a8c887536f5787a6b01a2 update93w\shell.bat

C2

avalabs-digital.store
driverservices.store
webmail.driverservices.store
www.driverservices.store
block-digital.online
cpanel.block-digital.online
webmail.block-digital.online
www.block-digital.online

69.10.53.86
141.98.168.79
198.54.116.177
103.231.75.101
45.89.53.54
199.188.200.147
198.54.119.94
192.64.119.25
45.159.248.110

http://69.10.53.86
http://141.98.168.79
https://block-digital.online/drivers/mac_camera.driver-fix1816
http://block-digital.online/drivers/mac_camera.driver-fix1816
https://block-digital.online/drivers/mac_camera.driver
https://block-digital.online/drivers/camera
http://block-digital.online/
https://www.block-digital.online/
https://block-digital.online/
https://block-digital.online/drivers/cam_driver
http://block-digital.online/drivers/cam_driver
https://block-digital.online/drivers/
http://block-digital.online/cpanel
https://block-digital.online/drive
https://driverservices.store/visiodrive/arm64-fixernew
http://avalabs-digital.store/update/update93w
https://avalabs-digital.store/update/update93w
http://avalabs-digital.store/
http://avalabs-digital.store/cpanel
https://avalabs-digital.store/update/update93w/
https://avalabs-digital.store/update/z-update93m
https://driverservices.store/visiodrive/nvidiaReleasenew.zip
https://driverservices.store/visiodrive/nvidiaRelease.zi
http://driverservices.store/
https://driverservices.store/
https://driverservices.store/visiodrive/nvidiaRelease.zip https://driverservices.store/visiodri
https://driverservices.store/visiodrive/nvidiaRelease.zip
http://driverservices.store/visiodrive/arm64-fixernew
http://webmail.driverservices.store/
https://www.driverservices.store:2096/
https://webmail.driverservices.store/
https://driverservices.store/visiodrive/nvidiareleasenew.zip
http://driverservices.store/visiodrive
https://driverservices.store/visiodrive/nvidiarelease.zip
https://driverservices.store/visiodrive/mac-v-j1721.fixer
https://driverservices.store/visiodrive/
https://driverservices.store/visiodrive/arm64-fixer
http://driverservices.store/visiodrive/nvidiaRelease.zip
http://www.driverservices.store/