// soc investigation 2026-04-23
SOC337 Lazarus Phishing Campaign Detected (APT38)
letsdefend High closed ✓ true positive
phishing mitre/T1566-002 mitre/T1204-001 mitre/T1105 mitre/T1059-001 mitre/T1059-003 mitre/T1082 mitre/T1071-001 apt38
analyst verdict TRUE POSITIVE

🎯 MITRE ATT&CK

T1566.002 Phishing Link
T1204.001 User Execution Malicious Link
T1105 Ingress Tool Transfer
T1059.001 Command and Scripting Interpreter PowerShell
T1059.003 Command and Scripting Interpreter Windows Command Shell
T1082 System Information Discovery
T1071.001 Application Layer Protocol Web Protocols

🔎 What

The alert SOC337 Lazarus Phishing Campaign Detected (APT38) triggered after a phishing email with subject “Invitation: Coinbase Crypto Trader Hiring Assessment” was delivered to Ellen@letsdefend.io. The email contained a malicious link (https://blockchainjobhub.com/invite/E3fM8yF7) confirmed as a crypto phishing site. Logs show the user accessed the link, followed by process creation (EventID 4688) where curl.exe was executed from explorer.exe to download a payload (nvidiaupdate.zip) from api.drivercams.cloud and a secondary S3 source. The archive was then extracted via PowerShell, and additional commands show system reconnaissance via registry query.

🕐 When

Mar 06 2025 07:15 AM

📍 Where

Host under user LetsDefend accessed blockchainjobhub.com and downloaded the payload from api.drivercams.cloud and files-ld.s3.us-east-2.amazonaws.com. Files were saved to C:\Users\LetsDefend\nvidiaupdate.zip and extracted to C:\Users\LetsDefend\nvidiadrive.

💡 Why

The alert was triggered because indicators matched a known Lazarus (APT38) phishing campaign. Investigation confirms successful user interaction with the phishing link, followed by payload download using curl.exe and extraction via PowerShell. The sequence of download, extraction, and registry query indicates staging and reconnaissance activity consistent with malware deployment. The endpoint was contained to prevent further compromise and lateral movement.
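The What and Why sections above describe the chain an analyst reconstructs from EventID 4688 process-creation logs: explorer.exe spawning curl.exe to fetch the archive, PowerShell extracting it, then a registry query for reconnaissance. The following Python script is an added example, not part of the original report or of any LetsDefend tooling, that classifies 4688 events into those stages and raises a finding only when all three occur on one host inside a time window. The event records, command lines and URL paths are constructed for the example; only the domains, file names and directories come from the write-up.

```python
"""Correlate Windows 4688 process-creation events into the
phishing -> ingress -> extraction -> reconnaissance chain.

Sample events are constructed for this example; indicators such as
api.drivercams.cloud and nvidiaupdate.zip are taken from the alert.
"""
import re
from datetime import datetime, timedelta

FMT = "%Y-%m-%d %H:%M:%S"
URL_RE = re.compile(r"https?://[^\s\"']+", re.IGNORECASE)

# Constructed 4688 events as a SIEM might export them (fields simplified).
SAMPLE_EVENTS = [
    {"ts": "2025-03-06 07:15:02", "host": "EllenPC", "user": "LetsDefend",
     "parent": r"C:\Windows\explorer.exe", "image": r"C:\Windows\System32\curl.exe",
     # URL path is constructed; only the domain is from the report
     "cmdline": r"curl.exe -o C:\Users\LetsDefend\nvidiaupdate.zip https://api.drivercams.cloud/nvidiaupdate.zip"},
    {"ts": "2025-03-06 07:15:09", "host": "EllenPC", "user": "LetsDefend",
     "parent": r"C:\Windows\explorer.exe", "image": r"C:\Windows\System32\curl.exe",
     "cmdline": r"curl.exe -o C:\Users\LetsDefend\nvidiaupdate.zip https://files-ld.s3.us-east-2.amazonaws.com/nvidiaupdate.zip"},
    {"ts": "2025-03-06 07:15:31", "host": "EllenPC", "user": "LetsDefend",
     "parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": r"powershell.exe -Command Expand-Archive -Path C:\Users\LetsDefend\nvidiaupdate.zip -DestinationPath C:\Users\LetsDefend\nvidiadrive"},
    {"ts": "2025-03-06 07:16:05", "host": "EllenPC", "user": "LetsDefend",
     "parent": r"C:\Windows\System32\cmd.exe", "image": r"C:\Windows\System32\reg.exe",
     "cmdline": r"reg.exe query HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion"},
    # Benign activity that must not contribute to the finding.
    {"ts": "2025-03-06 07:20:00", "host": "EllenPC", "user": "LetsDefend",
     "parent": r"C:\Windows\explorer.exe", "image": r"C:\Windows\System32\notepad.exe",
     "cmdline": r"notepad.exe C:\Users\LetsDefend\notes.txt"},
]


def basename(path):
    """Return the lower-cased file name of a Windows or POSIX path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def classify_event(ev):
    """Map one 4688 event to (stage, ATT&CK technique) or None if benign."""
    image, parent = basename(ev["image"]), basename(ev["parent"])
    cmd = ev["cmdline"].lower()
    # User-driven download: curl launched from the shell with a URL argument.
    if image == "curl.exe" and parent == "explorer.exe" and URL_RE.search(cmd):
        return ("ingress", "T1105")
    # Archive extraction through PowerShell.
    if image == "powershell.exe" and ("expand-archive" in cmd or ".zip" in cmd):
        return ("extract", "T1059.001")
    # Registry query used for host reconnaissance.
    if image == "reg.exe" and " query" in cmd:
        return ("recon", "T1082")
    if image == "cmd.exe" and "reg query" in cmd:
        return ("recon", "T1059.003")
    return None


def correlate(events, window_minutes=30):
    """Emit one finding per host where ingress, extract and recon stages
    all appear within window_minutes of the first suspicious event."""
    by_host = {}
    for ev in sorted(events, key=lambda e: e["ts"]):
        hit = classify_event(ev)
        if hit is None:
            continue
        stage, technique = hit
        by_host.setdefault(ev["host"], []).append(
            (datetime.strptime(ev["ts"], FMT), stage, technique, ev))

    findings = []
    for host, hits in by_host.items():
        first = hits[0][0]
        in_window = [h for h in hits if h[0] - first <= timedelta(minutes=window_minutes)]
        stages = {h[1] for h in in_window}
        if {"ingress", "extract", "recon"} <= stages:
            urls = sorted({u for h in in_window for u in URL_RE.findall(h[3]["cmdline"])})
            findings.append({
                "host": host,
                "user": in_window[0][3]["user"],
                "first_seen": in_window[0][0].isoformat(sep=" "),
                "techniques": sorted({h[2] for h in in_window}),
                "download_urls": urls,
                "verdict": "true positive: phishing-to-recon chain",
            })
    return findings


if __name__ == "__main__":
    for finding in correlate(SAMPLE_EVENTS):
        print(finding)
```

Requiring all three stages keeps a lone `curl.exe` or `reg.exe query` from paging the on-call analyst; those single events are better surfaced as lower-severity hunts, while the full chain is the true-positive signal this alert represents. The extracted download URLs feed straight into the Hybrid Analysis and VirusTotal lookups listed below.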

🔬 Analysis Reports

🧪 Hybrid Analysis → https://hybrid-analysis.com/sample/f551f5ba236d53aaaa3bbcce5cc3c0958eb7d5534f4da9464d9a0625f7124390/67cbe964f4785129280e0150
🦠 VirusTotal (blockchainjobhub.com) → https://www.virustotal.com/gui/url/1dc0aa5a2878900868737a96c59e19660832cebbd8816b2860d8b03be851a372/detection
🦠 VirusTotal (drivercams.cloud) → https://www.virustotal.com/gui/url/4d7ebfcefc1b9c25ddcdc921fcc1c792dc289f915532194f8d61d7f931dcae0c/community
🦠 VirusTotal (S3 source) → https://www.virustotal.com/gui/url/9778cfb5c24472ec8996d9ed15f776b3a62bbceb1c615924b69ce0574a5515b8/detection