Lazarus & WageMole Infostealer Surge: ClickFix, Supply Chain, and Steganography Tactics — OTX Pulse Analysis | Security Arsenal

Threat Summary

Recent OTX pulses indicate a convergence of sophisticated credential theft campaigns targeting high-value sectors including Finance, Technology, and Blockchain infrastructure. Notably, the Lazarus Group has deployed a ClickFix campaign specifically engineered for macOS ("Mach-O Man"), while WageMole (Void Dokkaebi) has evolved into a self-propagating supply chain threat using poisoned Git repositories. Simultaneously, the Fox Tempest actor is facilitating these operations through a Malware-Signing-as-a-Service (MSaaS) ecosystem, providing malicious code certificates to evade security controls. These actors are unified by their objective: harvesting sensitive credentials, session cookies, and cryptocurrency wallet data through novel delivery vectors including fake browser updates, steganography-laden images, and fake job interview lures.

Threat Actor / Malware Profile

1. Lazarus Group (Mach-O Man & PyLangGhostRAT)

Distribution: Social engineering via Telegram messages containing fake meeting invitations (Zoom/Teams). Redirects victims to fraudulent collaboration platforms triggering "ClickFix" fake browser updates or CAPTCHAs.
Payload Behavior:
- Mach-O Man: A macOS malware kit that steals browser data and credentials.
- PyLangGhostRAT: Remote Access Trojan for C2 communication.
Persistence: Uses LaunchAgents or scheduled cron jobs triggered by the initial terminal execution.
Exfiltration: Utilizes Telegram API for data exfiltration, bypassing traditional network egress monitoring.

2. Void Dokkaebi / WageMole (DEV#POPPER RAT, BeaverTail)

Distribution: "Fake Job Interview" lures targeting software developers. Victims are tricked into cloning malicious Git repositories.
Payload Behavior:
- BeaverTail: Infostealer targeting browser extensions and crypto wallets.
- DEV#POPPER RAT: Establishes remote access.
Persistence: Malicious VS Code task configurations (.vscode/tasks.) that execute payloads upon opening the project folder in the IDE.
Propagation: Worm capabilities allow it to compromise the victim's Git history and propagate to downstream repositories.

3. PureLogs / PawsRunner

Distribution: Phishing emails with TXZ archive attachments containing invoice-themed lures.
Payload Behavior:
- PawsRunner: A steganography loader that extracts encrypted payloads from PNG image files.
- PureLogs: A .NET infostealer targeting credentials and crypto wallets.
Anti-Analysis: Uses environment variables to hide command-line arguments and steganography to evade signature-based detection.

4. Fox Tempest (Malware-Signing-as-a-Service)

Role: An enabling actor rather than a direct payload.
Technique: Abuses Microsoft Artifact Signing to generate fraudulent code-signing certificates.
Impact: Signs malware families like Lumma Stealer, Vidar, and Rhysida, allowing them to bypass SmartScreen and other trust-based controls.

IOC Analysis

The provided IOCs reveal a mix of infrastructure and file-based indicators:

Domains (Typosquatting & C2): livemicrosft.com (Lazarus typo-squatting), signspace.cloud (Fox Tempest infrastructure), bull-run.fun, spot-wave.fun (ClickFix C2). SOC teams should immediately block these at the perimeter and DNS resolver.
File Hashes: A significant volume of SHA256 and MD5 hashes are provided for the Mach-O binaries, .NET loaders (PawsRunner), and signed malware. These should be uploaded to EDR "blocklist" configurations.
Operationalization:
- SIEM: Correlate network connections to the listed domains with process creation events.
- EDR: Hunt for the specific file hashes; focus on the ~/Downloads and /tmp directories for macOS artifacts, and %AppData% for Windows steganography loaders.
- Network: Investigate outbound connections to 5.101.84.202 (IPv4 from PureLogs pulse).

Detection Engineering

Sigma Rules

YAML

title: Potential macOS ClickFix Terminal Execution via Browser
id: 6e3f2a1b-4c5d-4f8e-9a1b-2c3d4e5f6a7b
description: Detects potential ClickFix activity where a browser process spawns a shell or terminal on macOS, indicative of a user tricked into running a malicious command.
status: experimental
date: 2026/05/22
author: Security Arsenal
references:
    - https://any.run/cybersecurity-blog/lazarus-macos-malware-mach-o-man/
tags:
    - attack.initial_access
    - attack.execution
    - attack.t1059.04
logsource:
    category: process_creation
    product: macos
detection:
    selection:
        ParentImage|endswith:
            - '/Google Chrome'
            - '/Firefox'
            - '/Safari'
            - '/Microsoft Edge'
    selection_cli:
        Image|endswith:
            - '/bin/sh'
            - '/bin/bash'
            - '/bin/zsh'
            - '/usr/bin/osascript'
        CommandLine|contains:
            - 'curl'
            - 'chmod'
            - 'nohup'
    condition: selection and selection_cli
falsepositives:
    - Legitimate developer workflows running scripts from browser downloads
level: high
---
title: VS Code Task Execution via Malicious Repository
id: 7f4e3b2c-5d6e-4f9a-8b2c-3d4e5f6a7b8c
description: Detects execution of suspicious processes spawned by VS Code, often used by Void Dokkaebi to execute payloads via tasks. in cloned repositories.
status: experimental
date: 2026/05/22
author: Security Arsenal
references:
    - https://www.trendmicro.com/en_us/research/26/d/void-dokkaebi-uses-fake-job-interview-lure-to-spread-malware-via-code-repositories.html
tags:
    - attack.initial_access
    - attack.execution
    - attack.t1204
logsource:
    category: process_creation
    product: windows
detection:
    selection_parent:
        ParentImage|endswith:
            - '\Code.exe'
            - '\Code - Insiders.exe'
    selection_child:
        Image|endswith:
            - '\powershell.exe'
            - '\cmd.exe'
            - '\wscript.exe'
            - '\msbuild.exe'
            - '\node.exe'
    condition: selection_parent and selection_child
falsepositives:
    - Legitimate build tasks or debugging sessions
level: medium
---
title: Steganography Loader Activity via PowerShell
id: 8g5f4d3e-6e7f-5a0b-9c3d-4e5f6a7b8c9d
description: Detects PowerShell scripts accessing image files and potentially reading byte streams, indicative of PawsRunner steganography behavior.
status: experimental
date: 2026/05/22
author: Security Arsenal
references:
    - https://www.fortinet.com/blog/threat-research/purelogs-delivery-via-pawsrunner-steganography
tags:
    - attack.defense_evasion
    - attack.t1027
logsource:
    category: process_creation
    product: windows
detection:
    selection_pwsh:
        Image|endswith: '\powershell.exe'
    selection_methods:
        CommandLine|contains:
            - 'System.Drawing'
            - 'Bitmap'
            - 'Get-Content'
            - 'FromBase64String'
    selection_files:
        CommandLine|contains:
            - '.png'
            - '.jpg'
            - '.bmp'
    condition: selection_pwsh and selection_methods and selection_files
falsepositives:
    - Legitimate image processing scripts
level: high

KQL (Microsoft Sentinel)

KQL — Microsoft Sentinel / Defender

// Hunt for ClickFix and Network IOCs
let IOCs = dynamic(["livemicrosft.com", "signspace.cloud", "bull-run.fun", "spot-wave.fun", "everycarebd.com"]);
DeviceNetworkEvents
| where Timestamp > ago(7d)
| where RemoteUrl has_any(IOCs) or RemoteDomain has_any(IOCs)
| project Timestamp, DeviceName, InitiatingProcessFileName, InitiatingProcessCommandLine, RemoteUrl, RemoteIP
| union (
    DeviceProcessEvents
    | where Timestamp > ago(7d)
    | where InitiatingProcessParentFileName in ("chrome.exe", "msedge.exe", "firefox.exe", "safari.exe")
    | where FileName in ("sh", "bash", "zsh", "osascript", "powershell.exe", "cmd.exe")
    | where CommandLine has_any("curl", "chmod", "nohup", "iex", "downloadstring")
)
| summarize count() by DeviceName, InitiatingProcessFileName, Timestamp

PowerShell Hunt Script

PowerShell

<#
    IOC Hunt Script for Lazarus, WageMole, and PawsRunner Campaigns
    Scans for specific file hashes, process artifacts, and network indicators.
#>

$TargetHashes = @(
    "0f41fd82cac71e27c36eb90c0bf305d6006b4f3d59e8ba55faeacbe62aadef90",
    "23e37cf4e2a7d55ed107b3bc3eb7812a0e3d8f90b23b0c8f549d5c10d089a2c8",
    "77b1beb083e4e2074402742ef2d677835072acf0e7ddd9ee8206e5a2c76b1ca5",
    "f0668ce925f36ff7f3359b0ea47e3fa243af13cd6ad9661dfccc9ff79fb4f1cc",
    "0fcb86ae384e9975933314ac2a231f0ff46c0208556bf4a16f096a642d3f505e"
)

$MaliciousDomains = @("livemicrosft.com","signspace.cloud","bull-run.fun","spot-wave.fun","everycarebd.com")

Write-Host "[+] Scanning for malicious file hashes..." -ForegroundColor Cyan

# Scan common download and temp directories
$PathsToScan = @("$env:USERPROFILE\Downloads", "$env:TEMP", "C:\ProgramData", "$env:APPDATA")

foreach ($Path in $PathsToScan) {
    if (Test-Path $Path) {
        Get-ChildItem -Path $Path -Recurse -ErrorAction SilentlyContinue | ForEach-Object {
            $fileHash = (Get-FileHash -Path $_.FullName -Algorithm SHA256 -ErrorAction SilentlyContinue).Hash
            if ($TargetHashes -contains $fileHash) {
                Write-Host "[!] MALICIOUS FILE DETECTED: $($_.FullName)" -ForegroundColor Red
            }
        }
    }
}

Write-Host "[+] Checking Hosts file for domain resolution..." -ForegroundColor Cyan
$HostsPath = "$env:SystemRoot\System32\drivers\etc\hosts"
if (Test-Path $HostsPath) {
    $HostsContent = Get-Content $HostsPath
    foreach ($domain in $MaliciousDomains) {
        if ($HostsContent -match $domain) {
            Write-Host "[!] SUSPICIOUS ENTRY IN HOSTS FILE: $domain" -ForegroundColor Red
        }
    }
}

Write-Host "[+] Checking for VS Code task. modifications (WageMole vector)..." -ForegroundColor Cyan
# Check recent VS Code task files in user directories
$VSCodeTasks = Get-ChildItem -Path $env:USERPROFILE -Filter "tasks." -Recurse -ErrorAction SilentlyContinue -Depth 5 | Where-Object { $_.DirectoryName -match "\.vscode" }
foreach ($task in $VSCodeTasks) {
    # Heuristic: Flag if modified within last 7 days and contains suspicious commands
    if ($task.LastWriteTime -gt (Get-Date).AddDays(-7)) {
        $content = Get-Content $task.FullName -Raw
        if ($content -match "powershell" -or $content -match "cmd.exe" -or $content -match "curl") {
             Write-Host "[!] SUSPICIOUS VS CODE TASK: $($task.FullName) (Modified recently)" -ForegroundColor Yellow
        }
    }
}

Write-Host "[+] Hunt complete." -ForegroundColor Green

Response Priorities

Immediate (0-24 hours)

Block IOCs: Push all listed domains and file hashes to EDR, Firewall, and DNS blocking lists immediately.
Hunt for Artifacts: Run the provided PowerShell script across endpoints to detect presence of Mach-O Man, PawsRunner, or malicious tasks. files.
Network Isolation: Isolate any endpoints communicating with 5.101.84.202 or the listed ClickFix domains.

Short Term (24-48 hours)

Identity Verification: Given the infostealer nature (targeting cookies/credentials), force password resets and MFA re-enrollment for accounts accessed from affected endpoints.
Git Repository Audit: For engineering teams, audit recent Git clones and .vscode/tasks. files in repositories to detect supply chain poising by Void Dokkaebi.
Code Signing Review: Investigate any code-signing certificates issued recently that match the patterns abused by Fox Tempest (MSaaS).

Long Term (1 Week+)

Application Hardening: Enforce strict application signing policies. Block execution of unsigned binaries on macOS and Windows where possible.
Developer Awareness: Train developers on the risks of cloning unverified repositories and the specifics of "fake job interview" social engineering.
Browser Policy: Implement browser security policies to block unauthorized extension installations and alert on suspicious script execution patterns (ClickFix).

Related Resources

Security Arsenal Incident Response Managed SOC & MDR Services AlertMonitor Threat Detection From The Dark Side Intel Hub

Lazarus & WageMole Infostealer Surge: ClickFix, Supply Chain, and Steganography Tactics — OTX Pulse Analysis