
Lazarus

APT


Lazarus APT group identified as BTC Changer using JS Sniffers now back in action

Lazarus BTC changer is now armed with JS sniffers that are crafted to steal crypto

17-Apr-2021
2 min read

JavaScript sniffers have grown into one of the most dreaded threats for eCommerce businesses over the past five years. The simplicity of these attacks, combined with the use of rogue JavaScript code to intercept details entered during payment, attracts more and more hackers, and JS sniffers have become one of the leading sources of stolen bank cards on underground markets. In one recent campaign, a major escalation in JS-sniffer attacks on e-commerce websites has been observed.

In July 2020, Sansec published an article on attacks against US and European online shops carried out with JavaScript sniffers (JS-sniffers). The researchers attributed the “clientToken=” campaign to the North Korean APT known as Lazarus (aka Dark Seoul Gang, HIDDEN COBRA, Guardians of Peace, APT38, APT-C-26, Labyrinth Chollima, Zinc, Bluenoroff, Stardust Chollima).

The Group-IB Threat Intelligence team looked into these campaigns and identified a separate campaign that uses the same infrastructure. The group has returned to its old practice of stealing cryptocurrency, this time with a tool that had never been used before: Lazarus has attacked online stores that accept cryptocurrency payments using crypto skimmers.

Initial Discovery

74d03cfa52078267541ab9c588b8add5

The clientToken= campaign launched by Lazarus and identified by Sansec began in May 2019. During this campaign, the attackers used a list of breached websites to host rogue JavaScript files that stole bank card details from US and European online shoppers.

  • stefanoturco[.]com
  • technokain[.]com
  • darvishkhan[.]net
  • areac-agr[.]com
  • luxmodelagency[.]com
  • signedbooksandcollectibles[.]com
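Because a JS-sniffer is loaded like any other third-party script, one practical defensive check is to audit which hosts a checkout page actually pulls scripts from. The Node.js snippet below is an added example and is not code from the original article, Sansec or Group-IB: it extracts every `<script src>` from a page, resolves the host, and classifies it as allowed (on the shop's own allowlist), a known sniffer host (the defanged domains listed above, refanged for comparison), or an unexpected third party. The sample HTML, the shop origin `shop.example.com` and the payment-provider host `js.example-psp.com` are constructed for the example.

```javascript
// Added example (not from the original article): audit <script src> hosts on a
// checkout page against an allowlist and the sniffer hosting domains above.

// Hosts the article lists as having hosted the rogue JavaScript files (defanged).
const SNIFFER_HOSTS = [
  'stefanoturco[.]com', 'technokain[.]com', 'darvishkhan[.]net',
  'areac-agr[.]com', 'luxmodelagency[.]com', 'signedbooksandcollectibles[.]com',
];

// Restore the dot that defanging replaced with "[.]".
function refang(domain) {
  return domain.replace(/\[\.\]/g, '.').toLowerCase();
}

const KNOWN_BAD = new Set(SNIFFER_HOSTS.map(refang));

// Pull the src attribute from every <script ... src="..."> tag (single or double quotes).
function extractScriptSrcs(html) {
  const re = /<script\b[^>]*\bsrc\s*=\s*(["'])(.*?)\1/gi;
  const srcs = [];
  let m;
  while ((m = re.exec(html)) !== null) srcs.push(m[2]);
  return srcs;
}

// Resolve a (possibly relative) src against the page origin and return its hostname.
function hostOf(src, pageOrigin) {
  try {
    return new URL(src, pageOrigin).hostname.toLowerCase();
  } catch (e) {
    return null;
  }
}

// Classify each script on the page; returns [{ src, host, verdict }].
function auditScripts(html, pageOrigin, allowlist) {
  const allowed = new Set(allowlist.map((h) => h.toLowerCase()));
  return extractScriptSrcs(html).map((src) => {
    const host = hostOf(src, pageOrigin);
    let verdict;
    if (host === null) verdict = 'unparseable';
    else if (KNOWN_BAD.has(host)) verdict = 'known-sniffer-host';
    else if (allowed.has(host)) verdict = 'allowed';
    else verdict = 'unexpected-third-party';
    return { src, host, verdict };
  });
}

// Constructed sample checkout page; the hosts and paths are illustrative only.
const SAMPLE_HTML = `
<html><head>
<script src="/static/app.js"></script>
<script src="https://js.example-psp.com/v1/checkout.js"></script>
<script src='https://darvishkhan.net/js/jquery.min.js'></script>
<script src="https://cdn.unknown-host.example/analytics.js"></script>
</head><body>...</body></html>`;

const SAMPLE_ORIGIN = 'https://shop.example.com';
const SAMPLE_ALLOWLIST = ['shop.example.com', 'js.example-psp.com'];

for (const f of auditScripts(SAMPLE_HTML, SAMPLE_ORIGIN, SAMPLE_ALLOWLIST)) {
  console.log(f.verdict.padEnd(24), f.src);
}
```

Run against a stored copy of the checkout page, the two non-allowed verdicts are what an operator should chase: a script from a listed sniffer host is an incident, and an unexpected third party is at minimum an unreviewed dependency. The same allowlist is the natural input for a `Content-Security-Policy` `script-src` directive, which turns this after-the-fact audit into a browser-enforced block.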

Infected Websites

Three breached websites were detected during the analysis of Lazarus BTC Changer. Two of them were also listed in Sansec’s article as victims of the clientToken= campaign: “Realchems” (https://realchems.com/) and “Wongs Jewellers” (https://www.wongsjewellers.co.uk/).