Cybersecurity firm Kaspersky Lab has warned that Lazarus continues to evolve, and is expanding its ways of launching hacks and attacks online.

Lazarus is a cybercrime group believed to be connected to, or even possible backed by, North Korea. It is also known as Hidden Cobra, and believed to be made up of a group of individuals.

Kaspersky’s latest report (Mar 26) on Lazarus notes that the group has been working on expanding its platform which targets cryptocurrency exchanges, showing that Lazarus is still making attacks on such entities a major focus.

Lazarus has also begun developing malware that can target macOS users.

Kaspersky writes that by tracking Lazarus’ activities, it also discovered a new Lazarus operation which has been active “since at least November 2018”.  The new operation utilizes PowerShell to control Windows systems and macOS malware for Apple users.

Lazarus’ custom PowerShell scripts communicate with malicious C2 servers to execute commands from the operator. The C2 server script names are disguised as WordPress files, as well as those of other popular open source projects, said Kaspersky.

With C2 server script names misinterpreted as open source projects, this allows for manipulation, and both downloads and uploads of malware.

Malware is also distributed through documents “carefully prepared to attract the attention of cryptocurrency professionals”. Kaspersky added that some of the documents were prepared in Korean, hence it believes that South Korean businesses are a high priority for Lazarus.

Kaspersky thus cautions Windows and macOS users to be more careful. For those in the cryptocurrency or technological startup industries, extra caution is needed when dealing with new third parties or installing system software.

Though little is known about Lazarus, industry experts have attributed several hacking incidents to likely be their work, such as Operation Troy around 2009 to 2012, and the WannaCry cyberattacks of 2017. Kaspersky considers Lazarus to be “well organized”.

Previous research has held Lazarus accountable for the loss of over 65%, or $571 million out of $882 million, worth in digital tokens from online exchanges between 2017 and 2018. Japan’s Coincheck was the most heavily targeted with a loss of $532 million.