description: "Analysis of Lazarus Group's tactical evolution: from OpenClaw token scams to fake VS Code security advisories. Full email breakdown, technical indicators, and detection strategies."
How a North Korean APT pivoted from greed-based to fear-based social engineering in under one week
The Evolution Timeline
March 20, 2026: I received a sophisticated phishing email impersonating the OpenClaw project, offering a fake cryptocurrency airdrop to GitHub contributors.
March 27, 2026: Exactly seven days later, the same threat actor (attributed to Lazarus Group based on TTPs) returned with a fundamentally different psychological approach — this time exploiting fear rather than greed.
This article analyzes both campaigns to demonstrate how quickly APT groups adapt their tactics and why developers must remain vigilant against multiple attack vectors.
Campaign #1: The OpenClaw Airdrop (Greed Vector)
Full email content (March 20, 2026):
Thank you for your contributions on GitHub. We assessed profiles and shortlisted developers to redeem OpenClaw allocation.
Award Details & Redemption Process
Allocation: 5000.11 $CLAW
Status: Wallets are already confirmed
Action: Visit https://share.google/eGzdhAucWKKcwkZi9, register your wallet, and collect your allocation.
Authorized Builders
[list of real GitHub contributor handles]
Not approved this iteration?
Continue contributing on GitHub — additional airdrops are planned.
Regards |🔷|🌊|⚡
The OpenClaw Team
Technical analysis:
- Redirect chain: `share.google` → `token-claw.xyz` (fake OpenClaw site)
- Payload: JavaScript wallet drainer (`eleven.js`) with C2 at `watery-compost.today`
- Attacker wallet: `0x6981E9EA7023a8407E4B08ad97f186A5CBDaFCf5`
Campaign #2: The Fake VS Code CVE (Fear Vector)
Full email content (March 27, 2026):
Summary
A serious protection vulnerability has been identified in Visual Studio Code.
Impact: CVE-2026-40271-64398
At-Risk Versions: [1.05.0-1.112.4]
System: Microsoft Windows only
Emergency measure required for Windows OS users:
Install to the [1.112.5 or later] without delay: https://share.google/N3NwdcmyaYu9kwZ6D
Threat Level
Hackers have the opportunity to execute and activate malicious extensions no customer permission on Microsoft Windows systems. This exploit enables unapproved software implementation that may result to:
- Unauthorized access to victim machines
- Deployment of malicious software
- Credentials exposure
- Machine infection
Windows customers are strongly advised to fix promptly.
Found by: Nathaniel Pemberton, Precision Algorithmics
⚠️ At-Risk customers:
[list of real GitHub contributor handles]
Tactical Analysis: The Pivot
Psychological Engineering Comparison
| Dimension | Campaign #1 (Airdrop) | Campaign #2 (CVE) |
|---|---|---|
| Primary emotion | Greed/FOMO | Fear/Urgency |
| Cognitive bias exploited | Optimism bias, reciprocity | Authority bias, loss aversion |
| Call to action | "Collect your allocation" | "Install without delay" |
| Impersonated authority | Open-source project | Security researcher + Microsoft |
| Perceived benefit | Financial gain | System protection |
| Urgency mechanism | Limited-time offer | Active exploitation threat |
Technical Sophistication Markers
Campaign #2 improvements:
- Fake CVE construction: `CVE-2026-40271-64398`
  - Format: not a valid CVE ID. Real IDs are `CVE-YYYY-NNNN...`: a four-digit year, then a single sequence number of four or more digits (five-digit sequences are routine). The trailing `-64398` is a third component the scheme does not have.
  - Verification: a search of the CVE database returns no such entry, and a malformed ID can never resolve there.
  - Red flag: an ID is quoted but no vendor advisory, release note or NVD record backs it.
- Version number manipulation: `[1.05.0-1.112.4]`
  - `1.05.0` is not how VS Code numbers releases; minor versions are never zero-padded.
  - `1.112.x` is ahead of the stable release that was current when the email arrived (the author cites 1.98.x; check code.visualstudio.com/updates for today's number), so the "install 1.112.5" instruction can only be satisfied through the attacker's link.
  - Real Microsoft advisories use specific, current version ranges.
- Attribution fabrication: "Nathaniel Pemberton, Precision Algorithmics"
  - "Precision Algorithmics" appears in AI/ML consulting contexts (see references); borrowing a real company name lends credibility.
  - No security researcher by this name appears in disclosed vulnerability databases.
  - Naming a finder is a credibility layer that real advisories carry and the airdrop lure lacked.
- Platform targeting: "Microsoft Windows only"
  - Excludes macOS/Linux users, who may be more security-conscious, and narrows the lure to a single installer format.
  - Consistent with Lazarus Group's large Windows toolset, although the group also fields macOS malware (AppleJeus, see references), so this is weak evidence on its own.
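The identifier and version checks above can be scripted. The Python below is an added example written for this page, not code from the original analysis or from any vendor: it pulls CVE-looking tokens and version strings out of an advisory email and flags the malformations just described. The sample text is the Campaign #2 excerpt quoted earlier; `CURRENT_STABLE` is an assumption that must be replaced with the release shown at code.visualstudio.com/updates before running this against live mail.

```python
"""Heuristic triage of a security-advisory email: validate CVE-looking identifiers
and version strings against the formats real advisories use."""
import re

# Real CVE IDs: "CVE-<year>-<sequence>", exactly two hyphens, sequence of 4+ digits
# (five-digit and longer sequences have been valid since 2014).
CVE_ID = re.compile(r"^CVE-(\d{4})-(\d{4,})$")
# Loose pattern that also catches malformed variants such as CVE-2026-40271-64398.
CVE_LIKE = re.compile(r"\bCVE-\d{4}(?:-\d+)+\b")
# MAJOR.MINOR.PATCH tokens as VS Code prints them.
VERSION_LIKE = re.compile(r"\b\d+\.\d+\.\d+\b")


def check_cve_id(token: str, current_year: int) -> list[str]:
    """Red flags for one CVE-looking token; an empty list means syntactically plausible."""
    m = CVE_ID.match(token)
    if not m:
        return [f"{token}: malformed, real IDs are CVE-YYYY-NNNN... with exactly two hyphens"]
    year = int(m.group(1))
    if not 1999 <= year <= current_year:
        return [f"{token}: assignment year {year} is outside 1999..{current_year}"]
    return []


def check_version(version: str, current_stable: tuple[int, int, int]) -> list[str]:
    """Red flags for a version string quoted in an advisory about VS Code."""
    flags = []
    parts = version.split(".")
    for part in parts:
        if len(part) > 1 and part.startswith("0"):
            flags.append(f"{version}: zero-padded component '{part}' is not how VS Code numbers releases")
    if tuple(int(p) for p in parts) > current_stable:
        current = ".".join(map(str, current_stable))
        flags.append(f"{version}: ahead of the current stable release {current} (a fix that does not exist yet)")
    return flags


def triage_advisory(text: str, current_year: int, current_stable: tuple[int, int, int]) -> list[str]:
    """Collect every red flag found in the advisory text."""
    flags = []
    for token in sorted(set(CVE_LIKE.findall(text))):
        flags.extend(check_cve_id(token, current_year))
    for version in sorted(set(VERSION_LIKE.findall(text))):
        flags.extend(check_version(version, current_stable))
    return flags


# Constructed sample input: the relevant lines of the Campaign #2 email quoted above.
FAKE_ADVISORY = """\
Impact: CVE-2026-40271-64398
At-Risk Versions: [1.05.0-1.112.4]
Install to the [1.112.5 or later] without delay"""

# Assumption for this example only (the figure the article cites); replace it with the
# version shown at code.visualstudio.com/updates before triaging a real email.
CURRENT_STABLE = (1, 98, 0)

if __name__ == "__main__":
    for flag in triage_advisory(FAKE_ADVISORY, current_year=2026, current_stable=CURRENT_STABLE):
        print("RED FLAG:", flag)
```

Run against the sample, the script reports four flags: the malformed CVE ID, the zero-padded `1.05.0`, and the two `1.112.x` versions that lie ahead of the assumed stable release. A genuine advisory quoting `CVE-2021-44228` and a shipped version produces none.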
Infrastructure Analysis
Both campaigns share core infrastructure patterns:
| Element | Campaign #1 | Campaign #2 |
|---|---|---|
| Initial redirect | share.google/eGzdhAucWKKcwkZi9 | share.google/N3NwdcmyaYu9kwZ6D |
| Legitimate service abuse | Google Share | Google Share |
| Purpose | Bypass email filters, appear trustworthy | Same technique, different path |
| Target overlap | @toxy4ny present in both lists | Same target list reused; consistent with one actor refining its targeting |
Possible payloads behind the Campaign #2 link (not retrieved or analyzed for this article; these are hypotheses drawn from the pretext):
- A trojanized VS Code installer (modified binary with a backdoor)
- An in-memory dropper delivering a commodity stealer (Lumma Stealer, Vidar) or custom Lazarus tooling; a commodity stealer would weigh toward the alternative hypotheses below
- A malicious extension (.vsix) sideloaded by the installer, echoing the lure's own "malicious extensions" wording
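Tracing a share link's redirect chain hop by hop, without letting a client follow it blindly, is the first step in the infrastructure analysis above. The Python below is an added example, not the author's tooling: `http_location` issues single HEAD requests and refuses to follow redirects, `resolve_chain` walks the hops with a loop guard, and `defang` renders the result for a report. The demo runs offline against a constructed table that contains the one hop the article reports for Campaign #1 (share.google → token-claw.xyz; the landing path is assumed) plus an assumed example.test loop to exercise the guard.

```python
"""Hop-by-hop redirect tracing for suspicious share links, with defanged output for reports."""
import urllib.error
import urllib.request
from urllib.parse import urljoin, urlsplit


class _NoRedirect(urllib.request.HTTPRedirectHandler):
    """Refuse to follow redirects so each hop is recorded rather than silently chased."""

    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None


def http_location(url: str, timeout: float = 10.0):
    """One HEAD request; returns the Location header on a 3xx response, else None.
    This touches the network: run it only from an isolated analysis host."""
    opener = urllib.request.build_opener(_NoRedirect)
    req = urllib.request.Request(url, method="HEAD", headers={"User-Agent": "Mozilla/5.0"})
    try:
        with opener.open(req, timeout=timeout) as resp:
            return resp.headers.get("Location")
    except urllib.error.HTTPError as err:
        # With redirects disabled, urllib surfaces 3xx responses as HTTPError.
        return err.headers.get("Location") if 300 <= err.code < 400 else None


def resolve_chain(url: str, fetch_location=http_location, max_hops: int = 6) -> list:
    """Return the list of URLs visited, starting with `url`.
    Relative Location values are resolved against the previous hop. The walk stops at
    max_hops, or when a URL repeats (a redirect loop); the repeated URL is appended once
    so the loop is visible in the output."""
    chain, seen = [url], {url}
    for _ in range(max_hops):
        location = fetch_location(chain[-1])
        if not location:
            break
        nxt = urljoin(chain[-1], location)
        chain.append(nxt)
        if nxt in seen:
            break
        seen.add(nxt)
    return chain


def defang(url: str) -> str:
    """hxxps://host[.]tld/path form so the indicator cannot be clicked from a report."""
    p = urlsplit(url)
    scheme = p.scheme.replace("http", "hxxp")
    host = p.netloc.replace(".", "[.]")
    return f"{scheme}://{host}{p.path}" + (f"?{p.query}" if p.query else "")


# Constructed stand-in for the network so the example runs offline. The first entry is
# the hop the article reports for Campaign #1 (landing path assumed); the example.test
# entries are an assumed redirect loop, not observed data.
CONSTRUCTED_HOPS = {
    "https://share.google/eGzdhAucWKKcwkZi9": "https://token-claw.xyz/",
    "https://example.test/a": "/b",
    "https://example.test/b": "/a",
}


def constructed_location(url: str):
    """Offline replacement for http_location backed by CONSTRUCTED_HOPS."""
    return CONSTRUCTED_HOPS.get(url)


if __name__ == "__main__":
    for start in ("https://share.google/eGzdhAucWKKcwkZi9", "https://example.test/a"):
        hops = resolve_chain(start, fetch_location=constructed_location)
        print(" -> ".join(defang(h) for h in hops))
```

To trace a live link, call `resolve_chain(url)` with the default fetcher from a sandboxed host; the `max_hops` cap and the loop guard keep a hostile chain from spinning the client indefinitely, and HEAD requests avoid pulling the landing page's JavaScript.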
Attribution Assessment
Lazarus Group Indicators
| TTP | Evidence | Confidence |
|---|---|---|
| Developer targeting | GitHub-centric campaigns | High |
| Cryptocurrency focus | Campaign #1 wallet drainer | High |
| Legitimate service abuse | Google Share redirects | Medium |
| Fast-burn infrastructure | 7-day campaign lifecycle | High |
| East Asian English patterns | Grammar errors ("no customer permission", "result to") | Low |
| Supply chain interest | VS Code targeting aligns with historic npm/VS Code attacks | High |
None of these indicators is unique to Lazarus Group, and the grammar and tempo rows would fit many non-native-speaker crews; the attribution rests on TTP overlap, with no infrastructure or malware overlap established here.
Alternative Hypotheses
While Lazarus Group is the primary suspect, the rapid tactical evolution could indicate:
- Affiliate model: a harvested GitHub contributor list shared or sold between operators, so the two emails need not come from one team
- Copycat actors: Emulation of disclosed Lazarus methodologies
- State-sponsored competition: Other nation-state actors adopting similar TTPs
Detection and Mitigation
For Developers
Immediate indicators of fake security advisories:
- CVE verification: always look the ID up at cve.org (or cve.mitre.org) and nvd.nist.gov; an ID with a third hyphenated component, like the one above, is malformed and will not resolve anywhere.
- Source validation: real Microsoft advisories originate from:
  - https://msrc.microsoft.com/
  - https://code.visualstudio.com/updates
  - Official GitHub Security Advisories (not issue mentions)
- Grammar analysis: legitimate security teams have editorial review. Errors like:
  - "no customer permission" → "without customer permission"
  - "result to" → "result in"
  - "fix promptly" → "apply the fix promptly"
GitHub-specific protections (review these pages after any suspicious notification):
```text
# Review apps with access to your account
https://github.com/settings/applications
# Check recent security events
https://github.com/settings/security-log
# Audit repository access
https://github.com/settings/repositories
# Revoke personal access tokens you do not recognize
https://github.com/settings/tokens
```
For Security Teams
Network indicators to block:
| Type | Indicator | Campaign |
|---|---|---|
| URL | share.google/eGzdhAucWKKcwkZi9 | #1 |
| URL | share.google/N3NwdcmyaYu9kwZ6D | #2 |
| Domain | token-claw.xyz | #1 |
| Domain | watery-compost.today | #1 |
| Wallet | 0x6981E9EA7023a8407E4B08ad97f186A5CBDaFCf5 | #1 |
| Fake CVE | CVE-2026-40271-64398 | #2 |
Block the two share.google paths, not the share.google host, which carries legitimate traffic; the wallet address and the fake CVE string are search and alerting indicators rather than network blocks.
Detection rules:
```yaml
# Sigma rule for the GitHub developer phishing described above
title: Lazarus GitHub Phishing Email Indicators
status: experimental
description: >
  Email bodies that pair a share.google redirect with one of the lure patterns seen in the
  OpenClaw airdrop and fake VS Code CVE campaigns. Requiring the redirect AND a lure phrase
  keeps ordinary GitHub notification mail and unrelated share.google links from matching.
logsource:
    category: email
detection:
    selection_redirect:
        body|contains: 'share.google'
    selection_lure_airdrop:
        body|contains: 'OpenClaw'
    selection_lure_cve:
        body|contains: 'CVE-2026-40271'
    selection_lure_urgency:
        body|contains|all:
            - 'Emergency measure required'
            - 'Visual Studio Code'
            - 'without delay'
    condition: selection_redirect and 1 of selection_lure_*
falsepositives:
    - Legitimate discussion of the OpenClaw project or of this campaign that includes a share.google link
level: high
```
The earlier draft of this rule listed `sender|contains: 'notifications@github.com'` as one more OR-ed selection term, which would have alerted on every genuine GitHub notification; the sender is better kept as an enrichment field than as a match term.
For VS Code Users
Verify update authenticity:
- Never install updates from email links
- Use the in-app update mechanism: Help → Check for Updates (or let the built-in updater run)
- Verify installer signatures before running anything downloaded manually:
```powershell
# Windows: the signature must be Valid and the signer must be Microsoft Corporation
$sig = Get-AuthenticodeSignature ".\VSCodeSetup-x64-1.xx.x.exe"
$sig.Status                       # expect: Valid
$sig.SignerCertificate.Subject    # expect: CN=Microsoft Corporation, ...
```
```sh
# macOS: show the signing identity (Authority= lines should name Microsoft Corporation)
codesign -dv --verbose=4 /Applications/Visual\ Studio\ Code.app
# and confirm Gatekeeper accepts the bundle
spctl --assess --type execute -vv /Applications/Visual\ Studio\ Code.app
```
The Bigger Picture
This 7-day tactical pivot reveals critical insights about modern APT operations:
A/B testing on live targets: The same victim pool (overlapping GitHub usernames) received both campaigns, suggesting deliberate testing of emotional triggers.
Platform trust exploitation: Both campaigns abuse legitimate platforms (Google Share, GitHub notifications) to bypass security controls.
Developer-specific targeting: Moving from generic crypto scams to development tool compromises indicates intelligence collection on software supply chains.
Rapid adaptation: Seven days between campaigns demonstrates operational tempo and resource availability consistent with state-sponsored actors.
Conclusion
The evolution from "free money" to "your system is vulnerable" represents a sophisticated understanding of developer psychology. While airdrop scams rely on victims suspending disbelief for financial gain, fake CVEs exploit the professional responsibility developers feel toward security.
Key takeaways:
- Verify all security advisories through official channels
- Google Share links in "urgent" emails are red flags
- Cross-reference CVEs in official databases before acting
- Report suspicious GitHub notifications to GitHub Support
The same threat actor targeting the same users with different pretexts within one week indicates persistent, resource-backed interest in the developer community. Stay vigilant, verify independently, and remember: legitimate security teams never distribute patches via Google Share.
Timeline of Events
| Date | Event |
|---|---|
| 2026-03-19 | OX Security publishes analysis of similar campaigns (see references) |
| 2026-03-20 | OpenClaw airdrop phishing email received |
| 2026-03-27 | Fake VS Code CVE phishing email received |
| 2026-03-27 | This analysis published |
References
- OX Security / Yahoo Tech. "OpenClaw Developers Lured in GitHub Phishing Campaign Targeting Crypto Wallets." March 19, 2026. https://tech.yahoo.com/cybersecurity/articles/openclaw-developers-lured-github-phishing-050725568.html
- CVE Program (MITRE). CVE Database Search. https://cve.mitre.org/cve/
- Precision Algorithmics (legitimate entity, no affiliation with the phishing campaign). https://www.precisionalgorithmics.com/
- CISA. "North Korean State-Sponsored Cyber Actors Use AppleJeus Malware Targeting Crypto Exchanges." https://www.cisa.gov/news-events/cybersecurity-advisories
- Socket.dev. "Lazarus Group's Deceptive Tactics: Malicious npm Packages and Social Engineering." https://socket.dev/blog/lazarus-group-deceptive-tactics-malicious-npm-packages-and-social-engineering
Have you received similar phishing attempts? Share sanitized indicators in the comments to help protect the community.
Stay safe. Verify everything. Trust no email.