Lazarus Group exploits Chrome flaw with fake NFT game

The North Korean Lazarus Group has leveraged a zero-day vulnerability in Google’s Chrome browser to install spyware via a fraudulent blockchain-based game. 

Kaspersky Labs analysts identified the exploit in May and subsequently notified Google, which has since resolved the issue. 

The fake play-to-earn multiplayer online battle arena game, named DeTankZone or DeTankWar, was fully functional and promoted on platforms like LinkedIn and X. 

It featured non-fungible tokens (NFTs) as tanks in a global competition, enticing users to participate. 

However, even those who did not download the game were at risk, as the hackers infected users directly through the game’s website. 

This operation mirrored the existing DeFiTankLand project. 

Utilising malware known as Manuscrypt, the Lazarus Group took advantage of a new type confusion bug in the V8 JavaScript engine, marking it as the seventh zero-day vulnerability discovered in Chrome in 2024 by mid-May. 

Kaspersky's principal security expert Boris Larin commented, “The significant effort invested in this campaign suggests they had ambitious plans, and the actual impact could be much broader, potentially affecting users and businesses worldwide.” 

Microsoft Security first detected the fake game in February, but by the time Kaspersky could analyse it, the hackers had already removed the exploit from their website. 

Despite this, Kaspersky informed Google, which promptly patched the vulnerability, preventing further exploitation. 

Zero-day vulnerabilities can take the vendor by surprise, lacking any ready patches, which in this case led to a 12-day period before Google could fix the issue. 

This incident follows another instance earlier in the year where a different North Korean hacker group exploited a similar vulnerability targeting cryptocurrency holders. 

The Lazarus Group has a history of engaging in cybercrime, having laundered over $200 million in cryptocurrency from various hacks between 2020 and 2023. 

The group is also linked to the 2022 attack on Ronin Bridge, which netted over $600 million in crypto, according to the U.S. Treasury Department. 

Overall, North Korean hackers have reportedly stolen more than $3 billion in crypto from 2017 to 2023.