Infamous hacker group Lazarus, specialized in stealing bitcoin and usually associated with North Korea, has evolved even further in terms of its methodology.

According to cybersecurity firm Kaspersky Lab’s latest statement, hackers are currently creating whole infrastructures and fake companies to get their hands on users’ and businesses’ bitcoin.

With a new wave of malware attacks—dubbed “Operation AppleJeus Sequel”—Lazarus is reportedly developing and launching numerous fake websites (mostly likely created using free templates found in abundance on the Internet) that are masquerading as cryptocurrency trading platforms or ICOs. Yet, instead of useful applications, links on these sites lead to malicious software and phony Telegram channels that distribute it.

One example of such malware is UnionCryptoTrader, which is portrayed as a trading platform for smart cryptocurrency arbitrage but steals users’ confidential data instead.

Furthermore, Lazarus hackers also stepped up their game in terms of software. For example, they registered a nonexistent company to deliver malicious files to macOS users and added an authentication mechanism that allows to secretly transfer private information.

Lazarus’s new malware is now capable of loading in devices’ memory (RAM) exclusively, bypassing hard drives. This makes it more dangerous.

Taking aim at Telegram

Kaspersky’s experts stated that Telegram—a privacy-focused chat app popular among crypto enthusiasts—is becoming one of the most prevalent platforms that Lazarus uses for attacks. As a result, links to malicious Telegram groups can be found on most of the fake websites.

While Telegram was identified as a means to deliver Lazarus payload only recently, some of the groups uncovered were created as back as December 2018.

“We can observe that since the initial appearance of Operation AppleJeus, the authors have significantly changed their style. We assume that these types of attacks on the cryptocurrency business will continue and will become more thoughtful,” analysts warned.

Kaspersky Lab has also identified the victims of “Operation AppleJeus Sequel”—individual users as well as businesses—from the UK, Poland, Russia and China. The estimated amount of stolen bitcoin was not disclosed.

As Decrypt reported back in September 2019, the Trump administration announced sanctions against three North Korean hacking groups, dubbed Lazarus Group, Bluenoroff and Andarie, which are allegedly controlled by the North Korean government and responsible for a number of malicious cyberattacks in recent years.

Prior to that, North Korea had publicly denied the UN report linking it to a $2 billion hacking campaign, with a spokesperson from the National Coordination Committee of the DPRK for Anti-Money Laundering and Countering the Financing of Terrorism calling the accusations a “sheer lie.”