1. Executive Summary
In a financially motivated campaign attributed to the Lazarus Group’s BlueNoroff ecosystem, attackers weaponised a Google Chrome zero-day in the V8 JavaScript engine to compromise victims who merely visited a convincing “DeFi/GameFi” website masquerading as a crypto-enabled tank game. According to Kaspersky’s technical analysis of the DeTankZone campaign, the malicious site triggered remote code execution within Chrome and culminated in the deployment of the long-running Lazarus backdoor family Manuscrypt. Google patched the issue as CVE-2024-4947 in Chrome 125, and stated it was aware of in-the-wild exploitation in its release notes (Google Chrome Stable Channel Update for Desktop (15 May 2024); NVD).
This activity is particularly relevant to cryptocurrency investors and organisations with exposure to digital-asset workflows, as the lure and post-exploitation objectives focus on wallet credentials and related sensitive data (Kaspersky press release summary; BleepingComputer coverage).
2. Contextual Background
2.1 Nature of the threat
The primary vulnerability disclosed is CVE-2024-4947, a V8 type confusion flaw enabling arbitrary code execution “inside a sandbox” via a crafted HTML page (Google Chrome Stable Channel Update for Desktop (15 May 2024); NVD). Government and national CERT-style advisories also highlighted active exploitation at the time (NHS England cyber alert CC-4494; CERT-EU advisory 2024-044).
Kaspersky reports the exploit chain was delivered through detankzone[.]com, presented as an NFT/DeFi-themed online tank game, where “visiting the website was all it took” to trigger exploitation and lead to system compromise (Kaspersky Securelist report).
2.2 Threat-actor attribution
Attribution is primarily based on Kaspersky’s assessment that the activity aligns with Lazarus APT and its BlueNoroff subgroup, including use of the Manuscrypt backdoor and campaign tradecraft (Kaspersky Securelist report). Lazarus is tracked in MITRE ATT&CK as G0032.
Because “BlueNoroff” is commonly discussed as part of Lazarus’ financially motivated operations, and some vendors map related activity to clusters such as APT38, it is useful to reference MITRE’s financial-operations-aligned North Korea grouping APT38 (G0082) for broader historical context. Confidence: Likely (A2) — the reporting is strong and vendor-led, but public artefacts in the sources provided do not claim absolute exclusivity of tooling to one single Lazarus sub-team (Kaspersky Securelist report; BleepingComputer coverage).
Microsoft also discussed overlapping campaign elements and North Korean clustering in its write-up of Moonstone Sleet, which Kaspersky references as partially revealing related findings and tracking of associated sites since February 2024 (Kaspersky Securelist report).
2.3 Sector and geographic targeting
Victimology and lures are aligned to cryptocurrency investors and related individuals/organisations globally, with Kaspersky describing targeted theft of wallet credentials and spyware installation (Kaspersky press release summary). Kaspersky’s case study began with detection on a system belonging to an individual in Russia, underscoring that the campaign can reach beyond traditional enterprise-only targeting (Kaspersky Securelist report).
3. Technical Analysis
3.1 Vulnerability and TTP overview (with ATT&CK mapping)
The initial access path leveraged social engineering and web-based exploitation: victims were enticed to a polished “crypto game” site that silently loaded an exploit from within the site’s codebase (Kaspersky Securelist report). This aligns with:
- T1204.001 (User Execution: Malicious Link) — victims visit attacker-controlled content.
- T1203 (Exploitation for Client Execution) — browser exploitation to gain code execution.
- T1583.001 (Acquire Infrastructure: Domains) — attacker-owned domains hosted the lure and exploit delivery.
Kaspersky further observed that the lure included a seemingly legitimate Unity game download and referenced an API endpoint (api.detankzone[.]com) embedded in the game’s configuration (Kaspersky Securelist report). While the site itself could trigger compromise, the broader ecosystem reflects a deliberate effort to increase credibility and engagement.
3.2 Exploitation status (in the wild) and PoC considerations
Google explicitly stated it was aware of active exploitation for CVE-2024-4947 in its Chrome stable-channel release notes (Google Chrome Stable Channel Update for Desktop (15 May 2024)). National and regional advisories likewise flagged exploitation (NHS England cyber alert CC-4494; CERT-EU advisory 2024-044).
Kaspersky’s disclosure indicates the vulnerability was reported to Google on 13 May 2024 and a fix was issued in the Chrome 125 line shortly thereafter, with public reporting commonly pointing to Chrome 125.0.6422.60/.61 as the patched build (Kaspersky Securelist report; BleepingComputer coverage).
4. Impact Assessment
4.1 Severity and scope
CVE-2024-4947 is a high-severity Chrome/V8 issue that enables remote arbitrary code execution via crafted web content (NVD). In practical terms, successful exploitation can provide attackers a beachhead on user endpoints and enable follow-on malware delivery, credential theft, and persistence — particularly dangerous for high-value users with access to cryptocurrency wallets and sensitive browser-stored secrets (Kaspersky press release summary).
4.2 Victim profile
Observed targeting focuses on cryptocurrency investors and users likely to interact with DeFi/GameFi ecosystems (Kaspersky Securelist report). The campaign also demonstrates that “consumer” endpoints may be explicitly targeted when they represent high-value financial access (e.g., personal wallets, seed phrases, exchange logins).
5. Indicators of Compromise (IOCs)
5.1 IOC Table
| Type | Value | Context / Notes | Source |
|---|---|---|---|
| Domain | detankzone[.]com | Primary lure/exploit site (fake DeFi/NFT tank game). | Kaspersky Securelist report |
| Domain | ccwaterfall[.]com | Associated infrastructure linked to the campaign. | Kaspersky Securelist report |
| Hash (MD5) | B2DC7AEC2C6D2FFA28219AC288E4750C | Exploit artefact hash. | Kaspersky Securelist report |
| Hash (SHA-1) | E5DA4AB6366C5690DFD1BB386C7FE0C78F6ED54F | Exploit artefact hash. | Kaspersky Securelist report |
| Hash (SHA-256) | 7353AB9670133468081305BD442F7691CF2F2C1136F09D9508400546C417833A | Exploit artefact hash. | Kaspersky Securelist report |
| Hash (MD5) | 8312E556C4EEC999204368D69BA91BF4 | Game/lure archive hash. | Kaspersky Securelist report |
| Hash (SHA-1) | 7F28AD5EE9966410B15CA85B7FACB70088A17C5F | Game/lure archive hash. | Kaspersky Securelist report |
| Hash (SHA-256) | 59A37D7D2BF4CFFE31407EDD286A811D9600B68FE757829E30DA4394AB65A4CC | Game/lure archive hash. | Kaspersky Securelist report |
5.2 Detection guidance
- Network controls: Block and retro-hunt for DNS/HTTP(S) access to detankzone[.]com and ccwaterfall[.]com, and review proxy logs for first-seen connections that align with the campaign timeframe discussed by Kaspersky (February–May 2024) (Kaspersky Securelist report).
- Endpoint telemetry: Flag Chrome child-process anomalies following browsing sessions (especially immediate post-visit execution chains consistent with drive-by exploitation). Pair with alerting on the IOC hashes above where EDR supports file hash correlation (Kaspersky Securelist report).
- Browser version hygiene: Identify endpoints running Chrome versions prior to the patched builds (Chrome 125.0.6422.60/.61) and prioritise remediation (Google Chrome Stable Channel Update for Desktop (15 May 2024); BleepingComputer coverage).
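As an added illustration of the network and version checks above (example code written for this report, not Kaspersky's or Google's tooling), the following Python retro-hunts constructed proxy log lines for the two campaign domains, including subdomains such as api.detankzone[.]com, and tuple-compares the Chrome build in each user agent against the first patched build, 125.0.6422.60. The log layout, field order and sample entries are assumptions.

```python
"""Added example (not Kaspersky's or Google's code): retro-hunt constructed proxy
log lines for the DeTankZone campaign domains and flag Chrome builds older than
the first patched stable build, 125.0.6422.60. Log layout is an assumption."""
import re
from typing import Iterable, Optional

# Campaign domains from the report; defanged brackets are stripped for matching.
CAMPAIGN_DOMAINS = {d.replace("[.]", ".") for d in ("detankzone[.]com", "ccwaterfall[.]com")}
# First patched build per the Chrome 125 release notes (the .61 build is also patched).
PATCHED_CHROME = (125, 0, 6422, 60)

# Constructed sample log, one request per line: "<timestamp> <client_ip> <host> <user_agent>".
SAMPLE_PROXY_LOG = """\
2024-03-02T10:14:07Z 10.0.0.21 api.detankzone.com Mozilla/5.0 (Windows NT 10.0) Chrome/124.0.6367.201
2024-03-02T10:14:09Z 10.0.0.21 cdn.example.net Mozilla/5.0 (Windows NT 10.0) Chrome/124.0.6367.201
2024-05-20T08:01:33Z 10.0.0.45 ccwaterfall.com Mozilla/5.0 (Windows NT 10.0) Chrome/125.0.6422.61
2024-05-21T12:30:00Z 10.0.0.77 notdetankzone.com Mozilla/5.0 (Windows NT 10.0) Chrome/125.0.6422.60
"""
LOG_RE = re.compile(r"^(\S+) (\S+) (\S+) (.*)$")
CHROME_VER_RE = re.compile(r"Chrome/(\d+)\.(\d+)\.(\d+)\.(\d+)")


def host_matches_campaign(host: str) -> bool:
    """Match the exact domain or any subdomain (api.detankzone.com from the report).
    Compare on label boundaries so look-alikes such as notdetankzone.com do not match."""
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in CAMPAIGN_DOMAINS)


def chrome_is_vulnerable(user_agent: str) -> Optional[bool]:
    """Tuple-compare the Chrome build in a user agent against the first patched build.
    Returns None when the user agent carries no Chrome version."""
    m = CHROME_VER_RE.search(user_agent)
    if not m:
        return None
    return tuple(int(x) for x in m.groups()) < PATCHED_CHROME


def hunt(lines: Iterable[str]) -> list:
    """One finding per log line that touched campaign infrastructure, with patch state."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if m and host_matches_campaign(m.group(3)):
            ts, client, host, ua = m.groups()
            findings.append({"time": ts, "client": client, "host": host,
                             "unpatched_chrome": chrome_is_vulnerable(ua)})
    return findings
```

Feeding real proxy exports through `hunt()` only requires adapting `LOG_RE` to the local field order; the `unpatched_chrome` flag separates hosts that reached the lure while still exploitable from those that visited after updating.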
6. Incident Response Guidance
6.1 Containment, eradication, and recovery
- Contain: Isolate suspected endpoints from the network; block known malicious domains and review egress policies to reduce direct-to-internet browser exposure for high-risk users.
- Eradicate: Reimage or surgically remove confirmed malware with validated EDR tooling; rotate credentials and revoke active sessions for exchanges, wallets, password managers, and email accounts used on impacted hosts.
- Recover: Restore from known-good backups; enforce browser auto-update and enterprise policy baselines (extensions allow-listing, reduced local admin, attack surface reduction).
6.2 Forensic artefacts to collect and preserve
- Full disk image (or triage collection) and memory capture, especially if exploitation is suspected to have occurred via the browser.
- Browser artefacts: Chrome profile directory, extension inventory, download history, cache, and “Last Session/Current Session” files.
- Proxy/DNS logs for connections to campaign domains and related subdomains.
- EDR process tree and script telemetry around the time the user visited the lure site.
6.3 Lessons learned
- Assume “legitimate-looking” Web3/GameFi properties can be weaponised; treat crypto-adjacent marketing and community links as high-risk.
- Adopt rapid browser patch SLAs and validate actual installed versions (not just update policies).
7. Threat Intelligence Contextualisation
7.1 Comparison with similar incidents
BlueNoroff-aligned activity has historically blended social engineering with malware tailored for financial theft. This campaign modernises that playbook by pairing a high-end browser exploit with a high-credibility lure (a functional Unity game) to reach victims who might otherwise avoid obvious phishing (Kaspersky Securelist report). It also overlaps with broader North Korean financially motivated activity clusters described by Microsoft (Microsoft’s Moonstone Sleet analysis).
7.2 ATT&CK mapping table
| Tactic | Technique ID | Technique Name | Observed Behaviour |
|---|---|---|---|
| Resource Development | T1583.001 | Acquire Infrastructure: Domains | Attacker-controlled domains hosted lure content and exploit delivery (e.g., detankzone[.]com). |
| Initial Access | T1204.001 | User Execution: Malicious Link | Victim visits a promoted “DeFi game” site; no further interaction required for exploitation. |
| Execution | T1203 | Exploitation for Client Execution | Chrome exploit triggers code execution in the browser process via crafted web content. |
| Collection | T1005 | Data from Local System | Campaign objective includes stealing wallet credentials and user data post-compromise. |
Note: The collection objective is based on reported outcomes (spyware/wallet credential theft) rather than a fully enumerated public TTP chain in the sources above (Kaspersky press release summary).
8. Mitigation Recommendations
8.1 Hardening and best practices
- Enforce rapid browser updates and validate compliance via endpoint management reporting.
- Reduce exposure for high-risk users (crypto admins, finance staff, executives): isolate browsing, restrict untrusted web access, and use hardened browser profiles.
- Domain/IP reputation controls: block newly registered or low-reputation domains for high-risk segments; apply SSL inspection where appropriate and lawful.
8.2 Patch management advice
- Prioritise CVE-2024-4947 remediation immediately on all endpoints using Chrome/Chromium-based browsers, focusing first on users with access to financial systems and wallets.
- Patch guidance: follow Google’s Chrome 125 stable-channel security update notes and track vulnerability status via NVD.
- Operational advisories: consult regional alerts such as NHS England CC-4494 and CERT-EU 2024-044 for risk framing and enterprise prioritisation language.
9. Historical Context & Related Vulnerabilities
This campaign reinforces a recurring pattern: high-value financial targeting paired with advanced initial access methods. While Lazarus/BlueNoroff operations have historically leveraged phishing and bespoke malware, the DeTankZone activity shows willingness to spend and burn a browser zero-day for access to cryptocurrency-related targets (Kaspersky Securelist report).
Related vulnerability record: CVE-2024-4947 (NVD entry).
10. Future Outlook
Expect continued convergence of high-credibility lures (AI-assisted branding, functional software, community-building on social platforms) with client-side exploitation to defeat user scepticism and bypass traditional email-focused controls (Kaspersky Securelist report). Financially motivated North Korean operators are likely to keep investing in exploit chains that reduce the need for victim interaction—particularly when targeting individuals holding digital assets.
11. Further Reading
- Vendor & vulnerability: Google Chrome Stable Channel Update for Desktop (15 May 2024); NVD entry for CVE-2024-4947
- Primary CTI reporting: Kaspersky Securelist: “The Crypto Game of Lazarus APT: Investors vs. Zero-days”
- Summaries & operational write-ups: Kaspersky press release summary; BleepingComputer coverage
- Government/CERT advisories: NHS England cyber alert CC-4494; CERT-EU advisory 2024-044
- Threat actor context: MITRE ATT&CK: Lazarus Group (G0032); MITRE ATT&CK: APT38 (G0082); Microsoft: Moonstone Sleet analysis
