{"id":45319,"date":"2026-04-11T07:52:54","date_gmt":"2026-04-10T23:52:54","guid":{"rendered":"https:\/\/nuoya.nuoyayasuo.top\/index.php\/2026\/04\/11\/graphalgo-scam-lazarus-hackers-register-real-us-llcs-to-spread-malware\/"},"modified":"2026-04-11T07:52:54","modified_gmt":"2026-04-10T23:52:54","slug":"graphalgo-scam-lazarus-hackers-register-real-us-llcs-to-spread-malware","status":"publish","type":"post","link":"https:\/\/nuoya.nuoyayasuo.top\/index.php\/2026\/04\/11\/graphalgo-scam-lazarus-hackers-register-real-us-llcs-to-spread-malware\/","title":{"rendered":"GraphAlgo Scam: Lazarus Hackers Register Real US LLCs to Spread Malware"},"content":{"rendered":"\n

Cybersecurity researchers at ReversingLabs have found a new scam targeting blockchain<\/a> developers with fake job offers. Their research, shared with Hackread.com, reveals that hackers are now registering real legal companies in the US to trick their victims.<\/p>\n

The Florida Connection<\/strong><\/h3>\n

The hackers, part of the North Korea-linked Lazarus Group, are running what researchers have dubbed the graphalgo campaign, where they have gone to great lengths to create legitimacy. To look like a real business, they registered a company called Blocmerce as a legal LLC in Florida last August, set up accounts that mimic the legitimate firm SWFT Blockchain, and even ran fake operations under the names Blockmerce and Bridgers Finance.<\/p>\n

\n
\"GraphAlgo<\/a>
(Credit: ReversingLabs)<\/figcaption><\/figure>\n<\/p><\/div>\n

That\u2019s not all. They even filed official state papers listing a fake CEO named Alexandre Miller. Although the addresses in the filings were real locations, ReversingLabs\u2019 investigation revealed that they belonged to innocent residents. “It is more likely that these are fake (or stolen) identities,” researchers noted in the blog post,<\/a> pointing out that it is a tactic frequently <\/a>used by North Korean<\/a> state actors.<\/p>\n

\n
\"GraphAlgo<\/a>
The fake profile (Credit: ReversingLabs)<\/figcaption><\/figure>\n<\/p><\/div>\n

A Recurring Scam<\/strong><\/h3>\n

This isn’t a new scam, though. ReversingLabs first spotted and reported the GraphAlgo campaign<\/a> in February 2026 after finding that it had been active since at least June 2025. Previously, the attack relied on a fake GitHub-based crypto organisation, veltrix-capital, which installed a malicious package called bigmathutils, downloaded 10,000 times on npm.<\/p>\n

But this time, researchers noted that the hackers have improved their methods tremendously. Instead of using public stores like npm<\/a> or PyPI<\/a>, they now hide malware as \u2018release artifacts\u2019 inside GitHub<\/a>. They even used a trick called git log rewriting to fake the history of their code so that fake employees, Dmytro Buryma and Karina Lesova, look like they had been working on the projects for months. This is basically done to build a false sense of trust.<\/p>\n

The group also used typosquatting<\/a> to fool developers. In one case, they created a fake GitHub account that looked exactly like a famous developer Jordan Harband\u2019s account. They swapped the lowercase L at the start of his username, ljharb, with a capital i, which looks like Ijharb. <\/p>\n

Developers, thinking they were downloading his tool, side-channel-weakmap, were actually installing malware. The malware is a Remote Access Trojan (RAT<\/a>), installed right after a developer runs the \u2018test task.\u2019<\/p>\n

\u201cThat payload is the same RAT that we observed in the initial graphalgo campaign… The structure of the downloader code is pretty much the same as we observed in the earlier campaign, also,\u201d researchers noted.<\/p>\n