Operation 99: North Korea’s Cyber Assault on Software Developers
ID: 38fac0a5-5f09-5ec3-884c-e3a1fb150c18
STIX ID: report--38fac0a5-5f09-5ec3-884c-e3a1fb150c18
Feed Name: SecurityScorecard Blog
SecurityScorecard STRIKE uncovered 'Operation 99', a January 2025 Lazarus Group campaign that lures software developers with fake recruiter profiles and malicious GitLab repositories to deploy modular, cross-platform implants (Main99/Main5346, Payload99/73, Brow99/73, MCLIP). The implants enable browser credential theft, clipboard and keylogging exfiltration, file theft, and persistent C2 connectivity via heavily obfuscated Python servers hosted by a front company; the campaign targets source code, secrets, and cryptocurrency wallet keys, posing a high supply-chain and financial risk to developer ecosystems.
