Inside Lazarus: How North Korea uses AI to industrialize attacks on developers
ID: 569e54d8-437f-5301-9dfa-e9c94464d667
STIX ID: report--569e54d8-437f-5301-9dfa-e9c94464d667
Feed Name: Expel Blog
Expel identifies and profiles "HexagonalRodent", a DPRK-linked APT subgroup that targets Web3 developers by distributing backdoored coding assessments and deploying the Node.js/Python malware families BeaverTail, OtterCookie and InvisibleFerret. The report details large-scale exfiltration (26,584 wallets taken from 2,726 developer systems, with up to $12M of value held by the exposed wallet public keys), a supply-chain compromise of a VSCode extension, active C2 infrastructure (e.g., 195.201.104.53), heavy use of generative AI in operations, and internal workforce-tracking tooling used to coordinate teams and campaigns. Detection opportunities and IoCs are provided.
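As an added example (not part of the Expel report or its IoC list), the following Python script triages a received coding-assessment repository before anything in it is installed or executed. The only indicator taken from the summary above is the C2 address 195.201.104.53; the lifecycle-script, eval/obfuscation and process-spawn heuristics, the file names and the sample repository contents are generic assumptions constructed for illustration, not descriptions of how BeaverTail, OtterCookie or InvisibleFerret actually behave.

```python
"""Static triage of a "take-home coding assessment" repo before running it."""
import json
import re
import tempfile
from pathlib import Path

# The only indicator taken from the report summary: the listed C2 address.
KNOWN_C2 = {"195.201.104.53"}
# Everything below is a generic heuristic (assumption), not report content.
LIFECYCLE_HOOKS = {"preinstall", "install", "postinstall", "prepare"}
SOURCE_SUFFIXES = {".js", ".cjs", ".mjs", ".ts", ".py", ".json"}
PATTERNS = {
    "dynamic_eval": re.compile(r"\b(?:eval|new\s+Function|exec)\s*\("),
    "process_spawn": re.compile(r"\b(?:child_process|subprocess)\b"),
    "opaque_blob": re.compile(r"['\"][A-Za-z0-9+/=]{200,}['\"]"),
    "hex_escape_run": re.compile(r"(?:\\x[0-9a-fA-F]{2}){8,}"),
}
IPV4 = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")


def scan_text(name: str, text: str) -> list[str]:
    """Return human-readable findings for one source file."""
    findings = []
    for ip in sorted(set(IPV4.findall(text))):
        if ip in KNOWN_C2:
            findings.append(f"{name}: known C2 address {ip}")
    for label, pattern in PATTERNS.items():
        for line_no, line in enumerate(text.splitlines(), 1):
            if pattern.search(line):
                findings.append(f"{name}:{line_no}: {label}")
    return findings


def scan_package_json(name: str, text: str) -> list[str]:
    """Flag npm lifecycle scripts: they run unprompted during `npm install`."""
    try:
        scripts = json.loads(text).get("scripts", {})
    except (json.JSONDecodeError, AttributeError):
        return [f"{name}: unparseable package.json"]
    if not isinstance(scripts, dict):
        return [f"{name}: malformed scripts section"]
    return [
        f"{name}: lifecycle script {hook!r} -> {scripts[hook]!r}"
        for hook in sorted(LIFECYCLE_HOOKS & set(scripts))
    ]


def scan_tree(root: Path) -> list[str]:
    """Walk a checked-out assessment repo and collect all findings."""
    findings = []
    for path in sorted(root.rglob("*")):
        if not path.is_file() or path.suffix not in SOURCE_SUFFIXES:
            continue
        if "node_modules" in path.parts:  # vendored deps are a separate review
            continue
        text = path.read_text(errors="replace")
        rel = str(path.relative_to(root))
        if path.name == "package.json":
            findings += scan_package_json(rel, text)
        else:
            findings += scan_text(rel, text)
    return findings


# Constructed sample repo: a benign task file plus a backdoored install hook.
OPAQUE = "QUJD" * 60  # 240 chars of base64-looking filler
SAMPLE_FILES = {
    "package.json": json.dumps({
        "name": "assessment-task",
        "scripts": {"test": "jest", "postinstall": "node lib/setup.js"},
    }),
    "src/task.js": "module.exports = (a, b) => a + b;\n",
    "lib/setup.js": "\n".join([
        "const cp = require('child_process');",
        f"const payload = '{OPAQUE}';",
        "eval(Buffer.from(payload, 'base64').toString());",
        "fetch('http://195.201.104.53/api');",
    ]) + "\n",
}


def demo() -> list[str]:
    """Write the constructed sample repo to a temp dir and scan it."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        for rel, content in SAMPLE_FILES.items():
            dest = root / rel
            dest.parent.mkdir(parents=True, exist_ok=True)
            dest.write_text(content)
        return scan_tree(root)


if __name__ == "__main__":
    for finding in demo():
        print(finding)
```

Run `scan_tree(Path("path/to/unpacked-assessment"))` on a copy of the repository in an isolated VM, before `npm install`, `pip install` or opening the folder in an editor that executes workspace tasks, because lifecycle scripts fire on install. Findings are leads for manual review rather than verdicts: obfuscated bundles and minified vendor code also trip the blob and hex-escape heuristics, while a clean scan says nothing about indicators the heuristics do not cover.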
