The Gopuram backdoor: a second stage implant specifically targeting cryptocurrency companies

In March 2023, a supply chain attack targeting 3CX was observed by the Russian cybersecurity firm Kaspersky. The attack deployed a second-stage implant that specifically singled out a small number of cryptocurrency companies. The versatile backdoor, named Gopuram, has been tracked internally by Kaspersky since 2020. Gopuram's primary function is to connect to a command-and-control (C2) server and await further instructions, which allow the attackers to interact with the victim's file system, create processes, and launch as many as eight in-memory modules. The Lazarus Group, a North Korean threat actor, is thought to be behind the attack because of the backdoor's links to North Korea and the targeting of cryptocurrency companies. The group has a recurring focus on the financial industry as a way to generate illicit profits for the sanctions-hit nation. The highest infection rates have been detected in Brazil, Germany, Italy, and France.