Lazarus Group Evolves: From Fake Airdrops to Fake CVEs — New GitHub Phishing Wave


via Dev.to Webdev · KL3FT3Z

Analysis of Lazarus Group's tactical evolution: from OpenClaw token scams to fake VS Code security advisories. Full email breakdown, technical indicators, and detection strategies.

How North Korean APT pivots from greed-based to fear-based social engineering in under one week

The Evolution Timeline

March 20, 2026: I received a sophisticated phishing email impersonating the OpenClaw project, offering a fake cryptocurrency airdrop to GitHub contributors.

March 27, 2026: Exactly seven days later, the same threat actor (attributed to Lazarus Group based on TTPs) returned with a fundamentally different psychological approach — this time exploiting fear rather than greed.

This article analyzes both campaigns to demonstrate how quickly APT groups adapt their tactics and why developers must remain vigilant against multiple attack vectors.

Campaign #1: The OpenClaw Airdrop (Greed Vector)

Full email content (March 20, 2026):

Thank you for your contributions on GitHub. We assesse
