Researchers have linked the Lazarus hacker gang, which is supported by the North Korean government, to a recent cyber espionage effort that targeted energy companies in the United States, Canada, and Japan.
Cisco Talos, a threat intelligence firm, reported on Thursday that it has seen Lazarus, also known as APT38, aiming its attacks against unidentified energy companies in the United States, Canada, and Japan between February and July. Cisco found that the attackers gained initial access to the victim’s enterprise network through publicly accessible VMware Horizon servers by exploiting a vulnerability in Log4j called Log4Shell. From there, they deployed custom malware like “VSingle” and “YamaBot” to maintain their presence in the network. Japan’s CERT, the country’s primary cyber emergency response agency, has recently linked YamaBot to the Lazarus APT.
As Symantec reported in April, “Stonefly,” another North Korean hacker outfit with certain parallels to Lazarus, was likely responsible for this espionage operation.
However, Cisco Talos also uncovered a remote access trojan (RAT) known as “MagicRAT,” which is associated with the Lazarus Group and is used by the hackers for reconnaissance and credential theft.
“The main goal of these attacks was likely to establish long-term access into victim networks to conduct espionage operations in support of North Korean government objectives,” wrote Talos researchers Jung soo An, Asheer Malhotra and Vitor Ventura. “This activity aligns with historical Lazarus intrusions targeting critical infrastructure and energy companies to establish long-term access to siphon off proprietary intellectual property.”
Known for its financial motivation, the Lazarus Group is best known for the high-profile Sony breach in 2016 and the WannaCry ransomware campaign in 2017. Both attacks were supported by the North Korean government. Lazarus is also motivated by efforts to aid official North Korean goals, such as military R&D and dodging international sanctions.
But in recent months, the group’s focus has shifted to blockchain and cryptocurrency firms.
In addition to the 625 million in cryptocurrency stolen from the Ronin Network, an Ethereum-based sidechain developed for the popular play-to-earn game Axie Infinity, it has been linked to the recent loss of 100 million in crypto assets from Harmony’s Horizon Bridge.
For quite some time, Pyongyang has relied on the illegal sale of stolen bitcoin and the sale of other stolen data to fund its nuclear weapons programme.
Two months ago, the United States doubled its reward for information leading to the arrest of members of state-sponsored North Korean threat organisations like Lazarus to 10 million. In April, the State Department made a statement.