Analysis Summary

The Lazarus Group, a North Korea-linked APT, is conducting an active campaign targeting professionals in the cryptocurrency and travel sectors through fake LinkedIn job offers. The attack begins with a fraudulent recruiter reaching out via social media, luring victims with attractive remote job opportunities. Once interest is expressed, the attacker requests a CV or GitHub repository link, exploiting these details for reconnaissance and to establish credibility.

According to the Researcher, The next phase involves directing the victim to a GitHub or Bitbucket repository containing a supposed decentralized exchange (DEX) project which actually hosts an obfuscated script that retrieves a JavaScript-based information stealer. This stealer is designed to extract data from cryptocurrency wallet extensions in the victim’s browser while also acting as a loader for a Python-based backdoor.

The infection chain demonstrates significant overlap with a previously identified attack cluster known as Contagious Interview (also called DeceptiveDevelopment and DEV#POPPER). The researcher's analysis suggests that this cluster employs a JavaScript stealer named BeaverTail and a Python-based malware called InvisibleFerret. The stealer first extracts browser data before deploying additional payloads. The Python malware ultimately delivers a .NET-based binary capable of launching a Tor proxy server for secure C2 communications, exfiltrating system data, logging keystrokes, stealing credentials, and deploying a cryptocurrency miner. These multi-stage attacks highlight the continuous evolution of Lazarus Group’s tactics, with each iteration introducing new techniques and obfuscation methods.

Researchers revealed that the malware infection chain is highly sophisticated, leveraging multiple programming languages and complex obfuscation strategies. The attackers use layered Python scripts that recursively decode and execute themselves, JavaScript stealers that act as initial payloads, and .NET-based stagers that can disable security tools and configure Tor proxies. Reports from LinkedIn and Reddit confirm that the campaign is widespread, with minor variations in tactics. In some cases, victims are asked to clone a Web3 repository and run it locally as part of a supposed interview, while others are tasked with fixing intentionally embedded code flaws. This social engineering approach ensures that the malware is executed by the victim without raising immediate suspicion.

A key element of this operation is the use of GitHub and Bitbucket repositories to distribute the malware. One such repository, "miketoken_v2," has been removed, but Bitdefender believes similar repositories continue to be used under different names. The ongoing campaign also aligns with SentinelOne’s recent discovery of a new malware variant, FlexibleFerret, being deployed through the same attack vector. The Lazarus Group's ability to constantly refine its methods makes these job scam campaigns particularly dangerous, as they exploit trust within professional networks to gain access to sensitive financial and system information.

Impact

• Sensitive Credential Theft
• Crypto Theft
• Financial Loss

Remediation

• Always cross-check recruiter profiles and job offers on LinkedIn and other professional platforms. Be cautious of unsolicited messages promising high-paying remote jobs.
• Never clone or execute code from unknown or unverified GitHub or Bitbucket repositories, especially during job interviews.
• Avoid sharing your CV, GitHub repository, or other personal details with unverified recruiters, as they may be used for reconnaissance.
• Protect online accounts, including GitHub and cryptocurrency wallets, with MFA to reduce unauthorized access risks.
• Deploy advanced endpoint detection and response (EDR) solutions to identify and block suspicious scripts and malware execution.
• Check for unusual outbound connections, especially to suspicious domains like api.npoint[.]io or Tor-related IP addresses.
• Regularly inspect browser extensions and system scripts for signs of obfuscated JavaScript or Python-based malware.
• Look for unexpected .NET processes or Tor proxy services running on the system, as they indicate potential compromise.
• Subscribe to cybersecurity threat feeds to stay updated on newly discovered tactics and malware signatures used by the Lazarus Group.
• If an infection is suspected, disconnect the affected device from the network immediately to prevent lateral movement.
• Use updated security tools to scan and remove malware, including JavaScript stealers and Python-based implants.
• Reset passwords for all potentially compromised accounts, particularly cryptocurrency wallets and development platforms.
• If GitHub or other repositories were accessed, revoke any associated API tokens to prevent further exploitation.
• Notify IT security teams and relevant cybersecurity agencies about the attack to help mitigate further risks.