North Korea Tried to Hack Our CEO Through a Fake Job Interview on LinkedIn
Summary:
This report from AllSecure details a highly targeted social engineering and malware campaign attributed to Lazarus Group. While the report notes that those in the crypto/Web3 industry face a constant stream of fake as well as legitimate recruiter DMs, Lazarus Group recently targeted the CEO of the AllSecure cybersecurity firm (the author of this report) with a weaponized VS Code coding assessment; the AllSecure team then cloned the repository into an isolated VM for investigation. This incident indicates that Lazarus Group is actively expanding its targeting to high-level executives, founders, and technical leaders across the broader technology and cybersecurity industries. The threat actors use polished LinkedIn recruiter personas and fake job interviews to deliver malicious coding assessments. The attack relies on a weaponized Bitbucket repository disguised as a legitimate decentralized gaming platform. Once the victim interacts with it (opening the folder or running npm install), the repository deploys a multi-stage Node.js infection chain that exfiltrates sensitive environment variables, establishes in-memory persistence, and deploys secondary theft modules targeting cryptocurrency wallets and credentials. The operators demonstrate advanced operational security, including active victim triage, IP blocklisting, and the potential use of real-time deepfake technology or stolen identities during live video interviews.
Security Officer Comments:
The campaign begins with a social engineering phase in which the attackers identify high-value targets on LinkedIn. Using fabricated recruiter profiles, such as the observed "Nazar" persona, which is either a stolen identity obtained through LinkedIn account hijacking or a real-time deepfake, they solicit candidates for fictitious roles at a fabricated company. The previously documented use of real-time face-swapping technology in DPRK operations, combined with the mismatch between the voice of the real Pedro Ayala in a public video and the voice on the observed scam call, likely indicates the use of a real-time deepfake. Targets are directed to a technical assessment requiring them to clone a specific Bitbucket repository and open it strictly using VS Code or Cursor.
The malicious repository is a weaponized fork of an open-source project from 2015. It houses three independent infection vectors to ensure compromise:
- VS Code Auto-Execute: A hidden .vscode/tasks.json file uses the "runOn": "folderOpen" run option to execute a malicious command the moment the project folder is opened, requiring no further user interaction.
- npm Install Hook: The package.json file contains a malicious prepare lifecycle hook that silently initiates a background server during the standard npm install process.
- Route Injection & Environment Theft: A route file disguised as standard authentication logic captures the victim's process.env data, exfiltrating all local API keys, secrets, and tokens to a Vercel-hosted endpoint before executing code returned by the server.
Following approximately three beacons, the C2 delivers the "RAT Bootstrap" (Stage 2). This 19 KB payload reconstructs a complete Node.js application from 728 obfuscated string fragments and spawns the reconstructed code as a detached, hidden process that survives terminal closure. This establishes the "Persistent C2 Agent" (Stage 3), which runs entirely in memory and continues to beacon every five seconds to receive arbitrary JavaScript for execution. If the attackers validate the victim, they deploy Stage 4 "Theft Modules." Based on previously documented CTI on Lazarus Group, this involves deploying InvisibleFerret and OtterCookie modules to steal browser passwords, MetaMask crypto wallets, and SSH keys, alongside enabling keylogging, clipboard monitoring, and XMRig crypto mining. The operators actively monitor their infrastructure: during analysis, connections from AWS datacenter IPs were immediately blocked via a kill command, demonstrating strict triage based on IP reputation and system fingerprints. The primary C2 server is hosted on a Windows VPS provided by EuroHoster, a known DPRK C2 hosting provider. The attackers heavily abuse Vercel for payload delivery and data exfiltration, taking advantage of its free hosting, trusted TLS certificates, and ease of rotation. Git forensics indicate that the operators' commits are timestamped in Korean Standard Time.
Suggested Corrections:
Actionable Suggested Corrections:
- Disable VS Code Auto-Tasks: Immediately update VS Code user settings to block automatic task execution by adding "task.allowAutomaticTasks": "off". This neutralizes the .vscode/tasks.json initial access vector.
- Block Known Infrastructure: Add the identified C2 IP address (104[.]192[.]42[.]117) and Vercel domains (ipcheck-six.vercel[.]app) to enterprise firewalls, DNS sinkholes, and EDR blocklists.
- Monitor Node.js Spawns: Configure EDR solutions to alert on Node.js processes spawning with detached flags or ignored standard input/output streams.
- Investigate Development Directories: Hunt for unusual activity or hidden files within ~/.npm/, ~/.n2/, and ~/.n3/ directories on developer workstations.
- Credential Revocation: If compromise is suspected, immediately rotate all API keys, revoke AWS and Stripe tokens, secure cryptocurrency wallets, and rotate SSH keys. Full system reinstalls are highly recommended due to the in-memory nature of the persistence mechanisms.
- Use Isolated Environments: Mandate that all code cloned from untrusted or external sources be evaluated in disposable Virtual Machines or isolated containers devoid of sensitive corporate credentials or personal wallets.
- Inspect Package Configurations: Train engineering teams to manually inspect .vscode/ directories, .env files, and package.json scripts prior to execution.
- Safe Dependency Installation: Enforce the use of the --ignore-scripts flag (npm install --ignore-scripts) for unverified or untrusted packages to prevent malicious lifecycle hooks from firing.
- Security Awareness Training: Update social engineering training to highlight targeted recruiter scams on LinkedIn, emphasizing the risks of fake coding assessments and the potential use of deepfake technologies in video interviews.
Link(s):
https://www.allsecure.io/blog/lazarus-linkedin-attack/