North Korean hackers offer fake jobs to distribute malware

Lazarus, a state-sponsored hacker group based in North Korea, now uses open-source software and creates fake jobs to distribute malware, Microsoft says.

The well-known group of hackers targets many key industry sectors such as technology, media entertainment and defense and uses many different types of software to carry out these attacks.


The next time you get a message on LinkedIn, be careful. Microsoft warns that the North Korea-based threat group is actively using open source software infected with trojans to attack industry professionals. Microsoft has determined that these social engineering attacks started in late April and lasted until at least mid-September.

Lazarus, also known as ZINC, Labyrinth Chollima and Black Artemis, is a state-sponsored military hacking group from North Korea. It is said to have been in business since 2009 and has been responsible for several major attacks since then, including phishing, ransomware campaigns and more.

The group created fake LinkedIn recruiter profiles and approached suitable candidates with job openings at legitimate, existing companies. “Targets were ranged according to their profession or background and were encouraged to apply for an open position at one of several legitimate companies,” Microsoft said.

Once the victims were convinced to move the conversation from LinkedIn to WhatsApp, which provides encrypted communication, the hackers moved on to the next step. During the WhatsApp conversation, the targets received infected software that allowed Lazarus to deploy malware on their systems.

The hackers’ end goal was to be able to steal sensitive information or gain access to valuable networks. Aside from the malware — found in programs like PuTTY, KiTTY, TightVNC, muPDF/Subliminal Recording, and Sumatra PDF Reader — the attacks were also well-developed on the social side of things, picking LinkedIn profiles and companies to fit. in the victim’s profession.

Getty Images

As noted by Bleeping Computer, ZINC has also carried out similar attacks by using fake social media personas to proliferate malware. Previously, it mainly focused on security researchers; this time the attacks have a wider range.

These attacks appear to be a sequel to Operation Dream Job. The campaign, active since 2020, targeted targets from the US defense and aerospace sector and lured them in with interesting job openings, all with the aim of carrying out cyber espionage. Lazarus has also been targeted by cryptocurrency workers and crypto exchanges in the past.

How can you protect yourself against these attacks? Try to keep your LinkedIn conversations on the platform, if possible. Don’t accept files from people you don’t know and make sure you use good antivirus software. Finally, don’t be afraid to contact the company and verify that the person trying to send you files actually works there.

Leave a Comment