Date: 2025-02-06

The North Korean Lazarus group has attempted to target a Bitdefender researcher using the lure of a fake job offer via LinkedIn.

Bitdefender recognized this as a sophisticated malicious campaign specifically targeting software developers, and played out the attack within a sandbox environment.

Alina Bizga, Security Analyst at Bitdefender, told Infosecurity that the firm’s employee engaged with the fake recruitment campaign to observe how it worked, knowing that there have been cases where job seekers on LinkedIn were delivered malware.

The active campaign was designed to steal credentials and deliver malware in its environment. The researcher downloaded suspected malicious code in a safe sandbox environment.

“We only recommend downloading the malicious payload in sandbox environments, in which it can be safely analyzed. We strongly advise against untrained individuals attempting this, as the risk of severe infection is high,” Bizga said.

Bitdefender researchers wrote in a blog post that the objectives for such a campaign go beyond personal data theft.

“By compromising people working in sectors such as aviation, defense and nuclear industries, they aim to exfiltrate classified information, proprietary technologies and corporate credentials. In this case, executing the malware on enterprise devices could grant attackers access to sensitive company data, amplifying the damage,” they wrote.

They warned developers to be on guard against these tactics by the North Korean nation-state actor, with Lazarus likely to be targeting many individuals using this technique.

Fake Job Offer Leads to Infostealer Download

The attack began when the Bitdefender employee was contacted via a LinkedIn message about an opportunity to collaborate on a decentralized cryptocurrency exchange.

The details of the job itself were vague, but inducements around remote working, flexibility and pay were provided.