North Korean hackers are targeting LinkedIn jobseekers with new malware - here's how to stay safe

Date:
Fri, 07 Feb 2025 22:30:00 +0000

Description:
Fake LinkedIn job offers are deceiving job hopefuls.

FULL STORY ======================================================================
- North Korean hackers are using LinkedIn to scam jobseekers
- The fake job offers often promise well-paid remote work
- But the victims are eventually infected with malware

A long-running campaign by notorious North Korean hacking group Lazarus has seen job hopefuls scammed in many different ways, including downloading
malware disguised as interview software , fake coding tests, infostealers,
and some companies have even accidentally hired North Korean hackers as
remote IT workers.

Now, a new facet of the Contagious Interview campaign has arisen, and this time, hackers are using LinkedIn to scam victims, research from Bitdefender warns.

LinkedIn can be a fantastic tool for professionals to network, and many businesses use the app to recruit new employees, and now, it turns out, so
are the Lazarus group.

Malicious offers

The fake recruitment scams ultimately result in the victim being infected
with malware, and the hackers tend to target jobseekers in high profile industries, like defense, aerospace, or engineering - looking to exfiltrate classified or sensitive information, or even corporate credentials.

The fake jobs researchers observed in these scams were often remote work, flexible and well paid, sometimes involving cryptocurrencies as payment.
These are designed to be enticing offers, so be wary of anything that looks a little too good to be true.

Scammers will message a victim via LinkedIn, then requesting a CV or personal GitHub repository link (which could be used to harvest personal information). From there, the recruiter shares a feedback document, which infects the
victim with malware.

There are some warning signs to look out for, like vague job descriptions,
poor communications, and users without popper documentations. Make sure to
vet any job offers, applications, and interview offers thoroughly - and dont click any links from unknown sources.

In February 2025, Apple delivered a new patch on Xprotect, its on-device malware removal tool to block variants of the macOS FerretFamily - which had been found disguised as Chrome or Zoom installers targeting applicants.

======================================================================
Link to news story: https://www.techradar.com/pro/security/north-korean-hackers-targeting-linkedin -jobseekers-with-new-malware

$$
--- SBBSecho 3.20-Linux
* Origin: capitolcityonline.net * Telnet/SSH:2022/HTTP (1:2320/105)

North Korean hackers are using LinkedIn to entice developers to coding challenges - here's what you need to know

Date:
Tue, 22 Apr 2025 21:26:00 +0000

Description:
North Korean hackers pose as recruiters, turning coding tests into costly crypto theft schemes.

FULL STORY ======================================================================
- Slow Pisces targets crypto developers with bad code disguised as stock analysis tools
- Malicious code hides in plain sight, using GitHub projects and YAML deserialization tricks
- Victims unknowingly install RN Loader and RN Stealer through rigged Python repositories

A hacker group from North Korea known as Slow Pisces has launched a sophisticated campaign targeting developers in the cryptocurrency sector through LinkedIn.

The group, also known as TraderTraitor or Jade Sleet, poses as recruiters to lure victims with seemingly genuine job offers and coding challenges, only to infect their systems with malicious Python and JavaScript code.

Thanks to this campaign, the group has been able to steal substantial amounts of cryptocurrency. In 2023 alone, they were linked to over $1 billion in
stolen funds. A $1.5 billion hack at a Dubai exchange and a $308 million
theft from a Japanese company are among the recent attacks.

Coders beware!

After initially sending PDF documents containing job descriptions, the malicious actors follow up with coding assignments hosted on GitHub.

Although these repositories appear to be based on legitimate open-source projects, they have been secretly altered to include hidden malware.

Victims, believing they are completing programming tests, unintentionally
allow malware like RN Loader and RN Stealer onto their systems.

These booby-trapped projects mimic legitimate developer tools and
applications. For instance, Python repositories might seem to analyze stock market trends using data from reputable sources, while secretly communicating with attacker-controlled domains.

The malware evades most detection tools by using YAML deserialization,
avoiding commonly flagged functions like eval or exec. Once triggered, the loader fetches and executes additional payloads directly in memory, making it difficult to detect or remove.

One such payload, RN Stealer, is specifically designed to exfiltrate credentials, cloud configuration files, and stored SSH keys, particularly
from macOS systems.

JavaScript variants of the malware operate similarly, using the Embedded JavaScript templating engine to hide malicious code, which activates only for targeted victims based on factors like IP addresses or browser headers.

Forensic analysis shows that the malware stores code in hidden directories
and communicates over HTTPS using custom tokens. However, investigators were unable to recover the full JavaScript payload.

GitHub and LinkedIn have responded by removing the malicious accounts and repositories involved.

GitHub and LinkedIn removed these malicious accounts for violating our respective terms of service. Across our products, we use automated
technology, combined with teams of investigation experts and member
reporting, to combat bad actors and enforce terms of service. We continue to evolve and improve our processes and encourage our customers and members to report any suspicious activity, the companies said in a joint statement.

There is a growing need for caution when approached with remote job offers
and coding tests. Developers are advised to use strong antivirus software and run unfamiliar code in secure environments, particularly when working in sensitive sectors like cryptocurrency.

Those concerned about security should verify they are using the best IDE s, which typically include integrated security features. Staying alert, and working on a secure, controlled setup, can significantly reduce the risk of falling prey to state-backed cyber threats.

Via Unit42

======================================================================
Link to news story: https://www.techradar.com/pro/north-korean-hackers-are-using-linkedin-to-entic e-developers-to-coding-challenges-heres-what-you-need-to-know

$$
--- SBBSecho 3.20-Linux
* Origin: capitolcityonline.net * Telnet/SSH:2022/HTTP (1:2320/105)