{
	"id": "05933fa2-981c-4b65-9083-267434f6beff",
	"created_at": "2026-04-06T00:13:45.549914Z",
	"updated_at": "2026-04-10T03:21:42.755645Z",
	"deleted_at": null,
	"sha1_hash": "5d5e42a06592685fff11c54e62fc3db67e4e5054",
	"title": "Inside a North Korean Phishing Operation Targeting DevOps Employees - SecurityScorecard",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1000231,
	"plain_text": "Inside a North Korean Phishing Operation Targeting DevOps Employees - SecurityScorecard\r\nArchived: 2026-04-05 23:48:00 UTC\r\nUncover how SecurityScorecard thwarted a sophisticated phishing attack targeting our DevOps team. This blog details a North Korean state actor's attempt to deploy a malicious backdoor through a fake job offer on social media. Learn about the evolving tactics of threat actors and how our swift response blocked potential damage. Stay informed and strengthen your defenses against these persistent cyber threats.\r\nInterested in the personal story behind the attack? Read the firsthand account here.\r\nSophisticated threat actors are increasingly targeting organizations with tailored phishing campaigns. Recently, SecurityScorecard detected a similar attempt against our team—and stopped it in its tracks. We’re sharing our findings to support the InfoSec community and strengthen collective defenses against continually evolving threats.\r\nOn October 3rd, the SecurityScorecard STRIKE Team identified a North Korean state actor attempting to deploy a malicious JavaScript backdoor through a fake job recruitment scheme. The attacker targeted a SecurityScorecard DevOps engineer, using direct social media contact to entice them into executing malicious code disguised as a job opportunity. Thanks to the swift actions of our Information Security team, we blocked the attack before any damage occurred.\r\nThis attack exemplifies an evolving tactic: using social media to directly engage targets rather than traditional phishing documents. Analysis of Network Flow data reveals that this same backdoor has affected organizations worldwide. By publishing our findings, we aim to raise awareness and remind the InfoSec community that these threats persist, targeting organizations of all sizes. 
Our goal remains clear: to make the digital world a safer place by staying vigilant and sharing critical insights.\r\nhttps://securityscorecard.com/blog/inside-a-north-korean-phishing-operation-targeting-devops-employees/\r\nPage 1 of 11\n\nGeographical Distribution of Backdoor\r\nSTRIKE also identified additional C2 servers related to the attack that share similar patterns with the C2s already discovered. The following is a geographical distribution of infected victims communicating with the C2 over port 1244.\r\nExpanded view of geographical distribution\r\nHow the attack happened\r\nThis particular attack involved a recruitment scheme related to Web3 and cryptocurrency development. The backdoor was delivered via a malicious Bitbucket repository controlled by the threat actor. In this case the backdoor was found in a Node.js application present in the repository. The employee was contacted directly over LinkedIn with an offer for a job developing a Web3 gaming platform, on the pretext that their skills matched what the recruiter was looking for. It is likely that this threat actor matched the skills present on the employee’s profile to a tailored repository. The threat actor used a compromised LinkedIn account belonging to an individual employed at an organization in the UK. This account has existed since 2010, so it’s certain that the account wasn’t created by the TA.\r\nThreat Actor Engaging\r\nThreat Actor Promoting Business\r\nFake Skills Test\r\nThe adversary engages with the victim through LinkedIn, offering competitive packages and enticing positions. However, there is a catch: the victim must complete a skills test. 
This involves interacting with a code repository which is rigged with a backdoor. The TA attempted to convince the employee to perform a skills test by modifying a project from a Bitbucket repository. The repository contained complete code for an e-commerce web platform, which adds to the authenticity of this attack. The repository also included a hard-coded public key.\r\nTA sharing malicious link over LinkedIn\r\nCode Repository\r\nThe TA has long used malicious repositories to target developers with Node.js and React front-end experience. Our analysis shows that this type of campaign has been occurring since early 2024; one artifact that has remained consistent is a public key. This public key has appeared in a few different cryptocurrency-related repositories over the past year that have been used to target developers at a variety of tech companies. It is unknown whether this is an actor-controlled public key or a commonly found one. What we do know is that the public key has appeared multiple times in specific repos that have been tied to similar attacks. The presence of this artifact gives us further insight into a broader campaign being executed by Lazarus.\r\nHardcoded Public Key\r\nThe code repository in this attack was an e-commerce application related to Web3 and Solana cryptocurrency. The repo appears to mimic a legitimate project, further luring the developer into cloning it and ultimately running it on their system. The project was also capable of executing on Mac systems and launching a backdoor via JS code. The repository contains a .env file with hard-coded credentials for a MongoDB cloud database. 
This MongoDB cloud database was used to store results from users interacting with the software project. It appears this database is attached to the code repository and stores information produced by executing it. Analysis of this MongoDB and its contents reveals some interesting patterns that align with the infection map based on Network Flow traffic, specifically in Brazil and Pakistan. STRIKE identified three additional impacted tech workers in the US, Pakistan and Brazil who ran the code from the backdoored repository. The data from these sessions was saved in MongoDB, providing some clues about victimology and who may have successfully run this project.\r\nBackend MongoDB\r\nC2 Server Analysis\r\nThe obfuscated JS backdoor linked to this malicious repository communicated with a C2 server at the IP address 147[.]124[.]214[.]129. This C2 is hosting other components that may be related to other attacks being conducted on tech workers abroad. A script was also downloaded from this C2 server that executes a payload which has been base64-encoded and XORed. It’s important to note that this script is intended to execute some form of payload once decoded, as indicated by its execute statement. After decryption the payload is loaded into a buffer and executed at runtime.\r\nEncoded Payload\r\nThe encoded payload, once decrypted, contains a credential harvesting script designed to target browsers. The script is designed to steal information from systems and exfiltrate it to the command and control server. 
The script detects which operating system it is running on and supports a variety of browsers; it is likely the second-stage payload delivered by the initial obfuscated JS backdoor.\r\nAt a high level the script performs the following actions against the target system:\r\nOperating system detection\r\nImports Win32crypt in an attempt to decrypt stored passwords\r\nImports the secretstorage library on Linux to retrieve encryption keys\r\nInteracts with the macOS keychain to get encryption keys for Chrome, Opera, Brave or Yandex browsers\r\nFocuses on exfiltrating stored login details and credit card data\r\nDecrypted Payload\r\nVictimology\r\nAside from the attempted attack on our organization, STRIKE observed the adversary targeting other tech workers around the world. These tech workers all had blockchain or Web3 experience in common. Our analysis of the campaign and this specific attack reveals additional victimology in Pakistan, the United States and Brazil. Beyond the global map identifying potential victims across the world, we were able to identify specific tech workers impacted by this operation. By correlating the metadata in the MongoDB database with network flow data, we can identify specific software developers who were impacted. One individual in Pakistan was successfully infected on 9/22/2024 and, according to network flow data, had over a dozen sessions lasting over 10 minutes with the C2 server between 9/22/2024 and 9/23/2024. The redacted image below shows a tech worker in Pakistan with specific software development experience that could be of relevant interest to Lazarus.\r\nTargeted Victim in Pakistan\r\nOther Campaigns\r\nMultiple other C2s were discovered hosted around the world that shared similar patterns to the attack involving the Bitbucket repository. 
These C2 servers all behave similarly to each other and communicate over port 1244. For instance, we discovered a live C2 involved in a malicious AnyDesk attack that hosted a malicious script. At a high level this script enables the attacker to remotely control the desktop of the victim, send sensitive files and maintain persistence upon reboot.\r\nMalicious AnyDesk Script\r\nConclusion\r\nThis report shows how state actors are increasingly targeting tech professionals with precision. By using fake job offers and customized phishing, groups like Lazarus adapt quickly to catch individuals off guard. SecurityScorecard’s quick response blocked this attack, but the risks remain high for others in our industry. Protecting your organization means staying ahead of these evolving threats. SecurityScorecard’s STRIKE Team is ready to help secure your business with the tools and insights needed to stop attacks before they start. Contact us today to strengthen your defenses and keep your team safe.\r\nSource: https://securityscorecard.com/blog/inside-a-north-korean-phishing-operation-targeting-devops-employees/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MITRE"
	],
	"references": [
		"https://securityscorecard.com/blog/inside-a-north-korean-phishing-operation-targeting-devops-employees/"
	],
	"report_names": [
		"inside-a-north-korean-phishing-operation-targeting-devops-employees"
	],
	"threat_actors": [],
	"ts_created_at": 1775434425,
	"ts_updated_at": 1775791302,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/5d5e42a06592685fff11c54e62fc3db67e4e5054.pdf",
		"text": "https://archive.orkl.eu/5d5e42a06592685fff11c54e62fc3db67e4e5054.txt",
		"img": "https://archive.orkl.eu/5d5e42a06592685fff11c54e62fc3db67e4e5054.jpg"
	}
}