{ "id": "d9f0e434-1a0a-43eb-be7c-1bce364b6967", "created_at": "2026-04-06T00:09:10.193242Z", "updated_at": "2026-04-10T03:38:19.966493Z", "deleted_at": null, "sha1_hash": "d998dc8d92561b1cf97ff0d6d542eb3119e3d503", "title": "Lazarus Group Targets Organizations with Sophisticated LinkedIn Recruiting Scam", "llm_title": "", "authors": "", "file_creation_date": "0001-01-01T00:00:00Z", "file_modification_date": "0001-01-01T00:00:00Z", "file_size": 649330, "plain_text": "Lazarus Group Targets Organizations with Sophisticated LinkedIn\r\nRecruiting Scam\r\nBy Ionut Alexandru BALTARIU\r\nArchived: 2026-04-05 16:11:20 UTC\r\nBitdefender Labs warns of an active campaign by the North Korea-linked Lazarus Group, targeting organizations\r\nby capturing credentials and delivering malware through fake LinkedIn job offers.\r\nLinkedIn may be a vital tool for job seekers and professionals, but it has also become a playground for\r\ncybercriminals exploiting its credibility. From fake job offers and elaborate phishing schemes to scams and even\r\nstate-sponsored threat actors who prey on people’s career aspirations and trust in professional networks.\r\nTo shed light on such scenarios, this article delves into the deceptive tactics of a failed \"recruitment\" operation on\r\nLinkedIn, where the attackers made one critical mistake: they targeted a Bitdefender researcher who quickly\r\nuncovered their malicious intent.\r\nThe Setup: A Tempting Job Offer\r\nThe scam begins with an enticing message: an opportunity to collaborate on a decentralized cryptocurrency\r\nexchange. While the details are left deliberately vague, the promise of remote work, part-time flexibility, and\r\nreasonable pay can lure unsuspecting individuals. Variations of this scam have also been observed, with projects\r\nsupposedly related to travel or financial domains.\r\nhttps://www.bitdefender.com/en-us/blog/labs/lazarus-group-targets-organizations-with-sophisticated-linkedin-recruiting-scam\r\nPage 1 of 7\n\nOnce the target expresses interest, the \"hiring process\" unfolds, with the scammer requesting a CV or even a\r\npersonal GitHub repository link. Although seemingly innocent, these requests can serve nefarious purposes, such\r\nas harvesting personal data or lending a veneer of legitimacy to the interaction.\r\nThe submitted files provided by the “applicant” are most definitely put to good use by the “recruiter” who can\r\nharvest information and use it to further legitimize the conversation with the unsuspecting victim.\r\nThe Trap: Running the Malicious Code\r\nAfter receiving the requested information, the criminal shares a repository containing the \"minimum viable\r\nproduct\" (MVP) of the project. He also includes a document with questions that can only be answered by\r\nexecuting the demo.\r\nhttps://www.bitdefender.com/en-us/blog/labs/lazarus-group-targets-organizations-with-sophisticated-linkedin-recruiting-scam\r\nPage 2 of 7\n\nAt first glance, the code appears harmless. However, closer inspection reveals a heavily obfuscated script that\r\ndynamically loads malicious code from a third-party endpoint.\r\nhttps://www.bitdefender.com/en-us/blog/labs/lazarus-group-targets-organizations-with-sophisticated-linkedin-recruiting-scam\r\nPage 3 of 7\n\nOur researchers noted that the payload is a cross-platform info-stealer that can be deployed on Windows, MacOS\r\nand Linux operating systems. This infostealer is engineered to target a range of popular cryptocurrency wallets by\r\nlooking up for the crypto-related browsing extensions with the following IDs:\r\nOnce deployed, the stealer collects important files corresponding to these extensions while also collecting login\r\ndata of the used browsers and exfiltrates the information to a malicious IP address that seems to contain other\r\nmalicious files on the server. After exfiltrating login and extension-related data, the JavaScript stealer downloads\r\nand executes a Python script named main99_65.py that sets the stage for other malicious activities.\r\nThe Python script decompresses and decodes itself recursively until it finally reveals the next stage - a hidden\r\nscript that further enables the download of three additional Python modules: \r\nmlip.py\r\nHooks keyboard events specifically targeting web browsers. \r\nMonitors clipboard changes system-wide for crypto-related data. \r\nhttps://www.bitdefender.com/en-us/blog/labs/lazarus-group-targets-organizations-with-sophisticated-linkedin-recruiting-scam\r\nPage 4 of 7\n\nImmediately sends stolen data to a remote attacker-controlled server. \r\n \r\npay.py\r\nReports system/network info to the attacker. \r\nSearches for and exfiltrates valuable files (documents, environment variables, private keys, crypto\r\nmnemonics) and uploads these files to the attacker’s C2 server. \r\nMaintains a persistent communication channel for additional commands and scripts. \r\n \r\nbow.py\r\nIterates over the following browsers: Chrome, Brave, Opera, Yandex, Microsoft Edge \r\nExtracts and exfiltrates sensitive browser data (logins and payment info) for Windows, Linux, and macOS \r\nRuns the Tsunami Injector python script that connects to multiple Pastebins to reach the URL for the\r\npayload (.exe 617205f5a241c2712d4d0a3b06ce3afd) \r\nThe next payload in line (a .NET binary) proceeds to further drop dependencies alongside the main payload. One\r\nof the dependencies adds malicious binaries to the exception list of Microsoft Defender, while also downloading\r\nand starting a Tor Proxy Server to communicate with the Command \u0026 Control (C2) server. Furthermore, the\r\nbinary also downloads another malicious executable from the Tor C2, installs .NET 6.0 if it is not already\r\ninstalled, and exfiltrates the following fingerprinting information about the victim: \r\nName of the host\r\nUsername\r\nOperating system\r\nProcessor name and core count\r\nGPU name\r\nRAM information\r\nPublic IP \u0026 Country \u0026 City\r\nThe executable downloaded from the Tor C2 server contains multiple modules that are run on different threads: \r\nBackdoor – performs a wide range of data-collection operations (browser passwords, sessions, crypto\r\nwallet keys, discord account secrets); \r\n“Secret file” stealer – a configurable stealer that scans and exfiltrates files based on designated rules\r\nfetched from the C2 server; \r\nCrypto-miner – also configurable. It can be throttled based on certain monitored metrics (CPU \u0026 GPU\r\nload, CPU cores, RAM amount, ongoing activity); \r\nKeylogger – uses the win32 APIs to capture, store and exfiltrate keystrokes. \r\nThe threat actors' infection chain is complex, containing malicious software written in multiple programming\r\nlanguages and using a variety of technologies, such as multi-layered Python scripts that recursively decode and\r\nexecute themselves, a JavaScript stealer that first harvests browser data before pivoting to further payloads,\r\nand.NET-based stagers capable of disabling security tools, configuring a Tor proxy, and launching crypto miners.\r\nhttps://www.bitdefender.com/en-us/blog/labs/lazarus-group-targets-organizations-with-sophisticated-linkedin-recruiting-scam\r\nPage 5 of 7\n\nThe malware infects Windows, macOS, and Linux via cross-platform compatibility, uses a variety of exfiltration\r\nmethods (HTTP, Tor, and attacker-controlled IPs), and includes modules for keylogging, system reconnaissance,\r\nfile harvesting, and continuous C2 communication, demonstrating the breadth and complexity of its capabilities. \r\nAnalysis of the malware and operational tactics strongly suggests the involvement of state-sponsored threat actors,\r\nspecifically those from North Korea. These actors, previously linked to malicious job offers and fake job\r\napplications, have ties to groups like the Lazarus Group (APT 38).\r\nTheir objectives go beyond personal data theft. By compromising people working in sectors such as aviation,\r\ndefense, and nuclear industries, they aim to exfiltrate classified information, proprietary technologies, and\r\ncorporate credentials. In this case, executing the malware on enterprise devices could grant attackers access to\r\nsensitive company data, amplifying the damage.\r\nWhile in this article, we’ve discussed malicious job offers, it has been observed that the same threat actors have\r\ntried to infiltrate various companies by faking identities and applying for a multitude of job positions. The result\r\nwould be approximately the same: private information, credentials, and technology would be exfiltrated by\r\ncorporate spies. \r\nAn up-to-date, complete list of indicators of compromise is available to Bitdefender Advanced Threat\r\nIntelligence users here.\r\nHow to Stay Safe\r\nAs social platforms increasingly become hotspots for malicious activities, vigilance is essential. Here are some red\r\nflags and measures to protect yourself:\r\nRed Flags:\r\nVague job descriptions: No corresponding job posting on the platform.\r\nSuspicious repositories: Belong to users with random names and lack proper documentation or\r\ncontributions.\r\nPoor communication: Frequent spelling errors and refusal to provide alternative contact methods, such as\r\ncorporate emails or phone numbers.\r\nBest Practices:\r\nAvoid running unverified code: Use virtual machines, sandboxes, or online platforms to test code safely.\r\nVerify authenticity: Cross-check job offers with official corporate websites and confirm email domains.\r\nAdopt a cautious mindset: Scrutinize unsolicited messages and requests for personal information.\r\nIt is ideal to never execute any foreign source code on enterprise devices, and to use Virtual Machines, sandboxes\r\nor various online platforms when doing so on personal computers. Even though this would add some overhead to\r\nthe process, it would prevent any personal information from being leaked and used with malicious intent in the\r\nfuture. \r\nGet Comprehensive Protection Across All Devices \r\nhttps://www.bitdefender.com/en-us/blog/labs/lazarus-group-targets-organizations-with-sophisticated-linkedin-recruiting-scam\r\nPage 6 of 7\n\nBitdefender’s comprehensive multi-layered protection keeps you safe from all kinds of cyber threats, from viruses,\r\nmalware, spyware, ransomware, and the most sophisticated phishing attacks.\r\nYou can check our plans here.\r\nIf you suspect someone is trying to scam you, or a website looks suspicious, check it with Scamio, our AI-powered scam detection service for Free. Send any texts, messages, links, QR codes, or images to Scamio, which\r\nwill analyze them to determine if they are part of a scam. Scamio is free and available on Facebook\r\nMessenger, WhatsApp, your web browser and Discord. You can also our handy Link Checker for free to verify the\r\nlegitimacy of links and protect your device, data and identity against compromise.\r\nSource: https://www.bitdefender.com/en-us/blog/labs/lazarus-group-targets-organizations-with-sophisticated-linkedin-recruiting-scam\r\nhttps://www.bitdefender.com/en-us/blog/labs/lazarus-group-targets-organizations-with-sophisticated-linkedin-recruiting-scam\r\nPage 7 of 7", "extraction_quality": 1, "language": "EN", "sources": [ "ETDA", "Malpedia" ], "references": [ "https://www.bitdefender.com/en-us/blog/labs/lazarus-group-targets-organizations-with-sophisticated-linkedin-recruiting-scam" ], "report_names": [ "lazarus-group-targets-organizations-with-sophisticated-linkedin-recruiting-scam" ], "threat_actors": [ { "id": "34eea331-d052-4096-ae03-a22f1d090bd4", "created_at": "2025-08-07T02:03:25.073494Z", "updated_at": "2026-04-10T02:00:03.709243Z", "deleted_at": null, "main_name": "NICKEL ACADEMY", "aliases": [ "ATK3 ", "Black Artemis ", "COVELLITE ", "CTG-2460 ", "Citrine Sleet ", "Diamond Sleet ", "Guardians of Peace", "HIDDEN COBRA ", "High Anonymous", "Labyrinth Chollima ", "Lazarus Group ", "NNPT Group", "New Romanic Cyber Army Team", "Temp.Hermit ", "UNC577 ", "Who Am I?", "Whois Team", "ZINC " ], "source_name": "Secureworks:NICKEL ACADEMY", "tools": [ "Destover", "KorHigh", "Volgmer" ], "source_id": "Secureworks", "reports": null }, { "id": "732597b1-40a8-474c-88cc-eb8a421c29f1", "created_at": "2025-08-07T02:03:25.087732Z", "updated_at": "2026-04-10T02:00:03.776007Z", "deleted_at": null, "main_name": "NICKEL GLADSTONE", "aliases": [ "APT38 ", "ATK 117 ", "Alluring Pisces ", "Black Alicanto ", "Bluenoroff ", "CTG-6459 ", "Citrine Sleet ", "HIDDEN COBRA ", "Lazarus Group", "Sapphire Sleet ", "Selective Pisces ", "Stardust Chollima ", "T-APT-15 ", "TA444 ", "TAG-71 " ], "source_name": "Secureworks:NICKEL GLADSTONE", "tools": [ "AlphaNC", "Bankshot", "CCGC_Proxy", "Ratankba", "RustBucket", "SUGARLOADER", "SwiftLoader", "Wcry" ], "source_id": "Secureworks", "reports": null }, { "id": "a2b92056-9378-4749-926b-7e10c4500dac", "created_at": "2023-01-06T13:46:38.430595Z", "updated_at": "2026-04-10T02:00:02.971571Z", "deleted_at": null, "main_name": "Lazarus Group", "aliases": [ "Operation DarkSeoul", "Bureau 121", "Group 77", "APT38", "NICKEL GLADSTONE", "G0082", "COPERNICIUM", "Moonstone Sleet", "Operation GhostSecret", "APT 38", "Appleworm", "Unit 121", "ATK3", "G0032", "ATK117", "NewRomanic Cyber Army Team", "Nickel Academy", "Sapphire Sleet", "Lazarus group", "Hastati Group", "Subgroup: Bluenoroff", "Operation Troy", "Black Artemis", "Dark Seoul", "Andariel", "Labyrinth Chollima", "Operation AppleJeus", "COVELLITE", "Citrine Sleet", "DEV-0139", "DEV-1222", "Hidden Cobra", "Bluenoroff", "Stardust Chollima", "Whois Hacking Team", "Diamond Sleet", "TA404", "BeagleBoyz", "APT-C-26" ], "source_name": "MISPGALAXY:Lazarus Group", "tools": [], "source_id": "MISPGALAXY", "reports": null }, { "id": "32a223a8-3c79-4146-87c5-8557d38662ae", "created_at": "2022-10-25T15:50:23.703698Z", "updated_at": "2026-04-10T02:00:05.261989Z", "deleted_at": null, "main_name": "Lazarus Group", "aliases": [ "Lazarus Group", "Labyrinth Chollima", "HIDDEN COBRA", "Guardians of Peace", "NICKEL ACADEMY", "Diamond Sleet" ], "source_name": "MITRE:Lazarus Group", "tools": [ "RawDisk", "Proxysvc", "BADCALL", "FALLCHILL", "WannaCry", "MagicRAT", "HOPLIGHT", "TYPEFRAME", "Dtrack", "HotCroissant", "HARDRAIN", "Dacls", "KEYMARBLE", "TAINTEDSCRIBE", "AuditCred", "netsh", "ECCENTRICBANDWAGON", "AppleJeus", "BLINDINGCAN", "ThreatNeedle", "Volgmer", "Cryptoistic", "RATANKBA", "Bankshot" ], "source_id": "MITRE", "reports": null }, { "id": "1bdb91cf-f1a6-4bed-8cfa-c7ea1b635ebd", "created_at": "2022-10-25T16:07:23.766784Z", "updated_at": "2026-04-10T02:00:04.7432Z", "deleted_at": null, "main_name": "Bluenoroff", "aliases": [ "APT 38", "ATK 117", "Alluring Pisces", "Black Alicanto", "Bluenoroff", "CTG-6459", "Copernicium", "G0082", "Nickel Gladstone", "Sapphire Sleet", "Selective Pisces", "Stardust Chollima", "T-APT-15", "TA444", "TAG-71", "TEMP.Hermit" ], "source_name": "ETDA:Bluenoroff", "tools": [], "source_id": "ETDA", "reports": null }, { "id": "f32df445-9fb4-4234-99e0-3561f6498e4e", "created_at": "2022-10-25T16:07:23.756373Z", "updated_at": "2026-04-10T02:00:04.739611Z", "deleted_at": null, "main_name": "Lazarus Group", "aliases": [ "APT-C-26", "ATK 3", "Appleworm", "Citrine Sleet", "DEV-0139", "Diamond Sleet", "G0032", "Gleaming Pisces", "Gods Apostles", "Gods Disciples", "Group 77", "Guardians of Peace", "Hastati Group", "Hidden Cobra", "ITG03", "Jade Sleet", "Labyrinth Chollima", "Lazarus Group", "NewRomanic Cyber Army Team", "Operation 99", "Operation AppleJeus", "Operation AppleJeus sequel", "Operation Blockbuster: Breach of Sony Pictures Entertainment", "Operation CryptoCore", "Operation Dream Job", "Operation Dream Magic", "Operation Flame", "Operation GhostSecret", "Operation In(ter)caption", "Operation LolZarus", "Operation Marstech Mayhem", "Operation No Pineapple!", "Operation North Star", "Operation Phantom Circuit", "Operation Sharpshooter", "Operation SyncHole", "Operation Ten Days of Rain / DarkSeoul", "Operation Troy", "SectorA01", "Slow Pisces", "TA404", "TraderTraitor", "UNC2970", "UNC4034", "UNC4736", "UNC4899", "UNC577", "Whois Hacking Team" ], "source_name": "ETDA:Lazarus Group", "tools": [ "3CX Backdoor", "3Rat Client", "3proxy", "AIRDRY", "ARTFULPIE", "ATMDtrack", "AlphaNC", "Alreay", "Andaratm", "AngryRebel", "AppleJeus", "Aryan", "AuditCred", "BADCALL", "BISTROMATH", "BLINDINGCAN", "BTC Changer", "BUFFETLINE", "BanSwift", "Bankshot", "Bitrep", "Bitsran", "BlindToad", "Bookcode", "BootWreck", "BottomLoader", "Brambul", "BravoNC", "Breut", "COLDCAT", "COPPERHEDGE", "CROWDEDFLOUNDER", "Castov", "CheeseTray", "CleanToad", "ClientTraficForwarder", "CollectionRAT", "Concealment Troy", "Contopee", "CookieTime", "Cyruslish", "DAVESHELL", "DBLL Dropper", "DLRAT", "DRATzarus", "DRATzarus RAT", "Dacls", "Dacls RAT", "DarkComet", "DarkKomet", "DeltaCharlie", "DeltaNC", "Dembr", "Destover", "DoublePulsar", "Dozer", "Dtrack", "Duuzer", "DyePack", "ECCENTRICBANDWAGON", "ELECTRICFISH", "Escad", "EternalBlue", "FALLCHILL", "FYNLOS", "FallChill RAT", "Farfli", "Fimlis", "FoggyBrass", "FudModule", "Fynloski", "Gh0st RAT", "Ghost RAT", "Gopuram", "HARDRAIN", "HIDDEN COBRA RAT/Worm", "HLOADER", "HOOKSHOT", "HOPLIGHT", "HOTCROISSANT", "HOTWAX", "HTTP Troy", "Hawup", "Hawup RAT", "Hermes", "HotCroissant", "HotelAlfa", "Hotwax", "HtDnDownLoader", "Http Dr0pper", "ICONICSTEALER", "Joanap", "Jokra", "KANDYKORN", "KEYMARBLE", "Kaos", "KillDisk", "KillMBR", "Koredos", "Krademok", "LIGHTSHIFT", "LIGHTSHOW", "LOLBAS", "LOLBins", "Lazarus", "LightlessCan", "Living off the Land", "MATA", "MBRkiller", "MagicRAT", "Manuscrypt", "Mimail", "Mimikatz", "Moudour", "Mydoom", "Mydoor", "Mytob", "NACHOCHEESE", "NachoCheese", "NestEgg", "NickelLoader", "NineRAT", "Novarg", "NukeSped", "OpBlockBuster", "PCRat", "PEBBLEDASH", "PLANKWALK", "POOLRAT", "PSLogger", "PhanDoor", "Plink", "PondRAT", "PowerBrace", "PowerRatankba", "PowerShell RAT", "PowerSpritz", "PowerTask", "Preft", "ProcDump", "Proxysvc", "PuTTY Link", "QUICKRIDE", "QUICKRIDE.POWER", "Quickcafe", "QuiteRAT", "R-C1", "ROptimizer", "Ratabanka", "RatabankaPOS", "Ratankba", "RatankbaPOS", "RawDisk", "RedShawl", "Rifdoor", "Rising Sun", "Romeo-CoreOne", "RomeoAlfa", "RomeoBravo", "RomeoCharlie", "RomeoCore", "RomeoDelta", "RomeoEcho", "RomeoFoxtrot", "RomeoGolf", "RomeoHotel", "RomeoMike", "RomeoNovember", "RomeoWhiskey", "Romeos", "RustBucket", "SHADYCAT", "SHARPKNOT", "SIGFLIP", "SIMPLESEA", "SLICKSHOES", "SORRYBRUTE", "SUDDENICON", "SUGARLOADER", "SheepRAT", "SierraAlfa", "SierraBravo", "SierraCharlie", "SierraJuliett-MikeOne", "SierraJuliett-MikeTwo", "SimpleTea", "SimplexTea", "SmallTiger", "Stunnel", "TAINTEDSCRIBE", "TAXHAUL", "TFlower", "TOUCHKEY", "TOUCHMOVE", "TOUCHSHIFT", "TOUCHSHOT", "TWOPENCE", "TYPEFRAME", "Tdrop", "Tdrop2", "ThreatNeedle", "Tiger RAT", "TigerRAT", "Trojan Manuscript", "Troy", "TroyRAT", "VEILEDSIGNAL", "VHD", "VHD Ransomware", "VIVACIOUSGIFT", "VSingle", "ValeforBeta", "Volgmer", "Vyveva", "W1_RAT", "Wana Decrypt0r", "WanaCry", "WanaCrypt", "WanaCrypt0r", "WannaCry", "WannaCrypt", "WannaCryptor", "WbBot", "Wcry", "Win32/KillDisk.NBB", "Win32/KillDisk.NBC", "Win32/KillDisk.NBD", "Win32/KillDisk.NBH", "Win32/KillDisk.NBI", "WinorDLL64", "Winsec", "WolfRAT", "Wormhole", "YamaBot", "Yort", "ZetaNile", "concealment_troy", "http_troy", "httpdr0pper", "httpdropper", "klovbot", "sRDI" ], "source_id": "ETDA", "reports": null } ], "ts_created_at": 1775434150, "ts_updated_at": 1775792299, "ts_creation_date": 0, "ts_modification_date": 0, "files": { "pdf": "https://archive.orkl.eu/d998dc8d92561b1cf97ff0d6d542eb3119e3d503.pdf", "text": "https://archive.orkl.eu/d998dc8d92561b1cf97ff0d6d542eb3119e3d503.txt", "img": "https://archive.orkl.eu/d998dc8d92561b1cf97ff0d6d542eb3119e3d503.jpg" } }