Thursday, May 8, 2025
Homecyber securityBeware of Lazarus LinkedIn Recruiting Scam Targeting Org’s to Deliver Malware

Beware of Lazarus LinkedIn Recruiting Scam Targeting Org’s to Deliver Malware

Published on

SIEM as a Service

Follow Us on Google News

A new wave of cyberattacks orchestrated by the North Korea-linked Lazarus Group has been identified, leveraging fake LinkedIn job offers to infiltrate organizations and deliver sophisticated malware.

Reports from cybersecurity firms, including Bitdefender, reveal that this campaign targets professionals across industries by exploiting their trust in LinkedIn as a professional networking platform.

The operation begins with a seemingly legitimate job offer, often related to decentralized cryptocurrency exchanges or other high-demand sectors such as finance and travel.

- Advertisement - Google News

The attackers promise attractive benefits like remote work and flexible hours to lure victims.

Once the target expresses interest, the “recruiter” requests personal information such as a CV or GitHub repository link.

These initial interactions are designed to build credibility while harvesting sensitive personal data.

From Recruitment to Malware Deployment

The scam escalates when the attacker provides access to a GitHub repository containing what appears to be a “minimum viable product” (MVP) of a project.

Victims are asked to execute the code under the guise of answering technical questions.

However, embedded within this code is an obfuscated script that dynamically downloads malicious payloads from external servers.

The malware is a cross-platform infostealer capable of targeting Windows, macOS, and Linux systems.

It focuses on extracting sensitive data such as cryptocurrency wallet credentials, browser login details, and system configurations.

The infection chain includes multiple stages:

  • Initial Payload: A JavaScript-based stealer that collects browser extensions related to cryptocurrency wallets.
  • Secondary Scripts: Python modules that monitor clipboard activity for crypto-related data, extract sensitive files, and exfiltrate them to attacker-controlled servers.
  • Advanced Modules: These include keyloggers, backdoors for persistent access, and even crypto-mining software designed to exploit system resources.

State-Sponsored Cyber Espionage

Bitdefender analysis strongly links these activities to the Lazarus Group, a North Korean state-sponsored Advanced Persistent Threat (APT).

The group has previously targeted industries such as defense, aerospace, and nuclear sectors with similar tactics under campaigns like “Operation DreamJob.”

Their objectives extend beyond financial theft to corporate espionage, aiming to exfiltrate proprietary technologies and classified information.

It employs advanced techniques like disabling antivirus software, using Tor proxies for communication with command-and-control (C2) servers, and leveraging multi-layered scripting for stealth.

Protective Measures Against Such Threats

Organizations and individuals must remain vigilant against such sophisticated schemes.

Key red flags include vague job descriptions, suspicious repositories lacking proper documentation, and poor communication from recruiters. Experts recommend:

  • Avoid running unverified code on enterprise devices; use virtual machines or sandboxes instead.
  • Cross-check job offers with official company websites and verify email domains.
  • Stay cautious of unsolicited messages requesting personal information.

This campaign serves as a stark reminder of the evolving tactics employed by cybercriminals.

As platforms like LinkedIn become hotspots for malicious activities, implementing robust cybersecurity measures is more critical than ever to safeguard sensitive data from exploitation.

Investigate Real-World Malicious Links & Phishing Attacks With Threat Intelligence Lookup - Try for Free

Aman Mishra
Aman Mishra
Aman Mishra is a Security and privacy Reporter covering various data breach, cyber crime, malware, & vulnerability.

Latest articles

Cisco IOS, XE, and XR Vulnerability Allows Remote Device Reboots

 Cisco has issued an urgent security advisory (cisco-sa-twamp-kV4FHugn) warning of a critical vulnerability in...

OpenCTI: Free Cyber Threat Intelligence Platform for Security Experts

OpenCTI (Open Cyber Threat Intelligence) stands out as a free, open source platform specifically...

LockBit Ransomware Group Breached: Internal Chats and Data Leaked Online

The notorious LockBit ransomware group, once considered one of the world’s most prolific cyber...

Cisco IOS XE Wireless Controllers Vulnerability Lets Attackers Seize Full Control

A critical security flaw has been discovered in Cisco IOS XE Wireless LAN Controllers...

Resilience at Scale

Why Application Security is Non-Negotiable

The resilience of your digital infrastructure directly impacts your ability to scale. And yet, application security remains a critical weak link for most organizations.

Application Security is no longer just a defensive play—it’s the cornerstone of cyber resilience and sustainable growth. In this webinar, Karthik Krishnamoorthy (CTO of Indusface) and Phani Deepak Akella (VP of Marketing – Indusface), will share how AI-powered application security can help organizations build resilience by

Discussion points


Protecting at internet scale using AI and behavioral-based DDoS & bot mitigation.
Autonomously discovering external assets and remediating vulnerabilities within 72 hours, enabling secure, confident scaling.
Ensuring 100% application availability through platforms architected for failure resilience.
Eliminating silos with real-time correlation between attack surface and active threats for rapid, accurate mitigation

More like this

Cisco IOS, XE, and XR Vulnerability Allows Remote Device Reboots

 Cisco has issued an urgent security advisory (cisco-sa-twamp-kV4FHugn) warning of a critical vulnerability in...

OpenCTI: Free Cyber Threat Intelligence Platform for Security Experts

OpenCTI (Open Cyber Threat Intelligence) stands out as a free, open source platform specifically...

LockBit Ransomware Group Breached: Internal Chats and Data Leaked Online

The notorious LockBit ransomware group, once considered one of the world’s most prolific cyber...