Wednesday, May 21, 2025
Homecyber securityLazarus Tricking Employees with Trojanized Coding Challenges

Lazarus Tricking Employees with Trojanized Coding Challenges

Published on

SIEM as a Service

Follow Us on Google News

Lazarus group has been recently discovered to have targeted an Aerospace company in Spain, which involved deploying several tools, including an undocumented backdoor named “LightlessCan.”

Reports indicate that the threat actor gained access to the organization’s network last year using a spearphishing campaign impersonating a recruiter from Meta.

The threat group contacted one of the victims inside the organization via LinkedIn social networking, posing as a recruiter from Meta. The threat actor then sent two coding challenges and a job description PDF, which was malware, resulting in the execution of the malicious payload.

- Advertisement - Google News
Scammer contacting via Linkedin
Scammer contacting via Linkedin (Source: ESET)

Lazarus Coding Challenges

The victim was provided with two malicious executables, Quiz1.exe and Quiz2.exe, embedded inside two ISO images, Quiz1.iso and Quiz2.iso. The victim was tasked with rewriting the code in C++ programming language.

Fibonacci program from Quiz2.exe
Fibonacci program from Quiz2.exe (Source: ESET)

The two executables were a simple Hello World program and a Fibonacci program. However, the executables were much more than they printed on the console.

Both executables trigger the installation of additional payloads inside the ISO images. The first payload that was delivered was named “NickelLoader” which enables the threat actor to deploy any program on the system’s memory. Followed by other additional payloads which are used by the threat actor for various purposes.

LightlessCan – New Backdoor

One of the most interesting payloads used was the LightlessCan, which was found to be the successor of the Lazarus RAT BlindingCan. LightlessCab supports 68 distinct commands, of which 43 lack their original functionality.

LightlessCan can be confirmed to have been derived from BlindingCan because the order of the shared commands between LightlessCan and BlindingCan has no significant changes.

One of the most important updates on this new backdoor is mimicking Windows Native commands like ping, ipconfig, systeminfo, sc, net, etc.

ESET has published a complete report about this compromise and other detailed information, providing additional information about the source code, payload, exploit chain of the payload, compromising the system, and other information.

Protect yourself from vulnerabilities using Patch Manager Plus to quickly patch over 850 third-party applications. Take advantage of the free trial to ensure 100% security.

Eswar
Eswar
Eswar is a Cyber security content editor with a passion for creating captivating and informative content. With years of experience under his belt in Cyber Security, he is covering Cyber Security News, technology and other news.

Latest articles

Hackers Target Mobile Users Using PWA JavaScript to Bypass Browser Security

A sophisticated new injection campaign has been uncovered, targeting mobile users through malicious third-party...

Docker Zombie Malware Infects Containers for Crypto Mining and Self-Replication

A novel malware campaign targeting containerized infrastructures has emerged, exploiting insecurely exposed Docker APIs...

Hackers Masquerade as Organizations to Steal Payroll Logins and Redirect Payments from Employees

ReliaQuest, hackers have deployed a cunning search engine optimization (SEO) poisoning scheme to orchestrate...

PupkinStealer Exploits Web Browser Passwords and App Tokens to Exfiltrate Data Through Telegram

A newly identified .NET-based information-stealing malware, dubbed PupkinStealer (also known as PumpkinStealer in some...

Resilience at Scale

Why Application Security is Non-Negotiable

The resilience of your digital infrastructure directly impacts your ability to scale. And yet, application security remains a critical weak link for most organizations.

Application Security is no longer just a defensive play—it’s the cornerstone of cyber resilience and sustainable growth. In this webinar, Karthik Krishnamoorthy (CTO of Indusface) and Phani Deepak Akella (VP of Marketing – Indusface), will share how AI-powered application security can help organizations build resilience by

Discussion points


Protecting at internet scale using AI and behavioral-based DDoS & bot mitigation.
Autonomously discovering external assets and remediating vulnerabilities within 72 hours, enabling secure, confident scaling.
Ensuring 100% application availability through platforms architected for failure resilience.
Eliminating silos with real-time correlation between attack surface and active threats for rapid, accurate mitigation

More like this

Hackers Target Mobile Users Using PWA JavaScript to Bypass Browser Security

A sophisticated new injection campaign has been uncovered, targeting mobile users through malicious third-party...

Docker Zombie Malware Infects Containers for Crypto Mining and Self-Replication

A novel malware campaign targeting containerized infrastructures has emerged, exploiting insecurely exposed Docker APIs...

Hackers Masquerade as Organizations to Steal Payroll Logins and Redirect Payments from Employees

ReliaQuest, hackers have deployed a cunning search engine optimization (SEO) poisoning scheme to orchestrate...