Lazarus RAT code resurfaces in North Korean IT-worker scams
Briefly

"North Korean-linked crews connected to the pervasive IT worker scams have upped their malware game, using more advanced tools, including a backdoor that has much of the same code as Pyongyang's infamous Lazarus Group deploys. In a white paper [PDF] presented at Virus Bulletin 2025, ESET researchers Peter Kálnai and Matěj Havránek identified new links between DeceptiveDevelopment's malware and the Lazarus Group's PostNapTea RAT."
"Its members pose as recruiters, posting fake profiles on social media along the lines of Lazarus' Operation Dream Job, which tricked job seekers into clicking on malicious links. But in this case, the cybercriminals primarily reach out to software developers and typically those involved in cryptocurrency projects. DeceptiveDevelopment also uses other social engineering techniques, including ClickFix, which tricks users into following bogus prompts such as fake CAPTCHAs, and then infects victims' computers with trojanized codebases during the fake interview process."
"And then they pass information, identities, and other data stolen during this process to the North Korean IT workers seeking jobs with Western companies so they can use interview answers to help them get hired. After they're employed by Western firms, IT workers funnel their salary money back to Pyongyang. In some cases, the fraudsters use their insider access to steal proprietary source code, and then extort their employers with threats to leak corporate data if not paid a ransom demand."
DeceptiveDevelopment now employs more advanced malware than before, including a backdoor that shares much of its code with the Lazarus Group's PostNapTea RAT. The group targets software developers, especially those working on cryptocurrency projects, by posing as recruiters behind fake social-media profiles. Social engineering such as ClickFix (bogus prompts, for example fake CAPTCHAs, that trick the user into running something) and trojanized codebases handed over during fake interviews lead to infection and data theft. The stolen information and identities are passed to North Korean IT workers, who reuse the harvested interview answers to get hired at Western firms and remit their salaries to Pyongyang. Insider access is sometimes used to exfiltrate proprietary source code and extort the employer with threats to leak it. Common payloads include BeaverTail and InvisibleFerret, both obfuscated scripts.
Read at The Register