Fake LinkedIn job offers used by North Korean hackers to target businesses

The North Korean Lazarus Group is using fake LinkedIn job offers to trick individuals into sharing sensitive data and installing malware.

Victims are lured with offers to collaborate on a decentralized crypto exchange and submit CVs or GitHub links as part of the recruitment process. Attackers then provide access to a fake demo project which, when executed, downloads malicious payloads. The malware first steals cryptocurrency wallet data, then deploys additional components to monitor activity, extract files and capture browser logins. Further payloads, delivered via Tor proxy servers, include a persistent backdoor, keylogger and cryptominer.

According to researchers, Lazarus' real goal is to steal classified data from critical industries. For that reason, the researchers urge professionals to scrutinize vague job offers and avoid executing foreign code on enterprise devices.