Coders Hunted: North Korean Hackers Use Fake Job Challenges to Deploy Stealth Malware
A new wave of deceptive recruitment scams is targeting developers with poisoned coding tests, infecting their systems to steal cryptocurrency.
It starts like a dream job offer: a recruiter from a hot new blockchain company reaches out, offering an exciting developer position. The catch? To proceed, you must complete a coding challenge - one that could end up costing you far more than your time.
The latest scheme, exposed by ReversingLabs researchers, is both insidious and alarmingly effective. North Korean threat actors, believed to be the infamous Lazarus group, are leveraging the ambitions of software developers to compromise their computers. The attackers create convincing fake companies in the blockchain and crypto-trading sectors, posting enticing job ads on major platforms such as LinkedIn, Facebook, and Reddit.
Once a developer bites, they are asked to demonstrate their skills by running and debugging a coding project. Unbeknownst to them, the project is booby-trapped: it pulls in dependencies - third-party software components - from legitimate package repositories such as npm and PyPI. These dependencies, often masquerading as popular libraries such as “graphlib” or published under names like “bigmathutils,” quietly deliver a remote access trojan (RAT) onto the victim’s machine.
What makes this campaign particularly dangerous is its modularity and stealth. The attackers frequently update and rename packages, sometimes introducing malicious code only in specific versions before quickly removing them to cover their tracks. The use of clean, legitimate-looking GitHub repositories further lowers suspicions, while the true payload is hidden in the web of dependencies.
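A pre-install audit of the kind a developer could run on a cloned challenge before building or running it, added here as an example (it is not ReversingLabs' or the campaign's code): it flags npm install-time hooks, version specifiers that can silently resolve to a later release, and dependencies fetched from outside the registry. The sample manifests are constructed; the package names merely echo the ones named in the article.

```python
import json
import re
from typing import Dict, List

# npm lifecycle hooks that run automatically during `npm install`
NPM_INSTALL_HOOKS = ("preinstall", "install", "postinstall", "prepare")
# An exact pin is digits and dots only; ^, ~, *, ranges and tags can resolve to a later release
EXACT_VERSION = re.compile(r"^\d+\.\d+\.\d+$")

def audit_package_json(text: str) -> Dict[str, List[str]]:
    """Findings to review before running `npm install` on a cloned challenge."""
    manifest = json.loads(text)
    findings: Dict[str, List[str]] = {"install_hooks": [], "unpinned": [], "non_registry": []}
    for hook, cmd in manifest.get("scripts", {}).items():
        if hook in NPM_INSTALL_HOOKS:  # runs arbitrary code at install time
            findings["install_hooks"].append(f"{hook}: {cmd}")
    for section in ("dependencies", "devDependencies", "optionalDependencies"):
        for name, spec in manifest.get(section, {}).items():
            if spec.startswith(("git", "http", "file:", "github:")):
                findings["non_registry"].append(f"{name}@{spec}")
            elif not EXACT_VERSION.match(spec):
                findings["unpinned"].append(f"{name}@{spec}")
    return findings

def audit_requirements(text: str) -> List[str]:
    """requirements.txt entries that are not pinned with '=='."""
    unpinned = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or line.startswith("-"):  # blank, comment, or pip option such as -r
            continue
        if "==" not in line:
            unpinned.append(line)
    return unpinned

# Constructed sample manifests; the package names echo the article, the contents are invented
SAMPLE_PACKAGE_JSON = json.dumps({
    "name": "trading-bot-challenge",
    "scripts": {"test": "jest", "postinstall": "node ./scripts/setup.js"},
    "dependencies": {"express": "4.18.2", "graphlib": "^2.1.8", "bigmathutils": "*"},
    "devDependencies": {"helper-lib": "git+https://example.invalid/helper-lib.git"},
})
SAMPLE_REQUIREMENTS = "requests==2.31.0\ngraphlib  # unpinned\nbigmathutils>=1.0\n-r extras.txt\n"

if __name__ == "__main__":
    for key, items in audit_package_json(SAMPLE_PACKAGE_JSON).items():
        print(f"{key}: {items}")
    print("unpinned requirements:", audit_requirements(SAMPLE_REQUIREMENTS))
```

Anything the audit lists deserves a look in an isolated environment before the project is installed, since a hook or a floating version is exactly where a payload that exists only in one release can hide.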
Once installed, the RAT is capable of executing commands, stealing files, and even searching for cryptocurrency wallet extensions such as MetaMask - clear evidence of the hackers’ financial motives. The malware communicates with command-and-control servers using authentication tokens, a hallmark of advanced state-sponsored hacking operations. Multiple variants have been observed, written in JavaScript, Python, and VBS, ensuring a broad reach across developer communities.
ReversingLabs’ investigation found that several real developers had already fallen victim, with the attackers demonstrating a high degree of patience and operational security - hallmarks of the Lazarus group. Telltale signs, such as code commit timestamps matching North Korean time and a focus on cryptocurrency theft, further confirm the attribution.
Developers who have interacted with suspicious job challenges or installed unknown packages are urged to rotate all credentials, wipe their systems, and remain vigilant. In the high-stakes world of cybercrime, even a dream job offer can become a nightmare.
As the digital job market grows increasingly competitive, the line between opportunity and threat blurs. For developers, skepticism isn’t just healthy - it’s essential.
WIKICROOK
- Remote Access Trojan (RAT): A Remote Access Trojan (RAT) is malware that lets attackers secretly control a victim’s computer from anywhere, enabling theft and spying.
- Dependency: A dependency is external code or software a project relies on; if compromised, it can introduce vulnerabilities to all dependent projects.
- Command: A command is an instruction sent to a device or software, often by a C2 server, directing it to perform specific actions, sometimes for malicious purposes.
- PyPI/npm: PyPI and npm are the major package repositories for Python and JavaScript respectively, widely used by developers but sometimes targeted for supply chain attacks.
- Lazarus Group: Lazarus Group is a North Korean state-sponsored hacking team known for global cyberattacks and stealing money to fund the regime’s activities.