North Korean Lazarus Group Exploits Online Interviews

The North Korean Lazarus group leverages fake tech job listings to extract cryptocurrency wallets.
According to a new report from Silent Push, Contagious Interview—an affiliate of North Korean Lazarus Group—is behind the creation of three shell companies used to execute targeted campaigns aimed at stealing private credentials and cryptocurrency.
The attack vector centers on bogus recruitment processes conducted by fake entities—BlockNovas LLC, Angeloper Agency, and SoftGlide LLC. These actors list positions on developer-focused platforms such as GitHub and curated job boards, then direct candidates to submit a short video pitch via a bespoke app, which serves as a trojan delivery mechanism.
Midway through the video task, users are hit with a fake error and told to run a command to “resolve it.” But this so-called fix secretly triggers the download of malware, masked as a routine system tool. It’s a textbook case of social engineering—and an effective one. People tend to trust and follow instructions, especially when interacting with a new digital environment.
During their investigation, Silent Push analysts identified three types of malware, each tailored to a different user platform (Windows, macOS, Linux):
- BeaverTail – collects sensitive information and installs additional payloads.
- InvisibleFerret – monitors clipboard activity to intercept cryptocurrency wallet private keys.
- OtterCookie – harvests user credentials, including those stored in browsers.
Crafting an illusion of legitimacy, cybercriminals weave together stolen photographs and AI-spun portraits. The report reveals that even authentic images were artfully retouched using Remaker AI, blurring the line between real and counterfeit.
Presented with convincing corporate façades, users rarely pause to question the reality behind the glass.
The malicious campaign, now active for over a year, has resulted in significant losses across the Web3 community. Among the recorded incidents, one involved the compromise of a MetaMask wallet’s private key, affecting a standard Web3 developer.
Cyber threat intelligence expert Zach Edwards characterizes this campaign as one of Lazarus Group’s most intricate operations yet:
This certainly isn’t the first Contagious Interview campaign, and it won’t be the last – but it’s by far the most sophisticated and what they’ve done here should set off countless warning bells for anyone targeted by any of the North Korean threat groups.
The North Korean Lazarus Group and its offshoots remain among the most relentless forces in North Korea’s cyber arsenal. Their suspected fingerprints are all over some of the largest crypto heists on record: $1.5 billion stolen from Bybit, $600 million siphoned from Ronin’s blockchain.
Their recent campaigns show a sophisticated blend of technical exploits, social engineering, and diversified attack methods, aimed squarely at IT professionals across industries.
Following enforcement action, the FBI has seized the domain linked to BlockNovas, while websites for SoftGlide and Angeloper Agency remain accessible. Silent Push experts emphasize that advancements in AI are likely to increase the frequency and sophistication of these operations, with threat actors demonstrating rapid adaptability to security measures.