Lazarus Group hides malware in GitHub coding tests sent to crypto job seekers
The state-backed hacking collective is leveraging a sophisticated Fake Recruiter Campaign to infiltrate cryptocurrency developers through trusted open-source platforms.
North Korea’s Lazarus Group is approaching cryptocurrency developers on LinkedIn with fake job offers, sending them malware-laced coding tests hosted on GitHub, and using a fictitious company called Veltrix Capital as cover, part of a campaign that has been running since May 2025 and is now escalating, according to security firm ReversingLabs.
Active since May 2025, the campaign targets blockchain and crypto professionals with fraudulent job offers that ultimately deliver remote access trojans (RATs). Researchers say the operation weaponizes trusted platforms such as GitHub, npm, and PyPI—turning legitimate development tools into infection pathways.
The latest phase of the Fake Recruiter Campaign was identified by security firm ReversingLabs, which traced the activity to malicious packages hidden within coding test assignments sent to job seekers. The effort appears designed to infiltrate systems used by developers building cryptocurrency applications and exchanges.
Fake Recruiter Campaign targets crypto developers through job lures
At the center of the operation is a calculated social engineering strategy. Threat actors posing as recruiters approach potential victims via LinkedIn and Facebook or post job advertisements in online developer communities such as Reddit. The fraudulent employers, including a company operating under the name “Veltrix Capital,” claim to offer blockchain or cryptocurrency exchange roles.
Victims who respond are sent coding assignments hosted on GitHub repositories controlled by the attackers. On the surface, these repositories appear legitimate, featuring DevOps or blockchain-focused tasks. However, embedded within the project files are malicious dependencies hosted on npm and PyPI.
According to ReversingLabs, the campaign takes its name from the first malicious npm package discovered during the investigation.
“The npm package ‘bigmathutils’ accumulated over 10,000 downloads before a weaponized version was released,” — ReversingLabs researchers, in their campaign analysis.
The delayed activation underscores the patience and planning commonly associated with state-sponsored threat actors. By allowing a package to build credibility before introducing malicious code, attackers increase the likelihood that developers will trust and execute it.
This evolving Fake Recruiter Campaign reflects Lazarus Group’s continued focus on the cryptocurrency ecosystem, a sector long viewed as strategically valuable for financial gain and sanctions evasion.
Infection chain exploits GitHub, npm, and PyPI
The infection process begins when developers download and run the GitHub-hosted coding assignments. When executed or debugged, the project automatically triggers package managers to install dependencies—including the compromised npm and PyPI libraries.
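Because the project files trigger the package managers on their own, a defender's first check is the dependency manifests themselves, before any install or debug run. The following is an added example (not ReversingLabs tooling or code from the campaign) that flags npm lifecycle scripts that execute during `npm install`, dependencies resolved from git or URL sources rather than the registry, and version ranges that would silently pull a later release, which is exactly the window a delayed weaponization like the one described above relies on; all manifest contents, package names and URLs are constructed for the example.

```python
# Pre-install audit of a coding-assignment repository's dependency manifests.
# Constructed example: the manifests, package names and URLs are invented.
import json
import re

# Lifecycle scripts that npm runs automatically during `npm install`.
NPM_INSTALL_HOOKS = ("preinstall", "install", "postinstall", "prepare")
EXACT_SEMVER = re.compile(r"\d+\.\d+\.\d+(-[0-9A-Za-z.-]+)?")
VCS_OR_URL = re.compile(r"^(git\+|github:|https?://|git://|-e\s)")

def audit_package_json(text):
    """Return findings for an npm manifest: install hooks, VCS sources, unpinned ranges."""
    manifest = json.loads(text)
    findings = []
    scripts = manifest.get("scripts", {})
    for hook in NPM_INSTALL_HOOKS:
        if hook in scripts:
            findings.append(f"hook: '{hook}' runs during install: {scripts[hook]}")
    for section in ("dependencies", "devDependencies"):
        for name, spec in manifest.get(section, {}).items():
            if VCS_OR_URL.match(spec):
                findings.append(f"vcs: {section}/{name} resolves outside the registry ({spec})")
            elif not EXACT_SEMVER.fullmatch(spec):
                findings.append(f"unpinned: {section}/{name}@{spec} can pull a newer release")
    return findings

def audit_requirements(text):
    """Return findings for a pip requirements file: VCS sources and unpinned specs."""
    findings = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line or line.startswith("-r"):
            continue
        if VCS_OR_URL.match(line):
            findings.append(f"vcs: '{line}' resolves outside PyPI")
        elif "==" not in line:
            findings.append(f"unpinned: '{line}' can pull a newer release")
    return findings

# Constructed sample manifests standing in for a cloned coding-test repository.
SAMPLE_PACKAGE_JSON = """{
  "name": "blockchain-coding-test",
  "scripts": {"postinstall": "node scripts/setup.js", "test": "mocha"},
  "dependencies": {"math-helpers": "^2.1.0", "chain-parser": "1.4.2"},
  "devDependencies": {"build-tool": "git+https://example.invalid/build-tool.git"}
}"""
SAMPLE_REQUIREMENTS = "web3-utils==0.9.1\ncrypto-math>=1.0\n-e git+https://example.invalid/helper.git#egg=helper\n"

if __name__ == "__main__":
    for finding in audit_package_json(SAMPLE_PACKAGE_JSON) + audit_requirements(SAMPLE_REQUIREMENTS):
        print(finding)
```

Anything the audit flags should be read (and the hook script opened) before `npm install` or `pip install` is run, ideally inside a throwaway VM rather than on the developer's workstation that holds wallet extensions and credentials.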
“These packages include multiple obfuscation layers and encrypted payloads that download second-stage malware from command-and-control servers,” — ReversingLabs, Campaign Overview.
The malware uses a modular architecture, enabling operators to maintain the broader Fake Recruiter Campaign even if certain packages or repositories are exposed and removed. This structure allows components to be swapped or updated without dismantling the entire operation.
Active recruiting through direct communication (Source – ReversingLabs)
Once installed, the second-stage payload deploys a fully functional remote access trojan. The RAT is capable of executing arbitrary commands, uploading files, enumerating processes, and checking for the presence of the MetaMask browser extension—an indication that cryptocurrency wallet theft may be a primary objective.
Multi-language RAT and North Korea-linked infrastructure
Researchers identified three distinct versions of the RAT written in JavaScript, Python, and Visual Basic Script. The malware communicates with command-and-control (C2) servers using token-protected authentication, a tactic designed to restrict access and prevent security researchers from analyzing server responses.
“This token mechanism has been observed in other North Korean campaigns,” — ReversingLabs researchers, attribution assessment.
Additional indicators strengthen the link to Lazarus Group. Git commit timestamps align with the GMT+9 timezone, consistent with North Korea. The focus on cryptocurrency developers, combined with the tokenized C2 infrastructure and long-term staging tactics, mirrors previous Lazarus operations.
Security analysts note that the Fake Recruiter Campaign is particularly dangerous because it blends seamlessly into routine development workflows. Developers accustomed to pulling open-source packages from npm or PyPI may not immediately detect malicious modifications—especially when packages have an established download history.
The campaign’s persistence since May 2025 suggests that the threat actors continue refining their methods. By exploiting professional trust networks and open-source ecosystems, the Lazarus Group has turned hiring pipelines into attack surfaces.
Moses Edozie is a writer and storyteller with a deep interest in cryptocurrency, blockchain innovation, and Web3 culture. Passionate about DeFi, NFTs, and the societal impact of decentralized systems, he creates clear, engaging narratives that connect complex technologies to everyday life.