North Korean Lazarus Hackers Use Fake Coding Tests to Steal Passwords

Cybersecurity researchers recently uncovered that the North Korean state-sponsored Lazarus Group is evolving its longstanding ‘fake job’ campaign. This notorious hacking group is now targeting Python developers through a supposed coding test.

The new tactic involves fake LinkedIn accounts, enticing job offers, and malware disguised as password management projects on GitHub. Victims are asked to complete a coding test that, in reality, installs malicious software on their systems.

The VMConnect Campaign

Starting with fake LinkedIn profiles, the Lazarus Group impersonates recruiters from well-known companies, such as Capital One. By offering high salaries and attractive packages, they lure unsuspecting developers into their trap.

Once a victim is interested, they are directed to GitHub to download a ‘password manager’ project. This software, introduced as a coding test, is actually malware. Victims are asked to download, install, and hunt for bugs within a tight half-hour timeframe.

This time constraint is meant to prevent victims from identifying the ruse. As they rush to complete the test, they inadvertently install software that grants attackers access to deploy further malicious code, depending on the compromised environment.

Targeting Python Developers

The latest reports from ReversingLabs indicate that the Lazarus Group has been focusing on Python developers since August 2023. By targeting this specific group, they exploit the developers’ familiarity with coding projects and tools.

These developers, often involved in cryptocurrency, are lucrative targets. Lazarus uses the stolen credentials and access to siphon funds and support North Korea’s state apparatus and weapons programs. This strategic focus capitalizes on developers’ trust in legitimate-looking coding tests and their potential access to financial assets.

One of the group’s significant heists amassed over half a billion dollars, highlighting the effectiveness and scale of their operations.

Implementation of Social Engineering

Lazarus Group’s methodology relies heavily on social engineering. By creating highly convincing personas and job offers, they build a narrative that appears legitimate to their targets.

This level of social engineering deception is sophisticated and unfolds in multiple stages. Recruitment usually involves several rounds of interviews and tests, heightening the appearance of authenticity.

The hackers’ ability to adapt their methods and keep their tactics fresh ensures continued success and difficulty in detection.

Consequences of the Campaign

The repercussions of Lazarus Group’s campaign are severe. Developers not only risk losing sensitive information but also face potential financial loss and reputational damage.

Once the malware is installed, it acts as a downloader for additional malicious threats. This secondary malware could potentially cause extensive harm, ranging from data theft to complete system compromise.

Clients relying on compromised developers may also suffer collateral damage, leading to industry-wide repercussions and a loss of trust in digital project recruitment.

Protective Measures for Developers

Developers are advised to exercise extreme caution when responding to job offers and coding tests, especially those involving unfamiliar software downloads. Scrutinizing the source and legitimacy of the request is crucial.

Using robust antivirus software and maintaining updated security measures can help detect and prevent malware installation. Additionally, developers should seek to verify job offers through direct contact with companies rather than through third-party platforms.

Fostering awareness and education on the latest cybersecurity threats can empower developers to recognize and avoid potential scams.
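One practical form of "scrutinizing the source" is to triage a take-home project statically before installing or running anything in it. The script below is an added example, not code from the article or from ReversingLabs, and its heuristics (dynamic code execution, decode and decompress helpers, process and network primitives, long base64-like literals) are general assumptions about how a downloader stage is typically hidden, not a signature of this campaign.

```python
import ast
import pathlib
import re

# Assumed heuristics for this added example: primitives a "password manager"
# coding test has little reason to use, plus blobs that may hide a payload.
SUSPICIOUS_CALLS = {
    "exec", "eval", "compile", "__import__",
    "base64.b64decode", "codecs.decode", "zlib.decompress",
    "subprocess.Popen", "subprocess.run", "os.system",
    "urllib.request.urlopen", "requests.get",
}
LONG_BLOB = re.compile(r"^[A-Za-z0-9+/=]{120,}$")


def _call_name(node: ast.Call) -> str:
    """Rebuild a dotted name such as base64.b64decode from a Call node."""
    parts = []
    func = node.func
    while isinstance(func, ast.Attribute):
        parts.append(func.attr)
        func = func.value
    if isinstance(func, ast.Name):
        parts.append(func.id)
        return ".".join(reversed(parts))
    return ""  # call on a subscript/lambda etc.; not matched by name


def scan_source(src: str, filename: str = "<memory>") -> list[str]:
    """Return human-readable findings for one Python source file."""
    findings = []
    try:
        tree = ast.parse(src, filename)
    except SyntaxError as exc:
        # A file that will not parse still needs a manual look.
        return [f"{filename}: does not parse ({exc.msg}); inspect by hand"]
    for node in ast.walk(tree):
        if isinstance(node, ast.Call):
            name = _call_name(node)
            if name in SUSPICIOUS_CALLS:
                findings.append(f"{filename}:{node.lineno}: call to {name}")
        elif isinstance(node, ast.Constant) and isinstance(node.value, str):
            if LONG_BLOB.match(node.value):
                findings.append(f"{filename}:{node.lineno}: long base64-like "
                                f"literal ({len(node.value)} chars)")
    return findings


def scan_project(root: str) -> list[str]:
    """Scan every .py file under root before anything in it is installed or run."""
    findings = []
    for path in sorted(pathlib.Path(root).rglob("*.py")):
        findings.extend(scan_source(path.read_text(errors="replace"), str(path)))
    return findings
```

Run `scan_project("/path/to/cloned/test")` on the checkout and treat any finding, or any file that fails to parse, as a reason to ask the "recruiter" questions through the company's official channels before going further.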

The Role of Cybersecurity Firms

Cybersecurity companies like ReversingLabs play a critical role in identifying and mitigating threats posed by groups like Lazarus. By analyzing and reporting on these campaigns, they provide valuable insights into hacker methodologies.

These firms encourage a proactive approach to cybersecurity, highlighting the importance of continuous vigilance and updated defenses against evolving threats.

Their research not only protects targeted individuals but also informs wider security protocols and strategies, contributing to global cybersecurity resilience.

The Broader Impact on Cybersecurity

The persistent efforts of the Lazarus Group underscore a broader challenge within the cybersecurity landscape. As hacking tactics evolve, so must the defenses deployed by individuals and organizations.

This ongoing cat-and-mouse game between hackers and cybersecurity experts demands continuous innovation and adaptation. The VMConnect campaign exemplifies the sophisticated nature of modern cyber threats and the need for robust, dynamic defense mechanisms.


The Lazarus Group’s use of fake coding tests to deploy malware exemplifies the evolving nature of cyber threats. Developers must remain vigilant and informed to protect themselves and their networks.

Through collaborative efforts between individuals, organizations, and cybersecurity firms, the risks posed by such sophisticated campaigns can be mitigated. Staying ahead of these threats requires constant vigilance and proactive security measures.

Source: Techradar
