
Lazarus Group Targets npm, PyPI, and GitHub Developers With Fake Job Recruiter Malware Campaign

[Image: fake job recruiters hide malware in developer coding challenges]

Executive Summary

A new wave of highly targeted attacks exploits the trust built into the software development hiring process. Threat actors, most notably the Lazarus Group (whose financially motivated operations are often tracked separately as APT38), impersonate legitimate job recruiters and lure developers with attractive job offers. As part of the supposed interview process, the attackers deliver coding challenges that, when built or run, silently install malware on the victim's system. The campaign abuses trusted developer ecosystems such as npm, PyPI, and GitHub to distribute remote access trojans (RATs) and other payloads, typically through dependencies embedded in the coding task, where they are far less likely to be reviewed than the task's own source. The attacks are adaptive, modular, and persistent, with a particular focus on cryptocurrency and blockchain developers. This report provides a technical analysis of the threat, including the observed tactics, techniques, and procedures (TTPs), indicators of compromise (IOCs), and actionable mitigations.

Threat Actor Profile

The primary threat actor behind these campaigns is the Lazarus Group, a North Korean state-sponsored advanced persistent threat (APT) group. Lazarus Group is known for sophisticated operations against financial institutions, cryptocurrency exchanges, and software supply chains. Its modus operandi combines social engineering, spearphishing, and supply chain compromise in pursuit of objectives that are believed to be both financially and strategically motivated. The group's technical sophistication shows in its use of modular malware, delayed payload activation, and rapid infrastructure rotation. Attribution to Lazarus Group rests on the observed TTPs, time zone artifacts in Git commits (GMT+9, the offset used in North Korea), and a consistent focus on cryptocurrency theft and developer targeting. Commit timestamps are set by the committer's own clock and configuration and are trivial to forge, so they corroborate the other evidence rather than establish attribution on their own.
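The commit time zone check cited above, as an added example that is not part of the original advisory: a small parser that tallies the UTC offset of every commit in a repository's history per author, which is a quick first triage step on a suspicious "coding challenge" repository. It reads the output of `git log --format='%H%x09%ai%x09%ae'` (full hash, author date with offset, author e-mail, tab-separated); the sample log lines, hashes and e-mail addresses below are constructed and hypothetical.

```python
"""Tally commit-time UTC offsets from git log output (added example, not Rescana's code).

Expected input is one commit per line as produced by
    git log --format='%H%x09%ai%x09%ae'
i.e. "<sha>\t<YYYY-MM-DD HH:MM:SS +HHMM>\t<author e-mail>".
"""
import re
from collections import Counter, defaultdict

LINE_RE = re.compile(
    r"^(?P<sha>[0-9a-f]{7,40})\t"
    r"(?P<date>\S+ \S+ (?P<offset>[+-]\d{4}))\t"
    r"(?P<email>\S+)$"
)


def offsets_by_author(log_text):
    """Return {author_email: Counter({offset: commit_count})} for the given log text."""
    table = defaultdict(Counter)
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # skip blank or malformed lines instead of guessing at them
        table[m["email"]][m["offset"]] += 1
    return dict(table)


def dominant_offset(log_text):
    """Offset carried by the largest share of commits across all authors, or None if the log is empty."""
    total = Counter()
    for counts in offsets_by_author(log_text).values():
        total.update(counts)
    return total.most_common(1)[0][0] if total else None


# Constructed sample: three commits from one author at +0900 and one CI commit at UTC.
SAMPLE_LOG = """\
3f2a9c1d\t2024-05-03 14:22:10 +0900\tdev@example.invalid
8b77e0aa\t2024-05-03 15:01:44 +0900\tdev@example.invalid
c019d4ef\t2024-05-04 09:12:30 +0900\tdev@example.invalid
aa41be02\t2024-05-06 11:40:02 +0000\tci@example.invalid
"""

if __name__ == "__main__":
    for email, counts in offsets_by_author(SAMPLE_LOG).items():
        print(email, dict(counts))
    print("dominant offset:", dominant_offset(SAMPLE_LOG))
```

Because the author date and offset come from the committer's machine, a +0900 result is a data point to weigh alongside the TTPs and targeting, not proof of origin; an attacker can set any offset with `git commit --date` or by changing the system clock.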

Technical Analysis of Malware/TTPs

The attack chain begins with initial contact via LinkedIn, Facebook, Reddit, or email, where the attackers pose as recruiters from fictitious or impersonated companies, often in the blockchain or fintech sectors. The developer is asked to complete a coding challenge, typically provided as a project hosted on GitHub or as a compressed archive. The project appears legitimate but declares dependencies from npm or PyPI that are controlled by the attacker.

Malicious packages such as bigmathutils, graphalgo, graphnetworkx, and others are introduced as dependencies. These packages are often benign in their early versions, with malicious code added in a later update once the package has accumulated downloads and a plausible history; this both evades detection and builds trust. Once the project is installed or run, the malicious dependency drops a modular RAT that can enumerate running processes, execute arbitrary commands received from a command-and-control (C2) server, exfiltrate files, fetch additional payloads, and check for the MetaMask browser extension in order to target cryptocurrency assets. C2 traffic is token-authenticated and carried over ordinary web protocols so that it blends with legitimate traffic.

The malware is frequently introduced through transitive (indirect) dependencies, which rarely receive any review and so make detection harder. The campaign shows patience and operational security: attackers publish benign packages to gain downloads and trust before switching to malicious versions. The infrastructure is modular, allowing attackers to rotate domains and package names quickly while reusing the same backend payloads.

Exploitation in the Wild

This campaign has resulted in multiple confirmed compromises of developers who executed the provided coding challenges. The attacks are global in scope, with a strong emphasis on North America, Europe, and Asia-Pacific regions where cryptocurrency and blockchain development is prevalent. The campaign is ongoing and highly adaptive, with new package names and variants appearing regularly. The attackers’ focus on cryptocurrency assets is evident in the malware’s functionality, which includes detection of the MetaMask extension and targeted exfiltration of wallet data. The modular nature of the campaign allows for rapid resumption of operations if any part of the infrastructure is disrupted.

Victimology and Targeting

The primary targets are software developers, particularly those working in the cryptocurrency, blockchain, and financial technology sectors. The attackers leverage open-source intelligence to identify potential victims, often targeting individuals who are active on professional networking sites or have public profiles indicating experience in relevant technologies. The use of realistic job offers and legitimate-seeming coding challenges increases the likelihood of successful compromise. The campaign has affected organizations and individuals globally, with a concentration in regions with high levels of cryptocurrency development activity.

Mitigation and Countermeasures

Organizations and individuals can take several steps to reduce the risk from these attacks.

Developers should be educated about the risk of running unsolicited code, especially as part of a job application. Treat any coding challenge from an unknown or unverified source as untrusted: read the dependency manifest and lockfile before installing anything, and build and run the project only in an isolated, disposable environment (a throwaway VM or container with no access to wallets, SSH keys, cloud credentials, or the corporate network). Note that installation is already execution: npm runs package lifecycle scripts during `npm install` unless `--ignore-scripts` is given, and pip can execute a package's build script when installing a source distribution.

Endpoint detection and response (EDR) should be deployed in developer environments to monitor for suspicious process and file activity and for connections to known C2 domains such as codepool[.]cloud and aurevian[.]cloud, and network monitoring should block outbound connections to known malicious infrastructure.

Audit npm and PyPI dependencies regularly, including transitive ones. The package names seen so far (bigmathutils, graphalgo, graphnetworkx) contain "graph" or "big", but name matching is a weak signal because the attackers rotate names freely. More durable indicators are packages that were published recently, versions bumped shortly before the challenge was sent, install-time scripts that were absent from earlier versions, and dependencies resolved from git or tarball URLs rather than the registry.

If compromise is suspected, immediately rotate every credential, token, and secret that was reachable from the machine (SSH keys, cloud and registry tokens, browser-saved passwords, wallet seed phrases) and rebuild the operating system from clean media rather than attempting to remove the malware in place. Finally, organizations should enforce controls and review processes for running code from untrusted sources in developer environments.
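The dependency audit described above, as an added example that is not Rescana's or any vendor's tooling: an offline check over a parsed package-lock.json (lockfileVersion 2 or 3) and npm registry metadata, flagging dependencies that resolve outside the registry, lack an integrity hash, run install-time lifecycle scripts (and in particular scripts that first appear in the newest version, the benign-then-malicious pattern this advisory describes), or were published very recently. The registry metadata is passed in as a dict shaped like the npm registry's package document ("time" and "versions" keys) so the audit runs without network access; everything embedded below is constructed, and every package name other than express is hypothetical. The same checks apply to PyPI using the release upload times from its JSON API, which is not implemented here.

```python
"""Offline npm lockfile audit for the recruiter-lure dependency pattern (added example).

Not Rescana's code. Takes a parsed package-lock.json ("packages" map) and registry
documents shaped like the npm registry's ("time" and "versions"). All embedded
data is constructed; package names other than express are hypothetical.
"""
from datetime import datetime, timedelta, timezone

INSTALL_HOOKS = ("preinstall", "install", "postinstall", "prepare")
REGISTRY_PREFIX = "https://registry.npmjs.org/"


def _parse_time(stamp):
    # The registry uses RFC 3339 with a trailing "Z"; fromisoformat wants an explicit offset.
    return datetime.fromisoformat(stamp.replace("Z", "+00:00"))


def audit_lockfile(lock, registry, now, max_version_age_days=30, max_package_age_days=90):
    """Return {package_name: [finding, ...]} for every dependency that needs a closer look."""
    findings = {}
    for path, entry in lock.get("packages", {}).items():
        if not path.startswith("node_modules/"):
            continue  # the "" key is the root project, not a dependency
        name = path.rsplit("node_modules/", 1)[1]  # also handles nested node_modules paths
        version = entry.get("version")
        resolved = entry.get("resolved", "")
        problems = []
        if not resolved.startswith(REGISTRY_PREFIX):
            problems.append(f"resolved from a non-registry source: {resolved or '<none>'}")
        if not entry.get("integrity"):
            problems.append("no integrity hash, so the fetched tarball is unverified")
        doc = registry.get(name)
        if doc is None:
            problems.append("no registry metadata available; review manually")
        else:
            times = doc.get("time", {})
            versions = doc.get("versions", {})
            published = {v: _parse_time(t) for v, t in times.items() if v in versions}
            this_pub = published.get(version)
            hooks = [h for h in INSTALL_HOOKS if h in versions.get(version, {}).get("scripts", {})]
            if hooks:
                # Compare with the most recently published earlier version: a hook present
                # only in the newest release is the benign-then-malicious update pattern.
                prior = [v for v, t in published.items() if this_pub and t < this_pub]
                prev = max(prior, key=published.get) if prior else None
                prev_hooks = set(versions[prev].get("scripts", {})) if prev else set()
                new_hooks = [h for h in hooks if h not in prev_hooks]
                if prev and new_hooks:
                    problems.append(f"install hook(s) {new_hooks} first appear in {version} (absent in {prev})")
                else:
                    problems.append(f"runs install hook(s) {hooks} on npm install")
            if this_pub and now - this_pub < timedelta(days=max_version_age_days):
                problems.append(f"version {version} published {(now - this_pub).days} days ago")
            created = times.get("created")
            if created and now - _parse_time(created) < timedelta(days=max_package_age_days):
                problems.append(f"package first published {(now - _parse_time(created)).days} days ago")
        if problems:
            findings[name] = problems
    return findings


NOW = datetime(2024, 6, 10, tzinfo=timezone.utc)  # constructed reference date

LOCK = {  # constructed package-lock.json excerpt
    "lockfileVersion": 3,
    "packages": {
        "": {"name": "coding-challenge", "dependencies": {"express": "^4.19.0", "acme-graph-lib": "^1.2.0"}},
        "node_modules/express": {"version": "4.19.2", "integrity": "sha512-placeholder",
                                 "resolved": "https://registry.npmjs.org/express/-/express-4.19.2.tgz"},
        "node_modules/acme-graph-lib": {"version": "1.2.0", "integrity": "sha512-placeholder",  # hypothetical
                                        "resolved": "https://registry.npmjs.org/acme-graph-lib/-/acme-graph-lib-1.2.0.tgz"},
        # hypothetical transitive dependency pulled from a git URL instead of the registry
        "node_modules/acme-graph-lib/node_modules/fast-helper": {
            "version": "0.0.3", "resolved": "git+ssh://git@github.com/example/fast-helper.git#abc123"},
    },
}

REGISTRY = {  # constructed registry documents, trimmed to the fields the audit reads
    "express": {"time": {"created": "2010-01-01T00:00:00Z", "4.19.2": "2024-03-25T00:00:00Z"},
                "versions": {"4.19.2": {"scripts": {"test": "mocha"}}}},
    "acme-graph-lib": {
        "time": {"created": "2024-04-01T10:00:00Z", "1.0.0": "2024-04-01T10:00:00Z",
                 "1.1.0": "2024-04-20T10:00:00Z", "1.2.0": "2024-06-05T08:30:00Z"},
        "versions": {"1.0.0": {"scripts": {"test": "jest"}}, "1.1.0": {"scripts": {"test": "jest"}},
                     "1.2.0": {"scripts": {"test": "jest", "postinstall": "node lib/setup.js"}}},
    },
}

if __name__ == "__main__":
    for pkg, notes in audit_lockfile(LOCK, REGISTRY, NOW).items():
        print(pkg)
        for note in notes:
            print("  -", note)
```

On the constructed data, express is clean, acme-graph-lib is flagged for a postinstall hook that did not exist in 1.1.0, a version only days old and a package only weeks old, and fast-helper is flagged for a non-registry source, a missing integrity hash, and absent registry metadata. In practice the registry documents would come from `npm view <name> --json` fetched from a machine that is not the one under test, and any flagged package should be read, not installed.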

About Rescana

Rescana is a leader in third-party risk management (TPRM), providing organizations with advanced tools to identify, assess, and mitigate cyber risks across their digital supply chains. Our platform leverages real-time threat intelligence, automated risk scoring, and continuous monitoring to help organizations stay ahead of emerging threats and ensure the security of their critical assets. For more information about how Rescana can help protect your organization, or if you have questions about this advisory, please contact us at ops@rescana.com.
