Fake Blocmerce GitHub organization | Image: ReversingLabs
The ReversingLabs (RL) research team has uncovered a sophisticated expansion of the “graphalgo” campaign. Originally identified in February, this North Korean state-sponsored operation has evolved from simple phishing into a multi-layered deception involving fake job interviews, typo-squatted GitHub repositories, and even the registration of legitimate legal entities in the United States.
The campaign centers on “front end phishing activities being conducted via job seeking platforms and social networks”. Attackers pose as technical recruiters for fake or mimicked blockchain companies, such as “Bridgers Finance” and “Blocmerce,” lure developers with attractive job offerings, and eventually present them with a “coding task”.
One prominent example identified by researchers is the fake LinkedIn profile of “Gnanika Thumba,” a supposed technical recruiter for Bridgers Finance. “At the time of publication, a fake LinkedIn profile of a Bridgers ‘technical recruiter’ named Gnanika Thumba is actively publishing job offering posts related to this campaign,” the report stated. These profiles are used to build trust before delivering a malicious coding assignment that installs a Remote Access Trojan (RAT).
For the fake company “Blocmerce,” threat actors established a “legitimate legal entity, a limited liability corporation (LLC), for Blocmerce, filing registration papers (PDF) with the Florida Secretary of State’s Office” in August 2025.
These filings listed names and addresses of fake employees, including a CEO named “Alexandre Miller,” whose LinkedIn profile was used to interact with potential victims. While the physical addresses in the filings were real, they belonged to different people, highlighting a tactic of identity theft or fabrication common among North Korean threat actors.
The “graphalgo” campaign has also shifted its backend tactics to avoid detection by security vendors. While initial iterations hosted malicious packages on public registries like npm or PyPI, the actors now hide their payloads within GitHub release artifacts.
- The Dependency Pivot: “The malicious dependency is now hosted as a release artifact in GitHub repositories,” which are not as heavily monitored as the official open-source software (OSS) package registries.
- Transitive Obfuscation: The reference to these malicious files is buried deep within package-lock.json files, making it difficult for developers to notice that a dependency is being fetched from a “crafted GitHub repository” instead of the official npm registry.
- Typo-squatting: Attackers mimic popular maintainers using subtle character swaps, such as swapping the lowercase “l” and the capital “I”, which are nearly indistinguishable in many fonts, in the account name ljharb.
- Git Log Rewriting: To further increase their credibility, the actors copy legitimate repositories and “rewrote their entire git history to make them look like they were conducted from attacker-controlled accounts”.
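As an added illustration (not code from the ReversingLabs report), the following Python script audits a package-lock.json for the two signals described above: a dependency whose tarball is resolved from a host other than the official npm registry, reported with its depth in the dependency tree, and a GitHub account that differs from a watched maintainer only by look-alike glyphs. The lockfile excerpt and the lookalike account name Ijharb are constructed for this example.

```python
import json
from urllib.parse import urlparse

OFFICIAL_REGISTRY_HOSTS = {"registry.npmjs.org"}
# Maintainer handles whose lookalikes are worth flagging (ljharb is named in the report).
WATCHED_MAINTAINERS = {"ljharb"}

# Constructed package-lock.json excerpt (not from the report): a direct dependency
# fetched from the official registry and a transitive one resolved from a GitHub release.
SAMPLE_LOCKFILE = json.dumps({
    "name": "coding-task", "lockfileVersion": 3,
    "packages": {
        "": {"name": "coding-task", "dependencies": {"left-pad": "^1.3.0"}},
        "node_modules/left-pad": {
            "version": "1.3.0",
            "resolved": "https://registry.npmjs.org/left-pad/-/left-pad-1.3.0.tgz"},
        "node_modules/left-pad/node_modules/helper-lib": {
            "version": "2.0.1",
            "resolved": "https://github.com/Ijharb/helper-lib/releases/download/v2.0.1/helper-lib-2.0.1.tgz"},
    },
})

def skeleton(handle):
    # Collapse glyphs that look alike in common fonts (I/l/1, O/0) before
    # lower-casing, so the constructed 'Ijharb' and the real 'ljharb' compare equal.
    return handle.translate(str.maketrans("I10", "llo")).lower()

def audit_lockfile(lock_text):
    # Flag every locked package whose tarball does not come from the official
    # registry, noting its depth in the tree and any lookalike GitHub account.
    findings = []
    for path, meta in json.loads(lock_text).get("packages", {}).items():
        resolved = meta.get("resolved")
        if not resolved:
            continue  # the root entry and bundled packages carry no URL
        host = urlparse(resolved).hostname or ""
        if host in OFFICIAL_REGISTRY_HOSTS:
            continue
        reasons = [f"resolved from {host} instead of the npm registry"]
        if host == "github.com":
            account = urlparse(resolved).path.strip("/").split("/")[0]
            for maintainer in WATCHED_MAINTAINERS:
                if account != maintainer and skeleton(account) == skeleton(maintainer):
                    reasons.append(f"account {account!r} is a lookalike of {maintainer!r}")
        # depth 1 = direct dependency, 2 or more = transitive (buried in the tree)
        findings.append({"package": path, "depth": path.count("node_modules/"),
                         "resolved": resolved, "reasons": reasons})
    return findings
```

Run against a real lockfile with `audit_lockfile(open("package-lock.json").read())`; anything returned deserves a look before `npm install` is allowed to fetch it.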
Evidence strongly points toward a determined state-sponsored actor. ReversingLabs noted that “Git log information for every one of [the malicious repositories] contains only one commit with GMT+9 timestamp,” which aligns with North Korea’s time zone. Furthermore, the reuse of the same final RAT payload and specific release artifacts across different branches of the campaign supports the attribution.