The North Korean state-sponsored hacking group Lazarus has launched a new branch of its "fake recruiter" campaigns, this time targeting Python and JavaScript developers in the cryptocurrency sector. A report by the ReversingLabs research team details a coordinated operation dubbed "Graphalgo" that lures victims with attractive job offers before infecting their systems with multi-layered malware hidden in open-source packages.
The campaign, active since May 2025, marks an evolution in the group's tactics: a "modular" approach in which individual components can be replaced when they are detected, so the operation survives takedowns and persists in the wild.
The attack begins on social platforms like LinkedIn, Facebook, and even Reddit, where developers are approached with job opportunities that seem too good to miss. The threat actors spin a “well-orchestrated story” about a company involved in blockchain and cryptocurrency exchanges, building trust with potential victims over time.

Once the hook is set, the trap is sprung. Developers are asked to complete a coding task or review a project that requires installing specific packages from public package registries such as npm and PyPI.
“The malicious functionality is hidden using several layers of indirection across public services which include GitHub, npm and PyPI,” the report explains.
The core component of this campaign is a malicious npm package named bigmathutils. To a casual observer it looks legitimate, and for a time it was. The report notes that the package "collected more than 10K downloads since publishing the original, non-malicious version, and before the second version containing malicious payload was released".
This bait-and-switch lets the package accumulate downloads and a reputation as a clean dependency before a later release turns it malicious. A package that was vetted once when it was adopted does not stay vetted: the benign first version would pass review, and the malicious update arrives through the normal upgrade path.
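One practical check against this pattern is to diff consecutive releases of a package rather than inspect only the version you are about to install. The following is an added example, not code from the ReversingLabs report or from the page's subject: it walks an npm "packument" (the per-package metadata document served by the public registry, whose `time`, `versions`, `scripts`, `dependencies` and `_npmUser` fields are assumed here to follow the registry's published format) and flags releases that introduce install-time lifecycle scripts, new dependencies, or a change of publisher. The sample packument is constructed for illustration; the package name, versions, dates and maintainer names are placeholders and say nothing about the real bigmathutils package.

```javascript
// Added example (not from the ReversingLabs report or the page): audit an npm
// packument for bait-and-switch signals between consecutive releases.
// SAMPLE_PACKUMENT is CONSTRUCTED sample data; every name, version and date in it
// is a placeholder and not a claim about any real package.

const SAMPLE_PACKUMENT = {
  name: "example-utils",
  // publish timestamps per version, as the registry reports them
  time: {
    "1.0.0": "2025-05-02T10:00:00.000Z",
    "1.0.1": "2025-06-20T01:15:00.000Z",
    "1.0.2": "2025-06-21T03:00:00.000Z",
  },
  versions: {
    "1.0.0": {
      version: "1.0.0",
      dependencies: {},
      scripts: { test: "node test.js" },
      _npmUser: { name: "maintainer-a" },
    },
    // the "switch": an install hook, a new dependency and a new publisher at once
    "1.0.1": {
      version: "1.0.1",
      dependencies: { "some-helper": "^2.0.0" },
      scripts: { test: "node test.js", postinstall: "node setup.js" },
      _npmUser: { name: "maintainer-b" },
    },
    // a follow-up release that changes nothing of interest
    "1.0.2": {
      version: "1.0.2",
      dependencies: { "some-helper": "^2.0.0" },
      scripts: { test: "node test.js", postinstall: "node setup.js" },
      _npmUser: { name: "maintainer-b" },
    },
  },
};

// Lifecycle scripts npm runs automatically during install; a release that adds
// one is the cheapest way to turn a previously inert package into code execution.
const LIFECYCLE_HOOKS = ["preinstall", "install", "postinstall", "prepare"];
const MS_PER_DAY = 24 * 60 * 60 * 1000;

const has = (obj, key) => Object.prototype.hasOwnProperty.call(obj, key);

// Versions in the order the registry actually served them (publish time, not
// semver), so a backdated or out-of-order tag still sits next to its real predecessor.
function sortedVersions(packument) {
  return Object.keys(packument.versions).sort(
    (a, b) => Date.parse(packument.time[a]) - Date.parse(packument.time[b])
  );
}

// Compare two version manifests and return the changes worth a human look.
function diffVersions(prev, next) {
  const findings = [];
  const prevScripts = prev.scripts || {};
  const nextScripts = next.scripts || {};
  for (const hook of LIFECYCLE_HOOKS) {
    const before = has(prevScripts, hook) ? prevScripts[hook] : null;
    const after = has(nextScripts, hook) ? nextScripts[hook] : null;
    if (before === after) continue;
    const kind = before === null ? "new-lifecycle-hook"
      : after === null ? "removed-lifecycle-hook" : "changed-lifecycle-hook";
    findings.push({ kind, hook, before, after });
  }
  const prevDeps = prev.dependencies || {};
  const nextDeps = next.dependencies || {};
  for (const dep of Object.keys(nextDeps)) {
    if (!has(prevDeps, dep)) {
      findings.push({ kind: "new-dependency", dependency: dep, range: nextDeps[dep] });
    }
  }
  const prevUser = prev._npmUser && prev._npmUser.name;
  const nextUser = next._npmUser && next._npmUser.name;
  if (prevUser && nextUser && prevUser !== nextUser) {
    findings.push({ kind: "publisher-changed", before: prevUser, after: nextUser });
  }
  return findings;
}

// Walk consecutive releases and report only the transitions that changed something.
// daysSincePrevious is reported because a quiet period followed by a release that
// adds install-time behaviour is the characteristic shape of a bait-and-switch.
function auditPackument(packument) {
  const versions = sortedVersions(packument);
  const report = [];
  for (let i = 1; i < versions.length; i++) {
    const from = versions[i - 1];
    const to = versions[i];
    const findings = diffVersions(packument.versions[from], packument.versions[to]);
    if (findings.length === 0) continue;
    const gapMs = Date.parse(packument.time[to]) - Date.parse(packument.time[from]);
    report.push({ from, to, daysSincePrevious: Math.floor(gapMs / MS_PER_DAY), findings });
  }
  return report;
}

console.log(JSON.stringify(auditPackument(SAMPLE_PACKUMENT), null, 2));
```

On the constructed sample the audit flags only the 1.0.0 to 1.0.1 transition (48 days after the first release) with a new postinstall hook, a new dependency and a changed publisher, and stays silent on the benign 1.0.2 release. Against a real package the same function can be fed the JSON returned by `https://registry.npmjs.org/<package-name>`; the findings are signals for review, not a verdict, since legitimate maintainers also add hooks and dependencies.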
What sets Graphalgo apart is its engineering. The malware isn’t a simple script; it’s a complex, multi-stage infection chain.
“Evidence suggests that this is a highly sophisticated campaign,” ReversingLabs researchers state. “Its modularity, long-lived nature, patience in building trust across different campaign elements, and the complexity of the multilayered and encrypted malware point to the work of a state-sponsored threat actor”.
The modular design is a strategic choice. By separating the front end (the recruiter persona and job offer) from the back end (the services that serve the malicious payloads), the attackers can swap out one component when it is detected without rebuilding the other. "The modular approach in this campaign makes it easy for the threat actor to design frontend campaigns without the need to change backend services responsible for serving malicious payloads," the report notes.
Timestamps in the malware's Git commits carry a UTC+9 offset, consistent with Pyongyang time. The same offset is used by Seoul and Tokyo, and commit timestamps are trivial to forge, so on its own this supports rather than proves the attribution. The campaign itself shows no signs of slowing down.
“Their footprint is continuously present in these ecosystems, and new malicious packages will certainly continue to appear for an extended period of time,” the report concludes. “All these facts lead to a conclusion that this is an ongoing campaign and there are no signs of stopping”.