
Bitdefender Labs has uncovered an active cyber espionage campaign by the Lazarus Group, a North Korean state-sponsored threat actor, exploiting LinkedIn’s professional network to target high-value individuals. This campaign employs sophisticated social engineering techniques, using fake job offers as bait to lure victims into executing multi-stage malware payloads.
“LinkedIn may be a vital tool for job seekers and professionals, but it has also become a playground for cybercriminals exploiting its credibility,” the report warns.
The attackers pose as recruiters, reaching out to finance, technology, and cryptocurrency professionals, enticing them with remote work opportunities and lucrative job offers. However, the end goal is not employment—it’s credential harvesting and malware deployment.
The attackers initiate contact with targets through LinkedIn, engaging them in conversations about seemingly legitimate projects. Once they gain the victim’s trust, they share malicious files disguised as project documents or demo applications. These files, when executed, deliver malware that can steal sensitive information, such as login credentials, financial data, and cryptocurrency wallet keys.

In one instance, the attackers used a Bitbucket repository to host a “minimum viable product” (MVP) of a fake decentralized cryptocurrency exchange project. They then sent a Google Docs document with questions that could only be answered by running the malicious demo application.
The malware used in this campaign is a cross-platform infostealer that can be deployed on Windows, macOS, and Linux systems. It specifically targets popular cryptocurrency wallets and browser extensions, exfiltrating login data and other sensitive information to attacker-controlled servers.
“The Python script decompresses and decodes itself recursively until it finally reveals the next stage – a hidden script that further enables the download of three additional Python modules,” the report explains.
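To make that self-decoding behaviour concrete, the block below is an added example written for this page; it is not code from Bitdefender's report or from the Lazarus samples. It constructs a benign three-layer fixture using the zlib-plus-base64 `exec()` wrapping pattern the quote describes (the exact encoding used in the real samples is an assumption), then statically peels the layers back without executing any of them, which is how an analyst recovers the hidden stage safely.

```python
import base64
import re
import zlib

# Constructed fixture, not material from the report: a benign final stage wrapped in
# several layers of the "decompress, decode, exec the result" pattern described above.
FINAL_STAGE = "print('final stage reached')\n"


def _wrap_layer(stage: str) -> str:
    """Wrap one stage in a self-decoding exec() layer (used only to build the fixture)."""
    blob = base64.b64encode(zlib.compress(stage.encode("utf-8"))).decode("ascii")
    return f"import base64, zlib\nexec(zlib.decompress(base64.b64decode('{blob}')))\n"


def build_fixture(layers: int = 3) -> str:
    """Return a script nested `layers` deep; each layer must be peeled to reach FINAL_STAGE."""
    stage = FINAL_STAGE
    for _ in range(layers):
        stage = _wrap_layer(stage)
    return stage


# Matches the string literal handed to exec(zlib.decompress(base64.b64decode('...'))).
LAYER_RE = re.compile(
    r"exec\(\s*zlib\.decompress\(\s*base64\.b64decode\(\s*['\"]([A-Za-z0-9+/=]+)['\"]\s*\)\s*\)\s*\)"
)


def peel_layers(script: str, max_layers: int = 20) -> tuple[str, int]:
    """Statically unwrap nested layers without executing any of them.

    Returns the innermost script recovered and the number of layers removed.
    max_layers bounds the loop so a malformed or hostile sample cannot spin forever.
    """
    depth = 0
    while depth < max_layers:
        match = LAYER_RE.search(script)
        if match is None:
            break  # no recognisable layer left: this is the final stage
        try:
            inner = zlib.decompress(base64.b64decode(match.group(1), validate=True))
        except (ValueError, zlib.error):
            break  # literal is not a well-formed layer; hand back what we have so far
        script = inner.decode("utf-8", errors="replace")
        depth += 1
    return script, depth


if __name__ == "__main__":
    sample = build_fixture(3)
    recovered, depth = peel_layers(sample)
    print(f"peeled {depth} layers; final stage:\n{recovered}")
```

The point of the static approach is that each layer is decoded with `zlib.decompress` and `base64.b64decode` directly rather than by running the sample's own `exec()` chain, so the analyst sees every intermediate stage and nothing from the sample ever executes.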
The Lazarus Group has employed various methods to ensure long-term access to compromised devices while bypassing security solutions.
- Exploiting Tor Networks – Malware downloads and starts a Tor Proxy Server to communicate covertly with C2 infrastructure.
- Disabling Security Tools – Some payloads modify Microsoft Defender’s exception list, preventing detection of malicious files.
- System Fingerprinting – The malware collects detailed system information, including CPU specs, GPU details, RAM capacity, and geographic location.
- Keylogging & Credential Theft – The .NET binary captures browser passwords, crypto keys, and Discord authentication tokens.
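Of the four behaviours above, the Defender exclusion change is the one with a ready-made telemetry hook: Microsoft Defender records configuration changes as Event ID 5007 in the Microsoft-Windows-Windows Defender/Operational channel, and the message names the registry value that changed. The block below is an added example for this page, not code from the report; the events are constructed in that shape (the field names and the exact message wording are assumptions) and the function flags any record whose new value sits under the Exclusions key, ignoring other 5007 changes and exclusion removals.

```python
import re
from dataclasses import dataclass

# Constructed sample events shaped like Microsoft Defender Event ID 5007 records
# (configuration change). Field names and message wording are assumptions, not log
# lines from the report.
SAMPLE_EVENTS = [
    {
        "event_id": 5007,
        "computer": "ws-finance-07",
        "message": (
            "Microsoft Defender Antivirus Configuration has changed.\n"
            "Old value: \n"
            "New value: HKLM\\SOFTWARE\\Microsoft\\Windows Defender\\Exclusions\\Paths\\"
            "C:\\Users\\Public\\demo_app = 0x0"
        ),
    },
    {
        "event_id": 5007,
        "computer": "ws-finance-07",
        "message": (
            "Microsoft Defender Antivirus Configuration has changed.\n"
            "Old value: \n"
            "New value: HKLM\\SOFTWARE\\Microsoft\\Windows Defender\\Exclusions\\Processes\\"
            "python.exe = 0x0"
        ),
    },
    {
        # Same event ID, but a scan-schedule tweak rather than an exclusion: must not fire.
        "event_id": 5007,
        "computer": "ws-finance-07",
        "message": (
            "Microsoft Defender Antivirus Configuration has changed.\n"
            "Old value: HKLM\\SOFTWARE\\Microsoft\\Windows Defender\\Scan\\ScheduleDay = 0x2\n"
            "New value: HKLM\\SOFTWARE\\Microsoft\\Windows Defender\\Scan\\ScheduleDay = 0x3"
        ),
    },
    {
        "event_id": 1116,
        "computer": "ws-finance-07",
        "message": "Microsoft Defender Antivirus has detected malware or other potentially unwanted software.",
    },
]

# Anchoring on "New value:" matters: a removal puts the exclusion under "Old value:" and
# leaves "New value:" empty, so only additions match. Captures the exclusion kind and value.
EXCLUSION_RE = re.compile(
    r"New value:\s*HKLM\\SOFTWARE\\Microsoft\\Windows Defender\\Exclusions\\"
    r"(Paths|Extensions|Processes)\\(.+?)\s*=\s*0x0",
    re.IGNORECASE,
)


@dataclass(frozen=True)
class ExclusionFinding:
    computer: str
    kind: str   # Paths, Extensions or Processes
    value: str  # the excluded path, extension or process name


def find_exclusion_additions(events):
    """Return one finding per Event ID 5007 record that adds a Defender exclusion."""
    findings = []
    for event in events:
        if event.get("event_id") != 5007:
            continue
        match = EXCLUSION_RE.search(event.get("message", ""))
        if match:
            findings.append(
                ExclusionFinding(event.get("computer", "?"), match.group(1), match.group(2))
            )
    return findings


if __name__ == "__main__":
    for finding in find_exclusion_additions(SAMPLE_EVENTS):
        print(f"{finding.computer}: new {finding.kind} exclusion -> {finding.value}")
```

In a real deployment the same rule would run over events forwarded from the Defender operational channel, and a finding is worth an alert on its own: exclusions are rarely added outside change windows, and a path under a user profile or a scripting interpreter such as `python.exe` is exactly what the payload described above needs to stay unscanned.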
This LinkedIn-based campaign is not just about financial theft—it aligns with North Korea’s broader cyber-espionage goals. According to Bitdefender, these attacks have historically targeted industries such as:
- Aerospace & Defense
- Nuclear Research & Energy
- Cryptocurrency & Financial Services
“By compromising people working in sectors such as aviation, defense, and nuclear industries, they aim to exfiltrate classified information, proprietary technologies, and corporate credentials,” the researchers warn.