North Korea-linked Social Engineering Campaigns Targeting Developers and Defense Supply Chains
North Korea–aligned operators, including Lazarus (aka HIDDEN COBRA), are running multiple social-engineering-led intrusion campaigns aimed at stealing sensitive technology and establishing durable access. Reporting on Operation DreamJob describes fake job-offer lures used to compromise European drone manufacturers and defense contractors, with tooling and infrastructure designed to evade traditional defenses and support cyber-espionage against UAV-related intellectual property. Separately, a developer-focused operation dubbed “Fake Font” uses fake recruiter outreach and malicious GitHub repositories to trick engineers into opening projects that abuse Visual Studio Code automation (via .vscode/tasks.json) and disguised payloads (e.g., .woff2 “font” files) to execute multi-stage malware that ultimately deploys the InvisibleFerret Python backdoor for credential and crypto-wallet theft and long-term access.
A distinct DPRK-linked campaign reported by Darktrace targets South Korean users with spear-phishing that delivers a JSE script masquerading as an HWPX document and then abuses VS Code tunnels as a covert C2 channel over trusted Microsoft infrastructure, complicating detection in developer-heavy environments. Other items in the set describe unrelated activity: phishing abuse of Vercel to deliver remote-access tooling, exploitation of CVE-2025-51683 (blind SQLi) in the Mjobtime time-tracking app to reach MSSQL xp_cmdshell, a hospitality-focused DCRat campaign using ClickFix and MSBuild.exe, a generic CSS exfiltration technique write-up, and Trend Micro research on the PeckBirdy LOLBins framework used by China-aligned intrusion sets—none of which are part of the DPRK developer/defense recruitment-themed operations above.
Get ahead of threats like this
Mallory correlates global threat intelligence with your attack surface — know if you’re exposed before adversaries strike.
How this story unfolded
3 events from the most recent confirmed update back to the earliest known activity.
Darktrace identifies VS Code tunnel espionage targeting South Koreans
Darktrace reported a DPRK-linked cyberespionage campaign targeting South Korean users with spear-phishing emails delivering a JSE file disguised as an HWPX document. After execution, the malware established a Visual Studio Code tunnel through Microsoft infrastructure and used a compromised legitimate website to broker remote access.
DPRK 'Fake Font' developer campaign begins
Lazarus Group launched a developer-focused campaign dubbed 'Fake Font' more than 100 days before late January 2026, using fake LinkedIn recruiters and malicious GitHub coding assessments. The repositories abused Visual Studio Code task automation and disguised JavaScript malware as .woff2 font files to deploy the InvisibleFerret backdoor.
Operation DreamJob targets European drone and defense firms
In late March 2025, Lazarus Group began a renewed Operation DreamJob cyberespionage campaign against European drone manufacturers and defense contractors, using fake job offers and trojanized documents to steal UAV-related intellectual property. Researchers later confirmed at least three targeted companies in Central and Southeastern Europe.
Related entities
Vulnerabilities, threat actors, malware, products, organizations, and breaches Mallory has linked to this story.
Sources
4 references tracked. Mallory keeps watching after this page renders.
VS Code exploited once again in new Contagious Interview campaign variant | SC Media
scworld.com
Open sourceLazarus Hackers Actively Attacking European Drone Manufacturing Companies
cybersecuritynews.com
Open sourceNew DPRK Interview Campaign Leverages Fake Fonts to Deploy Malware
cybersecuritynews.com
Open sourceThe Developer's Backdoor: North Korea Weaponizes Visual Studio Code
securityonline.info
Open sourceSee the full picture, correlated to your attack surface.
Map indicators from this story to your assets and identify affected systems in minutes.
Every observed campaign, victim, and pivot linked to actors named in this story.
Malware, exploits, and IOCs connected to the activity described here.
YARA, Sigma, and Snort rules deployed to your SIEM as soon as they’re published.
Get matching new stories delivered to your team as they break — not the next morning.
Ask questions about this story and take action on the answers.
Related stories
Other stories Mallory is tracking that overlap on entities, sources, or topic labels.
North Korean Contagious Interview Campaign Uses Malicious VS Code Projects
North Korea-linked threat actors tied to the long-running **Contagious Interview** operation have been observed using **malicious Microsoft Visual Studio Code (VS Code) projects** as part of fake job-assessment lures, instructing targets to clone repositories from GitHub/GitLab/Bitbucket and open them in VS Code. The technique abuses VS Code `tasks.json` configuration—specifically `"runOn": "folderOpen"`—to trigger execution when a folder is opened, pulling staged payloads from attacker-controlled infrastructure (including Vercel-hosted domains) and ultimately deploying backdoors such as **BeaverTail** and **InvisibleFerret** that enable remote code execution and follow-on control. Recent iterations reportedly add multi-stage droppers embedded in task configuration content and disguised as benign files (e.g., spell-check dictionaries) to improve resilience if network retrieval fails, and include command-and-control behavior that can execute attacker-supplied JavaScript from a remote server (e.g., `ip-regions-check.vercel[.]app`). Separate reporting on North Korean APT trends indicates continued reliance on **fraudulent IT employment schemes** and recruitment-platform abuse to gain access to Western organizations, including long-term social engineering and persistent remote access via legitimate tools (e.g., *AnyDesk*, *Google Remote Desktop*) and VPN/location obfuscation. This broader pattern aligns with the same overarching tradecraft used in developer-targeted “interview” lures: leveraging hiring workflows and developer tooling to establish initial access and persistence while reducing suspicion, particularly in environments with remote-work infrastructure and developer workstations.
Mar 21, 2026
North Korea-Linked Threat Activity and Reporting on Lazarus, IT Worker Schemes, and Related Malware
Multiple reports and threat-intel posts highlighted **North Korea-linked cyber activity** spanning social engineering, malware, and broader ecosystem analysis. AllSecure described an attempted compromise of a CEO via a **fake LinkedIn job interview** attributed to **Lazarus** tradecraft (tagged *BeaverTail* / *Contagious Interview*), indicating continued use of recruiter-style lures and developer tooling themes (e.g., *VSCode*) to gain execution on target systems. Separately, eSentire published technical analysis on the **DEV#POPPER remote access trojan** and associated **OmniStealer** activity, framing it as DPRK-linked malware and providing defensive guidance for organizations facing this threat class. Additional DPRK-focused intelligence covered both strategic and operational dimensions. Google’s *Cloud Threat Horizons Report H1 2026* discussed cloud-focused threat activity and tracked DPRK-linked clusters (including **UNC4899** and **UNC5267**), while Logpresso published an OSINT report on **DPRK remote IT worker** infiltration tactics (fraudulent employment/contractor placement). NKInternet released a catalog-style overview of **North Korea’s software export ecosystem**, and RedAsgard’s “Hunting Lazarus” series contributed hands-on investigative detail into Lazarus operator artifacts. A separate Lazarus threat-actor profile page aggregated historical reporting and statistics, but did not add a discrete new incident beyond compilation.
May 28, 2026
North Korean Contagious Interview Campaign Targets Developers With Fake Recruiting Lures
Reporting describes **North Korea–linked “Contagious Interview” activity** in which attackers pose as recruiters and use fake job processes to compromise software developers. The operation uses deceptive LinkedIn personas and malicious “coding test” repositories to deliver malware (including **BeaverTail** and follow-on multi-platform backdoors/RATs), creating downstream **supply-chain risk** when victims run the code on corporate devices with privileged access. Separately, a real-world example of the same broader tactic was highlighted when an AI security firm’s CEO reported a **deepfake job applicant** and other red flags during a hiring process, reinforcing that adversaries are operationalizing identity fraud and synthetic media to increase the success rate of developer-focused intrusion attempts. The developer ecosystem continues to be a high-value target for initial access and credential theft, as shown by a separate incident in which a **malicious Open VSX extension** masquerading as an Angular language tool reached thousands of downloads and was reported to steal **GitHub/NPM credentials**, browser tokens, and crypto-wallet data while using resilient C2 techniques. In parallel, a high-severity CI/CD weakness was disclosed in the *Eclipse Theia* website repository (**CVE-2026-1699**), where a `pull_request_target` GitHub Actions workflow could allow untrusted PR code execution with access to repository secrets and broad `GITHUB_TOKEN` permissions—conditions that could enable package publishing, website tampering, or code pushes if exploited. Together, the activity underscores elevated risk around **developer hiring workflows, developer tooling marketplaces, and CI pipelines** as converging attack surfaces for credential theft and supply-chain compromise.
Mar 21, 2026