North Korea-linked Lazarus APT has been observed targeting experts in the fintech industry with a new social engineering campaign that involves fake Coinbase job offers laced with malware.
Since Coinbase is one of the world's largest cryptocurrency exchange platforms, a potential opportunity to land a job with one of the most recognizable names in the industry can lure many crypto experts, thus providing the Lazarus hackers with a large pool of potential victims.
The fake job ad, spotted by Malwarebytes researcher Hossein Jazi, was titled ‘Engineering Manager, Product Security,’ indicating North Korean hackers are interested in particular types of victims.
When the victim downloads what appears to be a PDF document allegedly containing details on the job position, the file actually downloaded is an executable named “Coinbase_online_careers_2022_07.exe”, which displays the decoy PDF document while also deploying malware on the victim’s device.
Once executed, the malware will use GitHub as a command and control server to receive commands to execute on the infected device.
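As an added example (not code from Malwarebytes or from the original article), the following triage check flags downloads like the disguised file described above: Windows executables whose names carry a job lure or a document extension. The keyword list, the finding labels and the embedded-PDF heuristic are assumptions made for this example, and the sample bytes are constructed.

```python
import re
import struct

# Assumption: keyword list chosen for this example from the job-offer theme.
LURE_WORDS = re.compile(r"career|job|offer|resume|position|hiring", re.I)
DOUBLE_EXT = re.compile(r"\.(pdf|docx?|rtf)\.(exe|scr|com|pif)$", re.I)
DOC_EXT = re.compile(r"\.(pdf|docx?|rtf)$", re.I)


def is_pe(data: bytes) -> bool:
    """True if data has a DOS 'MZ' header whose e_lfanew field points at 'PE\\0\\0'."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    return data[e_lfanew:e_lfanew + 4] == b"PE\0\0"


def triage(filename: str, data: bytes) -> list[str]:
    """Return findings for one downloaded file; an empty list means nothing flagged."""
    if not is_pe(data):
        return []
    findings = []
    if LURE_WORDS.search(filename):
        findings.append("executable-with-job-lure-name")
    if DOUBLE_EXT.search(filename):
        findings.append("double-extension")
    if DOC_EXT.search(filename):
        findings.append("pe-content-with-document-extension")
    # Heuristic (assumption): a dropper that shows a decoy may carry the PDF inside itself.
    if b"%PDF-" in data:
        findings.append("embedded-pdf-marker")
    return findings


# Constructed sample inputs: a minimal PE header stub, not real malware.
PE_STUB = b"MZ" + b"\0" * 0x3A + struct.pack("<I", 0x40) + b"PE\0\0"
SAMPLES = {
    "Coinbase_online_careers_2022_07.exe": PE_STUB + b"%PDF-1.7 decoy",
    "offer.pdf.exe": PE_STUB,
    "job_description.pdf": b"%PDF-1.7 genuine document",
}

if __name__ == "__main__":
    for name, blob in SAMPLES.items():
        print(name, triage(name, blob))
```

The check keys on file content rather than on the extension or icon, so it still fires when the file manager hides the `.exe` suffix.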
Earlier this month, security researchers warned that suspected North Korean hackers are plagiarizing resumes and pretending to be from other countries to raise money for the North Korean government. The scammers browse job listings on LinkedIn and Indeed and incorporate details they find in legitimate profiles into their own resumes in an attempt to get hired by US cryptocurrency companies.