8 August 2022

Lazarus hackers are luring crypto experts with fake Coinbase job offers


North Korea-linked Lazarus APT has been observed targeting experts in the fintech industry with a new social engineering campaign that involves fake Coinbase job offers laced with malware.

Since Coinbase is one of the world's largest cryptocurrency exchange platforms, a potential opportunity to land a job with one of the most recognizable names in the industry can lure many crypto experts, thus providing the Lazarus hackers with a large pool of potential victims.

The fake job ad, spotted by Malwarebytes researcher Hossein Jazi, was titled ‘Engineering Manager, Product Security,’ indicating North Korean hackers are interested in particular types of victims.

When the victim downloads what appears to be a PDF document allegedly containing details on the job position, the file they actually receive is named “Coinbase_online_careers_2022_07.exe”, which will display the decoy PDF document while also deploying malware on the victim’s device.

Once executed, the malware will use GitHub as a command and control server to receive commands to execute on the infected device.

Earlier this month, security researchers warned that suspected North Korean hackers are plagiarizing resumes and pretending to be from other countries to raise money for the North Korean government. The scammers browse job listings on LinkedIn and Indeed and incorporate details they find in legitimate profiles into their own resumes in an attempt to get hired by US cryptocurrency companies.
