CyberSecurityNews

AI-Assisted Lazarus Campaign Targets Developers With Backdoored Coding Challenges


A North Korean state-sponsored threat group is running an active campaign that tricks software developers into installing malware through fake job interviews and rigged coding tests.

The group, tracked by cybersecurity firm Expel as HexagonalRodent (also called Expel-TA-0001), is widely believed to be a subgroup or spin-off within the broader Lazarus hacking ecosystem tied to North Korea’s intelligence apparatus.

The campaign follows a simple but effective pattern. Threat actors pose as tech recruiters and approach developers through platforms like LinkedIn or post fake job openings on popular career portals.

Once a developer shows interest, they are sent a “take-home coding assessment,” which is a project they must complete and submit for review.

These assessments appear legitimate, but they carry hidden malware quietly embedded inside the code and project configuration files.

The group primarily targets Web3 developers with the goal of stealing cryptocurrency and NFTs. In just three months, the threat actor exfiltrated a total of 26,584 cryptocurrency wallets from 2,726 infected developer systems, with public keys for wallets holding up to $12 million worth of crypto assets exposed.


What makes this campaign stand out from other known DPRK-aligned groups is the heavy and deliberate use of generative AI.

The attackers used tools like ChatGPT and Cursor to write malware code, build fake company websites, and create entirely fictional leadership teams to lend credibility to their fraudulent recruitment fronts.

Expel analysts and researchers identified the campaign after investigating a BeaverTail malware infection on a customer network in October 2025, which led them to uncover a large web of command-and-control (C2) panels, infrastructure, and internal tracking systems used by the group.

The Lazarus group has long been one of the most persistent and financially driven threat actors operating on behalf of North Korea.

But HexagonalRodent represents a shift in approach. Rather than targeting large crypto exchanges with complex multi-step intrusions, this subgroup runs high-volume opportunistic attacks against individual developers.

The homepage of AI Health Chains (Source - Expel)

This strategy works because many small Web3 projects and individual investors hold significant digital assets but lack strong security protections.

The group’s malware, written in NodeJS and Python, naturally blends in with the software tools developers use every day, making it harder to detect on personal machines.

The campaign gained further attention when researchers found that HexagonalRodent had successfully carried out a supply chain attack in early 2026.

A popular VSCode extension called “fast-draft” was compromised and used to distribute OtterCookie malware.

This was the first confirmed instance of this particular subgroup conducting a supply chain attack, suggesting the group is expanding its attack methods and growing in technical confidence.

Inside the Infection Mechanism

The core infection method relies on a feature built into VSCode, one of the most popular code editors used by developers worldwide. The attackers embed a malicious tasks.json configuration file (normally kept in the project's .vscode folder) inside the coding assessment project they send to their target.

This file allows VSCode to run automated tasks whenever certain events happen in the editor.

The threat actors set runOn: "folderOpen" in the task's runOptions, which means the malware executes the moment the developer simply opens the project folder in VSCode, without clicking anything suspicious or running any code manually.

The backdoor does not stop there. The actual source code files within the assessment also contain hidden malicious functions designed to run when the developer executes the code normally.

This serves as a secondary infection route for developers not using VSCode, or for cases where automated tasks have been disabled.

Together, these two methods cover a wide range of scenarios and significantly raise the chance that the infection will succeed regardless of how the developer opens the project.
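As an added example (not from the article or from Expel's tooling), a small Python checker that parses every tasks.json in a project, tolerating the comments and trailing commas VSCode permits, and lists tasks set to run on folderOpen together with their commands. The embedded tasks.json is a constructed sample and its command is a placeholder, not anything from the campaign.

```python
import json
import re
from pathlib import Path
from typing import Dict, List

# Constructed sample shaped like an auto-running tasks.json; placeholder command.
SAMPLE_TASKS_JSON = """{
    // VSCode reads tasks.json as JSONC, so comments and trailing commas are legal
    "version": "2.0.0",
    "tasks": [
        {
            "label": "setup",
            "command": "node ./scripts/setup.js",
            "runOptions": { "runOn": "folderOpen" }
        },
        {
            "label": "test",
            "command": "npm test",
        },
    ]
}"""

def parse_jsonc(text: str) -> dict:
    """Strip block comments, comment-only lines and trailing commas, then json.loads."""
    text = re.sub(r"/\*.*?\*/", "", text, flags=re.S)
    text = re.sub(r"^\s*//.*$", "", text, flags=re.M)  # whole-line only, keeps "http://" in values
    text = re.sub(r",(\s*[}\]])", r"\1", text)
    return json.loads(text)

def find_auto_tasks(text: str) -> List[Dict[str, str]]:
    """Return each task whose runOptions.runOn is folderOpen, with its command."""
    hits = []
    for task in parse_jsonc(text).get("tasks", []):
        if task.get("runOptions", {}).get("runOn") == "folderOpen":
            hits.append({"label": task.get("label", "<unnamed>"),
                         "command": str(task.get("command", ""))})
    return hits

def scan_project(root: Path) -> List[Dict[str, str]]:
    """Check every tasks.json in the tree, not only .vscode/tasks.json."""
    results = []
    for path in root.rglob("tasks.json"):
        for hit in find_auto_tasks(path.read_text(encoding="utf-8", errors="replace")):
            results.append({"file": str(path.relative_to(root)), **hit})
    return results

if __name__ == "__main__":
    for hit in find_auto_tasks(SAMPLE_TASKS_JSON):
        print(f"folderOpen task {hit['label']!r} runs: {hit['command']}")
```

Run scan_project on an unpacked assessment before opening it in the editor; VSCode also refuses to run such tasks while a folder is open in Restricted Mode (workspace not trusted), though that does nothing against the secondary route hidden in the source files.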

Once inside a system, the malware family known as BeaverTail begins exfiltrating credentials from web browsers, the macOS Keychain, Linux Keyring, and password managers like 1Password.

The infostealer panel (Source - Expel)

A second component called OtterCookie acts as a reverse shell, giving the attacker direct remote access. A third tool, InvisibleFerret, written in Python, also functions as a reverse shell.

Expel researchers confirmed through analysis of the group’s exposed C2 panels that these tools work together, with BeaverTail handling credential theft and OtterCookie managing ongoing system access.

Security researchers and Expel strongly advise developers to take the following precautions to protect themselves from this type of attack.

  • Never run code received from unknown sources, even as part of a job interview, without first reviewing every file in the project, including hidden configuration files like tasks.json.
  • Disable automatic task execution in VSCode under Settings to prevent tasks from running when a folder is opened.
  • Use AI-based code auditing tools to scan any assessment source code for unusual functions or suspicious network calls before executing it.
  • Use hardware security tokens for cryptocurrency wallets, as the Expel investigation confirmed that wallets protected by hardware tokens were significantly harder for the threat actors to drain.
  • Verify recruiter identities independently by checking the company’s official website and contacting them through verified channels before accepting any coding task.
  • Monitor for unexpected NodeJS or Python processes making persistent outbound TCP connections, which may indicate active BeaverTail or OtterCookie activity on the system.
