The notorious North Korean Lazarus Group has been caught trying to rob a CEO through a fake job interview. Just last week, the hackers used LinkedIn to target Chris Papathanasiou, the head of a security firm called AllSecure, in a state-sponsored malware campaign.
The approach was remarkably polished. A recruiter named Nazar reached out about a role at 0G Labs, a firm building an AI project. This wasn’t just a random message: it included a professional job description and a link to book a call with a hiring manager named Pedro Perez de Ayala. It is worth noting that the details of this incident and the subsequent research were shared with Hackread.com.
The Deepfake theory
The scam nearly worked. Chris actually attended the video call, and, as we all know, seeing a face on camera usually builds trust. The person on the screen briefly showed a face that matched the real Pedro’s LinkedIn profile, but things felt off.
“I started recording mid-conversation once I became suspicious,” Chris noted, explaining that the caller’s voice didn’t match public videos of the real Pedro Ayala found online. Further inspection hinted that the hackers could be using real-time Deepfake technology or a stolen identity. When the interviewer insisted that Chris download a folder of code and open it in VS Code for a technical test, the CEO got a bad feeling and told them to “f**k off.”
Three Traps in One: The BeaverTail Attack
According to AllSecure’s blog post, the story didn’t end there. Chris decided to investigate the trap by downloading the code into a safe, isolated virtual machine. That revealed three independent infection routes inside the project folder: if one failed, the others would still take over.
The code contained an incredibly sneaky piece of malware called BeaverTail, which executes the moment you open the folder. It then fingerprints your machine, recording things like your computer’s name, and pings a hidden server every five seconds. When the hackers realised Chris was investigating them from a professional data centre instead of a home laptop, they immediately “triggered a kill switch” to delete their progress.
What was the goal?
Had the attack succeeded, the results would have been a disaster. The “endgame,” as researchers put it, was to “steal your crypto wallets, browser passwords, SSH keys, env secrets – everything.” They were even after MetaMask accounts and saved login data from browsers like Chrome and Brave.
The attack was attributed to the Lazarus Group because the methods used, such as the specific way the code was written, the malware used, and the use of servers previously linked to North Korean operations, matched the group’s textbook patterns perfectly.
To stay safe, it is a good idea to disable automatic tasks in your coding software. If a recruiter is pushing you to use specific software just to look at a job task, treat it as a major red flag.
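One practical way to act on that advice before opening an unknown project, as an added example that is not from the article or from AllSecure’s research: a small Python check that reads a folder’s `.vscode/tasks.json` and flags any task set to run on folder open. It assumes VS Code’s `runOptions.runOn: "folderOpen"` mechanism (governed by the `task.allowAutomaticTasks` setting) is the auto-run path in question, which the article does not name, and the sample `tasks.json` below is constructed for illustration.

```python
"""Pre-open check: list VS Code tasks an untrusted folder would auto-run.

Assumption: auto-run tasks are those in .vscode/tasks.json whose
runOptions.runOn is "folderOpen" (VS Code's documented mechanism).
"""
import json
import re
from pathlib import Path

# Constructed sample tasks.json (not from the incident); it mimics the
# JSON-with-comments style VS Code accepts.
SAMPLE_TASKS_JSON = """{
    // comments and trailing commas are legal in VS Code's tasks.json
    "version": "2.0.0",
    "tasks": [
        {"label": "build", "type": "shell", "command": "npm run build",},
        {
            "label": "setup",
            "type": "shell",
            "command": "node ./scripts/setup.js",
            "runOptions": {"runOn": "folderOpen"},
        },
    ],
}"""


def _load_jsonc(text: str) -> dict:
    """Parse VS Code's JSON dialect: full-line // comments and trailing commas."""
    text = re.sub(r"^\s*//.*$", "", text, flags=re.MULTILINE)
    text = re.sub(r",(\s*[}\]])", r"\1", text)
    return json.loads(text)


def find_folder_open_tasks(tasks_json_text: str) -> list:
    """Return label/command pairs for tasks VS Code would launch on folder open."""
    config = _load_jsonc(tasks_json_text)
    flagged = []
    for task in config.get("tasks", []):
        if task.get("runOptions", {}).get("runOn") == "folderOpen":
            flagged.append({"label": task.get("label"), "command": task.get("command")})
    return flagged


def scan_project(folder: str) -> list:
    """Check a not-yet-opened folder; [] means no tasks.json or no auto-run tasks."""
    tasks_file = Path(folder) / ".vscode" / "tasks.json"
    if not tasks_file.is_file():
        return []
    return find_folder_open_tasks(tasks_file.read_text(encoding="utf-8"))


if __name__ == "__main__":
    for t in find_folder_open_tasks(SAMPLE_TASKS_JSON):
        print(f"auto-run task '{t['label']}' would execute: {t['command']}")
```

Run `scan_project("<downloaded folder>")` on the extracted archive before opening it in VS Code; a non-empty result is exactly the red flag the article describes.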