Famous Chollima APT Hackers Attacking Job Seekers and Organizations to Deploy JavaScript-Based Malware
North Korean-linked Famous Chollima APT group has emerged as a sophisticated threat actor, orchestrating targeted campaigns against job seekers and organizations through deceptive recruitment processes.
Active since December 2022, this advanced persistent threat has developed an intricate multi-stage attack methodology that exploits the trust inherent in professional networking and job-seeking activities.
The group’s operations represent a significant evolution in social engineering tactics, leveraging the vulnerability of individuals seeking employment opportunities to establish footholds within target organizations.
The attack campaign demonstrates remarkable sophistication in its approach, beginning with attackers posing as legitimate recruiters or hiring managers who invite potential victims to participate in online interviews.
During these seemingly authentic interactions conducted through video conferencing platforms, the threat actors skillfully manipulate targets into downloading and installing malicious NPM packages hosted on GitHub repositories.
The attackers present these packages as legitimate software requiring technical evaluation or code review, effectively weaponizing the standard practices of software development interviews.
Offensive Security Engineer Abdulrehman Ali identified the malware’s complex infection chain, noting that the group strategically targets software developers and IT professionals who possess both technical expertise and potential access to sensitive organizational resources.
The campaign’s effectiveness stems from its exploitation of two key demographic vulnerabilities: recently laid-off employees who may retain access credentials to former employers, and active professionals seeking freelance opportunities alongside their primary employment.
The delivery mechanism represents a sophisticated abuse of GitHub’s trusted infrastructure, transforming the platform into an unwitting distribution network for malicious payloads.
The attackers create repositories containing NPM packages embedded with obfuscated JavaScript code designed to deploy the InvisibleFerret backdoor.
This Python-based malware establishes persistent command-and-control communication through TCP connections secured with XOR encryption, enabling remote access and credential harvesting capabilities.
Infection Mechanism
The malware’s infection process begins with the execution of the malicious NPM package, which triggers a carefully orchestrated deployment sequence.
Upon installation, the JavaScript payload executes system reconnaissance commands and prepares the environment for the secondary Python backdoor installation.
The InvisibleFerret component leverages the target’s existing Python environment, a strategic choice given that most software developers already have the necessary dependencies installed.
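A pre-install triage check for a package handed to a candidate as an "interview task", as an added example that is not from the original article or from any cited research: it flags npm lifecycle hooks that run code on install together with JavaScript that spawns a Python interpreter, uses child_process, evaluates dynamic code or carries long encoded blobs, which is the combination the article describes. The heuristics, the sample package.json and the file name setup.js are constructed for illustration.

```python
import re

# Constructed heuristics mirroring the chain described above: code that runs on
# npm install, spawns a Python interpreter, and hides its logic in encoded blobs.
LIFECYCLE_HOOKS = ("preinstall", "install", "postinstall", "prepare")
SUSPICIOUS_PATTERNS = {
    "spawns_python": re.compile(r"\bpython3?\b"),
    "child_process": re.compile(r"child_process|execSync|spawn\("),
    "dynamic_eval": re.compile(r"\beval\(|new Function\("),
    # a 200+ char base64-looking run, or 20+ consecutive \xNN escapes
    "encoded_blob": re.compile(r"[A-Za-z0-9+/=]{200,}|(?:\\x[0-9a-f]{2}){20,}"),
    "remote_fetch": re.compile(r"https?://|\bfetch\("),
}
HIGH_RISK = {"spawns_python", "child_process", "dynamic_eval", "encoded_blob"}

def scan_text(text):
    """Names of the patterns that fire in a script or source file, sorted."""
    return sorted(name for name, rx in SUSPICIOUS_PATTERNS.items() if rx.search(text))

def triage_package(pkg_json, js_sources):
    """(location, findings) pairs; pkg_json is parsed package.json, js_sources maps name -> source."""
    findings = []
    scripts = pkg_json.get("scripts", {})
    for hook in LIFECYCLE_HOOKS:
        if hook in scripts:
            # an install hook is reported even with no pattern hit: it runs unattended
            findings.append((f"scripts.{hook}", scan_text(scripts[hook]) or ["runs_on_install"]))
    for name, src in js_sources.items():
        hits = scan_text(src)
        if hits:
            findings.append((name, hits))
    return findings

def verdict(findings):
    """'block' when code runs on install and any location shows a high-risk trait."""
    on_install = any(loc.startswith("scripts.") for loc, _ in findings)
    if on_install and any(HIGH_RISK & set(hits) for _, hits in findings):
        return "block"
    return "review" if findings else "clean"

# Constructed sample: a "take-home task" package whose postinstall hook runs a
# helper that shells out to python3 and evaluates a hex-escaped blob.
SAMPLE_PKG = {"name": "interview-task", "scripts": {"postinstall": "node setup.js", "test": "jest"}}
SAMPLE_JS = (
    'const cp = require("child_process");\n'
    'const blob = "' + "\\x41" * 24 + '";\n'  # stands in for an obfuscated payload
    'cp.execSync("python3 -c \\"print(1)\\"");\n'
    "eval(blob);\n"
)
```

Run `verdict(triage_package(SAMPLE_PKG, {"setup.js": SAMPLE_JS}))` to see the constructed package scored as "block"; a package with a lifecycle hook but no high-risk traits is returned as "review" so a human still looks at it.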
The backdoor establishes communication with command-and-control servers through encrypted TCP channels, utilizing XOR encryption with hardcoded keys to obfuscate data transmission.
The malware’s cross-platform compatibility enables operations across Windows, Linux, and macOS environments, maximizing the attack surface across diverse development ecosystems.
Once established, the backdoor facilitates comprehensive data exfiltration, including browser credential harvesting and remote command execution capabilities.
The campaign’s success highlights critical vulnerabilities in supply chain security and social engineering defenses, particularly within development communities where GitHub interactions and technical assessments during interviews are standard practice.