Threat actors linked to North Korea have been observed using LinkedIn as part of a deceptive job recruiting scheme, specifically targeting developers. According to a recent report from Google-owned Mandiant, these attacks are becoming more common in the Web3 sector, often starting with a coding test as the initial infection vector.
“After an initial chat, the attacker sent a ZIP file containing COVERTCATCH malware disguised as a Python coding challenge,” said researchers Robert Wallace, Blas Kojusner, and Joseph Dobson.
COVERTCATCH is a first-stage loader for macOS: it downloads a second-stage payload, which then persists on the host as a Launch Agent or Launch Daemon. The distinction matters for triage: a Launch Agent installed under the user's own home directory needs no elevated privileges, so running a "coding challenge" as the developer's normal account is enough to set one up, whereas a Launch Daemon runs system-wide and requires root to install.
This tactic is not isolated. It’s part of broader campaigns such as Operation Dream Job and Contagious Interview, which are spearheaded by North Korean hacking groups. These groups frequently use job-related lures to infect their targets with malware. Other malicious software families, including RustBucket and KANDYKORN, have also been delivered through these fake recruiting strategies. However, it’s unclear if COVERTCATCH is linked to these or the newly discovered strain known as TodoSwift.
In one particular case, Mandiant noted a social engineering campaign that involved sending a malicious PDF file posing as a job description for a "VP of Finance and Operations" role at a major cryptocurrency exchange. This PDF, once opened, deployed RustBucket, a backdoor written in Rust, capable of executing files, gathering system information, and maintaining persistence by disguising itself as a "Safari Update." This backdoor communicates with a command-and-control (C2) domain to carry out further malicious actions.
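Both COVERTCATCH's second stage and RustBucket's "Safari Update" disguise come down to a launchd job, which is something a defender can enumerate and score. The triage script below is an added example, not code from Mandiant or from the article: it parses LaunchAgent/LaunchDaemon plists and flags the patterns described above (an Apple- or "update"-styled label whose binary is not in an Apple-owned path, a binary or script in a user-writable location, RunAtLoad plus KeepAlive, and interpreter-launched payloads). The three sample plists are constructed for illustration and are not indicators from either campaign; the path heuristics are assumptions a practitioner would tune to their fleet.

```python
"""Triage macOS LaunchAgent/LaunchDaemon plists for persistence red flags.

Added example, not from the Mandiant report or the article. The trusted and
user-writable path prefixes are heuristics (assumptions), and every sample
plist below is constructed, not a real indicator of compromise.
"""
from __future__ import annotations

import plistlib
from pathlib import PurePosixPath

# Paths where a job with an Apple-looking label is expected to live (assumption).
APPLE_PATH_PREFIXES = ("/System/", "/usr/", "/Library/Apple/")
# Locations an unprivileged user (or a coding-challenge script) can write to.
USER_WRITABLE_PREFIXES = ("/tmp/", "/private/tmp/", "/var/tmp/", "/Users/",
                          "/private/var/folders/")
INTERPRETERS = {"python", "python3", "bash", "sh", "zsh", "osascript", "curl"}


def triage(data: bytes) -> list[str]:
    """Return the red flags found in one plist (empty list means nothing tripped)."""
    plist = plistlib.loads(data)
    flags: list[str] = []
    label = str(plist.get("Label", ""))
    # launchd accepts either Program or ProgramArguments; argv[0] is the binary.
    argv = list(plist.get("ProgramArguments") or [])
    if not argv and plist.get("Program"):
        argv = [plist["Program"]]
    if not argv:
        return ["no Program/ProgramArguments"]
    prog = argv[0]

    # A label that imitates Apple or an "update" but runs from a non-Apple path.
    lowered = label.lower()
    looks_apple = lowered.startswith("com.apple.") or "safari" in lowered or "update" in lowered
    if looks_apple and not prog.startswith(APPLE_PATH_PREFIXES):
        flags.append(f"Apple-style label '{label}' runs non-Apple binary {prog}")

    # Any argument (binary or script) living in a user-writable directory.
    for arg in argv:
        if arg.startswith(USER_WRITABLE_PREFIXES):
            flags.append(f"user-writable path {arg}")

    # Start at login/boot and be restarted if killed: the classic implant profile.
    if plist.get("RunAtLoad") and plist.get("KeepAlive"):
        flags.append("RunAtLoad + KeepAlive")

    # Interpreter launchers hide the real payload in a script or a download.
    if PurePosixPath(prog).name in INTERPRETERS:
        flags.append(f"interpreter launcher {PurePosixPath(prog).name}")
    return flags


# Constructed samples (not real IoCs), serialized the way they would sit on disk.
SAMPLE_PLISTS = {
    "com.apple.example.plist": {
        "Label": "com.apple.example",
        "ProgramArguments": ["/usr/libexec/example"],
        "RunAtLoad": True,
    },
    # A "Safari Update" whose binary actually lives under the user's home.
    "com.safari.update.plist": {
        "Label": "com.safari.update",
        "ProgramArguments": ["/Users/dev/Library/Application Support/SafariUpdate/update"],
        "RunAtLoad": True,
        "KeepAlive": True,
    },
    # What a Python "coding challenge" might leave behind.
    "com.dev.challenge.plist": {
        "Label": "com.dev.challenge",
        "ProgramArguments": ["/usr/bin/python3", "/tmp/challenge/helper.py"],
        "RunAtLoad": True,
    },
}


def scan_samples() -> dict[str, list[str]]:
    """Run triage over the constructed samples; keys are plist file names."""
    return {name: triage(plistlib.dumps(p)) for name, p in SAMPLE_PLISTS.items()}


if __name__ == "__main__":
    for name, flags in scan_samples().items():
        print(name, "->", flags or "clean")
```

On a real host the same `triage()` would be fed the bytes of each file under `~/Library/LaunchAgents`, `/Library/LaunchAgents` and `/Library/LaunchDaemons`; the flags are prompts for a human to look at the binary, not a verdict.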
North Korea's attacks on Web3 organizations go beyond social engineering and extend to software supply chain compromises, as the 2023 intrusions at 3CX and JumpCloud demonstrated.
Once a foothold is gained, attackers often focus on password managers to steal credentials. They perform internal reconnaissance by probing code repositories and documentation, eventually moving into cloud environments where they can find keys to cryptocurrency hot wallets, allowing them to drain funds.
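The reconnaissance step described above (combing code repositories and documentation for credentials and hot-wallet keys) is exactly what a defender should run first, before an intruder does. The scanner below is an added example, not code from Mandiant or from the article: it walks file contents for an AWS access key ID, a PEM private-key header, a 32-byte hex string of the kind used as a raw EVM-style wallet private key, and any assignment to a key/secret/token/seed-named variable whose value is long and high-entropy. The regular expressions and thresholds are heuristics (assumptions), and every sample file and credential-looking string is constructed.

```python
"""Scan repository and document text for hot-wallet and cloud credential material.

Added example, not from the Mandiant report or the article. The patterns and
the entropy threshold are heuristics (assumptions); all sample content below
is constructed and contains no real credential.
"""
from __future__ import annotations

import math
import re
from collections import Counter

# Pattern name -> regex. A 64-hex string also matches a SHA-256 hash, so these
# are triage leads, not proof of a leaked key.
PATTERNS = {
    "aws_access_key_id": re.compile(r"\b(?:AKIA|ASIA)[0-9A-Z]{16}\b"),
    "pem_private_key": re.compile(r"-----BEGIN (?:[A-Z ]+ )?PRIVATE KEY-----"),
    "hex_private_key": re.compile(r"\b(?:0x)?[0-9a-fA-F]{64}\b"),
}
# name_like_key = "value" / name: value, with the value captured in group 2.
ASSIGNMENT = re.compile(r"(?i)(key|secret|token|seed|mnemonic)\w*\s*[:=]\s*['\"]?([^'\"\s]+)")
MIN_SECRET_LEN = 20
MIN_ENTROPY_BITS = 3.5  # random base64/hex sits well above English prose


def shannon_entropy(s: str) -> float:
    """Bits per character of the string's character distribution."""
    if not s:
        return 0.0
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())


def scan_text(text: str, source: str = "<memory>") -> list[dict]:
    """Return one finding dict per suspicious match, tagged with source and line."""
    findings: list[dict] = []
    for lineno, line in enumerate(text.splitlines(), 1):
        for label, pat in PATTERNS.items():
            for m in pat.finditer(line):
                findings.append({"source": source, "line": lineno,
                                 "type": label, "match": m.group(0)})
        # Generic catch: a sensitive-looking name holding a long, random-looking value.
        m = ASSIGNMENT.search(line)
        if m and not any(f["line"] == lineno for f in findings):
            value = m.group(2)
            if len(value) >= MIN_SECRET_LEN and shannon_entropy(value) > MIN_ENTROPY_BITS:
                findings.append({"source": source, "line": lineno,
                                 "type": "high_entropy_assignment", "match": value})
    return findings


# Constructed sample "repository" (paths and contents are invented).
SAMPLE_FILES = {
    "docs/runbook.md": "\n".join([
        "# Hot wallet ops (constructed sample)",
        "Rotate the signer every quarter.",
        "treasury signer: 0x" + "a1" * 32,   # 64 hex chars, looks like a raw key
        "contact ops@example.test for access",
    ]),
    "deploy/.env": "\n".join([
        "AWS_ACCESS_KEY_ID=AKIAEXAMPLEEXAMPLE12",
        "AWS_SECRET_ACCESS_KEY=wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY",
        "LOG_LEVEL=info",
    ]),
    "src/signer.py": "\n".join([
        "import os",
        "API_TOKEN = os.environ['API_TOKEN']",   # read at runtime: not a leak
        "# legacy key left behind in history",
    ]),
}


def scan_samples() -> list[dict]:
    """Scan every constructed sample file and return all findings in order."""
    return [f for src, text in SAMPLE_FILES.items() for f in scan_text(text, src)]


if __name__ == "__main__":
    for f in scan_samples():
        print(f"{f['source']}:{f['line']} {f['type']} {f['match'][:24]}...")
```

The value of running this over documentation as well as code is the point the report makes: runbooks and wikis are where operators paste signer addresses and keys "temporarily", and an intruder with a developer's session reads them as easily as the repository. A hit here should be followed by rotation, not just deletion from the file, since the value survives in git history.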
This disclosure coincides with a warning from the U.S. Federal Bureau of Investigation (FBI) regarding North Korean cybercriminals targeting the cryptocurrency industry through "highly tailored, difficult-to-detect social engineering campaigns."
These efforts, which involve impersonating recruiting firms or individuals familiar to the victim, are seen as a direct method for launching audacious crypto heists. These operations are designed to funnel illicit income back to North Korea, which remains under international sanctions.
Tactics used by these actors often include identifying cryptocurrency businesses of interest, conducting in-depth research on potential targets, and crafting personalized fake scenarios. These detailed approaches increase the chances of deceiving victims.
According to the FBI, “The actors may reference personal information, interests, events, or professional connections that make their communications appear more legitimate to the victim.” This careful manipulation of trust is designed to establish rapport, leading to the eventual delivery of malware.
“If the attackers succeed in initiating a two-way conversation, either they or another member of their team may spend a considerable amount of time engaging with the victim to make the offer seem more credible,” the FBI added.
© 2016 - 2025 Red Secure Tech Ltd. Registered in England and Wales under Company Number: 15581067