The Lazarus Effect 2 – The Crypto Edition

Are you looking for a job in the crypto industry? If so, make sure which offer you apply to first as it might be a scam. Leveraging unsolicited job opportunities to deploy malware has become a very popular practice among cyber criminals. However, when none other than the infamous Lazarus group is applying this, things get a bit more serious.

Lazarus Group Targets macOS

North Korea’s hacker group Lazarus’ new campaign involves fake job offers that end up with them deploying malware on their victims’ Apple macOS operating system.

The interest in crypto jobs has skyrocketed in 2022, which makes this phishing campaign a lot more dangerous – Lazarus knows what it’s doing, and here’s what we know about it.

Lazarus Strikes Again – macOS Users Beware

The crypto industry doesn’t seem to have a break lately as threat actors are using it constantly to practice their malicious activities.

A few weeks back, General Bytes – the Bitcoin ATM manufacturer – confirmed that cybercriminals were successfully able to exploit a vulnerability within its systems. As a result, they managed to plunder cryptocurrency from its users.

Now, a new phishing campaign is spreading quickly courtesy of the infamous Lazarus Group. This time around, the hackers are advertising job positions for the Singapore-based cryptocurrency exchange firm Crypto[.]com.

Job Offer Lazarus

It doesn’t end here. There’s also another form of attack, but the group is masquerading as a different firm. They’re also sending job postings for the Coinbase cryptocurrency exchange platform.

So far, we don’t know how the phishing campaign is spreading. But according to, it might be through direct messages on the business networking site LinkedIn.

Once the user proceeds with the scam, they’ll install a Mach-O binary, a dropper that launches a PDF document containing the job listings at Crypto.com.

However, since it’s a scam, the page is not real. It’s just a fake page that, in the background, deletes the Terminal’s saved state (“com.apple.Terminal.savedState”).

According to SentinelOne researchers Dinesh Devadoss and Phil Stokes:

“The main purpose of the second-stage is to extract and execute the third-stage binary, wifianalyticsagent. This functions as a downloader from a [command-and-control] server.”

The Lazarus Group is well known for carrying out all sorts of cyber-assaults on blockchain and cryptocurrency platforms.

So, if you’re interested in such jobs or in the entire industry, to be frank, make sure you double-check the source you’re visiting. It might be a threat actor waiting for the right moment to strike.

Dream Job Phishing – A Victim’s Crypto-nite

Hacking groups will always target what is popular among users. Now that crypto is taking over the world, expect more attacks such as this one.

However, attacks differ in impact, but when Lazarus is involved, it’s going to be huge. Always check the source you’re receiving offers from. Don’t trust blindly and stay safe.

Add a Comment

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.

as-seen-on