Lazarus Hackers Target AllSecure CEO via Fake LinkedIn Interview
2026-03-10 12:37 | Severity: CRITICAL | Confidence: MEDIUM
Executive Summary (AI-generated)
The North Korean Lazarus Group has been caught attempting to rob a CEO through a fake job interview, approaching the target over LinkedIn and trying to get malware onto his machine. The tradecraft matches the group's textbook patterns, including the reuse of servers previously linked to North Korean operations. The incident underlines the ongoing threat posed by the Lazarus Group, which continues to target companies with sophisticated social engineering and cyber espionage techniques. Further investigation is needed to understand the motivations behind these efforts and how they can be prevented or mitigated.
Technical Mitigations (AI-generated)
* Use a virtual private network (VPN) to encrypt internet traffic and protect against man-in-the-middle attacks.
* Regularly update software, operating systems, and applications to ensure you have the latest security patches and features.
* Be cautious when clicking on links or downloading attachments from unknown sources, as they may deliver malware or lead to phishing pages.
* Use two-factor authentication (2FA) whenever possible to add an extra layer of security for your online accounts.
* Keep your operating system and browser up-to-date with the latest security updates and patches.
Intelligence Metadata
Actors / Malware / CVEs / Campaigns: Operation Dream Job, Contagious Interview, Andariel, Lazarus Group, AppleJeus, InvisibleFerret, BeaverTail
Target & Sectors: NORDICS
Incident Timeline
October 2025
Lazarus hackers used fake LinkedIn interviews to target AllSecure CEO.
Source region: DPRK
"Once their salaries are paid, DPRK IT workers transfer cryptocurrency through a variety of different money laundering techniques," blockchain analysis firm Chainalysis noted in a report published in October 2025.
2026/01/11
Threat actors used the DPRK remote worker program to gain administrative access to AllSecure's codebases.
Source region: DPRK
Last month, cybersecurity company Silent Push described the DPRK remote worker program as a "high-volume revenue engine" for the regime, enabling the threat actors to also gain administrative access to sensitive codebases and establish living-off-the-land persistence within corporate infrastructure.
2026/02/03
Threat actors used fake LinkedIn profiles to target AllSecure CEO.
Source region: DPRK
"The businesses have been tricked into hiring what likely North Korean IT workers in home office positions," PST said last week.
2026/03/03
Lazarus hackers used LinkedIn to target Chris Papathanasiou, head of AllSecure.
Attribution: LinkedIn, AllSecure
Just last week, the hackers used LinkedIn to target Chris Papathanasiou, the head of a security firm called AllSecure, in a state-sponsored malware campaign.
2026/03/10
Lazarus hackers used fake LinkedIn interviews to target AllSecure CEO.
Entity Context
New North Korea Clusters / FudModule
On the other hand, Labyrinth Chollima's operations are motivated by cyber espionage, using tools like the FudModule rootkit to achieve stealth.
DPRK Operatives Impersonate Professionals
DPRK Operatives Impersonate Professionals on LinkedIn to Infiltrate Companies.
The information technology (IT) workers associated with the Democratic People's Republic of Korea (DPRK) are now applying to remote positions using real LinkedIn accounts of individuals they're impersonating, marking a new escalation of the fraudulent scheme.
Labyrinth Chollima Segments into Specialized Operational Units (CrowdStrike)
The development comes as CrowdStrike revealed that the prolific North Korean hacking crew known as Labyrinth Chollima has evolved into three separate clusters with distinct objectives and tradecraft: the core Labyrinth Chollima group, Golden Chollima (aka AppleJeus, Citrine Sleet, and UNC4736), and Pressure Chollima (aka Jade Sleet, TraderTraitor, and UNC4899).
Lazarus Group
The notorious North Korean Lazarus Group has been caught trying to rob a CEO through a fake job interview. The attack was attributed to the Lazarus Group because the methods used, such as the specific way the code was written, the malware used, and the use of servers previously linked to North Korean operations, matched the group's textbook patterns perfectly.
It's worth noting that Labyrinth Chollima, along with Andariel and BlueNoroff, are considered to be sub-clusters within the Lazarus Group (aka Diamond Sleet and Hidden Cobra), with BlueNoroff splintering into TraderTraitor and CryptoCore (aka Sapphire Sleet), according to an assessment from DTEX.
Contagious Interview
Running parallel to the IT worker scheme is another social engineering campaign dubbed Contagious Interview that involves using fake hiring flows to lure prospective targets into interviews after approaching them on LinkedIn with job offers.
In recent months, new variants of the Contagious Interview campaign have been observed using malicious Microsoft VS Code task files to execute JavaScript malware disguised as web fonts that ultimately lead to the deployment of BeaverTail and InvisibleFerret, allowing persistent access and theft of cryptocurrency wallets and browser credentials, per reports from Abstract Security and OpenSourceMalware.
VS Code (Microsoft)
When the interviewer insisted that Chris download a folder of code and open it in VS Code for a technical test, the CEO got a bad feeling and told them to "f**k off."
Fireblocks
In one case of a recruiting impersonation campaign targeting tech workers using a hiring process resembling that of digital asset infrastructure company Fireblocks, the threat actors are said to have asked candidates to clone a GitHub repository and run commands to install an npm package to trigger malware execution.
AllSecure
Three Traps in One: The BeaverTail Attack. According to AllSecure's blog post, the story didn't end there.
PurpleDelta / Wagemole
The threat is also tracked by the broader cybersecurity community as Jasper Sleet, PurpleDelta, and Wagemole.
Security Alliance
"Always validate that accounts listed by candidates are controlled by the email they provide," Security Alliance said.
EtherHiding
"The campaign also employed EtherHiding, a novel technique that leverages blockchain smart contracts to host and retrieve command-and-control infrastructure, making the malicious payload more resilient to takedowns," security researcher Ori Hershko said.
Malicious npm packages / DNS execution gating
The names of some of the packages associated with the activity are as follows: env-workflow-test, sra-test-test, sra-testing-test, vg-medallia-digital, vg-ccc-client, vg-dev-env.
"The initial loader performs DNS-based execution gating and engagement date validation before downloading and spawning the RAT module as a detached process," security researcher Alessandra Rizzo said.
Fake LinkedIn Interview
Fake LinkedIn Interview Used by Lazarus Hackers to Target AllSecure CEO.
Hackread.com
It is worth noting that the details of this incident and the subsequent research were shared with Hackread.com.
Deepfake
Further inspection hinted that the hackers could be using real-time deepfake technology or a stolen identity.
SSH keys and secrets
The "endgame," as researchers put it, was to "steal your crypto wallets, browser passwords, SSH keys, env secrets – everything."
Chrome and Brave / MetaMask
They were even after MetaMask accounts and saved login data from browsers like Chrome and Brave.
Tactical Metrics
Affected Product: VS Code (Microsoft)
Intelligence Sources
* The Hacker News, 2026-02-10
* HackRead, 2026-03-10
Last Updated: 2026-04-27T10:33
Comprehensive Tactical Telemetry
Highly Correlated Entities
* 27x organisation (Identified Entity): New North Korea Clusters
* 4x tactic (Cyber Operation Type): Espionage
* 4x threat actor (APT Group): Contagious Interview
* 4x timeline (Temporal Reference): 2026-01-11
* 4x attribution (Attributing Entity): the Norwegian Police Security Service
* 2x tactic (MITRE ATT&CK Technique): T1059.006 - Python
* 2x malware (Malware Payload): BeaverTail
Contextual Telemetry (7 metrics)
* source region (Origin Country): Korea, Democratic People's Republic of
* source region (Origin Region): DPRK
* campaign (Campaign): Operation Dream Job
* infrastructure (Affected Product): VS Code
* target region (Target Country): Norway
* general metric (Different Commands): 12
* general metric (G Labs): 0